Re: Rule for don't log specific user session.

2008-03-11 Thread Vincent Magnin

Hello Rafael,

It should be possible in FreeRADIUS 2 using the unlang language:


if (User-Name != "test-user") {
   sql_log
}

Regards,

Vincent M.

Rafael Medici <[EMAIL PROTECTED]> wrote:


Hello,

Is there a way to not log anything for a specific user, by creating a
rule in sql_log?


You will probably ask me why!

Because I have a plugin running on Nagios that checks authentication
with a specific user (e.g. "testuser") every 5 minutes, and at the end of
the day my database grows with useless information. We are a global
hotspot provider, so this check running on Nagios is performed on 10,000
hotspots to test authentication, so you can imagine that this "testuser"
generates an endless number of records.



I think putting some kind of trigger in place to do that will probably
slow down my server, because we have a huge user database.


I'm running FreeRADIUS (1.1.7) + PostgreSQL.


Regards,

Rafael Medici


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
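The conditional from the reply above, carried through into a complete FreeRADIUS 2.x virtual server, as an added example that is not part of the thread. It assumes the probe authenticates as "testuser" without a realm suffix, that sql_log is the only SQL writer, and that both the post-auth and accounting paths should skip it; failed authentications are still logged, because a failing probe is exactly the event you want recorded.

```text
# sites-enabled/default (FreeRADIUS 2.x), added example, not the
# configuration of the poster. Assumed: the Nagios probe binds as the
# bare User-Name "testuser"; every other user is logged as before.

accounting {
    # ... other accounting modules (detail, unix, ...) unchanged

    # "ok" is a bare return code, so the section still succeeds and the
    # NAS still receives its Accounting-Response; only the SQL row is skipped.
    if (User-Name == "testuser") {
        ok
    }
    else {
        sql_log
    }
}

post-auth {
    # Successful authentications: skip the probe, log everyone else.
    if (User-Name != "testuser") {
        sql_log
    }

    Post-Auth-Type REJECT {
        # Deliberately unconditional: a rejected probe means the
        # authentication path is broken and must show up in the log.
        sql_log
    }
}
```

Two caveats. The comparison is an exact string match, so if the probe sends "testuser@example.com" or the NAS rewrites case, use a regex instead (`User-Name =~ /^testuser(@.*)?$/`). And because the filter keys only on the username, anyone who manages to authenticate as "testuser" disappears from the SQL log as well; keep that account dedicated to monitoring, restrict what it is allowed to do, and rely on the unconditional REJECT logging above to catch abuse attempts.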


Re: Filtering RADIUS request to only allow EAP-TTLS in a proxying-only server?

2008-09-24 Thread Vincent Magnin

Hello Peter,

Try looking at the "attr_filter" section and configure it as you wish:

In your radiusd.conf:

attr_filter attr_filter.post-proxy {
  attrsfile = ${some path}/attrs.post-proxy
}


This file may contain something like the following:

DEFAULT
	User-Name =* ANY,
	Reply-Message =* ANY,
	State =* ANY,
	Class =* ANY,
	Message-Authenticator =* ANY,
	Calling-Station-ID =* ANY,
	Proxy-State =* ANY,
	EAP-Message =* ANY,
	MS-MPPE-Recv-Key =* ANY,
	MS-MPPE-Send-Key =* ANY,
	MS-CHAP-MPPE-Keys =* ANY


State and EAP-Message are needed for EAP.
User-Name is for proxying to the right destination.

If you do not put "User-Password" in this file, that attribute will be
removed.


Some institutions will do PEAP instead of EAP-TTLS. It's most likely a
bad idea to do processing on EAP-Message.


Regards,

Vincent

Peter Eriksson <[EMAIL PROTECTED]> wrote:


One thing I'd like to achieve in the "EDUROAM"-responsible RADIUS
"router" (server) is to make sure that *only* EAP-TTLS requests are
forwarded to the RADIUS server doing the real user authentication.

Anyone got something already configured that I could copy?

I.e., I would like to make sure that it will reject requests that
come in from the outside with user+password stuff sent in cleartext.

(And also make sure it won't send out such requests itself.)


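A complete configuration for what Peter asks, as an added example that is not part of the thread: the proxying server rejects any Access-Request that arrives without an EAP-Message, and attr_filter in pre-proxy guarantees that User-Password and CHAP-Password are never forwarded even if such a request somehow got past authorize. File names follow the FreeRADIUS 2.x layout (sites-enabled/default, modules/attr_filter, attrs.pre-proxy); the attribute list in attrs.pre-proxy is an assumed minimum for an EAP-only proxy and may need extending for a given NAS vendor.

```text
# FreeRADIUS 2.x, added example (not the configuration of either poster).
# Goal: a proxy-only server that forwards nothing but EAP to the home
# server and never sends a cleartext or CHAP password itself.

# --- sites-enabled/default ------------------------------------------
authorize {
    preprocess
    suffix                  # splits user@realm and sets Realm for proxying

    # Credentials that arrive outside an EAP exchange must not cross
    # this server in either direction: refuse the request outright.
    if (!EAP-Message) {
        reject
    }

    eap {
        ok = return
    }
}

authenticate {
    eap
}

# Runs on every packet just before it is sent to the home server.
pre-proxy {
    attr_filter.pre-proxy
}

post-proxy {
    attr_filter.post-proxy  # the attrs.post-proxy list shown in the reply
    eap
}

# --- modules/attr_filter (instance used in pre-proxy above) -----------
attr_filter attr_filter.pre-proxy {
    key = "%{Realm}"
    attrsfile = ${confdir}/attrs.pre-proxy
}

# --- attrs.pre-proxy ----------------------------------------------------
# Only the attributes listed here survive into the proxied Access-Request.
# User-Password and CHAP-Password are deliberately absent, so they are
# stripped from any request that reaches this point.
DEFAULT
	User-Name =* ANY,
	NAS-IP-Address =* ANY,
	NAS-Identifier =* ANY,
	NAS-Port-Type =* ANY,
	Calling-Station-Id =* ANY,
	Called-Station-Id =* ANY,
	Framed-MTU =* ANY,
	State =* ANY,
	EAP-Message =* ANY,
	Message-Authenticator =* ANY,
	Proxy-State =* ANY
```

The `if (!EAP-Message)` test is the enforcement point; the pre-proxy filter is the second line of defence and is what makes the guarantee hold even for a request that some future authorize change lets through. Restricting the proxy to EAP-TTLS specifically, rather than to EAP in general, would require inspecting the negotiated EAP method after the `eap` module has run, which the reply above warns against: it breaks the institutions that use PEAP, and in both cases the password only ever travels inside the TLS tunnel, which is the property that matters.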


inner/outer Tunnel attributes of TTLS/MS-CHAPv2

2008-02-04 Thread Vincent Magnin

Hello All,

I have an issue with passing attributes from EAP-TTLS MS-CHAPv2 to the outer:

My /etc/raddb/users contains:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
	User-Name := `%{User-Name}`,
	Fall-Through = yes

And my eap ttls module contains:

copy_request_to_tunnel = yes
use_tunneled_reply = yes



The User-Name and Tunnel-* are not rewritten/copied to the outer.

This issue occurs only with MS-CHAP, not PAP.

Running version: freeradius-1.0.1-3.RHEL4.5

radiusd -X:
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 39
modcall: group Auth-Type returns ok for request 39
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 39
radius_xlat:  '/var/log/radius/radacct/127.0.0.1/reply-detail-20080204'
rlm_detail:  
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d  
expands to /var/log/radius/radacct/127.0.0.1/reply-detail-20080204

  modcall[post-auth]: module "reply_log" returns ok for request 39
modcall: group post-auth returns ok for request 39
  TTLS: Got tunneled reply RADIUS code 2
User-Name := "[EMAIL PROTECTED]"
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 = "16"
Tunnel-Medium-Type:0 = IEEE-802
MS-CHAP2-Success =  
0x5b533d314643453436444634323935383843304336324346463046363836393836353236314637

MS-MPPE-Recv-Key = 0xcf199064e5ce16501ad868646e8e7b3c
MS-MPPE-Send-Key = 0x053e079625529879fe9f4f1cb9b7ad47
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 39
modcall: group Auth-Type returns ok for request 39
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 39
radius_xlat:  '/var/log/radius/radacct/130.223.222.60/reply-detail-20080204'
rlm_detail:  
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d  
expands to /var/log/radius/radacct/130.223.222.60/reply-detail-20080204

  modcall[post-auth]: module "reply_log" returns ok for request 39
modcall: group post-auth returns ok for request 39
Sending Access-Accept of id 60 to 130.223.222.60:1645
MS-MPPE-Recv-Key =  
0xc9abc77f52aa954231989e3bc26c35b2b6f6578dec2fe6b1bf06e9fb1b75740f
MS-MPPE-Send-Key =  
0xe940dd6f47a1a7102d876dacf2f36385a5e717f96372d87256b5e6c1c3ba962b

EAP-Message = 0x03060004
Message-Authenticator = 0x
User-Name = "anonymous"
Finished request 39



Re: Re: inner/outer Tunnel attributes of TTLS/MS-CHAPv2

2008-02-04 Thread Vincent Magnin

Hello Alan,

You are right, this version is too old and does not support this
feature (I've checked src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c).

This version is the one supplied with Redhat Enterprise 4.

I'll compile 1.1.7 from source.


Regards,


Vincent Magnin


Alan DeKok <[EMAIL PROTECTED]> wrote:


Vincent Magnin wrote:

Running version: freeradius-1.0.1-3.RHEL4.5


  Why?  I'm not sure if the functionality you need is even in 1.0.1.
Why not try 2.0.1, or maybe 1.1.7?

  Alan DeKok.






Freeradius2 and proxing

2008-02-05 Thread Vincent Magnin

In freeradius 1, if I need to proxy requests whose realms are remote,
I put the following in proxy.conf:


realm DEFAULT {
	type = radius
	authhost = remote.server1.com:1812
	accthost = remote.server1.com:1813
	secret = 
	ldflag = round_robin
	nostrip
}

realm DEFAULT {
	type = radius
	authhost = remote.server2.com:1812
	accthost = remote.server2.com:1813
	secret = 
	ldflag = round_robin
	nostrip
}



I've tried to put the same lines in my freeradius2 config file and it
does not work as expected:

radiusd -X output:

rlm_realm: Looking up realm "extern.realm.com" for User-Name =  
"[EMAIL PROTECTED]"

rlm_realm: No such realm "extern.realm.com"

Then, the request is done locally.


If I put this domain explicitly in my proxy.conf file, it works fine:



realm extern.realm.com {
	type = radius
	authhost = remote.server2.com:1812
	accthost = remote.server2.com:1813
	secret = 
	ldflag = round_robin
	nostrip
}


radiusd -X output:

rlm_realm: Looking up realm "extern.realm.com" for User-Name =  
"[EMAIL PROTECTED]"

rlm_realm: Found realm "extern.realm.com"
rlm_realm: Proxying request from user anonymous to realm extern.realm.com
rlm_realm: Adding Realm = "extern.realm.com"
rlm_realm: Preparing to proxy accounting request to realm  
"extern.realm.com"



Regards,

Vincent Magnin

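The same two-server DEFAULT realm written in the native FreeRADIUS 2.x proxy.conf syntax, as an added example that is not part of the thread. FreeRADIUS 2 still accepts the 1.x-style realm blocks shown above, but failover, status checks and dead-server detection live only in its own home_server / home_server_pool / realm structure. The 192.0.2.x addresses and CHANGE-ME secrets are placeholders. Note that this does not by itself supply the missing DEFAULT fallback the post describes: realm lookup is the same code path whichever syntax is used.

```text
# proxy.conf, FreeRADIUS 2.x native syntax. Added example, not the
# poster's configuration. Assumed: remote.server1.com is 192.0.2.1 and
# remote.server2.com is 192.0.2.2 (documentation addresses); secrets are
# placeholders to be replaced.

home_server remote1_auth {
    type = auth
    ipaddr = 192.0.2.1              # remote.server1.com
    port = 1812
    secret = CHANGE-ME-1
    response_window = 20
    zombie_period = 40
    # Probe the peer instead of discovering it is dead one timed-out
    # Access-Request at a time.
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}
home_server remote1_acct {
    type = acct
    ipaddr = 192.0.2.1
    port = 1813
    secret = CHANGE-ME-1
}

home_server remote2_auth {
    type = auth
    ipaddr = 192.0.2.2              # remote.server2.com
    port = 1812
    secret = CHANGE-ME-2
    response_window = 20
    zombie_period = 40
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}
home_server remote2_acct {
    type = acct
    ipaddr = 192.0.2.2
    port = 1813
    secret = CHANGE-ME-2
}

# What the two "realm DEFAULT ... ldflag = round_robin" blocks expressed
# in 1.x: one pool for authentication, one for accounting.
home_server_pool default_auth {
    type = load-balance
    home_server = remote1_auth
    home_server = remote2_auth
}
home_server_pool default_acct {
    type = load-balance
    home_server = remote1_acct
    home_server = remote2_acct
}

# Catch-all for every realm that has no block of its own.
realm DEFAULT {
    auth_pool = default_auth
    acct_pool = default_acct
    nostrip
}
```

One thing to keep in mind with a catch-all realm: every unknown realm, including typos and attacker-chosen suffixes, is forwarded to these two servers, and with `nostrip` the full identity goes with it. Add explicit `realm` blocks (including a `realm LOCAL`-style entry with no pools for domains that must never leave the box) for anything that should not fall through to DEFAULT.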


Re: EAP/TTLS on LDAP with freeradius 2.0.1

2008-02-06 Thread Vincent Magnin

Hi Thierry,

In your /etc/raddb/users file, you can put the following to copy the
inner identity to the outer identity (works with freeradius 1 and 2):

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
	User-Name := `%{User-Name}`,
	Fall-Through = yes



Thierry CHICH <[EMAIL PROTECTED]> wrote:


Hello,

I know that my problem is so simple that I should be ashamed to ask for help, but
I have to say that I can't find a good way to do what I want to do.

With the previous release, freeradius 1.1.7, I could do the following
things:
- people with a correct outer identity and inner identity (login/password)
could be authorized and authenticated on an LDAP server, using an EAP-TTLS
tunnel, and obtain a WPA key.
- with the same radius server, I could authenticate people with EAP-PEAP and
mschapv2 on a sql database.

It was nice, but I had a small problem: accounting was done using the outer
identity. Since I was using the ldap to do the authorization, people who put
another valid identity were not correctly accounted.

Then, I decided to use freeradius 2.0.1. And now I don't see how to obtain a
basic configuration that does my first point.

I always end up with:
rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
auth: No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user

If I put an Auth-Type := LDAP, it seems better at first, but it is
worse:
rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  You seem to have set "Auth-Type := LDAP" somewhere.
  THAT CONFIGURATION IS WRONG.  DELETE IT.
  YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.
++[ldap] returns invalid
auth: Failed to validate the user.

At this point, I don't understand what FreeRADIUS wants.
I don't know how to say: authorize on what you want, I don't care, and
authenticate on my LDAP server.

Is there a good configuration sample I can find anywhere?

Regards,

--
Thierry CHICH






--
------------
Vincent Magnin  [EMAIL PROTECTED]
Network & Telecom Engineer  +41 21 692 22 48
UNIL, Centre Informatique, 1015 Lausanne
Switzerland



Re: Freeradius2 and proxing

2008-02-07 Thread Vincent Magnin

Well,

I've written a patch for realms.c and now I have better behaviour:

rlm_realm: Looking up realm "extern.realm.com" for User-Name =  
"[EMAIL PROTECTED]"

rlm_realm: Found realm "DEFAULT"
rlm_realm: Proxying request from user anonymous to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Preparing to proxy authentication request to realm "DEFAULT"



Is there a better way to use the DEFAULT realm?

Regards,

Vincent Magnin


--- freeradius-server-2.0.1/src/main/realms.c	2008-01-09 14:39:13.0 +0100
+++ freeradius-server-2.0.1-defaultrealm/src/main/realms.c	2008-02-07 14:14:26.0 +0100
@@ -1323,11 +1323,21 @@
 REALM *realm_find(const char *name)
 {
 	REALM myrealm;
-
+	REALM *ret;
+	
 	if (!name) name = "NULL";
 
 	myrealm.name = name;
-	return rbtree_finddata(realms_byname, &myrealm);
+	ret = rbtree_finddata(realms_byname, &myrealm);
+	
+	if (!ret) {
+		const char *defrealm = "DEFAULT";
+		
+		myrealm.name = defrealm;
+		ret = rbtree_finddata(realms_byname, &myrealm);
+	}
+	
+	return ret;
 }
 
 
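Review bot: the DEFAULT fallback is placed inside realm_find(), which every caller shares, so any lookup of a name that does not exist now silently returns the DEFAULT realm instead of NULL, and a caller that relies on NULL meaning "no such realm" (for instance one checking whether a realm name is already defined before adding it) can no longer tell the two cases apart. Keep realm_find() an exact lookup and do the fallback in rlm_realm, where the existing `if (inst->ignore_default && (strcmp(realm->name, "DEFAULT")) == 0)` check already knows about DEFAULT, for example `realm = realm_find(realmname); if (!realm) realm = realm_find("DEFAULT");`, and add a DEBUG2 line saying the fallback was taken so that "No such realm" and "Found realm DEFAULT" remain distinguishable in radiusd -X output. Minor: the four `+\t` lines carry only trailing whitespace, and the `defrealm` variable is unnecessary (`myrealm.name = "DEFAULT";` suffices).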

Re: Re: Freeradius2 and proxing

2008-02-08 Thread Vincent Magnin

I have not received any comments about my supplied patch.

I will try to explain my issue better:

Freeradius 2.0.1 (or latest CVS):
src/modules/rlm_realm/rlm_realm.c:

/*
 *  Allow DEFAULT realms unless told not to.
 */
realm = realm_find(realmname);
if (!realm) {
   DEBUG2("rlm_realm: No such realm \"%s\"",
  (realmname == NULL) ? "NULL" : realmname);
   return 0;
}
if (inst->ignore_default && (strcmp(realm->name, "DEFAULT")) == 0) {
   DEBUG2("rlm_realm: Found DEFAULT, but skipping due to config.");
   return 0;
}


realmname contains the realm (suffix/ntdomain authorize).

If 'realmname' is not defined in proxy.conf and a DEFAULT realm
is defined in proxy.conf, realm_find returns NULL.


Thus, the correct debug message is shown:

rlm_realm: No such realm "example.com"



But the DEFAULT realm is not handled (-> return 0).

From my point of view, something is missing here to handle the DEFAULT realm.

Regards,

Vincent Magnin



Re: Re: Freeradius2 and proxing

2008-02-10 Thread Vincent Magnin

Alan DeKok <[EMAIL PROTECTED]> wrote:


Is there a better way to use the DEFAULT realm?


  Nope.  I've added a patch with the same behavior.


Thank you,

Vincent Magnin



Re: Re: Logging eap protocols

2008-12-03 Thread Vincent Magnin

Hello,

Have you tried using %{Auth-Type}?

Regards,

Vincent Magnin

Richard Timsit <[EMAIL PROTECTED]> wrote:


Alan DeKok wrote:



 You can use %{EAP-Type} to log the EAP type.  It would best be done as
part of a post-auth section.


Ok, this works perfectly, thanks a lot !
Is it conceivable to retrieve more info for EAP-TTLS or for some
other authentication methods, like PAP or CHAP for example?


Regards.
--
Richard Timsit <[EMAIL PROTECTED]>
EPFL DIT-TI




Re: Re: Re: Logging eap protocols

2008-12-04 Thread Vincent Magnin

Sorry for my previous email ;)

I meant: %{control:Auth-Type}

In my configuration, I use two different Auth-Types, one for PAP, one
for MS-CHAP.


Regards,

Vincent

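Putting the two expansions from this thread to work, as an added example that is not part of the thread: a linelog instance called from post-auth in both the outer and the inner-tunnel virtual server, so that each authentication leaves one line naming the outer EAP method (%{EAP-Type}) and the inner Auth-Type that actually ran (%{control:Auth-Type}; Auth-Type is a control item, which is why the bare %{Auth-Type} expands to nothing). File and module names (modules/methodlog, auth-methods.log) are assumed.

```text
# FreeRADIUS 2.x, added example (not the configuration of either poster).
# Assumed layout: the two linelog instances live in modules/methodlog and
# are called from the post-auth sections of sites-enabled/default and
# sites-enabled/inner-tunnel.

# --- modules/methodlog -------------------------------------------------
linelog outer_methodlog {
    filename = ${logdir}/auth-methods.log
    # %S is the request timestamp; EAP-Type is set by the eap module,
    # Auth-Type lives in the control list (hence %{control:...}).
    format = "%S outer nas=%{NAS-IP-Address} user=%{User-Name} eap=%{EAP-Type} auth=%{control:Auth-Type}"
}

linelog inner_methodlog {
    filename = ${logdir}/auth-methods.log
    # Inside the tunnel User-Name is the real identity and Auth-Type is
    # the method that checked the password (PAP, MS-CHAP, ...).
    format = "%S inner user=%{User-Name} eap=%{EAP-Type} auth=%{control:Auth-Type}"
}

# --- sites-enabled/default ---------------------------------------------
post-auth {
    outer_methodlog
    Post-Auth-Type REJECT {
        outer_methodlog
    }
}

# --- sites-enabled/inner-tunnel ----------------------------------------
post-auth {
    inner_methodlog
    Post-Auth-Type REJECT {
        inner_methodlog
    }
}
```

For EAP-TTLS with PAP inside, the pair of lines reads `outer ... eap=TTLS auth=EAP` followed by `inner ... eap= auth=PAP` (no EAP inside the tunnel, so %{EAP-Type} is empty there); for TTLS with MS-CHAPv2 the inner line shows `auth=MS-CHAP`, which is the two-Auth-Type split the follow-up describes. The inner line carries the real user identity that the anonymous outer identity is meant to keep away from the NAS and any intermediate proxy, so treat auth-methods.log with the same file permissions and retention as the detail and SQL logs.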