Using Freeradius authorization to send data to a microcontroller
I'm a relatively new FreeRADIUS user so I am not really an expert with it. In our project, depending on a user's authentication/authorization by the server, we need to send an unlock/lock byte to a microcontroller (connected to /dev/ttyUSB0, by the way). So where do I start with the solution? Can I run a certain code/program automatically once the server authenticates a user? Are there any previous applications similar to this?

Our installed version is 2.1.0+dfsg-0ubuntu2, running on Ubuntu 8.10. The backend database we used is MySQL.

Thanks in advance.

Rex Dizon

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius authorization to send data to a microcontroller
Joeven Rex Dizon wrote:
> In our project, depending on a user's authentication/authorization by the server, we need to send an unlock/lock byte to a microcontroller (connected to /dev/ttyUSB0, by the way). So where do I start with the solution? Can I run a certain code/program automatically once the server authenticates a user?

Yes.

> Are there any previous applications similar to this?

See man unlang. You should put the program into back-ticks, like in the shell, e.g.

if (`/path/to/program`) {
...
}

Alan DeKok.
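One way to do what Alan describes, written here as an added example rather than code from the thread or from FreeRADIUS: a small POSIX shell script that radiusd runs from unlang and that writes a single control byte to the serial device. The program name door-signal, the byte values 0x55/0xAA, the lock directory, the exit codes and the section names shown in the comment are assumptions; the device path is the one from the question.

```shell
#!/bin/sh
# door-signal: write one control byte to the serial device that the
# microcontroller hangs off, so radiusd can drive it after authentication.
#
# Added example for this thread; not code from FreeRADIUS or from the
# poster. The program name, the byte values 0x55/0xAA, the lock directory
# and the exit codes are assumptions. Hook it in the way Alan's reply
# describes, with the program in back-ticks inside unlang, for instance
#
#     post-auth {
#         if (`/usr/local/bin/door-signal unlock`) {
#             ok
#         }
#     }
#
# and "door-signal lock" in the Post-Auth-Type REJECT block (see man unlang
# for how your version interprets the result).
#
# Defensive points: the script accepts only two fixed keywords, so no RADIUS
# attribute (User-Name etc.) is ever passed to a shell or to the serial line;
# it runs as the radiusd user, which must therefore be able to write the
# device (the dialout group on Ubuntu); the write is guarded by a lock so two
# requests finishing together cannot interleave bytes; and it gives up after
# a few seconds rather than blocking radiusd.

DEVICE_DEFAULT="/dev/ttyUSB0"                   # from the question
LOCKDIR="${TMPDIR:-/tmp}/door-signal.lock"      # assumed lock location
LOCK_TRIES=5                                    # 1 s apart, then give up

# byte_escape ACTION: print the printf(1) octal escape for the control byte.
# Returns 1 for anything other than the two known keywords.
byte_escape() {
    case "$1" in
        unlock) printf '%s' '\125' ;;   # 0x55, assumed "unlock" byte
        lock)   printf '%s' '\252' ;;   # 0xAA, assumed "lock" byte
        *)      return 1 ;;
    esac
}

# send_byte ACTION [DEVICE]: write the byte for ACTION to DEVICE.
# Exit status: 0 sent, 2 unknown action, 3 device not writable,
# 4 lock timeout, 5 write failed.
send_byte() {
    action="$1"
    device="${2:-$DEVICE_DEFAULT}"
    escape=$(byte_escape "$action") || return 2
    [ -w "$device" ] || return 3

    # mkdir is atomic, so it serves as a mutex without util-linux flock.
    tries=0
    until mkdir "$LOCKDIR" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -lt "$LOCK_TRIES" ] || return 4
        sleep 1
    done
    # Clear the lock even if we are killed mid-write.
    trap 'rmdir "$LOCKDIR" 2>/dev/null || true' EXIT

    rc=0
    # Append rather than truncate: on a tty it makes no difference, and a
    # regular file used for testing keeps its earlier bytes.
    # shellcheck disable=SC2059  # the escape is the format on purpose
    printf "$escape" >> "$device" || rc=5
    rmdir "$LOCKDIR"
    return "$rc"
}

# When run as a program (as radiusd does), act on the arguments; with no
# arguments (e.g. when sourced for testing) only define the functions.
if [ $# -gt 0 ]; then
    send_byte "$@"
    exit $?
fi
```

The script is deliberately free of any request data: radiusd decides lock versus unlock in unlang and passes only that keyword, so a crafted User-Name or Calling-Station-Id can never reach the serial line or a shell. Whatever user radiusd runs as (the "user"/"group" settings in radiusd.conf) needs write permission on /dev/ttyUSB0, and the non-zero exit codes let the unlang condition distinguish a missing device or a lock timeout from a successful send.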
freeradius authorization without username
I have a freeradius, and I need Calling-Station-Id for authorization. This is the one attribute which I select in the radiusd.conf:

checkval {
        # The attribute to look for in the request
        item-name = Calling-Station-Id
        # The attribute to look for in check items. Can be multi valued
        check-name = Calling-Station-Id
        # The data type. Can be
        # string,integer,ipaddr,date,abinary,octets
        data-type = string
        # If set to yes and we dont find the item-name attribute in the
        # request then we send back a reject
        # DEFAULT is no
        notfound-reject = yes
}

(But in fact, I do not use this.)

Why, when freeradius receives the access-request packet and the username field is empty, do we get access-denied? I use the SQL authorization module. In the database (I use it as a blacklist: if the Calling-Station-Id exists in the list, then access is denied):

+----+-----------------------------+-----------+----+--------+
| id | UserName                    | Attribute | op | Value  |
+----+-----------------------------+-----------+----+--------+
|  2 | 333922                      | Auth-Type | == | Reject |
|  1 | all_users_not_in_black_list | Auth-Type | == | Accept |
+----+-----------------------------+-----------+----+--------+

From sql.conf:

authorize_check_query = SELECT id, UserName, Attribute, Value, op \
        FROM ${authcheck_table} \
        WHERE Username = IF(Username='%{SQL-User-Name}','%{SQL-User-Name}','all_users_not_in_black_list') \
        LIMIT 1

authorize_reply_query = SELECT id, UserName, Attribute, Value, op \
        FROM ${authreply_table} \
        WHERE Username = 'all_users_not_in_black_list' \
        ORDER BY id

So, info from radiusd in debug mode:

rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1812, id=182, length=113
        NAS-Identifier = ggsn2
        User-Name =
        User-Password =
        NAS-IP-Address = XXX.XXX.XXX.XXX
        NAS-Port-Type = Virtual
        Called-Station-Id = 1000
        Calling-Station-Id = 333925
        Acct-Session-Id = d45d6126057478b1
        Acct-Multi-Session-Id = d45d6126b77a
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/auth-detail.log'
rlm_detail: /usr/local/var/log/radius/radacct/auth-detail.log expands to /usr/local/var/log/radius/radacct/auth-detail.log
modcall[authorize]: module auth_log returns ok for request 0
rlm_sql (sql): zero length username not permitted
modcall[authorize]: module sql returns invalid for request 0
modcall: leaving group authorize (returns invalid) for request 0
Invalid user: [/] (from client ggsn2 port 0 cli 3719248521)
Sending Access-Reject of id 182 to XXX.XXX.XXX.XXX port 1812

I don't care what kind of username we have! How can I avoid this problem? :-( Can someone help me with this question?

Here is the part of my radiusd.conf file:

...skipped...
modules {
        checkval {
                # The attribute to look for in the request
                item-name = Calling-Station-Id
                # The attribute to look for in check items. Can be multi valued
                check-name = Calling-Station-Id
                # The data type. Can be
                # string,integer,ipaddr,date,abinary,octets
                data-type = string
                # If set to yes and we dont find the item-name attribute in the
                # request then we send back a reject
                # DEFAULT is no
                notfound-reject = yes
        }
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        # Livingston-style 'users' file
        #
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                # If you want to use the old Cistron 'users' file
                # with FreeRADIUS, you should change the next line
                # to 'compat = cistron'. You can then copy your 'users'
                # file from Cistron.
                compat = no
        }
        # Write a detailed log of all accounting records received.
        #
        detail {
                detailfile = ${radacctdir}/acct-detail.log
                detailperm = 0600
        }
        detail auth_log {
                detailfile = ${radacctdir}/auth-detail.log
                detailperm = 0600
        }
        detail reply_log {
                detailfile = ${radacctdir}/reply-detail.log
                detailperm = 0600
        }
        $INCLUDE ${confdir}/sql.conf
Re: freeradius authorization without username
???, ?? wrote:
> rlm_sql (sql): zero length username not permitted
> modcall[authorize]: module sql returns invalid for request 0

This has been discussed at length recently. You would need to patch the code.
freeRadius Authorization
Hi, I have small newbie questions. I want to configure FreeRADIUS for authentication and authorization. I am able to do proper authentication.

1) I want to configure my users in multiple groups (depending on their roles). How to do that?

2) And what is the common practice for this? How is this managed in enterprise servers / enterprise networks that use a radius server for AAA?

Thanks...

Regards,
abera
Re: Windows XP PEAP and FreeRadius Authorization
Hello!

- Original Message - From: Alan DeKok

> [EMAIL PROTECTED] wrote:
>> I'm trying to get working Windows XP - PEAP - MS-CHAPv2 with freeRadius, but I don't know how to configure it correctly. I have followed the instructions in the radiusd.conf, it also seems 'working' to me but I don't know now where is the problem (something like mschapv2 - messing with tls?).
>
> The wireless client is sending EAP-MS-CHAPv2 *outside* of the TLS tunnel, and then ignoring the server's response.

Is there any other windows client to use? Or can you imagine what I have done badly when configuring the xp client? I have turned off any certificate validation, can this be a problem?

> I don't think there's much you can do on the server to fix a broken client.

Also, when I was changing the default_eap_type of eap, and peap, the server was behaving differently. What should be set here when I want to use eap - peap and mschapv2? (this supports the win xp.)

> Alan DeKok.

P.Zibrita
Re: Windows XP PEAP and FreeRadius Authorization
Pavol, Alan,

Regarding:
> I don't think there's much you can do on the server to fix a broken client.

I did some more debugging and found a problem: there was no specific bind address for the radius server. The AP sent the authentication request to IP1 and received the authentication reply from IP2, and of course did not accept it. I set bind address in radiusd.conf and everything is running fine. The built-in client in Windows XP is running fine. Check this if you have more than one address on the server host.

Nedialko
Re: Windows XP PEAP and FreeRadius Authorization
[EMAIL PROTECTED] wrote:
> I'm trying to get working Windows XP - PEAP - MS-CHAPv2 with freeRadius, but I don't know how to configure it correctly. I have followed the instructions in the radiusd.conf, it also seems 'working' to me but I don't know now where is the problem (something like mschapv2 - messing with tls?).

The wireless client is sending EAP-MS-CHAPv2 *outside* of the TLS tunnel, and then ignoring the server's response.

I don't think there's much you can do on the server to fix a broken client.

Alan DeKok.
Windows XP PEAP and FreeRadius Authorization
Hello!

I'm trying to get working Windows XP - PEAP - MS-CHAPv2 with freeRadius, but I don't know how to configure it correctly. I have followed the instructions in the radiusd.conf, it also seems 'working' to me but I don't know now where is the problem (something like mschapv2 - messing with tls?). Well, here is the radiusd -X. If you can help me, please. Thanks:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/freeradius//etc/raddb/proxy.conf
Config: including file: /usr/local/freeradius//etc/raddb/clients.conf
Config: including file: /usr/local/freeradius//etc/raddb/snmp.conf
Config: including file: /usr/local/freeradius//etc/raddb/sql.conf
main: prefix = /usr/local/freeradius/
main: localstatedir = /usr/local/freeradius//var
main: logdir = /usr/local/freeradius//var/log/radius
main: libdir = /usr/local/freeradius//lib
main: radacctdir = /usr/local/freeradius//var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/freeradius//var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/freeradius//var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/freeradius//sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/freeradius//var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = mschapv2
eap: timer_expire = 240
eap: ignore_unknown_eap_types = yes
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/freeradius//etc/raddb/certs/cert-srv.pem
tls: certificate_file = /usr/local/freeradius//etc/raddb/certs/cert-srv.pem
tls: CA_file = /usr/local/freeradius//etc/raddb/certs/demoCA/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /usr/local/freeradius//etc/raddb/certs/dh
tls: random_file = /usr/local/freeradius//etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/freeradius//etc/raddb/huntgroups
preprocess: hints = /usr/local/freeradius//etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = /usr/local/freeradius//etc/raddb/users
files: acctusersfile = /usr/local/freeradius//etc/raddb/acct_users
files: preproxy_usersfile =