Freeradius, rlm_perl and tagged attributes from rlm_sql

2011-04-19 Thread Igor V. Malinovskiy
I'm using FreeRADIUS 2.1.10. I need to reply to the NAS with the same
attributes with tags, using rlm_sql and rlm_perl. But in the result the tag
numbers are missing, and the reply contains only attributes with :0.


mysql> select * from radreply;
+----+--------------+-------------------+----+----------+
| id | username     | attribute         | op | value    |
+----+--------------+-------------------+----+----------+
|  1 | testuser@new | Context-Name      | =  | Internet |
|  2 | testuser@new | Service-Name:1    | += | GUEST    |
|  3 | testuser@new | Service-Options:1 | += | 0        |
|  4 | testuser@new | Service-Name:2    | += | INET     |
|  5 | testuser@new | Service-Options:2 | += | 1        |
+----+--------------+-------------------+----+----------+
5 rows in set (0.00 sec)

Debug: rlm_perl: Added pair NAS-Port-Type = Virtual
Debug: rlm_perl: Added pair CHAP-Password = 0x01d5b5364721d124b36c2fcaf86dc1289b
Debug: rlm_perl: Added pair Acct-Session-Id = 6802B4D0-4DAC4ACD
Debug: rlm_perl: Added pair Proxy-State = 0x313538
Debug: rlm_perl: Added pair Service-Type = Framed-User
Debug: rlm_perl: Added pair CHAP-Challenge = 0xa87b4c6f31d9b71f63a5b54b9482bf1f
Debug: rlm_perl: Added pair NAS-IP-Address = 172.26.201.21
Debug: rlm_perl: Added pair NAS-Real-Port = 285216672
Debug: rlm_perl: Added pair Medium-Type = 11
Debug: rlm_perl: Added pair Framed-Protocol = PPP
Debug: rlm_perl: Added pair User-Name = testuser@new
Debug: rlm_perl: Added pair NAS-Port = 16842752
Debug: rlm_perl: Added pair Acct-Interim-Interval = 1800
Debug: rlm_perl: Added pair Service-Name = GUEST
Debug: rlm_perl: Added pair Service-Name = INET
Debug: rlm_perl: Added pair Context-Name = Internet
Debug: rlm_perl: Added pair Service-Type = Framed-User
Debug: rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
Debug: rlm_perl: Added pair Service-Options = 0
Debug: rlm_perl: Added pair Service-Options = 1
Debug: rlm_perl: Added pair Cleartext-Password = testpass
Debug: rlm_perl: Added pair Auth-Type = CHAP
Info: ++[perl] returns ok
Sending Access-Accept of id 180 to 127.0.0.1 port 3
Acct-Interim-Interval = 1800
Service-Name:0 += GUEST
Service-Name:0 += INET
Context-Name = Internet
Service-Type = Framed-User
Framed-IP-Address = 255.255.255.254
Service-Options:0 += 0
Service-Options:0 += 1
Proxy-State = 0x313538
Mon Apr 18 17:29:33 2011 : Info: Finished request 3.
Mon Apr 18 17:29:33 2011 : Debug: Going to the next request


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authorize an user using a multivalue ldap attribute

2010-10-26 Thread Ana Gallardo
Thank you very much for your responses.


> Conversely, you could comment out/remove the use Data::Dumper line
> since you're not using it.  It's mainly for debugging and easily
> printing the entire contents of an object/array/hash/etc.


Ok, Kevin, I don't use Data::Dumper and I can run Freeradius with my perl
module.

My problem is with the hashes that rlm_perl provides to my script: rlm_perl
adds to the reply hash an attribute Relaciones with the value of the
attribute Nombre-Completo, and also adds Nombre-Completo!

Debug:

[ldap1] performing user authorization for ana
[ldap1] expand: %{Stripped-User-Name} - ana
[ldap1] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) - (cn=ana)
...
[ldap1] looking for check items in directory...
  [ldap1] ntPassword - NT-Password == 0x35...
[ldap1] looking for reply items in directory...
  [ldap1] Relaciones - Relaciones += 01
  [ldap1] sn - Nombre-Completo = ana
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap1] user ana authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
...
rlm_perl: Added pair User-Name = ana
rlm_perl: Added pair User-Password = 
rlm_perl: Added pair Intentos-Reject = 1
rlm_perl: Added pair SQL-User-Name = ana
rlm_perl: Added pair Stripped-User-Name = ana
rlm_perl: Added pair Calling-Station-Id = xxx
rlm_perl: Added pair Nombre-Completo = ana
rlm_perl: Added pair Relaciones = 01
*rlm_perl: Added pair Relaciones = ana*
rlm_perl: Added pair NT-Password = 0x35...
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Ldap-UserDn = ...

Thank you


  Ana Gallardo Gómez


Re:Re Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

2008-05-03 Thread johnson elangbam
> Your radius client is not sending Digest-Attributes. It's sending Ascend
> VSAs. Read your NAS documentation how to set up digest authentication if
> you want that.

Hi Kalik,
I am really sorry to post the same question again. As per your
instructions I have checked all the client configuration in radiusclient.conf
as well as the SER configuration in ser.cfg, and I've uncommented all the
modules in ser.cfg that help with digest authentication, but the problem of
not getting the values of the digest attributes still exists. I am
using radiusclient 0.5.6 and SER 0.9.6. Could the problem be incompatible
versions between the radius server and the radius clients or SER?
Please tell me the possible problems of not getting these values:
'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri',
'Digest-Nonce', 'Digest-Response'

And please tell me the things that I should change in the radius server
configuration to get these digest attributes.

For information, here is the debug output when run with radiusd -X:

rad_recv: Access-Request packet from host 192.168.1.227 port 33526, id=92,
length=252
User-Name = [EMAIL PROTECTED]
X-Ascend-Netware-timeout = 1785686126
X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
X-Ascend-Receive-Secret =
0x3438316339313763326231623731373133343937623838636165613864326437326534653832
X-Ascend-IP-Pool-Definition = sip:192.168.1.227
X-Ascend-IPX-Peer-Mode = 0x5245474953544552
Digest-Response = 6d1bf8eacbbddb82a606811f7e5c76ae
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 1785686126
Cisco-AVPair = call-id=
[EMAIL PROTECTED]
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x9f48768 asigned new request. Handled so far: 1
found interpetator at address 0x9f48768
rlm_perl: ###
rlm_perl: RAD_REQUEST: Digest-Response = 6d1bf8eacbbddb82a606811f7e5c76ae
rlm_perl: RAD_REQUEST: X-Ascend-Receive-Secret =
0x3438316339313763326231623731373133343937623838636165613864326437326534653832
rlm_perl: RAD_REQUEST: X-Ascend-IPX-Peer-Mode = 0x5245474953544552
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: X-Ascend-Netware-timeout = 1785686126
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
[EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: X-Ascend-IP-Pool-Definition = sip:192.168.1.227
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: X-Ascend-PW-Lifetime = 1785686126
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
rlm_perl: ###
rlm_perl: Added pair Digest-Response = 6d1bf8eacbbddb82a606811f7e5c76ae
rlm_perl: Added pair X-Ascend-Receive-Secret =
0x3438316339313763326231623731373133343937623838636165613864326437326534653832
rlm_perl: Added pair X-Ascend-IPX-Peer-Mode = 0x5245474953544552
rlm_perl: Added pair Service-Type = IAPP-Register
rlm_perl: Added pair X-Ascend-Netware-timeout = 1785686126
rlm_perl: Added pair Cisco-AVPair = call-id=
[EMAIL PROTECTED]
rlm_perl: Added pair X-Ascend-IP-Pool-Definition = sip:192.168.1.227
rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
rlm_perl: Added pair X-Ascend-PW-Lifetime = 1785686126
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
rlm_perl: Added pair Reply-Message = Incorrect Password
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9f48768
++[perl] returns reject
Invalid user: [EMAIL PROTECTED]/no User-Password attribute] (from client
192.168.1.227 port 5060)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - [EMAIL PROTECTED]
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.227 port 33528, id=93,
length=252
User-Name = [EMAIL PROTECTED]
X-Ascend-Netware-timeout = 1785686126
X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
X-Ascend-Receive-Secret =
0x3438316339313763326231623731373133343937623838636165613864326437326534653832
X-Ascend-IP-Pool-Definition = sip:192.168.1.227
X-Ascend-IPX-Peer-Mode = 0x5245474953544552
Digest-Response = 6d1bf8eacbbddb82a606811f7e5c76ae
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 1785686126
Cisco-AVPair = call-id=
[EMAIL PROTECTED]
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0xa183d50 asigned new request. Handled so far: 1
found

Need to change response type to Access-Challenge from rlm_perl

2013-02-18 Thread Walter Goulet
Hi,

Looking through archives for this exact question, I see a post from 2008 (
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47423.html)
where this exact question was previously asked.

Here is my server version info:
radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built
on Feb 17 2013 at 03:34:41

Here's my code:

    # Construct HTTP request

    my $authresult =
        authamis($RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'});
    radiusd::radlog(L_DBG, "Result after authamis call - $authresult");

    if ($authresult eq "true") {
        $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
        $RAD_REPLY{'Reply-Message'} = "authentication successful";
        for (keys %RAD_REPLY) {
            radiusd::radlog(L_DBG, "RAD_REPLY: $_ = $RAD_REPLY{$_}");
        }
        for (keys %RAD_CHECK) {
            radiusd::radlog(L_DBG, "RAD_CHECK: $_ = $RAD_CHECK{$_}");
        }
        for (keys %RAD_CONFIG) {
            radiusd::radlog(L_DBG, "RAD_CONFIG: $_ = $RAD_CONFIG{$_}");
        }
        return RLM_MODULE_OK;
    }
    else {
        $RAD_REPLY{'Reply-Message'} = "authentication failure";
        return RLM_MODULE_REJECT;
    }

Here is the relevant debug output:

Found Auth-Type = perl
# Executing group from file
/opt/app/freeradius/etc/raddb/sites-enabled/default
+- entering group perl {...}
rlm_perl: RAD_REQUEST: User-Name = test
rlm_perl: RAD_REQUEST: User-Password = 42594190
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.65.1
rlm_perl: AMIS request:
http://amis.jdt.com:8080/auth/authenticate/test/42594190
rlm_perl: Result after authamis call - true
rlm_perl: RAD_REPLY: Reply-Message = authentication successful
rlm_perl: RAD_CHECK: Response-Packet-Type = Access-Challenge
rlm_perl: RAD_CHECK: Auth-Type = perl
rlm_perl: RAD_CONFIG: Auth-Type = perl
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = 42594190
rlm_perl: Added pair NAS-IP-Address = 192.168.65.1
rlm_perl: Added pair Reply-Message = authentication successful
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = perl
++[perl] returns ok
# Executing section post-auth from file
/opt/app/freeradius/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 81 to 192.168.65.1 port 53504
Reply-Message = authentication successful
Finished request 0.
Going to the next request

Clearly the Access-Challenge setting is not being honored by the server. Is
there another attribute that must be set to configure the response type?

Thanks,
Walter

RLM_perl and Cisco-AVPair

2006-01-24 Thread Alan Lumb
Hi everyone.

I'm trying to get RLM_perl to respond with two Cisco-AVPair lines (what
would usually be done with += in users)

Unfortunately only the first seems to get sent back to the nas - debug
output follows

rlm_perl: Added pair Cisco-AVPair = ip:dns-servers=10.10.10.10 10.10.10.12
rlm_perl: Added pair Cisco-AVPair = ip:route=10.10.0.0 255.255.255.0
rlm_perl: Added pair Framed-IP-Address = 10.10.10.12
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = perl
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = System
  modcall[authenticate]: module perl returns ok for request 25
modcall: group Auth-Type returns ok for request 25
Sending Access-Accept of id 56 to 127.0.0.1:34529
Cisco-AVPair = ip:dns-servers=10.10.10.10 10.10.10.12
Framed-IP-Address = 10.10.10.10
Framed-IP-Netmask = 255.255.255.255
Service-Type = Framed-User

As you can see, rlm_perl logs that it is adding the pair twice but only
the first is returned.

I've gone so far as looking at the code for rlm_perl, and it looks to me
like it should have worked from what I have done; the coder has asked for
a reference to an array.

my code basically does this

push(@avpairs, "ip:dns-servers=$dns1 $dns2");
push(@avpairs, "ip:route=$$thisroute{network} $$thisroute{subnet}");
$RAD_REPLY{'Cisco-AVPair'} = \@avpairs;

Anyone any ideas?  Doesn't look like many people use rlm_perl yet





Re: %RAD_REPLY hash problem

2010-11-08 Thread Ana Gallardo
Hello,

I've tested adding my vendor-specific attributes to the check list, and the
problem persists.

Here is the debug info:

rad_recv: Access-Request packet from host x.x.x.x port 32880, id=4,
length=75
User-Name = a...@unex.es
User-Password = 111
Calling-Station-Id = ...
...

[ldap1] performing user authorization for ana
[ldap1] expand: %{Stripped-User-Name} - ana
[ldap1] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) - (cn=ana)
...
  [ldap1] Bind was successful
...
[ldap1] looking for check items in directory...
  [ldap1] Relaciones - Relaciones += 06
  [ldap1] Relaciones - Relaciones += 01
  [ldap1] ntPassword - NT-Password == 0x44...
[ldap1] looking for reply items in directory...
  [ldap1] sn - Nombre-Completo = Ana Gllardo
...
[ldap1] user ana authorized to use remote access
...
rlm_perl: RAD_REQUEST: User-Name = a...@unex.es
rlm_perl: RAD_REQUEST: User-Password = 111
rlm_perl: RAD_REQUEST: Intentos-Reject = 0
rlm_perl: RAD_REQUEST: SQL-User-Name = ana
rlm_perl: RAD_REQUEST: Realm = unex.es
rlm_perl: RAD_REQUEST: Stripped-User-Name = ana
rlm_perl: RAD_REQUEST: Calling-Station-Id = ...
rlm_perl: RAD_CHECK: NT-Password = 0x44...
rlm_perl: RAD_CHECK: Simultaneous-Use = 1
rlm_perl: RAD_CHECK: Relaciones = ARRAY(0x1d59618)
rlm_perl: RAD_CHECK: Ldap-UserDn = ...
rlm_perl: RAD_REREPLY: Nombre-Completo = Ana Gallardo
rlm_perl: relacion: 06
rlm_perl: relacion: 01
rlm_perl: relacion: 0x44...

...

Finally, my solution was to delete the undesired member from the hash.

# cat /etc/freeradius/perl/checkRelaciones.pm
#!/usr/bin/perl
use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

use constant RLM_MODULE_REJECT => 0;  # immediately reject the request
use constant RLM_MODULE_OK     => 2;  # the module is OK, continue

sub authorize {

   &solucion_bug;
   return &check_relaciones;
}

# Move the two-digit Relaciones values from the check list to the reply list
sub solucion_bug {
   my $r;
   my @array;

   if (exists $RAD_CHECK{'Relaciones'} && defined $RAD_CHECK{'Relaciones'}) {
      $r = $RAD_CHECK{'Relaciones'};
      if (ref($r) eq 'ARRAY') {
         foreach (@{$r}) {
            #radiusd::radlog(1, "relacion: $_");
            if ($_ =~ /^[0-9]{2}/) {
               push(@array, $_);
            }
         }
         if ($#array > 0) {
            $RAD_REPLY{'Relaciones'} = \@array;
         }
         elsif ($#array == 0) {
            $RAD_REPLY{'Relaciones'} = $array[0];
         }
      }
      unless (ref($r)) {
         #radiusd::radlog(1, "relacion: $r");
         if ($r =~ /^[0-9]{2}/) {
            $RAD_REPLY{'Relaciones'} = $r;
         }
      }
      delete($RAD_CHECK{'Relaciones'});
   }
}

sub check_relaciones {
   my $r;

   if (exists $RAD_REPLY{'Relaciones'} && defined $RAD_REPLY{'Relaciones'}) {
      return RLM_MODULE_OK;
   }
   else {
      $RAD_REPLY{'Codigo-Reject'} = 11;  # Sin-Relacion-UEX
      return RLM_MODULE_REJECT;
   }
}


Thank you very much.




++ Ana Gallardo Gómez ++


Strange Problem with chap.

2008-11-11 Thread Oguzhan Kayhan


Hello,
I am using chilli-coova as a hotspot and doing its authentication via
freeradius.
I don't know if you have any experience with this software, but it has 2
kinds of login pages. One is a cgi page with a clean password; the other is
a java script doing chap authentication.

Here is the problem.
On freeradius I am using rlm_perl authentication for my users.
When I use the cgi page or the radtest tool and send a clean password,
everything works flawlessly...
But if I decide to use chap, something strange happens..
If I type the correct user/pass, freeradius denies it.. But if I type the
password wrong, freeradius accepts it..

Here's the debug for freeradius..

7798-1 is with the right user/pass combination
7798 is the wrong user/pass combination


rad_recv: Access-Request packet from host 139.179.14.250 port 33545,
id=30, length=285
Vendor-14559-Attr-8 = 0x312e302e3131
User-Name = 7798-1
CHAP-Challenge = 0x091c2ecc9622c2b8072a20db2a85840e
CHAP-Password = 0x001143a4c3f8a192f89b9ff9e7f6f85fe0
NAS-IP-Address = 192.168.182.1
Service-Type = Login-User
Framed-IP-Address = 192.168.182.2
Calling-Station-Id = 00-14-22-A1-BB-AB
Called-Station-Id = 00-0E-0C-6E-6E-7C
NAS-Identifier = nas01
Acct-Session-Id = 491944cd0001
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
WISPr-Location-ID = isocc=,cc=,ac=,network=Coova,
WISPr-Location-Name = My_HotSpot
WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
Message-Authenticator = 0xcf009790c3d4d941242929020db19b43
server lojnet {
+- entering group authorize
++[preprocess] returns ok
users: Matched entry DEFAULT at line 72
++[files] returns ok
++[control] returns ok
perl_pool: item 0xbe7fd00 asigned new request. Handled so far: 1
found interpetator at address 0xbe7fd00
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair CHAP-Password = 0x001143a4c3f8a192f89b9ff9e7f6f85fe0
rlm_perl: Added pair WISPr-Logoff-URL = http://192.168.182.1:3990/logoff
rlm_perl: Added pair Acct-Session-Id = 491944cd0001
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Vendor-14559-Attr-8 = 0x312e302e3131
rlm_perl: Added pair Called-Station-Id = 00-0E-0C-6E-6E-7C
rlm_perl: Added pair Message-Authenticator =
0xcf009790c3d4d941242929020db19b43
rlm_perl: Added pair CHAP-Challenge = 0x091c2ecc9622c2b8072a20db2a85840e
rlm_perl: Added pair NAS-IP-Address = 192.168.182.1
rlm_perl: Added pair Calling-Station-Id = 00-14-22-A1-BB-AB
rlm_perl: Added pair WISPr-Location-ID = isocc=,cc=,ac=,network=Coova,
rlm_perl: Added pair User-Name = 7798-1
rlm_perl: Added pair NAS-Identifier = nas01
rlm_perl: Added pair Framed-IP-Address = 192.168.182.2
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair WISPr-Location-Name = My_HotSpot
rlm_perl: Added pair Reply-Message = Unknown Username Or Password
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0xbe7fd00
++[perl_lojnet] returns reject
Invalid user: [7798-1/CHAP-Password] (from client wireless-client port 1
cli 00-14-22-A1-BB-AB)
} # server lojnet
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - 7798-1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 21 for 1 seconds
Going to the next request
Waking up in 0.7 seconds.
Sending delayed reject for request 21
Sending Access-Reject of id 30 to 139.179.14.250 port 33545
Reply-Message = Unknown Username Or Password
Waking up in 4.9 seconds.
Cleaning up request 21 ID 30 with timestamp +1299
Ready to process requests.

rad_recv: Access-Request packet from host 139.179.14.250 port 56290,
id=34, length=283
Vendor-14559-Attr-8 = 0x312e302e3131
User-Name = 7798
CHAP-Challenge = 0xf5a327d969a14458fc8e232dc2b2dd0e
CHAP-Password = 0x00754c55931928ae23c86ffc791482d963
NAS-IP-Address = 192.168.182.1
Service-Type = Login-User
Framed-IP-Address = 192.168.182.2
Calling-Station-Id = 00-14-22-A1-BB-AB
Called-Station-Id = 00-0E-0C-6E-6E-7C
NAS-Identifier = nas01
Acct-Session-Id = 491944cd0001
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
WISPr-Location-ID = isocc=,cc=,ac=,network=Coova,
WISPr-Location-Name = My_HotSpot
WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
Message-Authenticator = 0x8ccc91235f97010a7c09802979e2cdea
server lojnet {
+- entering group authorize
++[preprocess] returns ok
users: Matched entry DEFAULT at line 72
++[files] returns ok
++[control] returns ok
perl_pool: item 0xc1dfb10 asigned new request. Handled so far: 1
found interpetator at address 0xc1dfb10
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair CHAP-Password = 0x00754c55931928ae23c86ffc791482d963
rlm_perl: Added pair WISPr

Re:Re Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

2008-05-05 Thread johnson elangbam
> You are asking your questions on a wrong list. There is nothing you can
> do on a radius server in order to get those attributes if radius client
> is not sending Digest-Attributes. Direct your question to SER server
> support.

Hi Kalik,
After making some changes in the dictionary of the radius server I
can see the digest attributes being sent from the client, but I still
didn't get the values at the radius server. Is it a problem with my
configuration of the radius server, or might it be some other client
configuration? Please advise; sorry for posting the same question again.

Please tell me the possible problems of not getting these values:
'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri',
'Digest-Nonce', 'Digest-Response'

Here is the full output when I run in debug mode:

rad_recv: Access-Request packet from host 192.168.1.227 port 33093, id=86,
length=271
User-Name = [EMAIL PROTECTED]
Digest-Attributes = 0x0a096a6f686e736f6e
Digest-Attributes = 0x010f3139322e3136382e312e323237
Digest-Attributes =
0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439
Digest-Attributes = 0x04137369703a3139322e3136382e312e323237
Digest-Attributes = 0x030a5245474953544552
Digest-Response = b8f4759b0c4462aaa56edd1794da872a
Service-Type = Sip-Session
Sip-Uri-User = johnson
Cisco-AVPair = call-id=
[EMAIL PROTECTED]
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x89260f0 asigned new request. Handled so far: 1
found interpetator at address 0x89260f0
rlm_perl: ###
rlm_perl: RAD_REQUEST: Digest-Response = b8f4759b0c4462aaa56edd1794da872a
rlm_perl: RAD_REQUEST: Service-Type = Sip-Session
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
[EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x89dd638)
rlm_perl: ###
rlm_perl: Added pair Digest-Response = b8f4759b0c4462aaa56edd1794da872a
rlm_perl: Added pair Service-Type = Sip-Session
rlm_perl: Added pair Cisco-AVPair = call-id=
[EMAIL PROTECTED]
rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
rlm_perl: Added pair Sip-Uri-User = johnson
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair Digest-Attributes = 0x0a096a6f686e736f6e
rlm_perl: Added pair Digest-Attributes = 0x010f3139322e3136382e312e323237
rlm_perl: Added pair Digest-Attributes =
0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439
rlm_perl: Added pair Digest-Attributes =
0x04137369703a3139322e3136382e312e323237
rlm_perl: Added pair Digest-Attributes = 0x030a5245474953544552
rlm_perl: Added pair Reply-Message = Incorrect Password
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x89260f0
++[perl] returns reject
Invalid user: [EMAIL PROTECTED]/no User-Password attribute] (from
client 192.168.1.227 port 5060)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - [EMAIL PROTECTED]
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.227 port 33094, id=87,
length=271
User-Name = [EMAIL PROTECTED]
Digest-Attributes = 0x0a096a6f686e736f6e
Digest-Attributes = 0x010f3139322e3136382e312e323237
Digest-Attributes =
0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439
Digest-Attributes = 0x04137369703a3139322e3136382e312e323237
Digest-Attributes = 0x030a5245474953544552
Digest-Response = b8f4759b0c4462aaa56edd1794da872a
Service-Type = Sip-Session
Sip-Uri-User = johnson
Cisco-AVPair = call-id=
[EMAIL PROTECTED]
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x8a20548 asigned new request. Handled so far: 1
found interpetator at address 0x8a20548
rlm_perl: ###
rlm_perl: RAD_REQUEST: Digest-Response = b8f4759b0c4462aaa56edd1794da872a
rlm_perl: RAD_REQUEST: Service-Type = Sip-Session
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
[EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x8ab7bd0)
rlm_perl

Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce'.

2008-05-12 Thread johnson elangbam
> You are (again) sending a request without Digest-Attributes. Try sending
> one with them.
>
> Ivan Kalik
> Kalik Informatika ISP

Hi,
I checked all the client attributes and started sending the Digest
attributes. Now the problem is that I can't get those attributes in my Perl
code by accessing RAD_REQUEST or RAD_CHECK, so that I can calculate my ha1,
ha2 for md5 encryption.

Please help.

Output log file when run in debug mode using radiusd -X:

rad_recv: Access-Request packet from host 192.168.1.227 port 32817, id=222,
length=262
User-Name = [EMAIL PROTECTED]
Digest-Attributes = \n\006john
Digest-Attributes = \001\017192.168.1.227
Digest-Attributes = \002*48281f56caacb6aa62fc3bb31ec98146efeaae15
Digest-Attributes = \004\023sip:192.168.1.227
Digest-Attributes = \003\nREGISTER
Digest-Response = 9ae01536efc46358e61f2fe362552af4
Service-Type = SIP
Sip-URI-User = john
Cisco-AVPair = call-id=
[EMAIL PROTECTED]
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x8d08568 asigned new request. Handled so far: 1
found interpetator at address 0x8d08568
rlm_perl: ###
rlm_perl: RAD_REQUEST: Digest-Response = 9ae01536efc46358e61f2fe362552af4
rlm_perl: RAD_REQUEST: Service-Type = SIP
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
[EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Sip-URI-User = john
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x8df353c)
rlm_perl: ###
rlm_perl: Added pair Digest-Response = 9ae01536efc46358e61f2fe362552af4
rlm_perl: Added pair Service-Type = SIP
rlm_perl: Added pair Cisco-AVPair = call-id=
[EMAIL PROTECTED]
rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
rlm_perl: Added pair Sip-URI-User = john
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair Digest-Attributes = \n\006john
rlm_perl: Added pair Digest-Attributes = \001\017192.168.1.227
rlm_perl: Added pair Digest-Attributes =
\002*48281f56caacb6aa62fc3bb31ec98146efeaae15
rlm_perl: Added pair Digest-Attributes = \004\023sip:192.168.1.227
rlm_perl: Added pair Digest-Attributes = \003\nREGISTER
rlm_perl: Added pair Reply-Message = Incorrect Password
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x8d08568
++[perl] returns ok
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
rlm_realm: Looking up realm 192.168.1.227 for User-Name = 
[EMAIL PROTECTED]
rlm_realm: No such realm 192.168.1.227
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
  rad_check_password:  Found Auth-Type DIGEST
auth: type digest
+- entering group authenticate
rlm_digest: Cleartext-Password or Digest-HA1 is required for authentication.
++[digest] returns invalid
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/via Auth-Type = DIGEST] (from client
192.168.1.227 port 5060)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - [EMAIL PROTECTED]
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.227 port 32818, id=223,
length=262
User-Name = [EMAIL PROTECTED]
Digest-Attributes = \n\006john
Digest-Attributes = \001\017192.168.1.227
Digest-Attributes = \002*48281f56caacb6aa62fc3bb31ec98146efeaae15
Digest-Attributes = \004\023sip:192.168.1.227
Digest-Attributes = \003\nREGISTER
Digest-Response = 9ae01536efc46358e61f2fe362552af4
Service-Type = SIP
Sip-URI-User = john
Cisco-AVPair = call-id=
[EMAIL PROTECTED]
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x8e67348 asigned new request. Handled so far: 1
found interpetator at address 0x8e67348
rlm_perl: ###
rlm_perl: RAD_REQUEST: Digest-Response = 9ae01536efc46358e61f2fe362552af4
rlm_perl: RAD_REQUEST: Service-Type = SIP
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
[EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Sip-URI-User = john
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x8efce0c)
rlm_perl: ###
rlm_perl: Added pair Digest-Response
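
An added example, not code from this thread or from FreeRADIUS: one way a Perl module could unpack the Digest-Attributes array reference that the logs above print as ARRAY(0x...), using the five values from the 2008-05-05 debug output, and then compute the RFC 2617 MD5 response from ha1 and ha2. The sub-attribute numbering follows draft-sterman-aaa-sip; the function names and the password are assumptions made up for the example.

```perl
#!/usr/bin/perl
# Added example: decode Digest-Attributes sub-attributes and compute the
# expected Digest-Response. Function names are hypothetical.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Sub-attribute numbers carried inside Digest-Attributes (draft-sterman-aaa-sip).
my %SUBTYPE = (
    1  => 'Digest-Realm',       2 => 'Digest-Nonce',  3 => 'Digest-Method',
    4  => 'Digest-URI',         5 => 'Digest-QOP',    6 => 'Digest-Algorithm',
    7  => 'Digest-Body-Digest', 8 => 'Digest-CNonce', 9 => 'Digest-Nonce-Count',
    10 => 'Digest-User-Name',
);

# Takes the Digest-Attributes value (scalar or array reference) and returns a
# hash reference of decoded fields, or undef if any sub-attribute is malformed.
sub parse_digest_attributes {
    my ($value) = @_;
    return unless defined $value;
    my %out;
    for my $raw (ref($value) eq 'ARRAY' ? @{$value} : ($value)) {
        # Accept the "0x..." text form seen in the log, or raw bytes.
        my $buf = $raw =~ /\A0x((?:[0-9a-fA-F]{2})+)\z/ ? pack('H*', $1) : $raw;
        do {
            return if length($buf) < 2;
            my ($type, $len) = unpack('CC', $buf);
            # The length byte counts the two header bytes as well.
            return if $len < 2 || $len > length($buf);
            my $name = $SUBTYPE{$type} or return;
            $out{$name} = substr($buf, 2, $len - 2);
            $buf = substr($buf, $len);
        } while (length $buf);
    }
    return \%out;
}

# RFC 2617 response. $password is the user's cleartext password as held on
# the server side (an assumption; a stored HA1 would replace the first md5_hex).
sub expected_digest_response {
    my ($d, $password) = @_;
    for my $need (qw(Digest-User-Name Digest-Realm Digest-Nonce
                     Digest-Method Digest-URI)) {
        return unless defined $d->{$need};
    }
    my $ha1 = md5_hex(join(':', $d->{'Digest-User-Name'},
                                $d->{'Digest-Realm'}, $password));
    my $ha2 = md5_hex(join(':', $d->{'Digest-Method'}, $d->{'Digest-URI'}));

    if (defined $d->{'Digest-QOP'}) {
        # Only qop=auth is handled here; auth-int needs the body hash in HA2.
        return unless $d->{'Digest-QOP'} eq 'auth';
        return unless defined $d->{'Digest-Nonce-Count'}
                   && defined $d->{'Digest-CNonce'};
        return md5_hex(join(':', $ha1, $d->{'Digest-Nonce'},
                            $d->{'Digest-Nonce-Count'}, $d->{'Digest-CNonce'},
                            'auth', $ha2));
    }
    return md5_hex(join(':', $ha1, $d->{'Digest-Nonce'}, $ha2));
}

# Demo input: the Digest-Attributes values copied from the 2008-05-05 log.
my %request = (
    'Digest-Attributes' => [
        '0x0a096a6f686e736f6e',
        '0x010f3139322e3136382e312e323237',
        '0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439',
        '0x04137369703a3139322e3136382e312e323237',
        '0x030a5245474953544552',
    ],
);

my $digest = parse_digest_attributes($request{'Digest-Attributes'})
    or die "malformed Digest-Attributes\n";
print "$_ = $digest->{$_}\n" for sort keys %{$digest};

# The password is constructed, so the printed value is not expected to equal
# the Digest-Response in the log; with the real password the two are compared.
my $response = expected_digest_response($digest, 'constructed-password');
print "computed response = $response\n";
```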

Re: Question regarding rlm_perl and Access-Challenge

2008-08-19 Thread Harry J Walsh
Thanks for the swift reply Dekok.  I tried what you suggested and it
doesn't work.  Looking at dictionary.freeradius.internal and double
checking the values in the pair everything looks okay.  I'm going to
play about with this a bit, but in the meantime here are some more
details and I would greatly appreciate it if you would scan over them
to see if there is anything obvious I am missing.


Here's my authenticate sub.

# Function to handle authenticate
sub authenticate {
        # For debugging purposes only
        &log_request_attributes;

        if (($RAD_REQUEST{'User-Name'} =~ /^test/) &&
            ($RAD_REQUEST{'User-Password'} =~ /^pass/)) {
                $RAD_REPLY{'State'} = "challenge";
                $RAD_REPLY{'Reply-Message'} = "Challenge: ";
                $RAD_REPLY{'Response-Packet-Type'} = "Access-Challenge";
                &log_request_attributes;
                return RLM_MODULE_HANDLED;
        }
        else {
                # Reject user and tell him why
                $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
                return RLM_MODULE_REJECT;
        }
}


And here's the debug output:

perl_pool: item 0x827b1a0 asigned new request. Handled so far: 1
found interpetator at address 0x827b1a0
rlm_perl: RAD_REQUEST: User-Name = test
rlm_perl: RAD_REQUEST: User-Password = pass
rlm_perl: RAD_REQUEST: Service-Type = Login-User
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.250.0.170
rlm_perl: RAD_REQUEST: NAS-Port = 6
rlm_perl: RAD_REQUEST: User-Name = test
rlm_perl: RAD_REQUEST: User-Password = pass
rlm_perl: RAD_REQUEST: Service-Type = Login-User
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.250.0.170
rlm_perl: RAD_REQUEST: NAS-Port = 6
rlm_perl: RAD_REPLY: Reply-Message = Challenge:
rlm_perl: RAD_REPLY: Response-Packet-Type = Access-Challenge
rlm_perl: RAD_REPLY: State = challenge
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair NAS-IP-Address = 10.250.0.170
rlm_perl: Added pair NAS-Port = 6
rlm_perl: Added pair Reply-Message = Challenge:
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x827b1a0
++[perl] returns handled
There was no response configured: rejecting request 0
==

The last line here is confusing me.  Looking at the code that spits
out this error, it seems to only happen when there is no
Response-Packet-Type in a request_post_handler.

switch (request->packet->code) {
case PW_AUTHENTICATION_REQUEST:
        gettimeofday(&request->next_when, NULL);

        if (request->reply->code == 0) {
                /*
                 *  Check if the lack of response is intentional.
                 */
                vp = pairfind(request->config_items,
                              PW_RESPONSE_PACKET_TYPE);
                if (!vp) {
                        DEBUG2("There was no response configured: rejecting request %d",
                               request->number);
                        request->reply->code = PW_AUTHENTICATION_REJECT;
                } else if (vp->vp_integer == 256) {
                        DEBUG2("Not responding to request %d",
                               request->number);

                } else {
                        request->reply->code = vp->vp_integer;

                }
        }









On Tue, Aug 19, 2008 at 1:09 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> Harry J Walsh wrote:
>> I want to develop some test cases for a radius client I am developing
>> and I would like to be able to use rlm_perl to simulate various
>> scenarios.  The one I am having major problems with is
>> Access-Challenge.  I really like rlm_perl and the flexibility it
>> provides and I would like to be able to specify the reply type.  I've
>> looked through documentation and the rlm_perl code for any hints on
>> how to do this and at this stage I'm thinking I'll have to create a
>> new interface to allow my perl script to specify the correct reply
>> type to rlm_perl.
>
>   Configure the reply with Response-Packet-Type = Access-Challenge,
> and make sure that the authenticate section returns handled.  That
> should do it.
>
>   And yes, this isn't documented.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




-- 
Harry J Walsh
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-SIM on 2.2.0

2012-09-11 Thread Francois Gaudreault

Hi,

On 2012-09-11 4:05 PM, Phil Mayers wrote:
> On 09/11/2012 07:49 PM, Francois Gaudreault wrote:
>> Hi,
>>
>> I am playing with EAP-SIM on 2.2.0, but I am facing an issue I cannot
>> even understand :S  Not because I don't want to, but the error messages
>> are not talking much.
>>
>> I did compute SRES/Kc for my SIM, but after the third triplet, I just
>> have:
>
> Don't trim the debug. Critical info is higher up - like the actual
> radius packet!

I always trim it the first time, I don't want to spam the planet in case
the issue is simple :)  Here is the entire debug (with my IMSI trimmed):


rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=15, 
length=298

User-Name = i...@wlan.mnc720.mcc302.3gppnetwork.org
Calling-Station-Id = 5C-59-48-ED-C4-96
NAS-IP-Address = 10.0.0.24
NAS-Port = 1
Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = 50-A7-33-31-CF-B8
Connect-Info = CONNECT 802.11g
	EAP-Message = 
0x0238013133303237323034303434313338393040776c616e2e6d6e633732302e6d6360322e336770706e6574776f726b2e6f7267

Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
Message-Authenticator = 0x8a5c5a80c992696a2eb8b097b865b86f
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb//sites-enabled/packetfence

+- entering group authorize {...}
[suffix] Looking up realm wlan.mnc720.mcc302.3gppnetwork.org for 
User-Name = i...@wlan.mnc720.mcc302.3gppnetwork.org

[suffix] No such realm wlan.mnc720.mcc302.3gppnetwork.org
++[suffix] returns noop
++[preprocess] returns ok
rlm_sim_files: authorized user/imsi i...@wlan.mnc720.mcc302.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Called-Station-Id = 
50-A7-33-31-CF-B8:PacketFence-Ruckus

rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
rlm_perl: Added pair Message-Authenticator = 
0x8a5c5a80c992696a2eb8b097b865b86f
rlm_perl: Added pair Vendor-25053-Attr-3 = 
0x5061636b657446656e63652d5275636b7573

rlm_perl: Added pair User-Name = i...@wlan.mnc720.mcc302.3gppnetwork.org
rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
rlm_perl: Added pair EAP-Message = 
0x0238013133303237323034303434313338393040776c616e2e6d6e633732302e6d6360322e336770706e6574776f726b2e6f7267

rlm_perl: Added pair Connect-Info = CONNECT 802.11g
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Sim-Rand3 = 0xff626ed6104164234aabebecafecafe3
rlm_perl: Added pair EAP-Sim-Rand2 = 0x771634015641aabcd4e5a2a3ab521242
rlm_perl: Added pair EAP-Sim-SRES1 = 0xa0a116fe
rlm_perl: Added pair EAP-Sim-SRES2 = 0xc891c365
rlm_perl: Added pair EAP-Sim-KC1 = 0x603c63ecd59340cb
rlm_perl: Added pair EAP-Sim-Rand1 = 0xab521824610aca27814bbde2810347a1
rlm_perl: Added pair EAP-Sim-KC3 = 0xa62f0f3aca277041
rlm_perl: Added pair EAP-Sim-KC2 = 0xbdaf3f47b1fc2520
rlm_perl: Added pair EAP-Sim-SRES3 = 0x6daeb494
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = SIM
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 246
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 15 to 10.0.0.24 port 1051
EAP-Message = 0x01f60014120a0f020002000111010100
Message-Authenticator = 0x
State = 0x8c646e1d8c927cd94949c1e5aaf22aa6
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=16, 
length=348

User-Name = i...@wlan.mnc720.mcc302.3gppnetwork.org
Calling-Station-Id = 5C-59-48-ED-C4-96
NAS-IP-Address = 10.0.0.24
NAS-Port = 1
Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = 50-A7-33-31-CF-B8
Connect-Info = CONNECT 802.11g
	EAP-Message = 
0x02f60058120a0e0e00333133303237323034303434313338393040776c616e2e6d6e633732302e6d6360322e336770706e6574776f726b2e6f7267001001000107057ae3c3b294faa5fac85c9cdc58737c87

State = 0x8c646e1d8c927cd94949c1e5aaf22aa6
Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
Message

debug only for rlm_xxx (rlm_perl)

2010-03-11 Thread bitte

Hello list,

is there an option in radiusd.conf how to enable debug logging only for
several rlm_modules,
e.g. I have rlm_perl and I only want debug messages for this.

Thanks for your reply in advance.

T.


Re: debug only for rlm_xxx (rlm_perl)

2010-03-11 Thread Alan DeKok
bi...@antworte.me wrote:
> is there an option in radiusd.conf how to enable debug logging only for
> several rlm_modules,
> e.g. I have rlm_perl and I only want debug messages for this.

  Not at this time.

  Alan DeKok.


Re: rlm_perl DEBUG log with garbage output

2007-01-25 Thread Bjørn Mork
Rohaizam Abu Bakar [EMAIL PROTECTED] writes:

 Hi,..

 running xlat within rlm_perl..  giving correct result.. but what concern me 
 is that.. in debug log.. there are garbage output as below:-


 radius_xlat:  '.*'
 radius_xlat: Running registered xlat function of module y5perl for string 
 '%{User-Name}:%{NAS-Identifier}'
 radius_xlat:  'bacang:JARINGWiF'
 rlm_perl: Len is 4 , out is NULL?8???Ù¿¿?49(hÕ¿¿?? freespace is 254
 radius_xlat:  'NULL'


Try this patch:

diff -u -r1.13.4.7 rlm_perl.c
--- src/modules/rlm_perl/rlm_perl.c	27 Apr 2006 17:35:44 -	1.13.4.7
+++ src/modules/rlm_perl/rlm_perl.c	25 Jan 2007 10:03:51 -
@@ -694,7 +694,7 @@
 	} else if (count  0) {
 		tmp = POPp;
 		ret = strlen(tmp);
-		strncpy(out,tmp,ret);
+		strncpy(out,tmp,ret+1);
 
 		radlog(L_DBG,rlm_perl: Len is %d , out is %s freespace is %d,
 		   ret, out,freespace);
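
Review bot: The copy in `strncpy(out,tmp,ret+1)` is still bounded by the length of the source string, not by the size of the destination, so a value returned from Perl that is longer than `freespace` would be written past the end of `out`. The `+1` does address the garbage in the debug line, because the NUL terminator is now copied along with the text, but the limit should come from `freespace`, which is already available at this point since the `radlog` call prints it. Suggested change: when `ret >= freespace`, either fail the expansion or truncate, copy at most `freespace - 1` bytes, terminate `out` explicitly, and set `ret` to the number of bytes actually written so the caller sees the real length.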



Bjørn

Truncation of octet attribute handled by rlm_perl

2013-02-27 Thread Бен Томпсон
Hello everyone

I am having a slight problem with rlm_perl and I would really
appreciate any advice/help.

I have a perl script which rlm_perl adds a value to the
DHCP-Classless-Static-Route attribute something like this :-

 perl script snippets 
...
my $route = pack('C7', split(/\,/, "16,172,16,10,0,0,2"));
...
radiusd::radlog(RADLOG_DEBUG, "packed data: " . unpack('H*', $route));
...
$RAD_REPLY{'DHCP-Classless-Static-Route'} = $route;
...
###


..but from the debug output I see that the attribute data is truncated
at the first octet with value 00 :-


### freeradius -Xx snippets 
...
Thu Feb 28 10:35:23 2013 : rlm_perl: packed data: 10ac100a02

Thu Feb 28 10:35:23 2013 : Debug: rlm_perl: Added pair
DHCP-Classless-Static-Route = ???
...
DHCP-Classless-Static-Route = 0x10ac100a

##


Am I doing something daft, or is this a possible bug in rlm_perl?

I am using freeradius 2.2.0.


Re: rlm_perl multiple attributes in rad_reply was: Adding Multiple Cisco-AVPairs using rlm_perl

2010-08-28 Thread Alexander Kubatkin
On Thursday 26 August 2010 11:17:45 Bjørn Mork wrote:
 Boian Jordanov bjorda...@orbitel.bg writes:
  On Aug 22, 2010, at 3:06 PM, Alexander Kubatkin wrote:
  On Sunday 22 August 2010 10:48:56 Alan DeKok wrote:
  Alexander Kubatkin wrote:
  This isn't working, i'm trying to put 2 dns-servers in dhcp
  configuration like this:
  $RAD_REPLY{'DHCP-Domain-Name-Server'} = [$ns1,$ns2] ;
  
  To return multiple items you have to use array ref.
  
  Try this way.
  
  $data[0] = "nameserver_1";
  $data[1] = "nameserver_2";
  $data[2] = "nameserver_3";
  $data[3] = "nameserver_x";
  
  $RAD_REPLY{'DHCP-Domain-Name-Server'} = \@data;
 
 Which should be equivalent to doing
 
 $RAD_REPLY{'DHCP-Domain-Name-Server'} = ["nameserver_1",
                                           "nameserver_2",
                                           "nameserver_3",
                                           "nameserver_x"];
 
 so I don't think that's the problem.
 
 But we are all guessing, since we haven't yet seen the actual debug
 output from FreeRADIUS, only selected bits and pieces of the non-working
 end result.
 
 Since we *know* that FreeRADIUS and rlm_perl work when configured
 correctly, we can deduce that there is something wrong with the
 configuration.  I believe that's the best we can do, given the input
 available to us.
 
 

this is with $RAD_REPLY{'DHCP-Domain-Name-Server'} = [$ns1,$ns2] ;


Received DHCP-Request of id ef3e6917 from Relay_ip:68 to DHCP-Server_ip:67
DHCP-Opcode = Client-Message
DHCP-Hardware-Type = Ethernet
DHCP-Hardware-Address-Length = 6
DHCP-Hop-Count = 1
DHCP-Transaction-Id = 4013844759
DHCP-Number-of-Seconds = 73
DHCP-Flags = 0
DHCP-Client-IP-Address = Client_ip
DHCP-Your-IP-Address = 0.0.0.0
DHCP-Server-IP-Address = 0.0.0.0
DHCP-Gateway-IP-Address = Relay_ip
DHCP-Client-Hardware-Address = Client_mac
DHCP-Message-Type = DHCP-Request
DHCP-Hostname = kaa-laptop
DHCP-Parameter-Request-List = DHCP-Subnet-Mask
DHCP-Parameter-Request-List = DHCP-Broadcast-Address
DHCP-Parameter-Request-List = DHCP-Time-Offset
DHCP-Parameter-Request-List = DHCP-Router-Address
DHCP-Parameter-Request-List = DHCP-Domain-Name
DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
DHCP-Parameter-Request-List = DHCP-Domain-Search
DHCP-Parameter-Request-List = DHCP-Hostname
DHCP-Parameter-Request-List = DHCP-NETBIOS-Name-Servers
DHCP-Parameter-Request-List = DHCP-NETBIOS
DHCP-Parameter-Request-List = DHCP-Interface-MTU-Size
DHCP-Parameter-Request-List = DHCP-Classless-Static-Route
DHCP-Parameter-Request-List = DHCP-NTP-Servers
DHCP-Agent-Circuit-Id = 0x000403e50002
server dhcp {
Trying sub-section dhcp DHCP-Request {...}
+- entering group DHCP-Request {...}
[linelog]   expand: %{reply:DHCP-Message-Type} - 
[linelog]   ... expanding second conditional
[linelog]   expand: %{request:DHCP-Message-Type} - DHCP-Request
[linelog]   expand: 
%{%{reply:DHCP-Message-Type}:-%{request:DHCP-Message-Type}} - DHCP-Request
[linelog]   expand: /var/log/linelog - /var/log/linelog
[linelog]   expand: %{request:DHCP-Client-IP-Address} - Client_ip
[linelog]   expand: %{DHCP-Transaction-Id} REQUEST: 
%{%{request:DHCP-Client-IP-Address}:-%{request:DHCP-Requested-IP-Address}} from 
[%{DHCP-Client-Hardware-Address}] via (%{DHCP-Gateway-IP-Address}) ...  
option82= %{DHCP-
Relay-Agent-Information} - 4013844759 REQUEST: Client_ip from [Client_mac] via 
(Relay_ip) ...  option82= 
++[linelog] returns ok
acid: 0x000403e50002
arid: 0x00060022b06cdd22
option82: 0x0106000403e5000200060022b06cdd22
prepare_cached(call 
dhcp_get_all(?,?,@ip,@broadcast,@mask,@gw,@ns1,@ns2,@ntp,@domain,@lease_time)) 
statement handle DBI::st=HASH(0x80269bb00) still Active at 
/usr/local/etc/raddb/dhcp.pl line 235
rlm_perl: Added pair DHCP-Your-IP-Address = 0.0.0.0
rlm_perl: Added pair DHCP-Message-Type = DHCP-Request
rlm_perl: Added pair DHCP-Hop-Count = 1
rlm_perl: Added pair Tmp-String-0 = OK
rlm_perl: Added pair DHCP-Agent-Circuit-Id = 0x000403e50002
rlm_perl: Added pair DHCP-Number-of-Seconds = 73
rlm_perl: Added pair DHCP-Client-IP-Address = Client_ip
rlm_perl: Added pair DHCP-Agent-Remote-Id = 0x00060022b06cdd22
rlm_perl: Added pair DHCP-Gateway-IP-Address = Relay_ip
rlm_perl: Added pair DHCP-Hardware-Type = Ethernet
rlm_perl: Added pair DHCP-Flags = 0
rlm_perl: Added pair DHCP-Hardware-Address-Length = 6
rlm_perl: Added pair DHCP-Hostname = laptop_hostname
rlm_perl: Added pair DHCP-Opcode = Client-Message
rlm_perl: Added pair DHCP-Transaction-Id = 4013844759
rlm_perl: Added pair DHCP-Client-Hardware-Address = Client_mac
rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Subnet-Mask
rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Broadcast-Address
rlm_perl: Added pair DHCP

Re: rlm_perl and accounting

2006-08-29 Thread Pshem Kowalczyk

On 8/29/06, Alan DeKok [EMAIL PROTECTED] wrote:

Pshem Kowalczyk [EMAIL PROTECTED] wrote:
 So I've compiled the source and gave it a try, but it behaved exactly
 as the stable version - didn't replace or remove any attributes. Is
 this supposed to work?
 I tested the pre and post proxy methods:
...
 # Function to handle pre_proxy
 sub pre_proxy {

 radiusd::radlog(1, "entering pre-proxy");

 $RAD_REQUEST{'User-Name'} = 'testuser';

  You're re-writing the request packet (i.e. the one from the NAS),
not the packet that's about to be sent to the home server.

  Try: $RAD_PROXY_REQUEST{'User-Name'} = 'testuser';



I added:
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_PROXY_REQUEST);

and it didn't work, change resulted in the following debug:

rad_recv: Access-Request packet from host 127.0.0.1 port 32787, id=15, length=62
   User-Password = test
   User-Name = test
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-IP-Address = a.b.c.d
 Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 0
   rlm_realm: No '@' in User-Name = test, looking up realm NULL
   rlm_realm: No such realm NULL
perl_pool: item 0x8201620 asigned new request. Handled so far: 1
found interpetator at address 0x8201620
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair NAS-IP-Address = a.b.c.d
rlm_perl: Added pair Proxy-To-Realm = quik
rlm_perl: Added pair Stripped-User-Name = test
perl_pool total/active/spare [2/0/2]
Unreserve perl at address 0x8201620
modcall: group authorize returns ok for request 0
 Processing the pre-proxy section of radiusd.conf
modcall:  entering group pre-proxy for request 0
perl_pool: item 0x840f8c8 asigned new request. Handled so far: 1
found interpetator at address 0x840f8c8
rlm_perl: entering pre-proxy
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Realm = quik
rlm_perl: Added pair NAS-IP-Address = a.b.c.d
rlm_perl: Added pair Stripped-User-Name = test
rlm_perl: Added pair Proxy-To-Realm = quik
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair Proxy-State = 0x3135
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Realm = quik
rlm_perl: Added pair NAS-IP-Address = a.b.c.d
perl_pool total/active/spare [2/0/2]
Unreserve perl at address 0x840f8c8
modcall: group pre-proxy returns ok for request 0
Sending Access-Request of id 22 to x.y.z.103 port 1812
   Framed-Protocol = PPP
   User-Name = test
   User-Password = test
   Proxy-State = 0x3135
   Service-Type = Framed-User
   NAS-IP-Address = a.b.c.d

So this time the new value of User-Name ('testuser') doesn't even show
in the debug.


 # Function to handle post_proxy
 sub post_proxy {

 radiusd::radlog(1, "entering post-proxy");
 $RAD_REPLY{'Framed-IP-Address'} = '10.10.1.1';

  That works.  The debug log you posted shows that in the reply.


Well, yes it works, but it didn't replace the original value:

Sending Access-Accept of id 96 to 127.0.0.1 port 32785
  Framed-IP-Address = 10.10.1.1
  Framed-IP-Address = 192.168.1.65

So now I have two, which confuses the NAS. I tried to remove whole key
from the hash using the 'delete' function and add it afterwards, but
it didn't seem to work. It looks like the original attributes are
added anyway after the results from rlm_perl (version 1.37)
In our situation we have to have control over the IPs sent to the NASes.

Thx for all the hints
pshemko


rlm_perl behaviour

2006-09-29 Thread Garber, Neal








When I call a perl module via rlm_perl and don't undef
%RAD_CHECK and %RAD_REPLY before exiting, rlm_perl duplicates some attributes
contained within the hashes. For instance:



At entry to rlm_perl instance:

$RAD_CHECK{Ldap-Group} is an ARRAY: (GroupA,
GroupB)



After exiting the script, "Added pair Ldap-Group"
messages appear in debug output. If I call another perl script to dump
the %RAD_CHECK hash, it shows:



$RAD_CHECK{Ldap-Group } is an ARRAY: (GroupA,
GroupB, GroupA, GroupB)



If I undef %RAD_CHECK before exiting from the
first perl module, the values are not duplicated. I did some analysis of
the sequence of events and I believe this is what's happening:



- rlm_ldap creates the Ldap-Group attributes on the check
list with operator T_OP_CMP_EQ during authorize (Ldap-Group is a checkItem in
my ldap.attrmap)

- upon return from the perl script, rlm_perl calls pairmove
to move the attributes from the RAD_CHECK, RAD_REPLY and RAD_PROXY_REPLY hashes
back to the respective pairlist.

- pairmove adds attributes to the destination list for
operator T_OP_CMP_EQ (takes default case) which creates duplicates



Is this expected behaviour of rlm_perl? If so, can it
be put on the "to do" list for rlm_perl documentation updates (or
is it there already and I missed it)? Also, this seems to imply that it's
not possible to change or remove, at least, some types of check or reply attributes
from within rlm_perl?



Also, the wiki for rlm_perl states that it passes configuration
pairs in %RAD_CONFIG. I don't believe this is true (the hash is
empty and I checked the source for 1.1.2, 1.1.3 and the latest snapshot and it
doesn't create that hash). Is this a feature that is "in the
works" or is the wiki incorrect?



I can supply debug output, radiusd.conf and scripts if necessary..



Thanks.









rlm_perl authorize

2004-02-16 Thread loz
Hi All,

I'm trying to authorize a user by using the rlm_perl module only. I.e., I
only want the perl script to control the authorization.

In radiusd.conf I have set:
proxy_requests = no
and in the authorize part the files statement is commented (otherwise
freeradius will look at the file 'users' for authentication). In the
authorize method of my perl script it simply returns RLM_MODULE_OK (to
test).

When I then send a radius request the authorize failed because of No
authenticate method (Auth-Type) configuration found for the request:
Rejecting the user. See below for a complete debug output. Can anyone
explain why I get this error, and how to fix it?

thanks,
loz


rad_recv: Access-Request packet from host 127.0.0.1:1091, id=20, length=124
User-Name = [EMAIL PROTECTED]
User-Password = testpwd
NAS-Identifier = starbuster.xxx.net
NAS-Port-Id = 444
Acct-Session-Id = 1234567
Acct-Status-Type = Accounting-On
WISPr-Location-Name = testlocation
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
rlm_eap: EAP-Message not found
  modcall[authorize]: module eap returns noop
rlm_realm: Looking up realm my_realm for User-Name =
[EMAIL PROTECTED]
rlm_realm: No such realm my_realm
  modcall[authorize]: module suffix returns noop
  modcall[authorize]: module mschap returns noop
perl_pool: item 0x8117540 asigned new request. Handled so far: 1
found interpetator at address 0x8117540
rlm_perl: Added pair h323-credit-amount = 100
rlm_perl: Added pair Acct-Session-Id = 1234567
rlm_perl: Added pair Client-IP-Address = 127.0.0.1
rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
rlm_perl: Added pair User-Password = testpwd
rlm_perl: Added pair NAS-Identifier = starbuster.xxx.net
rlm_perl: Added pair Acct-Status-Type = Accounting-On
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port-Id = 444
rlm_perl: Added pair WISPr-Location-Name = testlocation
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0x8117540
  modcall[authorize]: module perl returns ok
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request






DHCP routing bug (FreeRadius DHCP reply to Default Gateway)

2009-09-27 Thread Pavel Malev
Hello!
I have Freeradius 2.1.6 on freebsd6.2.

FreeBSD has a default gateway:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.150      UGS         0     7922    rl1

The default gateway has this MAC address:
? (192.168.2.150) at 00:30:48:35:31:32 on rl1 [ethernet]


Freeradius receives a DHCP-Discover:
[tcpdump]
02:28:25.754215 00:0c:f1:4e:42:36 > ff:ff:ff:ff:ff:ff, ethertype IPv4
(0x0800), length 348: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP,
Request from 00:0c:f1:4e:42:36, length: 306

After authorization Freeradius sends the reply to the default gateway(!), not to the client:
[tcpdump]
02:28:25.766341 00:30:4f:21:b4:73 > 00:30:48:35:31:32, ethertype IPv4
(0x0800), length 342: 192.168.2.252.67 > 255.255.255.255.68:
BOOTP/DHCP, Reply, length: 300

If I delete the default gateway, FreeRadius doesn't send anything.

If I put interface = rl1 in the listen{} section, I get this error:
/usr/local/etc/raddb/radiusd.conf[56]: System does not support binding
to interfaces.  Delete this line from the configuration file.

FreeRadiusd debug messages:
Received DHCP-Discover of id 2083766121 from 0.0.0.0:68 to 0.0.0.0:67
DHCP-Opcode = Client-Message
DHCP-Hardware-Type = Ethernet
DHCP-Hardware-Address-Length = 6
DHCP-Hop-Count = 0
DHCP-Transaction-Id = 2083766121
DHCP-Number-of-Seconds = 0
DHCP-Flags = 0
DHCP-Client-IP-Address = 0.0.0.0
DHCP-Your-IP-Address = 0.0.0.0
DHCP-Server-IP-Address = 0.0.0.0
DHCP-Gateway-IP-Address = 0.0.0.0
DHCP-Client-Hardware-Address = 00:0c:f1:4e:42:36
DHCP-Message-Type = DHCP-Discover
DHCP-Auto-Config = 1
DHCP-Client-Identifier = 00:0c:f1:4e:42:36
DHCP-Requested-IP-Address = 169.254.184.172
DHCP-Hostname = computer-4cacfb
DHCP-Vendor-Class-Identifier = MSFT 5.0
DHCP-Parameter-Request-List = DHCP-Subnet-Mask
DHCP-Parameter-Request-List = DHCP-Domain-Name
DHCP-Parameter-Request-List = DHCP-Router-Address
DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
DHCP-Parameter-Request-List = DHCP-NETBIOS-Name-Servers
DHCP-Parameter-Request-List = DHCP-NETBIOS-Node-Type
DHCP-Parameter-Request-List = DHCP-NETBIOS
DHCP-Parameter-Request-List = DHCP-Perform-Router-Discovery
DHCP-Parameter-Request-List = DHCP-Static-Routes
DHCP-Parameter-Request-List = 249
DHCP-Parameter-Request-List = DHCP-Vendor
DHCP-Vendor = 0xdc00
Trying sub-section dhcp DHCP-Discover {...}
+- entering group DHCP-Discover {...}
expand: %{Packet-Dst-IP-Address} - 0.0.0.0
++[reply] returns noop
rlm_perl: mac: 00:0c:f1:4e:42:36
rlm_perl: DB result: 192.168.2.1
rlm_perl: Added pair DHCP-Your-IP-Address = 0.0.0.0
rlm_perl: Added pair DHCP-Message-Type = DHCP-Discover
rlm_perl: Added pair DHCP-Vendor-Class-Identifier = MSFT 5.0
rlm_perl: Added pair DHCP-Hop-Count = 0
rlm_perl: Added pair DHCP-Number-of-Seconds = 0
rlm_perl: Added pair DHCP-Client-IP-Address = 0.0.0.0
rlm_perl: Added pair DHCP-Gateway-IP-Address = 0.0.0.0
rlm_perl: Added pair DHCP-Hardware-Type = Ethernet
rlm_perl: Added pair DHCP-Flags = 0
rlm_perl: Added pair DHCP-Hardware-Address-Length = 6
rlm_perl: Added pair DHCP-Hostname = computer-4cacfb
rlm_perl: Added pair DHCP-Opcode = Client-Message
rlm_perl: Added pair DHCP-Transaction-Id = 2083766121
rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Subnet-Mask
rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Domain-Name
rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Router-Address
rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-NETBIOS-Name-Servers
rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-NETBIOS-Node-Type
rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-NETBIOS
rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Perform-Router-Discovery
rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Static-Routes
rlm_perl: Added pair DHCP-Parameter-Request-List = 249
rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Vendor
rlm_perl: Added pair DHCP-Client-Hardware-Address = 00:0c:f1:4e:42:36
rlm_perl: Added pair DHCP-Server-IP-Address = 0.0.0.0
rlm_perl: Added pair DHCP-Requested-IP-Address = 169.254.184.172
rlm_perl: Added pair DHCP-Auto-Config = 1
rlm_perl: Added pair DHCP-Vendor = 0xdc00
rlm_perl: Added pair DHCP-Client-Identifier = 00:0c:f1:4e:42:36
rlm_perl: Added pair DHCP-Your-IP-Address = 192.168.2.1
rlm_perl: Added pair DHCP-DHCP-Server-Identifier = 192.168.2.252
rlm_perl: Added pair DHCP-Subnet-Mask = 255.255.255.0
rlm_perl: Added pair DHCP-Gateway-IP-Address = 192.168.2.150
rlm_perl: Added pair DHCP-IP-Address-Lease-Time = 86400
rlm_perl: Added pair DHCP-Router-Address = 192.168.2.150
++[perl] returns ok
++? if (ok)
? Evaluating (ok) - TRUE
++? if (ok) - TRUE
++- entering if (ok) {...}
+++[reply] returns ok
++- if (ok

Re: rlm_perl

2005-09-28 Thread Dusty Doris


Could someone show me how to process an access-accept via rlm_perl? The 
example in the script example.pl still causes an access-reject no matter 
what I try.




That isn't enough information, except to tell you to return a proper 
value such as RLM_MODULE_OK.  Please post debug output.






Re: working rlm_perl example

2005-10-02 Thread Thor Spruyt
[EMAIL PROTECTED] wrote:
 I have tried the example.pl and it still gives me a access-reject
 message. 

Please provide your rlm_perl configuration and debug output of radiusd -X

-- 
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be



Re: rlm_perl

2011-09-29 Thread Alexander Clouter
Alex rsm alex-...@hotmail.com wrote:
 
 And added the following in src/modules/rlm_perl/example.pl
 
 sub authorize {
    print "This is a TEST\n";
 .
 }

 However, When I send a simple test request I don't see my debug line. 
 I also don't see the message perl loaded when start Freeradius in 
 debug mode (radiusd -X).
 
I am pretty sure stdout is not plumbed up for rlm_perl, and neither is 
stderr so you will not see anything.

Of course reading the documentation brings enlightenment in the form of 
'radiusd::radlog(1, ...);'... :-/

Searching for 'debug' on the wiki page says many useful things:

http://wiki.freeradius.org/Rlm_perl

...and even less surprisingly it's the same as what's in 
src/modules/rlm_perl/example.pl.

*sigh*

Cheers

-- 
Alexander Clouter
.sigmonster says: Mongoose knghtbrd: and the meek shall inherit k-mart



Re: Need to change response type to Access-Challenge from rlm_perl

2013-02-18 Thread Walter Goulet
To answer my own question, I found that using the return code RLM_MODULE_OK
triggers the server to respond back with Access-Accept. If I used
RLM_MODULE_HANDLED instead, the response packet type was set to what I
expected it to be. This makes sense since I expect the client to exchange
several messages with me before I finally trigger the Access-Accept message.


On Mon, Feb 18, 2013 at 9:00 AM, Walter Goulet wgou...@gmail.com wrote:

 Hi,

 Looking through archives for this exact question, I see a post from 2008 (
 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47423.html)
 where this exact question was previously asked.

 Here is my server version info:
 radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu,
 built on Feb 17 2013 at 03:34:41

 Here's my code:

   # Construct HTTP request

 my $authresult =
     authamis($RAD_REQUEST{'User-Name'},$RAD_REQUEST{'User-Password'});
 radiusd::radlog(L_DBG, "Result after authamis call - $authresult");

 if($authresult eq "true") {
     $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
     $RAD_REPLY{'Reply-Message'} = "authentication successful";
     for (keys %RAD_REPLY) {
         radiusd::radlog(L_DBG, "RAD_REPLY: $_ = $RAD_REPLY{$_}");
     }
     for (keys %RAD_CHECK) {
         radiusd::radlog(L_DBG, "RAD_CHECK: $_ = $RAD_CHECK{$_}");
     }
     for (keys %RAD_CONFIG) {
         radiusd::radlog(L_DBG, "RAD_CONFIG: $_ = $RAD_CONFIG{$_}");
     }
     return RLM_MODULE_OK;
 }
 else {
     $RAD_REPLY{'Reply-Message'} = "authentication failure";
     return RLM_MODULE_REJECT;
 }

 Here is the relevant debug output:

 Found Auth-Type = perl
 # Executing group from file
 /opt/app/freeradius/etc/raddb/sites-enabled/default
 +- entering group perl {...}
 rlm_perl: RAD_REQUEST: User-Name = test
 rlm_perl: RAD_REQUEST: User-Password = 42594190
 rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.65.1
 rlm_perl: AMIS request:
 http://amis.jdt.com:8080/auth/authenticate/test/42594190
 rlm_perl: Result after authamis call - true
 rlm_perl: RAD_REPLY: Reply-Message = authentication successful
 rlm_perl: RAD_CHECK: Response-Packet-Type = Access-Challenge
 rlm_perl: RAD_CHECK: Auth-Type = perl
 rlm_perl: RAD_CONFIG: Auth-Type = perl
 rlm_perl: Added pair User-Name = test
 rlm_perl: Added pair User-Password = 42594190
 rlm_perl: Added pair NAS-IP-Address = 192.168.65.1
 rlm_perl: Added pair Reply-Message = authentication successful
 rlm_perl: Added pair Response-Packet-Type = Access-Challenge
 rlm_perl: Added pair Auth-Type = perl
 ++[perl] returns ok
 # Executing section post-auth from file
 /opt/app/freeradius/etc/raddb/sites-enabled/default
 +- entering group post-auth {...}
 ++[exec] returns noop
 Sending Access-Accept of id 81 to 192.168.65.1 port 53504
 Reply-Message = authentication successful
 Finished request 0.
 Going to the next request

 Clearly the Access-Challenge setting is not being honored by the server.
 Is there another attribute that must be set to configure the response type?

 Thanks,
 Walter

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
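
Added example, not part of the original post or of FreeRADIUS itself: a two-round rlm_perl `authenticate` that returns `RLM_MODULE_HANDLED` together with `Response-Packet-Type = Access-Challenge`, the combination visible in the debug output later on this page where the server does send an Access-Challenge, and that issues a signed, expiring State instead of a fixed string. `%USERS`, `check_password()`, `check_code()`, `$STATE_KEY` and the State format are hypothetical, and the code assumes octets attributes reach Perl as `0x...` hex strings, as in the debug logs on this page.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hashes that rlm_perl fills in for every request.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# rlm_perl return codes used here (same values as the example.pl shipped with FreeRADIUS).
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_HANDLED => 3;

my $STATE_KEY = 'replace-with-a-random-secret';   # hypothetical: load from protected config
my $STATE_TTL = 120;                               # seconds a challenge stays valid

# Constructed sample data standing in for the real password and code back ends.
my %USERS = (test => { password => 'constructed-password', code => '123456' });

sub check_password {
    my ($user, $pw) = @_;
    return defined $pw && exists $USERS{$user} && $USERS{$user}{password} eq $pw;
}

sub check_code {
    my ($user, $code) = @_;
    return defined $code && exists $USERS{$user} && $USERS{$user}{code} eq $code;
}

# Build a self-verifying State: "<issued>:<hmac(user|issued)>".
sub make_state {
    my ($user, $now) = @_;
    return "$now:" . hmac_sha256_hex("$user|$now", $STATE_KEY);
}

# Return 1 if $state was issued by make_state() for $user and has not expired.
sub state_ok {
    my ($user, $state, $now) = @_;
    return 0 unless defined $state;
    # Assumption: octets attributes arrive as "0x<hex>"; turn them back into the raw string.
    $state = pack('H*', $1) if $state =~ /^0x((?:[0-9a-fA-F]{2})+)$/;
    my ($issued, $mac) = $state =~ /^(\d+):([0-9a-f]{64})$/ or return 0;
    return 0 if $now < $issued || $now - $issued > $STATE_TTL;
    my $expect = hmac_sha256_hex("$user|$issued", $STATE_KEY);
    # Compare all 64 hex characters without stopping at the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 63;
    return $diff == 0 ? 1 : 0;
}

sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_REJECT unless defined $user;
    my $now = time;

    if (exists $RAD_REQUEST{'State'}) {
        # Round 2: User-Password now carries the answer to the challenge.
        if (state_ok($user, $RAD_REQUEST{'State'}, $now)
            && check_code($user, $RAD_REQUEST{'User-Password'})) {
            return RLM_MODULE_OK;        # server sends Access-Accept
        }
        $RAD_REPLY{'Reply-Message'} = 'authentication failure';
        return RLM_MODULE_REJECT;
    }

    # Round 1: verify the password, then ask for the second value.
    unless (check_password($user, $RAD_REQUEST{'User-Password'})) {
        $RAD_REPLY{'Reply-Message'} = 'authentication failure';
        return RLM_MODULE_REJECT;
    }
    $RAD_REPLY{'Reply-Message'}        = 'Please Enter Code';
    $RAD_REPLY{'State'}                = make_state($user, $now);
    $RAD_CHECK{'Response-Packet-Type'} = 'Access-Challenge';
    return RLM_MODULE_HANDLED;           # RLM_MODULE_OK here yields Access-Accept, as in the log above
}
```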

Re: final rlm_perl question, hopefully...

2007-07-26 Thread FreeRadius-ML
Hi all,

  Please disregard, I've solved the thing ;-) Silly typo in the return.

Z2L

- Original Message -
From: FreeRadius-ML [EMAIL PROTECTED]
To: freeradius-users freeradius-users@lists.freeradius.org
Sent: Thursday, July 26, 2007 6:41:21 PM (GMT+0200) Asia/Jerusalem
Subject: Fwd: final rlm_perl question, hopefully...

Hi All,

  Ok, after reviewing all the information that was received, I've set up my FreeRadius
as follows:

1. The authorize and authenticate sections are set up to activate digest and perl.
2. My rlm_perl script utilizes the following lines in order to return the unencrypted
   user password back to FreeRadius for digest authentication:

   $RAD_CHECK{'Cleartext-Password'} = "xx";   # Remove this line for production
   $RAD_CHECK{'User-Password'} = "xx";        # Remove this line for production

   I just put these inside my script for checking; later on this information will be
retrieved from an external source.

  Now, FreeRadius activates my rlm_perl module, no problem, as I can see the various
reply fields being set up. However, I'm still getting the following error:


rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: Digest-Response = 632905a2325f672f049800eda7df9ee4
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Sip-Uri-User = z2l
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0xbbc93f0)
rlm_perl: RAD_REPLY: Reply-Message = User accepted by z2l WSDL
rlm_perl: RAD_REPLY: z2l-Duration = 60
rlm_perl: RAD_REPLY: z2l-Status = 2
rlm_perl: RAD_REPLY: z2l-Session = 833abb3d-d047-4d0d-a40e-2e147049f96d
rlm_perl: Added pair Reply-Message = User accepted by z2l
rlm_perl: Added pair z2l-Duration = 60
rlm_perl: Added pair z2l-Status = 2
rlm_perl: Added pair z2l-Session = 833abb3d-d047-4d0d-a40e-2e147049f96d
rlm_perl: Added pair Cleartext-Password = z2l
rlm_perl: Added pair User-Password = z2l
rlm_perl: Added pair Auth-Type = digest
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0xb933260
  modcall[authorize]: module perl returns ok for request 5
rlm_realm: Looking up realm 192.168.2.80 for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm 192.168.2.80
  modcall[authorize]: module suffix returns noop for request 5
modcall: leaving group authorize (returns ok) for request 5
  rad_check_password:  Found Auth-Type DIGEST
auth: type digest
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_digest: Configuration item User-Password or Digest-HA1 is required for authentication.
  modcall[authenticate]: module digest returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client 192.168.2.80 port 5060)
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 3 seconds...

  Now, my configuration is very very simple. In the authorize I have digest and perl
enabled, in authenticate I have only digest enabled. If I read the debug correctly, the
authorization is going ok:

  modcall[authorize]: module perl returns ok for request 5
rlm_realm: Looking up realm 192.168.2.80 for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm 192.168.2.80
  modcall[authorize]: module suffix returns noop for request 5
  modcall: leaving group authorize (returns ok) for request 5

  However, the authentication section fails:

rad_check_password:  Found Auth-Type DIGEST
  auth: type digest
Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 5
  rlm_digest: Configuration item User-Password or Digest-HA1 is required for authentication.
modcall[authenticate]: module digest returns invalid for request 5
  modcall: leaving group authenticate (returns invalid) for request 5
  auth: Failed to validate the user.
  Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client 192.168.2.80 port 5060)

  So, I'm either returning something in the wrong way, or I've broken something again.
Any pointers on the issue would be highly appreciated.

Regards,
  Z2L



rlm_perl problem (Detaching!!)

2007-02-08 Thread Rohaizam Abu Bakar

Hi..

FR:1.1.2
FBSD:6.0

My rlm_perl keeps logging errors such as the examples below. Every time this happens,
radiusd hangs and DOES NOT respond to any request.
But this NEVER happens while running in debug mode, where it works fine.

rlm_perl is used to load a timeout based on certain rules. You can see my
perl script (newtimeout5.pl) and the config file settings below.

Please help. TQ.

Error /var/log/radius.log
##
Thu Feb  8 12:30:09 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout4.pl , func = authorize exit status=
Undefined subroutine main:: called.
Thu Feb  8 12:32:00 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb  8 12:39:46 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout4.pl , func = authorize exit status= panic:
leave_scope inconsistency at /usr/local/etc/raddb/newtimeout4.pl line 184.
Thu Feb  8 12:39:47 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb  8 14:08:52 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb  8 14:22:40 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb  8 14:57:25 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Fri Feb  9 09:53:52 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout5.pl , func = authorize exit status= Usage:
Encode::is_utf8(sv, check = 0) at
/usr/local/lib/perl5/site_perl/5.8.7/Convert/ASN1.pm line 422, DATA line
424.
Fri Feb  9 10:21:59 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout5.pl , func = authorize exit status=
Undefined subroutine Convert::ASN1::authorize called at
/usr/local/lib/perl5/site_perl/5.8.7/Net/LDAP.pm line 759
Fri Feb  9 10:57:59 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout5.pl , func = preacct exit status=
Undefined subroutine Convert::ASN1::preacct called at
/usr/local/lib/perl5/site_perl/5.8.7/Net/LDAP.pm line 759



##users

DEFAULT NAS-Identifier == "Wireless-802.11", Autz-Type := Y5, Auth-Type := Y5


#radiusd.conf#
authorize {
    Autz-Type Y5 {
        redundant {
            ldapy51
            ldapy52
        }
        y5perl
    }
}


modules {
    perl y5perl {
        module = /usr/local/etc/raddb/newtimeout5.pl
    }
}


authenticate {

    Auth-Type Y5 {
        redundant {
            ldapy51
            ldapy52
        }
    }

}

##

###newtimeout5.pl
sub authorize {
    ##main
    my $return_value = 0;
    $return_value = timeout();
    print "VALUE return: $return_value\n";
    if ($return_value eq '-1') {
        return RLM_MODULE_REJECT;
    } else {
        return RLM_MODULE_OK;
    }
}

sub timeout {

    my $query;
    my $query2;
    my $uid = $RAD_REQUEST{'User-Name'};
    my $userfrom;
    my $userconnect = $RAD_REQUEST{'NAS-Identifier'};
    my $timeout;

    # Only wifi connections get a timeout lookup
    if ($userconnect =~ /Wireless-802.11|WiFi/) {
        $query  = "Service";
        $query2 = "TimeoutWIFI";
    }

    if ($query) {
        $userfrom = ldapquery($uid, $query);

        if ($userfrom =~ /Y5PLAT|Y5GOLD/) {
            $userfrom = "WiFi-BTP";
        } elsif ($userfrom =~ /^Y5$/) {
            $userfrom = "Wireless-802.11";
        }

        if ($userconnect eq $userfrom) {
            print "rlm_perl: Local user.. No timeout.. Unlimited!!!\n";
            return (1);
        } elsif ($userconnect ne $userfrom) {
            print "rlm_perl: Roaming user.. Timeout will be loaded !!\n";
            $timeout = ldapquery($uid, $query2);
            print "rlm_perl: $query2:$timeout\n";
            if (!$timeout) {
                return (-1);
            } else {
                $RAD_REPLY{'Session-Timeout'} = $timeout;
                print "rlm_perl: NOT YET\n";
                return (1);
            }
        }

    } else {
        print "rlm_perl: Not a wifi connection !!!\n";
        return (1);
    }

}

sub ldapquery {

    my ( $uid, $query ) = @_;
    my $host = "xx";
    my $value;

    my $baseDN = "ou=Y5,ou=AAA, ou=x, dc=x, dc=";
    my $ldap = Net::LDAP->new( $host ) or die "$@";
    my $mesg = $ldap->bind;    # an anonymous bind

    $mesg = $ldap->search(     # perform a search
        base   => $baseDN,
        filter => "(&(uid=$uid))"
    );
    my $count = $mesg->count;

    if ($mesg->code) {
        return ("NULL");
    }
if ($count  0

rewrite attribute with perl module

2009-03-05 Thread Asaad


Hi all,

I have the attribute Session-Timeout with value 36 in the radreply database

and want to modify the value when radius returns it in its reply. I
enabled the perl module

and enabled it in post-auth.

In the perl sub post-auth I added

.
print attr
$RAD_REPLY{'Session-Timeout'} = 5 ;
.
print attr
.
return RLM_MODULE_UPDATED

but that does not affect the returned value:
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Cisco-AVPair = throttle=55
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Session-Timeout = 36
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Framed-IP-Address = x
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REQUEST: SQL-User-Name = user
...
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Cisco-AVPair = throttle=55
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Session-Timeout = 5
Thu Mar  5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Framed-IP-Address = xx

but radius sent back
Sending Access-Accept of id 1 to 192.168.100.10:32830
Framed-IP-Address := 
Cisco-AVPair = throttle=55
Session-Timeout = 36


with a value of 36, not 5.

I then enabled the perl module in the authorize and authentication sections of
radius.conf and put the same code as before in the corresponding subs (authorize and
authentication) in the perl module, but I got the same result: the value did not change,

and I also got the same result when I changed the return code to
RLM_MODULE_UPDATED.

Any hint please? Can I modify the value of reply attributes?

Thanks a lot





Fwd: final rlm_perl question, hopefully...

2007-07-26 Thread FreeRadius-ML
Hi All,

  Ok, after reviewing all the information that was received, I've set up my FreeRadius
as follows:

1. The authorize and authenticate sections are set up to activate digest and perl.
2. My rlm_perl script utilizes the following lines in order to return the unencrypted
   user password back to FreeRadius for digest authentication:

   $RAD_CHECK{'Cleartext-Password'} = "xx";   # Remove this line for production
   $RAD_CHECK{'User-Password'} = "xx";        # Remove this line for production

   I just put these inside my script for checking; later on this information will be
retrieved from an external source.

  Now, FreeRadius activates my rlm_perl module, no problem, as I can see the various
reply fields being set up. However, I'm still getting the following error:


rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: Digest-Response = 632905a2325f672f049800eda7df9ee4
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Sip-Uri-User = z2l
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0xbbc93f0)
rlm_perl: RAD_REPLY: Reply-Message = User accepted by z2l WSDL
rlm_perl: RAD_REPLY: z2l-Duration = 60
rlm_perl: RAD_REPLY: z2l-Status = 2
rlm_perl: RAD_REPLY: z2l-Session = 833abb3d-d047-4d0d-a40e-2e147049f96d
rlm_perl: Added pair Reply-Message = User accepted by z2l
rlm_perl: Added pair z2l-Duration = 60
rlm_perl: Added pair z2l-Status = 2
rlm_perl: Added pair z2l-Session = 833abb3d-d047-4d0d-a40e-2e147049f96d
rlm_perl: Added pair Cleartext-Password = z2l
rlm_perl: Added pair User-Password = z2l
rlm_perl: Added pair Auth-Type = digest
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0xb933260
  modcall[authorize]: module perl returns ok for request 5
rlm_realm: Looking up realm 192.168.2.80 for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm 192.168.2.80
  modcall[authorize]: module suffix returns noop for request 5
modcall: leaving group authorize (returns ok) for request 5
  rad_check_password:  Found Auth-Type DIGEST
auth: type digest
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_digest: Configuration item User-Password or Digest-HA1 is required for authentication.
  modcall[authenticate]: module digest returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client 192.168.2.80 port 5060)
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 3 seconds...

  Now, my configuration is very very simple. In the authorize I have digest and perl
enabled, in authenticate I have only digest enabled. If I read the debug correctly, the
authorization is going ok:

  modcall[authorize]: module perl returns ok for request 5
rlm_realm: Looking up realm 192.168.2.80 for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm 192.168.2.80
  modcall[authorize]: module suffix returns noop for request 5
  modcall: leaving group authorize (returns ok) for request 5

  However, the authentication section fails:

rad_check_password:  Found Auth-Type DIGEST
  auth: type digest
Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 5
  rlm_digest: Configuration item User-Password or Digest-HA1 is required for authentication.
modcall[authenticate]: module digest returns invalid for request 5
  modcall: leaving group authenticate (returns invalid) for request 5
  auth: Failed to validate the user.
  Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client 192.168.2.80 port 5060)

  So, I'm either returning something in the wrong way, or I've broken something again.
Any pointers on the issue would be highly appreciated.

Regards,
  Z2L



Affect Static IP by Freeradius/ASA5510

2009-02-04 Thread Phibee Network Operation Center

Hi

Sorry to restart the same subject, but I am still searching ... and searching ...

but I don't see any solution ...


I use:
   FreeRadius with a Perl Script
   A Cisco ASA5510 IOS 8.0


In debug I have:


When a user doesn't have an IP, use Pool:

==

rad_recv: Access-Request packet from host 10.218.7.243:1025, id=31, length=166

   User-Name = vpn...@xx.fr
   User-Password = XXX
   NAS-Port = 1658880
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Called-Station-Id = 62.XX.XX.XX
   Calling-Station-Id = 88.XX.XX.XX
   NAS-Port-Type = Virtual
   Tunnel-Client-Endpoint:0 = 88.XX.XX.XX
   NAS-IP-Address = 10.218.7.243
   Cisco-AVPair = ip:source-ip=88.XX.XX.XXy\223
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: Looking up realm xx.fr for User-Name = vpn...@xx.fr
   rlm_realm: No such realm xx.fr
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
   users: Matched entry DEFAULT at line 154
   users: Matched entry DEFAULT at line 173
   users: Matched entry DEFAULT at line 185
 modcall[authorize]: module files returns ok for request 0
Using perl at 0x8149a00
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
 modcall[authorize]: module perl returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
 rad_check_password:  Found Auth-Type Perl
auth: type Perl
 Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 0
Using perl at 0x8149a00
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair h323-credit-amount = 100
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
 modcall[authenticate]: module perl returns ok for request 0
modcall: leaving group Perl (returns ok) for request 0
Login OK: [vpn...@xx.fr/XXX] (from client 10.218.7.243 port 1658880 cli 88.XX.XX.XX)

Sending Access-Accept of id 31 to 10.218.7.243 port 1025
   Framed-IP-Address = 255.255.255.254
   Framed-MTU = 576
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP
   h323-credit-amount = 100
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 31 with timestamp 4989aa4d
Nothing to do.  Sleeping until we see a request.


No problems, the user connects and has an IP from the pool.


When I use a user with a static IP:

rad_recv: Access-Request packet from host 10.218.7.243:1025, id=32, length=166

   User-Name = vpn...@xx.fr
   User-Password = XXX
   NAS-Port = 1662976
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Called-Station-Id = 62.23.17.71
   Calling-Station-Id = 88.XX.XX.XX
   NAS-Port-Type = Virtual
   Tunnel-Client-Endpoint:0 = 88.XX.XX.XX
   NAS-IP-Address = 10.218.7.243
   Cisco-AVPair = ip:source-ip=88.XX.XX.XXy\223
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
   rlm_realm: Looking up realm xx.fr for User-Name = vpn...@xx.fr
   rlm_realm: No such realm xx.fr
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 1
   users: Matched entry DEFAULT at line 154
   users: Matched entry DEFAULT at line 173
   users: Matched entry DEFAULT at line 185
 modcall[authorize]: module files returns ok for request 1
Using perl at 0x8149a00
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 10.218.3.41
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service

Re: Problem with rlm_perl

2009-04-07 Thread Волошин Вячеслав

OK, that is what I did.
But the thing is that my RADIUS server will authorize and account for several
services from different NASes.

And it would be really good to keep them separate.
Also, if radius is started without debug mode, it works normally for a while,
but only for a while.




- Original Message - 
From: Anatoly S. Zimin anato...@team.co.ru

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, April 07, 2009 3:45 PM
Subject: Re: Problem with rlm_perl



Hi!

Actually, it is quite _inconvenient_ to hunt for problems from just debug output +
config.

It would be better to describe the problem, even in broken English.
But that is a digression...

In general, rlm_perl has quite a lot of glitches.
For example, when working with various modules such as IO::Socket::.
Try putting everything into one script.



Hello.

Config:
perl auth_perl_pppoe {
module = /var/www/radius/radius_auth.pl
func_accounting = accounting
}

perl acc_perl_pppoe {
module = /var/www/radius/radius_accounting.pl
func_authenticate = authenticate
}

-
authenticate {
Auth-Type PPPOE_AUTH {
auth_perl_pppoe
}

}

#
#  Accounting.  Log the accounting data.
#
accounting {
Acct-Type PPPOE_ACC {
acc_perl_pppoe
}
detail
unix
radutmp
}


this error in radiusd -X:


rad_recv: Access-Request packet from host 93.95.41.141 port 53773, id=8,
length=146
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 100
NAS-Port-Type = Ethernet
User-Name = pppoe_test
Calling-Station-Id = 00:13:77:60:60:CB
Called-Station-Id = internet
NAS-Port-Id = e2_v15
CHAP-Challenge = 0x3b30fc1959ca610275bdc66582b579cf
CHAP-Password = 0x013e0573332525cd3ebc797dbe68f0969d
NAS-Identifier = ntk-hsgw
NAS-IP-Address = 93.95.41.141
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = pppoe_test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[mschap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
[files] users: Matched entry DEFAULT at line 7
[files] users: Matched entry DEFAULT at line 19
++[files] returns ok
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = PPPOE_AUTH
+- entering group PPPOE_AUTH {...}
GOT CLONE -1209066800 0x91011d8
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair CHAP-Password = 0x013e0573332525cd3ebc797dbe68f0969d
rlm_perl: Added pair Huntgroup-Name = ntk_pppoe
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Called-Station-Id = internet
rlm_perl: Added pair Calling-Station-Id = 00:13:77:60:60:CB
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = pppoe_test
rlm_perl: Added pair CHAP-Challenge = 0x3b30fc1959ca610275bdc66582b579cf
rlm_perl: Added pair NAS-Identifier = ntk-hsgw
rlm_perl: Added pair NAS-IP-Address = 93.95.41.141
rlm_perl: Added pair NAS-Port = 100
rlm_perl: Added pair NAS-Port-Id = e2_v15
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Class = dialup
rlm_perl: Added pair Mikrotik-Rate-Limit = 256k
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Auth-Type = PPPOE_AUTH
++[auth_perl_pppoe] returns ok
Login OK: [pppoe_test] (from client ntk-hsgw port 100 cli 00:13:77:60:60:CB)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 8 to 93.95.41.141 port 53773
Framed-Protocol = PPP
Service-Type = Framed-User
Class = 0x6469616c7570
Mikrotik-Rate-Limit = 256k
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 93.95.41.141 port 57551, id=9, length=157
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 100
NAS-Port-Type = Ethernet
User-Name = pppoe_test
Calling-Station-Id = 00:13:77:60:60:CB
Called-Station-Id = internet
NAS-Port-Id = e2_v15
Class = 0x6469616c7570
Acct-Session-Id = 8170005c
Framed-IP-Address = 93.95.42.63
Acct-Authentic = RADIUS
Event-Timestamp = Apr  7 2009 17:07:22 MSD
Acct-Status-Type = Start
NAS-Identifier = ntk-hsgw
NAS-IP-Address = 93.95.41.141
Acct-Delay-Time = 0
+- entering group preacct

Re: Problem with rlm_perl

2009-04-07 Thread Anatoly S. Zimin
Yes, this is definitely a bug.
I had the same problem: it works in debug mode.
But as soon as you switch to normal mode, the glitches start (almost) immediately.
My guess is that it is all down to forks. (As nasty as it is, the wonderful Perl
language has some poorly implemented modules, which behave buggily under fork.)
I solved my problems by merging the scripts and rewriting everything at a lower
level, i.e. I replaced IO::Socket::Inet with plain Socket. And, of course,
by leaving out such useful things as fork and threads. Sometimes glitches
appear in new versions; maybe it is worth trying to roll back a few minor versions?
(as a last resort)


 OK, that is what I did.
 But the thing is that my RADIUS server will authorize and account for several
 services from different NASes.
 And it would be really good to keep them separate.
 Also, if radius is started without debug mode, it works normally for a while,
 but only for a while.
 
 
 
 - Original Message - 
 From: Anatoly S. Zimin anato...@team.co.ru
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Sent: Tuesday, April 07, 2009 3:45 PM
 Subject: Re: Problem with rlm_perl
 
 
  Hi!
 
  Actually, it is quite _inconvenient_ to hunt for problems from just debug output +
  config.
  It would be better to describe the problem, even in broken English.
  But that is a digression...
 
  In general, rlm_perl has quite a lot of glitches.
  For example, when working with various modules such as IO::Socket::.
  Try putting everything into one script.
 
 
  Hello.
 
  Config:
  perl auth_perl_pppoe {
  module = /var/www/radius/radius_auth.pl
  func_accounting = accounting
  }
 
  perl acc_perl_pppoe {
  module = /var/www/radius/radius_accounting.pl
  func_authenticate = authenticate
  }
 
  -
  authenticate {
  Auth-Type PPPOE_AUTH {
  auth_perl_pppoe
  }
 
  }
 
  #
  #  Accounting.  Log the accounting data.
  #
  accounting {
  Acct-Type PPPOE_ACC {
  acc_perl_pppoe
  }
  detail
  unix
  radutmp
  }
 
 
  this error in radiusd -X:
 
 
  rad_recv: Access-Request packet from host 93.95.41.141 port 53773, id=8,
  length=146
  Service-Type = Framed-User
  Framed-Protocol = PPP
  NAS-Port = 100
  NAS-Port-Type = Ethernet
  User-Name = pppoe_test
  Calling-Station-Id = 00:13:77:60:60:CB
  Called-Station-Id = internet
  NAS-Port-Id = e2_v15
  CHAP-Challenge = 0x3b30fc1959ca610275bdc66582b579cf
  CHAP-Password = 0x013e0573332525cd3ebc797dbe68f0969d
  NAS-Identifier = ntk-hsgw
  NAS-IP-Address = 93.95.41.141
  +- entering group authorize {...}
  ++[preprocess] returns ok
  [suffix] No '@' in User-Name = pppoe_test, looking up realm NULL
  [suffix] No such realm NULL
  ++[suffix] returns noop
  ++[mschap] returns noop
  ++[unix] returns notfound
  [files] users: Matched entry DEFAULT at line 1
  [files] users: Matched entry DEFAULT at line 7
  [files] users: Matched entry DEFAULT at line 19
  ++[files] returns ok
  ++[logintime] returns noop
  [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
  ++[pap] returns noop
  Found Auth-Type = PPPOE_AUTH
  +- entering group PPPOE_AUTH {...}
  GOT CLONE -1209066800 0x91011d8
  rlm_perl: Added pair NAS-Port-Type = Ethernet
  rlm_perl: Added pair CHAP-Password = 0x013e0573332525cd3ebc797dbe68f0969d
  rlm_perl: Added pair Huntgroup-Name = ntk_pppoe
  rlm_perl: Added pair Service-Type = Framed-User
  rlm_perl: Added pair Called-Station-Id = internet
  rlm_perl: Added pair Calling-Station-Id = 00:13:77:60:60:CB
  rlm_perl: Added pair Framed-Protocol = PPP
  rlm_perl: Added pair User-Name = pppoe_test
  rlm_perl: Added pair CHAP-Challenge = 0x3b30fc1959ca610275bdc66582b579cf
  rlm_perl: Added pair NAS-Identifier = ntk-hsgw
  rlm_perl: Added pair NAS-IP-Address = 93.95.41.141
  rlm_perl: Added pair NAS-Port = 100
  rlm_perl: Added pair NAS-Port-Id = e2_v15
  rlm_perl: Added pair Framed-Protocol = PPP
  rlm_perl: Added pair Service-Type = Framed-User
  rlm_perl: Added pair Class = dialup
  rlm_perl: Added pair Mikrotik-Rate-Limit = 256k
  rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
  rlm_perl: Added pair Auth-Type = PPPOE_AUTH
  ++[auth_perl_pppoe] returns ok
  Login OK: [pppoe_test] (from client ntk-hsgw port 100 cli 00:13:77:60:60:CB)
  +- entering group post-auth {...}
  ++[exec] returns noop
  Sending Access-Accept of id 8 to 93.95.41.141 port 53773
  Framed-Protocol = PPP
  Service-Type = Framed-User
  Class = 0x6469616c7570
  Mikrotik-Rate

RE: Radius Access-Challenge and Apache

2011-09-04 Thread Daniel Abels
Hi Alan,

Thank you for your response.  I've been having a lot of trouble reaching
the mailing list, my responses are not getting through.  Hopefully this
one will!

Below is the output from the debug mode:

rad_recv: Access-Request packet from host 127.0.0.1 port 1026, id=60,
length=83
User-Name = dra
User-Password = *
Service-Type = Authenticate-Only
NAS-Identifier = debian-test-dra.vsl.com.au
NAS-IP-Address = 127.0.0.1
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = dra, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 54
++[files] returns ok
rlm_perl: Authorize Function Called
rlm_perl: Authorization for 127.0.0.1 was granted...
rlm_perl: Added pair User-Name = dra
rlm_perl: Added pair NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl: Added pair User-Password = *
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Perl
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group Perl {...}
rlm_perl: Log Request Attributes Called
rlm_perl:Request: User-Name = dra
rlm_perl:Request: User-Password = *
rlm_perl:Request: NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl:Request: Service-Type = Authenticate-Only
rlm_perl:Request: NAS-IP-Address = 127.0.0.1
rlm_perl: Authenticate Function Called
rlm_perl: User: dra Authenticated, now sending access-challenge
rlm_perl: Log Reply Attributes Called
rlm_perl:Reply: Reply-Message = Please Enter Code
rlm_perl:Reply: State = challenge
rlm_perl: Added pair User-Name = dra
rlm_perl: Added pair User-Password = *
rlm_perl: Added pair NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Reply-Message = Please Enter Code
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns handled
Sending Access-Challenge of id 60 to 127.0.0.1 port 1026
Reply-Message = Please Enter Code
State = 0x6368616c6c656e6765
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 6 ID 60 with timestamp +148
Ready to process requests.

The output to the browser at this point looks like this: (Firefox 6.0,
but I have tried IE 8.0 too)

http://imageshack.us/photo/my-images/856/authenticationrequired2.png/

I turned-up the logging level for Apache too, the following is a
complete successful login:

[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1185): Radius
Auth for: debian-test-dra.vsl.com.au requests /test/ :
file=/var/www/test/
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(762): Found
Radius Cookie, now check if it's valid...
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1191): Found
cookie=8115747392e228c2f612d8fce9b384074e5c2035f36809adchallenge for
user=dra :
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1195): with
RADIUS challenge state set.\n
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(902): Sending
packet on 127.0.0.1:1812
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(): RADIUS
server requested challenge for user dra
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1232): RADIUS
authentication for user=dra password=* failed\n
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1239): Sending
failure message to user=dra\n
[Tue Aug 30 09:25:04 2011] [error] [client 10.10.240.240] user dra:
authentication failure for /test/: Password Mismatch
[Tue Aug 30 09:25:04 2011] [debug] mod_deflate.c(615): [client
10.10.240.240] Zlib: Compressed 482 to 324 : URL /test/
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1185): Radius
Auth for: debian-test-dra.vsl.com.au requests /test/ :
file=/var/www/test/
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(762): Found
Radius Cookie, now check if it's valid...
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1191): Found
cookie=f94377b91a7b4e30ac0a3910ea54ec194e5c2048f36809adchallenge for
user=dra :
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1195): with
RADIUS challenge state set.\n
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(902): Sending
packet on 127.0.0.1:1812
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1256):  RADIUS
Authentication for user=dra password= OK.  Cookie expiry in 5
minutes\n
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius

Re: rlm_perl with WinXP MS-CHAP clients ?

2006-09-20 Thread Michael Gale

Hello,

	It seems that it is not using rlm_perl for authentication. I would 
assume that this is because, according to the document I was following, it 
had me add:


Auth-Type Perl {
 perl
 }

to the authentication section, which means that if the Auth-Type is set to 
Perl then the perl module is used. However, I think that since the client 
or server is setting the Auth-Type to MS-CHAP, since that is what the 
client is using, it is trying to use the mschap module.


I did make the following change under the users file:

#DEFAULT Auth-Type = System
#   Fall-Through = 1

DEFAULT Auth-Type = Perl
Fall-Through = 1


As the documentation (http://wiki.freeradius.org/index.php/Rlm_perl) said 
to do so.


If anyone has any info it would be helpful.

Michael

Michael Gale wrote:

Hello,

I have a freeradius 1.0.X server setup with ppp and pptp using a 
mysql DB for user authentication.


Here I assign static IPs and users to groups. We wish to use rlm_perl 
instead of the sql module so we can authenticate the users against an 
in-house application.


I have built freeradius 1.1.3 from source and it seems to work; however, 
since the client is WinXP and the auth type is MS-CHAP, it seems to be 
calling the mschap section under authentication and then exiting.


Here is my debug output:

rad_recv: Access-Request packet from host 127.0.0.1:32768, id=51, 
length=141

Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = baduser
MS-CHAP-Challenge = 0x0c09ad640ce7275613b8a0dd51d2f4c6
MS-CHAP2-Response = 
0x630065cbdfea16f542fbda8cdc65d7fd3093ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b 


Calling-Station-Id = .271
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module mschap returns ok for request 0
rlm_realm: No '@' in User-Name = baduser, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module files returns ok for request 0
perl_pool: item 0x9d5ad20 asigned new request. Handled so far: 1
found interpetator at address 0x9d5ad20
rlm_perl: MG RAD_REQUEST: Service-Type = Framed-User
rlm_perl: MG RAD_REQUEST: Calling-Station-Id = .271
rlm_perl: MG RAD_REQUEST: MS-CHAP-Challenge = 
0x0c09ad640ce7275613b8a0dd51d2f4c6

rlm_perl: MG RAD_REQUEST: Client-IP-Address = 127.0.0.1
rlm_perl: MG RAD_REQUEST: Framed-Protocol = PPP
rlm_perl: MG RAD_REQUEST: User-Name = baduser
rlm_perl: MG RAD_REQUEST: MS-CHAP2-Response = 
0x630065cbdfea16f542fbda8cdc65d7fd3093ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b 


rlm_perl: MG RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: MG RAD_REQUEST: NAS-Port = 0
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = MS-CHAP
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9d5ad20
  modcall[authorize]: module perl returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for baduser with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect: [baduser/no User-Password attribute] (from client 
localhost port 0 cli .271)

Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 51 to 127.0.0.1 port 32768
Waking up in 4 seconds...
--- Walking the entire request

Re: rlm_perl

2011-09-29 Thread Arran Cudbard-Bell
 However, When I send a simple test request I don't see my debug line. I also 
 don't see the message perl loaded when start Freeradius in debug mode 
 (radiusd -X).
 
 Am I missing anything?


Could you post the debug. Might be you don't have rlm_perl built, though the 
server usually complains about those types of things...

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


%RAD_REPLY hash problem

2010-10-26 Thread Ana Gallardo
Hello,

I'm working with Freeradius 2.1.10

I want to authorize a user using a multivalued attribute (Relaciones), so
I use Perl.

The values of the attribute Relaciones are stored in LDAP. Nombre-Completo is
another attribute stored in LDAP.

Relaciones is an integer value. A user is authorized if they have one
Relaciones attribute with a positive value (no + sign).

Relaciones, Nombre-Completo and Codigo-Reject are vendor-specific attributes
defined in /usr/share/freeradius/dictionary.rinuex

My Perl script is:

# cat /etc/freeradius/perl/checkRelaciones.pm

#!/usr/bin/perl

use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
#use Data::Dumper;

use constant RLM_MODULE_REJECT => 0;  # immediately reject the request
use constant RLM_MODULE_OK     => 2;  # the module is OK, continue

sub authorize {
    my $refRelaciones;

    # Relaciones arrives in %RAD_REPLY as a reference to an array of values
    if (exists $RAD_REPLY{'Relaciones'} && defined $RAD_REPLY{'Relaciones'}) {
        $refRelaciones = $RAD_REPLY{'Relaciones'};
        foreach (@{$refRelaciones}) {
            # accept as soon as one value starts with two digits (no sign)
            if ($_ =~ /^[0-9]{2}/) {
                return RLM_MODULE_OK;
            }
        }
        $RAD_REPLY{'Codigo-Reject'} = 11;  # Sin-Relacion
    }
    return RLM_MODULE_REJECT;
}

Everything works fine.

My problem is that rlm_perl duplicates an attribute in the %RAD_REPLY hash.

Debug:

rad_recv: Access-Request packet from host x.x.x.x port 56822, id=100,
length=75
User-Name = a...@unex.es
User-Password = 
Calling-Station-Id = ...
server rinuex {

...

[ldap1] looking for check items in directory...
  [ldap1] ntPassword - NT-Password == 0x3..
[ldap1] looking for reply items in directory...
  [ldap1] Relaciones - Relaciones += 03
  [ldap1] sn - Nombre-Completo = Ana Gallardo
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap1] user ana authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok

...

rlm_perl: Added pair User-Name = a...@unex.es
rlm_perl: Added pair User-Password = 
rlm_perl: Added pair Intentos-Reject = 0
rlm_perl: Added pair SQL-User-Name = ana
rlm_perl: Added pair Realm = unex.es
rlm_perl: Added pair Stripped-User-Name = ana
rlm_perl: Added pair Calling-Station-Id = ...
rlm_perl: Added pair Nombre-Completo = Ana Gallardo
rlm_perl: Added pair Relaciones = 03
rlm_perl: Added pair Relaciones = Ana Gallardo
rlm_perl: Added pair NT-Password = 0x344...
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Ldap-UserDn = ...
++[perl] returns ok

...

++[pap] returns ok

...

} # server rinuex
Sending Access-Accept of id 100 to x.x.x.x port 56822
Nombre-Completo = Ana Gallardo
Relaciones += 03
Relaciones += Ana Gallardo



Any ideas??

Sorry for my English and thank you in advance.


  Ana Gallardo Gómez


rlm_perl DEBUG log with garbage output

2007-01-24 Thread Rohaizam Abu Bakar
Hi,..

running xlat within rlm_perl..  giving correct result.. but what concern me is 
that.. in debug log.. there are garbage output as below:-


radius_xlat:  '.*'
radius_xlat: Running registered xlat function of module y5perl for string 
'%{User-Name}:%{NAS-Identifier}'
radius_xlat:  'bacang:JARINGWiF'
rlm_perl: Len is 4 , out is NULL?8???Ù¿¿?49(hÕ¿¿?? freespace is 254
radius_xlat:  'NULL'


calling from :-

attr_rewrite wifi {
##some code
replacewith = %{y5perl:%{User-Name}:%{NAS-Identifier}}

}

preacct
{
y5perl
wifi
files
}

sub xlat {
# some code
# return NULL or somevalue
return ($value);
}

Re: confused by logging targets for rlm_perl

2012-02-22 Thread Alan DeKok
Olivier Bilodeau wrote:
 http://wiki.freeradius.org/Rlm_perl#Logging refers to:
 0 - Debug
 1 - Auth

  Those are wrong.  See src/include/radiusd.h, L_DBG, etc.

  I've fixed the Wiki.

 I expected Debug not to go out in radius.log and Auth to do since I
 specified Auth to yes in radiusd.conf.

  Yup.

 With radius -X, as expected, I got everything.
 
 Am I missing something here? Is this a bug or a feature(tm)?

  Bug.  See the v2.1.x branch in git for patches to
src/modules/rlm_perl/example.pl

  Alan DeKok.


Re: Packet-Original-Timestamp

2013-03-01 Thread Alan DeKok
Бен Томпсон wrote:
 I tried checking out the git master code, but it just hangs when
 calling rlm_perl. This is the last line I see when running in debug
 mode :-
 
 Fri Mar  1 12:46:49 2013 : Debug: (0)   modsingle[authorize]: calling
 perl (rlm_perl) for request 0
 
 I need rlm_perl as part of my setup...
 
 Is Packet-Original-Timestamp definitely not usable in v2.x?

  Don't ask leading questions like that.  It's rude.

  It is usable.  Arran said it was usable.  You were told this.

  If you want to add Event-Timestamp, when it isn't already there, do:


   if (!Event-Timestamp) {
       update request {
           Event-Timestamp := "%l"
       }
   }

  Alan DeKok.

MAC-Auth issues with rlm_perl

2012-03-25 Thread Glen Harris

Server: Debian 6 (Squeeze) 2.6.32-5-amd64
FreeRadius: 2.1.10 (Debian package)
Client: HP E-MSM460 AP (MSCHAPv2, Use message authenticator)
Authentication methods for the MSM460 are: MSCHAPv2, MSCHAP, CHAP, EAP 
MD5 and PAP.


I'm trying to set up a simple MAC-Auth based network using HP 2610 
switches and MSM640 wireless APs as radius clients. I've added the AP to 
the clients.conf and configured the AP to use MAC-based authentication 
and it appears to be talking to FreeRadius using MSCHAPv2 correctly.


We only have a few dozen clients, so I'm using the perl module to read 
and cache a text file of MAC addresses. My script watches the file's 
mtime and re-loads it as necessary. I've followed the instructions on 
http://wiki.freeradius.org/Rlm_perl, but I get the following error:


/etc/freeradius/users[204]: Parse error (check) for entry DEFAULT: 
Unknown value Perl for attribute Auth-Type


After some trial and error, I found that adding perl to the authorize 
and authenticate sections of sites-available/inner-tunnel would get rid 
of the error, but I have no idea if that solved the problem or merely 
masked it and caused the next one.


There appears to be something seriously wrong with the way this config 
is working, because rlm_perl is calling the AUTHORIZE function but not 
AUTHENTICATE. I've pasted the debug of an authentication attempt below. 
It appears to be taking the CLIENT mschap authentication and somehow 
applying those attributes to mangle USER authentication.


rad_recv: Access-Request packet from host 192.168.0.29 port 35063, 
id=48, length

=275
Acct-Session-Id = 1ca83cd8-00013b2c
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
NAS-Identifier = CN18D332BD
NAS-IP-Address = 192.168.0.29
User-Name = 984b4af5bf40
Calling-Station-Id = 98:4b:4a:f5:bf:40
Called-Station-Id = 2c:41:38:f4:f5:c0
Service-Type = Login-User
MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516
MS-CHAP2-Response = 
0x3000f12947d93103bfe476001a4f8d6fcc6800

00fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba
Colubris-AVPair = ssid=TSV-UC
Colubris-AVPair = phytype=IEEE802dot11n
Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = 984b4af5bf40, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 204
++[files] returns ok
rlm_perl: AUTHORIZE
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: RAD_REQUEST: Acct-Session-Id = 1ca83cd8-00013b2c
rlm_perl: RAD_REQUEST: Service-Type = Login-User
rlm_perl: RAD_REQUEST: Called-Station-Id = 2c:41:38:f4:f5:c0
rlm_perl: RAD_REQUEST: Calling-Station-Id = 98:4b:4a:f5:bf:40
rlm_perl: RAD_REQUEST: Message-Authenticator = 
0xf6affdfe1901c35141d3128eed2c515e
rlm_perl: RAD_REQUEST: MS-CHAP-Challenge = 
0x5ec43b8666ef945c1db7a14cc42da516

rlm_perl: RAD_REQUEST: User-Name = 984b4af5bf40
rlm_perl: RAD_REQUEST: NAS-Identifier = CN18D332BD
rlm_perl: RAD_REQUEST: MS-CHAP2-Response = 
0x3000f12947d93103bfe476001a4f8d6fcc68fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba

rlm_perl: RAD_REQUEST: Colubris-AVPair = ARRAY(0x127d4d8)
rlm_perl: RAD_REQUEST: NAS-Port = 0
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.0.29
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Acct-Session-Id = 1ca83cd8-00013b2c
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Called-Station-Id = 2c:41:38:f4:f5:c0
rlm_perl: Added pair Calling-Station-Id = 98:4b:4a:f5:bf:40
rlm_perl: Added pair Message-Authenticator = 
0xf6affdfe1901c35141d3128eed2c515e

rlm_perl: Added pair MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516
rlm_perl: Added pair User-Name = 984b4af5bf40
rlm_perl: Added pair NAS-Identifier = CN18D332BD
rlm_perl: Added pair MS-CHAP2-Response = 
0x3000f12947d93103bfe476001a4f8d6fcc68fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba

rlm_perl: Added pair Colubris-AVPair = ssid=TSV-UC
rlm_perl: Added pair Colubris-AVPair = phytype=IEEE802dot11n
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address = 192.168.0.29
rlm_perl: Added pair Auth-Type = MSCHAP
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  
Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext

Re: rlm_perl DEBUG log with garbage output

2007-01-25 Thread Rohaizam Abu Bakar

It's work!!.. thanks..

--haizam

- Original Message - 
From: Bjørn Mork [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, January 25, 2007 6:05 PM
Subject: Re: rlm_perl DEBUG log with garbage output


Rohaizam Abu Bakar [EMAIL PROTECTED] writes:


Hi,..

running xlat within rlm_perl..  giving correct result.. but what concern 
me is that.. in debug log.. there are garbage output as below:-



radius_xlat:  '.*'
radius_xlat: Running registered xlat function of module y5perl for string 
'%{User-Name}:%{NAS-Identifier}'

radius_xlat:  'bacang:JARINGWiF'
rlm_perl: Len is 4 , out is NULL?8???Ù¿¿?49(hÕ¿¿?? freespace is 254
radius_xlat:  'NULL'



Try this patch:








diff -u -r1.13.4.7 rlm_perl.c
--- src/modules/rlm_perl/rlm_perl.c 27 Apr 2006 17:35:44 - 1.13.4.7
+++ src/modules/rlm_perl/rlm_perl.c 25 Jan 2007 10:03:51 -
@@ -694,7 +694,7 @@
 } else if (count  0) {
 tmp = POPp;
 ret = strlen(tmp);
- strncpy(out,tmp,ret);
+ strncpy(out,tmp,ret+1);

 radlog(L_DBG,rlm_perl: Len is %d , out is %s freespace is %d,
ret, out,freespace);
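
Review bot: the new `strncpy(out,tmp,ret+1);` still takes its length from `ret = strlen(tmp)` alone and never compares it with `freespace`, so a Perl xlat return value of `freespace` bytes or more is written past the end of `out`. Copying `ret+1` bytes does bring the terminating NUL along, which is what the `%s` in the following radlog call was missing, but the bound should come from the destination: check `ret >= freespace` before the copy (reject or truncate), and terminate `out` explicitly after it.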










Bjørn









FreeRADIUS Issue -

2012-10-15 Thread Nandkumar Palkar
Hi Alan,

I'm facing the issue with configuration EAP-TTLS, LDAP and Perl and using
test client as eapol_test.

Please find the debug logs below:

rad_recv: Access-Request packet from host 127.0.0.1 port 45673, id=0,
length=206
User-Name = 
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message =
0x02360175736572317676746e746b6a6b636b76656469756366767672636e657563756b6c766465637475726a646a666b676e7267
Message-Authenticator = 0x065b1291e4b6cff7cecc69db3a9b5b83
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = , looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 54
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = 02-00-00-00-00-01
rlm_perl: Added pair Message-Authenticator =
0x065b1291e4b6cff7cecc69db3a9b5b83
rlm_perl: Added pair User-Name = 
rlm_perl: Added pair EAP-Message =
0x02360175736572317676746e746b6a6b636b76656469756366767672636e657563756b6c766465637475726a646a666b676e7267
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++[files] returns noop
[ldap] performing user authorization for 
[ldap] expand: %{Stripped-User-Name} -
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} - 
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=)
[ldap] expand: dc=example,dc=com - dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 192.168.1.103:389, authentication 0
  [ldap] bind as cn=admin,dc=example,dc=com/ to 192.168.1.103:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=example,dc=com, with filter (uid=)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword - Cleartext-Password == 
  [ldap] userPassword - Password-With-Header == 
[ldap] looking for reply items in directory...
[ldap] user  authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] Config already contains known good password.  Ignoring
Password-With-Header
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group EAP {...}
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = 02-00-00-00-00-01
rlm_perl: Added pair Message-Authenticator =
0x065b1291e4b6cff7cecc69db3a9b5b83
rlm_perl: Added pair User-Name = 
rlm_perl: Added pair EAP-Message =
0x02360175736572317676746e746b6a6b636b76656469756366767672636e657563756b6c766465637475726a646a666b676e7267
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair h323-credit-amount = 100
rlm_perl: Added pair Cleartext-Password = 
rlm_perl: Added pair Password-With-Header = 
rlm_perl: Added pair Ldap-UserDn = uid=,ou=people,dc=example,dc=com
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 45673
h323-credit-amount = 100
EAP-Message = 0x010100061520
Message-Authenticator = 0x
State = 0x2a7f4cbf2a7e5963e2206d31c110709d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 45673, id=1,
length=271
User-Name = 
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message =
0x020100651500160301005a01560301507c49a86cfabf980d6b3d94daf27fe3f600a2320dbc3427626ca4b918ad885f2800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff0201040023
State = 0x2a7f4cbf2a7e5963e2206d31c110709d
Message-Authenticator = 0x7984af4d41a5bfd6c39d9a472fe0cc17
# Executing section authorize from file
/etc/freeradius/sites-enabled/default

RE: static IP's with rlm_perl

2006-10-19 Thread Michael Gale
Hello,

Here is the debug info:

From the information it looks like I have added the information correctly 
however it is not sent to the client:
--snip--
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Framed-Netmask = 255.255.255.255
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 192.168.77.200
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair NT-Password = 213C197ADF831F46188DC68E3F46860F
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = MS-CHAP
..
Sending Access-Accept of id 70 to 127.0.0.1 port 32809
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Framed-Netmask = 255.255.255.255
MS-CHAP2-Success = 
0xa4533d41433543323433323341454632313338464643433730443243453533314646353533423131354634
MS-MPPE-Recv-Key = 0xae0f9b99af199f01fe9ab857a793739a
MS-MPPE-Send-Key = 0x3c24917e4b02abdc1bd303ea21d95b71
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
--snip--

So any feedback would be helpful, the whole debug info is below:

--snip--
rad_recv: Access-Request packet from host 127.0.0.1:32809, id=70, length=146
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = rigvpn_user1
MS-CHAP-Challenge = 0xee068979e7bafef383f8c90f3520d8e9
MS-CHAP2-Response = 
0xa400809dff2ecb2017413f1b7b5b71e5e1f3cee84de052f0d485d683d9350d9fd4b4410744a13cc2de0c
Calling-Station-Id = .271
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module mschap returns ok for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 175
users: Matched entry DEFAULT at line 187
  modcall[authorize]: module files returns ok for request 0
perl_pool: item 0x8eecac0 asigned new request. Handled so far: 1
found interpetator at address 0x8eecac0
rlm_perl: PASON RPM AUTH REQUEST: Service-Type = Framed-User
rlm_perl: PASON RPM AUTH REQUEST: Calling-Station-Id = .271
rlm_perl: PASON RPM AUTH REQUEST: MS-CHAP-Challenge = 
0xee068979e7bafef383f8c90f3520d8e9
rlm_perl: PASON RPM AUTH REQUEST: Client-IP-Address = 127.0.0.1
rlm_perl: PASON RPM AUTH REQUEST: Framed-Protocol = PPP
rlm_perl: PASON RPM AUTH REQUEST: User-Name = rigvpn_user1
rlm_perl: PASON RPM AUTH REQUEST: MS-CHAP2-Response = 
0xa400809dff2ecb2017413f1b7b5b71e5e1f3cee84de052f0d485d683d9350d9fd4b4410744a13cc2de0c
rlm_perl: PASON RPM AUTH REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: PASON RPM AUTH REQUEST: NAS-Port = 0
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Framed-Netmask = 255.255.255.255
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 192.168.77.200
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair NT-Password = 213C197ADF831F46188DC68E3F46860F
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = MS-CHAP
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x8eecac0
  modcall[authorize]: module perl returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: Found NT-Password
  rlm_mschap: Told to do MS-CHAPv2 for rigvpn_user1 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module mschap returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Login OK: [rigvpn_user1/no User-Password attribute] (from client localhost 
port 0 cli .271)
Sending Access-Accept of id 70 to 127.0.0.1 port 32809
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Framed-Netmask = 255.255.255.255
MS-CHAP2-Success = 
0xa4533d41433543323433323341454632313338464643433730443243453533314646353533423131354634
MS-MPPE-Recv-Key = 0xae0f9b99af199f01fe9ab857a793739a
MS-MPPE-Send-Key = 0x3c24917e4b02abdc1bd303ea21d95b71
MS-MPPE-Encryption-Policy = 0x0002
MS

Cannot control attribute ordering via rlm_perl

2011-10-06 Thread Claude Brown
Hi,

First, the version I'm using:

# freeradius -v
freeradius: FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, [...]


I'm trying to control the attribute-ordering when using rlm_perl. Thus far my 
experience is that this is not possible. My theory is that this is due to the 
hash-tables used as the interface between the C and Perl worlds.

Here is a small example that demonstrates the problem. I've turned on the 
users and perl modules in the authorize section (in that order). These are 
the important bits from the users file and the example.pl file.

(from the users file) 
steve   Cleartext-Password := testing
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = std.ppp,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        WiMAX-Packet-Data-Flow-Id = 1,
        WiMAX-Service-Data-Flow-Id = 1,
        WiMAX-Service-Profile-Id = 2

(from the example.pl)
sub authorize
{
   return RLM_MODULE_NOOP;
}


The debug log of the server is below. The interesting bits are (a) the 
rlm_perl: Added pair and (b) the attribute-order in the packet that the 
server sends in reply - the order is changed.

The ordering is important to me as I want those three WiMAX attributes 
packed inside a parent attribute WiMAX-Packet-Flow-Descriptor. If I turn off 
the perl module (or place it before the files module) the packing works as 
expected.

I put all this down to the attribute-list being rebuilt (by rlm_perl) from the 
%RAD_REPLY table. The hash-table has no concept of ordering, so it ends up 
randomised.

The above is a contrived example - what I really want to do is add those three 
WiMAX attributes in my perl script.  But due to the ordering problems I think I 
am wasting my time and need to come up with another solution.

Can anyone see how I can control the ordering of attributes coming out of the 
perl script?

Thanks,

Claude Brown.
Vividwireless.



rad_recv: Access-Request packet from host 127.0.0.1 port 50265, id=2, length=63
User-Name = steve
User-Password = testing
Message-Authenticator = 0xc8b10e777a7ea53a261c855029fd0b58
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = steve, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry steve at line 76
++[files] returns ok
GOT CLONE -1588651264 0x1a0e160
rlm_perl: Added pair User-Name = steve
rlm_perl: Added pair User-Password = testing
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Message-Authenticator = 0xc8b10e777a7ea53a261c855029fd0b58
rlm_perl: Added pair WiMAX-Service-Data-Flow-Id = 1
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-Routing = Broadcast-Listen
rlm_perl: Added pair WiMAX-Packet-Data-Flow-Id = 1
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Framed-Filter-Id = std.ppp
rlm_perl: Added pair Framed-IP-Address = 172.16.3.33
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.0
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair WiMAX-Service-Profile-Id = 2
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair Cleartext-Password = testing
++[perl] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using clear text password testing
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [steve] (from client localhost port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 2 to 127.0.0.1 port 50265
WiMAX-Service-Data-Flow-Id = 1
Service-Type = Framed-User
Framed-Routing = Broadcast-Listen
WiMAX-Packet-Data-Flow-Id = 1
Framed-Protocol = PPP
Framed-Filter-Id = std.ppp
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Compression = Van-Jacobson-TCP-IP
WiMAX-Service-Profile-Id = 2
Framed-MTU = 1500
Finished request 0.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Affect IP with script perl into freeradius

2009-01-27 Thread Phibee Network Operation Center

t...@kalik.net wrote:

Thanks for your reply. I have added:

   $RAD_REPLY{'Framed-IP-Address'} = "10.218.6.1";
   return RLM_MODULE_OK;

but no change, it uses the pool included in the Cisco ASA (10.218.4.5).

An error of mine?



Do a debug (radiusd -X) and see whether the attribute made it into the
Access-Accept packet. If it is sent to Cisco - the problem is on ASA. Do
debug aaa there and see why it is ignoring the static IP address.

Ivan Kalik
Kalik Informatika ISP


  


Ok, first this is the debug of Freeradius:


rad_recv: Access-Request packet from host 10.218.7.243:1025, id=50, 
length=165

   User-Name = usertest
   User-Password = XXX
   NAS-Port = 1011712
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Called-Station-Id = 62.XX.XX.XX
   Calling-Station-Id = 88.XX.XX.XX
   NAS-Port-Type = Virtual
   Tunnel-Client-Endpoint:0 = 88.XX.XX.XX
   NAS-IP-Address = 10.218.7.243
   Cisco-AVPair = ip:source-ip=88.166.47.158y\223
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
   rlm_realm: No '@' in User-Name = usertest, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 1
   users: Matched entry DEFAULT at line 154
   users: Matched entry DEFAULT at line 173
   users: Matched entry DEFAULT at line 185
 modcall[authorize]: module files returns ok for request 1
Using perl at 0x8146460
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 10.218.4.120
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.0
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
 modcall[authorize]: module perl returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
 rad_check_password:  Found Auth-Type Perl
auth: type Perl
 Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 1
Using perl at 0x8146460
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair h323-credit-amount = 100
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.0
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
 modcall[authenticate]: module perl returns ok for request 1
modcall: leaving group Perl (returns ok) for request 1
Login OK: [usertest/XX] (from client 10.218.7.243 port 1011712 cli 
88.xx.xx.xx)

Sending Access-Accept of id 50 to 10.218.7.243 port 1025
   Framed-IP-Address = 255.255.255.254
   Framed-MTU = 576
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP
   Framed-IP-Netmask = 255.255.255.0
   h323-credit-amount = 100
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 50 with timestamp 497f20c3
Nothing to do.  Sleeping until we see a request.





rlm_perl with WinXP MS-CHAP clients ?

2006-09-20 Thread Michael Gale

Hello,

	I have a freeradius 1.0.X server setup with ppp and pptp using a mysql 
DB for user authentication.


Here I assign static IPs and users to groups. We wish to use rlm_perl 
instead of the sql module so we can authenticate the users against an 
in-house application.


I have built freeradius 1.1.3 from source and it seems to work; however, 
since the client is WinXP and the auth type is MS-CHAP, it seems to be 
calling the mschap section under authentication and then exiting.


Here is my debug output:

rad_recv: Access-Request packet from host 127.0.0.1:32768, id=51, length=141
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = baduser
MS-CHAP-Challenge = 0x0c09ad640ce7275613b8a0dd51d2f4c6
MS-CHAP2-Response = 
0x630065cbdfea16f542fbda8cdc65d7fd3093ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b

Calling-Station-Id = .271
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module mschap returns ok for request 0
rlm_realm: No '@' in User-Name = baduser, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module files returns ok for request 0
perl_pool: item 0x9d5ad20 asigned new request. Handled so far: 1
found interpetator at address 0x9d5ad20
rlm_perl: MG RAD_REQUEST: Service-Type = Framed-User
rlm_perl: MG RAD_REQUEST: Calling-Station-Id = .271
rlm_perl: MG RAD_REQUEST: MS-CHAP-Challenge = 
0x0c09ad640ce7275613b8a0dd51d2f4c6

rlm_perl: MG RAD_REQUEST: Client-IP-Address = 127.0.0.1
rlm_perl: MG RAD_REQUEST: Framed-Protocol = PPP
rlm_perl: MG RAD_REQUEST: User-Name = baduser
rlm_perl: MG RAD_REQUEST: MS-CHAP2-Response = 
0x630065cbdfea16f542fbda8cdc65d7fd3093ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b

rlm_perl: MG RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: MG RAD_REQUEST: NAS-Port = 0
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = MS-CHAP
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9d5ad20
  modcall[authorize]: module perl returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for baduser with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect: [baduser/no User-Password attribute] (from client 
localhost port 0 cli .271)

Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 51 to 127.0.0.1 port 32768
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 51 with timestamp 451194b6
Nothing to do.  Sleeping until we see a request.



--
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.


RE: rlm_perl

2005-09-28 Thread Abdul Lateef
Hi,

Thanks for your reply. I am going to post the
debug logs here. From the log it seems rlm_perl is loaded
successfully, but when I am trying to call the authorize
and authenticate functions from example.pl, the
functions are not being called properly.

Here is the full configuration of what I did to work with
the perl module.

radreply table:
---
123456  Auth-Type   :=  perl
---

radiusd.conf
-
modules area:

perl {

module = /usr/local/etc/example.pl
func_accounting = accounting
func_authenticate = authenticate
func_authorize = authorize
func_preacct = preacct
func_checksimul = checksimul
func_xlat = xlat
}



authorize {

preprocess
chap
suffix
perl
}


authenticate {

Auth-Type Perl {
perl
}
}
-

example.pl


sub authorize {
   return RLM_MODULE_OK;
}


sub authenticate {
   if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
      # Reject any user name that starts with "baduser"
      $RAD_REPLY{'Reply-Message'} = "Denied access";
      return RLM_MODULE_REJECT;
   } else {
      # Accept everyone else and send back a credit-time attribute
      $RAD_REPLY{'h323-credit-time'} = "\"h323-credit-time=200\"";
      return RLM_MODULE_OK;
   }
}




Here is the Log:
===
Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x93af7a0
Wed Sep 28 07:50:45 2005 : rlm_perl:
rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x93af7a0
returned status 0
Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x94b0ec8
Wed Sep 28 07:50:45 2005 : rlm_perl:
rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x94b0ec8
returned status 0
Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x950b550
Wed Sep 28 07:50:45 2005 : rlm_perl:
rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x950b550
returned status 0
Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x9565480
Wed Sep 28 07:50:45 2005 : rlm_perl:
rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x9565480
returned status 0
Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x95bf180
Wed Sep 28 07:50:45 2005 : rlm_perl:
rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x95bf180
returned status 0
Wed Sep 28 07:50:45 2005 : rlm_perl:
rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:48 2005 : Info: rlm_sql (sql): Driver
rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Wed Sep 28 07:50:48 2005 : Info: rlm_sql (sql):
Attempting to connect to [EMAIL PROTECTED]:/radius
Wed Sep 28 07:50:48 2005 : Info: rlm_sql_mysql:
Starting connect to MySQL server for #0
Wed Sep 28 07:50:48 2005 : Info: rlm_sql_mysql:
Starting connect to MySQL server for #1
=


I AM REALLY SORRY FOR BIG THREAD.



Yours,
Abdul Lateef
Computer Programmer
HATIF COM
Mob: +974 - 5405022
Tel: +974 - 4883068
ICQ: 276994704
YM!: abdul_zu
Fax: +974 - 4883063
Doha Qatar
http://www.hatif.com





Re: Rejected proxy requests not making it to the client

2013-07-02 Thread Ti Leggett
I'm not sure how the script could be blocking the server after it has already 
run and returned the updated packet so the proxying can take place, which does 
happen:

• rlm_perl: Changing User-Name: legg...@yubiauth.mcs.example.com
• rlm_perl: Added pair NAS-Port-Type = Virtual
• rlm_perl: Added pair Service-Type = Authenticate-Only
• rlm_perl: Added pair Auth-Type = System
• rlm_perl: Added pair Calling-Station-Id = client.mcs.example.com
• rlm_perl: Added pair User-Name = legg...@yubiauth.mcs.example.com
• rlm_perl: Added pair User-Password = 654321
• rlm_perl: Added pair NAS-Identifier = sshd
• rlm_perl: Added pair Stripped-User-Name = leggett
• rlm_perl: Added pair NAS-IP-Address = 192.168.6.203
• rlm_perl: Added pair NAS-Port = 32448
• rlm_perl: Added pair Ldap-UserDn = 
uid=leggett,ou=people,dc=mcs,dc=example,dc=com
• Cached username is legg...@yubiauth.mcs.example.com, list username 
is legg...@yubiauth.mcs.example.com
• ++[get_domain] returns updated
• [suffix] Looking up realm yubiauth.mcs.example.com for User-Name = 
legg...@yubiauth.mcs.example.com
• [suffix] Found realm yubiauth.mcs.example.com
• [suffix] Adding Stripped-User-Name = leggett
• [suffix] Adding Realm = yubiauth.mcs.example.com
• [suffix] Proxying request from user leggett to realm 
yubiauth.mcs.example.com
• [suffix] Preparing to proxy authentication request to realm 
yubiauth.mcs.example.com
• Cached username is leggett, list username is 
legg...@yubiauth.mcs.example.com
• ++[suffix] returns updated

The request packet then gets proxied off, comes back and this script is never 
called again. The same script gets called the same way on successful requests 
and this script is only called in the authorize phase. I've also tested that 
when one of the failure cases is reached (return RLM_MODULE_FAIL) that a fail 
packet is sent back to the client and no proxying ever takes place which is 
what I would expect.

The script is at http://pastebin.com/gB91jj8W.

On Jul 2, 2013, at 12:20 PM, Alan DeKok al...@deployingradius.com wrote:

 Ti Leggett wrote:
 Tue Jul  2 10:39:04 2013 : Error: WARNING: Unresponsive child for request 0, 
 in component core module thread
 
  Fix your scripts so that they don't block the server.
 
 The upstream server does get the request, send the reject back to the proxy 
 and the proxy receives the reject but doesn't seem to send the reject back 
 to the client. When the user types the password successfully everything 
 works fine - the client gets an OK and none of the hung request errors show 
 up.
 
  The default configuration doesn't have this issue.  Access-Requests
 can be proxied.  Access-Rejects can be returned through a proxy to a client.
 
 A debug log of one of these failed sessions is at 
 http://pastebin.com/8n7snaBV. Any ideas what might be going on?
 
  The debug log shows nothing interesting.
 
  The most probable issue is that your scripts are blocking the server.
 Fix that.
 
  You can verify this by configuring a test system *without* your
 scripts.  Or a test user, which bypasses the scripts.  It will work.
 
  Alan DeKok.



Problem with PAP authentication on freeradius-3.0.0

2013-05-16 Thread BALSIANOK, Peter
Hi,

I have a problem with PAP authentication on freeradius-3.0.0, but on 
freeradius-2.2.1 everything works correctly. Could you please help me, thx.

Debug output for freeradius-3.0.0:
radiusd@tdrad1test:/storage/app/radius/raddb/auth-new$ 
/storage/app/radius/freeradius-3.0.0/sbin/radiusd -X -d 
/storage/app/radius/raddb/auth-new
radiusd: FreeRADIUS Version 3.0.0, for host x86_64-unknown-linux-gnu, built on 
May 14 2013 at 16:22:54
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
...
Listening on proxy address * port 0
Listening on auth address * port 1812 as server default
Listening on auth address * port 1645 as server default
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 50633, id=15, 
length=115
NAS-Port-Type = Virtual
Service-Type = Framed-User
Calling-Station-Id = 421905012405
Called-Station-Id = l2tp.vps
Framed-Protocol = PPP
User-Name = l...@radiustest.sk
User-Password = l2tp
Connect-Info = 864
NAS-IP-Address = 213.151.234.114
(0) # Executing section authorize from file 
/storage/app/radius/raddb/auth-new/sites-enabled/default
(0)   group authorize {
(0)  - entering group authorize {...}
(0)   [chap] = noop
(0) suffix : Looking up realm radiustest.sk for User-Name = 
l...@radiustest.sk
(0) suffix : Found realm DEFAULT
(0) suffix : Adding Stripped-User-Name = l2tp
(0) suffix : Adding Realm = DEFAULT
(0) suffix : Authentication realm is LOCAL.
(0)   [suffix] = ok
rlm_perl: Added pair NAS-Port-Type = Virtual
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Called-Station-Id = l2tp.vps
rlm_perl: Added pair Calling-Station-Id = 421905012405
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = l...@radiustest.sk
rlm_perl: Added pair User-Password = l2tp
rlm_perl: Added pair Connect-Info = 864
rlm_perl: Added pair Realm = DEFAULT
rlm_perl: Added pair Stripped-User-Name = l2tp
rlm_perl: Added pair NAS-IP-Address = 213.151.234.114
rlm_perl: Added pair Current-Time = 1368711260
rlm_perl: Added pair Password-With-Header = 
{SSHA}cAgh2LCe5649EzEAbc+nAfIOvOyOJSmU+sKiPA==
rlm_perl: Added pair VPDN_SERVICE_ID = User-GPRS-L2TP
(0)   [perl] = ok
(0)   [pap] = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file 
/storage/app/radius/raddb/auth-new/sites-enabled/default
(0)   group PAP {
(0)  - entering group PAP {...}
(0) pap : login attempt with password l2tp
(0) pap : Using SSHA encryption.
(0) ERROR: pap : SSHA password check failed
(0) pap : Passwords don't match
(0)   [pap] = reject
(0) Failed to authenticate the user.
(0) Login incorrect (pap: SSHA password check failed): 
[l...@radiustest.sk/l2tp] (from client localhost port 0 cli 421905012405)

Debug output for freeradius-2.2.1:
radiusd@tdrad1test:/storage/app/radius/raddb/auth$ 
/storage/app/radius/freeradius/sbin/radiusd -X -d /storage/app/radius/raddb/auth
radiusd: FreeRADIUS Version 2.2.1, for host x86_64-unknown-linux-gnu, built on 
May  2 2013 at 09:22:02
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
...
Listening on authentication address * port 1812
Listening on authentication address * port 1645
Listening on proxy address * port 37677
Listening on command file ../../log/radius/radius_auth.sock
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57436, id=196, 
length=115
NAS-Port-Type = Virtual
Service-Type = Framed-User
Calling-Station-Id = 421905012405
Called-Station-Id = l2tp.vps
Framed-Protocol = PPP
User-Name = l...@radiustest.sk
User-Password = l2tp
Connect-Info = 864
NAS-IP-Address = 213.151.234.114
# Executing section authorize from file 
/storage/app/radius/raddb/auth/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] Looking up realm radiustest.sk for User-Name = l...@radiustest.sk
[suffix] Found realm DEFAULT
[suffix] Adding Stripped-User-Name = l2tp
[suffix] Adding Realm = DEFAULT
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[files] returns noop
rlm_perl: Added pair NAS-Port-Type = Virtual
rlm_perl: Added pair

Re: Separate rlm_perl in each virtual server

2011-01-29 Thread Alan DeKok
Alexander Shikoff wrote:
 Now radiusd receives a DHCP packet and:
 
 Received DHCP-Discover of id fcb1c6c0 from 193.200.84.232:67 to 
 193.200.85.245:67
 [...]
 server dhcp {
 Trying sub-section dhcp DHCP-Discover {...}
 +- entering group DHCP-Discover {...}
 rlm_perl: -authorization.pl- : post_auth
 ^^^

  Post *all* of the debug output.  You've deleted the pieces which can
help solve the problem.

  Alan DeKok.


rlm_perl radiusd::radlog $type codes

2011-11-24 Thread Edgar Fuß
The rlm_perl Documentation (in the Wiki) lists the $type values for 
radiusd::radlog($type, $message) as
0 - Debug
1 - Auth
2 - Proxy
3 - Info
4 - Error
while include/radiusd.h says
#define L_DBG   1
#define L_AUTH  2
#define L_INFO  3
#define L_ERR   4
#define L_PROXY 5
#define L_ACCT  6
#define L_CONS  128
and I can see no translation in src/modules/rlm_perl.c. Am I missing something 
or is this a documentation error?


Re: rlm_perl DEBUG log with garbage output

2007-01-26 Thread Alan DeKok
Bjørn Mork wrote:
 Try this patch:

  Looking at the code, it appears the strncpy is even more wrong than
just adding +1.  I've committed a different fix which should avoid
other errors (like potential buffer overflows with data taken from
rlm_perl).

  It's only exploitable by people who can control the Perl scripts that
the server runs, so it's not a real problem.  But it should be fixed.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius not working in normal mode but working in debug mode

2013-02-11 Thread Nandkumar Palkar
Hello,

Please see the debug log: (log output from command  freeradius  -fxx -l 
stdout) and with freeradius -X it works fine.

My issue is that in debug mode (freeradius -X) the authentication works great, 
but once I try normal mode it doesn't. I have checked all the permissions; all 
are correct.

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.99 port 5, id=24, 
length=177
Threads: total/active/spare threads = 5/0/5
Waking up in 0.9 seconds.
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
        User-Name = TEST.COM\\user1
        Calling-Station-Id = 005e5523
        EAP-Message = 
0x023f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467
        Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8
[thread] # Executing section authorize from file 
/etc/freeradius/sites-enabled/default
[thread] +- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = TEST.COM\user1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm TEST.COM for User-Name = TEST.COM\user1
[ntdomain] No such realm TEST.COM
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_perl: Added pair User-Name = TEST.COM\\user1
rlm_perl: Added pair EAP-Message = 
0x023f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 192.168.1.99
rlm_perl: Added pair Calling-Station-Id = 005e5523
rlm_perl: Added pair Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
[files] users: Matched entry DEFAULT at line 147
++[files] returns ok
[ldap] performing user authorization for TEST.COM\user1
[ldap]  expand: (uid=%{mschap:User-Name:-%{User-Name}}) - (uid=user1)
[ldap]  expand: dc=example,dc=com - dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 192.168.1.120:389, authentication 0
  [ldap] bind as cn=admin,dc=example,dc=com/yubico to 192.168.1.120:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=example,dc=com, with filter (uid=user1)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword - Cleartext-Password == yubico
  [ldap] userPassword - Password-With-Header == yubico
[ldap] looking for reply items in directory...
[ldap] user TEST.COM\user1 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] Config already contains known good password.  Ignoring 
Password-With-Header
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group EAP {...}
rlm_perl: Added pair User-Name = TEST.COM\\user1
rlm_perl: Added pair EAP-Message = 
0x023f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467
rlm_perl: Added pair Calling-Station-Id = 005e5523
rlm_perl: Added pair NAS-IP-Address = 192.168.1.99
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8
rlm_perl: Added pair Cleartext-Password = yubico
rlm_perl: Added pair Password-With-Header = yubico
rlm_perl: Added pair Ldap-UserDn = uid=user1,ou=people,dc=example,dc=com
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns noop
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 24 to 192.168.1.99 port 5
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x
        State = 0x122bbc42122aa5a2412bf0f529fb8dfe
Finished request 0.
Going to the next request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.1.99 port 5, id=25, 
length=348
Waking up in 0.9 seconds.
Thread 4 got semaphore
Thread 4 handling request 1, (1 handled so far)
        User-Name = TEST.COM\\user1
        Calling-Station-Id = 005e5523
        EAP-Message = 
0x020100d8190016030100cd01c9030151189e9c9fbe653e32873d8edf71da69da00c2f53aba302ad4fd7b82cc7df16d5cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040

Re: rlm_perl authorize

2004-02-17 Thread Jeff Warnica

Authorize and authentication are two separate and distinct things. You
notice that in the users file, either explicitly, or through a default,
an Auth-Type is set. Always. If you want to have only your perl module
handle authorization, then it also must set an Auth-Type. Mind you, the
chap/mschap/eap modules work, so you might as well let them take care of
setting an Auth-Type for things they handle, and you only worry about
everything else.

On Tue, 2004-02-17 at 03:41, loz wrote:
 Hi All,
 
 I'm trying to authorize a user by using the rlm_perl module only. I.e., I
 only want the perl script to control the authorization.
 
 In radiusd.conf I have set:
 proxy_requests = no
 and in the authorize part the files statement is commented (otherwise
 freeradius will look at the file 'users' for authentication). In the
 authorize method of my perl script it simply returns RLM_MODULE_OK (to
 test).
 
 When I then send a radius request the authorize failed because of No
 authenticate method (Auth-Type) configuration found for the request:
 Rejecting the user. See below for a complete debug output. Can anyone
 explain why I get this error, and how to fix it?
 
 thanks,
 loz
 
 
 rad_recv: Access-Request packet from host 127.0.0.1:1091, id=20, length=124
 User-Name = [EMAIL PROTECTED]
 User-Password = testpwd
 NAS-Identifier = starbuster.xxx.net
 NAS-Port-Id = 444
 Acct-Session-Id = 1234567
 Acct-Status-Type = Accounting-On
 WISPr-Location-Name = testlocation
 modcall: entering group authorize
   modcall[authorize]: module preprocess returns ok
   modcall[authorize]: module chap returns noop
 rlm_eap: EAP-Message not found
   modcall[authorize]: module eap returns noop
 rlm_realm: Looking up realm my_realm for User-Name =
 [EMAIL PROTECTED]
 rlm_realm: No such realm my_realm
   modcall[authorize]: module suffix returns noop
   modcall[authorize]: module mschap returns noop
 perl_pool: item 0x8117540 asigned new request. Handled so far: 1
 found interpetator at address 0x8117540
 rlm_perl: Added pair h323-credit-amount = 100
 rlm_perl: Added pair Acct-Session-Id = 1234567
 rlm_perl: Added pair Client-IP-Address = 127.0.0.1
 rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
 rlm_perl: Added pair User-Password = testpwd
 rlm_perl: Added pair NAS-Identifier = starbuster.xxx.net
 rlm_perl: Added pair Acct-Status-Type = Accounting-On
 rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
 rlm_perl: Added pair NAS-Port-Id = 444
 rlm_perl: Added pair WISPr-Location-Name = testlocation
 perl_pool total/active/spare [5/0/5]
 Unreserve perl at address 0x8117540
   modcall[authorize]: module perl returns ok
 modcall: group authorize returns ok
 auth: No authenticate method (Auth-Type) configuration found for the
 request: Rejecting the user
 auth: Failed to validate the user.
 Delaying request 0 for 1 seconds
 Finished request 0
 Going to the next request
 
 
 
 
 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
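
One way to follow the advice in the reply above, as an added example that is not code from the thread or from the FreeRADIUS project: an rlm_perl script whose authorize sets Auth-Type itself only when chap, mschap or eap has not already chosen one. The %INHOUSE_USERS table and the selftest argument are assumptions made for the example, and it expects an `Auth-Type Perl { perl }` entry in the authenticate section of radiusd.conf.

```perl
#!/usr/bin/perl
# Added example: authorize/authenticate pair for rlm_perl that always leaves
# the request with an Auth-Type. Not taken from the thread or from FreeRADIUS.
use strict;
use warnings;

# Hashes that rlm_perl shares with the script.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Module return codes, as defined in the example.pl shipped with FreeRADIUS.
use constant {
    RLM_MODULE_REJECT   => 0,
    RLM_MODULE_FAIL     => 1,
    RLM_MODULE_OK       => 2,
    RLM_MODULE_HANDLED  => 3,
    RLM_MODULE_INVALID  => 4,
    RLM_MODULE_USERLOCK => 5,
    RLM_MODULE_NOTFOUND => 6,
    RLM_MODULE_NOOP     => 7,
    RLM_MODULE_UPDATED  => 8,
};

# Constructed stand-in for the in-house user store (hypothetical data).
my %INHOUSE_USERS = ( 'testuser' => 'testpwd' );

sub authorize {
    # chap, mschap or eap ran earlier and already picked an Auth-Type:
    # let that module do the authentication.
    return RLM_MODULE_NOOP if defined $RAD_CHECK{'Auth-Type'};

    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOTFOUND
        unless defined $user && exists $INHOUSE_USERS{$user};

    # Nobody else claimed the request, so route it to "Auth-Type Perl".
    # Without this the server rejects with "No authenticate method
    # (Auth-Type) configuration found for the request".
    $RAD_CHECK{'Auth-Type'} = 'Perl';
    return RLM_MODULE_UPDATED;
}

sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'};
    my $pass = $RAD_REQUEST{'User-Password'};   # only present for PAP

    if (   defined $user
        && defined $pass
        && exists $INHOUSE_USERS{$user}
        && $INHOUSE_USERS{$user} eq $pass)
    {
        return RLM_MODULE_OK;
    }

    $RAD_REPLY{'Reply-Message'} = 'Denied access';
    return RLM_MODULE_REJECT;
}

# Offline check with constructed requests: perl thisfile.pl selftest
# (inside the server, rlm_perl fills the three hashes itself).
if (@ARGV && $ARGV[0] eq 'selftest') {
    my @cases = (
        [ 'PAP, known user',
          { 'User-Name' => 'testuser', 'User-Password' => 'testpwd' }, {} ],
        [ 'PAP, wrong password',
          { 'User-Name' => 'testuser', 'User-Password' => 'wrong' }, {} ],
        [ 'MS-CHAP, Auth-Type set by mschap',
          { 'User-Name' => 'testuser' }, { 'Auth-Type' => 'MS-CHAP' } ],
        [ 'unknown user',
          { 'User-Name' => 'nobody', 'User-Password' => 'x' }, {} ],
    );

    for my $case (@cases) {
        my ($label, $request, $check) = @$case;
        %RAD_REQUEST = %$request;
        %RAD_CHECK   = %$check;
        %RAD_REPLY   = ();

        my $rc        = authorize();
        my $auth_type = $RAD_CHECK{'Auth-Type'} // '(unset)';
        # authenticate() is only reached when the request was routed to Perl.
        my $verdict   = $auth_type eq 'Perl' ? authenticate() : 'n/a';

        print "$label: authorize=$rc Auth-Type=$auth_type authenticate=$verdict\n";
    }
}
```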


Re: Need help: login incorrect with FR 2.2.1

2013-05-16 Thread Fajar A. Nugraha
On Fri, May 17, 2013 at 2:09 AM, Wang, Yu ywan...@fsu.edu wrote:

 Hello,



 I upgraded FR from 2.1.10 to 2.2.1. Everything went well except about 25% of 
 our wireless users cannot authenticate after the upgrade. The backend 
 authentication server is Active Directory and we use ntlm_auth from winbind 
 to pass MSCHAPv2 response from FR to AD.

 rlm_perl: Added pair NT-Password = 
 0x33343133344331374133364243314244413638324232323239443431

 [pap] Normalizing NT-Password from hex encoding


Just curious. Do ALL the failed users have the NT-Password attribute
added by rlm_perl?

IIRC the reason for using ntlm_auth is that AD would NOT give out
NT-Password when running in LDAP mode. Or to put it another way, if
you had access to NT-Password (e.g. stored in another database,
whatever), then you won't need ntlm_auth at all.

If you DO use ntlm_auth (which I don't see from the debug log), try
removing NT-Password from the list of attributes added by rlm_perl. My
guess is whatever your rlm_perl data source is out of sync with your
AD.

-- 
Fajar


rlm_perl and proxy

2006-08-22 Thread Pshem Kowalczyk

Hi,

I'm trying to implement proxy using rlm_perl, I've applied the patch
that should allow me to modify the attributes, but it doesn't seem to
work. (freeradius 1.1.2)

Perl code:

# Function to handle pre_proxy
sub pre_proxy {

   radiusd::radlog(1, "entering pre-proxy");

   # Attribute value plus the operator to apply to it
   my %hash = ();

   $hash{'User-Name'} = "testuser";
   $hash{'Operator'} = ":=";
   $RAD_REPLY{'User-Name'} = \%hash;

   return RLM_MODULE_UPDATED;
}

# Function to handle post_proxy
sub post_proxy {

   radiusd::radlog(1, "entering post-proxy");

   # Attribute value plus the operator to apply to it
   my %hash = ();
   $hash{'Framed-IP-Address'} = "10.10.1.1";
   $hash{'Operator'} = ":=";
   $RAD_REPLY{'Framed-IP-Address'} = \%hash;

   return RLM_MODULE_UPDATED;
}


and then debug from radius:

rad_recv: Access-Request packet from host 127.0.0.1:32777, id=31, length=219
   User-Password = password
   User-Name = [EMAIL PROTECTED]
   Acct-Session-Id = erx atm 8/0.16901030:169.1030:0239293057
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Connect-Info = speed:UBR
   NAS-Port-Type = xDSL
   NAS-Port = 1084818438
   NAS-Port-Id = atm 8/0.16901030:169.1030
   NAS-IP-Address = 10.10.1.2
   NAS-Identifier = CH_RAN_11
   ERX-Qos-Profile-Name = qos-3584k_shape
   ERX-Ingress-Policy-Name = 128k_rate
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
   rlm_realm: Looking up realm somwhere.com for User-Name =
[EMAIL PROTECTED]
   rlm_realm: Found realm DEFAULT
   rlm_realm: Adding Stripped-User-Name = test1
   rlm_realm: Proxying request from user test1 to realm DEFAULT
   rlm_realm: Adding Realm = DEFAULT
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 1
perl_pool: item 0x81fc008 asigned new request. Handled so far: 2
found interpetator at address 0x81fc008
rlm_perl: Added pair REALM = somwhere.com
rlm_perl: Added pair Proxy-To-Realm = quik
rlm_perl: Added pair Stripped-User-Name = test1
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x81fc008
 modcall[authorize]: module perl returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
 Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 1
perl_pool: item 0x85ea2a8 asigned new request. Handled so far: 2
found interpetator at address 0x85ea2a8
rlm_perl: entering pre-proxy
rlm_perl: Added pair User-Name = testuser
rlm_perl: Added pair Realm = somwhere.com
rlm_perl: Added pair Stripped-User-Name = test1
rlm_perl: Added pair Proxy-To-Realm = quik
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x85ea2a8
 modcall[pre-proxy]: module perl returns updated for request 1
modcall: leaving group pre-proxy (returns updated) for request 1


As you can see it modified the User-Name attribute (at least it claims
it did), but:

Sending Access-Request of id 1 to 10.10.12.103 port 1812
   User-Password = password
   User-Name = test1
   Acct-Session-Id = erx atm 8/0.16901030:169.1030:0239293057
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Connect-Info = speed:UBR
   NAS-Port-Type = xDSL
   NAS-Port = 1084818438
   NAS-Port-Id = atm 8/0.16901030:169.1030
   NAS-IP-Address = 10.10.1.2
   NAS-Identifier = CH_RAN_11
   ERX-Qos-Profile-Name = qos-3584k_shape
   ERX-Ingress-Policy-Name = 128k_rate
   Proxy-State = 0x3331


It doesn't send it, what's more:

rad_recv: Access-Accept packet from host 10.10.12.103:1812, id=1, length=30
   Framed-IP-Address = 192.168.1.65
   Proxy-State = 0x3331
 Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 1
perl_pool: item 0x89bb2e0 asigned new request. Handled so far: 2
found interpetator at address 0x89bb2e0
rlm_perl: entering post-proxy
rlm_perl: Added pair Framed-IP-Address = 10.10.1.1
rlm_perl: Added pair Realm = somwhere.com
rlm_perl: Added pair Stripped-User-Name = test1
rlm_perl: Added pair Proxy-To-Realm = quik
rlm_perl: Added pair Proxy-State = 0x3331
rlm_perl: Added pair Framed-IP-Address = 192.168.1.65
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x89bb2e0
 modcall[post-proxy]: module perl returns updated for request 1
modcall: leaving group post-proxy (returns updated) for request 1
authorize: Skipping authorize in post-proxy stage
 rad_check_password:  Found Auth-Type
 rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 31 to 127.0.0.1 port 32777
   Framed-IP-Address := 10.10.1.1
   Framed-IP-Address = 192.168.1.65
Finished request 1


So in both cases it retained the original values of the attributes. How do
I fix this?

regards
pshemko


Re: Separate rlm_perl in each virtual server

2011-01-30 Thread Alexander Shikoff
On Sun, Jan 30, 2011 at 08:47:17AM +0100, Alan DeKok wrote:
 Alexander Shikoff wrote:
  Now radiusd receives a DHCP packet and:
  
  Received DHCP-Discover of id fcb1c6c0 from 193.200.84.232:67 to 
  193.200.85.245:67
  [...]
  server dhcp {
  Trying sub-section dhcp DHCP-Discover {...}
  +- entering group DHCP-Discover {...}
  rlm_perl: -authorization.pl- : post_auth
  ^^^
 
   Post *all* of the debug output.  You've deleted the pieces which can
 help solve the problem.



-- 
MINO-RIPE
FreeRADIUS Version 2.1.10, for host amd64-portbld-freebsd8.0, built on Nov  2 
2010 at 21:47:55
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file 
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/ISG_DHCP
including configuration file /usr/local/etc/raddb/modules/ISG_Auth
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/dhcp
including configuration file 
/usr/local/etc/raddb/sites-enabled/dhcp-authorization.conf
main {
user = freeradius
group = freeradius
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/local/lib/freeradius-2.1.10
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/local/sbin/checkrad
debug_level = 0
proxy_requests = no
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security

Re:Re Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

2008-05-06 Thread johnson elangbam
Good. Now you are getting Digest-Attributes. Now uncomment digest entry
in authorize section of default or whatever virtual server is processing
this.
Hi Kalik,
  As per your instruction I've uncommented all the digest entries
in the authorize and authenticate sections of the sites-enabled/default file,
unfortunately I still didn't get the values of these attributes in my perl
code to authenticate. I am confused about what I should emphasize, please help.


*I am submitting the complete radius log when it runs in debug mode before
authenticating a user here*

FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr  9 2008
at 21:42:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /usr/local/var
logdir = /usr/local/var/log/radius
libdir = /usr/local/lib
radacctdir = /usr/local/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /usr/local/var/run/radiusd/radiusd.pid
checkrad = /usr/local/sbin/checkrad
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
shortname = localhost
nastype = other
 }
 client 192.168.1.227 {
require_message_authenticator = no
secret = johnson
 }
radiusd:  Loading Realms and Home Servers 
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_perl
 Module: Instantiating perl
  perl {
module = /usr/local/etc/raddb/myperltemp.pl
func_authorize = authorize
func_authenticate = authenticate
func_accounting = accounting
func_preacct = preacct
func_checksimul = checksimul
func_detach = detach
func_xlat = xlat
func_pre_proxy = pre_proxy
func_post_proxy = post_proxy
func_post_auth = post_auth
  }
  perl {
max_clones = 32
start_clones = 32
min_spare_clones = 0
max_spare_clones = 32
cleanup_delay = 5
max_request_per_clone = 0
  }
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = auto
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_digest
 Module: Instantiating digest
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = /usr/local/etc/raddb/huntgroups
hints = /usr/local/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating

Re:Re Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

2008-05-06 Thread Ivan Kalik
1. First rule is to start with default configuration and then make
changes.

2. I don't see any modules running here  - only perl and preprocess. You
have obviously made major changes to the default configuration.

3. Go back to the default configuration uncomment digest entries and get
digest authentication working with an entry in users file:

http://wiki.freeradius.org/Digest

4. Once that is working add your perl module into the mix. As I said
before digest attributes might be in $RAD_CHECK rather than $RAD_REQUEST.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran,

  DEFAULT User-Name =~ ^v104([^@]+)
  User-Name := %{1}@V104.GMVL.DE

 Can you get some debug output or even just the value of the User-Name?
 It may just be the escaping is less crazy than it used to be.

username is: v104\Administrator but radius puts it internally as
v104\\Administrator.

This is what it looks like in 2.2.0:

rad_recv: Access-Request packet from host 10.104.1.0 port 54489, id=59, 
length=58
User-Name = v104\\Administrator
User-Password = Pa$$w0rd
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[control] returns notfound
[preprocess]expand: %{User-Name} - v104\Administrator
[preprocess]   hints: Matched DEFAULT at 1
[preprocess]expand: %{1}@V104.GMVL.DE - administra...@v104.gmvl.de
++[preprocess] returns ok
Found Auth-Type = perl
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
rlm_perl: Added pair User-Name = administra...@v104.gmvl.de
rlm_perl: Added pair User-Password = Pa$$w0rd
rlm_perl: Added pair NAS-IP-Address = 10.104.1.0
rlm_perl: Added pair Reply-Message = Enter SMS one time password
rlm_perl: Added pair State = 72641523
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = perl

 No. That just means you don't have a reject {} section in Post-Auth,
 it has nothing to do with the perl module.

I see, I'll try that and report back.

 Can you provide a backtrace please? I'll see if I can fix it.

I'll do that.

I found another small bug in the debian packages generated by
debian/rules binary in the 2.2.0 release:

Initscript puts pid file in /var/run/freeradius

But Freeradius wants to put it in /var/run/radius, so it does not start:

Sun Jul 21 19:36:34 2013 : Error: Failed creating PID file 
/var/run/radiusd/radiusd.pid: No such file or directory

Cheers,
Thomas


Re: debug only for rlm_xxx (rlm_perl)

2010-03-11 Thread bitte

It's a pity. OK.
How can I have a minimal logging to log ONLY
requests (i.e. rejects and accepts)?
Is there a way to do this?

Thanks for your reply in advance.

Tom.

On Thu, 11 Mar 2010 17:56:27 +0100, Alan DeKok al...@deployingradius.com
wrote:
 bi...@antworte.me wrote:
 is there an option in radiusd.conf how to enable debug logging only for
 several rlm_modules,
 e.g. I have rlm_perl and I only want debug messages for this.
 
   Not at this time.
 
   Alan DeKok.


confused by logging targets for rlm_perl

2012-02-21 Thread Olivier Bilodeau
Hi there!

It's been a while.. François turned out to be our official
freeradius-users correspondent lately ;)

So, I'm changing some things in our rlm_perl module and tried to make a
better use of the logging facilities provided by the freeradius core.

http://wiki.freeradius.org/Rlm_perl#Logging refers to:
0 - Debug
1 - Auth
2 - Proxy
3 - Info
4 - Error

However in practice my tests today revealed behavior that I would prefer
be clarified by one of the gurus here.

With file logging, auth = yes and sending messages with
radiusd::radlog() I found that:
Debug, Info and Error go to the radius.log file while Auth does not.

I haven't tried Proxy or Acct (which is available according to
src/main/log.c).

I expected Debug not to go out in radius.log and Auth to do so since I
specified Auth to yes in radiusd.conf.

With radius -X, as expected, I got everything.

Am I missing something here? Is this a bug or a feature(tm)?

Running freeradius 2.1.12.

Thanks,
-- 
Olivier Bilodeau
obilod...@inverse.ca  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)


Re: Packet-Original-Timestamp

2013-03-01 Thread Бен Томпсон
2013/3/1 Alan DeKok al...@deployingradius.com:
 Бен Томпсон wrote:
 I tried checking out the git master code, but it just hangs when
 calling rlm_perl. This is the last line I see when running in debug
 mode :-

 Fri Mar  1 12:46:49 2013 : Debug: (0)   modsingle[authorize]: calling
 perl (rlm_perl) for request 0

 I need rlm_perl as part of my setup...

 Is Packet-Original-Timestamp definitely not usable in v2.x?

   Don't ask leading questions like that.  It's rude.

   It is usable.  Arran said it was usable.  You were told this.

Hi Alan

I am sorry, it was not intended to be rude. I misread Arran's email,
and misunderstood what he told me.


   If you want to add Event-Timestamp, when it isn't already there, do:


if (!Event-Timestamp) {
    update request {
        Event-Timestamp := "%l"
    }
}

Many thanks, I will try this.

Ben

Re: static IP's with rlm_perl

2006-10-20 Thread Michael Gale

Hello,

No, that did not work, with the setting below the debug shows:

--snip--
.
rlm_perl: Added pair Framed-IP-Address = ��M
...
Sending Access-Accept of id 73 to 127.0.0.1 port 32813
Framed-IP-Address = 255.255.255.254

--snip--

Before, when I was setting it with a string, it looked fine in the logs:

--snip--

rlm_perl: Added pair Framed-IP-Address = 192.168.77.200
 (however it was not sent out)
...
Sending Access-Accept of id 71 to 127.0.0.1 port 32811
Framed-IP-Address = 255.255.255.254

--snip--

Thanks for the suggestion.

Michael

Garber, Neal wrote:

$RAD_REPLY{'Framed-IP-Address'} = '192.168.77.200';


See if the following helps:

use Socket;
.
.
.
$RAD_REPLY{'Framed-IP-Address'} = inet_aton('192.168.77.200');




--
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
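
Added example (not part of the thread and not FreeRADIUS code): inet_aton() returns the four packed bytes of the address rather than text. For 192.168.77.200 those bytes are c0 a8 4d c8, of which only 0x4d ('M') is printable, matching the garbled value in the debug line quoted above. The %RAD_REPLY hash below is a local stand-in so the script runs outside the server, and hex_bytes, as_logged, checked_ipv4 and set_framed_ip are hypothetical helper names.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Uses only core Perl (Socket).
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa);

# Stand-in for the hash rlm_perl shares with the script (assumption: declared
# here only so the example runs outside FreeRADIUS).
our %RAD_REPLY;

# Hex dump of a scalar, one pair of digits per byte.
sub hex_bytes {
    my ($value) = @_;
    return join ' ', map { sprintf '%02x', ord($_) } split //, $value;
}

# Approximation of what a text log can show: printable ASCII survives,
# every other byte is replaced with '?'.
sub as_logged {
    my ($value) = @_;
    (my $shown = $value) =~ s/[^\x20-\x7e]/?/g;
    return $shown;
}

# Accept only a dotted-quad IPv4 literal and return it in canonical text form.
# Returns undef for anything else. Checking first matters because inet_aton()
# also accepts host names and resolves them.
sub checked_ipv4 {
    my ($text) = @_;
    return unless defined $text;
    my @octets = $text =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/
        or return;
    return if grep { $_ > 255 } @octets;
    return join '.', map { $_ + 0 } @octets;
}

# Store a validated, printable address in the reply hash.
# Returns 1 when the value was stored, 0 when it was rejected.
sub set_framed_ip {
    my ($text) = @_;
    my $ip = checked_ipv4($text);
    return 0 unless defined $ip;
    $RAD_REPLY{'Framed-IP-Address'} = $ip;
    return 1;
}

unless (caller) {
    # The address from the thread, packed the way the suggested code packs it.
    my $packed = inet_aton('192.168.77.200');
    printf "packed length : %d bytes\n", length $packed;
    printf "packed hex    : %s\n", hex_bytes($packed);
    printf "as logged     : %s\n", as_logged($packed);
    printf "round trip    : %s\n", inet_ntoa($packed);

    # Constructed sample inputs: one valid literal, one out-of-range octet,
    # one host name that must not reach a resolver.
    for my $candidate ('192.168.77.200', '192.168.77.256', 'nas.example.invalid') {
        my $result = set_framed_ip($candidate)
            ? "set to $RAD_REPLY{'Framed-IP-Address'}"
            : 'rejected';
        printf "%-22s => %s\n", $candidate, $result;
    }
}
```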


RE: rlm_perl

2005-09-29 Thread Abdul Lateef
hi friends,

I am really sorry to post it again, because I still
did not find any reply to solve my problems.



--- Abdul Lateef [EMAIL PROTECTED] wrote:

 Hi,
 
 Thanks for your reply. I am going to post the
 debug logs here. From the log it seems rlm_perl is loaded
 successfully, but when I try to call the authorize
 and authenticate functions from example.pl, the
 functions are not called properly.
 
 Here is full configuration what i did to work with
 perl module.
 
 radreply table:
 ---
 123456Auth-Type   :=  perl
 ---
 
 radiusd.conf
 -
 modules area:
 
   perl {
   
 module = /usr/local/etc/example.pl
 func_accounting = accounting
 func_authenticate = authenticate
   func_authorize = authorize
 func_preacct = preacct
 func_checksimul = checksimul
 func_xlat = xlat
   }
 
 
 
 authorize {
   
   preprocess
   chap
   suffix
   perl
 }
 
 
 authenticate {
   
   Auth-Type Perl {
   perl
   }
 }
 -
 
 example.pl
 
 
 sub authorize {
return RLM_MODULE_OK;
 }
 
 
 sub authenticate {
   if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
     $RAD_REPLY{'Reply-Message'} = "Denied access";
     return RLM_MODULE_REJECT;
   } else {
     $RAD_REPLY{'h323-credit-time'} = "\"h323-credit-time=200\"";
     return RLM_MODULE_OK;
   }
 }
 
 
 
 
 Here is the Log:
 ===
 Wed Sep 28 07:50:45 2005 : Info: Detach perl
 0x93af7a0
 Wed Sep 28 07:50:45 2005 : rlm_perl:
 rlm_perl::Detaching. Reloading. Done.
 Wed Sep 28 07:50:45 2005 : Info: detach at 0x93af7a0
 returned status 0
 Wed Sep 28 07:50:45 2005 : Info: Detach perl
 0x94b0ec8
 Wed Sep 28 07:50:45 2005 : rlm_perl:
 rlm_perl::Detaching. Reloading. Done.
 Wed Sep 28 07:50:45 2005 : Info: detach at 0x94b0ec8
 returned status 0
 Wed Sep 28 07:50:45 2005 : Info: Detach perl
 0x950b550
 Wed Sep 28 07:50:45 2005 : rlm_perl:
 rlm_perl::Detaching. Reloading. Done.
 Wed Sep 28 07:50:45 2005 : Info: detach at 0x950b550
 returned status 0
 Wed Sep 28 07:50:45 2005 : Info: Detach perl
 0x9565480
 Wed Sep 28 07:50:45 2005 : rlm_perl:
 rlm_perl::Detaching. Reloading. Done.
 Wed Sep 28 07:50:45 2005 : Info: detach at 0x9565480
 returned status 0
 Wed Sep 28 07:50:45 2005 : Info: Detach perl
 0x95bf180
 Wed Sep 28 07:50:45 2005 : rlm_perl:
 rlm_perl::Detaching. Reloading. Done.
 Wed Sep 28 07:50:45 2005 : Info: detach at 0x95bf180
 returned status 0
 Wed Sep 28 07:50:45 2005 : rlm_perl:
 rlm_perl::Detaching. Reloading. Done.
 Wed Sep 28 07:50:48 2005 : Info: rlm_sql (sql):
 Driver
 rlm_sql_mysql (module rlm_sql_mysql) loaded and
 linked
 Wed Sep 28 07:50:48 2005 : Info: rlm_sql (sql):
 Attempting to connect to [EMAIL PROTECTED]:/radius
 Wed Sep 28 07:50:48 2005 : Info: rlm_sql_mysql:
 Starting connect to MySQL server for #0
 Wed Sep 28 07:50:48 2005 : Info: rlm_sql_mysql:
 Starting connect to MySQL server for #1
 =
 
 
 I AM REALLY SORRY FOR BIG THREAD.
 
 
 
 Yours,
 Abdul Lateef
 Computer Programmer
 HATIF COM
 Mob: +974 - 5405022
 Tel: +974 - 4883068
 ICQ: 276994704
 YM!: abdul_zu
 Fax: +974 - 4883063
 Doha Qatar
 http://www.hatif.com
 
 
   
 



Yours,
Abdul Lateef
Computer Programmer
HATIF COM
Mob: +974 - 5405022
Tel: +974 - 4883068
ICQ: 276994704
YM!: abdul_zu
Fax: +974 - 4883063
Doha Qatar
http://www.hatif.com





Re: debug only for rlm_xxx (rlm_perl)

2010-03-18 Thread bitte

Hi Doug,

I will try this.
But - without my patch, the compile goes OK.

Thanks 

Thomas.

On Wed, 17 Mar 2010 15:15:20 -0700, Doug Hardie bc...@lafn.org wrote:
 Only one of those errors references the code you added.  There should
have
 been a line in my earlier email like:
 
   struct stat sb;
 
 The other errors indicate a problem with the normal build includes.  How
 did you try and rebuild it?  I suspect there is a way to just rebuild
 rlm_perl, but I haven't tried to do that on version 2.  I suspect you
may
 need to rebuild the entire freeradius.
 



Re: missing rlm_perl.so in the built from src file

2011-09-30 Thread Arran Cudbard-Bell

 I built a fresh freeradius on an Ubuntu server from source files. When I add 
 the perl module and start freeradius in debug mode, it asks for 
 rlm_perl.so, which it cannot find. 
 It seems the Makefile does not create the shared lib file for the perl module. 
 Is there any change that should be made in the Makefile to create the rlm_perl.so file?
 

The configure script won't add the entries to the Makefile if it can't find the 
headers it needs to build rlm_perl. If you look in the output of './configure' 
you'll see a message like 'Failed to find headers, silently not building 
rlm_perl'.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Re: Fwd: rlm-perl lc usernames

2008-09-22 Thread tnt
Here is the debug using radtest
radtest RadUser [EMAIL PROTECTED] localhost 10 testing123

..
rlm_perl: RAD_REQUEST: User-Name = RadUser
..
rlm_perl: Added pair User-Name = raduser
..
Sending Access-Accept of id 225 to 127.0.0.1 port 38149
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 = 254

That worked out as expected. Probably something to do with username
format. Alan thinks that he found a bug:

http://lists.freeradius.org/pipermail/freeradius-users/2008-September/msg00543.html

Ivan Kalik
Kalik Informatika ISP



Re: Tagged attributes problem and rlm_perl in FreeRADIUS 2.1.4

2009-04-16 Thread Alan DeKok
Alexandr Kovalenko wrote:
 Then I have few questions:
 1. How could this be that it worked in 1.1.7 (but only 1st auth
 attempt, all further didn't, until restart)?

  shrug  Look at the code.  I don't want to debug it.

 2. Is there any work-in-progress project on adding support for tagged
 attributes in rlm_perl?

  Nope.  As always, patches are welcome.

 3. Is there any workaround to make it work?

  Edit the source code.

 4. Which of these modules: rlm_python, rlm_exec, rlm_anything other
 user programmable support tagged attributes?

  The python module looks like it should.

  Alan DeKok.


Re: Centos 5.3 problem

2009-04-23 Thread tnt
 I was running freeradius 2.0.5 on my Centos 5.2 server
 using rlm_perl. When I upgraded to 5.3 I get :

 rlm_perl: perl_parse failed: /billing/bin/billing.pl not found or has
 syntax errors.

 I googled it and found that this may be caused by libperl.so not being
 linked properly or Data::Dumper that needs to be recompiled. I have done
 everything that the mailing list suggested but the problem persists.


Debug billing.pl in the IDE (get something like EPIC). Trace it and you
should find exactly what's wrong.

Ivan Kalik
Kalik Informatika ISP



Re: rlm_perl authorize

2004-02-17 Thread Alan DeKok
loz [EMAIL PROTECTED] wrote:
 I'm trying to authorize a user by using the rlm_perl module only. I.e., I
 only want the perl script to control the authorization.

  That's nice.  How will the user be authenticated?

 and in the authorize part the files statement is commented (otherwise
 freeradius will look at the file 'users' for authentication).

  Nonsense.

 When I then send a radius request the authorize failed because of No
 authenticate method (Auth-Type) configuration found for the request:
 Rejecting the user. See below for a complete debug output. Can anyone
 explain why I get this error, and how to fix it?

  You tell the server how to authenticate the user.  See doc/aaa.txt
for background on what the server does.

  Alan DeKok.



Re: Multi-valued LDAP attribute

2012-05-02 Thread Adam Track
 In a continuation to my previous issue about how to reference an LDAP
 attribute in post-auth, I am now wondering how to iterate through a
 multi-valued attribute in a perl script I call from post-auth.  In the
 debug you can see all three values are returned:

  Multi-value attributes are an array in Perl.

 I'm no perl expert, but shouldn't I be able to reference all three
 values with $RAD_REPLY{'Person-Type'}?

  No.  That entry is an array.  You need @{$RAD_REPLY{'Person-Type'}},
 and then de-reference each entry from there.


I'm still having no luck trying to get all of the values off this multi-valued 
attribute.. I believe I've got the perl syntax correct but when I try to 
dereference @{$RAD_REPLY{'Person-Type'}} to check through all values, I get:

rlm_perl: perl_embed:: module = /etc/freeradius/groupcheck.pl , func = 
post_auth exit status= Can't use string (employee) as an ARRAY ref while 
strict refs in use at /etc/freeradius/groupcheck.pl line 112.

It appears as though $RAD_REPLY{'Person-Type'} is a string not an array.. if I 
ask for value, I get employee..  

But again, all three values are returned:

...
[ldap] looking for reply items in directory...
  [ldap] personType - Person-Type = employee
  [ldap] personType - Person-Type = fulltime
  [ldap] personType - Person-Type = it
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
[ldap] user atrack authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
...

I did notice the following in the post-auth debug:

...
rlm_perl: Added pair User-Name = atrack
rlm_perl: Added pair MS-MPPE-Recv-Key = 0xc8bf3146d6b3966f0838e304da9bf9d2
rlm_perl: Added pair Person-Type = employee
rlm_perl: Added pair EAP-Message = 0x03090004
rlm_perl: Added pair MS-MPPE-Send-Key = 0x46948d82b0b42f60dd31e93a0d643790
...

So, for Person-Type, only the one value, employee, is passed to the perl 
module?  Shouldn't there be another two lines of this for the other two values?

I (finally) upgraded to 2.1.12, with same results.  How can I get the other 
values? 

Or, is there a better way to do this?  

Thanks,

A.
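
Added example, not code from the thread: a post_auth handler that reads an attribute such as Person-Type whether rlm_perl hands it over as a plain string or as an array reference, which avoids the strict-refs error quoted above. The allowed value `it` and the reject-when-missing policy are assumptions, and the helper cannot recover values the server never passed to the script.

```perl
#!/usr/bin/perl
# Added example, not code from the thread.
use strict;
use warnings;

# rlm_perl populates these package hashes before it calls a handler.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes as listed in the example.pl excerpt quoted on this page.
use constant RLM_MODULE_REJECT => 0;
use constant RLM_MODULE_OK     => 2;

# Assumed policy: at least one Person-Type value must be in this set.
my %ALLOWED_TYPE = map { $_ => 1 } qw(it);

# Return every value of an attribute as a flat list, whether the hash
# holds a plain string (one value) or an array reference (several).
sub attr_values {
    my ($attrs, $name) = @_;
    my $value = $attrs->{$name};
    return ()      unless defined $value;
    return @$value if ref($value) eq 'ARRAY';
    return ()      if ref($value);    # unexpected reference type: ignore
    return ($value);
}

sub post_auth {
    my @types = attr_values(\%RAD_REPLY, 'Person-Type');
    # Fail closed: a missing attribute or no allowed value means reject.
    return RLM_MODULE_REJECT unless grep { $ALLOWED_TYPE{$_} } @types;
    return RLM_MODULE_OK;
}

# Constructed inputs covering the three shapes the handler can meet.
sub self_test {
    my @cases = (
        [ 'single string',   'employee',                 RLM_MODULE_REJECT ],
        [ 'array reference', [qw(employee fulltime it)], RLM_MODULE_OK ],
        [ 'attribute unset', undef,                      RLM_MODULE_REJECT ],
    );
    my $failures = 0;
    for my $case (@cases) {
        my ($label, $value, $want) = @$case;
        %RAD_REPLY = defined $value ? ('Person-Type' => $value) : ();
        my $got = post_auth();
        $failures++ if $got != $want;
        printf "%-16s values=[%s] returned %d (expected %d)\n",
            $label, join(',', attr_values(\%RAD_REPLY, 'Person-Type')),
            $got, $want;
    }
    return $failures;
}

# Runs only from the command line: perl groupcheck_example.pl --self-test
exit(self_test() ? 1 : 0) if @ARGV && $ARGV[0] eq '--self-test';
1;
```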

How to debug rlm_perl in multithread?

2010-08-23 Thread Eugen Konkov
HI, FreeRadius.

when run radiusd -X it works fine.
But when run in multithread (without -X) it core dump after ten or
twelve queries to radiusd.

please help any.

-- 
Eugen Konkov  mailto:kes-...@yandex.ru



Re: How to debug rlm_perl in multithread?

2010-08-24 Thread Alan DeKok
Eugen Konkov wrote:
 HI, FreeRadius.
 
 when run radiusd -X it works fine.
 But when run in multithread (without -X) it core dump after ten or
 twelve queries to radiusd.
 
 please help any.

  Read doc/bugs

  Alan DeKok.


Re: Migrating to threaded rlm_perl

2011-06-24 Thread Energ
Rolling back to Freeradius 2.1.10 solved problem with memory leaks. I did not
debug it, but it seems like accounting problem in 2.1.11.



Re: Migrating to threaded rlm_perl

2011-06-24 Thread Alan DeKok
Energ wrote:
 Rolling back to Freeradius 2.1.10 solved problem with memory leaks. I did not
 debug it, but it seems like accounting problem in 2.1.11.

  rlm_detail seems to have an issue.  Patch is in github, v2.1.x branch.

  Alan DeKok.


Re: post-auth problem

2004-07-22 Thread Alan DeKok
Andrea Gabellini [EMAIL PROTECTED] wrote:
 But If I reject the request via the rlm_perl module (returning 
 RLM_MODULE_REJECT) I can't see anything.
 
 In debug mode the server doesn't execute the post-auth module in such 
 situation.

  Try using the Post-Auth-Type Reject block in 1.0.0.

  Alan DeKok.



Re: Blank User-name attribute

2005-11-07 Thread Gustave Nylander
It looks like the %RAD_REQUEST hash is empty by the time you get to the 
authenticate function in the perl script. I've set up the 
log_request_attributes function for just standard output like thus:


sub log_request_attributes {
   print "### Request attributes debug ##\n";
   for (keys %RAD_REQUEST) {
   print "hello\n";
   ...

And in the debug output from the radiusd -X, you'll see this:

auth: type perl
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
perl_pool: item 0x9413670 asigned new request. Handled so far: 1
found interpetator at address 0x9413670
### Request attributes debug ##
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-Routing = Broadcast-Listen
rlm_perl: Added pair Framed-Protocol = PPP
...

You can see that we never get a 'hello', because it never enters the 
for loop in the log function since %RAD_REQUEST is empty.


I'm not sure what I've done to make it disappear. Thanks for the response!


Boyan Jordanov wrote:

On Sunday 06 November 2005 02:35, Gustave Nylander wrote:

I have freeradius 1.0.5 installed with the rlm_perl module, and the
trouble I'm having is that the user-name attribute is an empty string
within the 'authenticate' routine I have for the perl script.

Please see in example.pl that comes with 1.0.5 there is a function 
log_request_attributes. Call this function right after you enter your 
authenticate function, run radius in debug and send output.




Re: rlm_perl and accounting

2006-09-25 Thread Alan DeKok
Justin Church [EMAIL PROTECTED] wrote:
 Anything in this debug indicate why the server doesn't send 
 Accounting-Response?

  The server didn't log the accounting information anywhere, therefore
it's not safe to tell the NAS that the accounting information was
stored on the server.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST

2013-04-26 Thread A . L . M . Buxey
Hi,

  Thanks for the suggestion. I added log_request_attributes; in authorize 
  function and it already has sub log_request_attributes in the perl script. 
  When run FR in debug mode, the Aruba-Location-ID does present but when I 
  call $RAD_REQUEST{'Aruba-Location-Id'} from rlm_perl, it came up empty.

logs?

alan


rlm_eap: Identity does not match User-Name...

2007-12-12 Thread Michael Patzer
hi,

i found the same question and also this topic already on the
mailinglist,
but no solution which works for me. i'm already debugging this thing 
the whole day, without any solution.

i'm using 802.1x with 

clients: winXP sp2 

method: EAP-MSCHAPv2

server: 2.0.0-pre1


it works all fine, as long as i'm not supply any domain-name. if i
supply
a domain-name it immediately fails with

rlm_eap: Identity does not match User-Name, setting from EAP Identity.

could anybody help me with that?

and yes, there is no entry in users for EAP.

thx
michael


**
* DEBUG LOG
**

rad_recv: Access-Request packet from host 192.168.0.240 port 1645,
id=66, length=149
User-Name = DOMAINXYZ\\mipa
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-1A-E2-D8-3D-81
Calling-Station-Id = 00-80-C8-39-16-92
EAP-Message = 0x0202001601454e54455250524953455c7061747a6572
Message-Authenticator = 0xfe2f2b31d8a812b6338524fe5618414e
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-IP-Address = 192.168.0.240
  Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 22
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
  modcall[authorize]: module files returns noop for request 0
perl_pool: item 0x816a2d8 asigned new request. Handled so far: 1
found interpetator at address 0x816a2d8
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Calling-Station-Id = 00-80-C8-39-16-92
rlm_perl: Added pair Called-Station-Id = 00-1A-E2-D8-3D-81
rlm_perl: Added pair Message-Authenticator =
0xfe2f2b31d8a812b6338524fe5618414e
rlm_perl: Added pair User-Name = DOMAINXYZ\\mipa
rlm_perl: Added pair EAP-Message =
0x0202001601454e54455250524953455c7061747a6572
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 192.168.0.240
rlm_perl: Added pair NAS-Port = 50001
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair Auth-Type = EAP
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x816a2d8
  modcall[authorize]: module perl returns ok for request 0
  modcall[authorize]: module expiration returns noop for request 0
  modcall[authorize]: module logintime returns noop for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall:  entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
  Found Post-Auth-Type 
  Processing the post-auth section of radiusd.conf
modcall:  entering group REJECT for request 0
radius_xlat:  'DOMAINXYZ\\mipa'
 attr_filter: Matched entry DEFAULT at line 11
  modcall[post-auth]: module attr_filter.access_reject returns updated
for request 0
modcall: group REJECT returns updated for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 66 to 192.168.0.240 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 66 with timestamp 475edfcb
Nothing to do.  Sleeping until we see a request.
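
Added example, not part of the original post: the message in the log says the identity carried in the EAP-Response/Identity does not match User-Name, so decoding the EAP-Message hex from the debug output and comparing it byte for byte shows what the server had to compare. Reading the doubled backslash in the log as display escaping is an assumption, and the function names are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not code from the thread.
use strict;
use warnings;

# Decode the hex form of EAP-Message printed by radiusd -X and return the
# identity string of an EAP-Response/Identity; return nothing otherwise.
sub eap_identity {
    my ($hex) = @_;
    return unless defined $hex;
    (my $digits = $hex) =~ s/^0x//i;
    return unless $digits =~ /^(?:[0-9a-fA-F]{2})+$/;
    my $packet = pack('H*', $digits);
    return if length($packet) < 5;    # code, id, length (2 bytes), type
    my ($code, $id, $length, $type) = unpack('C C n C', $packet);
    return unless $code == 2 && $type == 1;    # Response / Identity
    # The length field covers the whole EAP packet and must fit the data.
    return if $length < 5 || $length > length($packet);
    return substr($packet, 5, $length - 5);
}

# Compare User-Name with the EAP identity and keep hex copies of both, so
# differences that are invisible in a terminal (tab, NUL, case) show up.
sub compare_identity {
    my ($user_name, $eap_hex) = @_;
    my $identity = eap_identity($eap_hex);
    return { match => 0, reason => 'not an EAP-Response/Identity' }
        unless defined $identity;
    return {
        match         => ($identity eq $user_name ? 1 : 0),
        identity      => $identity,
        identity_hex  => unpack('H*', $identity),
        user_name_hex => unpack('H*', $user_name),
    };
}

sub main {
    # Both values are copied from the debug log above.
    my $eap_message = '0x0202001601454e54455250524953455c7061747a6572';
    # In a single-quoted Perl string, \\ is one literal backslash.
    my $user_name   = 'DOMAINXYZ\\mipa';

    my $result = compare_identity($user_name, $eap_message);
    if (!exists $result->{identity}) {
        print "cannot compare: $result->{reason}\n";
        return 2;
    }
    printf "User-Name    : %s\n", $user_name;
    printf "  bytes      : %s\n", $result->{user_name_hex};
    printf "EAP identity : %s\n", $result->{identity};
    printf "  bytes      : %s\n", $result->{identity_hex};
    printf "match        : %s\n", $result->{match} ? 'yes' : 'no';
    return $result->{match} ? 0 : 1;
}

exit(main()) unless caller;
1;
```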




Freeradius AS DHCP + rlm_perl

2010-07-30 Thread Urazaev Vadim

Hi everybody.
FreeRadius ver. 2.1.10 from git
My problem is string :
===
++[perl] returns reject

from radiusd -X debug
The last strings in perl script that executed :
radiusd::radlog(L_ERR, " --- RLM_MODULE_OK ---" . RLM_MODULE_OK) 
if $DEBUG;

return RLM_MODULE_OK;

As you can see from output radiusd -X log message --- RLM_MODULE_OK ---
then I'm expected something like that
++[perl] returns ok
I think maybe it's because I'm using wrong return code
and tried to return 3 , but it didn't help.
Please give me advice.
Thanks.
radiusd -X output is :
FreeRADIUS Version 2.1.10, for host i386-unknown-freebsd7.2, built on 
Jul 30 2010 at 11:27:44

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file 
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login

including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file 
/usr/local/etc/raddb/sites-enabled/control-socket

including configuration file /usr/local/etc/raddb/sites-enabled/dhcp
main {
user = freeradius
group = freeradius
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /var
logdir = /var/log
libdir = /usr/local/lib/freeradius-2.1.9
radacctdir = /var/log/radacct
hostname_lookups

Re: Freeradius AS DHCP + rlm_perl

2010-07-30 Thread Urazaev Vadim

30.07.2010 19:03, Urazaev Vadim wrote:


RE: rlm_perl

2011-09-29 Thread Alex rsm

Hi Arran,

Thank you for the response.

I add perl in the sites-available/default file as follow:

authorize {
#
#  The preprocess module takes care of sanitizing some bizarre
#  attributes in the request, and turning them into attributes
#  which are more standard.
#
#  It takes care of processing the 'raddb/hints' and the
#  'raddb/huntgroups' files.
preprocess
   
   ldap
   perl
  .
}


And added the following into raddb/modules/perl file

perl {
module = path/example.pl
}  


And added the following in src/modules/rlm_perl/example.pl

sub authorize {
print "This is a TEST\n";
.
}


However, When I send a simple test request I don't see my debug line. I also 
don't see the message perl loaded when start Freeradius in debug mode 
(radiusd -X).

Am I missing anything?

I appreciate it.
ASM

From: a.cudba...@freeradius.org
Subject: Re: rlm_perl
Date: Thu, 29 Sep 2011 19:39:55 +0200
To: freeradius-users@lists.freeradius.org




On 29 Sep 2011, at 19:25, Alex rsm wrote:

Hi,

How can I configure Freeradius to call example.pl perl script in the rlm_perl 
module? i.e., I want the perl script to be called when Freeradius receives a 
request.


read/modify raddb/modules/perl and list perl in sites-available/default 
authorize {}


Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !






Re: debug only for rlm_xxx (rlm_perl)

2010-03-11 Thread Doug Hardie

On 11 March 2010, at 03:43, bi...@antworte.me bi...@antworte.me wrote:

 
 Hello list,
 
 is there an option in radiusd.conf how to enable debug logging only for
 several rlm_modules,
 e.g. I have rlm_perl and I only want debug messages for this.
 
 Thanks for your reply in advance.


It can be done via some modifications to the module source.  Here is the 
approach I use in my modules:

At the top of each function:

/* needs #include <sys/stat.h> at file scope */
int rdebug;
struct stat sb;

rdebug = !stat("/var/log/radacct/radius_debug", &sb);


Then after each DEBUG entry add:

if (rdebug) radlog(L_AUTH, "%s", auth_msg); 

Note the L_AUTH is the level, the auth_msg is the message in the DEBUG 
statement.  You can also add your own debugging that way that goes beyond that 
provided in the original module.

To turn on this debugging just touch the filename listed in the stat command 
above.  Debugging for that module will start.  Disable it by deleting that 
file.  You can change the file name to anything convenient for you.


Possible bug in rlm_perl

2009-04-20 Thread Josh Hiner
I think I may have found a bug in rlm_perl? I have written script with 
the aid of another freeradius list member that checks to see if a user 
is in a certain samba windows group. If they are not in the group (the 
wireless group) the module rejects the login. The module works perfectly 
except for those users whose usernames begin with a letter t. For 
instance ISD\josh will succeed but ISD\\ted will fail. I have done much 
testing and can't find my script to be the issue. Look below for debug 
output for the perl module.


Notice that right after the ++[files] line I print out the radius items 
for debugging. Notice the User-Name value is correct going into the perl 
script. Notice on the exit of the perl script on each debug that the 
username is correct. Then notice later in each debug where these lines are:

Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
but when the username begins with a t it fails here like this:
Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via 
TLS tunnel)

Notice only one backslash.

I have tried to make it succeed by adding backslashes (for users that 
start with t) but no success. It will do ISD\\\tbraun and ISD\tbraun but 
never ISD\\tbraun. Therefore, with users that start with t I always 
get User-name does not match eap identity failure.


Thanks for any help. At the very bottom after the debug output you will 
find my simple perl script that is well commented.


-Josh

--- Successful attempt 
++[files] returns noop
They key is User-Name and the value is ISD\\josh.They key is EAP-Message 
and the value is 0x020900061a03.They key is EAP-Type and the value is 
MS-CHAP-V2.They key is State and the value is 
0xfeecb38bffe5a965a0ca1cd92ce6c42b.They key is FreeRADIUS-Proxied-To and 
the value is 127.0.0.1.

rlm_perl: Added pair User-Name = ISD\josh
rlm_perl: Added pair EAP-Message = 0x020900061a03
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair State = 0xfeecb38bffe5a965a0ca1cd92ce6c42b
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
++[perl] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 2
   EAP-Message = 0x03090004
   Message-Authenticator = 0x
   User-Name = ISD\\josh
[peap] Got tunneled reply RADIUS code 2
   EAP-Message = 0x03090004
   Message-Authenticator = 0x
   User-Name = ISD\\josh
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
- End snip of successful attempt -

- Failed attempt from user whose username begins with a t  
(tbraun) -

++[files] returns noop
They key is User-Name and the value is ISD\\tbraun.They key is 
EAP-Message and the value is 0x0207000f014953445c74627261756e.They key 
is EAP-Type and the value is Identity.They key is FreeRADIUS-Proxied-To 
and the value is 127.0.0.1.rlm_perl: Added pair User-Name = ISD\tbraun

rlm_perl: Added pair EAP-Message = 0x0207000f014953445c74627261756e
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
++[perl] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via 
TLS tunnel)

} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
--- End of snip of failed attempt 

--- Begin paste of perl script --

#!/usr/bin/perl -w
use strict;
# use ...
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;

# This is hash which holds original request from radius
#my %RAD_REQUEST;
# In this hash you add values that will be returned to NAS.
#my %RAD_REPLY;
#This is for check items
#my %RAD_CHECK;

#
# This the remapping of return values
#
  use constant RLM_MODULE_REJECT => 0; #  /* immediately reject the request */
  use constant RLM_MODULE_FAIL   => 1; #  /* module failed, don't reply */
  use constant RLM_MODULE_OK     => 2; #  /* the module is OK, continue */
  use constant

Re: Possible bug in rlm_perl

2009-04-20 Thread Josh Hiner

Josh Hiner wrote:
I think I may have found a bug in rlm_perl? I have written script with 
the aid of another freeradius list member that checks to see if a user 
is in a certain samba windows group. If they are not in the group (the 
wireless group) the module rejects the login. The module works 
perfectly except for those users who's usernames begin with a letter 
t. For instance ISD\josh will succeed but ISD\\ted will fail. I have 
done much testing and cant find my script to be the issue. Look below 
for debug output for the perl module.


Notice that right after the ++[files] line I print out the radius 
items for debugging. Notice the User-Name value is correct going into 
the perl script. Notice on the exit of the perl script on each debug 
that the username is correct. Then notice later in each debug where 
these lines are:
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS 
tunnel)

but when the username begins with a t it fails here like this:
Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 
via TLS tunnel)

Notice only one backslash.

I have tried to make it succeed by adding backslashes (for users that 
start with t) but no success. It will do ISD\\\tbraun and ISD\tbraun 
but never ISD\\tbraun. Therefore, with users that start with t I 
always get User-name does not match eap identity failure.


Thanks for any help. At the very bottom after the debug output you 
will find my simple perl script that is well commented.


-Josh

--- Successful attempt 
++[files] returns noop
They key is User-Name and the value is ISD\\josh.They key is 
EAP-Message and the value is 0x020900061a03.They key is EAP-Type and 
the value is MS-CHAP-V2.They key is State and the value is 
0xfeecb38bffe5a965a0ca1cd92ce6c42b.They key is FreeRADIUS-Proxied-To 
and the value is 127.0.0.1.

rlm_perl: Added pair User-Name = ISD\josh
rlm_perl: Added pair EAP-Message = 0x020900061a03
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair State = 0xfeecb38bffe5a965a0ca1cd92ce6c42b
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
++[perl] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS 
tunnel)

} # server inner-tunnel
[peap] Got tunneled reply code 2
   EAP-Message = 0x03090004
   Message-Authenticator = 0x
   User-Name = ISD\\josh
[peap] Got tunneled reply RADIUS code 2
   EAP-Message = 0x03090004
   Message-Authenticator = 0x
   User-Name = ISD\\josh
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
- End snip of successful attempt -

- Failed attempt from user who's username begins with a t  
(tbraun) -

++[files] returns noop
They key is User-Name and the value is ISD\\tbraun.They key is 
EAP-Message and the value is 0x0207000f014953445c74627261756e.They key 
is EAP-Type and the value is Identity.They key is 
FreeRADIUS-Proxied-To and the value is 127.0.0.1.rlm_perl: Added pair 
User-Name = ISD\tbraun

rlm_perl: Added pair EAP-Message = 0x0207000f014953445c74627261756e
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
++[perl] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 
via TLS tunnel)

} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
--- End of snip of failed attempt 

--- Begin paste of perl script --

#!/usr/bin/perl -w
use strict;
# use ...
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;

# This is the hash which holds the original request from radius
#my %RAD_REQUEST;
# In this hash you add values that will be returned to NAS.
#my %RAD_REPLY;
# This is for check items
#my %RAD_CHECK;

#
# This is the remapping of return values
#
  use constant RLM_MODULE_REJECT => 0; # immediately reject the request
  use constant RLM_MODULE_FAIL   => 1; # module failed, don't reply
  use constant RLM_MODULE_OK     => 2; # the module is OK, continue
  use

RE: Rlm_perl causes segfault (want perl to rewrite attributes)

2005-02-12 Thread Dudley Atkinson
Yes, that helps exactly - thanks.

I also found a way to work around the problem without translation - by
having a multiple-entry DEFAULT line to direct each ssid to its own dbm
lookup table.  It took some re-reading of the rlm_dbm docs to figure out,
but it works... Although I now have three dbm files instead of 1.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Boian Jordanov
 Sent: Saturday, February 12, 2005 11:31 AM
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Rlm_perl causes segfault (want perl to rewrite 
 attributes)
 
 
 On Sat, Feb 12, 2005 at 01:02:34AM -0600, Dudley Atkinson wrote:
  I'd like to implement the rlm_perl to rewrite some 
 attributes, and I 
  get a segfault.  I've included the debug and the perl -VV so maybe 
  someone more knowledgeable can tell me why it fails (or 
 give me a good 
  pointer).
 
 
 First apply patches from bug 111 and 179 to fresh rlm_perl 
 taken from CVS
 
  Attr_rewrite won't work for this, because I want to change the 
  User-Name based on what the Cisco-AVPair is.  If attr_rewrite will 
  work for this situation, I'm all ears (or eyes as the case may be), 
  but I couldn't see how to do that from the faq/doc/googles.
 
 
 You can do this with attr_rewrite and perl xlat. 
 
 
 attr_rewrite test {
 attribute = User-Name
 # may be packet, reply, proxy, proxy_reply or config
 searchin = packet
 searchfor = \.*
 replacewith = %{perl:%{Cisco-AVPair[*]}}
 ignore_case = no
 new_attribute = no
 max_matches = 1
 ## If set to yes then the replace string will be appended to the original string
 append = no
 }
 
 
 in your perl script 
 
 sub xlat {
   @CiscoAVPair = @_;
   #some code here 
   return $username;
 }
 
 and put test (name of instance of attr_rewrite) in authorize section.
 
 I hope this will help.
 
 -- 
 Best Regards,
 Boian Jordanov
 SNE
 Orbitel - the Internet Company
 tel. +359 2 4004 723
 
 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_perl and empty user name variable

2005-10-26 Thread Gustave Nylander
I have freeradius 1.05 configured with rlm_perl to handle 
authentication, and the problem seems to be that the 
$RAD_REQUEST{'User-Name'} variable is an empty string within the perl 
script I have set up. The perl script is based on the example.pl script 
provided with freeradius.


My users file has one line: DEFAULT Auth-Type := Perl_Auth

The applicable sections of radiusd.conf are:

modules section:
perl {
  module = /home/rpm/test_rad.pl
  func_authenticate = authenticate
  func_authorize = authorize
  }


authorize {
  files
}

authenticate {
  Auth-Type Perl_Auth {
  perl
  }
}

The perl script itself has the variables toward the top uncommented, and 
the authenticate sub is:


sub authenticate {
    # For debugging purposes only
    &log_request_attributes;

    if ($RAD_REQUEST{'User-Name'} == "") {
        return RLM_MODULE_REJECT;
    }

    if ($RAD_REQUEST{'User-Name'} =~ /^fred/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    } else {
        # Accept user and set some attribute
        $RAD_REPLY{'h323-credit-amount'} = 100;
        return RLM_MODULE_OK;
    }
}

All authentication attempts get caught with the empty string check in 
the code above. Below is the radiusd debug:


rad_recv: Access-Request packet from host 127.0.0.1:43349, id=196, 
length=55

  User-Name = gus
  User-Password = 123
  NAS-IP-Address = 255.255.255.255
  NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  users: Matched entry DEFAULT at line 1
modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password:  Found Auth-Type Perl_Auth
auth: type Perl_Auth
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_perl: Added pair Auth-Type = Perl_Auth
modcall[authenticate]: module perl returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
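
The empty-string test in the authenticate sub above uses Perl's numeric `==`, which converts both operands to numbers before comparing, so a User-Name that does not begin with a digit compares equal to an empty string. The added example below is not part of the original post; the helper names and the sample User-Name values are constructed, and it puts that check beside a string comparison with `eq`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return codes as listed in rlm_perl's example.pl.
use constant RLM_MODULE_REJECT => 0;
use constant RLM_MODULE_OK     => 2;

# The check as posted: numeric equality against an empty string.
# Both sides are converted to numbers first, and a string with no
# leading digits converts to 0, the same as "".
sub posted_check {
    my ($name) = @_;
    no warnings 'numeric';    # the conversion normally warns; silenced for the demo
    return ($name == "") ? RLM_MODULE_REJECT : RLM_MODULE_OK;
}

# String-aware check: reject only a missing or zero-length name.
sub string_check {
    my ($name) = @_;
    return (!defined $name || $name eq "") ? RLM_MODULE_REJECT : RLM_MODULE_OK;
}

# Constructed sample User-Name values (hypothetical, not from the debug log).
my @names = ("gus", "fred", "0", "42abc", "");

for my $name (@names) {
    printf "%-8s posted_check=%d string_check=%d\n",
        "'$name'", posted_check($name), string_check($name);
}
```

Running the script under `perl -w` without the `no warnings 'numeric'` line makes Perl report each non-numeric operand, which is a quick way to spot this class of comparison in an authentication handler.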


Re: Freeradius AS DHCP + rlm_perl

2010-07-30 Thread John Dennis

On 07/30/2010 12:57 PM, Urazaev Vadim wrote:

 [16 pages of debug output snipped for brevity]


Sorry Guys for disturb you, problem was in eval{} block in my perl
script inside which command return always return reject code.
Anyway Thanks for all.


And for that I had to page through 16 pages of debug output?
Please have the courtesy to trim irrelevant material.

Thanks!

--
John Dennis jden...@redhat.com



MSCHAP Auth fails

2012-04-04 Thread Weber, Felix
Hello out there,

I'm testing the FreeRADIUS Version 2.1.12 module with AD integration
following the deployingradius.com guide.
Installed winbind and samba Version 3.6.3 and ntlm_auth tests are fine.
Now I'm testing with radtest while running radius in debug mode.
The following line has been added to users: 
DEFAULT Auth-Type = mschap

This is the output from radtest:
radtest -t mschap User001 USERPW localhost 0 s3cr3t
Sending Access-Request of id 61 to 127.0.0.1 port 1812
User-Name = User001
NAS-IP-Address = 172.16.28.168
NAS-Port = 0
Message-Authenticator = 0x
MS-CHAP-Challenge = 0x7e9462ca7fbf5d20
MS-CHAP-Response =
0x0001a42d3b5b243dede8b6
dc20fc78f0fdad458a494f649cca2b
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=61,
length=38
MS-CHAP-Error = \000E=691 R=1

And this from radiusd  -X:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 48471, id=105,
length=133
User-Name = User001
NAS-IP-Address = 172.16.28.168
NAS-Port = 0
Message-Authenticator = 0x5d1a20d2d2c7897d376d003f73153552
MS-CHAP-Challenge = 0x28d302e62ccf7399
MS-CHAP-Response =
0x0001f7b8cd66af90b5791f
b4b09421dbbf2cbed180e7e72304b5
server packetfence {
# Executing section authorize from file
/etc/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = User001, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair User-Name = User001
rlm_perl: Added pair MS-CHAP-Response =
0x0001f7b8cd66af90b5791f
b4b09421dbbf2cbed180e7e72304b5
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address = 172.16.28.168
rlm_perl: Added pair MS-CHAP-Challenge = 0x28d302e62ccf7399
rlm_perl: Added pair Message-Authenticator =
0x5d1a20d2d2c7897d376d003f73153552
rlm_perl: Added pair Auth-Type = MSCHAP
++[packetfence] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap]expand: %{Stripped-User-Name} -
[mschap]... expanding second conditional
[mschap]expand: %{mschap:User-Name:-None} - User001
[mschap]expand:
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} -
--username=User001
[mschap]  mschap1: 28
[mschap]expand: --challenge=%{mschap:Challenge:-00} -
--challenge=28d302e62ccf7399
[mschap]expand: #ntresponse=%{mschap:NT-Response:-00} -
#ntresponse=f7b8cd66af90b5791fb4b09421dbbf2cbed180e7e72304b5
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Logon failure
(0xc06d)): [User001] (from client 127.0.0.1 port 0)

The ntlm_auth is well configured in mschap module (--ntresponse)!
Thanks for helping.



Re: Freeradius not unescaping \ and

2010-09-03 Thread Murray Long
Ok, debug logs and config files are attached.

It looks like the problem could be with rlm_perl, as the proxying
happens correctly if we disable the perl module completely.
However, even with no logic happening in the perl script, additional
\'s are added to the attributes.

Please see the attached log of a login attempt for
Username: murray/A\
Password: A\

which is eventually proxied as
    User-Name = A
    User-Password = A

Thanks,
Murray

On Fri, Sep 3, 2010 at 3:33 PM, Alan DeKok al...@deployingradius.com wrote:

 Murray Long wrote:
  I am running the latest version provided by Ubuntu, 2.1.8+dfsg-1ubuntu1
  Is this not considered recent?
  I will try 2.1.9 from the freeradius site and see how that goes.

  Well.. it works in the current 2.1.x branch.

  How about posting debug logs?

  Alan DeKok.


perl_module.pm
Description: Perl program


radiusd.conf
Description: Binary data
FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan  5 2010 at 02:49:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
main {
	allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
	prefix = /usr
	localstatedir = /var
	logdir = /var/log/freeradius
	libdir = /usr/lib/freeradius
	radacctdir = /var/log/freeradius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = /var/run/freeradius/freeradius.pid
	checkrad = /usr/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
 log sectiong {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
	log_auth = no
	log_auth_badpass = no
	log_auth_goodpass = no
	log_stripped_names = no
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 realm murray {
	authhost = 10.0.0.101:1812
	accthost = 10.0.0.101:1813
	secret = secret
 }
 realm NULL {
 }
 realm default {
 }
 realm default {
 } # realm default
radiusd:  Loading Clients 
 client 0.0.0.0/0 {
	require_message_authenticator = no
	secret = secret
	shortname = swak
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = yes
	input_pairs = request
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_perl
 Module: Instantiating perl
  perl {
	module = /etc/freeradius/perl_module.pm
	func_authorize = authorize
	func_authenticate = authenticate
	func_accounting = accounting
	func_preacct = preacct
	func_checksimul = checksimul
	func_detach = detach
	func_xlat = xlat
	func_pre_proxy = pre_proxy
	func_post_proxy = post_proxy
	func_post_auth = post_auth
	func_recv_coa = recv_coa
	func_send_coa = send_coa
  }
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = crypt
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
	huntgroups = /etc/freeradius/huntgroups
	hints = /etc/freeradius/hints
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating realm_prefix
  realm realm_prefix {
	format = prefix
	delimiter = /
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
	detailfile = /var/log/freeradius/radacct/%{NAS-Identifier}/%Y-%m-%d
	header = %t
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
	key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
	type = auth
	ipaddr = *
	port = 1812
}
listen {
	type = acct
	ipaddr = *
	port = 1813
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Status-Server packet

Re: rlm_perl

2011-09-30 Thread Bjørn Mork
Alexander Clouter a...@digriz.org.uk writes:

 Alex rsm alex-...@hotmail.com wrote:
 
 And added the following in src/modules/rlm_perl/example.pl
 
 sub authorize {
     print "This is a TEST\n";
 .
 }

 However, When I send a simple test request I don't see my debug line. 
 I also don't see the message perl loaded when start Freeradius in 
 debug mode (radiusd -X).
 
 I am pretty sure stdout is not plumbed up for rlm_perl, and neither is 
 stderr so you will not see anything.

Oh, but they are.  At least in debug mode

I don't think Alex (the other one :-) really enabled the perl module. It
will NOT be silent in debug mode.

You should see something like this when the module is instantiated:

 Module: Linked to module rlm_perl
 Module: Instantiating module perl from file /etc/freeradius/modules/perl
  perl {
module = /etc/freeradius/example.pl
func_authorize = authorize
func_authenticate = authenticate
func_accounting = accounting
func_preacct = preacct
func_checksimul = checksimul
func_detach = detach
func_xlat = xlat
func_pre_proxy = pre_proxy
func_post_proxy = post_proxy
func_post_auth = post_auth
func_recv_coa = recv_coa
func_send_coa = send_coa
  }


And with the following /etc/freeradius/example.pl:

use constant RLM_MODULE_REJECT   => 0; # immediately reject the request
use constant RLM_MODULE_FAIL     => 1; # module failed, don't reply
use constant RLM_MODULE_OK       => 2; # the module is OK, continue
use constant RLM_MODULE_HANDLED  => 3; # the module handled the request, so stop
use constant RLM_MODULE_INVALID  => 4; # the module considers the request invalid
use constant RLM_MODULE_USERLOCK => 5; # reject the request (user is locked out)
use constant RLM_MODULE_NOTFOUND => 6; # user not found
use constant RLM_MODULE_NOOP     => 7; # module succeeded without doing anything
use constant RLM_MODULE_UPDATED  => 8; # OK (pairs modified)
use constant RLM_MODULE_NUMCODES => 9; # how many return codes there are

sub authorize {
    print "Here\n";
    return RLM_MODULE_NOOP;
}





I get:


rad_recv: Access-Request packet from host 127.0.0.1 port 41702, id=236, 
length=43
User-Name = foo
User-Password = bar
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = foo, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Here
rlm_perl: Added pair User-Name = foo
rlm_perl: Added pair User-Password = bar
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
++[perl] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the 
user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - foo
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 236 to 127.0.0.1 port 41702
Waking up in 4.9 seconds.
Cleaning up request 0 ID 236 with timestamp +132
Ready to process requests.




Note the "Here" right before the "rlm_perl:" debug lines.  That's the
perl script's stdout.  But there's no use looking for output from the perl
script if the rlm_perl module isn't loaded.


 Of course reading the documentation brings enlightenment in the form of 
 'radiusd::radlog(1, ...);'... :-/

Sure.  That's essential if you want to log something useful in
production mode.



Bjørn



AW: trigger an Access Challenge

2009-02-24 Thread Ronny Voigt
Sorry for sending this message twice, but I forgot the debug output.
---
Thanks for reply. But the client that I use, only supports PAP and CHAP 
requests and neither of them initiates the server to send an Access Challenge. 
That is why I tried to create the challenge with the help of the perl module. 
Then I realized that freeradius.net unfortunately doesn't include this module. 
After spending several hours in setting up a linux environment I'm in despair 
of this perl script. Perhaps somebody can tell me why it doesn't work!?

sub authenticate {
    # For debugging purposes only
    &log_request_attributes;

    if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    } else {
        # send the challenge
        $RAD_REPLY{'State'} = "challenge";
        $RAD_REPLY{'Reply-Message'} = "challenge: ";
        $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
        return RLM_MODULE_HANDLED;
    }
}

If I'm not completely wrong, it's the same that worked for this guy: 
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47425.html

But the server doesn't send the reply to the client (Timeout at clientside)

rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
User-Name = radius
NAS-IP-Address = 10.0.1.131
CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a
CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = radius, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry radius at line 52
modcall[authorize]: module files returns ok for request 0
perl_pool: item 0xb809a5f0 asigned new request. Handled so far: 1
found interpetator at address 0xb809a5f0
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0xb809a5f0
modcall[authorize]: module perl returns ok for request 0
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password:  Found Auth-Type Perl
auth: type Perl
Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 0
perl_pool: item 0xb8181050 asigned new request. Handled so far: 1
found interpetator at address 0xb8181050
rlm_perl: RAD_REQUEST: Client-IP-Address = 10.0.1.131
rlm_perl: RAD_REQUEST: CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455
rlm_perl: RAD_REQUEST: CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a
rlm_perl: RAD_REQUEST: User-Name = radius
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.0.1.131
rlm_perl: RAD_REPLY: Reply-Message = challenge:
rlm_perl: RAD_REPLY: User-Password = pass
rlm_perl: RAD_REPLY: State = challenge
rlm_perl: Added pair Reply-Message = challenge:
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0xb8181050
modcall[authenticate]: module perl returns handled for request 0
modcall: leaving group Perl (returns handled) for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
Discarding duplicate request from client localhost:57004 - ID: 7
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
Discarding duplicate request from client localhost:57004 - ID: 7
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 7 with timestamp 49a4220b
Nothing to do.  Sleeping until we see a request.



If this makes sense to somebody, I would be thankful for advice :-)
Regards, Ronny


-Original Message-
From: freeradius-users-bounces+voigt=bi-web...@lists.freeradius.org 
[mailto:freeradius-users-bounces+voigt=bi-web...@lists.freeradius.org] On 
Behalf Of t...@kalik.net
Sent: Tuesday, February 24, 2009 00:07
To: FreeRadius users mailing list
Subject: Re: trigger an Access Challenge

I want to test a radius client with the freeradius server. Access
Requests and Replies

rlm_perl - authorize - authenticate issue

2008-04-18 Thread Apostolos Pantsiopoulos

Hi,

   I am using freeradius (rlm_perl) for a VoIP system for a long time now
and today I tried to use it for routing purposes as well.

In my authorize function of my perl script I am assigning the routing info
to $RAD_REPLY :

...
my @final_routing = (
  "MLPAMPLA01/1/$calling_num/$called_num/$calling_num/$called_num/xxx.xxx.xxx.xxx:1720",
  "MLPAMPLA02/1/$calling_num/$called_num/$calling_num/$called_num/yyy.yyy.yyy.yyy:1720",
   );
...
$RAD_REPLY{'Cisco-Command-Code'} = [EMAIL PROTECTED];
...

My authenticate section is very simple for now (accept everything):

sub authenticate
{
   return RLM_MODULE_OK;
}

My problem is that when freeradius accepts a message it processes the 
authorize section correctly :


rlm_perl: Added pair Cisco-Command-Code = 
MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
rlm_perl: Added pair Cisco-Command-Code = 
MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720


and when it processes the authenticate section it adds the above two 
pairs one more time leading to

this reply :

Sending Access-Accept of id 139 to zzz.zzz.zzz.zzz port 1814
   Cisco-Command-Code += 
MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
   Cisco-Command-Code += 
MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720
   Cisco-Command-Code += 
MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
   Cisco-Command-Code += 
MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720


...which is not the desired result. In which part does the second 
addition of the attributes occur?



The debug output follows :

 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   rlm_realm: Looking up realm LLL for User-Name = [EMAIL PROTECTED]
   rlm_realm: No such realm LLL
 modcall[authorize]: module suffix returns noop for request 0
   users: Matched entry DEFAULT at line 152
 modcall[authorize]: module files returns ok for request 0
perl_pool: item 0x950f330 asigned new request. Handled so far: 1
found interpetator at address 0x950f330
rlm_perl: Added pair Cisco-Command-Code = 
MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
rlm_perl: Added pair Cisco-Command-Code = 
MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720

rlm_perl: Added pair Auth-Type = PERL
perl_pool total/active/spare [10/0/10]
Unreserve perl at address 0x950f330
 modcall[authorize]: module perl returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
 rad_check_password:  Found Auth-Type PERL
auth: type PERL
 Processing the authenticate section of radiusd.conf
modcall: entering group PERL for request 0
perl_pool: item 0xa009ae0 asigned new request. Handled so far: 1
found interpetator at address 0xa009ae0
rlm_perl: Added pair Cisco-Command-Code = 
MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
rlm_perl: Added pair Cisco-Command-Code = 
MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720

rlm_perl: Added pair Auth-Type = PERL
perl_pool total/active/spare [10/0/10]
Unreserve perl at address 0xa009ae0
 modcall[authenticate]: module perl returns ok for request 0
modcall: leaving group PERL (returns ok) for request 0
Sending Access-Accept of id 17 to ooo.ooo.ooo.ooo port 1814
   Cisco-Command-Code += 
MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
   Cisco-Command-Code += 
MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720
   Cisco-Command-Code += 
MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
   Cisco-Command-Code += 
MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720

Finished request 0






  


--
---
Apostolos Pantsiopoulos
Kinetix Tele.com Support Center
email: [EMAIL PROTECTED], [EMAIL PROTECTED]
Tel.  Fax: +30 2310556134
Mobile : +30 6937069097
MSN : [EMAIL PROTECTED]
WWW: http://www.kinetix.gr/
--- 




FW: authentication sub in perl

2011-10-03 Thread Alex rsm











Ok,
OpenSSL is installed on my server. No more issue on EAP. However, my debug line 
in sub authenticate still is not being called:


#example.pl
# Function to handle authorize
sub authorize {
    print "TEST-authorize: username=$RAD_REQUEST{'User-Name'}\n";
    # For debugging purposes only
    #   &log_request_attributes;

    # Here's where your authorization code comes
    # You can call another function from here:
    &test_call;

    return RLM_MODULE_OK;
}

# Function to handle authenticate
sub authenticate {
    print "TEST-authenticate\n";
    # For debugging purposes only
    #   &log_request_attributes;

    if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    } else {
        # Accept user and set some attribute
        $RAD_REPLY{'h323-credit-amount'} = 100;
        return RLM_MODULE_OK;
    }
}


and here is the debug:

Cleaning up request 9 ID 9 with timestamp +7
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=19, 
length=169
User-Name = abc
NAS-IP-Address = 10.0.0.31
NAS-Identifier = belair
NAS-Port = 0
Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x
Calling-Station-Id = 5C-59-48-F0-34-8B
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020801616263
Message-Authenticator = 0xb952dcdfcec1e39a79c029ccdc94c2ca
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = abc, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[sql]   expand: %{User-Name} - abc
[sql] sql_set_user escaped user -- 'abc'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id - 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = 'abc'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT groupname   
FROM radusergroup   WHERE username = 'abc'   ORDER BY 
priority
rlm_sql (sql): Released sql socket id: 1
[sql] User abc not found
++[sql] returns notfound
TEST-authorize: username=abc
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-F0-34-8B
rlm_perl: Added pair Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x
rlm_perl: Added pair Message-Authenticator = 0xb952dcdfcec1e39a79c029ccdc94c2ca
rlm_perl: Added pair User-Name = abc
rlm_perl: Added pair NAS-Identifier = belair
rlm_perl: Added pair EAP-Message = 0x020801616263
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 10.0.0.31
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 19 to 10.0.0.31 port 50071
EAP-Message = 0x0101001604108bc56309ea2103957c2aee6450696f68
Message-Authenticator = 0x
State = 0x2c81558c2c8051de6687486c2848c067
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=20, 
length=185
User-Name = abc
NAS-IP-Address = 10.0.0.31
NAS-Identifier = belair
NAS-Port = 0
Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x
Calling-Station-Id = 5C-59-48-F0-34-8B
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020100060319
State = 0x2c81558c2c8051de6687486c2848c067
Message-Authenticator = 0x959b11a51401f767f5b52bc58298d730
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = abc, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6

Re: rlm_perl - dbi - freetds works on radiusd -X but fails to sql connect in background

2009-01-07 Thread nes pa
selinux was the culprit,
thank you very much!


On Wed, Jan 7, 2009 at 2:22 PM, nes pa nesp...@gmail.com wrote:

 I've changed the example.pl perl script so it 'use DBI;' to query a Sybase
 server via freetds.

 Any hints welcome for solution or better tools to debug/strace into the
 perl script.







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_perl

2005-09-29 Thread Bjørn Mork
Abdul Lateef [EMAIL PROTECTED] writes:

 I am really sorry to post it again. 

I'm curious... what good do you think that possibly could do?

 Because I still did not find any reply to solve my problems.

I noticed you got this answer: 
 Run the server in Debug mode and see what happens.

Maybe you missed it?


Bjørn



Re: Problem with rlm_perl.

2006-03-06 Thread Yevgeny
 It is:

 *quote*
 use Data::Dumper;
 /*quote*

 in example.pl that causes the trouble.

Many thanks. I commented this string out and freeradius is running.

 I wonder if this library inclusion could be automated at the configure
 stage...

In my case, it happened automatically by itself.

 An answer to this question would interest me, too!
 If this is not possible, then which is the simplest approach to
 simulating a radius wrapper environment to debug a perl script?

If anyone here has something to say about this issue, please share.

--
Best regards.

Yevgeny
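
Added example (not part of the original thread and not FreeRADIUS project code): one way to simulate the rlm_perl environment asked about above, so a hook script such as example.pl can be run and debugged from the command line. The harness file name, the stub logger and the request values are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Stand-alone harness: run an rlm_perl hook script without radiusd.
# Usage: perl harness.pl ./example.pl [authorize|authenticate|...]
use strict;
use warnings;
use File::Spec;

# rlm_perl publishes the request to the script through these main:: hashes.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Stand-in for the logger the server injects into the interpreter.
sub radiusd::radlog {
    my ($level, $msg) = @_;
    print STDERR "radlog($level): $msg\n";
}

# Names for the return codes defined at the top of the stock example.pl.
my @RCODE = qw(reject fail ok handled invalid userlock notfound noop updated);

my $script = shift(@ARGV) or die "usage: $0 script.pl [hook]\n";
my $hook   = shift(@ARGV) || 'authorize';
my $path   = File::Spec->rel2abs($script);
-r $path or die "cannot read $path\n";

# Constructed request, modelled on attributes seen in 'radiusd -X' output.
%RAD_REQUEST = (
    'User-Name'          => 'abc',
    'NAS-IP-Address'     => '10.0.0.31',
    'NAS-Port-Type'      => 'Wireless-802.11',
    'Calling-Station-Id' => '5C-59-48-F0-34-8B',
);
%RAD_CHECK = ();
%RAD_REPLY = ();

# Compile and run the script's top level; syntax errors and failed
# 'use' statements surface here instead of at server start-up.
do $path;
die "failed to load $path: $@" if $@;

my $code = main->can($hook) or die "$path defines no sub '$hook'\n";
my $rc   = $code->();
my $known = defined $rc && $rc =~ /^\d+$/ && $rc < @RCODE;
printf "%s returned %s (%s)\n", $hook, $rc // 'undef',
    $known ? $RCODE[$rc] : 'unknown';

# Show what the hook left for the server; multi-valued attributes are array refs.
for my $set (['check', \%RAD_CHECK], ['reply', \%RAD_REPLY]) {
    my ($name, $h) = @$set;
    for my $attr (sort keys %$h) {
        my $v = $h->{$attr};
        printf "  %s: %s = %s\n", $name, $attr, ref $v ? join(', ', @$v) : $v;
    }
}
```

The harness runs under the ordinary perl binary, so it checks the script's own logic; problems that only occur inside the server's embedded interpreter still need radiusd -X.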




Re: static IP's with rlm_perl

2006-10-20 Thread Kevin Bonner
On Friday 20 October 2006 10:32, Michael Gale wrote:
 Hello,

   No, that did not work, with the setting below the debug shows:

 --snip--
  Framed-IP-Address = 255.255.255.254

Where is that attribute/value pair being added?  If that is being set after 
your perl functions are processed, then it's possible the operator being used 
is allowing that attribute to be overwritten.  Framed-IP-Address is not in 
the default FreeRADIUS config, so you've most likely added it somewhere and 
that is causing your problem.

Kevin Bonner



Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST

2013-04-26 Thread A . L . M . Buxey
Hi,

 Thanks for the suggestion. I added log_request_attributes; in the authorize 
 function, and the perl script already has sub log_request_attributes. 
 When I run FR in debug mode, the Aruba-Location-ID is present, but when I call 
 $RAD_REQUEST{'Aruba-Location-Id'} from rlm_perl, it came up empty.

and logs (radiusd -X) from this too. :-)

alan

