Re: radpostauth sql logging of bad passwords
On 2009-Apr-27, at 12:44, Ivan Kalik wrote:
> > On 2009-Apr-27, at 11:27, Alan DeKok wrote:
> > > Guy Fraser wrote:
> > > > I am obviously missing something.
> > >
> > > Ahem, did you read what sql_log does?
> >
> > Yes it says :
> >
> >     modules {
> >       ...
> >       sql_log {
> >         path = ${radacctdir}/sql-relay
> >         acct_table = radacct
> >         postauth_table = radpostauth
> >         sql_user_name = %{%{User-Name}:-DEFAULT}
> >         Start = INSERT INTO ${acct_table} ...
> >         Stop = UPDATE ${acct_table} SET ...
> >         Alive = UPDATE ${acct_table} SET ...
> >         Post-Auth = INSERT INTO ${postauth_table} ...
> >       }
> >       ...
> >     }
> >     accounting {
> >       ...
> >       sql_log
> >       ...
> >     }
> >     post-auth {
> >       ...
> >       sql_log
> >       ...
> >     }
> >
> > And that my friend does not help me.
> >
> > I tried commenting out that section and it did not work
> > I then changed it to :
> >
> > > So... what happens?
> >
> > As far as I could tell nothing changed when I commented out the REJECT section :
> >
> >     post-auth {
> >       reply_log
> >       sql
> >       sql_log
> >       exec
> >       # Post-Auth-Type REJECT {
> >       #   attr_filter.access_reject
> >       # }
> >     }
>
> Leave reject filter alone.
>
> > And I still do not get any failed authentications when I use :
> >
> >     post-auth {
> >       reply_log
> >       sql
> >       sql_log
> >       exec
> >       Post-Auth-Type REJECT {
> >         sql_log
> >       }
> >     }
>
> List sql instead of sql_log. And put the filter back.

Are you saying this will work ?

    post-auth {
      reply_log
      sql
      sql_log
      exec
      Post-Auth-Type REJECT {
        attr_filter.access_reject
        sql
      }
    }

I have put it in and restarted the server.

> Ivan Kalik
> Kalik Informatika ISP

-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radpostauth sql logging of bad passwords
Guy Fraser wrote:
> I have installed :
>
>     radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.1, built on Feb 26 2009 at 15:47:46
>
> I have not been able to figure out how to get it to log failed authentication attempts into the radpostauth sql table, like I had it working in Version 1.

What do you mean by that?

Q: I tried to do stuff, but it didn't work.
A: Huh?

Alan DeKok.
Re: radpostauth sql logging of bad passwords
On 2009-Apr-17, at 03:08, Alan DeKok wrote:
> Guy Fraser wrote:
> > I have installed :
> >
> >     radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.1, built on Feb 26 2009 at 15:47:46
> >
> > I have not been able to figure out how to get it to log failed authentication attempts into the radpostauth sql table, like I had it working in Version 1.
>
> What do you mean by that?
>
> Q: I tried to do stuff, but it didn't work.
> A: Huh?

I thought this would be enough to make it log failed authentications :

    log {
      destination = files
      file = ${logdir}/radius.log
      requests = ${logdir}/radacct/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
      syslog_facility = daemon
      stripped_names = no
      auth = yes
      auth_badpass = yes
      auth_goodpass = no
    }

Here is the recursive, uncommented and redacted configuration :

    ---
    prefix = /usr/local
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = /var/log
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    name = radiusd
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/radiusd
    db_dir = ${raddbdir}
    libdir = /usr/local/lib/freeradius-2.1.3
    pidfile = ${run_dir}/${name}.pid
    user = freeradius
    group = freeradius
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    listen {
      type = auth
      ipaddr = *
      port = 1645
    }
    listen {
      ipaddr = *
      port = 1646
      type = acct
    }
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log {
      destination = files
      file = ${logdir}/radius.log
      requests = ${logdir}/radacct/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
      syslog_facility = daemon
      stripped_names = no
      auth = yes
      auth_badpass = yes
      auth_goodpass = no
    }
    checkrad = ${sbindir}/checkrad
    security {
      max_attributes = 200
      reject_delay = 1
      status_server = yes
    }
    proxy_requests = yes
    $INCLUDE proxy.conf
    #start : proxy.conf#
    proxy server {
      default_fallback = no
    }
    home_server localhost {
      type = auth
      ipaddr = 127.0.0.1
      port = 1645
      secret = XXX
      response_window = 20
      zombie_period = 40
      revive_interval = 120
      status_check = status-server
      check_interval = 30
      num_answers_to_alive = 3
    }
    home_server_pool my_auth_failover {
      type = fail-over
      home_server = localhost
    }
    realm LOCAL {
      type = radius
      authhost = LOCAL
      accthost = LOCAL
    }
    realm domain.net {
      type = radius
      authhost = LOCAL
      accthost = LOCAL
    }
    realm customer.com {
      type = radius
      authhost = x.x.x.x:1645
      accthost = x.x.x.x:1646
      secret = XXX
      nostrip
    }
    ...
    #end#
    $INCLUDE clients.conf
    #start : clients.conf#
    client localhost {
      ipaddr = 127.0.0.1
      secret = XXX
      require_message_authenticator = no
      nastype = other
    }
    #end#
    thread pool {
      start_servers = 5
      max_servers = 32
      min_spare_servers = 3
      max_spare_servers = 10
      max_requests_per_server = 0
    }
    modules {
      $INCLUDE ${confdir}/modules/
      #start : modules/*#
      acct_unique {
        key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
      }
      always fail {
        rcode = fail
      }
      always reject {
        rcode = reject
      }
      always noop {
        rcode = noop
      }
      always handled {
        rcode = handled
      }
      always updated {
        rcode = updated
      }
      always notfound {
        rcode = notfound
      }
      always ok {
        rcode = ok
        simulcount = 0
        mpp = no
      }
      attr_filter attr_filter.post-proxy {
        attrsfile = ${confdir}/attrs
      }
      attr_filter attr_filter.pre-proxy {
        attrsfile = ${confdir}/attrs.pre-proxy
      }
      attr_filter attr_filter.access_reject {
        key = %{User-Name}
        attrsfile = ${confdir}/attrs.access_reject
      }
      attr_filter attr_filter.accounting_response {
        key = %{User-Name}
        attrsfile = ${confdir}/attrs.accounting_response
      }
      attr_rewrite sanecallerid {
        attribute = Called-Station-Id
        searchin = packet
        searchfor = [+ ]
        replacewith =
        ignore_case = no
        new_attribute = no
        max_matches = 10
        append = no
      }
      chap {
      }
      checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
      }
      counter daily {
        filename = ${db_dir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        reply-name = Session-Timeout
        allowed-servicetype = Framed-User
        cache-size = 5000
      }
      detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
Re: radpostauth sql logging of bad passwords
Guy Fraser wrote:
> I thought this would be enough to make it log failed authentications :

Yes. But to flat-text files, not to SQL.

>     post-auth {
>       reply_log
>       sql
>       sql_log

This says log to SQL on success.

>       exec
>       Post-Auth-Type REJECT {
>         attr_filter.access_reject

You could put SQL logging here, too.

> The configuration has changed significantly since I last contributed to this project.

The main changes are moving text from one file to another. e.g. the large chunks of authorize, etc. in radiusd.conf have moved to separate files. But the main configuration is still pretty much the same. Older configuration files can be used *almost* unchanged.

Alan DeKok.
radpostauth sql logging of bad passwords
I have installed :

    radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.1, built on Feb 26 2009 at 15:47:46

I have not been able to figure out how to get it to log failed authentication attempts into the radpostauth sql table, like I had it working in Version 1.

-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
Re: Logging the return code from the ldap authentication to SQL.
Alan DeKok al...@deployingradius.com wrote:
> Augusto G. Andreollo wrote:
> > Hmm.. thing is, the post-auth sql query is already being processed, to log the Access-Reject..
>
> Yes.. I know. But the return code from the LDAP module in the *authorize* section is lost by then.
>
> > Is there any other way I could extract the rejection reason from the LDAP module, to add to this query?
>
> It's not in the LDAP module. See src/main/modcall.c for the code that handles calling modules, and the return codes.
>
> If you really need this functionality, send a patch.

I did. It's bitrotting in your bug database; currently offline so obviously I cannot pull out a linky. It makes xlat module-failure aware; it's an intrusive patch but works for us and gives us LDAP failover support cleanly. Same goes for bug #544, to provide the ldap DN when needed[1]. :(

If you look back in your personal INBOX (if you go back that far) to Sept 1st 2008 you will see this patch being referred to. All my patches live on my dumper space:

    http://stuff.digriz.org.uk/freeradius/

Cheers

[1] it pains me this patch is not there, the LDAP maintainer seems AWOL and no one will touch it <insert grumble/>

-- 
Alexander Clouter
.sigmonster says: Marriage is the waste-paper basket of the emotions.
Re: Logging the return code from the ldap authentication to SQL.
Augusto G. Andreollo wrote:
> I must've been doing something wrong.. When I erased everything and retyped it again, it's now returning OK as given.

Weird... OK

> My problem now is that it only returns correctly when the module returns OK. If the LDAP returns anything else (fail, rejected, notfound), it just completely skips over the IFs block and goes straight to Post-Auth. Is that expected?

Yes. In normal processing, failure means STOP. Don't keep bugging other modules with a request that failed.

Alan DeKok.
Re: Logging the return code from the ldap authentication to SQL.
On Tue, 2009-03-17 at 10:11 +0100, Alan DeKok wrote:
> > My problem now is that it only returns correctly when the module returns OK. If the LDAP returns anything else (fail, rejected, notfound), it just completely skips over the IFs block and goes straight to Post-Auth. Is that expected?
>
> Yes. In normal processing, failure means STOP. Don't keep bugging other modules with a request that failed.

Hmm.. thing is, the post-auth sql query is already being processed, to log the Access-Reject..

Is there any other way I could extract the rejection reason from the LDAP module, to add to this query?

Thanks

-- 
Augusto G. Andreollo
CCUEC/DCNET/SREDE
Universidade Estadual de Campinas - UNICAMP
+55 19 3521-2276
--
Wit beyond measure is men's greatest treasure.
Re: Logging the return code from the ldap authentication to SQL.
Augusto G. Andreollo wrote:
> Hmm.. thing is, the post-auth sql query is already being processed, to log the Access-Reject..

Yes.. I know. But the return code from the LDAP module in the *authorize* section is lost by then.

> Is there any other way I could extract the rejection reason from the LDAP module, to add to this query?

It's not in the LDAP module. See src/main/modcall.c for the code that handles calling modules, and the return codes.

If you really need this functionality, send a patch.

Alan DeKok.
Re: Logging the return code from the ldap authentication to SQL.
Augusto G. Andreollo wrote:
> I have the need to log the return code from the LDAP authentication to our database (I'm adding it to the postauth table scheme).

I wouldn't suggest doing that for EVERY packet. Why do you think it's necessary?

> I've already modified the database scheme (ok), the attribute map, to create a new attribute called reason (ok) and the insert queries (ok). All of this is working fine, including the complete authentication, all the way thru Access-Accept and Accounting. My problem now is getting the return code into the variable, according to the LDAP module results.

It looks like it's working. What's the problem?

> (and then it goes on to successfully add the string rejected to the database. Again, that part is working smoothly).

So... what's the problem?

> My second attempt was with a switch statement, as follows:
>
>     authenticate {
>       Auth-Type LDAP {
>         redundant {
>           ldap1
>           ldap2
>         }
>         switch %{control:rcode} {

Umm... there is no control:rcode attribute.

>     expand: %{control:rcode} ->
>     ++- entering switch %{control:rcode} {...}
>     +++- entering case {...}

See? No control:rcode.

> (to save room, i've already tried encasing the case options in quotes, as 'rejected', 'ok', etc.. that gives me the exact same results. So does putting it on double quotes, as ok, rejected, etc..)
>
> So, any ideas?

Use the first method, not the second.

Alan DeKok.
Re: Logging the return code from the ldap authentication to SQL.
Hi,

> if (rejected) {

are you sure such a return code is available and comparable in such a way? looks like 'rejected' got matched...possibly because the check went okay - a value of 0 - rejected isn't defined...has a value of 0 too? just a guess!

> switch %{control:rcode} {

nice: but likewise, do you know the value of %{control:rcode} to act the case against? looks like it didn't match any of your triggers and so defaulted to ERROR.

alan
Re: Logging the return code from the ldap authentication to SQL.
On Mon, 2009-03-16 at 16:13 +0100, Alan DeKok wrote:
> Augusto G. Andreollo wrote:
> > My problem now is getting the return code into the variable, according to the LDAP module results.
>
> It looks like it's working. What's the problem?
>
> > (and then it goes on to successfully add the string rejected to the database. Again, that part is working smoothly).
>
> So... what's the problem?

The problem is that the reason code is wrong, because the IF is matching with rejected, when it should match ok, since the bind completed successfully.

    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful                  <- User authenticated OK
    [ldap1] user u...@university authenticated succesfully
    +++[ldap1] returns ok
    ++- policy redundant returns ok
    ++? if (rejected)
    ? Evaluating (rejected) -> TRUE                <- should not match
    ++? if (rejected) -> TRUE
    ++- entering if (rejected) {...}
    +++[control] returns ok
    ++- if (rejected) returns ok
    ++ ... skipping elsif for request 0: Preceding if was taken
    ++ ... skipping elsif for request 0: Preceding if was taken
    ++ ... skipping elsif for request 0: Preceding if was taken
    ++ ... skipping else for request 0: Preceding if was taken
    +- entering group post-auth {...}

on the database, reason should be:

- ok when request completed ok
- rejected when the password is wrong
- not found when the user does not exist on LDAP
- fail when the module fails for some reason (not reachable, server down, whatever wrong like that)
- ERROR otherwise.

This is necessary for user support... When user x...@domain.com calls asking why his internet access is being denied, we'd like to know exactly why that happened, so that the User Support people only need to escalate the real problems, not "your password is wrong" problems..

> Use the first method, not the second.

Ok, I've already scraped the first one.

My problem is getting the rcode into the variable reason, defined as

    ATTRIBUTE reason 3201 string

Alan (the other one), proposed:

> > if (rejected) {
>
> are you sure such a return code is available and comparable in such a way? looks like 'rejected' got matched...possibly because the check went okay - a value of 0 - rejected isn't defined...has a value of 0 too? just a guess!

I believe this to be the problem, because even when I shuffle around with the order of the IFs, it's always the rejected one which matches.

Does the redundant module pass forward the inner ldap module return codes? And again, should it?

> Alan DeKok.

-- 
Augusto G. Andreollo
CCUEC/DCNET/SREDE
Universidade Estadual de Campinas - UNICAMP
+55 19 3521-2276
--
Wit beyond measure is men's greatest treasure.
Re: Logging the return code from the ldap authentication to SQL.
Ok, updating on my progress:

On Mon, 2009-03-16 at 14:28 -0300, Augusto G. Andreollo wrote:
> On Mon, 2009-03-16 at 16:13 +0100, Alan DeKok wrote:
> > Augusto G. Andreollo wrote:
> > > My problem now is getting the return code into the variable, according to the LDAP module results.
> >
> > It looks like it's working. What's the problem?
> >
> > > (and then it goes on to successfully add the string rejected to the database. Again, that part is working smoothly).
> >
> > So... what's the problem?
>
> The problem is that the reason code is wrong, because the IF is matching with rejected, when it should match ok, since the bind completed successfully.

I must've been doing something wrong.. When I erased everything and retyped it again, it's now returning OK as given.

My problem now is that it only returns correctly when the module returns OK. If the LDAP returns anything else (fail, rejected, notfound), it just completely skips over the IFs block and goes straight to Post-Auth. Is that expected?

The config is as follows:

(on radiusd.conf):

    redundant redundant_ldap {
      ldap-server1
      #ldap-server2
    }

(on inner-tunnel):

    authenticate {
      Auth-Type LDAP {
        redundant_ldap
        if (fail) {
          update control {
            reason = fail
          }
        }
        elsif (ok) {
          update control {
            reason = ok
          }
        }
        elsif (notfound) {
          update control {
            reason = not found
          }
        }
        elsif (rejected) {
          update control {
            reason = rejected
          }
        }
        else {
          update control {
            reason = ERROR
          }
        }
      }
      Auth-Type PAP {
        pap
      }
    }

    post-auth {
      Post-Auth-Type REJECT {
        reply_log
        redundant_sql
      }
      redundant_sql
      update reply {
        User-Name := %{request:User-Name}
      }
      reply_log
    }

On a good user:

    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful                  <- user authenticated ok
    [ldap-malibu] user u...@university.com authenticated succesfully
    +++[ldap-malibu] returns ok
    ++- group redundant_ldap returns ok
    ++? if (fail)
    ? Evaluating (fail) -> FALSE                   <- skip fail
    ++? if (fail) -> FALSE
    ++? elsif (ok)
    ? Evaluating (ok) -> TRUE                      <- match ok
    ++? elsif (ok) -> TRUE
    ++- entering elsif (ok) {...}
    +++[control] returns ok
    ++- elsif (ok) returns ok
    ++ ... skipping elsif for request 0: Preceding if was taken
    ++ ... skipping elsif for request 0: Preceding if was taken
    ++ ... skipping else for request 0: Preceding if was taken
    +- entering group post-auth {...}
    ++- entering group redundant_sql {...}

And then it goes on to insert ok on the database.

Now, on a bad user (wrong pass):

    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind failed with invalid credentials <- wrong pass
    +++[ldap-malibu] returns reject
    ++- group redundant_ldap returns reject        <- the group returned a status
    Failed to authenticate the user.
    } # server unicamp.br-inner-tunnel
    Using Post-Auth-Type Reject                    <- skips right thru the IFs
    +- entering group REJECT {...}
    [reply_log] expand: /var/log/radius/radacct/%Y%m%d/%H-reply-detail -> /var/log/radius/radacct/20090316/12-reply-detail
    [reply_log] /var/log/radius/radacct/%Y%m%d/%H-reply-detail expands to /var/log/radius/radacct/20090316/12-reply-detail
    [reply_log] expand: %t -> Mon Mar 16 12:26:37 2009
    ++[reply_log] returns ok
    ++- entering group redundant_sql {...}

And then it inserts the value on the database as empty, or simply, ''.

Pretty much the same happens on an inexistent user. The messages are different, but the result is the exact same.

> Alan (the other one), proposed:
>
> > > if (rejected) {
> >
> > are you sure such a return code is available and comparable in such a way? looks like 'rejected' got matched...possibly because the check went okay - a value of 0 - rejected isn't defined...has a value of 0 too? just a guess!
>
> I believe this to be the problem, because even when I shuffle around with the order of the IFs, it's always the rejected one which matches.
>
> Does the redundant module pass forward the inner ldap module return codes? And again, should it?

From what I've gathered, the virtual module is returning the status from the inner ldap modules, so I believe my last question is irrelevant.

Thanks in advance for any suggestion.

-- 
Augusto G. Andreollo
CCUEC/DCNET/SREDE
Universidade Estadual de Campinas - UNICAMP
+55 19 3521-2276
--
Wit beyond measure is men's greatest treasure.
Help with extending logging ...
Hi,

I am trying to parse accounting logs of cablelabs format. Some of the attributes are octet strings which in themselves contain detailed information that is printed as an octet string by freeradius. e.g.:

    CableLabs-Event-Message = 0x484153482830783833326632306329
    CableLabs-Related-Call-Billing-Crl-ID += 0x494b8dc32020202020202032302b3030303030300040
    CableLabs-Related-Call-Billing-Crl-ID += 0x494b8dc32020202020202032302b303030303030003f
    Acct-Session-Id = IK\215\303 20+00\000\000\000?
    . other avps' ...

With help of members on this list, I have been able to write a perl module to parse these octet strings, but am not able to log them in proper place. I need to log all the standard attributes (typically logged in .../Client-IP-Addr/detail-date file) as well as these extra parsed attributes in one place. These are all in the accounting messages - need to achieve a consolidated log for accounting messages - does not matter in which file it is.

How to achieve that?
Do I need to make a code change - if so where?
Do I need to make a change to the config files - if so which?
Do I need to use a specific log mechanism in the perl module - if so what?
Any other input/guidance to help achieve that?

Thank You
-a
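For anyone who wants to see what those octet strings actually hold before deciding where to log them, here is an added example (written for this page, not code from the thread or from FreeRADIUS): a Python parser for detail-file records that turns 0x hex values and \ooo-escaped strings back into bytes and renders them the way the server prints them. The sample record is constructed from the three values quoted above (wrapped hex rejoined); the timestamp is made up, and the record layout follows the detail-file format (timestamp line, tab-indented attributes, blank line).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample record in detail-file layout (timestamp line, tab-indented
# attributes, blank line).  The three values are the ones quoted in the post,
# with the line-wrapped hex rejoined; the timestamp is made up.
SAMPLE_DETAIL = (
    "Fri Dec 19 07:18:00 2008\n"
    "\tCableLabs-Event-Message = 0x484153482830783833326632306329\n"
    "\tCableLabs-Related-Call-Billing-Crl-ID += "
    "0x494b8dc32020202020202032302b3030303030300040\n"
    "\tCableLabs-Related-Call-Billing-Crl-ID += "
    "0x494b8dc32020202020202032302b303030303030003f\n"
    '\tAcct-Session-Id = "IK\\215\\303 20+00\\000\\000\\000?"\n'
    "\n"
)

# "<Attr> = <value>" or "<Attr> += <value>", indented.  The unindented
# timestamp line that opens a record deliberately does not match.
ATTR_LINE = re.compile(r"^\s+([A-Za-z0-9_.:-]+)\s*(\+?=)\s*(.*?)\s*$")
# Inside a quoted string: \ooo octal escape, or a backslash-escaped character.
ESCAPE = re.compile(rb"\\([0-7]{3}|.)", re.DOTALL)


@dataclass
class Record:
    timestamp: str
    # Attribute name -> every decoded instance, in file order ("+=" lines
    # are simply further instances of the same attribute).
    attrs: Dict[str, List[bytes]] = field(default_factory=dict)


def _unescape(match: "re.Match[bytes]") -> bytes:
    esc = match.group(1)
    if len(esc) == 3:                       # \215 -> byte 0x8d
        return bytes([int(esc, 8)])
    return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)


def decode_value(raw: str) -> bytes:
    """Raw bytes of one attribute value as the detail module wrote it."""
    if raw.startswith("0x"):
        return bytes.fromhex(raw[2:])       # 'octets' type: plain hex dump
    if len(raw) >= 2 and raw[0] == '"' == raw[-1]:
        raw = raw[1:-1]                     # quoted 'string' type
    return ESCAPE.sub(_unescape, raw.encode("latin-1"))


def printable(data: bytes) -> str:
    """Render bytes the way FreeRADIUS prints strings: printable ASCII as-is,
    everything else (and quote/backslash) as a \\ooo octal escape."""
    out = []
    for b in data:
        if 0x20 <= b < 0x7F and b not in (0x22, 0x5C):
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def parse_detail(text: str) -> List[Record]:
    """Split detail-file text into records, decoding every attribute value."""
    records: List[Record] = []
    current: Optional[Record] = None
    for line in text.splitlines():
        if not line.strip():                # blank line closes a record
            if current is not None:
                records.append(current)
                current = None
            continue
        m = ATTR_LINE.match(line)
        if m is None:                       # unindented: timestamp line
            if current is not None:
                records.append(current)
            current = Record(timestamp=line.strip())
            continue
        if current is None:                 # tolerate a missing timestamp
            current = Record(timestamp="")
        name, _op, raw = m.groups()
        current.attrs.setdefault(name, []).append(decode_value(raw))
    if current is not None:
        records.append(current)
    return records


if __name__ == "__main__":
    # Print the sample back in a readable, one-line-per-attribute form.
    for rec in parse_detail(SAMPLE_DETAIL):
        print(rec.timestamp)
        for name, values in rec.attrs.items():
            for value in values:
                print(f"\t{name} = {printable(value)}")
```

Decoding the first value shows it is the ASCII text HASH(0x832f20c), i.e. a stringified Perl hash reference rather than CableLabs data, which is worth checking in the perl module before building a consolidated log on top of it.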
Re: Help with extending logging ...
Hi Folks,

Trying to look at the problem in another way. I am inclined to think that I may have to write a module to parse the octet string and populate the attributes into the AVP list. Assuming that this is feasible, I would like to parse before the logging happens (via the detail module). To this end, wondering how to order the execution of modules - is this dictated via the order of entries in the accounting {} part of the radiusd.conf file?

Any insight into the questions /issues below will also be very helpful.

Thanks
-a

On Fri, Dec 19, 2008 at 7:18 AM, al pat alps@gmail.com wrote:
> Hi,
>
> I am trying to parse accounting logs of cablelabs format. Some of the attributes are octet strings which in themselves contain detailed information that is printed as an octet string by freeradius. e.g.:
>
>     CableLabs-Event-Message = 0x484153482830783833326632306329
>     CableLabs-Related-Call-Billing-Crl-ID += 0x494b8dc32020202020202032302b3030303030300040
>     CableLabs-Related-Call-Billing-Crl-ID += 0x494b8dc32020202020202032302b303030303030003f
>     Acct-Session-Id = IK\215\303 20+00\000\000\000?
>     . other avps' ...
>
> With help of members on this list, I have been able to write a perl module to parse these octet strings, but am not able to log them in proper place. I need to log all the standard attributes (typically logged in .../Client-IP-Addr/detail-date file) as well as these extra parsed attributes in one place. These are all in the accounting messages - need to achieve a consolidated log for accounting messages - does not matter in which file it is.
>
> How to achieve that?
> Do I need to make a code change - if so where?
> Do I need to make a change to the config files - if so which?
> Do I need to use a specific log mechanism in the perl module - if so what?
> Any other input/guidance to help achieve that?
>
> Thank You
> -a
Re: Help with extending logging ...
> I am inclined to think that I may have to write a module to parse the octet string and populate the attributes into the AVP list. Assuming that this is feasible, I would like to parse before the logging happens (via the detail module).

Run perl before detail. Put new attributes on the $RAD_REPLY list.

Ivan Kalik
Kalik Informatika ISP
Re: Help with extending logging ...
Hmm, but RAD_REPLY is the list that goes back, no?

I have perl before detail.

-a

On Fri, Dec 19, 2008 at 12:17 PM, t...@kalik.net wrote:
> > I am inclined to think that I may have to write a module to parse the octet string and populate the attributes into the AVP list. Assuming that this is feasible, I would like to parse before the logging happens (via the detail module).
>
> Run perl before detail. Put new attributes on the $RAD_REPLY list.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Help with extending logging ...
Yes, sorry $RAD_REQUEST. Accounting request is logged in detail.

Ivan Kalik
Kalik Informatika ISP

On 19/12/2008, al pat alps@gmail.com wrote:
> Hmm, but RAD_REPLY is the list that goes back, no?
>
> I have perl before detail.
>
> -a
>
> On Fri, Dec 19, 2008 at 12:17 PM, t...@kalik.net wrote:
> > > I am inclined to think that I may have to write a module to parse the octet string and populate the attributes into the AVP list. Assuming that this is feasible, I would like to parse before the logging happens (via the detail module).
> >
> > Run perl before detail. Put new attributes on the $RAD_REPLY list.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
Re: Logging authentication attempts while TLS session resumption (caching) is enabled
Jason Wittlin-Cohen wrote:
> When authenticating via PEAP or TTLS with an anonymous identity, the log shows both the anonymous identity and the real identity tunneled through the TLS tunnel. However, when TLS session resumption (caching) is enabled, only the anonymous identity is logged. This is presumably due to the fact that the user is not actually sending the real ID and password through the tunnel; rather the saved session is being used. However, being that the tunneled username is still available, and obtained from the cache, it should be available to log. Is this the intended behavior?

The server hasn't been updated to log the cached user name.

> It would seem that logging authentication attempts would be more useful if the real username was provided in addition to the anonymous identity.

Yes. As always, patches are welcome.

Alan DeKok.
Logging authentication attempts while TLS session resumption (caching) is enabled
When authenticating via PEAP or TTLS with an anonymous identity, the log shows both the anonymous identity and the real identity tunneled through the TLS tunnel. However, when TLS session resumption (caching) is enabled, only the anonymous identity is logged. This is presumably due to the fact that the user is not actually sending the real ID and password through the tunnel; rather the saved session is being used. However, being that the tunneled username is still available, and obtained from the cache, it should be available to log. Is this the intended behavior? It would seem that logging authentication attempts would be more useful if the real username was provided in addition to the anonymous identity.

Caching disabled:

    Fri Dec 12 17:35:38 2008 : Auth: Login OK: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS tunnel)
    Fri Dec 12 17:35:38 2008 : Auth: Login OK: [Anonymous] (from client Wireless port 55 cli 0013e87d571d)

Caching enabled:

    Fri Dec 12 17:35:56 2008 : Auth: Login OK: [Anonymous] (from client Wireless port 55 cli 0013e87d571d)

However, the tunneled username does seem to be available. It's obtained from the cache and added to the Access-Accept message:

    [peap] Session established. Decoding tunneled attributes.
    [peap] Received EAP-TLV response.
    [peap] Success
    [peap] Adding cached attributes to the reply:
    	User-Name = Jason Wittlin-Cohen

Jason

-- 
Jason Wittlin-Cohen
Yale Law School, Class of 2010
jason.wittlin-co...@yale.edu
Re: Disabling accounting logging (FreeRADIUS 1.1.4)
Ciaran O'Rourke wrote:
> Hello
>
> We're running FreeRADIUS 1.1.4 on OpenBSD 4.0. We've implemented a proprietary RLM that we use to manipulate auth and accounting packets before proxying them to a central RADIUS server. Diskspace on the host running FreeRADIUS is limited in size (deliberately).
>
> My question is: is there a way to completely disable accounting logging?
>
> I've tried commenting out the entire contents of the accounting section in radiusd.conf (including the 'detail' and 'daily' entries), but this results in accounting responses not being sent by the server (as if an empty accounting section disables handling of accounting responses).

    accounting {
      ok
    }

...should do it.
Disabling accounting logging (FreeRADIUS 1.1.4)
Hello

We're running FreeRADIUS 1.1.4 on OpenBSD 4.0. We've implemented a proprietary RLM that we use to manipulate auth and accounting packets before proxying them to a central RADIUS server. Diskspace on the host running FreeRADIUS is limited in size (deliberately).

My question is: is there a way to completely disable accounting logging?

I've tried commenting out the entire contents of the accounting section in radiusd.conf (including the 'detail' and 'daily' entries), but this results in accounting responses not being sent by the server (as if an empty accounting section disables handling of accounting responses).

Thanks.
Re: Re: Re: Logging eap protocols
Sorry for my previous email ;) I was meaning:

    %{control:Auth-Type}

In my configuration, I use two different auth-types, one for PAP, one for MS-CHAP.

Regards,
Vincent

Vincent Magnin [EMAIL PROTECTED] wrote:
> Hello,
>
> Have you tried using %{Auth-Type}?
>
> Regards,
> Vincent Magnin
>
> Richard Timsit [EMAIL PROTECTED] wrote:
> > Alan DeKok wrote:
> > > You can use %{EAP-Type} to log the EAP type. It would best be done as part of a post-auth section.
> >
> > Ok, this works perfectly, thanks a lot!
> > Is it conceivable to retrieve more info for EAP-TTLS or for some other authentication methods, like PAP or CHAP for example?
> >
> > Regards.
Logging eap protocols
Hello,

i am using a Freeradius 2.1.1. I need logging authentication method by User-Name. I am trying using linelog module for this... but i don't know how to retrieve the information.

Does anyone have a clue?

Thanks.

-- 
Richard Timsit [EMAIL PROTECTED]
EPFL DIT-TI
Re: Logging eap protocols
Richard Timsit wrote:
> Hello, i am using a Freeradius 2.1.1. I need logging authentication method by User-Name. I am trying using linelog module for this... but i don't know how to retrieve the information.

You can use %{EAP-Type} to log the EAP type. It would best be done as part of a post-auth section.

Alan DeKok.
Re: Logging eap protocols
Alan DeKok wrote:
> You can use %{EAP-Type} to log the EAP type. It would best be done as part of a post-auth section.

Ok, this works perfectly, thanks a lot!
Is it conceivable to retrieve more info for EAP-TTLS or for some other authentication methods, like PAP or CHAP for example?

Regards.

-- 
Richard Timsit [EMAIL PROTECTED]
EPFL DIT-TI
Re: Logging eap protocols
Info like?

Ivan Kalik
Kalik Informatika ISP

On 3/12/2008, Richard Timsit [EMAIL PROTECTED] wrote:
> Alan DeKok wrote:
> > You can use %{EAP-Type} to log the EAP type. It would best be done as part of a post-auth section.
>
> Ok, this works perfectly, thanks a lot!
> Is it conceivable to retrieve more info for EAP-TTLS or for some other authentication methods, like PAP or CHAP for example?
>
> Regards.
>
> -- 
> Richard Timsit [EMAIL PROTECTED]
> EPFL DIT-TI
Re: Re: Logging eap protocols
Hello,

Have you tried using %{Auth-Type}?

Regards,
Vincent Magnin

Richard Timsit [EMAIL PROTECTED] wrote:
> Alan DeKok wrote:
>> You can use %{EAP-Type} to log the EAP type. It would best be done as part of a post-auth section.
>
> Ok, this works perfectly, thanks a lot! Is it conceivable to retrieve more info for EAP-TTLS or for some other authentication methods, like PAP or CHAP for example?
>
> Regards.
>
> --
> Richard Timsit [EMAIL PROTECTED]
> EPFL DIT-TI
logging to stdout
I have already asked this question a few years ago, but it still seems to be impossible to log to stdout using Ubuntu's Freeradius-1.1.7 (I have worked around it by using a fifo). Am I overlooking something, or is logging to stdout still an issue with 1.1.7? (For several reasons I'd like to stay with the original Ubuntu version.)

R.

--
___
It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt.

+--------------------------------------------+
| Richard Lucassen, Utrecht                  |
| Public key and email address:              |
| http://www.lucassen.org/mail-pubkey.html   |
+--------------------------------------------+
Re: logging to stdout
richard lucassen wrote:
> I have already asked this question a few years ago, but it still seems to be impossible to log to stdout using Ubuntu's Freeradius-1.1.7 (I have worked around it by using a fifo). Am I overlooking something, or is logging to stdout still an issue with 1.1.7? (For several reasons I'd like to stay with the original Ubuntu version.)

There have been no changes to 1.1.7 since 1.1.7 was released. It's still the same version of software: 1.1.7.

The latest version (2.1.1) has major updates from 1.x, and can log to stdout.

Alan DeKok.
Re: logging to stdout
On Wed, 19 Nov 2008 16:37:22 -0600 Alan DeKok [EMAIL PROTECTED] wrote:
>> I have already asked this question a few years ago, but it still seems to be impossible to log to stdout using Ubuntu's Freeradius-1.1.7 (I have worked around it by using a fifo). Am I overlooking something, or is logging to stdout still an issue with 1.1.7? (For several reasons I'd like to stay with the original Ubuntu version.)
>
> There have been no changes to 1.1.7 since 1.1.7 was released. It's still the same version of software: 1.1.7.

Uhhh, a few years ago I was using 1.0.2 or 0.9 or something like that ;-)

> The latest version (2.1.1) has major updates from 1.x, and can log to stdout.

Ok, thnx for your reply Alan. I'll continue to use the fifo workaround (which works like a charm btw :)

R.

--
___
It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt.

+--------------------------------------------+
| Richard Lucassen, Utrecht                  |
| Public key and email address:              |
| http://www.lucassen.org/mail-pubkey.html   |
+--------------------------------------------+
Re: Logging CDRs into MySQL
Ivan,

Thanks for your response. FreeRADIUS is able to connect to the MySQL database and write into the radacct table. However I am not able to set things up for logging the VSA attributes into the database. How do I edit the dialup.conf for the VSA value logging? I edited the dialup.conf with the insert query for the VSAs as follows:

    accounting_start_query = \
        INSERT INTO ${acct_table1} \
        (IPC_SESSION_ID, IPC_SERVICE_TYPE, IPC_SESSION_SEQUENCE_NUM, \
        IPC_POS_TRANSPORT_PROTOCOL, IPC_POS_TRANSPORT_PORT, IPC_POS_TRANSPORT_IP, \
        ...
        VALUES \
        ('%{IPC-Session-Id}', '%{IPC-Service-Type}', \
        '%{IPC-Session-Sequence-Num}', \
        '%{IPC-Pos-Transport-Protocol}', '%{IPC-Pos-Transport-Port}', '%{IPC-Pos-Transport-IP}', \
        ..

I removed all other queries from the dialup.conf and just have the above one, but to no avail. Please suggest.

Regards,
Prabhu

On Thu, 06 Nov 2008 prabhu s sugumaran wrote:
> Hi,
>
> I am facing difficulties in integrating MySQL and FreeRADIUS for the accounting. I have set up MySQL with a database named 'radius'. I have also defined a table 'rt_cdr1' which is to be used to store the CDRs that come in the accounting request. I added the following statements in radiusd.conf:
>
>     accounting {
>         detail
>         sql
>     }
>
> Also in the mysql.conf I have the following:
>
>     acct_table1 = rt_cdr1
>     acct_table2 = rt_cdr1
>
> Are there any other configurations that need to be done to make FreeRADIUS pump the accounting requests into the database? I searched to no avail.
>
> The following is the output of 'radiusd -X -f':
>
>     [EMAIL PROTECTED] freeradius]# /usr/local/sbin/radiusd -X -f
>     FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu, built on Nov 5 2008 at 14:56:50
>     Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
>     There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>     You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
>     Starting - reading configuration files ...
Logging CDRs into MySQL
Hi,

I am facing difficulties in integrating MySQL and FreeRADIUS for the accounting. I have set up MySQL with a database named 'radius'. I have also defined a table 'rt_cdr1' which is to be used to store the CDRs that come in the accounting request. I added the following statements in radiusd.conf:

    accounting {
        detail
        sql
    }

Also in the mysql.conf I have the following:

    acct_table1 = rt_cdr1
    acct_table2 = rt_cdr1

Are there any other configurations that need to be done to make FreeRADIUS pump the accounting requests into the database? I searched to no avail.

The following is the output of 'radiusd -X -f':

    [EMAIL PROTECTED] freeradius]# /usr/local/sbin/radiusd -X -f
    FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu, built on Nov 5 2008 at 14:56:50
    Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...
Re: Logging CDRs into MySQL
> I am facing difficulties in integrating MySQL and FreeRADIUS for the accounting. I have set up MySQL with a database named 'radius'. I have also defined a table 'rt_cdr1' which is to be used to store the CDRs that come in the accounting request. I added the following statements in radiusd.conf:
>
>     accounting {
>         detail
>         sql
>     }

Why? The accounting section is in the default virtual server:

    including configuration file /usr/local/etc/raddb/sites-enabled/default

> Also in the mysql.conf I have the following:
>
>     acct_table1 = rt_cdr1
>     acct_table2 = rt_cdr1

Which is not linked anywhere:

    including configuration file /usr/local/etc/raddb/sql.conf
    including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
    including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf

Maybe sql.conf?

> Are there any other configurations that need to be done to make FreeRADIUS pump the accounting requests into the database? I searched to no avail.

Edit the accounting queries in dialup.conf if you want extra attributes logged.

Ivan Kalik
Kalik Informatika ISP
R: R: R: Logging level
You're right! I was looking at the 2.1.0 version of the file. I checked (and configured) the 2.1.1 one and everything is OK.

Thanks,
Arrigo

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Alan DeKok
Sent: Tuesday, 30 September 2008 18:16
To: FreeRadius users mailing list
Subject: Re: R: R: Logging level

Arrigo Savio wrote:
> I read all comments, and tried to give some permission on the files, but I still receive the error pasted... I read in docs that:
>
>     # If not set, then ANYONE can connect to the control socket,
>     # and have complete control over the server.  This is likely
>     # not what you want.
>
> I tried to comment out the parameters, but it doesn't work anyway.

Did you see the access_mode parameter?

Are you sure you're using 2.1.1? Are you sure you're looking at the configuration files that are included in 2.1.1?

Alan DeKok.
Re: R: Logging level
Arrigo Savio wrote:
>     radmin set
>     ERROR: You do not have write permission.
>
> Where can I specify this permission?

Read the example configuration file in raddb/sites-available/control-socket.

Alan DeKok.
R: R: Logging level
I read all comments, and tried to give some permission on the files, but I still receive the error pasted... I read in docs that:

    # If not set, then ANYONE can connect to the control socket,
    # and have complete control over the server.  This is likely
    # not what you want.

I tried to comment out the parameters, but it doesn't work anyway.

Arrigo.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Alan DeKok
Sent: Tuesday, 30 September 2008 08:43
To: FreeRadius users mailing list
Subject: Re: R: Logging level

Arrigo Savio wrote:
>     radmin set
>     ERROR: You do not have write permission.
>
> Where can I specify this permission?

Read the example configuration file in raddb/sites-available/control-socket.

Alan DeKok.
Re: R: R: Logging level
Arrigo Savio wrote:
> I read all comments, and tried to give some permission on the files, but I still receive the error pasted... I read in docs that:
>
>     # If not set, then ANYONE can connect to the control socket,
>     # and have complete control over the server.  This is likely
>     # not what you want.
>
> I tried to comment out the parameters, but it doesn't work anyway.

Did you see the access_mode parameter?

Are you sure you're using 2.1.1? Are you sure you're looking at the configuration files that are included in 2.1.1?

Alan DeKok.
Logging level
Hi everybody.

I installed Freeradius 2.1.0 on a Fedora 9 server. I'm trying to understand if it is possible to set the logging level in the radius.log log file. Where can I set up a radius -X like level also in the radius.log file? Is it eventually possible to change this level on the fly? I mean without restarting the whole radius process.

Thanks,
Arryxyz
Re: Logging level
Arrigo Savio wrote:
> Hi everybody.
>
> I installed Freeradius 2.1.0 on a Fedora 9 server.

I suggest using 2.1.1, which was released last week.

> I'm trying to understand if it is possible to set the logging level in the radius.log log file. Where can I set up a radius -X like level also in the radius.log file?

Yes. Put

    debug_level = 2

in radiusd.conf.

> Is it eventually possible to change this level on the fly? I mean without restarting the whole radius process.

In 2.1.1, yes. See radmin. Connect to the server, and type help. See also

    man radmin

Alan DeKok.
R: Logging level
Good. I upgraded to 2.1.1 and I successfully tried the debug_level option.

I have a problem with radmin. I configured the listening socket and ran the program. I can run all the show commands, but if I try any set, I receive the error:

    radmin set
    ERROR: You do not have write permission.

Where can I specify this permission?

Listening socket in radiusd.conf:

    listen {
        type = control
        socket = ${run_dir}/radiusd.sock
        uid = root
        gid = root
    }

Arrigo

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Alan DeKok
Sent: Monday, 29 September 2008 11:48
To: FreeRadius users mailing list
Subject: Re: Logging level

Arrigo Savio wrote:
> Hi everybody.
>
> I installed Freeradius 2.1.0 on a Fedora 9 server.

I suggest using 2.1.1, which was released last week.

> I'm trying to understand if it is possible to set the logging level in the radius.log log file. Where can I set up a radius -X like level also in the radius.log file?

Yes. Put

    debug_level = 2

in radiusd.conf.

> Is it eventually possible to change this level on the fly? I mean without restarting the whole radius process.

In 2.1.1, yes. See radmin. Connect to the server, and type help. See also

    man radmin

Alan DeKok.
Logging problem
Hello Alan,

I want logging information if a client shows up with an expired certificate. Therefore in authorize I have:

    ...
    eap
    if ( invalid ) {
        update reply {
            Tmp-String-5 = "INVALID Certificate"
        }
    }

in post-auth:

    ..
    Post-Auth-Type REJECT {
        sql_log
    }

and in modules/sql_log:

    Post-Auth = "INSERT INTO ${postauth_table} \
        (username, pass, reply, authdate, nasname, nasipaddress, radiusip, machinetype, nasport, modulefailmes, csi) VALUES \
        ('%{User-Name}', '%{User-Password}', \
        '%{reply:Packet-Type}', '%S', '%{NAS-Identifier}', '%{Client-IP-Address}', '${RADIP}', \
        '%{Port-Message}', '%{NAS-Port-Id}', '%{reply:Tmp-String-5}', '%{Calling-Station-Id}');"

When a client shows up with an expired certificate I would expect to see the message "INVALID Certificate". Here is what I get with 2.1.0:

    [tls] TLS 1.0 Alert [length 0002], fatal certificate_expired
    TLS Alert write:fatal:certificate expired
    TLS_accept:error in SSLv3 read client certificate B
    rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    SSL: SSL_read failed in a system call (-1), TLS session fails.
    TLS receive handshake failed during operation
    [tls] eaptls_process returned 4
    [eap] Handler failed in EAP/tls
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
    } # server cisco
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [sql_log] Processing sql_log_postauth
    expand: %{User-Name} -> HOST/osd02red.ww901.mycompany.net
    expand: %{%{User-Name}:-DEFAULT} -> HOST/osd02red.ww901.mycompany.net
    [sql_log] sql_set_user escaped user --> 'HOST/osd02red.ww901.mycompany.net'
    expand: INSERT INTO radpostauth (username, pass, reply, authdate, nasname, nasipaddress,radiusip,machinetype,nasport,modulefailmes,csi) VALUES ('%{User-Name}', '%{User-Password}','%{reply:Packet-Type}', '%S', '%{NAS-Identifier}','%{Client-IP-Address}','1.2.3.4', '%{Port-Message}','%{NAS-Port-Id}','%{reply:Tmp-String-5}','%{Calling-Station-Id}'); -> INSERT INTO radpostauth (username, pass, reply, authdate, nasname, nasipaddress,radiusip,machinetype,nasport,modulefailmes,csi) VALUES ('HOST/osd02red.ww901.mycompany.net', '', 'Access-Reject', '2008-09-12 09:58:09', '','123.246.185.169','1.2.3.4', '','','','00-00-00-00-00-02');

It seems if (invalid) is not entered and I don't see why.

Norbert Wegener
Re: Logging problem
Norbert Wegener wrote:
> It seems if (invalid) is not entered and I don't see why.

The default behavior for invalid is to stop processing the request. This can be changed by:

    eap {
        invalid = 1
    }
    if ( invalid ) {
        ...

I'm not sure the default behavior is really documented anywhere, unfortunately.

Alan DeKok.
Re: Logging problem
I fear not...

    eap {
        invalid = 1
    }
    if (invalid) {
        update reply {
            Tmp-String-5 = "INVALID Certificate"
        }
    ...

    TLS_accept:error in SSLv3 read client certificate B
    rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    SSL: SSL_read failed in a system call (-1), TLS session fails.
    TLS receive handshake failed during operation
    [tls] eaptls_process returned 4
    [eap] Handler failed in EAP/tls
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
    } # server cisco
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    ...

Alan DeKok wrote:
> Norbert Wegener wrote:
>> It seems if (invalid) is not entered and I don't see why.
>
> The default behavior for invalid is to stop processing the request. This can be changed by:
>
>     eap {
>         invalid = 1
>     }
>     if ( invalid ) {
>         ...
>
> I'm not sure the default behavior is really documented anywhere, unfortunately.
>
> Alan DeKok.
Re: Logging problem
Norbert Wegener wrote:
> I fear not...

Hmm... if this is in the authenticate section, then the rules are different.

The authenticate section is processed by selecting *one* module / section from the list. That *one* module is processed. So if you have:

    authenticate {
        eap
        foo
    }

Then eap is run for Auth-Type = eap. foo is not used, and any failure / noop / whatever of eap does NOT cause it to fall through to foo.

The solution is to wrap it in an Auth-Type block:

    authenticate {
        Auth-Type eap {
            eap {
                invalid = 1
            }
            if ( invalid ) {
                ...
            }
        }
        foo
    }

In this case, the eap *section* will be processed. The contents will be treated just as if they were being run in the authorize section. So the default action for invalid has to be changed in order for it to fall through, and continue processing.

Alan DeKok.
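As an added example (not from the thread), the arrangement Alan describes put together with Norbert's post-auth logging of the reject: the eap module's action for "invalid" is overridden inside an Auth-Type eap block so the if() is reached, and the Post-Auth-Type REJECT section records the reason through sql_log. The extra radpostauth columns (modulefailmes, csi) follow Norbert's table and are assumptions here; the module ordering comment and the empty pass column are this example's choices.

```unlang
# --- sites-enabled/<virtual-server> (FreeRADIUS 2.1.x) -------------------
authenticate {
    # authenticate runs exactly ONE entry, chosen by Auth-Type. A bare "eap"
    # stops on "invalid"; wrapping it in an Auth-Type block makes the block's
    # contents behave like an authorize section.
    Auth-Type eap {
        eap {
            # default action for "invalid" is to return from the section;
            # priority 1 means "remember the code, but keep going"
            invalid = 1
        }
        if (invalid) {
            update reply {
                # Tmp-String-5 is an internal attribute from
                # dictionary.freeradius.internal, never sent to the NAS
                Tmp-String-5 := "INVALID Certificate"
            }
        }
    }
}

post-auth {
    # ... modules for accepted requests ...

    Post-Auth-Type REJECT {
        # Log first: attr_filter.access_reject deletes every reply attribute
        # that is not on its allow list, which would remove Tmp-String-5
        # before sql_log could read %{reply:Tmp-String-5}.
        sql_log
        attr_filter.access_reject
    }
}

# --- modules/sql_log ------------------------------------------------------
# sql_log appends the expanded query to a relay file; radsqlrelay later
# replays that file into the database.
sql_log {
    path = "${radacctdir}/sql-relay"
    postauth_table = "radpostauth"
    sql_user_name = "%{%{User-Name}:-DEFAULT}"

    # The pass column is written empty on purpose: rows for rejected
    # requests would otherwise keep every mistyped password in clear text.
    Post-Auth = "INSERT INTO ${postauth_table} \
        (username, pass, reply, authdate, nasipaddress, modulefailmes, csi) VALUES \
        ('%{User-Name}', '', '%{reply:Packet-Type}', '%S', \
        '%{Client-IP-Address}', '%{reply:Tmp-String-5}', '%{Calling-Station-Id}');"
}
```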
Re: Logging problem
Thanks, that works.

Norbert Wegener

Alan DeKok wrote:
> Norbert Wegener wrote:
>> I fear not...
>
> Hmm... if this is in the authenticate section, then the rules are different.
>
> The authenticate section is processed by selecting *one* module / section from the list. That *one* module is processed. So if you have:
>
>     authenticate {
>         eap
>         foo
>     }
>
> Then eap is run for Auth-Type = eap. foo is not used, and any failure / noop / whatever of eap does NOT cause it to fall through to foo.
>
> The solution is to wrap it in an Auth-Type block:
>
>     authenticate {
>         Auth-Type eap {
>             eap {
>                 invalid = 1
>             }
>             if ( invalid ) {
>                 ...
>             }
>         }
>         foo
>     }
>
> In this case, the eap *section* will be processed. The contents will be treated just as if they were being run in the authorize section. So the default action for invalid has to be changed in order for it to fall through, and continue processing.
>
> Alan DeKok.
logging unknown clients
Is there any way to get the freeradius 2.1 server to log requests coming from unknown clients? As far as I can tell, these are just silently discarded. I have read through all the comments on the log section in radiusd.conf but I don't see anything about this. Is there anywhere else where the logging capabilities are more fully documented that I just haven't been able to find?

Thanks,
--Greg
Re: logging unknown clients
This is deliberately not logged as a DoS prevention measure. Such requests will be reported only in debug mode. Search for "Ignoring request" in listen.c.

Ivan Kalik
Kalik Informatika ISP

On 11/9/2008, Greg Woods [EMAIL PROTECTED] writes:
> Is there any way to get the freeradius 2.1 server to log requests coming from unknown clients? As far as I can tell, these are just silently discarded. I have read through all the comments on the log section in radiusd.conf but I don't see anything about this. Is there anywhere else where the logging capabilities are more fully documented that I just haven't been able to find?
>
> Thanks,
> --Greg
Re: logging unknown clients
Greg Woods wrote:
> Is there any way to get the freeradius 2.1 server to log requests coming from unknown clients? As far as I can tell, these are just silently discarded.

Yes. Attackers can send packets much more quickly than the server can log them. Logging unknown clients could quickly overload the server.

You can edit the code to log more messages. But do this only if you don't have any untrusted users on your network.

Alan DeKok.
Re: Question about Logging
On Sat, 23 Aug 2008 07:04:11 +0200 Alan DeKok [EMAIL PROTECTED] wrote:
> Aaron Spanik wrote:
> *snip*
>
> I suggest getting access. Sorry... but it's the simplest way to debug things when something is going wrong.

Always. But sometimes one is forced to prove something is wrong before the other end will consent to looking for the problem.

*snip*

>> I have also peeled through all the dictionary files looking for an appropriate RADIUS Attribute which I could use. I found Packet-Src-Ip-Address and Packet-Dst-Ip-Address, which didn't work in any of the detail sections, as they all returned 127.0.0.1, which makes some sense to me given the initial source and destination of the request packets; I'm also pretty sure I shouldn't be using parameters from dictionary.freeradius.internal this way.
>
> That's what they're defined for. See also man unlang. If you want the destination IP address of the *proxied* packet, you need to use
>
>     %{proxy-request:Packet-Dst-IP-address}

See, I read man unlang and noticed the %{list:attribute} syntax, but then failed to remember reading that when I actually went about trying to use %{Packet-Dst-Ip-Address}.

>> So my question is this: short of editing the source to make the auth_log pop the home server being contacted into the loglines in radius.log, is there any way to get that information on a per-request basis? Is there some unlang magic I could work in the pre- or post-processing phases? It doesn't really matter to me where the information goes, as long as I can associate it with a particular request.
>
> It's already associated with the request. You've just got to put 2 and 2 together to refer to the *proxied* packet, not the *request* packet.

I'm glad that I appeared to have half a clue and lacked only the other half to rub it against ;) As you no doubt know, once I used %{proxy-request:Packet-Dst-Ip-Address} I started seeing exactly what I wanted to see in my logs.

> I'd also suggest upgrading to recent code (git.freeradius.org). It has *very* good statistics tracking available via RADIUS packets. You can get accept/reject per home server. See raddb/sites-available/status.

That sounds excellent; I will check out the GIT version. Can you comment on how long it is likely to take before those features make it into an official release?

> You can also log much more configurable messages via the linelog module. See raddb/modules/linelog.
>
> Alan DeKok.

Thanks much for your response; it was truly helpful.

/a

--
Aaron Spanik [EMAIL PROTECTED]
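An added example (not from the thread, not FreeRADIUS' own shipped config) that serves two of the questions on this page: Alan's suggestion of %{proxy-request:Packet-Dst-IP-Address} in pre-proxy for Aaron's per-request home-server logging, and the %{EAP-Type} / %{control:Auth-Type} expansions from the "Logging eap protocols" thread, both written as linelog instances. The instance names and log file names are assumptions; Packet-Dst-Port is a real internal attribute from dictionary.freeradius.internal.

```unlang
# --- modules/linelog: two instances of the linelog module ----------------
linelog proxy_dest_log {
    filename = ${logdir}/proxy-dest.log
    # By the time pre-proxy runs, the home server has been chosen, so the
    # proxy-request list already carries the address the packet will go to.
    # The plain %{Packet-Dst-IP-Address} would still show 127.0.0.1 here:
    # that is where the client sent the ORIGINAL request, as Aaron saw.
    format = "%S %{User-Name} proxied to %{proxy-request:Packet-Dst-IP-Address}:%{proxy-request:Packet-Dst-Port}"
}

linelog auth_method_log {
    filename = ${logdir}/auth-method.log
    # %{control:Auth-Type} is the method selected in authorize (PAP, MS-CHAP,
    # EAP, ...). %{EAP-Type} is only set for EAP requests, so the
    # %{%{...}:-default} form substitutes "none" when it is absent.
    # %{reply:Packet-Type} records Access-Accept / Access-Reject.
    format = "%S %{User-Name} auth-type=%{control:Auth-Type} eap-type=%{%{EAP-Type}:-none} result=%{reply:Packet-Type}"
}

# --- sites-enabled/default ------------------------------------------------
pre-proxy {
    # one line per proxied request, keyed by User-Name, with the home server
    proxy_dest_log
}

post-auth {
    auth_method_log

    # rejects take this path instead, so list the logger here as well
    Post-Auth-Type REJECT {
        auth_method_log
        attr_filter.access_reject
    }
}
```

Both files are plain text and can be tailed alongside radius.log; correlating a line from proxy-dest.log with one from auth-method.log by timestamp and User-Name gives the per-home-server accept/reject picture Aaron was after, without running the server in debug mode.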
Re: Question about Logging
Aaron Spanik wrote:
> As you no doubt know, once I used %{proxy-request:Packet-Dst-Ip-Address} I started seeing exactly what I wanted to see in my logs.

Yup.

> That sounds excellent; I will check out the GIT version. Can you comment on how long it is likely to take before those features make it into an official release?

A week, maybe two. We've been meaning to do a release for a month or so, but other things got in the way.

> Thanks much for your response; it was truly helpful.

Any time.

Alan DeKok.
Question about Logging
I apologize in advance if this question is answered in the documentation, but if it is, I haven't been able to find it. I have the following setup: - Client daemon running on host A - FreeRADIUS 2.0.4 server running on host A proxying auth requests - Two Remote RADIUS servers serving authentication from a load-balanced pool - The client daemon sends authentication requests to the FreeRADIUS server with a username and password over loopback. - The FreeRADIUS server receives the Access-Request and proxies it to the remote RADIUS servers. - Responses from the RADIUS server are proxied back to the client daemon for action. - Accounting records are sent by the client daemon, however they are swallowed by the FreeRADIUS server (always ok) as accounting is not being used at this point. The first thing I will mention is that this I do not have any issue with this configuration; i.e. it works exactly the way it's supposed to. Recently, however, there has been reason to suspect that the two remote RADIUS servers are behaving inconsistently with each other (i.e. auth fails on one and then immediately succeeds on the other). Unfortunately, I have zero access to the remote RADIUS servers and limited access to the folks who could tell me whether something is, in fact, wrong with the remote configuration. In order to provide statistics on my end or at least look for trends, I would like to keep track of what remote server a given request is proxied to, but I can't seem to find an easy way of doing it: - I have auth_logging turned on so that my radius.log file contains basic Yay/Nay information about a particular auth request, but the IP of the server the request was proxied to is not included. - I have detail configured for auth-detail, pre-proxy-detail, post-proxy-detail, and reply-detail. All are pretty much stock except I put the User-Name into the header in a couple of them. None of these show the IP of the particular home server that a given request was sent to. 
I do understand that I can get this information if I run a full debug trace, however this is a production system and I don't need all that information, just one little piece, nor do I want to run a production server outputting to stdout.

I have also peeled through all the dictionary files looking for an appropriate RADIUS Attribute which I could use. I found Packet-Src-Ip-Address and Packet-Dst-Ip-Address, which didn't work in any of the detail sections, as they all returned 127.0.0.1, which makes some sense to me given the initial source and destination of the request packets; I'm also pretty sure I shouldn't be using parameters from dictionary.freeradius.internal this way. I also found FreeRADIUS-Proxied-To, however it appears that's only for accounting packets.

So my question is this: short of editing the source to make the auth_log pop the home server being contacted into the loglines in radius.log, is there any way to get that information on a per-request basis? Is there some unlang magic I could work in the pre- or post-processing phases? It doesn't really matter to me where the information goes, as long as I can associate it with a particular request.

Thanks,
/a

-- 
Aaron Spanik [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question about Logging
Aaron Spanik wrote:
> Recently, however, there has been reason to suspect that the two remote RADIUS servers are behaving inconsistently with each other (i.e. auth fails on one and then immediately succeeds on the other). Unfortunately, I have zero access to the remote RADIUS servers and limited access to the folks who could tell me whether something is, in fact, wrong with the remote configuration.

I suggest getting access. Sorry... but it's the simplest way to debug things when something is going wrong.

> In order to provide statistics on my end or at least look for trends, I would like to keep track of what remote server a given request is proxied to, but I can't seem to find an easy way of doing it:

See the pre-proxy section. The destination IP address is determined before that section is run.

> - I have auth_logging turned on so that my radius.log file contains basic Yay/Nay information about a particular auth request, but the IP of the server the request was proxied to is not included.

The default log messages don't include IP addresses of the proxies.

> I have also peeled through all the dictionary files looking for an appropriate RADIUS Attribute which I could use. I found Packet-Src-Ip-Address and Packet-Dst-Ip-Address, which didn't work in any of the detail sections, as they all returned 127.0.0.1, which makes some sense to me given the initial source and destination of the request packets; I'm also pretty sure I shouldn't be using parameters from dictionary.freeradius.internal this way.

That's what they're defined for. See also man unlang. If you want the destination IP address of the *proxied* packet, you need to use %{proxy-request:Packet-Dst-IP-address}

> So my question is this: short of editing the source to make the auth_log pop the home server being contacted into the loglines in radius.log, is there any way to get that information on a per-request basis? Is there some unlang magic I could work in the pre- or post-processing phases?
> It doesn't really matter to me where the information goes, as long as I can associate it with a particular request.

It's already associated with the request. You've just got to put 2+2 together to refer to the *proxied* packet, not the *request* packet.

I'd also suggest upgrading to recent code (git.freeradius.org). It has *very* good statistics tracking available via RADIUS packets. You can get accept/reject per home server. See raddb/sites-available/status.

You can also log much more configurable messages via the linelog module. See raddb/modules/linelog.

Alan DeKok.
postauth sql logging
Hi all,

I have just recently migrated from 1.1.7 to 2.0.5. In 1.1.7 I had the postauth sql logging turned on to log successful and failed auth attempts. I am not able to find where I would add it in 2.0.5 to enable this feature. I see the sql statement in the dialup.conf config file but I am unsure on how to invoke the sql query. Any pointers would be great.

Thanks,
Jeff.
Re: postauth sql logging
Jeff Crowe wrote:
> I have just recently migrated from 1.1.7 to 2.0.5. In 1.1.7 I had the postauth sql logging turned on to log successful and failed auth attempts. I am not able to find where I would add it in 2.0.5 to enable this feature.

Read radiusd.conf, especially the last few lines. It explains where the configuration has moved to. See raddb/sites-available/default.

> I see the sql statement in the dialup.conf config file but I am unsure on how to invoke the sql query.

This is documented...

Alan DeKok.
Re: Logging attributes to the regular log
Frank Bulk - iNAME wrote:
> I'll do my best to ignore the abrasive comments.

Since you make a point of talking about them, I can explain. Very few people CC me on posts to the list, and every time they get told that I still read the list. Almost no one sets return receipt requested, because it's rude to do so.

> I'm not in the position that I can edit the source code. Is there a feature request form that you can point me to? This is something that would benefit many others, too.

bugs.freeradius.org.

> Yes, ISC's DHCP is different, but it's a core networking service just like DNS. Functionality built into one may suggest a feature capability appreciated by the broader sysadmins out there.

Quite frankly, FreeRADIUS is more feature-rich than the ISC server. The ISC server doesn't include plugins to SQL, LDAP, Perl, Python. It isn't modular. And it doesn't do RADIUS. (FreeRADIUS does DHCP).

> 'rlm_linelog' doesn't appear to have much documentation -- can someone point me in the right direction?

Configure it:

	linelog {
		filename = ${logdir}/
		format = "Login OK for %{User-Name} on %{NAS-Port-Id}"
		...
	}

Then list linelog anywhere you want the log message to be written (post-auth, etc.)

Alan DeKok.
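Putting the linelog advice from this thread together with the proxy-logging thread further up ("Question about Logging") into one worked configuration, as an added example that is not Alan's reply or the project's shipped config: the hard-coded "Login OK / Login incorrect" line is switched off in radiusd.conf, two linelog instances reproduce it with NAS-Port-Id in place of NAS-Port, and two more record which home server each proxied request went to and what it answered, using the proxy-request and proxy-reply lists that Alan points at. Assumed: FreeRADIUS 2.x; the instance names, file names and line formats are mine, and the %{proxy-reply:Packet-Type} and %{Client-Shortname} expansions should be confirmed in radiusd -X output on a test instance before anything depends on them.

```conf
# Added example (mine, not from the list posts). Assumes FreeRADIUS 2.x.
# Instance names (auth_ok_log, auth_fail_log, proxy_log, proxy_result_log)
# and file names are my choices.

# --- radiusd.conf: stop the hard-coded "Auth: Login OK / Login incorrect"
#     lines so the linelog lines below are the only auth log.
log {
	destination = files
	file = ${logdir}/radius.log
	auth = no
	auth_badpass = no
	auth_goodpass = no
}

# --- modules: one linelog instance per message.
#     NAS-Port-Id and Calling-Station-Id are strings the NAS chose to send;
#     log them, but do not trust them when this file is parsed later.
#     %{%{X}:-unknown} substitutes a placeholder when the NAS omitted X.
linelog auth_ok_log {
	filename = ${logdir}/auth.log
	format = "%S Login OK: [%{User-Name}] (from client %{Client-Shortname} NAS-Port-Id %{%{NAS-Port-Id}:-unknown} cli %{%{Calling-Station-Id}:-unknown})"
}
linelog auth_fail_log {
	filename = ${logdir}/auth.log
	format = "%S Login incorrect: [%{User-Name}] (from client %{Client-Shortname} NAS-Port-Id %{%{NAS-Port-Id}:-unknown} cli %{%{Calling-Station-Id}:-unknown})"
}

# Written in pre-proxy: the home server is already chosen at that point, so
# the proxy-request list carries the destination address and port.
linelog proxy_log {
	filename = ${logdir}/proxy.log
	format = "%S proxied [%{User-Name}] from %{Packet-Src-IP-Address} to %{proxy-request:Packet-Dst-IP-Address}:%{proxy-request:Packet-Dst-Port}"
}
# Written in post-proxy: the home server's answer is in the proxy-reply list.
linelog proxy_result_log {
	filename = ${logdir}/proxy.log
	format = "%S reply   [%{User-Name}] from %{proxy-reply:Packet-Src-IP-Address} code %{proxy-reply:Packet-Type}"
}

# --- sites-available/default: list each instance where its event happens.
pre-proxy {
	proxy_log
}
post-proxy {
	proxy_result_log
}
post-auth {
	auth_ok_log                 # this part of post-auth runs for Access-Accept
	Post-Auth-Type REJECT {
		attr_filter.access_reject
		auth_fail_log           # and this sub-section for Access-Reject
	}
}
```

A request that gets no answer from any home server never produces a proxy-reply; in 2.x it runs the Post-Proxy-Type Fail sub-section of post-proxy instead, so list a linelog instance there as well if timeouts are part of what you are trying to correlate. Everything expanded in these formats except the timestamp and Client-Shortname is copied from the NAS packet, so treat the resulting files as untrusted input when you grep or parse them.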
Configurable logging
I have just committed updates to the linelog module (including documentation) that significantly increase its usability. The goal is to move most of the hard-coded log messages to this module. Once these log messages are added to the configuration, the existing hard-coded messages can be deleted.

We're looking for volunteers to examine the existing log messages, and to submit sample one-line log formats for the linelog module.

Alan DeKok.
Re: Configurable logging
Alan DeKok wrote:
> I have just committed updates to the linelog module (including documentation) that significantly increase its usability. The goal is to move most of the hard-coded log messages to this module. Once these log messages are added to the configuration, the existing hard-coded messages can be deleted.

Ok, so you're talking about removing all DEBUG() and other logging function calls from the source and replacing it all with soft configuration based logging? Or just specific ones?

Are you no longer committing to CVS btw?

> We're looking for volunteers to examine the existing log messages, and to submit sample one-line log formats for the linelog module.
>
> Alan DeKok.
Re: Configurable logging
Arran Cudbard-Bell wrote:
> Ok, so you're talking about removing all DEBUG() and other logging function calls from the source and replacing it all with soft configuration based logging? Or just specific ones?

No! The DEBUG logs will still be there. I'm talking about the hard-coded logs like login OK, or login failed.

> Are you no longer committing to CVS btw?

Yes. See http://git.freeradius.org. I'll get gitweb set up soon, too.

Git is harder to learn than Mercurial. But it beats the heck out of CVS.

Alan DeKok.
Re: Logging attributes to the regular log
Frank Bulk wrote:
> I scoured online and in the archives but I haven't found a solution to my question: is there a way to log additional attributes, not unlike what's done in ISC's DHCP logging?

What do you mean by that?

> I know that 'detail' logging is possible, but those are stored in a separate file for each connection.

The detail log doesn't store its logs in a separate file for each connection. If you want that to happen, just configure it in the detail module. Make the file name depend on a per-connection attribute.

> I just want to add another parameter that the NAS sends to FreeRADIUS.

Is that request related to the previous sentences?

Alan DeKok.
RE: Logging attributes to the regular log
Alan:

I'll do my best to explain. Currently our NAS is returning the NAS-Port and FreeRADIUS is logging it like this:

	Fri Jul 18 13:09:52 2008 : Auth: Login OK: [khj] (from client dslam port 1073873726)
	Fri Jul 18 13:09:55 2008 : Auth: Login OK: [dfsands6] (from client dslam port 1073873388)
	Fri Jul 18 13:10:37 2008 : Auth: Login OK: [s44] (from client dslam port 1073742057)

According to my NAS' documentation, that longish number is a bit-representation of an interface. Rather than figure out how to call some external module to re-write that value into something that looks like port #/#/VP/VC, which seems to be more complex, I would like to print the value of NAS-Port-Id(87) which contains the same information. So, I would like the above output to look like this:

	Fri Jul 18 13:09:52 2008 : Auth: Login OK: [khj] (from client dslam NAS-Port-ID 2/0/12/313)
	Fri Jul 18 13:09:55 2008 : Auth: Login OK: [dfsands6] (from client dslam NAS-Port-ID 4/0/6/141)
	Fri Jul 18 13:10:37 2008 : Auth: Login OK: [s44] (from client dslam NAS-Port-ID 4/0/2/22)

The last field is directly from the contents of NAS-Port-Id(87), without any manipulation.

ISC's DHCP is very powerful -- in the configuration file you can define what is logged. See: http://marc.info/?l=dhcp-users&m=121369168201304&w=2 for an example.

Any ideas?

Frank
Re: Logging attributes to the regular log
Don't CC me on posts to the list. I *do* read the list, if you hadn't already noticed.

And DON'T set return receipt requested. It's annoying. I generally delete all email which has that set.

Frank Bulk - iNAME wrote:
> ...
> According to my NAS' documentation, that longish number is a bit-representation of an interface. Rather than figure out how to call some external module to re-write that value into something that looks like port #/#/VP/VC, which seems to be more complex, I would like to print the value of NAS-Port-Id(87) which contains the same information.

Edit the source code.

> ISC's DHCP is very powerful -- in the configuration file you can define what is logged. See: http://marc.info/?l=dhcp-users&m=121369168201304&w=2 for an example.

That's nice. It's a completely different piece of software.

> Any ideas?

Use rlm_linelog to log the information you want to a log file. The authentication log message is just the default. You can always suppress it, and log exactly the information you want using another module.

Alan DeKok.
RE: Logging attributes to the regular log
I'll do my best to ignore the abrasive comments.

I'm not in the position that I can edit the source code. Is there a feature request form that you can point me to? This is something that would benefit many others, too.

Yes, ISC's DHCP is different, but it's a core networking service just like DNS. Functionality built into one may suggest a feature capability appreciated by the broader sysadmins out there.

'rlm_linelog' doesn't appear to have much documentation -- can someone point me in the right direction?

Frank
Logging attributes to the regular log
I scoured online and in the archives but I haven't found a solution to my question: is there a way to log additional attributes, not unlike what's done in ISC's DHCP logging? I know that 'detail' logging is possible, but those are stored in a separate file for each connection. I just want to add another parameter that the NAS sends to FreeRADIUS.

Regards,
Frank
Logging NAS IP address and supplicant MAC/IP address with subnet in clients.conf
Hi, I'm running freeradius-1.1.7.1 and have switched to using a subnet for my NAS devices in clients.conf. Unfortunately, my logs no longer tell me which NAS device a request came from and show only the MAC address of the user's laptop. Is there a way to get the NAS IP address as well in the logs? Having the NAS IP, the user's laptop IP and also MAC address in one line would be great.

Thanks!
~Matt
Re: Logging NAS IP address and supplicant MAC/IP address with subnet inclients.conf
It's already logged in detail logs.

Ivan Kalik
Kalik Informatika ISP
Re: logging of tls logons
So, how can I get exactly the common names in the logs? As I understand it, the only way to do it is check_cert_cn = %{User-Name} in eap.conf?

-- 
Vladimir Vassiliev [EMAIL PROTECTED]
logging of tls logons
I have such entries in my radius.log:

	Fri Jun 6 18:52:31 2008 : Auth: Login OK: [asus_large] (from client wifi port 2 cli 00-19-7D-4A-B7-F4)

asus_large - in this example it is the common name of an SSL certificate, and I thought it cannot be forged and I can identify which certificate was used. But today I connected to the wifi network from my PDA and saw that I can forge this entry as I want. So, it's not really the common name, but something provided by the client.

So, how can I get exactly the common names in the logs?

-- 
Vladimir Vassiliev [EMAIL PROTECTED]
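The check_cert_cn setting Vladimir names in his follow-up, shown in context as an added example (not his configuration and not the project's shipped eap.conf). It assumes FreeRADIUS 2.x with EAP-TLS; the certificate file names are placeholders of mine.

```conf
# Added example (mine, not from the thread). FreeRADIUS 2.x eap.conf.
# Certificate and key paths are placeholders.
eap {
	default_eap_type = tls

	tls {
		private_key_file = ${confdir}/certs/server.pem
		certificate_file = ${confdir}/certs/server.pem
		CA_file = ${confdir}/certs/ca.pem
		dh_file = ${confdir}/certs/dh
		random_file = /dev/urandom

		# The [asus_large] in "Login OK: [asus_large]" is User-Name, i.e. the
		# EAP identity the supplicant chose to send; nothing ties it to the
		# certificate. With check_cert_cn the TLS handshake is rejected
		# unless the client certificate's CN equals that User-Name, so a
		# name that reaches the "Login OK" line is one the client proved
		# possession of the matching private key for.
		check_cert_cn = %{User-Name}
	}
}
```

After this change a supplicant that sends an identity other than its certificate CN gets an Access-Reject, and the existing "Login OK: [...]" line can be read as the CN. The check compares against the outer identity only: for PEAP or EAP-TTLS, where the outer User-Name is routinely anonymous, it is not a substitute for checking the inner identity, and a CN match says nothing about which CA issued the certificate; that is what CA_file constrains.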
Re: detail sql logging problem
[EMAIL PROTECTED] wrote:
> a further question on this one - as the detail relay virtual server buffered-sql is only supposed to run when the main thread isn't busy... and is only supposed to read the detail file, log to SQL then 'be quiet', why, when it encounters such an issue, does the main authentication/accounting etc thread not process anything?

I'm not sure. I haven't been able to test it myself, so I don't really know what's going on in that situation.

> I'd have thought that the virtual server would be moaning and complaining as much as it wants, but the main core functionality would just keep on going...

I would think so, too. Maybe the detail file reader is re-queuing failed requests too quickly, and starving other threads from CPU...

Alan DeKok.
detail sql logging problem
hi, further to last email, here's an example packet:

	Tue Apr 15 12:20:56 2008
		User-Name = x
		NAS-Port = 29
		NAS-IP-Address = 192.168.1.28
		Framed-IP-Address = 192.168.0.3
		NAS-Identifier = wism
		Airespace-Wlan-Id = 1
		Acct-Session-Id = 48048f97/00:11:12:12:14:11/8514
		Acct-Authentic = RADIUS
		Tunnel-Type:0 = VLAN
		Tunnel-Medium-Type:0 = IEEE-802
		Tunnel-Private-Group-Id:0 = 222
		Acct-Status-Type = Stop
		Acct-Input-Octets = 1942107
		Acct-Output-Octets = 5085070
		Acct-Input-Packets = 9162
		Acct-Output-Packets = 8299
		Acct-Terminate-Cause = Lost-Service
		Acct-Session-Time = 0
		Acct-Delay-Time = 0
		Calling-Station-Id = 192.168.0.3
		Called-Station-Id = 192.168.1.28
		Acct-Unique-Session-Id = f7ebd89424c03437
		Timestamp = 1208258456
		Request-Authenticator = Verified

as you can see, Stop request, due to lost service. however, session-time is 0 - i suspect this is because of mobility. they've moved from one wism controller to another or from one AP to another and then left the network altogether. either way, kit is reporting the value. in our SQL logging we look for the Acct-Session-Id, and the Timestamp and then use those to create the session time due to weirdnesses (see the example UPDATE command in sql/postgresql/dialup.conf to get what I mean) so hopefully we don't actually care about what the kit tells us(!)

alan
Re: detail sql logging problem
[EMAIL PROTECTED] wrote:
> further to last email, here's an example packet:
...
> Acct-Session-Time = 0

unlang. :)

	accounting {
		...
		if (Acct-Session-Time != 0) {
			sql
		}
		else {
			ok
		}
		...
	}

i.e. bypass the module that gets upset over 0 session time.

Alan DeKok.
Re: detail sql logging problem
Hi,

> unlang. :)

yes - i was pondering that one. okay. and even better, use e.g. sql_log for the ones that have session-time = 0 so that i can capture them, know them, and see when the issue is fixed etc...

alan
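The routing alan describes, written out as an added example (mine, not his configuration or Alan DeKok's snippet): Stop records that report a zero session time are handed to sql_log, whose relay file can then be counted and inspected, and everything else goes to sql as before. Assumes FreeRADIUS 2.x unlang in sites-available/default; the surrounding module list is the stock one, and the sql_log instance is assumed to be configured (raddb/modules/sql_log).

```conf
# Added example (mine, not from the thread). FreeRADIUS 2.x,
# accounting section of sites-available/default.
accounting {
	detail
	unix
	radutmp

	# Keep the odd Stop packets out of the live table but do not drop them:
	# sql_log appends them to its relay file, so the count of affected
	# sessions is visible and a later import is still possible.
	# The attribute is Acct-Session-Time; a misspelt name here is a
	# configuration error the server reports at startup.
	if ((Acct-Status-Type == Stop) && (Acct-Session-Time == 0)) {
		sql_log
	}
	else {
		sql
	}

	attr_filter.accounting_response
}
```

Both branches return a module code, so the NAS still gets its Accounting-Response either way; the difference is only where the record lands. Limiting the test to Stop packets keeps Start and Interim-Update records, which legitimately carry Acct-Session-Time = 0 at the start of a session, on the normal sql path.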
Radius server not logging ?
FreeRADIUS Version 1.1.6, RHEL 3

I hope it's an easy one. I've got my server set up and authentication is working fine, but I have no log in this directory:

	detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

The Client-IP-Address directory exists (automatic) but I've no detail-xxx files in it. The detail section is uncommented:

	# Write a detailed log of all accounting records received.
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}

any clues ? Thanks for your help
Re: Radius server not logging ?
J-P Raymond wrote:
> I've got my server set up and authentication is working fine, but I have no log in this directory:
> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

The NAS isn't sending accounting packets.

> any clues ?

This is in the FAQ, too.

Alan DeKok.
RE: Detail cisco logging
Hello, thank you for the FreeRADIUS web page; I looked at it before I asked this question. Can anyone give me the right configuration of the Cisco 3560 switch to authenticate a Windows XP machine on a LAN network? I use TLS or PEAP.

Thanks
RE: Detail cisco logging
Well, look again. Same question was asked and answered today. Different Cisco device but that doesn't change a thing.

Ivan Kalik
Kalik Informatika ISP
Re: Detail cisco logging
Hi,

> Hello, I have successfully configured freeradius 2.x to do AAA for my Cisco Catalyst 3560. Using modules rlm_detail I am able to log when the session starts and ends, however I am also interested in logging exactly what commands were issued by the user. Does anyone know how I can accomplish this?

TACACS+, not FreeRADIUS, unless you contribute some code.

alan
RE: Detail cisco logging
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_still_doesn.27t_work.21

Ivan Kalik
Kalik Informatika ISP
RE: Detail cisco logging
Hello, I have the same configuration as you (freeradius-1.1.1, Cisco 3560) but when I try to authenticate my Windows XP it fails. I want to know how you configured your FreeRADIUS and Cisco to work well. My configuration on wireless works fine.

As for the question that you asked, I don't understand; can you give more details, perhaps I can help you.

Thanks
Re: Detail cisco logging
You have mistaken this list for Cisco technical support.

Ivan Kalik
Kalik Informatika
Detail cisco logging
Hello, I have successfully configured freeradius 2.x to do AAA for my Cisco Catalyst 3560. Using modules rlm_detail I am able to log when the session starts and ends, however I am also interested in logging exactly what commands were issued by the user. Does anyone know how I can accomplish this?

Thank you,
Vijay Avarachen

-- 
Knowledge is the only wealth that grows as you spend it, and diminishes as you save it.
Re: Detail cisco logging
Ok I accomplished this outside of FreeRADIUS. Requires IOS version 12.3(4)T and 12.2(25)S. Here are the important sections from the config:

	archive
	 log config
	  logging enable
	  logging size 1000
	  notify syslog
	  hidekeys
	logging xxx.xxx.xxx.xxx

Reference:
1. http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1e81.html
2. http://www.linuxhomenetworking.com/cisco-hn/syslog-cisco.htm

You can also specify facility (default local7). Log entries will look like:

	Feb 1 04:15:08 172.16.40.204 55: 1d21h: %PARSER-5-CFGLOG_LOGGEDCMD: User:vavarachen logged command:logging host 172.17.13.215
	Feb 1 04:15:41 172.16.40.204 56: 1d21h: %PARSER-5-CFGLOG_LOGGEDCMD: User:vavarachen logged command:logging facility local7
	Feb 1 04:15:54 172.16.40.204 57: 1d21h: %PARSER-5-CFGLOG_LOGGEDCMD: User:vavarachen logged command:logging on

Hope this helps someone.

Vijay Avarachen

-- 
Knowledge is the only wealth that grows as you spend it, and diminishes as you save it. -- ancient Sanskrit saying
Re: Logging from another PC
Hmm. That sounds great. I have port-based VLANs on the switches but still no effect. Am I using the wrong type of VLANs? Port-based authentication, could you explain some? Thanks.
Re: Logging from another PC
1. Switch has to support dynamic VLAN assignment by radius. Then you pass Tunnel set of attributes (type, medium and id) to it and place a user in a desired VLAN. If you can only configure VLANs manually, then this is not going to work.

2. How does someone change his IP address to a different subnet and VLAN connection through the switch still works??? That should not be possible. Your VLAN configuration is suspect. If someone is placed on a VLAN with a private address and then changes the address to a public one (trying to get onto Internet, for instance) - he should not be able to connect to anything because he is on one subnet and gateway on another. Same applies if all addresses are private but you are doing NAT for one (subnet) and not for another etc.

Ivan Kalik
Kalik Informatika ISP
Re: Logging from another PC
Yes. Use VLANs and port based authentication and they won't be able to do that. If they manually change IP address to a different VLAN, connection will become unusable.

Ivan Kalik
Kalik Informatika ISP
Re: Logging from another PC
Hey,

On Jan 29, 2008 9:45 AM, [EMAIL PROTECTED] wrote:
> Hi, I have a question. When the user logs using own username and password into Radius server (ie, using 192.168.160.5), it is OK. When someone change IP address statically into logged IP (to 192.168.160.5), he can use the logged account. I mean he can use another one's account.

This is something that the NAS controls. FreeRADIUS only receives authentication requests upon which it can Accept or Reject the user. You might also want to look at the Simultaneous-Use attribute.

> How can I block another PC? And I don't want the user logs often in one day.

You can set a check attribute for the Calling-Station-Id MAC Address and so the user will be granted access only if he logs in from a specific machine.

> User must logs once in a day. That's why I don't want to put Idle-Timeout attribute.

Explain better please.

Regards,
Liran Tal.
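Liran's two suggestions (a Calling-Station-Id check item and Simultaneous-Use) and the Tunnel attributes Ivan mentions for dynamic VLAN assignment, as one added raddb/users example. It is mine, not a configuration from any of the posters; it uses FreeRADIUS 2.x syntax, and the account name, password, MAC address and VLAN id are made up.

```conf
# Added example (mine, not from the thread). FreeRADIUS 2.x raddb/users.
# "alice", the password, the MAC and VLAN 222 are made-up values.

# Check items (first line): the entry only matches when the NAS sends exactly
# this Calling-Station-Id, and Simultaneous-Use caps the user at one session.
# Reply items (following lines): dynamic VLAN assignment for a switch that
# honours the RFC 3580 Tunnel attributes.
alice	Cleartext-Password := "example-only", Calling-Station-Id == "00-1A-2B-3C-4D-5E", Simultaneous-Use := 1
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "222"
```

If the Calling-Station-Id does not match, the entry is skipped and the request falls through to whatever follows it in the file; with nothing else matching, the server has no known-good password for "alice" and rejects. Use the same MAC formatting the NAS sends (compare with a radiusd -X trace; 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e and 001a.2b3c.4d5e all occur in the wild), because the comparison is a plain string match. Simultaneous-Use only has an effect when the session section (radutmp or sql) is enabled and the NAS actually sends accounting Start and Stop records. Neither item stops the IP-stealing case from the original post on its own: a MAC is as easy to copy as an IP address, and once the NAS has admitted a session RADIUS is not consulted again, which is why the thread ends up at 802.1X port authentication and VLANs on the switch.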
Re: Detailed logging on 1.1.7 [fixed]
Peter Nixon wrote:
> Thanks. Nice instructions. I have added them to the wiki (slightly modified)

Thanks Peter, it's nice to see the contribution was meaningful :)

Cheers,
Mike
Re: Detailed logging on 1.1.7 [fixed]
Hi all,

Since I hate it when people write "No problem, I fixed it" and then disappear into the ether without giving details that could be useful to others, here is what I did:

1. Install screen (not installed by default in FreeBSD).
2. Run a new screen and name it something convenient (# screen -S radiusd).
3. Hit Ctrl+A H; this will log all console output to a file.
4. Start radiusd with -X or -x.
5. Detach from the screen with Ctrl+A d.

FreeRADIUS is now running in this screen, and everything is being stored to the log file. At any time you can reattach to the screen (both locally and over SSH) to see what is going on in real time.

Cheers,
Mike
Re: Detailed logging on 1.1.7 [fixed]
On Mon 28 Jan 2008, Mother wrote:
> 1. Install screen (not installed by default in FreeBSD).
> 2. Run a new screen and name it something convenient (# screen -S radiusd).
> 3. Hit Ctrl+A H; this will log all console output to a file.
> 4. Start radiusd with -X or -x.
> 5. Detach from the screen with Ctrl+A d.
>
> FreeRADIUS is now running in this screen, and everything is being stored to the log file. At any time you can reattach to the screen (both locally and over SSH) to see what is going on in real time.

Thanks. Nice instructions. I have added them to the wiki (slightly modified).

Cheers

-- 
Peter Nixon
http://peternixon.net/
Logging from another PC
Hi, I have a question.

When the user logs in using their own username and password to the RADIUS server (i.e. from 192.168.160.5), it is OK. When someone changes their IP address statically to the logged-in IP (192.168.160.5), they can use the logged-in account. I mean they can use another user's account. How can I block the other PC?

And I don't want the user to log in often in one day. The user must log in once a day. That's why I don't want to use the Idle-Timeout attribute.

I'm using FreeRADIUS 2.0.1 with Cisco BBSM 5.3. Could you give some clarification on this?

Thanks
Detailed logging on 1.1.7
Hi all,

After searching around the docs, I cannot find a way to control the debug log level (to radius.log), and since I am having problems where the server seems to freeze every now and then, I really need to find the cause. All I could see in the last batch of logs is:

    Wed Jan 23 09:15:51 2008 : Info: rlm_sql (sql): No matching entry in the database for request from user [mother]
    Wed Jan 23 11:34:00 2008 : Error: Discarding duplicate request from client Whisher-Test:2207 - ID: 0 due to unfinished request 391
    [About a dozen more of these]
    Wed Jan 23 11:34:30 2008 : Error: WARNING: Unresponsive child (id 136186368) for request 391 (in component authorize module rlm_sql)
    Wed Jan 23 11:34:32 2008 : Error: Discarding duplicate request from client Whisher-Test:2207 - ID: 0 due to unfinished request 391
    [About another dozen of these]

It seems the server stopped responding at 09:15 or just after, and I restarted it at 11:34 after a user complained he could not log in on the hotspot's landing page.

Any insight will be greatly appreciated.

Regards,
Mike

PS: Before you start screaming "Upgrade to 2.0.0!!", I cannot (yet) as this is on a FreeBSD box using ports and Oracle.
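The two messages Mike pastes are the pair FreeRADIUS 2.x emits when one request is stuck inside a module and the NAS keeps retransmitting: "Discarding duplicate request ... due to unfinished request N" for every retransmit, and "Unresponsive child ... for request N (in component X module Y)" once the server notices the thread has not come back. Added example, not from this thread and not FreeRADIUS code: a small parser that correlates the two by request id and names the section/module the server blamed, so a monitoring job can raise "rlm_sql is hanging in authorize" instead of just "lots of errors". The sample log lines are constructed from the post above (with a couple of extra retransmits added); the message formats matched are the ones shown in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Timestamp prefix as written by radius.log, e.g. "Wed Jan 23 11:34:30 2008".
TS = r"(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})"

DUP_RE = re.compile(
    TS + r" : Error: Discarding duplicate request from client (?P<client>\S+)"
    r" - ID: (?P<pkt>\d+) due to unfinished request (?P<req>\d+)$")

STUCK_RE = re.compile(
    TS + r" : Error: WARNING: Unresponsive child \(id \d+\) for request (?P<req>\d+)"
    r" \(in component (?P<section>\w+) module (?P<module>\w+)\)$")

# Constructed sample input, modelled on the lines quoted in the post above.
SAMPLE_LOG = [
    "Wed Jan 23 09:15:51 2008 : Info: rlm_sql (sql): No matching entry in the database for request from user [mother]",
    "Wed Jan 23 11:34:00 2008 : Error: Discarding duplicate request from client Whisher-Test:2207 - ID: 0 due to unfinished request 391",
    "Wed Jan 23 11:34:05 2008 : Error: Discarding duplicate request from client Whisher-Test:2207 - ID: 0 due to unfinished request 391",
    "Wed Jan 23 11:34:30 2008 : Error: WARNING: Unresponsive child (id 136186368) for request 391 (in component authorize module rlm_sql)",
    "Wed Jan 23 11:34:32 2008 : Error: Discarding duplicate request from client Whisher-Test:2207 - ID: 0 due to unfinished request 391",
]


def parse_ts(text):
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def analyse(lines):
    """Group retransmit and unresponsive-child lines by the stuck request id.

    Returns {req_id: {"duplicates": n, "clients": set, "first": datetime,
                      "last": datetime, "blamed": "section/module" or None}}.
    """
    out = defaultdict(lambda: {"duplicates": 0, "clients": set(),
                               "first": None, "last": None, "blamed": None})
    for line in lines:
        line = line.strip()
        m = DUP_RE.match(line)
        if m:
            rec = out[int(m["req"])]
            ts = parse_ts(m["ts"])
            rec["duplicates"] += 1
            rec["clients"].add(m["client"])
            rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
            rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
            continue
        m = STUCK_RE.match(line)
        if m:
            # The server names the section and module the worker thread is inside.
            out[int(m["req"])]["blamed"] = f"{m['section']}/{m['module']}"
    return dict(out)


def summarize(lines):
    """One human-readable line per stuck request, suitable for an alert."""
    rows = []
    for req, rec in sorted(analyse(lines).items()):
        window = ""
        if rec["first"] is not None:
            window = f" between {rec['first']:%H:%M:%S} and {rec['last']:%H:%M:%S}"
        rows.append(
            f"request {req}: {rec['duplicates']} retransmits from "
            f"{', '.join(sorted(rec['clients'])) or 'nobody'}{window}; "
            f"blocked in {rec['blamed'] or 'unknown'}")
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Pointing this at a live radius.log (or at the screen log from the "[fixed]" posts in this thread) answers the question Mike asks here without raising the log level: the blamed module is the one to look at first, and the retransmit window tells you how long the NAS kept trying before the server was restarted.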
Re: Detailed logging on 1.1.7
http://www.digipedia.pl/man/radiusd.8.html

Ivan Kalik
Kalik Informatika ISP

On 23/1/2008, Mother [EMAIL PROTECTED] wrote:

> Hi all,
>
> After searching around the docs, I cannot find a way to control the debug log level (to radius.log), and since I am having problems where the server seems to freeze every now and then, I really need to find the cause.
>
> [...]
>
> PS: Before you start screaming "Upgrade to 2.0.0!!", I cannot (yet) as this is on a FreeBSD box using ports and Oracle.
Re: Detailed logging on 1.1.7
Ivan,

[EMAIL PROTECTED] wrote:
> http://www.digipedia.pl/man/radiusd.8.html

Yes, deja-vu :)

One question: -x (not -X) provides debug output to radius.log??? I tried this before, but did not seem to get anything other than what is already normally output.

Best regards,
Mike
Re: Detailed logging on 1.1.7
Mother wrote:
> Ivan,
>
> [EMAIL PROTECTED] wrote:
>> http://www.digipedia.pl/man/radiusd.8.html
>
> Yes, deja-vu :)
>
> One question: -x (not -X) provides debug output to radius.log??? I tried this before, but did not seem to get anything other than what is already normally output.
>
> Best regards,
> Mike

radiusd -x

The more x's, the more verbose.

And no, -X stops the server from forking, and writes output to /dev/stdout.

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: (was latest CVS 2.0) - logging issue
Hi,

> A lot has changed since -pre2.
>
> Hmm... it *should* be configurable in radiusd.conf. See the log section in radiusd.conf. Some configuration items have moved, because it was dumb to have log_foo, log_bar, log_baz, etc.

ha! a lot HAS been changing. damn. you are right. how did i miss that fundamental change to the log {} section? crazy.

anyway, i have now moved all the pre-2 log stuff (log_auth, log_file etc.) into the correct single log {} stanza and removed the legacy log_ prefix which each entry had. it's all working fine now.

there was another post by someone else on this list a while back about latest CVS being more quiet than the old. perhaps this needs to be highlighted a little better - perhaps have something in the startup parser that can detect these old legacy configs and spew out a warning? in 'the old days' the log_ entries could lie anywhere in radiusd.conf - really they should only be in log {} and no entries should start with log_ ... ah! but they do. we have a small oddity:

    log_destination = files

surely this should also be cleared into the log {} stanza? eg

    log {
        destination = files
    }

sorry for the false alert and thanks for the pointer/tip to getting this little issue sorted.

alan
Re: (was latest CVS 2.0) - logging issue
[EMAIL PROTECTED] wrote:
> ha! a lot HAS been changing. damn. you are right. how did i miss that fundamental change to the log {} section?

It got changed fairly recently.

> there was another post by someone else on this list a while back about latest CVS being more quiet than the old. perhaps this needs to be highlighted a little better - perhaps have something in the startup parser that can detect these old legacy configs and spew out a warning?

I just updated the code so that the parsing of entries is re-arranged a bit. It means that old configurations with log_foo will still use *those* definitions. So other people with the same kind of config won't suddenly see the logs get quieter.

> we have a small oddity:
>
>     log_destination = files
>
> surely this should also be cleared into the log {} stanza? eg

Likely, yes.

>     log {
>         destination = files
>     }
>
> sorry for the false alert and thanks for the pointer/tip to getting this little issue sorted.

It's a usability issue that was easy to fix.

Alan DeKok.
no logging = reject?
I am using a recent pre-2, with authentication via a MySQL database. In post-auth I have a sql module that reports accept/reject to another MySQL database. When this database is not available, the user is rejected, although I get Auth-Type = Accept before. Is this a desired behaviour, bug or feature?

    ...
    rad_check_password: Auth-Type = Accept, accepting the user
    Login OK: [7989] (from client 149.246.185.169 port 1812)
    +- entering group post-auth
    ++? if (%{User-Name} =~ /.net/i || %{User-Name} =~ /@/ )
        expand: %{User-Name} -> 7989
    ? Evaluating (%{User-Name} =~ /.net/i) -> FALSE
        expand: %{User-Name} -> 7989
    ? Evaluating (%{User-Name} =~ /@/) -> FALSE
    ++? if (%{User-Name} =~ /.net/i || %{User-Name} =~ /@/ ) -> FALSE
        expand: //var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> //var/log/radius/radacct/149.246.185.169/reply-detail-20071218
    rlm_detail: //var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to //var/log/radius/radacct/149.246.185.169/reply-detail-20071218
        expand: %t -> Tue Dec 18 15:29:07 2007
    ++[reply_log] returns ok
    rlm_sql (sql): Processing sql_postauth
        expand: %{User-Name} -> 7989
    rlm_sql (sql): sql_set_user escaped user --> '7989'
        expand: INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}', NOW(),'%{NAS-IP-Address}') -> INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Accept', NOW(),'139.25.153.222')
    rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Accept', NOW(),'139.25.153.222')
    rlm_sql (sql): Ignoring unconnected handle 4..
    rlm_sql (sql): Ignoring unconnected handle 3..
    rlm_sql (sql): Ignoring unconnected handle 2..
    rlm_sql (sql): Ignoring unconnected handle 1..
    rlm_sql (sql): Ignoring unconnected handle 0..
    rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
    ++[sql] returns fail
    Found Post-Auth-Type Reject
    +- entering group REJECT
    rlm_sql (sql): Processing sql_postauth
        expand: %{User-Name} -> 7989
    rlm_sql (sql): sql_set_user escaped user --> '7989'
        expand: INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}', NOW(),'%{NAS-IP-Address}') -> INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Reject', NOW(),'139.25.153.222')
    rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date,nasname) values ('', '7989', '7989', 'Access-Reject', NOW(),'139.25.153.222')
    rlm_sql (sql): Ignoring unconnected handle 4..
    rlm_sql (sql): Ignoring unconnected handle 3..
    rlm_sql (sql): Ignoring unconnected handle 2..
    rlm_sql (sql): Ignoring unconnected handle 1..
    rlm_sql (sql): Ignoring unconnected handle 0..
    rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
    ++[sql] returns fail
    Sending Access-Reject of id 51 to 149.246.185.169 port 32833
    Finished request 0.
    Going to the next request
    Waking up in 0.9 seconds.
    Waking up in 4.0 seconds.
    Cleaning up request 0 ID 51 with timestamp +1
    Ready to process requests.

Norbert Wegener
Re: no logging = reject?
Norbert Wegener wrote:
> I am using a recent pre-2, with authentication via a MySQL database. In post-auth I have a sql module that reports accept/reject to another MySQL database. When this database is not available, the user is rejected, although I get Auth-Type = Accept before. Is this a desired behaviour, bug or feature?
>
> [...]
>
> Norbert Wegener

Feature.

What's slightly worrying about using rlm_sql is that if for any reason a table is locked, the SQL request will block until the table is unlocked. In blocking, it appears to block the entire FR server! Everything just stops until the table is unlocked and the request is satisfied!

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: no logging = reject?
Arran Cudbard-Bell wrote:
> Norbert Wegener wrote:
>> I am using a recent pre-2, with authentication via a MySQL database. In post-auth I have a sql module that reports accept/reject to another MySQL database. When this database is not available, the user is rejected, although I get Auth-Type = Accept before. Is this a desired behaviour, bug or feature?

Generally, failure of a module will result in failure of the request. See doc/configurable_failover for info on how to control this.

I would strongly recommend in your post-auth section doing what we did:

    post-auth {
        redundant {
            sql
            detail
        }
    }

...that way, if sql actually fails, you just dump to a file. You can monitor the file any number of ways to see how frequently (or not) this happens.

However, as Arran points out, if the module *blocks* rather than fails, you may suffer a potentially arbitrarily long wait. If your SQL server is routinely blocking then it is too slow and you need to fix that; however, if you want complete insurance against e.g. unforeseeable faults, I would use rlm_sql_log. I was originally somewhat sceptical of it, however we recently moved a ~1M auths/day server from doing direct SQL writes to using sql_log in order to be tolerant of SQL server drops, and I'm much (much!) happier as a result.

What we actually do is this:

* a single central SQL server; two databases:
  * radcheck - contains the SQL radcheck/reply group tables
  * radacct - contains the radacct and radpostauth tables [1]
* 2 radius servers, each with a local read-only SQL replica of the radcheck database; the radius processes are configured to read (do lookups against) their local SQL, and write to the sql_log file
* copies of radsqlrelay pushing the accounting data to the central server

The time lag during normal loads is:

* central radcheck -> server radchecks: 0-10 seconds (postgres slony)
* server sql-relay -> central radacct: 0-10 seconds (radsqlrelay)

During extended outages (such as the arranged maintenance in our datacentre this weekend) the radius servers continue to chug away and log to relay files, then replication and radsqlrelay spring back to life and catch up later.

[1] One minor note - as per my recent post, the sql_log module cannot do the "try update / except insert" technique that the sql module uses, so I modified things slightly; I write the sql_log updates to a *2nd* table, and use a TRIGGER on INSERT to update/insert the main radacct table. It works very well. As Alan pointed out in reply to my post, you could also run plain old radrelay and an accounting-only radius server on the central database server, however for various boring reasons I won't go into, that wasn't an option for us.

HTH
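Footnote [1] above describes the one thing sql_log cannot do for you: rlm_sql tries an UPDATE on Stop/Alive and falls back to an INSERT if no row matched, whereas sql_log can only write fixed statements to a file for radsqlrelay to replay. The poster's fix is to replay into a second table and let a database trigger do the update-or-insert. Added example, not the poster's code or FreeRADIUS's: a staging table and trigger in that shape, run against sqlite3 so it works offline (the poster used PostgreSQL, where the trigger would be a PL/pgSQL function). The column set is a cut-down radacct, and the table name radacct_relay, the trigger name and the session ids are my own choices; the NAS address is the one from the post above.

```python
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    acctuniqueid        TEXT PRIMARY KEY,
    username            TEXT NOT NULL,
    nasipaddress        TEXT NOT NULL,
    acctstarttime       TEXT,
    acctstoptime        TEXT,
    acctsessiontime     INTEGER,
    acctterminatecause  TEXT
);

-- Every Start/Alive/Stop becomes one plain INSERT here, which is all that
-- a sql_log file replayed by radsqlrelay can express.
CREATE TABLE radacct_relay (
    id                  INTEGER PRIMARY KEY AUTOINCREMENT,
    acctstatustype      TEXT NOT NULL,
    acctuniqueid        TEXT NOT NULL,
    username            TEXT NOT NULL,
    nasipaddress        TEXT NOT NULL,
    eventtime           TEXT NOT NULL,
    acctsessiontime     INTEGER,
    acctterminatecause  TEXT
);

-- The "try update, else insert" that rlm_sql does inside the server, moved
-- into the database so late, duplicated or out-of-order replays converge.
CREATE TRIGGER radacct_relay_apply AFTER INSERT ON radacct_relay
BEGIN
    UPDATE radacct SET
        acctstarttime      = CASE WHEN NEW.acctstatustype = 'Start'
                                  THEN NEW.eventtime ELSE acctstarttime END,
        acctstoptime       = CASE WHEN NEW.acctstatustype = 'Stop'
                                  THEN NEW.eventtime ELSE acctstoptime END,
        acctsessiontime    = COALESCE(NEW.acctsessiontime, acctsessiontime),
        acctterminatecause = COALESCE(NEW.acctterminatecause, acctterminatecause)
    WHERE acctuniqueid = NEW.acctuniqueid;

    INSERT INTO radacct (acctuniqueid, username, nasipaddress, acctstarttime,
                         acctstoptime, acctsessiontime, acctterminatecause)
    SELECT NEW.acctuniqueid, NEW.username, NEW.nasipaddress,
           CASE WHEN NEW.acctstatustype = 'Start' THEN NEW.eventtime END,
           CASE WHEN NEW.acctstatustype = 'Stop'  THEN NEW.eventtime END,
           NEW.acctsessiontime, NEW.acctterminatecause
    WHERE NOT EXISTS (SELECT 1 FROM radacct WHERE acctuniqueid = NEW.acctuniqueid);
END;
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def relay(con, statustype, uniqueid, user, nas, when, sessiontime=None, cause=None):
    """Stand-in for radsqlrelay replaying one statement from the sql_log file."""
    con.execute(
        "INSERT INTO radacct_relay (acctstatustype, acctuniqueid, username,"
        " nasipaddress, eventtime, acctsessiontime, acctterminatecause)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        (statustype, uniqueid, user, nas, when, sessiontime, cause))
    con.commit()


def session(con, uniqueid):
    """The reconciled radacct row for one session, or None if never seen."""
    return con.execute(
        "SELECT username, acctstarttime, acctstoptime, acctsessiontime,"
        " acctterminatecause FROM radacct WHERE acctuniqueid = ?",
        (uniqueid,)).fetchone()


def demo():
    """Replay a normal session, a duplicated Stop, and a Stop that arrives before its Start."""
    con = open_db()
    nas = "139.25.153.222"
    relay(con, "Start", "s1", "7989", nas, "2007-12-18 15:29:07")
    relay(con, "Alive", "s1", "7989", nas, "2007-12-18 15:39:07", sessiontime=600)
    relay(con, "Stop",  "s1", "7989", nas, "2007-12-18 16:00:00", sessiontime=1853, cause="User-Request")
    relay(con, "Stop",  "s1", "7989", nas, "2007-12-18 16:00:00", sessiontime=1853, cause="User-Request")
    # After an outage the relay file can replay a Stop before its Start.
    relay(con, "Stop",  "s2", "8001", nas, "2007-12-18 16:05:00", sessiontime=120, cause="Lost-Carrier")
    relay(con, "Start", "s2", "8001", nas, "2007-12-18 16:03:00")
    count = con.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    return session(con, "s1"), session(con, "s2"), count


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The point of keying everything on acctuniqueid is that the relay file is append-only and may be replayed more than once; the trigger has to be idempotent, which the UPDATE-then-conditional-INSERT pair is. The relay table also keeps the raw replayed rows, which is a useful audit trail when the reconciled radacct row looks wrong.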
Re: no logging = reject?
Arran Cudbard-Bell wrote:
> What's slightly worrying about using rlm_sql is that if for any reason a table is locked, the SQL request will block until the table is unlocked. In blocking, it appears to block the entire FR server! Everything just stops until the table is unlocked and the request is satisfied!

That appears to be the SQL library, and its interaction with threads. It may suspend the entire process when a thread blocks... which isn't nice.

The only way to fix this is to run the RADIUS server and SQL queries in separate processes... which is complicated.

Alan DeKok.