Using Freeradius authorization to send data to a microcontroller

2009-03-16 Thread Joeven Rex Dizon
I'm a relatively new freeradius user so I am not really an expert with it.

In our project, depending on a user's authentication/authorization by the
server, we need to send an unlock/lock byte to a microcontroller
(connected to /dev/ttyUSB0, by the way).

So where do I start with the solution? Can I run a certain code/program
automatically once the server authenticates a user?
Are there any previous applications similar to this?

Our installed version is 2.1.0+dfsg-0ubuntu2, running on Ubuntu 8.10.
The backend database we use is MySQL.

Thanks in advance.

Rex Dizon
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Using Freeradius authorization to send data to a microcontroller

2009-03-16 Thread Alan DeKok
Joeven Rex Dizon wrote:
 In our project, depending on a user's authentication/authorization by
 the server, we need to send an unlock/lock byte to a microcontroller
 (connected to /dev/ttyUSB0, by the way).
 
 So where do I start with the solution? Can I run a certain code/program
 automatically once the server authenticates a user?

  Yes.

 Are there any previous applications similar to this?

  See man unlang.  You should put the program into back-ticks, like in
the shell.

  e.g.

if (`/path/to/program`) {
...
}

  Alan DeKok.
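As an added example (not code from the thread or from FreeRADIUS itself), a script the exec module could run from post-auth to do what Rex describes; the unlang wiring, the module names and the one-byte protocol are assumptions:

```python
"""door_control.py: added example, not code from the thread. Meant to be run by the
FreeRADIUS exec module after a successful authentication (or on reject) with one
argument, "unlock" or "lock". Assumed wiring in radiusd.conf (names hypothetical):
    exec door_unlock { wait = yes  input_pairs = request
                       program = "/usr/local/bin/door_control.py unlock" }
    post-auth { door_unlock  Post-Auth-Type REJECT { door_lock } }  # door_lock: likewise
"""
import os
import sys

DEFAULT_DEVICE = "/dev/ttyUSB0"
# Assumed one-byte wire protocol; the thread does not define one.
CONTROL_BYTES = {"unlock": b"\x01", "lock": b"\x00"}


def control_byte(action):
    """Map the action name to the byte the controller expects; anything else is refused."""
    if action not in CONTROL_BYTES:
        raise ValueError("unknown action: %r" % (action,))
    return CONTROL_BYTES[action]


def send_control_byte(action, device=DEFAULT_DEVICE):
    """Validate first, then write exactly one byte to the device; returns bytes written."""
    payload = control_byte(action)
    fd = os.open(device, os.O_WRONLY | os.O_CREAT | os.O_NOCTTY, 0o600)
    try:
        return os.write(fd, payload)
    finally:
        os.close(fd)


def main(argv):
    # rlm_exec exports request attributes as environment variables, '-' mapped
    # to '_' (User-Name -> USER_NAME); used here only for the audit line.
    user = os.environ.get("USER_NAME", "<no User-Name>")
    if len(argv) != 2 or argv[1] not in CONTROL_BYTES:
        sys.stderr.write("usage: door_control.py unlock|lock\n")
        return 2  # non-zero exit status makes the exec module return fail
    device = os.environ.get("DOOR_DEVICE", DEFAULT_DEVICE)  # override for testing
    sent = send_control_byte(argv[1], device)
    print("sent %d byte(s): %s for %s" % (sent, argv[1], user))
    return 0 if sent == 1 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```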


freeradius authorization without username

2006-02-27 Thread ???????, ?? ????????
I have a freeradius, and I need Calling-Station-Id for authorization. This is 
the one attribute, which I select in the radiusd.conf

checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id

# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id

# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string

# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
notfound-reject = yes
}
(But in fact, I do not use this)

Why, when freeradius receives the access-request packet and the username field
is empty, do we get access-denied?
I use the SQL authorization module.
In the database (I use it as a blacklist: if the Calling-Station-Id exists in the
list, then access is denied):
+----+-----------------------------+-----------+----+--------+
| id | UserName                    | Attribute | op | Value  |
+----+-----------------------------+-----------+----+--------+
|  2 | 333922                      | Auth-Type | == | Reject |
|  1 | all_users_not_in_black_list | Auth-Type | == | Accept |
+----+-----------------------------+-----------+----+--------+

From sql.conf:
authorize_check_query = SELECT id, UserName, Attribute, Value, op \
  FROM ${authcheck_table} \
  WHERE Username = IF(Username='%{SQL-User-Name}','%{SQL-User-Name}','all_users_not_in_black_list') \
  LIMIT 1
authorize_reply_query = SELECT id, UserName, Attribute, Value, op \
  FROM ${authreply_table} \
  WHERE Username = 'all_users_not_in_black_list' \
  ORDER BY id

So, info from radiusd in debug mode:

rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1812, id=182, 
length=113
NAS-Identifier = ggsn2
User-Name = 
User-Password = 
NAS-IP-Address = XXX.XXX.XXX.XXX
NAS-Port-Type = Virtual
Called-Station-Id = 1000
Calling-Station-Id = 333925
Acct-Session-Id = d45d6126057478b1
Acct-Multi-Session-Id = d45d6126b77a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat:  '/usr/local/var/log/radius/radacct/auth-detail.log'
rlm_detail: /usr/local/var/log/radius/radacct/auth-detail.log expands to 
/usr/local/var/log/radius/radacct/auth-detail.log
  modcall[authorize]: module auth_log returns ok for request 0
rlm_sql (sql): zero length username not permitted
  modcall[authorize]: module sql returns invalid for request 0
modcall: leaving group authorize (returns invalid) for request 0
Invalid user: [/] (from client ggsn2 port 0 cli 3719248521)
Sending Access-Reject of id 182 to XXX.XXX.XXX.XXX port 1812

I don't care what kind of username we have! How can I avoid this problem?
:-( Can someone help me with this question?

Here is the part of my radiusd.conf file:
...skipped...
modules {
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id

# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id

# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string

# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
notfound-reject = yes
}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints

with_ascend_hack = no
ascend_channels_per_line = 23

with_ntdomain_hack = no

with_specialix_jetstream_hack = no

with_cisco_vsa_hack = no
}

# Livingston-style 'users' file
#
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users

#  If you want to use the old Cistron 'users' file
#  with FreeRADIUS, you should change the next line
#  to 'compat = cistron'.  You can the copy your 'users'
#  file from Cistron.
compat = no
}

# Write a detailed log of all accounting records received.
#
detail {
detailfile = ${radacctdir}/acct-detail.log
detailperm = 0600
}

detail auth_log {
detailfile = ${radacctdir}/auth-detail.log
detailperm = 0600
}

detail reply_log {
detailfile = ${radacctdir}/reply-detail.log
detailperm = 0600
}

$INCLUDE  ${confdir}/sql.conf

Re: freeradius authorization without username

2006-02-27 Thread Phil Mayers

???, ??  wrote:

rlm_sql (sql): zero length username not permitted
  modcall[authorize]: module sql returns invalid for request 0
This has been discussed at length recently. You would need to patch the 
code.


freeRadius Authorization

2005-08-17 Thread abera
Hi,

I have some small newbie questions.

I want to configure freeRadius for authentication and
authorization. I am able to do proper authentication.

1) I want to configure my users in multiple groups
(depending on their roles). How to do that?

2) And what is the common practice for this? How is this
managed in enterprise servers / enterprise networks that
use a RADIUS server for AAA?

Thanks...


Regards,
abera




Re: Windows XP PEAP and FreeRadius Authorization

2004-03-01 Thread Pavol Zibrita
Hello!

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]


 [EMAIL PROTECTED] wrote:
 I'm trying to get Windows XP - PEAP - MS-CHAPv2 working with
  freeRadius, but I don't know how to configure it correctly. I have
  followed the instructions in radiusd.conf; it also seems to be 'working'
  to me, but I don't know now where the problem is (something like mschapv2
  messing with tls?).

   The wireless client is sending EAP-MS-CHAPv2 *outside* of the TLS
 tunnel, and then ignoring the server's response.

Is there any other Windows client to use? Or can you imagine what I have
done wrong when configuring the XP client?
I have turned off all certificate validation; can this be a problem?

   I don't think there's much you can do on the server to fix a broken
 client.

Also, when I was changing the default_eap_type of eap and peap, the server
was behaving differently. What should
be set here when I want to use EAP - PEAP and MSCHAPv2? (Windows XP
supports this.)

   Alan DeKok.

P.Zibrita




Re: Windows XP PEAP and FreeRadius Authorization

2004-03-01 Thread Nedialko Dimitrov
Pavol,
Alan,

Regarding:

   I don't think there's much you can do on the server to fix a broken
 client.

I did some more debugging and found a problem:
There was no specific bind address for the radius server. The AP sent the
authentication request to IP1 and received the authentication reply from IP2,
and of course did not accept it.
I set the bind address in radiusd.conf and everything is running fine.
The built-in client in Windows XP is running fine.

Check this if you have more than one address on the server host.

Nedialko
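As an added example, not code from the thread: a Python model of the checks a NAS performs on a RADIUS reply (RFC 2865), which is why the AP discarded replies arriving from the server's second address; the addresses, identifier and shared secret are constructed values:

```python
"""Added example, not code from the thread: the checks a NAS makes on an
Access-Accept/Access-Reject before acting on it (RFC 2865), which is why a reply
that leaves the server from a second interface address is silently dropped.
Addresses, identifier and shared secret are constructed values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}


def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(reply, ident, request_auth, secret, sent_to, came_from):
    """NAS side; returns (valid, reason). The source-address check comes first:
    a datagram from an address the request was not sent to is discarded early."""
    if came_from != sent_to:
        return False, "reply from %s, request was sent to %s" % (came_from, sent_to)
    if len(reply) < 20:
        return False, "short packet"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return False, "identifier or length mismatch"
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return False, "bad Response Authenticator"
    return True, CODE_NAMES.get(code, "code %d" % code)


def demo():
    """The same valid Access-Accept judged twice: arriving from the address the
    request went to, and from the host's other address (the thread's situation)."""
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))  # 16 random bytes in a real Access-Request
    reply = build_reply(ACCESS_ACCEPT, 182, request_auth, secret)
    from_bound = verify_reply(reply, 182, request_auth, secret, "192.0.2.1", "192.0.2.1")
    from_other = verify_reply(reply, 182, request_auth, secret, "192.0.2.1", "192.0.2.2")
    return from_bound, from_other


if __name__ == "__main__":
    for valid, reason in demo():
        print("accepted" if valid else "dropped", "-", reason)
```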




Re: Windows XP PEAP and FreeRadius Authorization

2004-02-28 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
I'm trying to get Windows XP - PEAP - MS-CHAPv2 working with
 freeRadius, but I don't know how to configure it correctly. I have
 followed the instructions in radiusd.conf; it also seems to be 'working'
 to me, but I don't know now where the problem is (something like mschapv2
 messing with tls?).

  The wireless client is sending EAP-MS-CHAPv2 *outside* of the TLS
tunnel, and then ignoring the server's response.

  I don't think there's much you can do on the server to fix a broken
client.

  Alan DeKok.



Windows XP PEAP and FreeRadius Authorization

2004-02-27 Thread zip
Hello!

   I'm trying to get Windows XP - PEAP - MS-CHAPv2 working with
freeRadius, but I don't know how to configure it correctly. I have
followed the instructions in radiusd.conf; it also seems to be 'working'
to me, but I don't know now where the problem is (something like mschapv2
messing with tls?).

Well, here is the radiusd -X output. Please help if you can. Thanks:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/freeradius//etc/raddb/proxy.conf
Config:   including file: /usr/local/freeradius//etc/raddb/clients.conf
Config:   including file: /usr/local/freeradius//etc/raddb/snmp.conf
Config:   including file: /usr/local/freeradius//etc/raddb/sql.conf
 main: prefix = /usr/local/freeradius/
 main: localstatedir = /usr/local/freeradius//var
 main: logdir = /usr/local/freeradius//var/log/radius
 main: libdir = /usr/local/freeradius//lib
 main: radacctdir = /usr/local/freeradius//var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/freeradius//var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/freeradius//var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/freeradius//sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/freeradius//var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = mschapv2
 eap: timer_expire = 240
 eap: ignore_unknown_eap_types = yes
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/freeradius//etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /usr/local/freeradius//etc/raddb/certs/cert-srv.pem
 tls: CA_file = /usr/local/freeradius//etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/freeradius//etc/raddb/certs/dh
 tls: random_file = /usr/local/freeradius//etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/freeradius//etc/raddb/huntgroups
 preprocess: hints = /usr/local/freeradius//etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = /usr/local/freeradius//etc/raddb/users
 files: acctusersfile = /usr/local/freeradius//etc/raddb/acct_users
 files: preproxy_usersfile =