Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread Chris Decker
Arran - Ignore my "What would happen to the FreeRADIUS processes…" question - I 
meant to delete that before sending my message.


On Sep 5, 2013, at 9:34 PM, Chris Decker  wrote:

> Arran,
> 
> Thank you for taking the time to so clearly lay things out - it seems like 
> rlm_replicate will do exactly what we want!
> 
> I'm going to look into using redis, as it is supported by logstash 
> out-of-the-box and I'm guessing I'll get the benefit of 'guaranteed 
> delivery'.  What would happen to the FreeRADIUS processes should my client be 
> unable to connect back to the redis 'server' (for whatever reason) for an 
> extended period of time?  Also, should I be nervous about using the redis 
> module in production given the 'Experimental' redis module description in the 
> 2.1.1 changelog?
> 
> 
> 
> 
> Thanks,
> Chris
> 
> 
> P.s. My apologies for replying via the digest - you replied before I had time 
> to switch off of digests.
> 

Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread Chris Decker
Arran,

Thank you for taking the time to so clearly lay things out - it seems like 
rlm_replicate will do exactly what we want!

I'm going to look into using redis, as it is supported by logstash 
out-of-the-box and I'm guessing I'll get the benefit of 'guaranteed delivery'.  
What would happen to the FreeRADIUS processes should my client be unable to 
connect back to the redis 'server' (for whatever reason) for an extended period 
of time?  Also, should I be nervous about using the redis module in production 
given the 'Experimental' redis module description in the 2.1.1 changelog?




Thanks,
Chris


P.s. My apologies for replying via the digest - you replied before I had time 
to switch off of digests.



> Date: Thu, 5 Sep 2013 19:11:35 +0100
> From: Arran Cudbard-Bell 
> To: FreeRadius users mailing list
>   
> Subject: Re: FreeRADIUS Accounting Logging to Two Separate Locations
>   Simultaneously
> Message-ID: 
> Content-Type: text/plain; charset=us-ascii
> 
> 
> On 5 Sep 2013, at 18:29, Chris Decker  wrote:
> 
>> All,
>> 
>> I could use some help in understanding my options for the following scenario:
>> In our environment, FreeRADIUS currently writes its Accounting logs to the 
>> local drive - one file per authorized client.  In addition to the local 
>> logging, the Security group wants the Accounting logs sent to their logging 
>> cluster (in real-time) so they can put them in their elasticsearch database 
>> and respond to incidents.
> 
> Well you don't want the main log file from the daemon which makes it easier.  
> That can only go to one place.
> 
> There are four types modules you could use for this:
>   - linelog
>   - detail
>   - replicate
>   - the db modules (ldap, sql, redis)
> 
> Linelog can log to files or syslog, you construct the format lines using 
> static text and attributes.
> Detail can only log to files, it just dumps the contents of an attribute list 
> to a file.
> Replicate fires and forgets a copy of the Accounting-Request to a remote 
> server.
> The DB modules just log to a table.
> 
> You can list any combination of those modules in the accounting section of 
> the server to write to multiple destinations.
> 
> It's generally sensible to log one copy of the accounting packets to disk on 
> the box it was received, most people use the detail module for this.
> 
> For the other consumers, if they want off-box logging and don't want syslog, 
> forward them a copy of the packet using rlm_replicate.  This copies the 
> incoming packet to another destination.  It doesn't block, and doesn't wait 
> for a response, meaning it will be affected by packet loss.  But that 
> shouldn't be an issue on a campus network if you set the QoS priorities 
> correctly, and hey, at least no congestive failure.
> 
> For consuming those packets at the other end, you can use another instance of 
> FreeRADIUS (and configure it to not responsd), or radsniff can be used to 
> pick them off the wire with libpcap, and output them in something very 
> similar to detail format.
> 
> I've adopted radsniff as a bit of a pet project until FreeRADIUS 3.0.0 is 
> released (were currently in feature freeze, so I needed something to hack 
> on).  So if you want additional features like outputting packet 'signatures' 
> to syslog, and are willing to test the code then I'd be happy to add it in.
> 
>> My question: What is the best way to make both the Ops and Security groups 
>> happy given the below limitations:
>> - The Security group does not want to pull the logs from MySQL, as they want 
>> to use logstash/elasticsearch and this would just complicate things.
> 
> Yeah and who wants to manage SQL tables with millions of rows, eww.
> 
>> - The Ops group wants to avoid syslog because they fear syslog could block, 
>> causing their production FreeRADIUS servers to eventually stop responding to 
>> requests.
> 
> 
> Ok.
> 
>> The options we are exploring, in order of preference:
>> 1. "Robust Accounting" - the Ops team believes there is a way to have the 
>> logs written to two locations simultaneously - locally and remotely, and if 
>> the remote connection is lost it does not impact operations.  Is this 
>> possible?  Does anyone have a sample config they could share?
> 
> Um, that's a pretty basic feature of the server, just list multiple modules 
> in the accounting section.
> 
>> 2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly.  
>> A script would then essentially 'tail -f' the log file and stream the logs 
>>

FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread Chris Decker
All,

I could use some help in understanding my options for the following scenario:
In our environment, FreeRADIUS currently writes its Accounting logs to the 
local drive - one file per authorized client.  In addition to the local 
logging, the Security group wants the Accounting logs sent to their logging 
cluster (in real-time) so they can put them in their elasticsearch database and 
respond to incidents.

My question: What is the best way to make both the Ops and Security groups 
happy given the below limitations:
- The Security group does not want to pull the logs from MySQL, as they want to 
use logstash/elasticsearch and this would just complicate things.
- The Ops group wants to avoid syslog because they fear syslog could block, 
causing their production FreeRADIUS servers to eventually stop responding to 
requests.

--

The options we are exploring, in order of preference:
1. "Robust Accounting" - the Ops team believes there is a way to have the logs 
written to two locations simultaneously - locally and remotely, and if the 
remote connection is lost it does not impact operations.  Is this possible?  
Does anyone have a sample config they could share?
2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly.  A 
script would then essentially 'tail -f' the log file and stream the logs to the 
Security group (and would handle the hourly filename changes obviously).
3. Re-configure FreeRADIUS to log to syslog, and have syslog write to a local 
file AND send remotely to the Security group.  The Ops group wants to avoid 
syslog if at all possible.
4. Re-configure FreeRADIUS to also log to MySQL.  The Security group would then 
have to figure out a way to pull the data out in near-real time and insert it 
into their own database, which they would like to avoid.



Any comments or suggestions are welcome.




Thanks,
Chris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread Alan Buxey
The default install comes with a few accounting virtual servers that you can 
use.  I'd strongly advise one of the out-of-band asynchronous ones.

If you use UDP, syslog is not blocking... it is fire and forget... so you 
might lose packets if you have congested links or a disruption between source 
and destination.  For security, throw a VPN tunnel between the hosts.

In the end it's whatever floats your boat and is maintainable... you had a big 
list, some of which seem prone to issues and overworked. And why not think of it 
the other way around? Let security have all the logs and then give ops access 
to the data via their system... ops then no longer need to worry about data 
retention, the legal issues, disk space etc... they just run a radius daemon ;)

alan


Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread CHRISTOPHER SHELDON DECKER
Alan,

Thanks for responding. 

I'm from the Security group so I'm not intimately familiar with FreeRADIUS - 
can you please elaborate on how it would work if we set up a virtual 
accounting server?

Sent from my iPhone



Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously

2013-09-05 Thread Arran Cudbard-Bell

On 5 Sep 2013, at 18:29, Chris Decker  wrote:

> All,
> 
> I could use some help in understanding my options for the following scenario:
> In our environment, FreeRADIUS currently writes its Accounting logs to the 
> local drive - one file per authorized client.  In addition to the local 
> logging, the Security group wants the Accounting logs sent to their logging 
> cluster (in real-time) so they can put them in their elasticsearch database 
> and respond to incidents.

Well you don't want the main log file from the daemon which makes it easier.  
That can only go to one place.

There are four types of modules you could use for this:
- linelog
- detail
- replicate
- the db modules (ldap, sql, redis)

Linelog can log to files or syslog, you construct the format lines using static 
text and attributes.
Detail can only log to files, it just dumps the contents of an attribute list 
to a file.
Replicate fires and forgets a copy of the Accounting-Request to a remote server.
The DB modules just log to a table.

You can list any combination of those modules in the accounting section of the 
server to write to multiple destinations.

It's generally sensible to log one copy of the accounting packets to disk on 
the box it was received, most people use the detail module for this.

For the other consumers, if they want off-box logging and don't want syslog, 
forward them a copy of the packet using rlm_replicate.  This copies the 
incoming packet to another destination.  It doesn't block, and doesn't wait for 
a response, meaning it will be affected by packet loss.  But that shouldn't be 
an issue on a campus network if you set the QoS priorities correctly, and hey, 
at least no congestive failure.

For consuming those packets at the other end, you can use another instance of 
FreeRADIUS (and configure it to not respond), or radsniff can be used to pick 
them off the wire with libpcap, and output them in something very similar to 
detail format.

I've adopted radsniff as a bit of a pet project until FreeRADIUS 3.0.0 is 
released (we're currently in feature freeze, so I needed something to hack on).  
So if you want additional features like outputting packet 'signatures' to 
syslog, and are willing to test the code then I'd be happy to add it in.

> My question: What is the best way to make both the Ops and Security groups 
> happy given the below limitations:
> - The Security group does not want to pull the logs from MySQL, as they want 
> to use logstash/elasticsearch and this would just complicate things.

Yeah and who wants to manage SQL tables with millions of rows, eww.

> - The Ops group wants to avoid syslog because they fear syslog could block, 
> causing their production FreeRADIUS servers to eventually stop responding to 
> requests.


Ok.

> The options we are exploring, in order of preference:
> 1. "Robust Accounting" - the Ops team believes there is a way to have the 
> logs written to two locations simultaneously - locally and remotely, and if 
> the remote connection is lost it does not impact operations.  Is this 
> possible?  Does anyone have a sample config they could share?

Um, that's a pretty basic feature of the server, just list multiple modules in 
the accounting section.

> 2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly.  A 
> script would then essentially 'tail -f' the log file and stream the logs to 
> the Security group (and would handle the hourly filename changes obviously).

Sure. Unlike core logging, modules will re-open the file handle each time they 
write an entry.  This is nice because you can just move the files out of the way 
at rotate time, and not so nice because it's slow.  Depends on load as to 
whether this is ok.

> 3. Re-configure FreeRADIUS to log to syslog, and have syslog write to a local 
> file AND send remotely to the Security group.  The Ops group wants to avoid 
> syslog if at all possible.

Ok.

> 4. Re-configure FreeRADIUS to also log to MySQL.  The Security group would 
> then have to figure out a way to pull the data out in near-real time and 
> insert it into their own database, which they would like to avoid.
> 

Nah...

Replicate the packet stream, let them do whatever they want with it.  That's 
usually the easiest way to solve these sorts of issues.

-Arran

Arran Cudbard-Bell 
FreeRADIUS Development Team

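Chris asked for a sample config. What follows is an added example, not Arran's or Chris's configuration and not a file from the FreeRADIUS distribution; it wires up the two modules Arran recommends (detail for the local copy, rlm_replicate for the fire-and-forget copy) and shows the receiving side as a second FreeRADIUS instance that never answers. The addresses (192.0.2.x), the shared secret, and the names seclog, seclog-acct and radius1 are assumptions. The module, attribute and section names (raddb/modules/replicate, Replicate-To-Realm, proxy.conf home_server/realm, the Do-Not-Respond value of Response-Packet-Type) follow FreeRADIUS 2.x, so check them against your installed raddb before use.

```unlang
# ---- RADIUS server (Ops side): raddb/proxy.conf ----
# Destination for the replicated accounting stream. Address, secret and the
# name "seclog" are assumptions of this example.
home_server seclog {
    type   = acct
    ipaddr = 192.0.2.10
    port   = 1813
    secret = replace-with-a-long-random-secret
}

home_server_pool seclog {
    type        = fail-over
    home_server = seclog
}

realm seclog {
    acct_pool = seclog
}

# ---- RADIUS server (Ops side): raddb/sites-enabled/default ----
accounting {
    # Authoritative copy, written to local disk first. With the stock
    # "detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d" this is
    # one file per NAS per day, i.e. what is in place today. If the write
    # fails the section fails, no Accounting-Response is sent, and the NAS
    # retransmits, so nothing is silently lost locally.
    detail

    # Fire-and-forget copy of the raw Accounting-Request to the Security
    # collector. rlm_replicate sends to the pool of the named realm and never
    # waits for a reply, so a collector that is down cannot stall the daemon;
    # packets dropped on the way are simply gone (Arran's packet-loss caveat).
    update control {
        Replicate-To-Realm := "seclog"
    }
    replicate
}

# ---- Collector (Security side): raddb/clients.conf ----
# Only this client, with this secret, may feed the collector. Packets from any
# other source address are dropped before they reach the virtual server.
client radius1 {
    ipaddr    = 192.0.2.20
    secret    = replace-with-a-long-random-secret
    shortname = radius1
}

# ---- Collector (Security side): raddb/modules/seclog ----
# One key=value line per accounting packet for logstash to tail.
linelog seclog {
    filename = ${logdir}/acct-%D.log
    format = "%S type=%{Acct-Status-Type} user=%{User-Name} nas=%{NAS-IP-Address} port=%{%{NAS-Port}:--} station=%{%{Calling-Station-Id}:--} session=%{Acct-Session-Id} from=%{Packet-Src-IP-Address} (%{Client-Shortname})"
}

# ---- Collector (Security side): raddb/sites-enabled/seclog-acct ----
server seclog-acct {
    listen {
        type   = acct
        ipaddr = 192.0.2.10
        port   = 1813
    }

    accounting {
        seclog

        # Arran's "configure it to not respond": the collector is not the
        # NAS's accounting server, so it must never send Accounting-Response.
        update control {
            Response-Packet-Type := Do-Not-Respond
        }
    }
}
```

Two checks matter on the collector. FreeRADIUS verifies the Request Authenticator of every Accounting-Request against the shared secret and discards packets from addresses not listed in clients.conf, so a host on the campus network cannot inject forged accounting lines into the SIEM just by spraying UDP at port 1813; keep the secret long and distinct from the NAS secrets. RADIUS does not encrypt attributes other than User-Password, so user names and MAC addresses cross the wire in clear; that is the confidentiality gap Alan Buxey's VPN-tunnel suggestion closes.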


Re: EAP logging

2013-08-29 Thread Alan DeKok
Andrej wrote:
> This brings me back to my earlier question: what values are available
> where, and when, via which mechanism?

  This was asked and answered.  I suggest reading responses to your
messages.

  Asking what "values" are available is wrong.  There are no magic
"values" in the server.  There are just attributes in a packet.  If you
want to know what attributes are available, look at the debug output.

  That REALLY is it.  It's not hard.  It's not rocket science.  There's
no magic.

> I think I still don't fully understand how modules hang together, how
> I pass information from e.g. an EAP request into line-log,

  Read doc/aaa.rst

  You don't "pass" information into a module.  The incoming packet (and
associated data) is given to the module.  The module then decides what
to do.

> sites-enabled/eap-inner-tunnel, how I tell f_ticks (or linelog, or any
> other modules for that matter) which values I'd like to work with.

  Have you tried reading the debug output?  It's *telling you* what it's
doing.

  The f_ticks module is telling you what it's doing.  Have you tried
reading the default configuration for the "linelog" module?  It has LOTS
of documentation describing how it works.

  Ask *specific* questions about what's confusing you.

> I would like f_ticks to write out a single line into syslog that
> contains the inner and outer identity of an authentication request, the
> station ID and MAC address.

  So... do you see that data in the debug output?  If so, read "man
unlang" for how to reference attributes.  See the default "linelog"
configuration for how the module works.  Put the two together, and
you'll have it.

> Can anyone point me at a walk-through or how-to?  I've now spent days
> flicking from one wiki-page to the next, and reading mailing list
> archives w/o finding anything that helps me understand.

  There are NO examples which document exactly what you're trying to do.
 Most deployments are unique.  Creating documentation for every possible
deployment is impossible.

  It sounds like you're not understanding basic concepts, and reading
random web pages, looking for a magic solution.  This isn't the best
approach.

  Read doc/aaa.rst.  Read "man unlang".  Read the debug output.  Read
the default "linelog" configuration.

  Alan DeKok.


Re: EAP logging

2013-08-29 Thread Robert Franklin
On 28 Aug 2013, at 23:39, Andrej  wrote:

> I would like f_ticks to write out a single line into syslog that
> contains the inner and outer identity of an authentication request, the
> station ID and MAC address.
> 
> In case of a successful authentication or rejection I'd like to have
> the inner identity and a status on a line,

We do this by using lots of custom linelog instances.  In linelog.conf (just a 
few examples):

linelog acceptlog {
    filename = "/var/log/radius/auth-%D.log"

    format = "%S (%l) id %I ACCEPT %{User-Name} (station %{%{Calling-Station-Id}:--}) auth-type %{control:Auth-Type}/%{EAP-Type} realm %{%{Realm}:--} nas %{%{NAS-IP-Address}:-%{%{NAS-IPv6-Address}:--}-}/%{%{NAS-Port}:--} (operator %{%{Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) ap '%{%{UCam-AP-Name}:--}' essid '%{%{UCam-Essid-Name}:--}' => %{%{reply:User-Name}:--} reply-msg '%{reply:Reply-Message}'"
}

linelog inner-acceptlog {
    filename = "/var/log/radius/auth-%D.log"

    format = "%S (%l) id %I INNER-TUNNEL ACCEPT %{User-Name} (station %{%{outer.request:Calling-Station-Id}:--}) outer-id %{outer.request:User-Name} auth-type %{outer.control:Auth-Type}/%{outer.request:EAP-Type}/%{control:Auth-Type} realm %{%{Realm}:--} nas %{%{outer.request:NAS-IP-Address}:-%{%{outer.request:NAS-IPv6-Address}:--}}/%{%{outer.request:NAS-Port}:--} (operator %{%{outer.request:Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) ap '%{%{outer.request:UCam-AP-Name}:--}' essid '%{%{outer.request:UCam-Essid-Name}:--}' => %{%{reply:User-Name}:--} reply-msg '%{reply:Reply-Message}'"
}

linelog proxy-replylog {
    filename = "/var/log/radius/auth-%D.log"

    format = "%S (%l) id %I PROXY REPLY %{User-Name} (station %{%{Calling-Station-Id}:--}) auth-type /%{EAP-Type} realm %{%{Realm}:--} nas %{%{NAS-IP-Address}:-%{%{NAS-IPv6-Address}:--}-}/%{%{NAS-Port}:--} (operator %{%{Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) proxy %{%{proxy-reply:Packet-Src-IP-Address}:-%{%{proxy-reply:Packet-Src-IPv6-Address}:--}} proxy-reply-type %{proxy-reply:Packet-Type} proxy-reply-msg '%{proxy-reply:Reply-Message}' => %{%{proxy-reply:User-Name}:--}"
}


We call them as follows:


[default]

post-proxy {
  ...
  proxy-replylog
  ...
}

post-auth {
  ...
  acceptlog
  ...
}


[inner-tunnel]

post-auth {
  ...
  inner-acceptlog
  ...
}


There are some references to %{UCam-AP-Name} and things in there -- we set 
these with things like:

  if ("%{Aruba-Location-Id}") {
    update request {
      UCam-AP-Name := "%{Aruba-Location-Id}"
      UCam-Essid-Name := "%{Aruba-Essid-Name}"
    }
  }

... they let us not refer to the direct Aruba attributes and would allow us to 
more easily add another wireless system (we used to have Cisco but migrated 
away) - if we had to move again, we don't have lots of Cisco-specific bits all 
over the place.  Note that the attributes are defined in 'dictionary'.


The above stuff will give lines like:

2013-08-29 10:53:02 (1377769982) id 175 INNER-TUNNEL ACCEPT rc...@cam.ac.uk 
(station 0015AF81CEB3) outer-id @cam.ac.uk auth-type EAP/PEAP/EAP realm LOCAL 
nas 131.111.1.20/0 (operator 1lapwing.cam.ac.uk) client 131.111.1.20 
(erri...@lapwing.cam.ac.uk) ap '00:24:6c:c3:24:fd' essid 'eduroam' => rcf34 
reply-msg '[cam.ac.uk] Successful authentication '

[example from inner-acceptlog.]


Hope this helps,

  - Bob


-- 
 Bob Franklin   +44 1223 748479
 Network Division, University of Cambridge Computing Service



Re: EAP logging

2013-08-28 Thread Martin Kraus
On Thu, Aug 29, 2013 at 10:39:50AM +1200, Andrej wrote:
> On 28 August 2013 18:49, Alan Buxey  wrote:
> Thanks Alan,
> 
> > Your reference is wrong/unknown which means that there's a noop. This means
> > no operation which means no fticks output
> 
> This brings me back to my earlier question: what values are available
> where, and when, via which mechanism?
> 
> I think I still don't fully understand how modules hang together, how
> I pass information from e.g. an EAP request into line-log, or, looking at
> sites-enabled/eap-inner-tunnel, how I tell f_ticks (or linelog, or any
> other modules for that matter) which values I'd like to work with.

Everything becomes an attribute or a variable and the definitions are mostly
at /usr/share/freeradius/dictionary.freeradius.internal and you can also
define your own attributes in /etc/freeradius/dictionary. I use this to get 
time in a format similar to syslog by having a variable My-Local-Time and
calling an exec module with date command and assigning the result to this
variable which I can then reference in my linelog.

The only way I found to get what I need is to define a linelog, write
there the variables I hope will have what I'm looking for, call that
linelog from some part of the server configuration, and just run my clients
against it and see what happens.

for the username you can use outer.request:User-Name in the inner-tunnel which
should reference the outer tunnel User-Name. User-Name in the inner-tunnel
should be the inner EAP username. Also the attribute named
Inner-Tunnel-User-Name might have the inner EAP username but that might be
defined only in the post-auth section of the default server.

mk


Re: EAP logging

2013-08-28 Thread Andrej
On 28 August 2013 18:49, Alan Buxey  wrote:
Thanks Alan,

> Your reference is wrong/unknown which means that there's a noop. This means
> no operation which means no fticks output

This brings me back to my earlier question: what values are available
where, and when, via which mechanism?

I think I still don't fully understand how modules hang together, how
I pass information from e.g. an EAP request into line-log, or, looking at
sites-enabled/eap-inner-tunnel, how I tell f_ticks (or linelog, or any
other modules for that matter) which values I'd like to work with.

I would like f_ticks to write out a single line into syslog that
contains the inner and outer identity of an authentication request, the
station ID and MAC address.

In case of a successful authentication or rejection I'd like to have
the inner identity and a status on a line.

Can anyone point me at a walk-through or how-to?  I've now spent days
flicking from one wiki-page to the next, and reading mailing list
archives w/o finding anything that helps me understand.


Re: EAP logging

2013-08-27 Thread Alan Buxey
Your reference is wrong/unknown which means that there's a noop. This means no 
operation which means no fticks output

alan


Re: EAP logging

2013-08-27 Thread Andrej
On 28 August 2013 09:09, Alan DeKok  wrote:
>   See the debug output.  If it's in the debug output, you can use it.
> If it's not in the debug output, it doesn't exist.  And you can't use it.
>
>   You can always reference the outer tunnel from the inner one.

OK.  So, I found a couple of *key* statements in the debug output; and
running the server with -X gives me

[f_ticks]   expand: %{proxy-reply:Packet-Type} ->
[f_ticks]   ... expanding second conditional
[f_ticks]   expand: f_ticks.%{%{proxy-reply:Packet-Type}:-format}
-> f_ticks.format
WARNING: No such configuration item .f_ticks.format
[f_ticks] No such entry ".f_ticks.format"
++[f_ticks] returns noop


But I don't seem to be writing any output at all from the f_ticks
module (whether in debug mode or not).
It looks like this:
linelog f_ticks {
    filename = ${logdir}/f-ticks
    format = "%{outer.User-Name}#%{User-Name}#%{Packet-Src-IP-Address}#"
    reference = "f_ticks.%{%{proxy-reply:Packet-Type}:-format}"
    f_ticks {
        Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=EU#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=OK#"
        Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=EU#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=FAIL#"
    }
}



>   Alan DeKok.

Cheers,
Andrej
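The debug output above shows exactly why nothing is written: on an IdP the request is answered locally, so there is no proxy-reply list, %{proxy-reply:Packet-Type} expands to the empty string, the reference collapses to "f_ticks.format", and no item of that name exists inside the f_ticks { } subsection, hence the noop Alan Buxey refers to. Below is an added example, not Andrej's posted config and not a reply from the list, of the same instance keyed on the code of the reply about to be sent, plus a second linelog instance that puts both identities on one line and the inner-tunnel calls that make it work, following Arran's advice to read outer.request from the inner server. The F-TICKS strings are the ones Andrej posted; keying on %{reply:Packet-Type}, the "default" entry, the eap_ids instance, its format, and the filenames are assumptions of this example.

```unlang
# raddb/modules/f_ticks (added example)
linelog f_ticks {
    filename = ${logdir}/f-ticks

    # rlm_linelog requires "format" but ignores it once "reference" is set:
    # it then logs only the entry the reference resolves to, and returns
    # noop (writing nothing) when that entry does not exist.
    format = "%{outer.request:User-Name}#%{User-Name}#%{Packet-Src-IP-Address}#"

    # Key on the reply we are about to send. In post-auth that is
    # Access-Accept or Access-Reject, so the lookup becomes
    # f_ticks.Access-Accept / f_ticks.Access-Reject, both present below.
    # The ":-default" fallback turns any other code into a visible line
    # instead of a silent noop.
    reference = "f_ticks.%{%{reply:Packet-Type}:-default}"

    f_ticks {
        # Called from the inner tunnel, so attributes that only the NAS sends
        # (Operator-Name, Calling-Station-Id) are read from the outer request.
        Access-Accept = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=EU#VISINST=%{outer.request:Operator-Name}#CSI=%{outer.request:Calling-Station-Id}#RESULT=OK#"
        Access-Reject = "F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=EU#VISINST=%{outer.request:Operator-Name}#CSI=%{outer.request:Calling-Station-Id}#RESULT=FAIL#"
        # Diagnostic only; not a valid F-TICKS line.
        default       = "f_ticks: unexpected reply %{reply:Packet-Type} for %{outer.request:User-Name}"
    }
}

# The single line with both identities, the station and the result.
# F-TICKS deliberately carries no user name, so this goes to its own file.
linelog eap_ids {
    filename = ${logdir}/eap-ids
    format = "%S outer=%{outer.request:User-Name} inner=%{User-Name} station=%{%{outer.request:Calling-Station-Id}:--} nas=%{%{outer.request:NAS-IP-Address}:--} result=%{reply:Packet-Type}"
}

# raddb/sites-enabled/inner-tunnel
post-auth {
    f_ticks
    eap_ids

    # Rejections are handled here, not in the main post-auth body.
    Post-Auth-Type REJECT {
        f_ticks
        eap_ids
    }
}
```

Run the server with radiusd -X after the change: the expansion lines should now read "expand: f_ticks.%{%{reply:Packet-Type}:-default} -> f_ticks.Access-Accept" (or Access-Reject) and the module should return ok rather than noop. If they still show noop, the attribute named in the format does not exist in that list at that point, which is the check Alan DeKok describes: if it is not in the debug output, it is not there to log.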


Re: EAP logging

2013-08-27 Thread Alan DeKok
Andrej wrote:
> Cool - I'll give that a go.  Is there a comprehensive list anywhere of
> which kinds of values are permissible in which context?

  See the debug output.  If it's in the debug output, you can use it.
If it's not in the debug output, it doesn't exist.  And you can't use it.

  You can always reference the outer tunnel from the inner one.

  Alan DeKok.


Re: EAP logging

2013-08-27 Thread Andrej
On 28 August 2013 05:09, Arran Cudbard-Bell  wrote:
Hi Arran,

>> Is there a way to e.g. pass information from the outer processing on to the 
>> inner so I can log both from there, rather than logging both identities 
>> individually?  While it's feasible to have both when there's not much 
>> authentication traffic happening trying to correlate events if there are 
>> several within the same time-frame might become impossible.

> Sure. Just pull in outer.User-Name in your format string, and call it from 
> the inner server.

Cool - I'll give that a go.  Is there a comprehensive list anywhere of
which kinds of values are permissible in which context?



> -Arran
>
> Arran Cudbard-Bell 
> FreeRADIUS Development Team

Cheers,
Andrej


Re: EAP logging

2013-08-27 Thread Arran Cudbard-Bell

On 27 Aug 2013, at 17:59, Andrej  wrote:

> Hi,
> 
> I'm trying to find a way to log EAP requests and responses on an IdP in such  
> way that the inner and outer identity of a request end up on one line; using 
> linelog via f_ticks I managed to get a slightly more concise logging going 
> than the detail level in accounting messages.  But I'd like to be able to 
> correlate the two, and  am struggling to do so. 
> 
> Is there a way to e.g. pass information from the outer processing on to the 
> inner so I can log both from there, rather than logging both identities 
> individually?  While it's feasible to have both when there's not much 
> authentication traffic happening trying to correlate events if there are 
> several within the same time-frame might become impossible.
> 

Sure. Just pull in outer.User-Name in your format string, and call it from the 
inner server.

-Arran

Arran Cudbard-Bell 
FreeRADIUS Development Team



EAP logging

2013-08-27 Thread Andrej
Hi,

I'm trying to find a way to log EAP requests and responses on an IdP in
such  way that the inner and outer identity of a request end up on one
line; using linelog via f_ticks I managed to get a slightly more concise
logging going than the detail level in accounting messages.  But I'd like
to be able to correlate the two, and  am struggling to do so.

Is there a way to e.g. pass information from the outer processing on to the
inner so I can log both from there, rather than logging both identities
individually?  While it's feasible to have both when there's not much
authentication traffic happening trying to correlate events if there are
several within the same time-frame might become impossible.

Cheers,
Andrej

Re: Logging Cisco config changes with FreeRadius

2013-07-12 Thread Arran Cudbard-Bell

On 12 Jul 2013, at 23:31, kyle woock  wrote:

> FreeRadius Users,
> 
> I have installed FreeRadius on CentOS 6.4 in a VMware environment and I am 
> pretty new to using something like FreeRadius. However, I have it on my 
> virtual machine and it is running; I am able to authenticate against my Cisco 
> 3550 Switch that is on my desk and connected to the network. Anyway, the 
> reason I have this, and what I want it to do, is that once someone is logged 
> into a switch with the FreeRadius credentials I want the session to be logged 
> as to what they are changing. I know Cisco has a built-in logging system but 
> it is pretty vague; I was just curious if there is a way to actually show what 
> the person is changing.

ProCurve kit sends the commands issued in HP-Command-String (a VSA); I believe 
the HP commands closely mirror the Cisco ones for AAA.

http://wiki.freeradius.org/vendor/HP#Accounting-command-logging

> And if I need another product to go along with FreeRadius, if you guys could 
> point me in the right direction.

Nope, FreeRADIUS can log to syslog/flat file/SQL/REDIS or via Python and Perl.

Arran Cudbard-Bell 
FreeRADIUS Development Team



Logging Cisco config changes with FreeRadius

2013-07-12 Thread kyle woock
FreeRadius Users,

I have installed FreeRadius on CentOS 6.4 in a VMware environment and I am
pretty new to using something like FreeRadius. However, I have it on my
virtual machine and it is running; I am able to authenticate against my Cisco
3550 Switch that is on my desk and connected to the network. Anyway, the
reason I have this, and what I want it to do, is that once someone is logged
into a switch with the FreeRadius credentials I want the session to be logged
as to what they are changing. I know Cisco has a built-in logging system but
it is pretty vague; I was just curious if there is a way to actually show what
the person is changing. And if I need another product to go along with
FreeRadius, if you guys could point me in the right direction.

Any help would be greatly appreciated.

Thanks,

Kyle W.

Logging Access-Challenge in detail log

2012-12-05 Thread John Carter
Hi,

We're using 2.1.12.

We require a full log of everything that gets sent between a controller and
freeradius.

We've configured detail.log, inner-tunnel and default to log
authentications and replies which work for us, but is there any way to also
log Access-Challenge? I've read some very old posts that haven't helped.

Thanks,

John.

-- 
John Carter
Identity Networks
jcar...@identitynetworks.com

Re: Auth All and Logging

2012-10-09 Thread Alan Buxey
Possible, but unlikely to get what you want if you are using EAP methods and 
wireless.

alan



Re: Auth All and Logging

2012-10-09 Thread Fajar A. Nugraha
On Wed, Oct 10, 2012 at 5:30 AM, Metcalf, David wrote:
>
>
> Can freeradius be configured to authenticate all requests and only log the
> authentication attempts, including username and password in plain text.

Sort of. See 
http://wiki.freeradius.org/guide/FAQ#How-do-I-permit-access-to-any-user-regardless-of-password%253F

Clients usually support falling back to PAP, so if you want to implement
that, it might be faster to ONLY allow PAP in your FR config by
removing all references to chap & eap in the authorize and authenticate
sections.

-- 
Fajar


Auth All and Logging

2012-10-09 Thread Metcalf, David

Can freeradius be configured to authenticate all requests and only log the 
authentication attempts, including username and password in plain text.



Re: Logging of socket command file

2012-09-03 Thread John Horne
On Mon, 2012-09-03 at 12:57 +0200, Alan DeKok wrote:
> John Horne wrote:
> > Using FreeRadius 2.1.10, I am seeing a lot of logged 'Info' messages
> > about the socket command file. A snippet shows:
> > 
> > 
> > Mon Sep  3 11:12:41 2012 : Info:  ... adding new socket command
> > file /var/run/radiusd/radiusd.sock
> ...
> > As can be seen this occurs for a few seconds, stops, then starts again
> > five minutes later. I am at a bit of a loss as to what is causing this.
> 
>   radmin.
> 
>   You have configured a cron job to run radmin.
> 
> > My question is, is this something to be concerned about or is it normal
> > for these messages to appear so often?
> 
>   It's your system.  You caused this to happen.
> 
Okay, that's what I thought might be the reply. Trouble is I can't find
what is running radmin. I'll keep looking :-) Thanks.




John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: Logging of socket command file

2012-09-03 Thread Alan DeKok
John Horne wrote:
> Using FreeRadius 2.1.10, I am seeing a lot of logged 'Info' messages
> about the socket command file. A snippet shows:
> 
> 
> Mon Sep  3 11:12:41 2012 : Info:  ... adding new socket command
> file /var/run/radiusd/radiusd.sock
...
> As can be seen this occurs for a few seconds, stops, then starts again
> five minutes later. I am at a bit of a loss as to what is causing this.

  radmin.

  You have configured a cron job to run radmin.

> My question is, is this something to be concerned about or is it normal
> for these messages to appear so often?

  It's your system.  You caused this to happen.

  Alan DeKok.


Logging of socket command file

2012-09-03 Thread John Horne
Hello,

Using FreeRadius 2.1.10, I am seeing a lot of logged 'Info' messages
about the socket command file. A snippet shows:


Mon Sep  3 11:12:41 2012 : Info:  ... adding new socket command
file /var/run/radiusd/radiusd.sock
Mon Sep  3 11:12:41 2012 : Info:  ... closing socket command
file /var/run/radiusd/radiusd.sock
Mon Sep  3 11:12:42 2012 : Info:  ... adding new socket command
file /var/run/radiusd/radiusd.sock
Mon Sep  3 11:12:42 2012 : Info:  ... closing socket command
file /var/run/radiusd/radiusd.sock
Mon Sep  3 11:12:43 2012 : Info:  ... adding new socket command
file /var/run/radiusd/radiusd.sock
Mon Sep  3 11:12:43 2012 : Info:  ... closing socket command
file /var/run/radiusd/radiusd.sock
Mon Sep  3 11:17:41 2012 : Info:  ... adding new socket command
file /var/run/radiusd/radiusd.sock
Mon Sep  3 11:17:41 2012 : Info:  ... closing socket command
file /var/run/radiusd/radiusd.sock
Mon Sep  3 11:17:42 2012 : Info:  ... adding new socket command
file /var/run/radiusd/radiusd.sock
Mon Sep  3 11:17:42 2012 : Info:  ... closing socket command
file /var/run/radiusd/radiusd.sock


As can be seen this occurs for a few seconds, stops, then starts again
five minutes later. I am at a bit of a loss as to what is causing this.
My question is, is this something to be concerned about or is it normal
for these messages to appear so often?



Thanks,

John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: Logging raw accounting packets

2012-08-18 Thread Alan Buxey
A bit of radsniff and even raddebug (just capturing accounting packets) via 
radmin might be enough to capture the badness they are sending?

alan


Re: Logging raw accounting packets

2012-08-18 Thread Alan DeKok
Brian Candler wrote:
> The reason: vendors have bugs in their accounting implementations, and we
> want to be able to show them the original raw packets to prove it's not our
> accounting collectors which are mis-interpreting the data.

  My $0.02 is that you should name && shame the vendors.  This has
worked well in the past.

> The problem with tcpdump is being able to find quickly the packets of
> interest (e.g.  given a username, or given a FreeRadius
> Acct-Unique-Session-Id which is an MD5 across multiple attributes). So I
> want to extract the attributes of interest and index them alongside the raw
> data, or offsets into the raw data.

  You can log the packet src/dst ip/port, and the timestamp.  That
should be good enough to quickly find it in a PCAP file.

  The problem with dumping raw packets is that you can't.  You'll have
to convert them to hex, which doubles the size.

  It's possible, and probably only ~200 lines of code.  But I don't
really see much benefit for the wider audience.

  I'd suggest writing a module which does nothing more than register a
"raw_packet" xlat callback.  That way it will be easy to integrate into
any new release of the server.

  Alan DeKok.


Re: Logging raw accounting packets

2012-08-18 Thread Brian Candler
>   There's no module to do this.  There are very few reasons to do this,
> IMHO.

The reason: vendors have bugs in their accounting implementations, and we
want to be able to show them the original raw packets to prove it's not our
accounting collectors which are mis-interpreting the data.

The problem with tcpdump is being able to find quickly the packets of
interest (e.g.  given a username, or given a FreeRadius
Acct-Unique-Session-Id which is an MD5 across multiple attributes). So I
want to extract the attributes of interest and index them alongside the raw
data, or offsets into the raw data.


Re: Logging raw accounting packets

2012-08-17 Thread Alan DeKok
Brian Candler wrote:
> I would like to put accounting logs into some sort of database, but store
> the entire raw binary packet as well as some decoded attributes.

  I'd suggest using tcpdump for raw packets.

> I can think of plenty of options for the storage: e.g. mysql Blob column,
> CouchDB binary attachment, MongoDB etc.  But I can't see how to get at the
> raw packet from the freeradius config.  Even rlm_perl doesn't seem to
> receive the raw packet, only a hash of decoded attributes.
> 
> Is there a module which can do this already, or should I be looking to hack
> something up in C?

  There's no module to do this.  There are very few reasons to do this,
IMHO.

  Alan DeKok.



Logging raw accounting packets

2012-08-17 Thread Brian Candler
I would like to put accounting logs into some sort of database, but store
the entire raw binary packet as well as some decoded attributes.

I can think of plenty of options for the storage: e.g. mysql Blob column,
CouchDB binary attachment, MongoDB etc.  But I can't see how to get at the
raw packet from the freeradius config.  Even rlm_perl doesn't seem to
receive the raw packet, only a hash of decoded attributes.

Is there a module which can do this already, or should I be looking to hack
something up in C?

Thanks,

Brian.


Re: How to exclude particular user from the logging

2012-05-10 Thread Alan DeKok
dorje2...@seznam.cz wrote:
> Hi Alan, thanks for your answer. Actually I'm not logging into radius.log, but 
> to be precise I'm sending the logs into syslog at the facility local1.
> Is it the same in this case?

  Yes.

  Alan DeKok.


Re: How to exclude particular user from the logging

2012-05-10 Thread dorje2007

> > is it possible to exclude a particular user from being logged in the
> > radius.log file?
> 
>   Not really.  If you're logging user authentications, they *all* get
> logged.
> 
> > I have some users that periodically connect and download config files from 
> > the routers and they have filled the log quite a lot.
> 
>   Then don't log user authentications in radius.log.  Log them in SQL or
> something else.
> 

Hi Alan, thanks for your answer. Actually I'm not logging into radius.log, but 
to be precise I'm sending the logs into syslog at the facility local1.
Is it the same in this case?

thanks

pet


Re: How to exclude particular user from the logging

2012-05-10 Thread Alan DeKok
dorje2...@seznam.cz wrote:
> is it possible to exclude a particular user from being logged in the 
> radius.log file?

  Not really.  If you're logging user authentications, they *all* get
logged.

> I have some users that periodically connect and download config files from 
> the routers and they have filled the log quite a lot.

  Then don't log user authentications in radius.log.  Log them in SQL or
something else.

  Alan DeKok.


How to exclude particular user from the logging

2012-05-10 Thread dorje2007
Hi,
is it possible to exclude a particular user from being logged in the radius.log 
file?
I have some users that periodically connect and download config files from the 
routers and they have filled the log quite a lot.

Thanks

Pet


Re: Access requests logging to SQL: How to save comments for rejected requests?

2012-04-28 Thread George Koulyabin
No, I used a reference to %{Module-Failure-Message}. 
I changed the reference from %{Module-Failure-Message} to 
%{control:Module-Failure-Message} and the message 'User not found' dropped to 
the database. It works.
But when I sent a request with a wrong password, the message 'Bad password' did 
not drop to the database because the module saved the message to 
%{Module-Failure-Message}. 

I found what must be updated (after a set of experiments).

...
authorize {
        sql_auth
        if ( notfound ) {
                # Update 'request' as a
                update request {
                        # Replace attribute
                        Module-Failure-Message = 'User not found'
                }
        }
}
...

Thanks for your help.



On Sat, Apr 28, 2012 at 08:54:06AM +0200, Alan DeKok wrote:
>   How are you referencing it?  You added it to the "control" list.  Are
> you using %{control:Module-Failure-Message} ?
> 
>   Alan DeKok.


Re: Access requests logging to SQL: How to save comments for rejected requests?

2012-04-28 Thread Alan DeKok
George Koulyabin wrote:
> And 'Module-Failure-Message' is empty.
> 
> Did I make a mistake in configuration?

  How are you referencing it?  You added it to the "control" list.  Are
you using %{control:Module-Failure-Message} ?

  Alan DeKok.


Re: Access requests logging to SQL: How to save comments for rejected requests?

2012-04-27 Thread George Koulyabin
I tried to implement your advice.

1) Changes in configuration:

authorize {
        ...

        sql_auth
        if ( notfound ) {
                update control {
                        Module-Failure-Message := 'User not found'
                }
        }
        ...
}

2) Run RADIUS in debugging mode

Some debugging info:

...
[sql_auth] returns notfound
+++? if (notfound )
? Evaluating (notfound ) -> TRUE
+++? if (notfound ) -> TRUE
+++- entering if (notfound ) {...}
[control] returns notfound
+++- if (notfound ) returns notfound
...


And 'Module-Failure-Message' is empty.

Did I make a mistake in configuration?



On Fri, Apr 27, 2012 at 03:11:27PM +0200, Alan DeKok wrote:
>   As always, run the server in debugging mode to see what it's doing.
> 
>   If the user isn't found, you'll probably have to add a message yourself.
> 


Re: Access requests logging to SQL: How to save comments for rejected requests?

2012-04-27 Thread Alan DeKok
George Koulyabin wrote:
> I do it. But I see comments in some cases only. This attribute is filled when 
> access is rejected with a wrong password. But this attribute is empty when the 
> user is not found (unknown username). Does another attribute (or hint) exist 
> for cases when Module-Failure-Message is empty?

  As always, run the server in debugging mode to see what it's doing.

  If the user isn't found, you'll probably have to add a message yourself.

  Alan DeKok.


Re: Access requests logging to SQL: How to save comments for rejected requests?

2012-04-27 Thread George Koulyabin
I do it. But I see comments in some cases only. This attribute is filled when 
access is rejected with a wrong password. But this attribute is empty when the 
user is not found (unknown username). Does another attribute (or hint) exist 
for cases when Module-Failure-Message is empty?

On Fri, Apr 27, 2012 at 02:00:42PM +0200, Alan DeKok wrote:
> George Koulyabin wrote:
> > Records drop to the database when access is rejected. But I want to see the 
> > reason for rejection, as in radius.log.
> 
>   Edit the SQL queries to include Module-Failure-Message.
> 
>   Alan DeKok.


Re: Access requests logging to SQL: How to save comments for rejected requests?

2012-04-27 Thread Alan DeKok
George Koulyabin wrote:
> Records drop to the database when access is rejected. But I want to see the 
> reason for rejection, as in radius.log.

  Edit the SQL queries to include Module-Failure-Message.

  Alan DeKok.


Re: Access requests logging to SQL: How to save comments for rejected requests?

2012-04-27 Thread George Koulyabin

I'm using this section.

...
        Post-Auth-Type REJECT {
                ...
                sql_auth
        }
...

Records drop to the database when access is rejected. But I want to see the 
reason for rejection, as in radius.log.
On Fri, Apr 27, 2012 at 11:17:30AM +0200, Alan DeKok wrote:
> George Koulyabin wrote:
> > I tried to save the results of processing access requests to an SQL database 
> > using postauth_query. I used the 'Module-Failure-Message' attribute as a 
> > comment for rejected requests. The message 'rlm_pap: CLEAR TEXT password 
> > check failed' drops to the database when the password is wrong, for example. 
> > But the attribute 'Module-Failure-Message' (and the attribute 
> > 'Module-Success-Message') is empty when the user is not found, for example. 
> > And there may be other reasons.
> > How can I save comments for rejected requests? 
> 
>   Use the "Post-Auth-Type Reject" section.
> 
>   Alan DeKok.


Re: Access requests logging to SQL: How to save comments for rejected requests?

2012-04-27 Thread Alan DeKok
George Koulyabin wrote:
> I tried to save the results of processing access requests to an SQL database 
> using postauth_query. I used the 'Module-Failure-Message' attribute as a 
> comment for rejected requests. The message 'rlm_pap: CLEAR TEXT password 
> check failed' drops to the database when the password is wrong, for example. 
> But the attribute 'Module-Failure-Message' (and the attribute 
> 'Module-Success-Message') is empty when the user is not found, for example. 
> And there may be other reasons.
> How can I save comments for rejected requests? 

  Use the "Post-Auth-Type Reject" section.

  Alan DeKok.


Access requests logging to SQL: How to save comments for rejected requests?

2012-04-27 Thread George Koulyabin
Hi.

I am using FreeRADIUS 2.1.12.

I tried to save the results of processing access requests to an SQL database 
using postauth_query. I used the 'Module-Failure-Message' attribute as a 
comment for rejected requests. The message 'rlm_pap: CLEAR TEXT password 
check failed' drops to the database when the password is wrong, for example. 
But the attribute 'Module-Failure-Message' (and the attribute 
'Module-Success-Message') is empty when the user is not found, for example. 
And there may be other reasons.
How can I save comments for rejected requests? 


RE: Setting up FreeRADIUS accounting with IP address logging

2012-04-15 Thread Andres Septer


- Original Message -
From: "Alan Buxey" 

>I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 
>enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good 
>solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. 
>There are a few problems I cannot figure out though:
[snip]

OFFTOPIC, but isn't it stated in the dd-wrt documentation that only WPA2-AES 
auth works correctly on dd-wrt? 


Andres Septer

Systems Administrator
Navirec Software OÜ
Tallinn, Estonia
http://navirec.com


RE: Setting up FreeRADIUS accounting with IP address logging

2012-04-15 Thread Alan Buxey
hi,


>I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 
>enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good 
>solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. 
>There are a few problems I cannot figure out though:

I'd advise that you run the latest version before doing anything else. 

>1. How to set up plain-text accounting.
>I saw in the configuration that the log directory is set to 
>/var/log/freeradius/radacct so I created the directory and made writable (777 
>to be sure) but alas, there are no logs.

Accounting requires your NAS (your Linksys boxes with dd-wrt) to actually send 
accounting packets. You should still get authentication logs in the 
/var/log/freeradius directory (when you don't run in debug mode!)

>2. How to get freeRADIUS to work with a DHCP server.
>I'm not asking about the experimental built-in DHCP server, as it seems very 
>limited, but is it possible to somehow log the IP addresses that each user is 
>assigned? We need to know who was using a certain IP address at a certain 
>time.

Accounting will show IP address versus MAC address. However, to use a DHCP 
server just ensure that the network that people are dropped onto after 
authorization/authentication has a DHCP listener on it to hand out addresses. 
Your Linux box could have an interface on the client network and be handing 
out IP addresses via ISC DHCPD for example. You could always take the syslog 
of the DHCP server pumped across the net to syslog-ng on your Linux box too; 
with some local scripts you can tie things together like that too.

>3. How to connect using Windows.
>It's dead simple to connect to the network with linux, mac and smartphones but 
>for Windows it seems impossible to find the right combination of settings. I 
>haven't googled this issue so much, so maybe there's a simple answer. Also, 
>it's a later problem.

? Just choose PEAP, ensure that you are NOT using the Windows login 
username/password (unless you have access to e.g. Active Directory).
Check the certificate, validate the CA... if you search for e.g. 'eduroam 
windows' you'll find hundreds of academic sites that use 802.1X with Windows
- just look at their step by step instructions... and IGNORE those that say 
don't check the cert/CA (!)

alan

>P.S. I have attached the radiusd.conf file at the end. I haven't changed much 
>though.

radiusd -X is the only thing of use on the ML



Re: Setting up FreeRADIUS accounting with IP address logging

2012-04-14 Thread Fajar A. Nugraha
On Sat, Apr 14, 2012 at 5:06 PM, Johan Swetzén wrote:
> Hi!
>
> I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 
> enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good 
> solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. 
> There are a few problems I cannot figure out though:
>
> 1. How to set up plain-text accounting.
> I saw in the configuration that the log directory is set to 
> /var/log/freeradius/radacct so I created the directory and made writable (777 
> to be sure) but alas, there are no logs.

Your NAS needs to send accounting packets. IIRC dd-wrt does NOT send
accounting packets when used in 802.1x/WPA2-enterprise. chillispot,
however, DOES send accounting packets. So you either need to change
your NAS, or change your setup with dd-wrt to use captive portal with
chillispot.

>
> 2. How to get freeRADIUS to work with a DHCP server.
> I'm not asking about the experimental built-in DHCP server, as it seems very 
> limited, but is it possible to somehow log the IP addresses that each user is 
> assigned? We need to know who was using a certain IP address at a certain 
> time.
>

The easiest way? Use v2.1.x branch from git, activate its DHCP server,
and use dhcp_sqlippool, which would use DB to hand out IP addresses :)

AFAIK some NAS (e.g. mikrotik:
http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server ) can ask a radius
server for IP address (in standard framed-ip-address attribute), and
hand it to DHCP clients. But since you say you use dd-wrt, it might
not apply to you.

> 3. How to connect using Windows.
> It's dead simple to connect to the network with linux, mac and smartphones 
> but for Windows it seems impossible to find the right combination of 
> settings. I haven't googled this issue so much, so maybe there's a simple 
> answer. Also, it's a later problem.

If you use captive portal setup, it's easy.
If you use 802.1x, you probably need to make sure that FR tries
PEAP-MSCHAP first (e.g. by changing the default EAP type in eap.conf?)

-- 
Fajar


Re: Setting up FreeRADIUS accounting with IP address logging

2012-04-14 Thread Matthew Newton
Hi Johan,

On Sat, Apr 14, 2012 at 12:06:54PM +0200, Johan Swetzén wrote:
> I'm setting up wifi internet in my student dorm (90 people) and
> thought wpa2 enterprise with FreeRADIUS (version 2.1.8 running
> on Ubuntu) would be a good solution, together with the
> incredibly stable Linksys WRT54GL and dd-wrt. There are a few
> problems I cannot figure out though:

2.1.8 is pretty old. You should really run the latest 2.1.12,
which fixes a number of bugs. It's easy to get running on
debian/ubuntu, as the freeradius source comes with debian
packaging stuff. See
http://wiki.freeradius.org/Build#Building+Debian+packages

However, what you're trying to do will work on 2.1.8.


> 1. How to set up plain-text accounting.
> I saw in the configuration that the log directory is set to
> /var/log/freeradius/radacct so I created the directory and made
> writable (777 to be sure) but alas, there are no logs.

The default config creates this directory and writes logs to it.
If you have broken the default config, then it won't work. My
guess is a permissions problem, or you've fiddled with the config
a lot and broken it, or the NAS is not sending accounting packets.

You need to run freeradius as 'freeradius -X' and read the debug
output to see what's happening. Look for the 'detail' lines. If
you see no accounting packets arrive, work out what's broken on
your NAS or network.

> 2. How to get freeRADIUS to work with a DHCP server.
> I'm not asking about the experimental built-in DHCP server, as
> it seems very limited, but is it possible to somehow log the IP
> addresses that each user is assigned? We need to know who was
> using a certain IP address at a certain time.

a) see the answer to question 1.

b) The NAS should return the client's IP address in the
*accounting* packets, which you aren't currently getting, so you
won't see anything at the moment. The end-user's IP address, if
sent, should be in the Framed-IP-Address attribute. Their MAC
address should be in the accounting logs, and any auth logs, as
the Calling-Station-Id attribute.

> 3. How to connect using Windows.
> It's dead simple to connect to the network with linux, mac and
> smartphones but for Windows it seems impossible to find the
> right combination of settings. I haven't googled this issue so
> much, so maybe there's a simple answer. Also, it's a later
> problem.

If you're using Active Directory:
http://wiki.freeradius.org/freeradius_active_directory_integration_howto

If not, see the same page especially
http://wiki.freeradius.org/freeradius_active_directory_integration_howto#Configuration+of+users
and the MS-CHAP-Use-NTLM-Auth := 0 bit.

In short, you need to use PEAP with MS-CHAPv2, or EAP-TLS
(certificates/PKI), if you're using Windows <= 7.

> P.S. I have attached the radiusd.conf file at the end. I haven't changed much 
> though.

That file is essentially useless; it's the whole config that
matters, and that's only a very small part. You need to send the
debug output from 'freeradius -X' next time.

Cheers

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
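One accounting-side linelog, as an added example (not from either thread or the FreeRADIUS distribution), that serves two questions on this page: Alan DeKok's suggestion in "Logging raw accounting packets" to record src/dst ip/port and the timestamp as the index into a tcpdump capture, and the who-had-which-IP-when question in this thread, answered from Framed-IP-Address and Calling-Station-Id. FreeRADIUS 2.x syntax; the module name, log path and field order are assumptions.

```conf
# modules/linelog  (added example; module name and path are assumptions)
#
# One line per Accounting-Request.  %l is the request time as seconds since
# the epoch, which lines up directly with `tcpdump -tt` output; together with
# the source/destination address and port it locates the raw packet in a
# pcap without storing the packet itself.  Acct-Unique-Session-Id is only
# present if acct_unique has run in preacct before this module.
linelog acct_index {
        filename = ${logdir}/acct-index.log
        permissions = 0600
        format = "%l %{Packet-Src-IP-Address}:%{Packet-Src-Port} -> %{Packet-Dst-IP-Address}:%{Packet-Dst-Port} type=%{Acct-Status-Type} uniq=%{Acct-Unique-Session-Id} sess=%{Acct-Session-Id} user=%{User-Name} mac=%{Calling-Station-Id} ip=%{%{Framed-IP-Address}:-none} nas=%{NAS-IP-Address}"
}

# sites-available/default (only the two accounting sections shown)
preacct {
        preprocess
        acct_unique          # computes Acct-Unique-Session-Id from the packet
        suffix
        files
}

accounting {
        detail               # keep the full per-attribute detail file as well
        acct_index           # plus one indexable line per packet
}
```

The ip= field stays "none" until the NAS actually sends Accounting-Requests carrying Framed-IP-Address, which is the first thing to confirm with freeradius -X.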


Setting up FreeRADIUS accounting with IP address logging

2012-04-14 Thread Johan Swetzén
that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: {no, yes}
#
hostname_lookups = no

#  Core dumps are a bad thing.  This should only be set to 'yes'
#  if you're debugging a problem with the server.
#
#  allowed values: {no, yes}
#
allow_core_dumps = no

#  Regular expressions
#
#  These items are set at configure time.  If they're set to "yes",
#  then setting them to "no" turns off regular expression support.
#
#  If they're set to "no" at configure time, then setting them to "yes"
#  WILL NOT WORK.  It will give you an error.
#
regular_expressions = yes
extended_expressions= yes

#
#  Logging section.  The various "log_*" configuration items
#  will eventually be moved here.
#
log {
#
#  Destination for log messages.  This can be one of:
#
#   files - log to "file", as defined below.
#   syslog - to syslog (see also the "syslog_facility", below.
#   stdout - standard output
#   stderr - standard error.
#
#  The command-line option "-X" over-rides this option, and forces
#  logging to go to stdout.
#
destination = files

#
#  The logging messages for the server are appended to the
#  tail of this file if destination == "files"
#
#  If the server is running in debugging mode, this file is
#  NOT used.
#
file = ${logdir}/radius.log

#
#  If this configuration parameter is set, then log messages for
#  a *request* go to this file, rather than to radius.log.
#
#  i.e. This is a log file per request, once the server has accepted
#  the request as being from a valid client.  Messages that are
#  not associated with a request still go to radius.log.
#
#  Not all log messages in the server core have been updated to use
#  this new internal API.  As a result, some messages will still
#  go to radius.log.  Please submit patches to fix this behavior.
#
#  The file name is expanded dynamically.  You should ONLY use
#  server-side attributes for the filename (e.g. things you control).
#  Using this feature MAY also slow down the server substantially,
#  especially if you do things like SQL calls as part of the
#  expansion of the filename.
#
#  The name of the log file should use attributes that don't change
#  over the lifetime of a request, such as User-Name,
#  Virtual-Server or Packet-Src-IP-Address.  Otherwise, the log
#  messages will be distributed over multiple files.
#
#  Logging can be enabled for an individual request by a special
#  dynamic expansion macro:  %{debug: 1}, where the debug level
#  for this request is set to '1' (or 2, 3, etc.).  e.g.
#
#   ...
#   update control {
#  Tmp-String-0 = "%{debug:1}"
#   }
#   ...
#
#  The attribute that the value is assigned to is unimportant,
#  and should be a "throw-away" attribute with no side effects.
#
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log

#
#  Which syslog facility to use, if ${destination} == "syslog"
#
#  The exact values permitted here are OS-dependent.  You probably
#  don't want to change this.
#
syslog_facility = daemon

#  Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
auth = yes

#  Log passwords with the authentication requests.
#  auth_badpass  - logs password if it's rejected
#  auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = yes

#  Log additional text at the end of the "Login OK" messages.
#  For these to work, the "auth" and "auth_goodpass" or "auth_badpass"
#  configurations above have to be set to "yes".
#
#  The strings below are dynamically expanded, which means that
#  you can put anything you want in them.  However, note that
#  this expansion can be slow, and can negatively impact server
#  performance.
#
#   msg_goodpass = ""
#   msg_badpass = ""
}

#  The program to execute to do concurre

Re: Question on logging EAP/PEAP authentication rejections

2012-03-21 Thread Josh Hiner
>
>   It's a section, just like any other section.  This is documented in
> "man unlang".  You put modules or "unlang" rules there.  This is
> documented in "man unlang".
>

Thanks!! That is exactly what I needed. I did not know to look in that man
page. Awesome!

>
> > If there is documentation on
> > Post-Auth-Type REJECT { that is more than a paragraph please point me to
> > it I'd be very interested in it. I can't follow advice that's not given to
> > me or read documentation that seems to be impossible to find? I'm just
> > confused on the replies I received. Oh well.
>
>   The documentation assumes some amount of independent thought.
>
>  *This* is the cause of most of the contention on this list.  Some
> people want to be spoon-fed every possible piece of information.  They
> get testy when that doesn't happen.
>
>  I get frustrated when people don't bother reading the documentation I
> wrote.  I give direct opinions when they express how bad the
> documentation is... that they haven't read.
>

I'm sorry I upset you. I could have worded the last part better. FreeRADIUS
is so full of great features that sometimes the doc is not where you expect
it, which is why I needed help finding where this was documented. I did
figure it out without it in the end anyway. The man unlang advice was
exactly what I needed and the doc is very clear. Thanks.

>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Question on logging EAP/PEAP authentication rejections

2012-03-20 Thread Alan DeKok
Josh Hiner wrote:
> I'm not sure why people kept telling me to read the spot
> above the Post-Auth-Type Reject section.

  Because it describes how the Post-Auth-Type Reject section works.

  Note: no text saying "it magically doesn't log User-Names"

> Here is a paste of the text
> above that section.

  Because we haven't seen it before, right?

> This section was of no help to why usernames were not getting logged in
> the detail logs for rejections. From my emails I believe I conveyed that
> I was reading documentation and doing the best I could on my own without
> being a mooch. The only reason I can think of such short and erroneous
> replies is that some people helping on the list are generally annoyed by
> any questions.

  No... they're annoyed at people who ask questions that are answered in
the documentation.

> That is too bad. A quick reply of "use linelog" would
> have been helpful. Why not help people?

  Are you really implying I haven't spent 12 years writing free software
and helping people?  If that is what you're implying, I have nothing
polite to say to you.  If that's not what you're implying, then you're
admitting that the question is rude and inflammatory.

  Honestly, why are so many people insistent on pissing off the people
who help them for free?  You're getting free software, free support, and
free bug fixes.  Yet that isn't good enough.  We have to spend MORE time
because the answers we give aren't good enough for you.

  Why not just unsubscribe?  If you insist on denigrating me, I'll just
do it for you.

  Alan DeKok.


Re: Question on logging EAP/PEAP authentication rejections

2012-03-20 Thread Alan DeKok
Josh Hiner wrote:
> ...to remind you what Alan said:
> 
>>  Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.
>>
>>  This is documented.
>  
> in post-auth section
> 
> 
>     Post-Auth-Type REJECT {
>         attr_filter.access_reject
>     }

  *This* is the cause of contention on the list.  You've ignored the
comment just above that... which documents how the Post-Auth-Type Reject
section works.

> What advice didn't I follow? That's all the advice I was given.

  The advice assumes that you have an open mind.

> Put stuff
> in there (Post-Auth-Type REJECT) which I did do. First I tried reply_log
> (which didn't log username)

  It logs the replies.  It will log User-Name if it's in the reply.

> so after much trial I modified linelog. I
> couldn't find documentation even with searching online about what to put
> in there. I pretty much guessed in the end.

  It's a section, just like any other section.  This is documented in
"man unlang".  You put modules or "unlang" rules there.  This is
documented in "man unlang".

> If there is documentation on
> Post-Auth-Type REJECT { that is more than a paragraph please point me to
> it I'd be very interested in it. I can't follow advice that's not given to
> me or read documentation that seems to be impossible to find? I'm just
> confused on the replies I received. Oh well.

  The documentation assumes some amount of independent thought.

  It doesn't describe all possible configurations.  It can't.  Instead,
it describes how the system works.  It describes how *you* can use
the tools at your disposal to solve any problem.

  *This* is the cause of most of the contention on this list.  Some
people want to be spoon-fed every possible piece of information.  They
get testy when that doesn't happen.

  I get frustrated when people don't bother reading the documentation I
wrote.  I give direct opinions when they express how bad the
documentation is... that they haven't read.

  Alan DeKok.

Re: Question on logging EAP/PEAP authentication rejections

2012-03-20 Thread Josh Hiner
Ok. I did follow this advice:


> Ok I went back, looked at the config, and used some common sense to figure
> part of it out. I have it now logging replies for rejects using the


...to remind you what Alan said:

>  Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.
>
>  This is documented.


in post-auth section


    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }

put things in that bit


What advice didn't I follow? That's all the advice I was given. Put stuff in
there (Post-Auth-Type REJECT) which I did do. First I tried reply_log
(which didn't log username) so after much trial I modified linelog. I
couldn't find documentation even with searching online about what to put in
there. I pretty much guessed in the end. If there is documentation on
Post-Auth-Type REJECT { that is more than a paragraph please point me to it
I'd be very interested in it. I can't follow advice that's not given to me or
read documentation that seems to be impossible to find? I'm just confused
on the replies I received. Oh well.

Thanks -Josh

On Tue, Mar 20, 2012 at 4:27 PM, Alan Buxey  wrote:

> Hi,
>
> > being a mooch. The only reason I can think of such short and erroneous
> > replies is that some people helping on the list are generally annoyed by
> > any questions. That is too bad. A quick reply of "use linelog" would have
> > been helpful. Why not help people?
>
> ...or it could be that we've been running FreeRADIUS for a long long time and
> the method we said works for us, but you've decided on some other path.
> Back in the 0.x days you'd have been SOOL, in 1.x days it would have been code
> changes...in 2.x days there are a few ways you can do it. You were told the best
> way of doing it - but you chose another valid way.
>
> alan

Re: Question on logging EAP/PEAP authentication rejections

2012-03-20 Thread Alan Buxey
Hi,

> being a mooch. The only reason I can think of such short and erroneous
> replies is that some people helping on the list are generally annoyed by
> any questions. That is too bad. A quick reply of "use linelog" would have
> been helpful. Why not help people?

...or it could be that we've been running FreeRADIUS for a long long time and
the method we said works for us, but you've decided on some other path.
Back in the 0.x days you'd have been SOOL, in 1.x days it would have been code
changes...in 2.x days there are a few ways you can do it. You were told the best
way of doing it - but you chose another valid way.

alan


Re: Question on logging EAP/PEAP authentication rejections

2012-03-20 Thread Josh Hiner
Well I eventually found and switched to using linelog to log access rejects
since I can define my own variables that are logged. Oddly enough
freeradius was showing a packet-type of Access-Request for eap
authentication failures. Since I was calling linelog only from the
post_auth_reject spot I just changed the Access-Request= definition to:
Access-Request = "Rejected access: %{User-Name} SSID: %{NAS-Port-Id}"
and the filename= line to be: ${logdir}/authrejectlog-%Y%m%d.log
(yep I could make a subsection to linelog with those changes but chose not
to).

So I am now logging username rejects as well as the SSID they are trying to
connect to. I'm not sure why people kept telling me to read the spot above
the Post-Auth-Type Reject section. Here is a paste of the text above that
section.

#  Access-Reject packets are sent through the REJECT sub-section of the
#  post-auth section.
#
#  Add the ldap module name (or instance) if you have set
#  'edir_account_policy_check = yes' in the ldap module configuration
#

This section was of no help to why usernames were not getting logged in the
detail logs for rejections. From my emails I believe I conveyed that I was
reading documentation and doing the best I could on my own without being a
mooch. The only reason I can think of such short and erroneous replies is
that some people helping on the list are generally annoyed by any
questions. That is too bad. A quick reply of "use linelog" would have been
helpful. Why not help people?

-Josh

On Mon, Mar 19, 2012 at 9:15 PM, Josh Hiner  wrote:

> Alan. Thanks for the reply. One of my previous emails I did put
> reply_log in the post auth reject spot. I'm also copying the user from
> the inner tunnel to the outer tunnel. I am getting reject logs but
> without the username. I swear I have read the section above the post
> auth reject spot in my default file under sites enabled and I do have
> stuff in that section as it clues me to. I must be missing something
> though obviously.
>
> Thanks -josh
>
> Sent from my iPhone
>
> On Mar 19, 2012, at 6:32 PM, Alan Buxey  wrote:
>
> > Hi,
> >
> >>   Ok I went back, looked at the config, and used some common sense to figure
> >>   part of it out. I have it now logging replies for rejects using the
> >
> >
> > ...to remind you what Alan said:
> >
> >> Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.
> >>
> >> This is documented.
> >
> >
> > in post-auth section
> >
> >
> >     Post-Auth-Type REJECT {
> >         attr_filter.access_reject
> >     }
> >
> > put things in that bit
> >
> > alan

Re: Question on logging EAP/PEAP authentication rejections

2012-03-19 Thread Josh Hiner
Alan. Thanks for the reply. One of my previous emails I did put
reply_log in the post auth reject spot. I'm also copying the user from
the inner tunnel to the outer tunnel. I am getting reject logs but
without the username. I swear I have read the section above the post
auth reject spot in my default file under sites enabled and I do have
stuff in that section as it clues me to. I must be missing something
though obviously.

Thanks -josh

Sent from my iPhone

On Mar 19, 2012, at 6:32 PM, Alan Buxey  wrote:

> Hi,
>
>>   Ok I went back, looked at the config, and used some common sense to figure
>>   part of it out. I have it now logging replies for rejects using the
>
>
> ...to remind you what Alan said:
>
>> Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.
>>
>> This is documented.
>
>
> in post-auth section
>
>
>     Post-Auth-Type REJECT {
>         attr_filter.access_reject
>     }
>
> put things in that bit
>
> alan

Re: Question on logging EAP/PEAP authentication rejections

2012-03-19 Thread Alan Buxey
Hi,

> Ok I went back, looked at the config, and used some common sense to figure
> part of it out. I have it now logging replies for rejects using the


...to remind you what Alan said:

>  Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.
> 
>  This is documented.


in post-auth section


    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }

put things in that bit

alan

Re: Question on logging EAP/PEAP authentication rejections

2012-03-19 Thread Josh Hiner
Along with enabling use_tunneled_reply = yes etc. I am also updating the
outer tunnel with the inner tunnel username like this:

update outer.reply {
    User-Name = "%{request:User-Name}"
}

in ./sites-enabled/inner-tunnel

Watching radius debug I can even see attr_filter.access_reject expand
User-Name because it uses it as its key.

I do have sql reject logging fine in other radius server setups. I read the
short doc here: http://freeradius.org/radiusd/doc/Post-Auth-Type and have
searched via google. I'm sorry I just cannot figure this one out. I even see
attr_filter. I cannot get Freeradius to log the username in eap/peap login
rejects.

Thanks again.

-Josh

On Fri, Mar 16, 2012 at 4:55 PM, Josh Hiner  wrote:

> Hello. I'm running freeradius 2.1.6 and logging to /var/log/radius in
> file/detail format. Currently connection logging is working if the user
> authenticates correctly. I can't get access rejects to log though. I've
> turned on reply detail but that is only showing successful attempts too.
>
> I have : use_tunneled_reply = yes and copy_request_to_tunnel = yes in
> eap.conf (need that to do group checking in the users file) but this does
> not seem to affect the issue of no rejected logins being logged. Searched
> this email list as well as online. Sorry to bother.
>
> Any info would be great. I appreciate your time. Thanks!!!
>
> -Josh
>

Re: Question on logging EAP/PEAP authentication rejections

2012-03-19 Thread Josh Hiner
Ok I went back, looked at the config, and used some common sense to figure
part of it out. I have it now logging replies for rejects using the
reply_log section of ./modules/detail.log (I also enabled copy tunneled
reply to the outer tunnel in eap.conf). In the logged rejections I'm not
getting the user-name though. I tried disabling the
attr_filter.access_reject line in ./sites-enabled/default to see if the
attributes were getting filtered but that didn't do anything as I expected.
I know that Access-Reject logs are only supposed to have certain info (per
attr_filter.access_reject doc). Is there a way to modify the reply_log to
include the User-Name in the rejection or should I be using something other
than reply_log?

Thanks!
-Josh

On Fri, Mar 16, 2012 at 4:58 PM, Alan DeKok wrote:

> Josh Hiner wrote:
> > Hello. I'm running freeradius 2.1.6 and logging to /var/log/radius in
> > file/detail format. Currently connection logging is working if the user
> > authenticates correctly. I can't get access rejects to log though. I've
> > turned on reply detail but that is only showing successful attempts too.
>
>   Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.
>
>  This is documented.
>
>  Alan DeKok.

Re: Question on logging EAP/PEAP authentication rejections

2012-03-16 Thread Alan DeKok
Josh Hiner wrote:
> Hello. I'm running freeradius 2.1.6 and logging to /var/log/radius in
> file/detail format. Currently connection logging is working if the user
> authenticates correctly. I can't get access rejects to log though. I've
> turned on reply detail but that is only showing successful attempts too.

  Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.

  This is documented.

  Alan DeKok.


Question on logging EAP/PEAP authentication rejections

2012-03-16 Thread Josh Hiner
Hello. I'm running freeradius 2.1.6 and logging to /var/log/radius in
file/detail format. Currently connection logging is working if the user
authenticates correctly. I can't get access rejects to log though. I've
turned on reply detail but that is only showing successful attempts too.

I have : use_tunneled_reply = yes and copy_request_to_tunnel = yes in
eap.conf (need that to do group checking in the users file) but this does
not seem to affect the issue of no rejected logins being logged. Searched
this email list as well as online. Sorry to bother.

Any info would be great. I appreciate your time. Thanks!!!

-Josh

FYI: Logging Access Accept & Reject messages using linelog module

2012-03-06 Thread Peter Lambrechtsen
I was trying to get linelog to log a CSV style log file with the Access
Accept and Reject messages for auditing purposes.

Took a while to see that the "Access-Reject" verb doesn't work in the
modules/linelog file, it only ever uses the Access-Request since all the
requests are Access-Request messages.  So I had to log the
%{reply:Packet-Type}

So this is what I did in the end in the linelog module file:

Access-Request = "\"%S\",\"%{reply:Packet-Type}\",\"%{Packet-Src-IP-Address}\",\"%{NAS-IP-Address}\",\"%{Client-Shortname}\",\"%{User-Name}\""

Then I updated the post-auth section of the default file to include the
linelog module in both the main and the Post-Auth-Type REJECT to log the
Access-Reject messages too.

post-auth {
    linelog

    Post-Auth-Type REJECT {
        linelog
        reject
    }
}

And I get this in the linelog file.

"2012-03-06 20:40:02","Access-Accept","192.168.1.2","192.168.1.2","APP","Peter"

"2012-03-06 20:40:46","Access-Reject","192.168.1.2","192.168.1.2","APP","Peter"

Which is what we needed to have logged.

Hope it helps someone else.

Cheers

Peter
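As an added example (not from Peter's post or the FreeRADIUS project), here is a small Python parser for the CSV lines this linelog format writes, with the kind of reject-burst check a security team might run over the file. The sample lines, the 10.0.0.5 NAS, the WLC1 client and the "Smith, Jane" user are all constructed.

```python
"""Parse linelog CSV lines of the format shown above and flag Access-Reject
bursts.  Added example; the sample data below is constructed."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Column order follows the format string in the post:
# %S, %{reply:Packet-Type}, %{Packet-Src-IP-Address}, %{NAS-IP-Address},
# %{Client-Shortname}, %{User-Name}
FIELDS = ("timestamp", "packet_type", "src_ip", "nas_ip", "client", "user")

# Constructed sample of the linelog file (the 10.0.0.5 NAS, the WLC1 client
# and the "Smith, Jane" user are made up).  The last line is deliberately
# truncated, as happens when the server is stopped mid-write.
SAMPLE_LOG = '''\
"2012-03-06 20:40:02","Access-Accept","192.168.1.2","192.168.1.2","APP","Peter"
"2012-03-06 20:40:46","Access-Reject","192.168.1.2","192.168.1.2","APP","Peter"
"2012-03-06 20:41:10","Access-Reject","10.0.0.5","10.0.0.5","WLC1","Smith, Jane"
"2012-03-06 20:41:15","Access-Reject","10.0.0.5","10.0.0.5","WLC1","Smith, Jane"
"2012-03-06 20:41:22","Access-Reject","10.0.0.5","10.0.0.5","WLC1","Smith, Jane"
"2012-03-06 20:55:00","Access-Reject","10.0.0.5","10.0.0.5","WLC1","Smith, Jane"
"2012-03-06 20:56:01","Access-Reject","10.0.0.5"
'''


def parse_linelog(text):
    """Return one dict per well-formed line; malformed lines are skipped.

    %S expands to "YYYY-MM-DD HH:MM:SS".  Because the format string wraps
    every field in double quotes, a User-Name containing a comma
    ("Smith, Jane") still parses as a single field.
    """
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # truncated or otherwise malformed line
        rec = dict(zip(FIELDS, row))
        try:
            rec["timestamp"] = datetime.strptime(rec["timestamp"],
                                                 "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # garbage in the timestamp column
        records.append(rec)
    return records


def count_by_type(records):
    """Accept/Reject totals, the first thing an auditor looks at."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec["packet_type"]] += 1
    return dict(counts)


def reject_bursts(records, window=timedelta(minutes=5), threshold=3):
    """Map (user, nas_ip) -> largest number of Access-Reject lines that fall
    inside any `window`, reported only for keys that reach `threshold`.

    Sliding window over the sorted timestamps, so a key with only scattered
    rejects (one every few hours) is never reported.
    """
    by_key = defaultdict(list)
    for rec in records:
        if rec["packet_type"] == "Access-Reject":
            by_key[(rec["user"], rec["nas_ip"])].append(rec["timestamp"])

    alerts = {}
    for key, times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    recs = parse_linelog(SAMPLE_LOG)
    print(count_by_type(recs))
    for (user, nas), n in reject_bursts(recs).items():
        print(f"{n} rejects within 5 min for {user!r} at NAS {nas}")
```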


Re: confused by logging targets for rlm_perl

2012-02-22 Thread Alan DeKok
Olivier Bilodeau wrote:
> http://wiki.freeradius.org/Rlm_perl#Logging refers to:
> 0 - Debug
> 1 - Auth

  Those are wrong.  See src/include/radiusd.h, L_DBG, etc.

  I've fixed the Wiki.

> I expected Debug not to go out in radius.log and Auth to do since I
> specified Auth to yes in radiusd.conf.

  Yup.

> With radius -X, as expected, I got everything.
> 
> Am I missing something here? Is this a bug or a feature(tm)?

  Bug.  See the v2.1.x branch in git for patches to
src/modules/rlm_perl/example.pl

  Alan DeKok.


confused by logging targets for rlm_perl

2012-02-21 Thread Olivier Bilodeau
Hi there!

It's been a while.. François turned out to be our official
freeradius-users correspondent lately ;)

So, I'm changing some things in our rlm_perl module and tried to make a
better use of the logging facilities provided by the freeradius core.

http://wiki.freeradius.org/Rlm_perl#Logging refers to:
0 - Debug
1 - Auth
2 - Proxy
3 - Info
4 - Error

However in practice my tests today revealed behavior that I would prefer
be clarified by one of the gurus here.

With file logging, auth = yes and sending messages with
&radiusd::radlog() I found that:
Debug, Info and Error go to the radius.log file while Auth does not.

I haven't tried Proxy or Acct (which is available according to
src/main/log.c).

I expected Debug not to go out in radius.log and Auth to do since I
specified Auth to yes in radiusd.conf.

With radius -X, as expected, I got everything.

Am I missing something here? Is this a bug or a feature(tm)?

Running freeradius 2.1.12.

Thanks,
-- 
Olivier Bilodeau
obilod...@inverse.ca  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)


Re: Logging only auth failures?

2012-02-14 Thread Ian Ehrenwald
Hi Alan
Thanks for the quick reply.  I believe I've accomplished what I wanted to do.  
I've set 'auth' to undefined in the log{} section of radiusd.conf, created 
another instance of the linelog module called linelog_REJECT in which I set the 
reference to "%{reply:Packet-Type}", and then added 'linelog_REJECT' to the 
'Post-Auth-Type REJECT' section within the default site config file.  My remote 
syslog server is now only receiving 'Rejected access: someLoginName' messages.  
Thank you for your help.


On Feb 14, 2012, at 12:06 PM, Alan DeKok wrote:

> Ian Ehrenwald wrote:
>> Hello
>> I am using FreeRADIUS 2.1.9-3 on CentOS 6.0.  I am sending all syslog output 
>> to a remote rsyslog server (and have local1.* assigned to RADIUS in 
>> rsyslogd.conf).  I want to log only auth failures, not successful logins.  
>> Is there an easy way to do this?  I don't want to use a SQL backing store 
>> for this project since that is what is holding the syslog data on the remote 
>> machine anyway.  'auth = yes' logs everything, 'auth = no' logs nothing, and 
>> I don't want to see/store the good/bad passwords, so 'auth_badpass' and 
>> 'auth_goodpass' aren't an option.  I'm sure I'm not the only person who has 
>> wanted to do this, but I can't find anything on the freeradius-users list.  
>> Any help?  Thanks.
> 
>  Patch the source.
> 
>  Or, use rlm_linelog, in the "Post-Auth-Type Reject" section.
> 
>  Alan DeKok.

Ian Ehrenwald, Linux Systems Administrator
TripAdvisor, LLC, 141 Needham St, Newton, MA 02464
978-328-7816 (mobile) / 617-795-7716 (desk)
iehrenw...@tripadvisor.com / (Sent from my MacBook Pro)




Re: Logging only auth failures?

2012-02-14 Thread Alan DeKok
Ian Ehrenwald wrote:
> Hello
> I am using FreeRADIUS 2.1.9-3 on CentOS 6.0.  I am sending all syslog output 
> to a remote rsyslog server (and have local1.* assigned to RADIUS in 
> rsyslogd.conf).  I want to log only auth failures, not successful logins.  Is 
> there an easy way to do this?  I don't want to use a SQL backing store for 
> this project since that is what is holding the syslog data on the remote 
> machine anyway.  'auth = yes' logs everything, 'auth = no' logs nothing, and 
> I don't want to see/store the good/bad passwords, so 'auth_badpass' and 
> 'auth_goodpass' aren't an option.  I'm sure I'm not the only person who has 
> wanted to do this, but I can't find anything on the freeradius-users list.  
> Any help?  Thanks.

  Patch the source.

  Or, use rlm_linelog, in the "Post-Auth-Type Reject" section.

  Alan DeKok.


Logging only auth failures?

2012-02-14 Thread Ian Ehrenwald
Hello
I am using FreeRADIUS 2.1.9-3 on CentOS 6.0.  I am sending all syslog output to 
a remote rsyslog server (and have local1.* assigned to RADIUS in 
rsyslogd.conf).  I want to log only auth failures, not successful logins.  Is 
there an easy way to do this?  I don't want to use a SQL backing store for this 
project since that is what is holding the syslog data on the remote machine 
anyway.  'auth = yes' logs everything, 'auth = no' logs nothing, and I don't 
want to see/store the good/bad passwords, so 'auth_badpass' and 'auth_goodpass' 
aren't an option.  I'm sure I'm not the only person who has wanted to do this, 
but I can't find anything on the freeradius-users list.  Any help?  Thanks.


Ian Ehrenwald, Linux Systems Administrator
TripAdvisor, LLC, 141 Needham St, Newton, MA 02464
978-328-7816 (mobile) / 617-795-7716 (desk)
iehrenw...@tripadvisor.com / (Sent from my MacBook Pro)




Re: VPMS and logging

2012-01-12 Thread Patrick M. Hausen
Hello,

Am 12.01.2012 um 16:59 schrieb Phil Mayers:

> On 01/12/2012 03:25 PM, Patrick M. Hausen wrote:
> 
>>  VMPS-Packet-Type = VMPS-Join-Request
>>  VMPS-Error-Code = VMPS-No-Error
>>  VMPS-Sequence-Number = 892
>>  VMPS-Client-IP-Address = 1.2.3.4
>>  VMPS-Port-Name = "Fa0/21"
>>  VMPS-VLAN-Name = "--NONE--"
>>  VMPS-Domain-Name = "Hausnetz"
>>  VMPS-Unknown = 0x00
>>  VMPS-Ethernet-Frame = 0x0050……
> 
> Note that VMPS-VLAN-Name in the VMPS request is "--NONE--"

I noticed that already ;-)

> Use
> 
> %{reply:VMPS-VLAN-Name}
> 
> ...in your "linelog" config if you want to log the vlan from the reply.

Thanks a lot!

Kind regards,
Patrick
-- 
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
i...@punkt.de   http://www.punkt.de
Gf: Jürgen Egeling  AG Mannheim 108285






Re: VPMS and logging

2012-01-12 Thread Phil Mayers

On 01/12/2012 03:25 PM, Patrick M. Hausen wrote:

> VMPS-Packet-Type = VMPS-Join-Request
> VMPS-Error-Code = VMPS-No-Error
> VMPS-Sequence-Number = 892
> VMPS-Client-IP-Address = 1.2.3.4
> VMPS-Port-Name = "Fa0/21"
> VMPS-VLAN-Name = "--NONE--"
> VMPS-Domain-Name = "Hausnetz"
> VMPS-Unknown = 0x00
> VMPS-Ethernet-Frame = 0x0050……

Note that VMPS-VLAN-Name in the VMPS request is "--NONE--"

> [linelog]   expand: /var/log/vmps.log ->  /var/log/vmps.log
> [linelog]   expand: %S %C %{VMPS-Port-Name} %{VMPS-Mac} %{VMPS-VLAN-Name}
> ->  2012-01-12 16:06:34 Switch1 Fa0/21 xx:xx:xx:xx:xx:xx --NONE--

%{name} means: attribute "name" from the request

> ++[linelog] returns ok
> Done VMPS
> } # server vmps
> VMPS-VLAN-Name = "default"
> VMPS-Cookie = xx:xx:xx:xx:xx:xx

...whereas this is a reply value.

Use

%{reply:VMPS-VLAN-Name}

...in your "linelog" config if you want to log the vlan from the reply.


VPMS and logging

2012-01-12 Thread Patrick M. Hausen
Hi, all,

I have set up VMPS with FreeRADIUS 2.1.12 to use with our internal
Cisco switches. After finding the sample files and some documentation
with Google, I'm quite satisfied with the result. At least everything seems
to work as designed.

Besides … ;-) logging seems to be somewhat inconsistent. Here's what
radiusd -X outputs when I connect my personal workstation to the network:
(addresses anonymised)
--
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 892
VMPS-Client-IP-Address = 1.2.3.4
VMPS-Port-Name = "Fa0/21"
VMPS-VLAN-Name = "--NONE--"
VMPS-Domain-Name = "Hausnetz"
VMPS-Unknown = 0x00
VMPS-Ethernet-Frame = 0x0050……
server vmps {
Doing VMPS
+- entering group vmps {...}
++? if (!VMPS-Mac)
? Evaluating !(VMPS-Mac) -> TRUE
++? if (!VMPS-Mac) -> TRUE
++- entering if (!VMPS-Mac) {...}
+++? if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/)
? Evaluating (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) -> 
TRUE
+++? if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) -> TRUE
+++- entering if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) 
{...}
expand: %{1}:%{2}:%{3}:%{4}:%{5}:%{6} -> xx:xx:xx:xx:xx:xx
[request] returns noop
+++- if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) returns 
noop
+++ ... skipping else for request 0: Preceding "if" was taken
++- if (!VMPS-Mac) returns noop
[mac2vlan] Added VMPS-VLAN-Name: 'default' to reply_items 
++[mac2vlan] returns ok
expand: %{VMPS-Mac} -> xx:xx:xx:xx:xx:xx
++[reply] returns ok
++? if (VMPS-Packet-Type == VMPS-Reconfirm-Request)
? Evaluating (VMPS-Packet-Type == VMPS-Reconfirm-Request) -> FALSE
++? if (VMPS-Packet-Type == VMPS-Reconfirm-Request) -> FALSE
[linelog]   expand: /var/log/vmps.log -> /var/log/vmps.log
[linelog]   expand: %S %C %{VMPS-Port-Name} %{VMPS-Mac} %{VMPS-VLAN-Name} 
-> 2012-01-12 16:06:34 Switch1 Fa0/21 xx:xx:xx:xx:xx:xx --NONE--
++[linelog] returns ok
Done VMPS
} # server vmps
VMPS-VLAN-Name = "default"
VMPS-Cookie = xx:xx:xx:xx:xx:xx
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 892 with timestamp +11
Ready to process requests.
--

So, the last lines seem to imply that I am to be put into VLAN "default" which
is just the name of VLAN 1 on Cisco gear. And indeed the switch does precisely
that. So far, so good.

Then, why does FreeRADIUS log this?

"2012-01-12 16:06:34 Switch1 Fa0/21 xx:xx:xx:xx:xx:xx --NONE--"

Note the "--NONE--" for the VLAN name. I'm about to implement this throughout
our entire office and of course the log will be essential for daily
administration tasks, like adding/removing/fixing MAC address entries and the
like. I get completely inconsistent results here - for some workstations it's
"default" and for some "--NONE--".

Here's the detailed config, "guests" is the name of the default VLAN for all
unknown MAC addresses. The rest is more or less copied from the examples.

I omitted all the basic radiusd config that I had already in place. We use
FreeRADIUS for Enterprise WPA2 in our WLAN. I added VMPS as a virtual
server.

--
mac2vlan:
xx:xx:xx:xx:xx:xx,default

radiusd.conf:
modules {
    passwd mac2vlan {
        filename = ${confdir}/mac2vlan
        format = "*VMPS-Mac:=VMPS-VLAN-Name"
        delimiter = ","
    }

    linelog {
        filename = ${logdir}/vmps.log
        format = "%S %C %{VMPS-Port-Name} %{VMPS-Mac} %{VMPS-VLAN-Name}"
    }
}

$INCLUDE vmps.conf

vmps.conf:
server vmps {
    listen {
        ipaddr = *
        port = 1589
        type = vmps
    }

    client 1.2.3.4 {
        secret = dontmind
        shortname = Switch1
    }

    vmps {
        if (!VMPS-Mac) {
            if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {
                update request {
                    VMPS-Mac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
                }
            }
            else {
                update request {
                    VMPS-Mac = "%{VMPS-Cookie}"
                }
            }
        }

        mac2vlan

        update reply {
            VMPS-Packet-Type = VMPS-Join-Response
 

Re: Logging User Accounts

2011-12-28 Thread Alan Buxey
Yes, look at the linelog module

alan


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Logging User Accounts

2011-12-26 Thread Andreas Rudat
Hello,

I am trying to log users when they connect to radius. Is it possible to track
that without all the other information from debug mode?
The best would be if I only saw this:   [TIME]: foobar logged in

Thanks



Re: logging accounting

2011-12-20 Thread Alan DeKok
vazoumana fofana wrote:
> I enabled accounting on the freeradius server. I see logs are stored under
> a repository which contains the IP of the controller.

  You mean the "detail" files.

> Is it possible to change this and specify another name?

  Yes.  See raddb/modules/detail

  That's why the configuration files are text... so they can be edited.

  Alan DeKok.


logging accounting

2011-12-20 Thread vazoumana fofana

Hello ,

I enabled accounting on the freeradius server. I see logs are stored under
a repository which contains the IP of the controller.
Is it possible to change this and specify another name?

Cheers


Re: Fwd: freeradius logging

2011-11-22 Thread Alan DeKok
sandm...@uni-greifswald.de wrote:
> I need more information in the logs because sometimes the radius
> service will be stopped. But I don't know why.
> Where must I configure this loglevel to get more information in these logs?

  Your best bet is to run it under gdb.  See doc/bugs

  Alan DeKok.


Fwd: freeradius logging

2011-11-22 Thread sandm...@uni-greifswald.de
Hi all,

I am hoping that someone can help me.

I need more information in the logs because sometimes the radius
service will be stopped. But I don't know why.
Where must I configure this loglevel to get more information in these
logs?

best regards

David Sandmann






Re: Logging to destination = files AND syslog?

2011-11-21 Thread Alan DeKok
Mika wrote:
> Hello.
> I am running 2.1.10. Is it possible to log to files and syslog (both)?

  No.  Use something like rsyslog to send logs to multiple destinations.

  Alan DeKok.


Logging to destination = files AND syslog?

2011-11-21 Thread Mika
Hello.
I am running 2.1.10. Is it possible to log to files and syslog (both)?
Regards
Mika



Re: Stop Logging in radpostauth table

2011-10-24 Thread Det Det
hey thanks! that did it.




From: Arran Cudbard-Bell 
To: Det Det ; FreeRadius users mailing list 

Sent: Monday, October 24, 2011 6:09 PM
Subject: Re: Stop Logging in radpostauth table




On 24 Oct 2011, at 12:03, Det Det wrote:

> Hi,
>
> How do I stop logging in radpostauth table? Is commenting out the query that
> inserts to radpostauth a correct way of doing that?

No... comment out the SQL call in the post-auth section.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


Re: Stop Logging in radpostauth table

2011-10-24 Thread Arran Cudbard-Bell

On 24 Oct 2011, at 12:03, Det Det wrote:

> Hi,
> 
> How do I stop logging in radpostauth table? Is commenting out the query that 
> inserts to radpostauth a correct way of doing that?
> 

No... comment out the SQL call in the post-auth section.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Stop Logging in radpostauth table

2011-10-24 Thread Det Det
Hi,

How do I stop logging in radpostauth table? Is commenting out the query that 
inserts to radpostauth a correct way of doing that?


thanks!
det


Re: Help desk support of authn/authz failures? Logging detailed messages to SQL?

2011-09-27 Thread Arran Cudbard-Bell
if (!control:NT-Password && !control:Cleartext-Password) {
    update control {
        Reject-Reason := 'AttributeMissing'
    }
}

oops...

-


Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Re: Help desk support of authn/authz failures? Logging detailed messages to SQL?

2011-09-27 Thread Arran Cudbard-Bell
> 1) How do other people - specifically organizations with a help desk
> large enough that they're distinctly separate from anyone with enough
> privs to tail a log file - handle user support of authentication failures?

In a former life I worked at a largish UK university. Whilst I was there I
wrote a user portal application which allowed users to register their equipment
and download a supplicant setup program (from CloudPath networks). It also
allowed them to see the last few records from the postauth table, so they could
self-diagnose some faults.

As the users were registering equipment MAC addresses, we could match them to
Calling-Station-ID and pull up failed post-auth records even where something
like host-based authentication was being used and the User-Name was all funky.

One of the neat features a colleague had put in a previous version was 'sudo'
functionality, where help desk advisors could sudo into a student's account,
fix dodgy registrations and view post-auth records.

Unfortunately they own the source, as it was written whilst I was under their
employment, so I can't release it.

For the more fine-grained stuff, we did exactly the same as you're doing with
the custom Reject-Reason attributes. Though I'd recommend using an enumerated
integer instead of a string, and defining a bunch of standard values.


> 2) This is proving problematic with users who have EAP
> misconfigurations, empty LDAP passwords, etc. that only manifest as a
> module failure and only show up in the log file. I've been considering
> patching the relevant modules to add/update an attribute on failure,


ldap
if (notfound) {
    update control {
        Reject-Reason := 'UserNotFound'
    }
}
if (!control:NT-Password || !control:Cleartext-Password) {
    update control {
        Reject-Reason := 'AttributeMissing'
    }
}

You can almost certainly do everything you want to do without touching the 
module source. If you *do* want to edit the source, I recommend adding more 
Module-Failure-Message attributes (see below), and then submitting the patches, 
that way you're not stuck applying your patches every update.

> since currently AFAIK this information is only available in the log
> file, and not anywhere that I can include in the SQL post-auth log. Has
> anyone else done anything similar?

Yes. We did exactly that. Empty attributes are easy to diagnose, because you 
can just check for the presence of the control attribute after the LDAP module 
has run (see above).

The student records system that was meant to populate the NT-Password 
attribute, didn't. Spent many hours camped out on the helpdesk for that first 
month. This was back in 2007, we were one of the first Universities to do wired 
802.1X authentication for the residences, and didn't have anything like 
CloudPath available :(

> Or is more detailed module failure
> information accessible through something that I haven't been able to
> find in the docs?

Module-Failure-Message is sometimes populated with more verbose failure 
reasons, you'll have to check which modules support this, and whether the 
information is relevant.

I highly recommend the CloudPath dissolvable client, it works for Windows, Mac 
OSX, Linux and just makes so many of these configuration problems disappear. 
It's probably about three days to generate a configuration and deploy it (or 
less if you're motivated).

If you wanted a custom portal and you didn't have the time to write one 
yourselves, Network RADIUS (http://networkradius.com/) offer commercial RADIUS 
support, and could probably take on the project.

It all depends on how much time you have available, and how much you're willing 
to spend to fix the problem.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: Help desk support of authn/authz failures? Logging detailed messages to SQL?

2011-09-27 Thread Jason Antman
Thanks for the quick reply!

Alan Buxey wrote:
> hi,
>
> firstly, deployment tool - such as CloudPath xpressconnect or sux1 to ensure
> that the user is doing the least amount possible to mess things up (also
> ensures that all the right things such as validate server, RADIUS name etc
> are all properly defined).
>
We use Cloudpath, but still have issues with either devices that get
gronked (iOS comes to mind) or devices that users attempt to "fix".
> secondly, capture the output of the logfile (Perl Tail File module is nice) -
> which is why I wanted the radiusd.log file to be the right one - logrotate
> really messes the recent 2.1.x logfile up - so i now have a manual restart
> of the server along with log rotation.hmm..  and putting data (detail file
> stuff too) into a database with a nice web front end for 'low level access'
> is a must.
>
To put this nicely... our HD people can't deal with a logfile. They need
"if the box is red, read the "Reason" column next to it, and go to that
section in the wiki page." Unfortunately student labor isn't the best,
and those who are technically competent generally get jobs as sysprogs.
> there have been discussions in europe about way of logging the reason for a
> failure and putting it onto a sites secure web area so that users can log in
> and see why things aren't working for them
>
Sounds like exactly what I need. Perhaps a patch to set an internal
control: attribute, which could then be logged however (for me,
Post-Auth Type Reject also goes to rlm_sql for logging, into such a
secure page).
> alan



Re: Help desk support of authn/authz failures? Logging detailed messages to SQL?

2011-09-27 Thread Alan Buxey
hi,

firstly, deployment tool - such as CloudPath xpressconnect or sux1 to ensure
that the user is doing the least amount possible to mess things up (also
ensures that all the right things such as validate server, RADIUS name etc
are all properly defined).

secondly, capture the output of the logfile (Perl Tail File module is nice) -
which is why I wanted the radiusd.log file to be the right one - logrotate
really messes the recent 2.1.x logfile up - so i now have a manual restart
of the server along with log rotation.hmm..  and putting data (detail file
stuff too) into a database with a nice web front end for 'low level access'
is a must.

there have been discussions in europe about way of logging the reason for a
failure and putting it onto a sites secure web area so that users can log in
and see why things aren't working for them

alan


Help desk support of authn/authz failures? Logging detailed messages to SQL?

2011-09-27 Thread Jason Antman
We've rolled out FreeRADIUS as the authentication and authorization
server for our University-wide WLAN with 30,000+ users. Our help desk
(general IT, not wireless-specific) support staff is made up of student
workers, with full-time second-level support and us sysadmins/wireless
engineers for third-level support.

As we've rolled out WPA2 and the supplicants give no useful information
about authentication failures to end-users, our help desk is being
inundated with "help, I can't login" calls. We do auth logging to MySQL.
Help desk staff are not given access to our authentication servers, so
our current solution is to use lots of unlang config kludge in
authorize{} to defer any notfound or reject module responses
(configurable failover), then use if statements to check the actual
return of the module. If it's a "bad" user (notfound, reject, etc.) we
set a locally-defined string attribute (control:Reject-Reason) and then
reject the user, and Post-Auth Type Reject logs to SQL including that
string reason. Which is then accessible in a read-only web tool for the
help desk.

1) How do other people - specifically organizations with a help desk
large enough that they're distinctly separate from anyone with enough
privs to tail a log file - handle user support of authentication failures?
2) This is proving problematic with users who have EAP
misconfigurations, empty LDAP passwords, etc. that only manifest as a
module failure and only show up in the log file. I've been considering
patching the relevant modules to add/update an attribute on failure,
since currently AFAIK this information is only available in the log
file, and not anywhere that I can include in the SQL post-auth log. Has
anyone else done anything similar? Or is more detailed module failure
information accessible through something that I haven't been able to
find in the docs?

Thanks for any advice/insights,
Jason

-- 

Jason Antman
System Administrator
Rutgers University
OIT Central Systems & Services / NetOps

Office: 732-445-6363
Cell: 732-983-7256
jant...@oit.rutgers.edu



Re: Implementing SQL Insert/logging for SoH.

2011-08-04 Thread Arran Cudbard-Bell

On 2 Aug 2011, at 16:09, Palmer J.D.F. wrote:

>>> Didn't think xlat could do inserts and updates?
>> 
>> I wrote the patch to add the functionality and it's been in the server
>> code for about the past three years :)
> 
> Good stuff. :)
> 
> The source of rlm_sql.c still states only ...
> "*  sql xlat function. Right now only SELECTs are supported."

Yeah, it's just to scare off the uninitiated. I guess I should really fix it :)

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



RE: Implementing SQL Insert/logging for SoH.

2011-08-02 Thread Palmer J.D.F.
> > Didn't think xlat could do inserts and updates?
> 
> I wrote the patch to add the functionality and it's been in the server
> code for about the past three years :)

Good stuff. :)

The source of rlm_sql.c still states only ...
"*  sql xlat function. Right now only SELECTs are supported."

We'd already tried - Tmp-String-5  := "%{sql:INSERT into radsoh
(sid,data) VALUES (NULL,'ss');}" - but it wasn't encapsulated in an
'update request {.. ..}' statement so failed, schoolboy error.
I did some digging on the interweb which said INSERTs weren't possible, then
read the above comment in the 2.1.11 source, so gave up on xlat then.

All sorted now though.

Thanks,
Jezz.



Re: Implementing SQL Insert/logging for SoH.

2011-08-02 Thread Arran Cudbard-Bell

On 2 Aug 2011, at 15:44, Palmer J.D.F. wrote:

>>> Palmer J.D.F. wrote:
>>>> Further to my last foray onto the list regarding SoH, I'm looking to
>>>> commit the returned SoH info to the radius database using FreeRADIUS'
>>>> sql connection.
>>>
>>> It's just attributes.
>>
>> just use sql xlat...
>>
>> update request {
>>     Tmp-String-1 := "%{sql:INSERT INTO ...}"
>> }
>>
>
> Didn't think xlat could do inserts and updates?

I wrote the patch to add the functionality and it's been in the server code for
about the past three years :)

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




RE: Implementing SQL Insert/logging for SoH.

2011-08-02 Thread Palmer J.D.F.
> > Palmer J.D.F. wrote:
> >> Further to my last foray onto the list regarding SoH, I'm looking to
> >> commit the returned SoH info to the radius database using FreeRADIUS'
> >> sql connection.
> >
> >  It's just attributes.
>
> just use sql xlat...
>
> update request {
>     Tmp-String-1 := "%{sql:INSERT INTO ...}"
> }
>

Didn't think xlat could do inserts and updates?

Cheers,
Jezz.



RE: Implementing SQL Insert/logging for SoH.

2011-08-02 Thread Palmer J.D.F.

> Palmer J.D.F. wrote:
>> Further to my last foray onto the list regarding SoH, I'm looking to 
>> commit the returned SoH info to the radius database using FreeRADIUS'
>> sql connection.
> 
>  It's just attributes.

>   Read raddb/sites-available/soh.  The server runs an "authorize"
> section.  This is *exactly* like the normal "authorize" section for a
> RADIUS packet.  Just configure the authorize queries, and go.
> 
>   No source code mods are needed.
> 

Thanks Alan, that's far more straightforward. :)





Re: Implementing SQL Insert/logging for SoH.

2011-08-02 Thread Arran Cudbard-Bell

On 2 Aug 2011, at 15:07, Alan DeKok wrote:

> Palmer J.D.F. wrote:
>> Further to my last foray onto the list regarding SoH, I'm looking to
>> commit the returned SoH info to the radius database using FreeRADIUS'
>> sql connection.
> 
>  It's just attributes.

just use sql xlat...

update request {
    Tmp-String-1 := "%{sql:INSERT INTO ...}"
}


Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



Re: Implementing SQL Insert/logging for SoH.

2011-08-02 Thread Alan DeKok
Palmer J.D.F. wrote:
> Further to my last foray onto the list regarding SoH, I'm looking to
> commit the returned SoH info to the radius database using FreeRADIUS'
> sql connection.

  It's just attributes.

> I could be well off target here, but please humour me, so far I have...
> 
> Created a table 'radsoh', and declared this inside sql.conf. 

  OK...

> Added a query (soh_query) to dialup.conf, at present this simply just
> inserts User-Name to the table.

  Uh... that won't work.

> Declared soh_query in rlm_sql/conf.h
> Declared soh_query in the 'module_config' section of rlm_sql.c
> Declared a function, rlm_sql_soh, which is essentially a copy of
> rlm_sql_postauth into rlm_sql.c.
> Added rlm_sql_soh to the export section of rlm_sql.c.

 And all of that is unnecessary.

> It compiles and runs, but here is where I run out of ideas.
> 
> Presuming I'm on the right track, what else is required to enable the
> query, and how would I make the call to execute the query? 
> Ideally the call should be made from within the SoH virtual server defined
> in raddb/sites-enabled.

  Read raddb/sites-available/soh.  The server runs an "authorize"
section.  This is *exactly* like the normal "authorize" section for a
RADIUS packet.  Just configure the authorize queries, and go.

  No source code mods are needed.

  Alan DeKok.


Implementing SQL Insert/logging for SoH.

2011-08-02 Thread Palmer J.D.F.
Hi,

Further to my last foray onto the list regarding SoH, I'm looking to
commit the returned SoH info to the radius database using FreeRADIUS'
sql connection.

I could be well off target here, but please humour me, so far I have...

Created a table 'radsoh', and declared this inside sql.conf. 
Added a query (soh_query) to dialup.conf, at present this simply just
inserts User-Name to the table.
Declared soh_query in rlm_sql/conf.h
Declared soh_query in the 'module_config' section of rlm_sql.c
Declared a function, rlm_sql_soh, which is essentially a copy of
rlm_sql_postauth into rlm_sql.c.
Added rlm_sql_soh to the export section of rlm_sql.c.

It compiles and runs, but here is where I run out of ideas.

Presuming I'm on the right track, what else is required to enable the
query, and how would I make the call to execute the query? 
Ideally the call should be made from within the SoH virtual server defined
in raddb/sites-enabled.

Thanks,
Jezz.


Jezz Palmer
Information Services and Systems
Swansea University
Singleton Park
Swansea
SA2 8PP


selective disabling password logging for proxied users?

2011-07-31 Thread Meike Stone
Hello,

I'm sorry that I ask again..

We are using the freeradius server with authentication against ldap as
"local database" and proxy the realms (IPASS) to authenticate users who
are not in our database.

So is it possible to disable the password logging only for the
proxied requests?

The local requests are only users who got a temporary voucher. In case
of failure, the help desk should use the log to check if the user did
use the correct password.

But the passwords of IPASS users should not be logged.

If I disable the password logging in the detail section (suppress
{User-Password}), the complete password logging will be disabled.
Is it possible to disable this selectively, only for proxied users?

Thanks for help - Meike


password logging only for local users

2011-07-07 Thread Meike Stone
Hello,

we are using the freeradius server with authentication against ldap as
"local database" and proxy the realms (IPASS) to authenticate users who
are not in our database.
So is it possible to disable the password logging only for the
proxied requests?

The local requests are only users who got a temporary voucher. In case
of failure, the helpdesk should use the log to check if the user did
use the correct password.

But the passwords of IPASS users should not be logged.

If I disable the password logging in the detail section (suppress
{User-Password}), the complete password logging will be disabled.
Is it possible to disable this selectively?

Thanks for help - Meike


Re: ntlm_auth authentication results logging messages

2011-05-20 Thread Phil Mayers

On 05/19/2011 08:04 PM, John Douglass wrote:
> Now, the actual ntlm_auth command within the $RADIUS/modules/mschap does
> read:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> So it's not necessarily doing the same kind of authentication command as
> I was doing above but I have no idea how to simulate a challenge request
> on command line to verify :)

You can just run FreeRADIUS in debug mode and capture any ntlm_auth
command line - they're re-usable, the "response" value is the same every
time for a given challenge, username and password. Security revolves
around the challenge being random and not re-used.

(I have some utilities for generating the response that I keep meaning
to stick in an AppEngine page at some point)

> Login incorrect (mschap: External script says Logon failure
> (0xc06d)): [asdf/] (from client LAWN-WiSM port
> 29 cli 00-25-00-f5-a3-2b via TLS tunnel)
>
> However, "Logon failure" is nebulous when it could be either "bad
> password", "account disabled", or "no such user" that comes out of the
> "ntlm_auth" command (at least when I run it by hand).
>
> Is this the fault of the results of ntlm_auth being vague or is
> something else at play?

The former. As you noted above, you were testing with username/password
auth as opposed to challenge/response auth. The latter gives a much
smaller, less interesting (but arguably more secure) set of error codes.

About all you get other than "Login failure" is "Password expired"
(which the recent MS-CHAP password change patch I wrote looks for and
acts on)

This is for boring reasons to do with the way Samba makes the RPC call
against the domain, and gradual changes in Windows about what error
codes it leaks (if you think about it, leaking the difference between
"invalid user" and "invalid password" makes user/pass dictionary attacks
easier)



Re: ntlm_auth authentication results logging messages

2011-05-19 Thread James J J Hooper

On 19/05/2011 21:00, Garber, Neal wrote:
>> I found a similar user in an old thread who submitted a patch:
>> (http://freeradius.1045715.n5.nabble.com/Capturing-ntlm-auth-failure-
>> reasons-in-rlm-mschap-td2791760.html)
>> And it appears that this patch made it into the rlm_mschap.c module code:
>
> I submitted that patch and it was included in FR v1.  Unfortunately,
> a change in v2 regressed this functionality. In v2, there's now an additional
> round trip, so the ntlm_auth results need to be saved - they
> are saved, in the current version, for success; but, not for failure.
> I submitted another patch for v2 last year that saves the ntlm_auth
> results for failures as well; but, it required rework (Alan wanted it
> split into two separate patches) and I haven't had a chance to rework
> it yet.  Other, really nice mschap patches have been submitted
> since then (thank you Phil), so the rework, for me, is now a bit more.

Note that needing the results saved is probably because you want to do
something with the information in post-auth.

John, if you just want to log the information you can do something like
[in the inner-tunnel file]:

authenticate {
    Auth-Type MS-CHAP {
        mschap {
            reject = 1
        }
        if (reject) {
            linelog
            reject
        }
    }
    ...
}

The linelog module (or any other module you want to use e.g. SQL) can log
to a file or syslog or something else at this point. The information you
want will be in the %{Module-Failure-Message} and %{reply:MS-CHAP-Error}
attributes.

We use linelog extensively to syslog to a file and then have a webpage
that does the equivalent of tail the file and refresh routinely - very
easy for the help desk staff to see what is going on without needing to
ssh to anything.

-James



RE: ntlm_auth authentication results logging messages

2011-05-19 Thread Garber, Neal
> I found a similar user in an old thread who submitted a patch: 
> (http://freeradius.1045715.n5.nabble.com/Capturing-ntlm-auth-failure-
> reasons-in-rlm-mschap-td2791760.html)
> And it appears that this patch made it into the rlm_mschap.c module code:

I submitted that patch and it was included in FR v1.  Unfortunately,
a change in v2 regressed this functionality. In v2, there's now an additional 
round trip, so the ntlm_auth results need to be saved - they 
are saved, in the current version, for success; but, not for failure.  
I submitted another patch for v2 last year that saves the ntlm_auth 
results for failures as well; but, it required rework (Alan wanted it 
split into two separate patches) and I haven't had a chance to rework 
it yet.  Other, really nice mschap patches have been submitted 
since then (thank you Phil), so the rework, for me, is now a bit more.



ntlm_auth authentication results logging messages

2011-05-19 Thread John Douglass

I am running freeradius-2.1.10 and ntlm_auth Version 3.0.33-3.29.el5_6.2.

Because our AD is managed by a different area (and we rely upon this for 
user authentication), I am looking for ways to assist our customer 
support area with appropriate logs to help debug AD issues. Sometimes, 
due to bad processes, things don't always stay in sync across the domain.


What I have found is that ntlm_auth can return a variety of states like
the following (I am sure there are more):


[root@dvlana ~]# ntlm_auth --request-nt-key --domain=AD 
--username=douglass --password=CORRECTPASSWORD

NT_STATUS_OK: Success (0x0)

[root@dvlana ~]# ntlm_auth --request-nt-key --domain=AD 
--username=douglass --password=BADPASSWORDHERE

NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)

[root@dvlana ~]# ntlm_auth --request-nt-key --domain=AD 
--username=douglass --password=CORRECTPASSWORD

NT_STATUS_ACCOUNT_DISABLED: Account disabled (0xc072)

[root@dvlana ~]# ntlm_auth --request-nt-key --domain=AD 
--username=douglass12 --password=PASSWORD

NT_STATUS_NO_SUCH_USER: No such user (0xc064)

Now, the actual ntlm_auth command within the $RADIUS/modules/mschap does 
read:


ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


So it's not necessarily doing the same kind of authentication command as
I was doing above but I have no idea how to simulate a challenge request
on command line to verify :)


I found a similar user in an old thread who submitted a patch: 
(http://freeradius.1045715.n5.nabble.com/Capturing-ntlm-auth-failure-reasons-in-rlm-mschap-td2791760.html)


And it appears that this patch made it into the rlm_mschap.c module code:

if (result != 0) {
    char *p;
    VALUE_PAIR *vp = NULL;

    RDEBUG2("External script failed.");

    vp = pairmake("Module-Failure-Message", "", T_OP_EQ);
    if (!vp) {
        radlog_request(L_ERR, 0, request,
                       "No memory to allocate Module-Failure-Message");
        return RLM_MODULE_FAIL;
    }

    p = strchr(buffer, '\n');
    if (p) *p = '\0';
    snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue),
             "%s: External script says %s",
             inst->xlat_name, buffer);
    vp->length = strlen(vp->vp_strvalue);
    pairadd(&request->packet->vps, vp);
    return -1;
}

However, when I view my debug for freeradius:

[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Logon failure 
(0xc06d)): [asdf/] (from client LAWN-WiSM port 
29 cli 00-25-00-f5-a3-2b via TLS tunnel)


However, "Logon failure" is nebulous when it could be either "bad 
password", "account disabled", or "no such user" that comes out of the 
"ntlm_auth" command (at least when I run it by hand).


Is this the fault of the results of ntlm_auth being vague or is 
something else at play?


I also see that there may be a pair added with "Module-Failure-Message".
Nowhere do I see that in a debug session when I force a failure to
occur (debug is below). Would that pair show up if it were available? If
so, any suggestions on how to get the output of ntlm_auth logged correctly?


Am I missing a logging option or configuration option to enable me to 
get additional information out of the ntlm_auth failure or is this code 
not functioning correctly?


Below is a full debug of a failed authentication with a non-existent 
user "asdf":


rad_recv: Access-Request packet from host 10.80.10.42 port 32769, id=54, 
length=180

User-Name = "asdf"
Calling-Station-Id = "00-25-00-f5-a3-2b"
Called-Station-Id = "00-25-45-37-5c-60:GTtestwpa"
NAS-Port = 29
NAS-IP-Address = 10.80.10.42
NAS-Identifier = "Rich-core-WiSM-E"
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "809"
EAP-Message = 0x020200090161736466
Message-Authenticator = 0xbeb78b0b65e4a5537d6a1e14f56a93ac
server wpa {
# Executing section authorize from file 
/services/freeradius/etc/raddb//sites-enabled/dvlan-wpa

+- entering group authorize {...}
++[preprocess] returns ok
[eap] EAP packet type response id 2 length 9
[eap]

Re: Mac Auth and post-auth logging to SQL

2011-03-29 Thread Phil Mayers

On 03/29/2011 08:52 PM, Jason Antman wrote:
> This makes MUCH more sense, thanks! Now the next (relatively
> new-to-radius) person won't end up as confused as I was.
>
> I have MAC auth working with a SQL data source and custom XLAT to check
> for some special field values in SQL, based on a somewhat custom schema
> (more from the one-row-per-MAC standpoint than using radcheck and

Yeah, we do a similar thing with a database stored procedure to allocate
an appropriate vlan by mac & location combo; it's basically along the
lines of:

update control {
    Tmp-String-0 := "%{sql:select .. from proc('%{Calling-Station-Id}')}"
}
if (control:Tmp-String-0 =~ /...regexp for SQL result.../) {
    update reply {
        # vlan
        Tunnel-Private-Group-Id := "%{1}"
        Other-Stuff := "%{2}"
    }
}

FreeRadius is damn clever when you grasp it ;o)

> radreply), as well as xlat to include a Username in the reply message.
> When I'm finished with it and have it working, I'll be more than willing
> to pass along my code.

Alan can probably give you a wiki account if you want to document it there.

