Freeradius, rlm_perl and tagged attributes from rlm_sql
I'm using FreeRADIUS 2.1.10. I need to reply to the NAS with the same attributes, with tags, using rlm_sql and rlm_perl. But in the result the tag numbers are missing, and the reply only contains attributes with :0.

mysql> select * from radreply;
+----+--------------+-------------------+----+----------+
| id | username     | attribute         | op | value    |
+----+--------------+-------------------+----+----------+
|  1 | testuser@new | Context-Name      | =  | Internet |
|  2 | testuser@new | Service-Name:1    | += | GUEST    |
|  3 | testuser@new | Service-Options:1 | += | 0        |
|  4 | testuser@new | Service-Name:2    | += | INET     |
|  5 | testuser@new | Service-Options:2 | += | 1        |
+----+--------------+-------------------+----+----------+
5 rows in set (0.00 sec)

Debug: rlm_perl: Added pair NAS-Port-Type = Virtual
Debug: rlm_perl: Added pair CHAP-Password = 0x01d5b5364721d124b36c2fcaf86dc1289b
Debug: rlm_perl: Added pair Acct-Session-Id = 6802B4D0-4DAC4ACD
Debug: rlm_perl: Added pair Proxy-State = 0x313538
Debug: rlm_perl: Added pair Service-Type = Framed-User
Debug: rlm_perl: Added pair CHAP-Challenge = 0xa87b4c6f31d9b71f63a5b54b9482bf1f
Debug: rlm_perl: Added pair NAS-IP-Address = 172.26.201.21
Debug: rlm_perl: Added pair NAS-Real-Port = 285216672
Debug: rlm_perl: Added pair Medium-Type = 11
Debug: rlm_perl: Added pair Framed-Protocol = PPP
Debug: rlm_perl: Added pair User-Name = testuser@new
Debug: rlm_perl: Added pair NAS-Port = 16842752
Debug: rlm_perl: Added pair Acct-Interim-Interval = 1800
Debug: rlm_perl: Added pair Service-Name = GUEST
Debug: rlm_perl: Added pair Service-Name = INET
Debug: rlm_perl: Added pair Context-Name = Internet
Debug: rlm_perl: Added pair Service-Type = Framed-User
Debug: rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
Debug: rlm_perl: Added pair Service-Options = 0
Debug: rlm_perl: Added pair Service-Options = 1
Debug: rlm_perl: Added pair Cleartext-Password = testpass
Debug: rlm_perl: Added pair Auth-Type = CHAP
Info: ++[perl] returns ok
Sending Access-Accept of id 180 to 127.0.0.1 port 3
	Acct-Interim-Interval = 1800
	Service-Name:0 += GUEST
	Service-Name:0 += INET
	Context-Name = Internet
	Service-Type = Framed-User
	Framed-IP-Address = 255.255.255.254
	Service-Options:0 += 0
	Service-Options:0 += 1
	Proxy-State = 0x313538
Mon Apr 18 17:29:33 2011 : Info: Finished request 3.
Mon Apr 18 17:29:33 2011 : Debug: Going to the next request

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: authorize an user using a multivalue ldap attribute
Thank you very much for your responses.

Conversely, you could comment out/remove the use Data::Dumper line since you're not using it. It's mainly for debugging and easily printing the entire contents of an object/array/hash/etc.

Ok, Kevin, I don't use Data::Dumper and I can run FreeRADIUS with my perl module. My problem is with the hashes that rlm_perl provides to my script: rlm_perl adds to the reply hash an attribute Relaciones with the value of the attribute Nombre-Completo, and also adds Nombre-Completo!

Debug: [ldap1] performing user authorization for ana
[ldap1] 	expand: %{Stripped-User-Name} -> ana
[ldap1] 	expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=ana)
...
[ldap1] looking for check items in directory...
[ldap1] ntPassword -> NT-Password == 0x35...
[ldap1] looking for reply items in directory...
[ldap1] Relaciones -> Relaciones += 01
[ldap1] sn -> Nombre-Completo = ana
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap1] user ana authorized to use remote access
[ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
...
rlm_perl: Added pair User-Name = ana
rlm_perl: Added pair User-Password =
rlm_perl: Added pair Intentos-Reject = 1
rlm_perl: Added pair SQL-User-Name = ana
rlm_perl: Added pair Stripped-User-Name = ana
rlm_perl: Added pair Calling-Station-Id = xxx
rlm_perl: Added pair Nombre-Completo = ana
rlm_perl: Added pair Relaciones = 01
*rlm_perl: Added pair Relaciones = ana*
rlm_perl: Added pair NT-Password = 0x35...
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Ldap-UserDn = ...

Thank you
Ana Gallardo Gómez
Re: Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
Your radius client is not sending Digest-Attributes. It's sending Ascend VSAs. Read your NAS documentation on how to set up digest authentication if you want that.

hi Kalik, I am really sorry to post the same question again. As per your instruction I have checked all the client configurations, radiusclient.conf as well as the SER configuration ser.cfg. I've uncommented all the modules that will particularly help to do digest authentication in ser.cfg, but the problem of not getting the values of the digest attributes still exists. I am using radiusclient 0.5.6 and SER 0.9.6; could it be a problem of incompatible versions between the radius server and the radius client or SER? Please tell me the possible reasons for not getting these values: 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'. And please tell me the things that I should change in the radius server configuration to get these digest attributes. For information, here is the debug output when run with radiusd -X:

rad_recv: Access-Request packet from host 192.168.1.227 port 33526, id=92, length=252
	User-Name = [EMAIL PROTECTED]
	X-Ascend-Netware-timeout = 1785686126
	X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
	X-Ascend-Receive-Secret = 0x3438316339313763326231623731373133343937623838636165613864326437326534653832
	X-Ascend-IP-Pool-Definition = sip:192.168.1.227
	X-Ascend-IPX-Peer-Mode = 0x5245474953544552
	Digest-Response = 6d1bf8eacbbddb82a606811f7e5c76ae
	Service-Type = IAPP-Register
	X-Ascend-PW-Lifetime = 1785686126
	Cisco-AVPair = call-id= [EMAIL PROTECTED]
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x9f48768 asigned new request. Handled so far: 1
found interpetator at address 0x9f48768
rlm_perl: ###
rlm_perl: RAD_REQUEST: Digest-Response = 6d1bf8eacbbddb82a606811f7e5c76ae
rlm_perl: RAD_REQUEST: X-Ascend-Receive-Secret = 0x3438316339313763326231623731373133343937623838636165613864326437326534653832
rlm_perl: RAD_REQUEST: X-Ascend-IPX-Peer-Mode = 0x5245474953544552
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: X-Ascend-Netware-timeout = 1785686126
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id= [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: X-Ascend-IP-Pool-Definition = sip:192.168.1.227
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: X-Ascend-PW-Lifetime = 1785686126
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
rlm_perl: ###
rlm_perl: Added pair Digest-Response = 6d1bf8eacbbddb82a606811f7e5c76ae
rlm_perl: Added pair X-Ascend-Receive-Secret = 0x3438316339313763326231623731373133343937623838636165613864326437326534653832
rlm_perl: Added pair X-Ascend-IPX-Peer-Mode = 0x5245474953544552
rlm_perl: Added pair Service-Type = IAPP-Register
rlm_perl: Added pair X-Ascend-Netware-timeout = 1785686126
rlm_perl: Added pair Cisco-AVPair = call-id= [EMAIL PROTECTED]
rlm_perl: Added pair X-Ascend-IP-Pool-Definition = sip:192.168.1.227
rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
rlm_perl: Added pair X-Ascend-PW-Lifetime = 1785686126
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
rlm_perl: Added pair Reply-Message = Incorrect Password
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9f48768
++[perl] returns reject
Invalid user: [EMAIL PROTECTED]/no User-Password attribute] (from client 192.168.1.227 port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> [EMAIL PROTECTED]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.227 port 33528, id=93, length=252
	User-Name = [EMAIL PROTECTED]
	X-Ascend-Netware-timeout = 1785686126
	X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
	X-Ascend-Receive-Secret = 0x3438316339313763326231623731373133343937623838636165613864326437326534653832
	X-Ascend-IP-Pool-Definition = sip:192.168.1.227
	X-Ascend-IPX-Peer-Mode = 0x5245474953544552
	Digest-Response = 6d1bf8eacbbddb82a606811f7e5c76ae
	Service-Type = IAPP-Register
	X-Ascend-PW-Lifetime = 1785686126
	Cisco-AVPair = call-id= [EMAIL PROTECTED]
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0xa183d50 asigned new request. Handled so far: 1
found
Need to change response type to Access-Challenge from rlm_perl
Hi,

Looking through the archives for this exact question, I see a post from 2008 (http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47423.html) where this exact question was previously asked.

Here is my server version info:

radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on Feb 17 2013 at 03:34:41

Here's my code:

    # Construct HTTP request
    my $authresult = authamis($RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'});
    radiusd::radlog(L_DBG, "Result after authamis call - $authresult");
    if ($authresult eq "true") {
        $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
        $RAD_REPLY{'Reply-Message'} = "authentication successful";
        for (keys %RAD_REPLY) {
            radiusd::radlog(L_DBG, "RAD_REPLY: $_ = $RAD_REPLY{$_}");
        }
        for (keys %RAD_CHECK) {
            radiusd::radlog(L_DBG, "RAD_CHECK: $_ = $RAD_CHECK{$_}");
        }
        for (keys %RAD_CONFIG) {
            radiusd::radlog(L_DBG, "RAD_CONFIG: $_ = $RAD_CONFIG{$_}");
        }
        return RLM_MODULE_OK;
    } else {
        $RAD_REPLY{'Reply-Message'} = "authentication failure";
        return RLM_MODULE_REJECT;
    }

Here is the relevant debug output:

Found Auth-Type = perl
# Executing group from file /opt/app/freeradius/etc/raddb/sites-enabled/default
+- entering group perl {...}
rlm_perl: RAD_REQUEST: User-Name = test
rlm_perl: RAD_REQUEST: User-Password = 42594190
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.65.1
rlm_perl: AMIS request: http://amis.jdt.com:8080/auth/authenticate/test/42594190
rlm_perl: Result after authamis call - true
rlm_perl: RAD_REPLY: Reply-Message = authentication successful
rlm_perl: RAD_CHECK: Response-Packet-Type = Access-Challenge
rlm_perl: RAD_CHECK: Auth-Type = perl
rlm_perl: RAD_CONFIG: Auth-Type = perl
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = 42594190
rlm_perl: Added pair NAS-IP-Address = 192.168.65.1
rlm_perl: Added pair Reply-Message = authentication successful
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = perl
++[perl] returns ok
# Executing section post-auth from file /opt/app/freeradius/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 81 to 192.168.65.1 port 53504
	Reply-Message = authentication successful
Finished request 0.
Going to the next request

Clearly the Access-Challenge setting is not being honored by the server. Is there another attribute that must be set to configure the response type?

Thanks,
Walter
RLM_perl and Cisco-AVPair
Hi everyone. I'm trying to get rlm_perl to respond with two Cisco-AVPair lines (what would usually be done with += in users). Unfortunately only the first seems to get sent back to the NAS; debug output follows:

rlm_perl: Added pair Cisco-AVPair = ip:dns-servers=10.10.10.10 10.10.10.12
rlm_perl: Added pair Cisco-AVPair = ip:route=10.10.0.0 255.255.255.0
rlm_perl: Added pair Framed-IP-Address = 10.10.10.12
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = perl
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = System
modcall[authenticate]: module perl returns ok for request 25
modcall: group Auth-Type returns ok for request 25
Sending Access-Accept of id 56 to 127.0.0.1:34529
	Cisco-AVPair = ip:dns-servers=10.10.10.10 10.10.10.12
	Framed-IP-Address = 10.10.10.10
	Framed-IP-Netmask = 255.255.255.255
	Service-Type = Framed-User

As you can see, rlm_perl logs that it is adding the pair twice but only the first is returned. I've gone so far as to look at the code for rlm_perl, and it looks to me like it should have worked from what I have done; the coder has asked for a reference to an array. My code basically does this:

    push(@avpairs, "ip:dns-servers=$dns1 $dns2");
    push(@avpairs, "ip:route=$$thisroute{network} $$thisroute{subnet}");
    $RAD_REPLY{'Cisco-AVPair'} = \@avpairs;

Anyone any ideas? Doesn't look like many people use rlm_perl yet.
Re: %RAD_REPLY hash problem
Hello,

I've tested adding my vendor specific attributes to the check list, and the problem persists. Here is the debug info:

rad_recv: Access-Request packet from host x.x.x.x port 32880, id=4, length=75
	User-Name = a...@unex.es
	User-Password = 111
	Calling-Station-Id = ...
...
[ldap1] performing user authorization for ana
[ldap1] 	expand: %{Stripped-User-Name} -> ana
[ldap1] 	expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=ana)
...
[ldap1] Bind was successful
...
[ldap1] looking for check items in directory...
[ldap1] Relaciones -> Relaciones += 06
[ldap1] Relaciones -> Relaciones += 01
[ldap1] ntPassword -> NT-Password == 0x44...
[ldap1] looking for reply items in directory...
[ldap1] sn -> Nombre-Completo = Ana Gllardo
...
[ldap1] user ana authorized to use remote access
...
rlm_perl: RAD_REQUEST: User-Name = a...@unex.es
rlm_perl: RAD_REQUEST: User-Password = 111
rlm_perl: RAD_REQUEST: Intentos-Reject = 0
rlm_perl: RAD_REQUEST: SQL-User-Name = ana
rlm_perl: RAD_REQUEST: Realm = unex.es
rlm_perl: RAD_REQUEST: Stripped-User-Name = ana
rlm_perl: RAD_REQUEST: Calling-Station-Id = ...
rlm_perl: RAD_CHECK: NT-Password = 0x44...
rlm_perl: RAD_CHECK: Simultaneous-Use = 1
rlm_perl: RAD_CHECK: Relaciones = ARRAY(0x1d59618)
rlm_perl: RAD_CHECK: Ldap-UserDn = ...
rlm_perl: RAD_REREPLY: Nombre-Completo = Ana Gallardo
rlm_perl: relacion: 06
rlm_perl: relacion: 01
rlm_perl: relacion: 0x44...
...

Finally, my solution was to delete the undesired member from the hash.

# cat /etc/freeradius/perl/checkRelaciones.pm
    #!/usr/bin/perl
    use strict;
    use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

    use constant RLM_MODULE_REJECT => 0;  # /* immediately reject the request */
    use constant RLM_MODULE_OK     => 2;  # /* the module is OK, continue */

    sub authorize {
        solucion_bug();
        return check_relaciones();
    }

    # rlm_perl hands Relaciones over as an array reference when LDAP returned
    # several values and as a plain string when it returned one; keep only the
    # values that look like a two-digit code, move them to the reply and drop
    # the check item.
    sub solucion_bug {
        my $r;
        my @array;
        if (exists $RAD_CHECK{'Relaciones'} && defined $RAD_CHECK{'Relaciones'}) {
            $r = $RAD_CHECK{'Relaciones'};
            if (ref($r) eq 'ARRAY') {
                foreach (@{$r}) {
                    #radiusd::radlog(1, "relacion: $_");
                    if ($_ =~ /^[0-9]{2}/) {
                        push(@array, $_);
                    }
                }
                if ($#array > 0) {
                    $RAD_REPLY{'Relaciones'} = \@array;
                } elsif ($#array == 0) {
                    $RAD_REPLY{'Relaciones'} = $array[0];
                }
            }
            unless (ref($r)) {
                #radiusd::radlog(1, "relacion: $r");
                if ($r =~ /^[0-9]{2}/) {
                    $RAD_REPLY{'Relaciones'} = $r;
                }
            }
            delete($RAD_CHECK{'Relaciones'});
        }
    }

    sub check_relaciones {
        my $r;
        if (exists $RAD_REPLY{'Relaciones'} && defined $RAD_REPLY{'Relaciones'}) {
            return RLM_MODULE_OK;
        } else {
            $RAD_REPLY{'Codigo-Reject'} = 11;  # Sin-Relacion-UEX
            return RLM_MODULE_REJECT;
        }
    }

Thank you very much.

++ Ana Gallardo Gómez ++
Strange Problem with chap.
Hello,

I am using chilli-coova as a hotspot and doing its authentication via FreeRADIUS. I don't know if you have any experience with this software, but it has 2 kinds of login pages. One is a CGI page with a cleartext password, the other is JavaScript doing CHAP authentication. Here is the problem. On FreeRADIUS I am using rlm_perl authentication for my users. When I use the CGI page or the radtest tool and send a cleartext password, everything works flawlessly. But if I decide to use CHAP, something strange happens: if I type the correct user/pass, FreeRADIUS denies it, but if I type the password wrong, FreeRADIUS accepts it. Here's the debug for FreeRADIUS. 7798-1 is with the right user/pass combination, 7798 is the wrong user/pass combination.

rad_recv: Access-Request packet from host 139.179.14.250 port 33545, id=30, length=285
	Vendor-14559-Attr-8 = 0x312e302e3131
	User-Name = 7798-1
	CHAP-Challenge = 0x091c2ecc9622c2b8072a20db2a85840e
	CHAP-Password = 0x001143a4c3f8a192f89b9ff9e7f6f85fe0
	NAS-IP-Address = 192.168.182.1
	Service-Type = Login-User
	Framed-IP-Address = 192.168.182.2
	Calling-Station-Id = 00-14-22-A1-BB-AB
	Called-Station-Id = 00-0E-0C-6E-6E-7C
	NAS-Identifier = nas01
	Acct-Session-Id = 491944cd0001
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	WISPr-Location-ID = isocc=,cc=,ac=,network=Coova,
	WISPr-Location-Name = My_HotSpot
	WISPr-Logoff-URL = http://192.168.182.1:3990/logoff
	Message-Authenticator = 0xcf009790c3d4d941242929020db19b43
server lojnet {
+- entering group authorize
++[preprocess] returns ok
users: Matched entry DEFAULT at line 72
++[files] returns ok
++[control] returns ok
perl_pool: item 0xbe7fd00 asigned new request. Handled so far: 1
found interpetator at address 0xbe7fd00
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair CHAP-Password = 0x001143a4c3f8a192f89b9ff9e7f6f85fe0
rlm_perl: Added pair WISPr-Logoff-URL = http://192.168.182.1:3990/logoff
rlm_perl: Added pair Acct-Session-Id = 491944cd0001
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Vendor-14559-Attr-8 = 0x312e302e3131
rlm_perl: Added pair Called-Station-Id = 00-0E-0C-6E-6E-7C
rlm_perl: Added pair Message-Authenticator = 0xcf009790c3d4d941242929020db19b43
rlm_perl: Added pair CHAP-Challenge = 0x091c2ecc9622c2b8072a20db2a85840e
rlm_perl: Added pair NAS-IP-Address = 192.168.182.1
rlm_perl: Added pair Calling-Station-Id = 00-14-22-A1-BB-AB
rlm_perl: Added pair WISPr-Location-ID = isocc=,cc=,ac=,network=Coova,
rlm_perl: Added pair User-Name = 7798-1
rlm_perl: Added pair NAS-Identifier = nas01
rlm_perl: Added pair Framed-IP-Address = 192.168.182.2
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair WISPr-Location-Name = My_HotSpot
rlm_perl: Added pair Reply-Message = Unknown Username Or Password
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0xbe7fd00
++[perl_lojnet] returns reject
Invalid user: [7798-1/CHAP-Password] (from client wireless-client port 1 cli 00-14-22-A1-BB-AB)
} # server lojnet
Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> 7798-1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 21 for 1 seconds
Going to the next request
Waking up in 0.7 seconds.
Sending delayed reject for request 21
Sending Access-Reject of id 30 to 139.179.14.250 port 33545
	Reply-Message = Unknown Username Or Password
Waking up in 4.9 seconds.
Cleaning up request 21 ID 30 with timestamp +1299
Ready to process requests.
rad_recv: Access-Request packet from host 139.179.14.250 port 56290, id=34, length=283
	Vendor-14559-Attr-8 = 0x312e302e3131
	User-Name = 7798
	CHAP-Challenge = 0xf5a327d969a14458fc8e232dc2b2dd0e
	CHAP-Password = 0x00754c55931928ae23c86ffc791482d963
	NAS-IP-Address = 192.168.182.1
	Service-Type = Login-User
	Framed-IP-Address = 192.168.182.2
	Calling-Station-Id = 00-14-22-A1-BB-AB
	Called-Station-Id = 00-0E-0C-6E-6E-7C
	NAS-Identifier = nas01
	Acct-Session-Id = 491944cd0001
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	WISPr-Location-ID = isocc=,cc=,ac=,network=Coova,
	WISPr-Location-Name = My_HotSpot
	WISPr-Logoff-URL = http://192.168.182.1:3990/logoff
	Message-Authenticator = 0x8ccc91235f97010a7c09802979e2cdea
server lojnet {
+- entering group authorize
++[preprocess] returns ok
users: Matched entry DEFAULT at line 72
++[files] returns ok
++[control] returns ok
perl_pool: item 0xc1dfb10 asigned new request. Handled so far: 1
found interpetator at address 0xc1dfb10
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair CHAP-Password = 0x00754c55931928ae23c86ffc791482d963
rlm_perl: Added pair WISPr
Re: Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
You are asking your questions on the wrong list. There is nothing you can do on a radius server in order to get those attributes if the radius client is not sending Digest-Attributes. Direct your question to SER server support.

hi Kalik, after I made some changes in the dictionary of the radius server I can see the client sending digest attributes in the output, but I still don't get the values at the radius server. Is it a problem with my configuration of the radius server, or may it be some other client configuration? Please advise; sorry for posting the same question again. Please tell me the possible reasons for not getting these values: 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'. Here is the full output when I run in debug mode:

rad_recv: Access-Request packet from host 192.168.1.227 port 33093, id=86, length=271
	User-Name = [EMAIL PROTECTED]
	Digest-Attributes = 0x0a096a6f686e736f6e
	Digest-Attributes = 0x010f3139322e3136382e312e323237
	Digest-Attributes = 0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439
	Digest-Attributes = 0x04137369703a3139322e3136382e312e323237
	Digest-Attributes = 0x030a5245474953544552
	Digest-Response = b8f4759b0c4462aaa56edd1794da872a
	Service-Type = Sip-Session
	Sip-Uri-User = johnson
	Cisco-AVPair = call-id= [EMAIL PROTECTED]
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x89260f0 asigned new request. Handled so far: 1
found interpetator at address 0x89260f0
rlm_perl: ###
rlm_perl: RAD_REQUEST: Digest-Response = b8f4759b0c4462aaa56edd1794da872a
rlm_perl: RAD_REQUEST: Service-Type = Sip-Session
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id= [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x89dd638)
rlm_perl: ###
rlm_perl: Added pair Digest-Response = b8f4759b0c4462aaa56edd1794da872a
rlm_perl: Added pair Service-Type = Sip-Session
rlm_perl: Added pair Cisco-AVPair = call-id= [EMAIL PROTECTED]
rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
rlm_perl: Added pair Sip-Uri-User = johnson
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair Digest-Attributes = 0x0a096a6f686e736f6e
rlm_perl: Added pair Digest-Attributes = 0x010f3139322e3136382e312e323237
rlm_perl: Added pair Digest-Attributes = 0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439
rlm_perl: Added pair Digest-Attributes = 0x04137369703a3139322e3136382e312e323237
rlm_perl: Added pair Digest-Attributes = 0x030a5245474953544552
rlm_perl: Added pair Reply-Message = Incorrect Password
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x89260f0
++[perl] returns reject
Invalid user: [EMAIL PROTECTED]/no User-Password attribute] (from client 192.168.1.227 port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> [EMAIL PROTECTED]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.227 port 33094, id=87, length=271
	User-Name = [EMAIL PROTECTED]
	Digest-Attributes = 0x0a096a6f686e736f6e
	Digest-Attributes = 0x010f3139322e3136382e312e323237
	Digest-Attributes = 0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439
	Digest-Attributes = 0x04137369703a3139322e3136382e312e323237
	Digest-Attributes = 0x030a5245474953544552
	Digest-Response = b8f4759b0c4462aaa56edd1794da872a
	Service-Type = Sip-Session
	Sip-Uri-User = johnson
	Cisco-AVPair = call-id= [EMAIL PROTECTED]
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x8a20548 asigned new request. Handled so far: 1
found interpetator at address 0x8a20548
rlm_perl: ###
rlm_perl: RAD_REQUEST: Digest-Response = b8f4759b0c4462aaa56edd1794da872a
rlm_perl: RAD_REQUEST: Service-Type = Sip-Session
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id= [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x8ab7bd0)
rlm_perl
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce'.
You are (again) sending a request without Digest-Attributes. Try sending one with them.

Ivan Kalik
Kalik Informatika ISP

hi, I checked all the client attributes and started sending the Digest attributes. Now the problem is that I can't get those attributes in my perl code by accessing RAD_REQUEST or RAD_CHECK, so that I can calculate my ha1, ha2 for the md5 digest. Please help. Output log file when run in debug mode with radiusd -X:

rad_recv: Access-Request packet from host 192.168.1.227 port 32817, id=222, length=262
	User-Name = [EMAIL PROTECTED]
	Digest-Attributes = \n\006john
	Digest-Attributes = \001\017192.168.1.227
	Digest-Attributes = \002*48281f56caacb6aa62fc3bb31ec98146efeaae15
	Digest-Attributes = \004\023sip:192.168.1.227
	Digest-Attributes = \003\nREGISTER
	Digest-Response = 9ae01536efc46358e61f2fe362552af4
	Service-Type = SIP
	Sip-URI-User = john
	Cisco-AVPair = call-id= [EMAIL PROTECTED]
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x8d08568 asigned new request. Handled so far: 1
found interpetator at address 0x8d08568
rlm_perl: ###
rlm_perl: RAD_REQUEST: Digest-Response = 9ae01536efc46358e61f2fe362552af4
rlm_perl: RAD_REQUEST: Service-Type = SIP
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id= [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Sip-URI-User = john
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x8df353c)
rlm_perl: ###
rlm_perl: Added pair Digest-Response = 9ae01536efc46358e61f2fe362552af4
rlm_perl: Added pair Service-Type = SIP
rlm_perl: Added pair Cisco-AVPair = call-id= [EMAIL PROTECTED]
rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
rlm_perl: Added pair Sip-URI-User = john
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair Digest-Attributes = \n\006john
rlm_perl: Added pair Digest-Attributes = \001\017192.168.1.227
rlm_perl: Added pair Digest-Attributes = \002*48281f56caacb6aa62fc3bb31ec98146efeaae15
rlm_perl: Added pair Digest-Attributes = \004\023sip:192.168.1.227
rlm_perl: Added pair Digest-Attributes = \003\nREGISTER
rlm_perl: Added pair Reply-Message = Incorrect Password
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x8d08568
++[perl] returns ok
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
rlm_realm: Looking up realm 192.168.1.227 for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm 192.168.1.227
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type DIGEST
auth: type digest
+- entering group authenticate
rlm_digest: Cleartext-Password or Digest-HA1 is required for authentication.
++[digest] returns invalid
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/via Auth-Type = DIGEST] (from client 192.168.1.227 port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> [EMAIL PROTECTED]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.227 port 32818, id=223, length=262
	User-Name = [EMAIL PROTECTED]
	Digest-Attributes = \n\006john
	Digest-Attributes = \001\017192.168.1.227
	Digest-Attributes = \002*48281f56caacb6aa62fc3bb31ec98146efeaae15
	Digest-Attributes = \004\023sip:192.168.1.227
	Digest-Attributes = \003\nREGISTER
	Digest-Response = 9ae01536efc46358e61f2fe362552af4
	Service-Type = SIP
	Sip-URI-User = john
	Cisco-AVPair = call-id= [EMAIL PROTECTED]
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x8e67348 asigned new request. Handled so far: 1
found interpetator at address 0x8e67348
rlm_perl: ###
rlm_perl: RAD_REQUEST: Digest-Response = 9ae01536efc46358e61f2fe362552af4
rlm_perl: RAD_REQUEST: Service-Type = SIP
rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id= [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Sip-URI-User = john
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x8efce0c)
rlm_perl: ###
rlm_perl: Added pair Digest-Response
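The three Digest threads above all stall at the same point: the perl module runs ahead of rlm_digest in authorize, so it sees Digest-Attributes only as the raw TLVs (ARRAY(...) in RAD_REQUEST), and rlm_digest then rejects because no Cleartext-Password or Digest-HA1 was put into the control list. What follows is an added example, not code from any of the posters or from FreeRADIUS: it decodes each Digest-Attributes value (one byte sub-type, one byte total length including the two header bytes, then the value; sub-type numbers as in the FreeRADIUS dictionary) and recomputes the RFC 2617 response the way rlm_digest does. The five hex values are the ones printed by radiusd -X in the second thread (user johnson, realm 192.168.1.227, method REGISTER); the password 'secret' is assumed because no post shows it, so the response computed here is not the one that client sent.

```perl
#!/usr/bin/perl
# Added example: decode Digest-Attributes TLVs and verify an HTTP Digest
# response by hand. Not from the original posts; the password is assumed.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Sub-type numbers from draft-sterman-aaa-sip, as in FreeRADIUS's dictionary.
my %SUBTYPE = (
     1 => 'Digest-Realm',       2 => 'Digest-Nonce',   3 => 'Digest-Method',
     4 => 'Digest-URI',         5 => 'Digest-Qop',     6 => 'Digest-Algorithm',
     7 => 'Digest-Body-Digest', 8 => 'Digest-CNonce',  9 => 'Digest-Nonce-Count',
    10 => 'Digest-User-Name',
);

# One Digest-Attributes value, either raw bytes (the \n\006john form in the
# third thread) or the "0x..." hex string rlm_perl shows for octets.
# Returns (name, value); dies on a bad length instead of guessing.
sub decode_digest_attribute {
    my ($raw) = @_;
    my $bytes = $raw =~ /^0x([0-9a-fA-F]+)$/ ? pack('H*', $1) : $raw;
    die "Digest-Attributes too short\n" if length($bytes) < 2;
    my ($type, $len) = unpack('C C', $bytes);
    die "Digest-Attributes length byte $len != " . length($bytes) . " bytes\n"
        if $len != length($bytes);
    my $name = $SUBTYPE{$type} or die "unknown Digest-Attributes sub-type $type\n";
    return ($name, substr($bytes, 2));
}

# rlm_perl passes an array ref when there are several values and a plain
# string when there is one; accept both and return a name => value hash ref.
sub decode_digest_attributes {
    my ($vals) = @_;
    my @list = ref $vals eq 'ARRAY' ? @$vals : ($vals);
    my %d;
    for my $raw (@list) {
        my ($name, $value) = decode_digest_attribute($raw);
        $d{$name} = $value;
    }
    return \%d;
}

# RFC 2617, algorithm MD5: HA1 = MD5(user:realm:password),
# HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2), or the longer
# form when the client used qop.
sub digest_ha1 {
    my ($d, $password) = @_;
    return md5_hex(join ':', $d->{'Digest-User-Name'}, $d->{'Digest-Realm'}, $password);
}

sub digest_response {
    my ($d, $password) = @_;
    my $ha1 = digest_ha1($d, $password);
    my $ha2 = md5_hex(join ':', $d->{'Digest-Method'}, $d->{'Digest-URI'});
    if (defined $d->{'Digest-Qop'}) {
        return md5_hex(join ':', $ha1, $d->{'Digest-Nonce'}, $d->{'Digest-Nonce-Count'},
                                 $d->{'Digest-CNonce'}, $d->{'Digest-Qop'}, $ha2);
    }
    return md5_hex(join ':', $ha1, $d->{'Digest-Nonce'}, $ha2);
}

sub digest_ok {
    my ($d, $response, $password) = @_;
    return lc($response) eq digest_response($d, $password);
}

# Sample input: the five Digest-Attributes values from the radiusd -X output
# in the thread above, exactly as rlm_perl handed them to Perl.
my @sample = (
    '0x0a096a6f686e736f6e',
    '0x010f3139322e3136382e312e323237',
    '0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439',
    '0x04137369703a3139322e3136382e312e323237',
    '0x030a5245474953544552',
);
my $d = decode_digest_attributes(\@sample);
printf "%-18s = %s\n", $_, $d->{$_} for sort keys %$d;

# Assumed password: check a response we computed ourselves, then a wrong one.
my $resp = digest_response($d, 'secret');
print 'correct password: ', (digest_ok($d, $resp, 'secret') ? 'accept' : 'reject'), "\n";
print 'wrong password:   ', (digest_ok($d, $resp, 'wrong')  ? 'accept' : 'reject'), "\n";
```

Inside an rlm_perl authorize you would call decode_digest_attributes($RAD_REQUEST{'Digest-Attributes'}) and then, rather than comparing Digest-Response yourself, set $RAD_CHECK{'Cleartext-Password'} from your user store (or $RAD_CHECK{'Digest-HA1'} to the 32-character hex HA1, which avoids putting the cleartext password anywhere near the request) and let rlm_digest do the comparison, since the debug above shows that is exactly the item it is missing. The length check matters: a client that sends a truncated or oversized TLV should be rejected, not parsed as whatever bytes happen to follow.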
Re: Question regarding rlm_perl and Access-Challenge
Thanks for the swift reply Dekok. I tried what you suggested and it doesn't work. Looking at dictionary.freeradius.internal and double checking the values in the pair, everything looks okay. I'm going to play about with this a bit, but in the meantime here are some more details, and I would greatly appreciate it if you would scan over them to see if there is anything obvious I am missing.

Here's my authenticate sub.

    # Function to handle authenticate
    sub authenticate {
        # For debugging purposes only
        log_request_attributes;
        if (($RAD_REQUEST{'User-Name'} =~ /^test/) && ($RAD_REQUEST{'User-Password'} =~ /^pass/)) {
            $RAD_REPLY{'State'} = "challenge";
            $RAD_REPLY{'Reply-Message'} = "Challenge: ";
            $RAD_REPLY{'Response-Packet-Type'} = "Access-Challenge";
            log_request_attributes;
            return RLM_MODULE_HANDLED;
        } else {
            # Reject user and tell him why
            $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
            return RLM_MODULE_REJECT;
        }
    }

And here's the debug output:

perl_pool: item 0x827b1a0 asigned new request. Handled so far: 1
found interpetator at address 0x827b1a0
rlm_perl: RAD_REQUEST: User-Name = test
rlm_perl: RAD_REQUEST: User-Password = pass
rlm_perl: RAD_REQUEST: Service-Type = Login-User
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.250.0.170
rlm_perl: RAD_REQUEST: NAS-Port = 6
rlm_perl: RAD_REQUEST: User-Name = test
rlm_perl: RAD_REQUEST: User-Password = pass
rlm_perl: RAD_REQUEST: Service-Type = Login-User
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.250.0.170
rlm_perl: RAD_REQUEST: NAS-Port = 6
rlm_perl: RAD_REPLY: Reply-Message = Challenge:
rlm_perl: RAD_REPLY: Response-Packet-Type = Access-Challenge
rlm_perl: RAD_REPLY: State = challenge
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair NAS-IP-Address = 10.250.0.170
rlm_perl: Added pair NAS-Port = 6
rlm_perl: Added pair Reply-Message = Challenge:
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x827b1a0
++[perl] returns handled
There was no response configured: rejecting request 0
==

The last line here is confusing me. Looking at the code that spits out this error, it seems to only happen when there is no Response-Packet-Type in request_post_handler.

    switch (request->packet->code) {
    case PW_AUTHENTICATION_REQUEST:
        gettimeofday(&request->next_when, NULL);
        if (request->reply->code == 0) {
            /*
             * Check if the lack of response is intentional.
             */
            vp = pairfind(request->config_items, PW_RESPONSE_PACKET_TYPE);
            if (!vp) {
                DEBUG2("There was no response configured: rejecting request %d", request->number);
                request->reply->code = PW_AUTHENTICATION_REJECT;
            } else if (vp->vp_integer == 256) {
                DEBUG2("Not responding to request %d", request->number);
            } else {
                request->reply->code = vp->vp_integer;
            }
        }

On Tue, Aug 19, 2008 at 1:09 PM, Alan DeKok [EMAIL PROTECTED] wrote:
Harry J Walsh wrote:
I want to develop some test cases for a radius client I am developing and I would like to be able to use rlm_perl to simulate various scenarios. The one I am having major problems with is Access-Challenge. I really like rlm_perl and the flexibility it provides and I would like to be able to specify the reply type. I've looked through the documentation and the rlm_perl code for any hints on how to do this, and at this stage I'm thinking I'll have to create a new interface to allow my perl script to specify the correct reply type to rlm_perl.

Configure the reply with Response-Packet-Type = Access-Challenge, and make sure that the authenticate section returns handled. That should do it. And yes, this isn't documented.

Alan DeKok.

--
Harry J Walsh
Re: EAP-SIM on 2.2.0
Hi,

On 2012-09-11 4:05 PM, Phil Mayers wrote:
> On 09/11/2012 07:49 PM, Francois Gaudreault wrote:
>> Hi, I am playing with EAP-SIM on 2.2.0, but I am facing an issue I cannot even understand :S Not because I don't want to, but the error messages are not talking much. I did compute SRES/Kc for my SIM, but after the third triplet, I just have:
>
> Don't trim the debug. Critical info is higher up - like the actual radius packet!

I always trim it the first time, I don't want to spam the planet in case the issue is simple :) Here is the entire debug (with my IMSI trimmed):

    rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=15, length=298
        User-Name = i...@wlan.mnc720.mcc302.3gppnetwork.org
        Calling-Station-Id = 5C-59-48-ED-C4-96
        NAS-IP-Address = 10.0.0.24
        NAS-Port = 1
        Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = 50-A7-33-31-CF-B8
        Connect-Info = CONNECT 802.11g
        EAP-Message = 0x0238013133303237323034303434313338393040776c616e2e6d6e633732302e6d6360322e336770706e6574776f726b2e6f7267
        Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
        Message-Authenticator = 0x8a5c5a80c992696a2eb8b097b865b86f
    server packetfence {
    # Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
    +- entering group authorize {...}
    [suffix] Looking up realm wlan.mnc720.mcc302.3gppnetwork.org for User-Name = i...@wlan.mnc720.mcc302.3gppnetwork.org
    [suffix] No such realm wlan.mnc720.mcc302.3gppnetwork.org
    ++[suffix] returns noop
    ++[preprocess] returns ok
    rlm_sim_files: authorized user/imsi i...@wlan.mnc720.mcc302.3gppnetwork.org
    rlm_sim_files: Adding EAP-Type: eap-sim
    ++[sim_files] returns ok
    [eap] EAP packet type response id 0 length 56
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus
    rlm_perl: Added pair Calling-Station-Id = 5C-59-48-ED-C4-96
    rlm_perl: Added pair Message-Authenticator = 0x8a5c5a80c992696a2eb8b097b865b86f
    rlm_perl: Added pair Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
    rlm_perl: Added pair User-Name = i...@wlan.mnc720.mcc302.3gppnetwork.org
    rlm_perl: Added pair NAS-Identifier = 50-A7-33-31-CF-B8
    rlm_perl: Added pair EAP-Message = 0x0238013133303237323034303434313338393040776c616e2e6d6e633732302e6d6360322e336770706e6574776f726b2e6f7267
    rlm_perl: Added pair Connect-Info = CONNECT 802.11g
    rlm_perl: Added pair EAP-Type = Identity
    rlm_perl: Added pair NAS-IP-Address = 10.0.0.24
    rlm_perl: Added pair NAS-Port = 1
    rlm_perl: Added pair Framed-MTU = 1400
    rlm_perl: Added pair EAP-Sim-Rand3 = 0xff626ed6104164234aabebecafecafe3
    rlm_perl: Added pair EAP-Sim-Rand2 = 0x771634015641aabcd4e5a2a3ab521242
    rlm_perl: Added pair EAP-Sim-SRES1 = 0xa0a116fe
    rlm_perl: Added pair EAP-Sim-SRES2 = 0xc891c365
    rlm_perl: Added pair EAP-Sim-KC1 = 0x603c63ecd59340cb
    rlm_perl: Added pair EAP-Sim-Rand1 = 0xab521824610aca27814bbde2810347a1
    rlm_perl: Added pair EAP-Sim-KC3 = 0xa62f0f3aca277041
    rlm_perl: Added pair EAP-Sim-KC2 = 0xbdaf3f47b1fc2520
    rlm_perl: Added pair EAP-Sim-SRES3 = 0x6daeb494
    rlm_perl: Added pair Auth-Type = EAP
    rlm_perl: Added pair EAP-Type = SIM
    ++[packetfence] returns noop
    Found Auth-Type = EAP
    # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type sim
    [eap] Underlying EAP-Type set EAP ID to 246
    ++[eap] returns handled
    } # server packetfence
    Sending Access-Challenge of id 15 to 10.0.0.24 port 1051
        EAP-Message = 0x01f60014120a0f020002000111010100
        Message-Authenticator = 0x
        State = 0x8c646e1d8c927cd94949c1e5aaf22aa6
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 10.0.0.24 port 1051, id=16, length=348
        User-Name = i...@wlan.mnc720.mcc302.3gppnetwork.org
        Calling-Station-Id = 5C-59-48-ED-C4-96
        NAS-IP-Address = 10.0.0.24
        NAS-Port = 1
        Called-Station-Id = 50-A7-33-31-CF-B8:PacketFence-Ruckus
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = 50-A7-33-31-CF-B8
        Connect-Info = CONNECT 802.11g
        EAP-Message = 0x02f60058120a0e0e00333133303237323034303434313338393040776c616e2e6d6e633732302e6d6360322e336770706e6574776f726b2e6f7267001001000107057ae3c3b294faa5fac85c9cdc58737c87
        State = 0x8c646e1d8c927cd94949c1e5aaf22aa6
        Vendor-25053-Attr-3 = 0x5061636b657446656e63652d5275636b7573
        Message
debug only for rlm_xxx (rlm_perl)
Hello list,

Is there an option in radiusd.conf to enable debug logging only for certain rlm modules? E.g. I have rlm_perl and I only want debug messages for this.

Thanks for your reply in advance.

T.
Re: debug only for rlm_xxx (rlm_perl)
bi...@antworte.me wrote:
> Is there an option in radiusd.conf to enable debug logging only for certain rlm modules? E.g. I have rlm_perl and I only want debug messages for this.

Not at this time.

Alan DeKok.
Re: rlm_perl DEBUG log with garbage output
Rohaizam Abu Bakar [EMAIL PROTECTED] writes: Hi,.. running xlat within rlm_perl.. giving correct result.. but what concern me is that.. in debug log.. there are garbage output as below:- radius_xlat: '.*' radius_xlat: Running registered xlat function of module y5perl for string '%{User-Name}:%{NAS-Identifier}' radius_xlat: 'bacang:JARINGWiF' rlm_perl: Len is 4 , out is NULL?8???Ù¿¿?49(hÕ¿¿?? freespace is 254 radius_xlat: 'NULL' Try this patch: diff -u -r1.13.4.7 rlm_perl.c --- src/modules/rlm_perl/rlm_perl.c 27 Apr 2006 17:35:44 - 1.13.4.7 +++ src/modules/rlm_perl/rlm_perl.c 25 Jan 2007 10:03:51 - @@ -694,7 +694,7 @@ } else if (count 0) { tmp = POPp; ret = strlen(tmp); - strncpy(out,tmp,ret); + strncpy(out,tmp,ret+1); radlog(L_DBG,rlm_perl: Len is %d , out is %s freespace is %d, ret, out,freespace); Bjørn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
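Review bot: copying ret+1 bytes fixes the missing NUL terminator (strlen() does not count it), but the copy is still unbounded; nothing in this hunk compares ret with freespace, so a Perl xlat result longer than the caller's buffer runs past out. Clamp before the copy, for example: if (ret >= freespace) ret = freespace - 1; then strncpy(out, tmp, ret); out[ret] = '\0'; and return ret so the caller sees the truncated length rather than the original strlen.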
Truncation of octet attribute handled by rlm_perl
Hello everyone

I am having a slight problem with rlm_perl and I would really appreciate any advice/help. I have a perl script which, via rlm_perl, adds a value to the DHCP-Classless-Static-Route attribute, something like this:

    ### perl script snippets
    ...
    my $route = pack('C7', split(/\,/, "16,172,16,10,0,0,2"));
    ...
    radiusd::radlog(RADLOG_DEBUG, "packed data: " . unpack('H*', $route));
    ...
    $RAD_REPLY{'DHCP-Classless-Static-Route'} = $route;
    ...
    ###

..but from the debug output I see that the attribute data is truncated at the first octet with value 00:

    ### freeradius -Xx snippets
    ...
    Thu Feb 28 10:35:23 2013 : rlm_perl: packed data: 10ac100a02
    Thu Feb 28 10:35:23 2013 : Debug: rlm_perl: Added pair DHCP-Classless-Static-Route = ???
    ...
    DHCP-Classless-Static-Route = 0x10ac100a
    ##

Am I doing something daft, or is this a possible bug in rlm_perl? I am using freeradius 2.2.0.
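As an added example (not the poster's script), the following builds the RFC 3442 classless-static-route octets for the route above, shows why the packed value contains a 0x00 byte, and renders the "0x..." hex form; it assumes, as the truncation at 0x10ac100a suggests, that rlm_perl 2.x hands the scalar to the server as a C string, and that a value starting with "0x" is parsed as octets.

```perl
#!/usr/bin/perl
# Added example, not code from the original post: build the octets for
# DHCP option 121 (RFC 3442 classless static routes), flag the embedded
# 0x00 that makes a raw binary string unsafe to hand to rlm_perl, and
# render the "0x..." form instead.
use strict;
use warnings;

# Encode [ "net/len", "router" ] pairs: one byte of prefix length, then only
# the significant octets of the destination, then the four router octets.
sub classless_static_routes {
    my @routes = @_;
    my $out = '';
    for my $r (@routes) {
        my ($dest, $router) = @$r;
        my ($net, $len) = split m{/}, $dest;
        die "bad prefix length in $dest"
            unless defined $len && $len =~ /^\d+$/ && $len <= 32;
        my $sig = int(($len + 7) / 8);            # significant destination octets
        my @net = split /\./, $net;
        $out .= pack('C', $len);
        $out .= pack('C*', @net[0 .. $sig - 1]) if $sig;   # nothing for a /0
        $out .= pack('C4', split /\./, $router);
    }
    return $out;
}

# A C-string copy stops at the first NUL, so any 0x00 inside the value is lost.
sub has_embedded_nul {
    my ($octets) = @_;
    return index($octets, "\0") >= 0 ? 1 : 0;
}

# The form FreeRADIUS parses as octets when an attribute value starts with "0x".
sub as_hex_string {
    my ($octets) = @_;
    return '0x' . unpack('H*', $octets);
}

# Constructed sample: the route from the post, 172.16.0.0/16 via 10.0.0.2.
my $route = classless_static_routes([ '172.16.0.0/16', '10.0.0.2' ]);
printf "packed data: %s\n", unpack('H*', $route);
printf "contains NUL: %s\n", has_embedded_nul($route) ? 'yes' : 'no';

# Assumption about rlm_perl 2.x: the scalar is handed to pairmake() as a C
# string, so a raw value is cut at the first 0x00 while the hex form survives.
# Inside the module this would be:
#   $RAD_REPLY{'DHCP-Classless-Static-Route'} = as_hex_string($route);
printf "assign as: %s\n", as_hex_string($route);
```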
Re: rlm_perl multiple attributes in rad_reply was: Adding Multiple Cisco-AVPairs using rlm_perl
In the message of Thursday 26 August 2010 11:17:45, Bjørn Mork wrote:
> Boian Jordanov bjorda...@orbitel.bg writes:
>> On Aug 22, 2010, at 3:06 PM, Alexander Kubatkin wrote:
>>> In the message of Sunday 22 August 2010 10:48:56, Alan DeKok wrote:
>>>> Alexander Kubatkin wrote:
>>>>> This isn't working, i'm trying to put 2 dns-servers in dhcp configuration like this:
>>>>>     $RAD_REPLY{'DHCP-Domain-Name-Server'} = [$ns1,$ns2] ;
>>
>> To return multiple items you have to use array ref. Try this way.
>>
>>     $data[0] = "nameserver_1";
>>     $data[1] = "nameserver_2";
>>     $data[2] = "nameserver_3";
>>     $data[3] = "nameserver_x";
>>     $RAD_REPLY{'DHCP-Domain-Name-Server'} = \@data;
>
> Which should be equivalent to doing
>
>     $RAD_REPLY{'DHCP-Domain-Name-Server'} = ["nameserver_1", "nameserver_2", "nameserver_3", "nameserver_x"];
>
> so I don't think that's the problem. But we are all guessing, since we haven't yet seen the actual debug output from FreeRADIUS, only selected bits and pieces of the non-working end result. Since we *know* that FreeRADIUS and rlm_perl work when configured correctly, we can deduce that there is something wrong with the configuration. I believe that's the best we can do, given the input available to us.

This is with $RAD_REPLY{'DHCP-Domain-Name-Server'} = [$ns1,$ns2] ;

    Received DHCP-Request of id ef3e6917 from Relay_ip:68 to DHCP-Server_ip:67
        DHCP-Opcode = Client-Message
        DHCP-Hardware-Type = Ethernet
        DHCP-Hardware-Address-Length = 6
        DHCP-Hop-Count = 1
        DHCP-Transaction-Id = 4013844759
        DHCP-Number-of-Seconds = 73
        DHCP-Flags = 0
        DHCP-Client-IP-Address = Client_ip
        DHCP-Your-IP-Address = 0.0.0.0
        DHCP-Server-IP-Address = 0.0.0.0
        DHCP-Gateway-IP-Address = Relay_ip
        DHCP-Client-Hardware-Address = Client_mac
        DHCP-Message-Type = DHCP-Request
        DHCP-Hostname = kaa-laptop
        DHCP-Parameter-Request-List = DHCP-Subnet-Mask
        DHCP-Parameter-Request-List = DHCP-Broadcast-Address
        DHCP-Parameter-Request-List = DHCP-Time-Offset
        DHCP-Parameter-Request-List = DHCP-Router-Address
        DHCP-Parameter-Request-List = DHCP-Domain-Name
        DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
        DHCP-Parameter-Request-List = DHCP-Domain-Search
        DHCP-Parameter-Request-List = DHCP-Hostname
        DHCP-Parameter-Request-List = DHCP-NETBIOS-Name-Servers
        DHCP-Parameter-Request-List = DHCP-NETBIOS
        DHCP-Parameter-Request-List = DHCP-Interface-MTU-Size
        DHCP-Parameter-Request-List = DHCP-Classless-Static-Route
        DHCP-Parameter-Request-List = DHCP-NTP-Servers
        DHCP-Agent-Circuit-Id = 0x000403e50002
    server dhcp {
    Trying sub-section dhcp DHCP-Request {...}
    +- entering group DHCP-Request {...}
    [linelog] expand: %{reply:DHCP-Message-Type} ->
    [linelog] ... expanding second conditional
    [linelog] expand: %{request:DHCP-Message-Type} -> DHCP-Request
    [linelog] expand: %{%{reply:DHCP-Message-Type}:-%{request:DHCP-Message-Type}} -> DHCP-Request
    [linelog] expand: /var/log/linelog -> /var/log/linelog
    [linelog] expand: %{request:DHCP-Client-IP-Address} -> Client_ip
    [linelog] expand: %{DHCP-Transaction-Id} REQUEST: %{%{request:DHCP-Client-IP-Address}:-%{request:DHCP-Requested-IP-Address}} from [%{DHCP-Client-Hardware-Address}] via (%{DHCP-Gateway-IP-Address}) ... option82= %{DHCP-Relay-Agent-Information} -> 4013844759 REQUEST: Client_ip from [Client_mac] via (Relay_ip) ... option82=
    ++[linelog] returns ok
    acid: 0x000403e50002
    arid: 0x00060022b06cdd22
    option82: 0x0106000403e5000200060022b06cdd22
    prepare_cached(call dhcp_get_all(?,?,@ip,@broadcast,@mask,@gw,@ns1,@ns2,@ntp,@domain,@lease_time)) statement handle DBI::st=HASH(0x80269bb00) still Active at /usr/local/etc/raddb/dhcp.pl line 235
    rlm_perl: Added pair DHCP-Your-IP-Address = 0.0.0.0
    rlm_perl: Added pair DHCP-Message-Type = DHCP-Request
    rlm_perl: Added pair DHCP-Hop-Count = 1
    rlm_perl: Added pair Tmp-String-0 = OK
    rlm_perl: Added pair DHCP-Agent-Circuit-Id = 0x000403e50002
    rlm_perl: Added pair DHCP-Number-of-Seconds = 73
    rlm_perl: Added pair DHCP-Client-IP-Address = Client_ip
    rlm_perl: Added pair DHCP-Agent-Remote-Id = 0x00060022b06cdd22
    rlm_perl: Added pair DHCP-Gateway-IP-Address = Relay_ip
    rlm_perl: Added pair DHCP-Hardware-Type = Ethernet
    rlm_perl: Added pair DHCP-Flags = 0
    rlm_perl: Added pair DHCP-Hardware-Address-Length = 6
    rlm_perl: Added pair DHCP-Hostname = laptop_hostname
    rlm_perl: Added pair DHCP-Opcode = Client-Message
    rlm_perl: Added pair DHCP-Transaction-Id = 4013844759
    rlm_perl: Added pair DHCP-Client-Hardware-Address = Client_mac
    rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Subnet-Mask
    rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Broadcast-Address
    rlm_perl: Added pair DHCP
Re: rlm_perl and accounting
On 8/29/06, Alan DeKok wrote:
> Pshem Kowalczyk wrote:
>> So I've compiled the source and gave it a try, but it behaved exactly as the stable version - didn't replace nor remove any attributes. Is this supposed to work? I tested the pre and post proxy methods:
>>
>>     ...
>>     # Function to handle pre_proxy
>>     sub pre_proxy {
>>         radiusd::radlog(1, "entering pre-proxy");
>>         $RAD_REQUEST{'User-Name'} = 'testuser';
>
> You're re-writing the request packet (i.e. the one from the NAS), not the packet that's about to be sent to the home server. Try:
>
>     $RAD_PROXY_REQUEST{'User-Name'} = 'testuser';

I added:

    use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_PROXY_REQUEST);

and it didn't work; the change resulted in the following debug:

    rad_recv: Access-Request packet from host 127.0.0.1 port 32787, id=15, length=62
        User-Password = test
        User-Name = test
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-IP-Address = a.b.c.d
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
    perl_pool: item 0x8201620 asigned new request. Handled so far: 1
    found interpetator at address 0x8201620
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair User-Name = test
    rlm_perl: Added pair User-Password = test
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair NAS-IP-Address = a.b.c.d
    rlm_perl: Added pair Proxy-To-Realm = quik
    rlm_perl: Added pair Stripped-User-Name = test
    perl_pool total/active/spare [2/0/2]
    Unreserve perl at address 0x8201620
    modcall: group authorize returns ok for request 0
    Processing the pre-proxy section of radiusd.conf
    modcall: entering group pre-proxy for request 0
    perl_pool: item 0x840f8c8 asigned new request. Handled so far: 1
    found interpetator at address 0x840f8c8
    rlm_perl: entering pre-proxy
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair User-Name = test
    rlm_perl: Added pair User-Password = test
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Realm = quik
    rlm_perl: Added pair NAS-IP-Address = a.b.c.d
    rlm_perl: Added pair Stripped-User-Name = test
    rlm_perl: Added pair Proxy-To-Realm = quik
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair User-Name = test
    rlm_perl: Added pair User-Password = test
    rlm_perl: Added pair Proxy-State = 0x3135
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Realm = quik
    rlm_perl: Added pair NAS-IP-Address = a.b.c.d
    perl_pool total/active/spare [2/0/2]
    Unreserve perl at address 0x840f8c8
    modcall: group pre-proxy returns ok for request 0
    Sending Access-Request of id 22 to x.y.z.103 port 1812
        Framed-Protocol = PPP
        User-Name = test
        User-Password = test
        Proxy-State = 0x3135
        Service-Type = Framed-User
        NAS-IP-Address = a.b.c.d

So this time the new value of User-Name ('testuser') doesn't even show in the debug.

>>     # Function to handle post_proxy
>>     sub post_proxy {
>>         radiusd::radlog(1, "entering post-proxy");
>>         $RAD_REPLY{'Framed-IP-Address'} = '10.10.1.1';
>
> That works. The debug log you posted shows that in the reply.

Well, yes it works, but it didn't replace the original value:

    Sending Access-Accept of id 96 to 127.0.0.1 port 32785
        Framed-IP-Address = 10.10.1.1
        Framed-IP-Address = 192.168.1.65

So now I have two, which confuses the NAS. I tried to remove the whole key from the hash using the 'delete' function and add it afterwards, but it didn't seem to work. It looks like the original attributes are added anyway after the results from rlm_perl (version 1.37). In our situation we have to have control over the IPs sent to the NASes.

Thx for all the hints
pshemko
rlm_perl behaviour
When I call a perl module via rlm_perl and don't undef %RAD_CHECK and %RAD_REPLY before exiting, rlm_perl duplicates some attributes contained within the hashes. For instance:

At entry to the rlm_perl instance:

    $RAD_CHECK{Ldap-Group} is an ARRAY: (GroupA, GroupB)

After exiting the script, "Added pair Ldap-Group" messages appear in the debug output. If I call another perl script to dump the %RAD_CHECK hash, it shows:

    $RAD_CHECK{Ldap-Group} is an ARRAY: (GroupA, GroupB, GroupA, GroupB)

If I undef %RAD_CHECK before exiting from the first perl module, the values are not duplicated. I did some analysis of the sequence of events and I believe this is what's happening:

- rlm_ldap creates the Ldap-Group attributes on the check list with operator T_OP_CMP_EQ during authorize (Ldap-Group is a checkItem in my ldap.attrmap)
- upon return from the perl script, rlm_perl calls pairmove to move the attributes from the RAD_CHECK, RAD_REPLY and RAD_PROXY_REPLY hashes back to the respective pairlist.
- pairmove adds attributes to the destination list for operator T_OP_CMP_EQ (takes the default case), which creates duplicates

Is this expected behaviour of rlm_perl? If so, can it be put on the to-do list for rlm_perl documentation updates (or is it there already and I missed it)? Also, this seems to imply that it's not possible to change or remove, at least, some types of check or reply attributes from within rlm_perl?

Also, the wiki for rlm_perl states that it passes configuration pairs in %RAD_CONFIG. I don't believe this is true (the hash is empty and I checked the source for 1.1.2, 1.1.3 and the latest snapshot and it doesn't create that hash). Is this a feature that is in the works or is the wiki incorrect?

I can supply debug output, radiusd.conf and scripts if necessary.

Thanks.
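As an added example (not code from this post or the earlier DHCP-Domain-Name-Server thread), the following authorize sub reads the multi-valued Ldap-Group entry from %RAD_CHECK and returns two DHCP-Domain-Name-Server values, handling the scalar-or-array-ref shape rlm_perl uses in both directions. It only reads the check list and does not try to rewrite it; the hash and return-code definitions are stand-ins so the file runs outside the server, and the addresses are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from either post: a small authorize sub that reads
# Ldap-Group from %RAD_CHECK and returns two DHCP-Domain-Name-Server values.
# rlm_perl hands one value back as a scalar and several as an array ref, so
# reads must accept both shapes and multi-valued writes must use an array ref.
# Assumption: %RAD_CHECK, %RAD_REPLY and the RLM_MODULE_* codes are the ones
# rlm_perl provides; the definitions below only let the file run stand-alone.
use strict;
use warnings;

our (%RAD_CHECK, %RAD_REPLY);
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2 };

# All values of $name in %$hash as a flat list, whatever shape rlm_perl used.
sub attr_values {
    my ($hash, $name) = @_;
    return () unless exists $hash->{$name};
    my $v = $hash->{$name};
    return ref($v) eq 'ARRAY' ? @$v : ($v);
}

# Store @values under $name: a scalar for one value, an array ref for several.
sub set_attr {
    my ($hash, $name, @values) = @_;
    if    (!@values)      { delete $hash->{$name}; }
    elsif (@values == 1)  { $hash->{$name} = $values[0]; }
    else                  { $hash->{$name} = [ @values ]; }
    return scalar @values;
}

sub authorize {
    my %group = map { $_ => 1 } attr_values(\%RAD_CHECK, 'Ldap-Group');
    if (!$group{'GroupA'}) {
        set_attr(\%RAD_REPLY, 'Reply-Message', 'not a member of GroupA');
        return RLM_MODULE_REJECT;
    }
    # Two name servers (constructed addresses) go back as one array ref, which
    # rlm_perl turns into two DHCP-Domain-Name-Server pairs in the reply.
    set_attr(\%RAD_REPLY, 'DHCP-Domain-Name-Server', '192.0.2.53', '192.0.2.54');
    return RLM_MODULE_OK;
}

# Stand-alone walk-through with the check list as the post describes it.
%RAD_CHECK = ('Ldap-Group' => [ 'GroupA', 'GroupB' ]);
my $rc = authorize();
printf "rc=%d DNS=%s\n", $rc,
    join(',', attr_values(\%RAD_REPLY, 'DHCP-Domain-Name-Server'));
```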
rlm_perl authorize
Hi All,

I'm trying to authorize a user by using the rlm_perl module only. I.e., I only want the perl script to control the authorization. In radiusd.conf I have set:

    proxy_requests = no

and in the authorize part the files statement is commented out (otherwise freeradius will look at the file 'users' for authentication). In the authorize method of my perl script it simply returns RLM_MODULE_OK (to test). When I then send a radius request the authorize fails because of "No authenticate method (Auth-Type) configuration found for the request: Rejecting the user". See below for the complete debug output. Can anyone explain why I get this error, and how to fix it?

thanks,
loz

    rad_recv: Access-Request packet from host 127.0.0.1:1091, id=20, length=124
        User-Name = [EMAIL PROTECTED]
        User-Password = testpwd
        NAS-Identifier = starbuster.xxx.net
        NAS-Port-Id = 444
        Acct-Session-Id = 1234567
        Acct-Status-Type = Accounting-On
        WISPr-Location-Name = testlocation
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    modcall[authorize]: module chap returns noop
    rlm_eap: EAP-Message not found
    modcall[authorize]: module eap returns noop
    rlm_realm: Looking up realm my_realm for User-Name = [EMAIL PROTECTED]
    rlm_realm: No such realm my_realm
    modcall[authorize]: module suffix returns noop
    modcall[authorize]: module mschap returns noop
    perl_pool: item 0x8117540 asigned new request. Handled so far: 1
    found interpetator at address 0x8117540
    rlm_perl: Added pair h323-credit-amount = 100
    rlm_perl: Added pair Acct-Session-Id = 1234567
    rlm_perl: Added pair Client-IP-Address = 127.0.0.1
    rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
    rlm_perl: Added pair User-Password = testpwd
    rlm_perl: Added pair NAS-Identifier = starbuster.xxx.net
    rlm_perl: Added pair Acct-Status-Type = Accounting-On
    rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
    rlm_perl: Added pair NAS-Port-Id = 444
    rlm_perl: Added pair WISPr-Location-Name = testlocation
    perl_pool total/active/spare [5/0/5]
    Unreserve perl at address 0x8117540
    modcall[authorize]: module perl returns ok
    modcall: group authorize returns ok
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
DHCP routing bug (FreeRadius DHCP reply to Default Gateway)
Hello!

I have Freeradius 2.1.6 on FreeBSD 6.2. FreeBSD has a default gateway:

    Destination  Gateway        Flags  Refs  Use   Netif  Expire
    default      192.168.2.150  UGS    0     7922  rl1

The default gateway has mac-address:

    ? (192.168.2.150) at 00:30:48:35:31:32 on rl1 [ethernet]

Freeradius receives the DHCP-Discover:

    [tcpdump] 02:28:25.754215 00:0c:f1:4e:42:36 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 348: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:f1:4e:42:36, length: 306

After authorization Freeradius sends the reply to the default gateway(!), not to the client:

    [tcpdump] 02:28:25.766341 00:30:4f:21:b4:73 > 00:30:48:35:31:32, ethertype IPv4 (0x0800), length 342: 192.168.2.252.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 300

If I delete the default gateway, FreeRadius doesn't send anything. If I put interface = rl1 in the listen{} section, I get the error:

    /usr/local/etc/raddb/radiusd.conf[56]: System does not support binding to interfaces. Delete this line from the configuration file.

FreeRadiusd debug messages:

    Received DHCP-Discover of id 2083766121 from 0.0.0.0:68 to 0.0.0.0:67
        DHCP-Opcode = Client-Message
        DHCP-Hardware-Type = Ethernet
        DHCP-Hardware-Address-Length = 6
        DHCP-Hop-Count = 0
        DHCP-Transaction-Id = 2083766121
        DHCP-Number-of-Seconds = 0
        DHCP-Flags = 0
        DHCP-Client-IP-Address = 0.0.0.0
        DHCP-Your-IP-Address = 0.0.0.0
        DHCP-Server-IP-Address = 0.0.0.0
        DHCP-Gateway-IP-Address = 0.0.0.0
        DHCP-Client-Hardware-Address = 00:0c:f1:4e:42:36
        DHCP-Message-Type = DHCP-Discover
        DHCP-Auto-Config = 1
        DHCP-Client-Identifier = 00:0c:f1:4e:42:36
        DHCP-Requested-IP-Address = 169.254.184.172
        DHCP-Hostname = computer-4cacfb
        DHCP-Vendor-Class-Identifier = MSFT 5.0
        DHCP-Parameter-Request-List = DHCP-Subnet-Mask
        DHCP-Parameter-Request-List = DHCP-Domain-Name
        DHCP-Parameter-Request-List = DHCP-Router-Address
        DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
        DHCP-Parameter-Request-List = DHCP-NETBIOS-Name-Servers
        DHCP-Parameter-Request-List = DHCP-NETBIOS-Node-Type
        DHCP-Parameter-Request-List = DHCP-NETBIOS
        DHCP-Parameter-Request-List = DHCP-Perform-Router-Discovery
        DHCP-Parameter-Request-List = DHCP-Static-Routes
        DHCP-Parameter-Request-List = 249
        DHCP-Parameter-Request-List = DHCP-Vendor
        DHCP-Vendor = 0xdc00
    Trying sub-section dhcp DHCP-Discover {...}
    +- entering group DHCP-Discover {...}
    expand: %{Packet-Dst-IP-Address} -> 0.0.0.0
    ++[reply] returns noop
    rlm_perl: mac: 00:0c:f1:4e:42:36
    rlm_perl: DB result: 192.168.2.1
    rlm_perl: Added pair DHCP-Your-IP-Address = 0.0.0.0
    rlm_perl: Added pair DHCP-Message-Type = DHCP-Discover
    rlm_perl: Added pair DHCP-Vendor-Class-Identifier = MSFT 5.0
    rlm_perl: Added pair DHCP-Hop-Count = 0
    rlm_perl: Added pair DHCP-Number-of-Seconds = 0
    rlm_perl: Added pair DHCP-Client-IP-Address = 0.0.0.0
    rlm_perl: Added pair DHCP-Gateway-IP-Address = 0.0.0.0
    rlm_perl: Added pair DHCP-Hardware-Type = Ethernet
    rlm_perl: Added pair DHCP-Flags = 0
    rlm_perl: Added pair DHCP-Hardware-Address-Length = 6
    rlm_perl: Added pair DHCP-Hostname = computer-4cacfb
    rlm_perl: Added pair DHCP-Opcode = Client-Message
    rlm_perl: Added pair DHCP-Transaction-Id = 2083766121
    rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Subnet-Mask
    rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Domain-Name
    rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Router-Address
    rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
    rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-NETBIOS-Name-Servers
    rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-NETBIOS-Node-Type
    rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-NETBIOS
    rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Perform-Router-Discovery
    rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Static-Routes
    rlm_perl: Added pair DHCP-Parameter-Request-List = 249
    rlm_perl: Added pair DHCP-Parameter-Request-List = DHCP-Vendor
    rlm_perl: Added pair DHCP-Client-Hardware-Address = 00:0c:f1:4e:42:36
    rlm_perl: Added pair DHCP-Server-IP-Address = 0.0.0.0
    rlm_perl: Added pair DHCP-Requested-IP-Address = 169.254.184.172
    rlm_perl: Added pair DHCP-Auto-Config = 1
    rlm_perl: Added pair DHCP-Vendor = 0xdc00
    rlm_perl: Added pair DHCP-Client-Identifier = 00:0c:f1:4e:42:36
    rlm_perl: Added pair DHCP-Your-IP-Address = 192.168.2.1
    rlm_perl: Added pair DHCP-DHCP-Server-Identifier = 192.168.2.252
    rlm_perl: Added pair DHCP-Subnet-Mask = 255.255.255.0
    rlm_perl: Added pair DHCP-Gateway-IP-Address = 192.168.2.150
    rlm_perl: Added pair DHCP-IP-Address-Lease-Time = 86400
    rlm_perl: Added pair DHCP-Router-Address = 192.168.2.150
    ++[perl] returns ok
    ++? if (ok)
    ? Evaluating (ok) -> TRUE
    ++? if (ok) -> TRUE
    ++- entering if (ok) {...}
    +++[reply] returns ok
    ++- if (ok
Re: rlm_perl
> Could someone show me how to process an access-accept via rlm_perl? The example in the script example.pl still causes an access-reject no matter what I try.

That isn't enough information, except to tell you to return a proper value such as RLM_MODULE_OK. Please post debug output.
Re: working rlm_perl example
[EMAIL PROTECTED] wrote:
> I have tried the example.pl and it still gives me an access-reject message.

Please provide your rlm_perl configuration and debug output of radiusd -X

--
Groeten, Regards, Salutations,
Thor Spruyt
Re: rlm_perl
Alex rsm alex-...@hotmail.com wrote:
> And added the following in src/modules/rlm_perl/example.pl
>
>     sub authorize {
>         print "This is a TEST\n";
>         ...
>     }
>
> However, when I send a simple test request I don't see my debug line. I also don't see the message "perl loaded" when I start Freeradius in debug mode (radiusd -X).

I am pretty sure stdout is not plumbed up for rlm_perl, and neither is stderr, so you will not see anything. Of course reading the documentation brings enlightenment in the form of 'radiusd::radlog(1, ...);'... :-/

Searching for 'debug' on the wiki page says many useful things: http://wiki.freeradius.org/Rlm_perl

...and even less surprisingly it's the same as what's in src/modules/rlm_perl/example.pl. *sigh*

Cheers

--
Alexander Clouter
.sigmonster says: Mongoose knghtbrd: and the meek shall inherit k-mart
Re: Need to change response type to Access-Challenge from rlm_perl
To answer my own question, I found that using the return code RLM_MODULE_OK triggers the server to respond back with Access-Accept. If I used RLM_MODULE_HANDLED instead, the response packet type was set to what I expected it to be. This makes sense since I expect the client to exchange several messages with me before I finally trigger the Access-Accept message.

On Mon, Feb 18, 2013 at 9:00 AM, Walter Goulet wgou...@gmail.com wrote:
> Hi,
>
> Looking through archives for this exact question, I see a post from 2008 (http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47423.html) where this exact question was previously asked.
>
> Here is my server version info:
>
>     radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on Feb 17 2013 at 03:34:41
>
> Here's my code:
>
>     # Construct HTTP request
>     my $authresult = authamis($RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'});
>     radiusd::radlog(L_DBG, "Result after authamis call - $authresult");
>     if ($authresult eq "true") {
>         $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
>         $RAD_REPLY{'Reply-Message'} = "authentication successful";
>         for (keys %RAD_REPLY)  { radiusd::radlog(L_DBG, "RAD_REPLY: $_ = $RAD_REPLY{$_}"); }
>         for (keys %RAD_CHECK)  { radiusd::radlog(L_DBG, "RAD_CHECK: $_ = $RAD_CHECK{$_}"); }
>         for (keys %RAD_CONFIG) { radiusd::radlog(L_DBG, "RAD_CONFIG: $_ = $RAD_CONFIG{$_}"); }
>         return RLM_MODULE_OK;
>     } else {
>         $RAD_REPLY{'Reply-Message'} = "authentication failure";
>         return RLM_MODULE_REJECT;
>     }
>
> Here is the relevant debug output:
>
>     Found Auth-Type = perl
>     # Executing group from file /opt/app/freeradius/etc/raddb/sites-enabled/default
>     +- entering group perl {...}
>     rlm_perl: RAD_REQUEST: User-Name = test
>     rlm_perl: RAD_REQUEST: User-Password = 42594190
>     rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.65.1
>     rlm_perl: AMIS request: http://amis.jdt.com:8080/auth/authenticate/test/42594190
>     rlm_perl: Result after authamis call - true
>     rlm_perl: RAD_REPLY: Reply-Message = authentication successful
>     rlm_perl: RAD_CHECK: Response-Packet-Type = Access-Challenge
>     rlm_perl: RAD_CHECK: Auth-Type = perl
>     rlm_perl: RAD_CONFIG: Auth-Type = perl
>     rlm_perl: Added pair User-Name = test
>     rlm_perl: Added pair User-Password = 42594190
>     rlm_perl: Added pair NAS-IP-Address = 192.168.65.1
>     rlm_perl: Added pair Reply-Message = authentication successful
>     rlm_perl: Added pair Response-Packet-Type = Access-Challenge
>     rlm_perl: Added pair Auth-Type = perl
>     ++[perl] returns ok
>     # Executing section post-auth from file /opt/app/freeradius/etc/raddb/sites-enabled/default
>     +- entering group post-auth {...}
>     ++[exec] returns noop
>     Sending Access-Accept of id 81 to 192.168.65.1 port 53504
>         Reply-Message = authentication successful
>     Finished request 0.
>     Going to the next request
>
> Clearly the Access-Challenge setting is not being honored by the server. Is there another attribute that must be set to configure the response type?
>
> Thanks,
> Walter
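As an added example (not the code of either poster in this thread, nor of the 2008 thread above, nor of the "rlm_perl authorize" question that got "No authenticate method (Auth-Type)"), the following puts the pieces together: authorize sets Auth-Type so the perl authenticate runs, round one sets Response-Packet-Type in %RAD_CHECK and returns RLM_MODULE_HANDLED, and round two accepts only a State this server issued. It assumes an in-process hash for the pending challenges (a multi-threaded server needs shared storage with expiry), that rlm_perl renders the echoed State as "0x<hex>" (which is why the State is issued in that form), and stand-in hash and return-code definitions so the file runs outside the server; expected_code_for is a hypothetical helper.

```perl
#!/usr/bin/perl
# Added example, not the code of any poster: an rlm_perl authenticate sub
# that runs the two-round exchange from this thread. Round one answers with
# an Access-Challenge; round two accepts only a State this server issued.
# Assumptions: Auth-Type is set to "Perl" in authorize so this sub runs; the
# challenge store is an in-process hash (a multi-threaded server needs shared
# storage with expiry); rlm_perl renders the echoed State as "0x<hex>", which
# is why the State is issued in that form; the hashes and return codes below
# only stand in for the ones the module provides.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2, RLM_MODULE_HANDLED => 3 };

my $server_key = 'constructed-sample-key';   # constructed, not a real secret
my %pending;                                 # State => user it was issued to

sub authorize {
    $RAD_CHECK{'Auth-Type'} = 'Perl';        # route the request to authenticate() below
    return RLM_MODULE_OK;
}

# Hypothetical helper standing in for the real second-factor check.
sub expected_code_for { my ($user) = @_; return '123456'; }

sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'}     // '';
    my $pass = $RAD_REQUEST{'User-Password'} // '';

    if (!exists $RAD_REQUEST{'State'}) {
        # Round one: an unguessable State bound to this user and request.
        my $state = '0x' . hmac_sha256_hex(join(':', $user, time, $$, rand), $server_key);
        $pending{$state} = $user;
        $RAD_REPLY{'State'}                = $state;
        $RAD_REPLY{'Reply-Message'}        = 'Challenge: enter your one-time code';
        $RAD_CHECK{'Response-Packet-Type'} = 'Access-Challenge';  # check list, not reply
        return RLM_MODULE_HANDLED;   # RLM_MODULE_OK would send Access-Accept instead
    }

    # Round two: the State must be one we issued, for this user, and unused.
    my $issued_to = delete $pending{ $RAD_REQUEST{'State'} };
    if (!defined $issued_to || $issued_to ne $user) {
        $RAD_REPLY{'Reply-Message'} = 'Unknown or reused State';
        return RLM_MODULE_REJECT;
    }
    if ($pass ne expected_code_for($user)) {
        $RAD_REPLY{'Reply-Message'} = 'Bad one-time code';
        return RLM_MODULE_REJECT;
    }
    $RAD_REPLY{'Reply-Message'} = 'authentication successful';
    return RLM_MODULE_OK;
}

# Stand-alone walk-through of both rounds with a constructed request.
%RAD_REQUEST = ('User-Name' => 'test', 'User-Password' => 'pass');
authorize();
my $rc1 = authenticate();
printf "round 1: rc=%d type=%s\n", $rc1, $RAD_CHECK{'Response-Packet-Type'};
$RAD_REQUEST{'State'}         = $RAD_REPLY{'State'};   # the NAS echoes it back
$RAD_REQUEST{'User-Password'} = '123456';
%RAD_REPLY = ();
delete $RAD_CHECK{'Response-Packet-Type'};
my $rc2 = authenticate();
printf "round 2: rc=%d (%s)\n", $rc2, $RAD_REPLY{'Reply-Message'};
```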
Re: final rlm_perl question, hopefully...
Hi all,

Please disregard, I've solved the thing ;-) Silly typo in the return.

Z2L

----- Original Message -----
From: FreeRadius-ML [EMAIL PROTECTED]
To: freeradius-users freeradius-users@lists.freeradius.org
Sent: Thursday, July 26, 2007 6:41:21 PM (GMT+0200) Asia/Jerusalem
Subject: Fwd: final rlm_perl question, hopefully...

Hi All,

Ok, after reviewing all the information that was received, I've set up my FreeRadius as follows:

1. The authorize and authenticate sections are set up to activate digest and perl.
2. My rlm_perl script uses the following lines in order to return the unencrypted user password back to FreeRadius for digest authentication:

    $RAD_CHECK{'Cleartext-Password'} = "xx"; # Remove this line for production
    $RAD_CHECK{'User-Password'} = "xx";      # Remove this line for production

I just put these inside my script for checking; later on this information will be retrieved from an external source.

Now, FreeRadius activates my rlm_perl module, no problem, as I can see the various reply fields being set up. However, I'm still getting the following error:

rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: Digest-Response = 632905a2325f672f049800eda7df9ee4
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Sip-Uri-User = z2l
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0xbbc93f0)
rlm_perl: RAD_REPLY: Reply-Message = User accepted by z2l WSDL
rlm_perl: RAD_REPLY: z2l-Duration = 60
rlm_perl: RAD_REPLY: z2l-Status = 2
rlm_perl: RAD_REPLY: z2l-Session = 833abb3d-d047-4d0d-a40e-2e147049f96d
rlm_perl: Added pair Reply-Message = User accepted by z2l
rlm_perl: Added pair z2l-Duration = 60
rlm_perl: Added pair z2l-Status = 2
rlm_perl: Added pair z2l-Session = 833abb3d-d047-4d0d-a40e-2e147049f96d
rlm_perl: Added pair Cleartext-Password = z2l
rlm_perl: Added pair User-Password = z2l
rlm_perl: Added pair Auth-Type = digest
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0xb933260
modcall[authorize]: module perl returns ok for request 5
rlm_realm: Looking up realm 192.168.2.80 for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm 192.168.2.80
modcall[authorize]: module suffix returns noop for request 5
modcall: leaving group authorize (returns ok) for request 5
rad_check_password: Found Auth-Type DIGEST
auth: type digest
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_digest: Configuration item User-Password or Digest-HA1 is required for authentication.
modcall[authenticate]: module digest returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client 192.168.2.80 port 5060)
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 3 seconds...

Now, my configuration is very very simple. In authorize I have digest and perl enabled; in authenticate I have only digest enabled. If I read the debug correctly, the authorization is going ok:

modcall[authorize]: module perl returns ok for request 5
rlm_realm: Looking up realm 192.168.2.80 for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm 192.168.2.80
modcall[authorize]: module suffix returns noop for request 5
modcall: leaving group authorize (returns ok) for request 5

However, the authentication section fails:

rad_check_password: Found Auth-Type DIGEST
auth: type digest
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_digest: Configuration item User-Password or Digest-HA1 is required for authentication.
modcall[authenticate]: module digest returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client 192.168.2.80 port 5060)

So, I'm either returning something in the wrong way, or I've broken something again. Any pointers on the issue would be highly appreciated.

Regards,
Z2L
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_perl problem (Detaching!!)
Hi..

FR: 1.1.2
FBSD: 6.0

My rlm_perl keeps logging errors like the example below. Every time this happens radiusd hangs and does NOT respond to any request. But this NEVER happens while running in debug mode, where it works fine. rlm_perl is used to load a timeout based on certain rules; you can see my perl script (newtimeou5.pl) and also the config file settings below. Please help. TQ.

Error /var/log/radius.log
##
Thu Feb 8 12:30:09 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout4.pl , func = authorize exit status= Undefined subroutine main:: called.
Thu Feb 8 12:32:00 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb 8 12:39:46 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout4.pl , func = authorize exit status= panic: leave_scope inconsistency at /usr/local/etc/raddb/newtimeout4.pl line 184.
Thu Feb 8 12:39:47 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb 8 14:08:52 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb 8 14:22:40 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb 8 14:57:25 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Fri Feb 9 09:53:52 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout5.pl , func = authorize exit status= Usage: Encode::is_utf8(sv, check = 0) at /usr/local/lib/perl5/site_perl/5.8.7/Convert/ASN1.pm line 422, DATA line 424.
Fri Feb 9 10:21:59 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout5.pl , func = authorize exit status= Undefined subroutine Convert::ASN1::authorize called at /usr/local/lib/perl5/site_perl/5.8.7/Net/LDAP.pm line 759
Fri Feb 9 10:57:59 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout5.pl , func = preacct exit status= Undefined subroutine Convert::ASN1::preacct called at /usr/local/lib/perl5/site_perl/5.8.7/Net/LDAP.pm line 759
##

users
DEFAULT NAS-Identifier == "Wireless-802.11", Autz-Type := Y5, Auth-Type := Y5

#radiusd.conf#
authorize {
    Autz-Type Y5 {
        redundant {
            ldapy51
            ldapy52
        }
        y5perl
    }
}

modules {
    perl y5perl {
        module = /usr/local/etc/raddb/newtimeout5.pl
    }
}

authenticate {
    Auth-Type Y5 {
        redundant {
            ldapy51
            ldapy52
        }
    }
}
##

###newtimeout5.pl
use Net::LDAP;    # needed by ldapquery() below

sub authorize {
    ##main
    my $return_value = 0;
    $return_value = timeout();
    print "VALUE return: $return_value\n";
    if ($return_value eq '-1') {
        return RLM_MODULE_REJECT;
    } else {
        return RLM_MODULE_OK;
    }
}

sub timeout {
    my $query;
    my $query2;
    my $uid = $RAD_REQUEST{'User-Name'};
    my $userfrom;
    my $userconnect = $RAD_REQUEST{'NAS-Identifier'};
    my $timeout;

    # only wireless connections get a timeout rule
    if ($userconnect =~ /Wireless-802.11|WiFi/) {
        $query  = "Service";
        $query2 = "TimeoutWIFI";
    }

    if ($query) {
        # map the user's LDAP service class to the NAS it "belongs" to
        $userfrom = ldapquery($uid, $query);
        if ($userfrom =~ /Y5PLAT|Y5GOLD/) {
            $userfrom = "WiFi-BTP";
        } elsif ($userfrom =~ /^Y5$/) {
            $userfrom = "Wireless-802.11";
        }

        if ($userconnect eq $userfrom) {
            print "rlm_perl: Local user.. No timeout.. Unlimited!!!\n";
            return (1);
        } elsif ($userconnect ne $userfrom) {
            print "rlm_perl: Roaming user.. Timeout will be loaded !!\n";
            $timeout = ldapquery($uid, $query2);
            print "rlm_perl: $query2:$timeout\n";
            if (!$timeout) {
                return (-1);
            } else {
                $RAD_REPLY{'Session-Timeout'} = $timeout;
                print "rlm_perl: NOT YET\n";
                return (1);
            }
        }
    } else {
        print "rlm_perl: Not a wifi connection !!!\n";
        return (1);
    }
}

sub ldapquery {
    my ($uid, $query) = @_;
    my $host = "xx";
    my $value;
    my $baseDN = "ou=Y5,ou=AAA, ou=x, dc=x, dc=";
    my $ldap = Net::LDAP->new($host) or die "$@";
    my $mesg = $ldap->bind;    # an anonymous bind
    $mesg = $ldap->search(     # perform a search
        base   => $baseDN,
        filter => "(&(uid=$uid))"
    );
    my $count = $mesg->count;
    if ($mesg->code) {
        return ("NULL");
    }
    if ($count > 0
rewrite attribute with perl module
Hi ALL,

I have the attribute Session-Timeout with value 36 in the radreply database and want to modify the value when RADIUS returns it in its reply. I enabled the perl module in post-auth, and in the perl sub post_auth I added:

    .
    print attr
    $RAD_REPLY{'Session-Timeout'} = 5;
    .
    print attr
    .
    return RLM_MODULE_UPDATED

But that does not affect the returned value:

Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Cisco-AVPair = throttle=55
Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Session-Timeout = 36
Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Framed-IP-Address = x
Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REQUEST: SQL-User-Name = user
...
Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Cisco-AVPair = throttle=55
Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Session-Timeout = 5
Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Framed-IP-Address = xx

but RADIUS sent back:

Sending Access-Accept of id 1 to 192.168.100.10:32830
    Framed-IP-Address :=
    Cisco-AVPair = throttle=55
    Session-Timeout = 36

with a value of 36, not (5).

I then enabled the perl module in the authorize and authenticate sections of radius.conf and put the same code in the corresponding subs (authorize and authenticate) of the perl module, but I got the same result: the value is not changed. I also get the same result when changing the return code to RLM_MODULE_UPDATED.

Any hint please?!! Can I modify the value of reply attributes?

Thanks a lot
Affect Static IP by Freeradius/ASA5510
Hi,

Sorry to restart the same subject, but I really have searched and searched, and I don't see any solution...

I use:
- FreeRadius with a Perl script
- A Cisco ASA5510, IOS 8.0

In debug I have:

When a user doesn't have an IP, the pool is used:
==
rad_recv: Access-Request packet from host 10.218.7.243:1025, id=31, length=166
    User-Name = vpn...@xx.fr
    User-Password = XXX
    NAS-Port = 1658880
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Called-Station-Id = 62.XX.XX.XX
    Calling-Station-Id = 88.XX.XX.XX
    NAS-Port-Type = Virtual
    Tunnel-Client-Endpoint:0 = 88.XX.XX.XX
    NAS-IP-Address = 10.218.7.243
    Cisco-AVPair = ip:source-ip=88.XX.XX.XXy\223
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: Looking up realm xx.fr for User-Name = vpn...@xx.fr
    rlm_realm: No such realm xx.fr
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 154
    users: Matched entry DEFAULT at line 173
    users: Matched entry DEFAULT at line 185
  modcall[authorize]: module files returns ok for request 0
Using perl at 0x8149a00
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
  modcall[authorize]: module perl returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type Perl
auth: type Perl
Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 0
Using perl at 0x8149a00
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair h323-credit-amount = 100
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
  modcall[authenticate]: module perl returns ok for request 0
modcall: leaving group Perl (returns ok) for request 0
Login OK: [vpn...@xx.fr/XXX] (from client 10.218.7.243 port 1658880 cli 88.XX.XX.XX)
Sending Access-Accept of id 31 to 10.218.7.243 port 1025
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 576
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-Compression = Van-Jacobson-TCP-IP
    h323-credit-amount = 100
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 31 with timestamp 4989aa4d
Nothing to do. Sleeping until we see a request.

No problems: the user connects and gets an IP from the pool.

When I use a user with a static IP:

rad_recv: Access-Request packet from host 10.218.7.243:1025, id=32, length=166
    User-Name = vpn...@xx.fr
    User-Password = XXX
    NAS-Port = 1662976
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Called-Station-Id = 62.23.17.71
    Calling-Station-Id = 88.XX.XX.XX
    NAS-Port-Type = Virtual
    Tunnel-Client-Endpoint:0 = 88.XX.XX.XX
    NAS-IP-Address = 10.218.7.243
    Cisco-AVPair = ip:source-ip=88.XX.XX.XXy\223
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
    rlm_realm: Looking up realm xx.fr for User-Name = vpn...@xx.fr
    rlm_realm: No such realm xx.fr
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 1
    users: Matched entry DEFAULT at line 154
    users: Matched entry DEFAULT at line 173
    users: Matched entry DEFAULT at line 185
  modcall[authorize]: module files returns ok for request 1
Using perl at 0x8149a00
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 10.218.3.41
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service
Re: Problem with rlm_perl
OK, that's what I did. But the thing is that my radius will be authenticating and doing accounting for several services from different NASes, and it would be quite good to keep them separate. What's more, if radius is started without debug mode it works normally for a while, though only for a while.

----- Original Message -----
From: Anatoly S. Zimin anato...@team.co.ru
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, April 07, 2009 3:45 PM
Subject: Re: Problem with rlm_perl

Hi!

Actually, it is quite inconvenient to hunt for problems from just a debug log plus a config. It would be better to describe it, even in broken English. That's a digression...

In general, rlm_perl has quite a lot of glitches, for example when working with various modules such as IO::Socket::. Try putting everything into one script.

Hello.

Config:

perl auth_perl_pppoe {
    module = /var/www/radius/radius_auth.pl
    func_accounting = accounting
}

perl acc_perl_pppoe {
    module = /var/www/radius/radius_accounting.pl
    func_authenticate = authenticate
}

-

authenticate {
    Auth-Type PPPOE_AUTH {
        auth_perl_pppoe
    }
}

#
# Accounting. Log the accounting data.
#
accounting {
    Acct-Type PPPOE_ACC {
        acc_perl_pppoe
    }
    detail
    unix
    radutmp
}

This error in radiusd -X:

rad_recv: Access-Request packet from host 93.95.41.141 port 53773, id=8, length=146
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 100
    NAS-Port-Type = Ethernet
    User-Name = pppoe_test
    Calling-Station-Id = 00:13:77:60:60:CB
    Called-Station-Id = internet
    NAS-Port-Id = e2_v15
    CHAP-Challenge = 0x3b30fc1959ca610275bdc66582b579cf
    CHAP-Password = 0x013e0573332525cd3ebc797dbe68f0969d
    NAS-Identifier = ntk-hsgw
    NAS-IP-Address = 93.95.41.141
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = pppoe_test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[mschap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
[files] users: Matched entry DEFAULT at line 7
[files] users: Matched entry DEFAULT at line 19
++[files] returns ok
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = PPPOE_AUTH
+- entering group PPPOE_AUTH {...}
GOT CLONE -1209066800 0x91011d8
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair CHAP-Password = 0x013e0573332525cd3ebc797dbe68f0969d
rlm_perl: Added pair Huntgroup-Name = ntk_pppoe
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Called-Station-Id = internet
rlm_perl: Added pair Calling-Station-Id = 00:13:77:60:60:CB
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = pppoe_test
rlm_perl: Added pair CHAP-Challenge = 0x3b30fc1959ca610275bdc66582b579cf
rlm_perl: Added pair NAS-Identifier = ntk-hsgw
rlm_perl: Added pair NAS-IP-Address = 93.95.41.141
rlm_perl: Added pair NAS-Port = 100
rlm_perl: Added pair NAS-Port-Id = e2_v15
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Class = dialup
rlm_perl: Added pair Mikrotik-Rate-Limit = 256k
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Auth-Type = PPPOE_AUTH
++[auth_perl_pppoe] returns ok
Login OK: [pppoe_test] (from client ntk-hsgw port 100 cli 00:13:77:60:60:CB)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 8 to 93.95.41.141 port 53773
    Framed-Protocol = PPP
    Service-Type = Framed-User
    Class = 0x6469616c7570
    Mikrotik-Rate-Limit = 256k
    Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 93.95.41.141 port 57551, id=9, length=157
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 100
    NAS-Port-Type = Ethernet
    User-Name = pppoe_test
    Calling-Station-Id = 00:13:77:60:60:CB
    Called-Station-Id = internet
    NAS-Port-Id = e2_v15
    Class = 0x6469616c7570
    Acct-Session-Id = 8170005c
    Framed-IP-Address = 93.95.42.63
    Acct-Authentic = RADIUS
    Event-Timestamp = Apr 7 2009 17:07:22 MSD
    Acct-Status-Type = Start
    NAS-Identifier = ntk-hsgw
    NAS-IP-Address = 93.95.41.141
    Acct-Delay-Time = 0
+- entering group preacct
Re: Problem with rlm_perl
Yes, that's definitely a bug. I had the same problem: it works in debug, but as soon as you switch to normal mode the glitches start (almost) immediately. My guess is that it is all about forks. (As unpleasant as it is, the wonderful Perl language has some crooked module implementations that misbehave when forked.) I solved my problems by merging the scripts and rewriting everything at a lower level, i.e. I replaced IO::Socket::INET with plain Socket. And of course by leaving out such useful things as fork and threads. Sometimes glitches appear in new versions; maybe it's worth trying to roll back a few sub-versions? (as a last resort)

OK, that's what I did. But the thing is that my radius will be authenticating and doing accounting for several services from different NASes, and it would be quite good to keep them separate. What's more, if radius is started without debug mode it works normally for a while, though only for a while.

----- Original Message -----
From: Anatoly S. Zimin anato...@team.co.ru
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, April 07, 2009 3:45 PM
Subject: Re: Problem with rlm_perl

Hi!

Actually, it is quite inconvenient to hunt for problems from just a debug log plus a config. It would be better to describe it, even in broken English. That's a digression...

In general, rlm_perl has quite a lot of glitches, for example when working with various modules such as IO::Socket::. Try putting everything into one script.

Hello.

Config:

perl auth_perl_pppoe {
    module = /var/www/radius/radius_auth.pl
    func_accounting = accounting
}

perl acc_perl_pppoe {
    module = /var/www/radius/radius_accounting.pl
    func_authenticate = authenticate
}

-

authenticate {
    Auth-Type PPPOE_AUTH {
        auth_perl_pppoe
    }
}

#
# Accounting. Log the accounting data.
#
accounting {
    Acct-Type PPPOE_ACC {
        acc_perl_pppoe
    }
    detail
    unix
    radutmp
}

This error in radiusd -X:

rad_recv: Access-Request packet from host 93.95.41.141 port 53773, id=8, length=146
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 100
    NAS-Port-Type = Ethernet
    User-Name = pppoe_test
    Calling-Station-Id = 00:13:77:60:60:CB
    Called-Station-Id = internet
    NAS-Port-Id = e2_v15
    CHAP-Challenge = 0x3b30fc1959ca610275bdc66582b579cf
    CHAP-Password = 0x013e0573332525cd3ebc797dbe68f0969d
    NAS-Identifier = ntk-hsgw
    NAS-IP-Address = 93.95.41.141
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = pppoe_test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[mschap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
[files] users: Matched entry DEFAULT at line 7
[files] users: Matched entry DEFAULT at line 19
++[files] returns ok
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = PPPOE_AUTH
+- entering group PPPOE_AUTH {...}
GOT CLONE -1209066800 0x91011d8
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair CHAP-Password = 0x013e0573332525cd3ebc797dbe68f0969d
rlm_perl: Added pair Huntgroup-Name = ntk_pppoe
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Called-Station-Id = internet
rlm_perl: Added pair Calling-Station-Id = 00:13:77:60:60:CB
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = pppoe_test
rlm_perl: Added pair CHAP-Challenge = 0x3b30fc1959ca610275bdc66582b579cf
rlm_perl: Added pair NAS-Identifier = ntk-hsgw
rlm_perl: Added pair NAS-IP-Address = 93.95.41.141
rlm_perl: Added pair NAS-Port = 100
rlm_perl: Added pair NAS-Port-Id = e2_v15
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Class = dialup
rlm_perl: Added pair Mikrotik-Rate-Limit = 256k
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Auth-Type = PPPOE_AUTH
++[auth_perl_pppoe] returns ok
Login OK: [pppoe_test] (from client ntk-hsgw port 100 cli 00:13:77:60:60:CB)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 8 to 93.95.41.141 port 53773
    Framed-Protocol = PPP
    Service-Type = Framed-User
    Class = 0x6469616c7570
    Mikrotik-Rate
RE: Radius Access-Challenge and Apache
Hi Alan,

Thank you for your response. I've been having a lot of trouble reaching the mailing list; my responses are not getting through. Hopefully this one will!

Below is the output from the debug mode:

rad_recv: Access-Request packet from host 127.0.0.1 port 1026, id=60, length=83
    User-Name = dra
    User-Password = *
    Service-Type = Authenticate-Only
    NAS-Identifier = debian-test-dra.vsl.com.au
    NAS-IP-Address = 127.0.0.1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = dra, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 54
++[files] returns ok
rlm_perl: Authorize Function Called
rlm_perl: Authorization for 127.0.0.1 was granted...
rlm_perl: Added pair User-Name = dra
rlm_perl: Added pair NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl: Added pair User-Password = *
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Perl
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group Perl {...}
rlm_perl: Log Request Attributes Called
rlm_perl:Request: User-Name = dra
rlm_perl:Request: User-Password = *
rlm_perl:Request: NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl:Request: Service-Type = Authenticate-Only
rlm_perl:Request: NAS-IP-Address = 127.0.0.1
rlm_perl: Authenticate Function Called
rlm_perl: User: dra Authenticated, now sending access-challenge
rlm_perl: Log Reply Attributes Called
rlm_perl:Reply: Reply-Message = Please Enter Code
rlm_perl:Reply: State = challenge
rlm_perl: Added pair User-Name = dra
rlm_perl: Added pair User-Password = *
rlm_perl: Added pair NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Reply-Message = Please Enter Code
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns handled
Sending Access-Challenge of id 60 to 127.0.0.1 port 1026
    Reply-Message = Please Enter Code
    State = 0x6368616c6c656e6765
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 6 ID 60 with timestamp +148
Ready to process requests.

The output to the browser at this point looks like this (Firefox 6.0, but I have tried IE 8.0 too):
http://imageshack.us/photo/my-images/856/authenticationrequired2.png/

I turned up the logging level for Apache too; the following is a complete successful login:

[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1185): Radius Auth for: debian-test-dra.vsl.com.au requests /test/ : file=/var/www/test/
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(762): Found Radius Cookie, now check if it's valid...
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1191): Found cookie=8115747392e228c2f612d8fce9b384074e5c2035f36809adchallenge for user=dra :
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1195): with RADIUS challenge state set.\n
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(902): Sending packet on 127.0.0.1:1812
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(): RADIUS server requested challenge for user dra
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1232): RADIUS authentication for user=dra password=* failed\n
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1239): Sending failure message to user=dra\n
[Tue Aug 30 09:25:04 2011] [error] [client 10.10.240.240] user dra: authentication failure for /test/: Password Mismatch
[Tue Aug 30 09:25:04 2011] [debug] mod_deflate.c(615): [client 10.10.240.240] Zlib: Compressed 482 to 324 : URL /test/
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1185): Radius Auth for: debian-test-dra.vsl.com.au requests /test/ : file=/var/www/test/
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(762): Found Radius Cookie, now check if it's valid...
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1191): Found cookie=f94377b91a7b4e30ac0a3910ea54ec194e5c2048f36809adchallenge for user=dra :
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1195): with RADIUS challenge state set.\n
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(902): Sending packet on 127.0.0.1:1812
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1256): RADIUS Authentication for user=dra password= OK. Cookie expiry in 5 minutes\n
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius
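The two-round exchange shown in the debug output above, as an added example that is not part of the original post, of mod_auth_radius, or of FreeRADIUS: an rlm_perl authenticate hook that answers the first request with an Access-Challenge and verifies the second. It assumes a per-user second-factor code and a State signing key, both kept in the constructed %USERS table and $STATE_KEY (neither is in the post), and that rlm_perl hands the echoed State back to the script as 0x-prefixed hex, which is how the reply above prints the outgoing State. Run it stand-alone with RLM_PERL_SELFTEST=1 perl challenge.pl.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: rlm_perl authenticate hook driving
# a two-round Access-Challenge exchange. Assumptions (not from the post): the
# second factor is a per-user static code in the constructed %USERS table, and
# the State is signed with $STATE_KEY.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# rlm_perl fills these before calling the hook; declared so the script also
# runs stand-alone.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Same numeric values rlm_perl's example.pl defines.
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_OK      => 2,
    RLM_MODULE_HANDLED => 3,
};

my $STATE_KEY = 'replace-with-a-long-random-secret';   # assumption: from config in production
my $STATE_TTL = 120;                                    # seconds a challenge stays valid
my %USERS = (                                           # constructed sample data
    dra => { password => 'first-factor', code => '482913' },
);

# Constant-time comparison; Perl's eq stops at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# State = "<issued-at>:<HMAC(user:issued-at)>": unguessable, bound to the user
# and self-expiring, unlike the fixed string "challenge" in the debug above.
sub make_state {
    my ($user, $ts) = @_;
    return sprintf('%d:%s', $ts, hmac_sha256_hex("$user:$ts", $STATE_KEY));
}

sub state_is_valid {
    my ($user, $state, $now) = @_;
    my ($ts, $mac) = $state =~ /^(\d+):([0-9a-f]{64})$/ or return 0;
    return 0 if $now - $ts > $STATE_TTL || $ts > $now;
    return ct_eq($mac, hmac_sha256_hex("$user:$ts", $STATE_KEY));
}

# Assumption: rlm_perl presents octets attributes as 0x-prefixed hex (the reply
# above shows State = 0x6368616c6c656e6765 for "challenge"); undo that here.
sub decode_octets {
    my ($v) = @_;
    return defined $v && $v =~ /^0x([0-9a-fA-F]*)$/ ? pack('H*', $1) : $v;
}

sub authenticate {
    my $now  = @_ ? shift : time;
    my $user = $RAD_REQUEST{'User-Name'}     // '';
    my $pw   = $RAD_REQUEST{'User-Password'} // '';
    my $rec  = $USERS{$user} or return RLM_MODULE_REJECT;

    if (!defined $RAD_REQUEST{'State'}) {
        # Round 1: check the first factor, then challenge for the code.
        return RLM_MODULE_REJECT unless ct_eq($pw, $rec->{password});
        $RAD_REPLY{'State'}                = make_state($user, $now);
        $RAD_REPLY{'Reply-Message'}        = 'Please Enter Code';
        $RAD_REPLY{'Response-Packet-Type'} = 'Access-Challenge';
        return RLM_MODULE_HANDLED;   # the reply is fully built by the script
    }

    # Round 2: the client echoes State and sends the code as User-Password.
    my $state = decode_octets($RAD_REQUEST{'State'});
    return RLM_MODULE_REJECT unless state_is_valid($user, $state, $now);
    return RLM_MODULE_REJECT unless ct_eq($pw, $rec->{code});
    return RLM_MODULE_OK;
}

# Stand-alone walk through both rounds; never runs inside radiusd.
if ($ENV{RLM_PERL_SELFTEST}) {
    %RAD_REQUEST = ('User-Name' => 'dra', 'User-Password' => 'first-factor');
    %RAD_REPLY   = ();
    die "round 1 should challenge" unless authenticate() == RLM_MODULE_HANDLED;
    my $state = $RAD_REPLY{'State'};
    %RAD_REQUEST = ('User-Name' => 'dra', 'User-Password' => '482913',
                    'State' => '0x' . unpack('H*', $state));
    die "round 2 should accept" unless authenticate() == RLM_MODULE_OK;
    %RAD_REQUEST = ('User-Name' => 'dra', 'User-Password' => '000000',
                    'State' => '0x' . unpack('H*', $state));
    die "wrong code should reject" unless authenticate() == RLM_MODULE_REJECT;
    print "self-test ok\n";
}
1;
```

The server keeps nothing between the two rounds, so the only thing that tells a State it issued from one a client made up is the HMAC, and binding it to User-Name plus an issue time stops a State issued to one user from being replayed by another or kept indefinitely. The static string "challenge" in the debug output above gives none of that.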
Re: rlm_perl with WinXP MS-CHAP clients ?
Hello,

It seems that it is not using rlm_perl for authentication. I would assume that this is because, according to the document I was following, it had me add:

Auth-Type Perl {
        perl
}

to the authentication section, which means that if the Auth-Type is set to Perl then the perl module is used. However I think that since the client or server is setting the auth type to MS-CHAP, since that is what the client is using, it is trying to use the mschap module.

I did make the following change under the users file:

#DEFAULT        Auth-Type = System
#       Fall-Through = 1

DEFAULT Auth-Type = Perl
        Fall-Through = 1

as the documentation (http://wiki.freeradius.org/index.php/Rlm_perl) said to do. If anyone has any info it would be helpful.

Michael

Michael Gale wrote:

Hello,

I have a freeradius 1.0.X server setup with ppp and pptp using a mysql DB for user authentication. Here I assign static IPs and users to groups. We wish to use rlm_perl instead of the sql module so we can authenticate the users against an in-house application. I have built freeradius 1.1.3 from source and it seems to work, however since the client is WinXP and the auth type is MS-CHAP it seems to be calling the mschap section under authentication and then exiting.

Here is my debug output:

rad_recv: Access-Request packet from host 127.0.0.1:32768, id=51, length=141
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = baduser
        MS-CHAP-Challenge = 0x0c09ad640ce7275613b8a0dd51d2f4c6
        MS-CHAP2-Response = 0x630065cbdfea16f542fbda8cdc65d7fd3093ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b
        Calling-Station-Id = .271
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
modcall[authorize]: module mschap returns ok for request 0
rlm_realm: No '@' in User-Name = baduser, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
modcall[authorize]: module files returns ok for request 0
perl_pool: item 0x9d5ad20 asigned new request. Handled so far: 1
found interpetator at address 0x9d5ad20
rlm_perl: MG RAD_REQUEST: Service-Type = Framed-User
rlm_perl: MG RAD_REQUEST: Calling-Station-Id = .271
rlm_perl: MG RAD_REQUEST: MS-CHAP-Challenge = 0x0c09ad640ce7275613b8a0dd51d2f4c6
rlm_perl: MG RAD_REQUEST: Client-IP-Address = 127.0.0.1
rlm_perl: MG RAD_REQUEST: Framed-Protocol = PPP
rlm_perl: MG RAD_REQUEST: User-Name = baduser
rlm_perl: MG RAD_REQUEST: MS-CHAP2-Response = 0x630065cbdfea16f542fbda8cdc65d7fd3093ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b
rlm_perl: MG RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: MG RAD_REQUEST: NAS-Port = 0
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = MS-CHAP
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9d5ad20
modcall[authorize]: module perl returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type MS-CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for baduser with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect: [baduser/no User-Password attribute] (from client localhost port 0 cli .271)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 51 to 127.0.0.1 port 32768
Waking up in 4 seconds...
--- Walking the entire request
Re: rlm_perl
However, when I send a simple test request I don't see my debug line. I also don't see the message "perl loaded" when I start Freeradius in debug mode (radiusd -X). Am I missing anything?

Could you post the debug. Might be you don't have rlm_perl built, though the server usually complains about those types of things...

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
%RAD_REPLY hash problem
Hello,

I'm working with Freeradius 2.1.10. I want to authorize a user using a multi-valued attribute (Relaciones), so I use perl. The values of the attribute Relaciones are stored in LDAP. Nombre-Completo is another attribute stored in LDAP. Relaciones is an integer value. A user is authorized if they have one Relaciones attribute with a positive value (no + sign). Relaciones, Nombre-Completo and Codigo-Reject are vendor specific attributes defined in /usr/share/freeradius/dictionary.rinuex

My perl script is:

# cat /etc/freeradius/perl/checkRelaciones.pm
#!/usr/bin/perl
use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
#use Data::Dumper;

use constant RLM_MODULE_REJECT => 0;   # /* immediately reject the request */
use constant RLM_MODULE_OK     => 2;   # /* the module is OK, continue */

sub authorize {
    my $refRelaciones;
    if (exists $RAD_REPLY{'Relaciones'} && defined $RAD_REPLY{'Relaciones'}) {
        $refRelaciones = $RAD_REPLY{'Relaciones'};
        # rlm_perl passes a plain scalar for a single value and an array
        # reference for a multi-valued attribute; handle both so a single
        # value does not die under "use strict".
        my @relaciones = ref($refRelaciones) eq 'ARRAY' ? @{$refRelaciones} : ($refRelaciones);
        foreach (@relaciones) {
            if ($_ =~ /^[0-9]{2}/) {
                return RLM_MODULE_OK;
            }
        }
        $RAD_REPLY{'Codigo-Reject'} = 11;   # Sin-Relacion
    }
    return RLM_MODULE_REJECT;
}

Everything works fine. My problem is that rlm_perl duplicates an attribute in the %RAD_REPLY hash.

Debug:

rad_recv: Access-Request packet from host x.x.x.x port 56822, id=100, length=75
        User-Name = a...@unex.es
        User-Password =
        Calling-Station-Id = ...
server rinuex {
...
[ldap1] looking for check items in directory...
[ldap1] ntPassword -> NT-Password == 0x3..
[ldap1] looking for reply items in directory...
[ldap1] Relaciones -> Relaciones += 03
[ldap1] sn -> Nombre-Completo = Ana Gallardo
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap1] user ana authorized to use remote access
[ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
...
rlm_perl: Added pair User-Name = a...@unex.es
rlm_perl: Added pair User-Password =
rlm_perl: Added pair Intentos-Reject = 0
rlm_perl: Added pair SQL-User-Name = ana
rlm_perl: Added pair Realm = unex.es
rlm_perl: Added pair Stripped-User-Name = ana
rlm_perl: Added pair Calling-Station-Id = ...
rlm_perl: Added pair Nombre-Completo = Ana Gallardo
rlm_perl: Added pair Relaciones = 03
rlm_perl: Added pair Relaciones = Ana Gallardo
rlm_perl: Added pair NT-Password = 0x344...
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Ldap-UserDn = ...
++[perl] returns ok
...
++[pap] returns ok
...
} # server rinuex
Sending Access-Accept of id 100 to x.x.x.x port 56822
        Nombre-Completo = Ana Gallardo
        Relaciones += 03
        Relaciones += Ana Gallardo

Any ideas?? Sorry for my english and thank you in advance.

Ana Gallardo Gómez
rlm_perl DEBUG log with garbage output
Hi, running xlat within rlm_perl gives the correct result, but what concerns me is that in the debug log there is garbage output as below:

radius_xlat: '.*'
radius_xlat: Running registered xlat function of module y5perl for string '%{User-Name}:%{NAS-Identifier}'
radius_xlat: 'bacang:JARINGWiF'
rlm_perl: Len is 4 , out is NULL?8???Ù¿¿?49(hÕ¿¿?? freespace is 254
radius_xlat: 'NULL'

Calling from:

attr_rewrite wifi {
        ##some code
        replacewith = "%{y5perl:%{User-Name}:%{NAS-Identifier}}"
}

preacct {
        y5perl
        wifi
        files
}

sub xlat {
        # some code
        # return NULL or somevalue
        return ($value);
}
Re: confused by logging targets for rlm_perl
Olivier Bilodeau wrote:

http://wiki.freeradius.org/Rlm_perl#Logging refers to:
0 - Debug
1 - Auth

Those are wrong. See src/include/radiusd.h, L_DBG, etc. I've fixed the Wiki.

I expected Debug not to go out in radius.log and Auth to do since I specified Auth to yes in radiusd.conf.

Yup.

With radius -X, as expected, I got everything. Am I missing something here? Is this a bug or a feature(tm)?

Bug. See the v2.1.x branch in git for patches to src/modules/rlm_perl/example.pl

Alan DeKok.
Re: Packet-Original-Timestamp
Бен Томпсон wrote:

I tried checking out the git master code, but it just hangs when calling rlm_perl. This is the last line I see when running in debug mode:

Fri Mar 1 12:46:49 2013 : Debug: (0) modsingle[authorize]: calling perl (rlm_perl) for request 0

I need rlm_perl as part of my setup... Is Packet-Original-Timestamp definitely not usable in v2.x?

Don't ask leading questions like that. It's rude. It is usable. Arran said it was usable. You were told this.

If you want to add Event-Timestamp, when it isn't already there, do:

if (!Event-Timestamp) {
        update request {
                Event-Timestamp := %l
        }
}

Alan DeKok.
MAC-Auth issues with rlm_perl
Server: Debian 6 (Squeeze) 2.6.32-5-amd64
FreeRadius: 2.1.10 (Debian package)
Client: HP E-MSM460 AP (MSCHAPv2, Use message authenticator)
Authentication methods for the MSM460 are: MSCHAPv2, MSCHAP, CHAP, EAP MD5 and PAP.

I'm trying to set up a simple MAC-Auth based network using HP 2610 switches and MSM640 wireless APs as radius clients. I've added the AP to the clients.conf and configured the AP to use MAC-based authentication, and it appears to be talking to FreeRadius using MSCHAPv2 correctly. We only have a few dozen clients, so I'm using the perl module to read and cache a text file of MAC addresses. My script watches the file's mtime and re-loads it as necessary.

I've followed the instructions on http://wiki.freeradius.org/Rlm_perl, but I get the following error:

/etc/freeradius/users[204]: Parse error (check) for entry DEFAULT: Unknown value Perl for attribute Auth-Type

After some trial and error, I found that adding perl to the authorize and authenticate sections of sites-available/inner-tunnel would get rid of the error, but I have no idea if that solved the problem or merely masked it and caused the next one. There appears to be something seriously wrong with the way this config is working, because rlm_perl is calling the AUTHORIZE function but not AUTHENTICATE. I've pasted the debug of an authentication attempt below. It appears to be taking the CLIENT mschap authentication and somehow applying those attributes to mangle USER authentication.

rad_recv: Access-Request packet from host 192.168.0.29 port 35063, id=48, length=275
        Acct-Session-Id = 1ca83cd8-00013b2c
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = CN18D332BD
        NAS-IP-Address = 192.168.0.29
        User-Name = 984b4af5bf40
        Calling-Station-Id = 98:4b:4a:f5:bf:40
        Called-Station-Id = 2c:41:38:f4:f5:c0
        Service-Type = Login-User
        MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516
        MS-CHAP2-Response = 0x3000f12947d93103bfe476001a4f8d6fcc6800 00fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba
        Colubris-AVPair = ssid=TSV-UC
        Colubris-AVPair = phytype=IEEE802dot11n
        Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = 984b4af5bf40, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 204
++[files] returns ok
rlm_perl: AUTHORIZE
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: RAD_REQUEST: Acct-Session-Id = 1ca83cd8-00013b2c
rlm_perl: RAD_REQUEST: Service-Type = Login-User
rlm_perl: RAD_REQUEST: Called-Station-Id = 2c:41:38:f4:f5:c0
rlm_perl: RAD_REQUEST: Calling-Station-Id = 98:4b:4a:f5:bf:40
rlm_perl: RAD_REQUEST: Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e
rlm_perl: RAD_REQUEST: MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516
rlm_perl: RAD_REQUEST: User-Name = 984b4af5bf40
rlm_perl: RAD_REQUEST: NAS-Identifier = CN18D332BD
rlm_perl: RAD_REQUEST: MS-CHAP2-Response = 0x3000f12947d93103bfe476001a4f8d6fcc68fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba
rlm_perl: RAD_REQUEST: Colubris-AVPair = ARRAY(0x127d4d8)
rlm_perl: RAD_REQUEST: NAS-Port = 0
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.0.29
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Acct-Session-Id = 1ca83cd8-00013b2c
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Called-Station-Id = 2c:41:38:f4:f5:c0
rlm_perl: Added pair Calling-Station-Id = 98:4b:4a:f5:bf:40
rlm_perl: Added pair Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e
rlm_perl: Added pair MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516
rlm_perl: Added pair User-Name = 984b4af5bf40
rlm_perl: Added pair NAS-Identifier = CN18D332BD
rlm_perl: Added pair MS-CHAP2-Response = 0x3000f12947d93103bfe476001a4f8d6fcc68fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba
rlm_perl: Added pair Colubris-AVPair = ssid=TSV-UC
rlm_perl: Added pair Colubris-AVPair = phytype=IEEE802dot11n
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address = 192.168.0.29
rlm_perl: Added pair Auth-Type = MSCHAP
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext
Re: rlm_perl DEBUG log with garbage output
It works!! Thanks.

--haizam

- Original Message -
From: Bjørn Mork [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, January 25, 2007 6:05 PM
Subject: Re: rlm_perl DEBUG log with garbage output

Rohaizam Abu Bakar [EMAIL PROTECTED] writes:

Hi, running xlat within rlm_perl gives the correct result, but what concerns me is that in the debug log there is garbage output as below:

radius_xlat: '.*'
radius_xlat: Running registered xlat function of module y5perl for string '%{User-Name}:%{NAS-Identifier}'
radius_xlat: 'bacang:JARINGWiF'
rlm_perl: Len is 4 , out is NULL?8???Ù¿¿?49(hÕ¿¿?? freespace is 254
radius_xlat: 'NULL'

Try this patch:

diff -u -r1.13.4.7 rlm_perl.c --- src/modules/rlm_perl/rlm_perl.c 27 Apr 2006 17:35:44 - 1.13.4.7 +++ src/modules/rlm_perl/rlm_perl.c 25 Jan 2007 10:03:51 - @@ -694,7 +694,7 @@ } else if (count 0) { tmp = POPp; ret = strlen(tmp); - strncpy(out,tmp,ret); + strncpy(out,tmp,ret+1); radlog(L_DBG,rlm_perl: Len is %d , out is %s freespace is %d, ret, out,freespace);

Bjørn
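Review bot: the changed line still has no bound on the copy. strncpy(out,tmp,ret+1) fixes the symptom in the report (copying only ret bytes left out the terminating NUL, so the radlog printed whatever followed out in memory), but ret comes from strlen(tmp) with no comparison against freespace, the size of the out buffer that the radlog on the very next line already prints, so a Perl return value of freespace bytes or longer still writes past the end of out. Bound the copy by the destination rather than the source, for example `strlcpy(out, tmp, freespace);` (or clamp ret to freespace - 1 before the strncpy and write `out[ret] = '\0';` explicitly), and log or return the copied length so a truncated value is visible instead of silently overrunning the buffer.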
FreeRADIUS Issue -
Hi Alan,

I'm facing an issue with an EAP-TTLS, LDAP and Perl configuration, using eapol_test as the test client. Please find the debug logs below:

rad_recv: Access-Request packet from host 127.0.0.1 port 45673, id=0, length=206
        User-Name =
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = 02-00-00-00-00-01
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message = 0x02360175736572317676746e746b6a6b636b76656469756366767672636e657563756b6c766465637475726a646a666b676e7267
        Message-Authenticator = 0x065b1291e4b6cff7cecc69db3a9b5b83
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = , looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 54
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = 02-00-00-00-00-01
rlm_perl: Added pair Message-Authenticator = 0x065b1291e4b6cff7cecc69db3a9b5b83
rlm_perl: Added pair User-Name =
rlm_perl: Added pair EAP-Message = 0x02360175736572317676746e746b6a6b636b76656469756366767672636e657563756b6c766465637475726a646a666b676e7267
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++[files] returns noop
[ldap] performing user authorization for
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} ->
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=)
[ldap] expand: dc=example,dc=com -> dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 192.168.1.103:389, authentication 0
[ldap] bind as cn=admin,dc=example,dc=com/ to 192.168.1.103:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=example,dc=com, with filter (uid=)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Cleartext-Password ==
[ldap] userPassword -> Password-With-Header ==
[ldap] looking for reply items in directory...
[ldap] user authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] Config already contains known good password. Ignoring Password-With-Header
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group EAP {...}
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = 02-00-00-00-00-01
rlm_perl: Added pair Message-Authenticator = 0x065b1291e4b6cff7cecc69db3a9b5b83
rlm_perl: Added pair User-Name =
rlm_perl: Added pair EAP-Message = 0x02360175736572317676746e746b6a6b636b76656469756366767672636e657563756b6c766465637475726a646a666b676e7267
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair h323-credit-amount = 100
rlm_perl: Added pair Cleartext-Password =
rlm_perl: Added pair Password-With-Header =
rlm_perl: Added pair Ldap-UserDn = uid=,ou=people,dc=example,dc=com
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 45673
        h323-credit-amount = 100
        EAP-Message = 0x010100061520
        Message-Authenticator = 0x
        State = 0x2a7f4cbf2a7e5963e2206d31c110709d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 45673, id=1, length=271
        User-Name =
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = 02-00-00-00-00-01
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message = 0x020100651500160301005a01560301507c49a86cfabf980d6b3d94daf27fe3f600a2320dbc3427626ca4b918ad885f2800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff0201040023
        State = 0x2a7f4cbf2a7e5963e2206d31c110709d
        Message-Authenticator = 0x7984af4d41a5bfd6c39d9a472fe0cc17
# Executing section authorize from file /etc/freeradius/sites-enabled/default
RE: static IP's with rlm_perl
Hello,

Here is the debug info. From the information it looks like I have added the information correctly, however it is not sent to the client:

--snip--
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Framed-Netmask = 255.255.255.255
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 192.168.77.200
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair NT-Password = 213C197ADF831F46188DC68E3F46860F
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = MS-CHAP
..
Sending Access-Accept of id 70 to 127.0.0.1 port 32809
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-Netmask = 255.255.255.255
        MS-CHAP2-Success = 0xa4533d41433543323433323341454632313338464643433730443243453533314646353533423131354634
        MS-MPPE-Recv-Key = 0xae0f9b99af199f01fe9ab857a793739a
        MS-MPPE-Send-Key = 0x3c24917e4b02abdc1bd303ea21d95b71
        MS-MPPE-Encryption-Policy = 0x0002
        MS-MPPE-Encryption-Types = 0x0004
--snip--

So any feedback would be helpful. The whole debug info is below:

--snip--
rad_recv: Access-Request packet from host 127.0.0.1:32809, id=70, length=146
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = rigvpn_user1
        MS-CHAP-Challenge = 0xee068979e7bafef383f8c90f3520d8e9
        MS-CHAP2-Response = 0xa400809dff2ecb2017413f1b7b5b71e5e1f3cee84de052f0d485d683d9350d9fd4b4410744a13cc2de0c
        Calling-Station-Id = .271
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
modcall[authorize]: module mschap returns ok for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 175
users: Matched entry DEFAULT at line 187
modcall[authorize]: module files returns ok for request 0
perl_pool: item 0x8eecac0 asigned new request. Handled so far: 1
found interpetator at address 0x8eecac0
rlm_perl: PASON RPM AUTH REQUEST: Service-Type = Framed-User
rlm_perl: PASON RPM AUTH REQUEST: Calling-Station-Id = .271
rlm_perl: PASON RPM AUTH REQUEST: MS-CHAP-Challenge = 0xee068979e7bafef383f8c90f3520d8e9
rlm_perl: PASON RPM AUTH REQUEST: Client-IP-Address = 127.0.0.1
rlm_perl: PASON RPM AUTH REQUEST: Framed-Protocol = PPP
rlm_perl: PASON RPM AUTH REQUEST: User-Name = rigvpn_user1
rlm_perl: PASON RPM AUTH REQUEST: MS-CHAP2-Response = 0xa400809dff2ecb2017413f1b7b5b71e5e1f3cee84de052f0d485d683d9350d9fd4b4410744a13cc2de0c
rlm_perl: PASON RPM AUTH REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: PASON RPM AUTH REQUEST: NAS-Port = 0
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Framed-Netmask = 255.255.255.255
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 192.168.77.200
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair NT-Password = 213C197ADF831F46188DC68E3F46860F
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = MS-CHAP
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x8eecac0
modcall[authorize]: module perl returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type MS-CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: Found NT-Password
rlm_mschap: Told to do MS-CHAPv2 for rigvpn_user1 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module mschap returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Login OK: [rigvpn_user1/no User-Password attribute] (from client localhost port 0 cli .271)
Sending Access-Accept of id 70 to 127.0.0.1 port 32809
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-Netmask = 255.255.255.255
        MS-CHAP2-Success = 0xa4533d41433543323433323341454632313338464643433730443243453533314646353533423131354634
        MS-MPPE-Recv-Key = 0xae0f9b99af199f01fe9ab857a793739a
        MS-MPPE-Send-Key = 0x3c24917e4b02abdc1bd303ea21d95b71
        MS-MPPE-Encryption-Policy = 0x0002
        MS
Cannot control attribute ordering via rlm_perl
Hi,

First, the version I'm using:

# freeradius -v
freeradius: FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, [...]

I'm trying to control the attribute ordering when using rlm_perl. Thus far my experience is that this is not possible. My theory is that this is due to the hash tables used as the interface between the C and Perl worlds.

Here is a small example that demonstrates the problem. I've turned on the users and perl modules in the authorize section (in that order). These are the important bits from the users file and the example.pl file.

(from the users file)

steve   Cleartext-Password := "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        WiMAX-Packet-Data-Flow-Id = 1,
        WiMAX-Service-Data-Flow-Id = 1,
        WiMAX-Service-Profile-Id = 2

(from the example.pl)

sub authorize {
        return RLM_MODULE_NOOP;
}

The debug log of the server is below. The interesting bits are (a) the "rlm_perl: Added pair" lines and (b) the attribute order in the packet that the server sends in reply: the order is changed.

The ordering is important for me as I want those three WiMAX attributes packed inside a parent attribute WiMAX-Packet-Flow-Descriptor. If I turn off the perl module (or place it before the files module) the packing works as expected.

I put all this down to the attribute list being rebuilt (by rlm_perl) from the %RAD_REPLY table. The hash table has no concept of ordering, so it ends up randomised.

The above is a contrived example; what I really want to do is add those three WiMAX attributes in my perl script. But due to the ordering problems I think I am wasting my time and need to come up with another solution.

Can anyone see how I can control the ordering of attributes coming out of the perl script?

Thanks,
Claude Brown.
Vividwireless.

rad_recv: Access-Request packet from host 127.0.0.1 port 50265, id=2, length=63
        User-Name = steve
        User-Password = testing
        Message-Authenticator = 0xc8b10e777a7ea53a261c855029fd0b58
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = steve, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry steve at line 76
++[files] returns ok
GOT CLONE -1588651264 0x1a0e160
rlm_perl: Added pair User-Name = steve
rlm_perl: Added pair User-Password = testing
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Message-Authenticator = 0xc8b10e777a7ea53a261c855029fd0b58
rlm_perl: Added pair WiMAX-Service-Data-Flow-Id = 1
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-Routing = Broadcast-Listen
rlm_perl: Added pair WiMAX-Packet-Data-Flow-Id = 1
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Framed-Filter-Id = std.ppp
rlm_perl: Added pair Framed-IP-Address = 172.16.3.33
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.0
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair WiMAX-Service-Profile-Id = 2
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair Cleartext-Password = testing
++[perl] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using clear text password testing
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [steve] (from client localhost port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 2 to 127.0.0.1 port 50265
        WiMAX-Service-Data-Flow-Id = 1
        Service-Type = Framed-User
        Framed-Routing = Broadcast-Listen
        WiMAX-Packet-Data-Flow-Id = 1
        Framed-Protocol = PPP
        Framed-Filter-Id = std.ppp
        Framed-IP-Address = 172.16.3.33
        Framed-IP-Netmask = 255.255.255.0
        Framed-Compression = Van-Jacobson-TCP-IP
        WiMAX-Service-Profile-Id = 2
        Framed-MTU = 1500
Finished request 0.
Re: Affect IP with script perl into freeradius
t...@kalik.net wrote:

thanks for your reply. I have added:

$RAD_REPLY{'Framed-IP-Address'} = "10.218.6.1";
return RLM_MODULE_OK;

but no change, it uses the pool included in the cisco ASA (10.218.4.5). An error of mine?

Do a debug (radiusd -X) and see if the attribute makes it into the Access-Accept packet. If it is sent to Cisco, the problem is on the ASA. Do debug aaa there and see why it is ignoring the static IP address.

Ivan Kalik
Kalik Informatika ISP

Ok, first this is the debug of Freeradius:

rad_recv: Access-Request packet from host 10.218.7.243:1025, id=50, length=165
        User-Name = usertest
        User-Password = XXX
        NAS-Port = 1011712
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = 62.XX.XX.XX
        Calling-Station-Id = 88.XX.XX.XX
        NAS-Port-Type = Virtual
        Tunnel-Client-Endpoint:0 = 88.XX.XX.XX
        NAS-IP-Address = 10.218.7.243
        Cisco-AVPair = ip:source-ip=88.166.47.158y\223
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = usertest, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 1
users: Matched entry DEFAULT at line 154
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
modcall[authorize]: module files returns ok for request 1
Using perl at 0x8146460
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 10.218.4.120
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.0
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
modcall[authorize]: module perl returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type Perl
auth: type Perl
Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 1
Using perl at 0x8146460
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair h323-credit-amount = 100
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.0
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
modcall[authenticate]: module perl returns ok for request 1
modcall: leaving group Perl (returns ok) for request 1
Login OK: [usertest/XX] (from client 10.218.7.243 port 1011712 cli 88.xx.xx.xx)
Sending Access-Accept of id 50 to 10.218.7.243 port 1025
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-IP-Netmask = 255.255.255.0
        h323-credit-amount = 100
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 50 with timestamp 497f20c3
Nothing to do. Sleeping until we see a request.
rlm_perl with WinXP MS-CHAP clients ?
Hello,

I have a freeradius 1.0.X server setup with ppp and pptp using a mysql DB for user authentication. Here I assign static IPs and users to groups. We wish to use rlm_perl instead of the sql module so we can authenticate the users against an in-house application. I have built freeradius 1.1.3 from source and it seems to work, however since the client is WinXP and the auth type is MS-CHAP it seems to be calling the mschap section under authentication and then exiting.

Here is my debug output:

rad_recv: Access-Request packet from host 127.0.0.1:32768, id=51, length=141
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = baduser
        MS-CHAP-Challenge = 0x0c09ad640ce7275613b8a0dd51d2f4c6
        MS-CHAP2-Response = 0x630065cbdfea16f542fbda8cdc65d7fd3093ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b
        Calling-Station-Id = .271
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
modcall[authorize]: module mschap returns ok for request 0
rlm_realm: No '@' in User-Name = baduser, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 155
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
modcall[authorize]: module files returns ok for request 0
perl_pool: item 0x9d5ad20 asigned new request. Handled so far: 1
found interpetator at address 0x9d5ad20
rlm_perl: MG RAD_REQUEST: Service-Type = Framed-User
rlm_perl: MG RAD_REQUEST: Calling-Station-Id = .271
rlm_perl: MG RAD_REQUEST: MS-CHAP-Challenge = 0x0c09ad640ce7275613b8a0dd51d2f4c6
rlm_perl: MG RAD_REQUEST: Client-IP-Address = 127.0.0.1
rlm_perl: MG RAD_REQUEST: Framed-Protocol = PPP
rlm_perl: MG RAD_REQUEST: User-Name = baduser
rlm_perl: MG RAD_REQUEST: MS-CHAP2-Response = 0x630065cbdfea16f542fbda8cdc65d7fd3093ca32eebf6779cfb34001c39530a93ea7f5aebd54eea79f2b
rlm_perl: MG RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: MG RAD_REQUEST: NAS-Port = 0
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = MS-CHAP
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9d5ad20
modcall[authorize]: module perl returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type MS-CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for baduser with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect: [baduser/no User-Password attribute] (from client localhost port 0 cli .271)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 51 to 127.0.0.1 port 32768
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 51 with timestamp 451194b6
Nothing to do. Sleeping until we see a request.

--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
RE: rlm_perl
Hi, thanks for your reply. I am going to post the debug logs here. From the log it seems rlm_perl is loaded successfully, but when I try to call the authorize and authenticate functions from example.pl, the functions are not being called properly. Here is the full configuration of what I did to work with the perl module.

radreply table:
---
123456 Auth-Type := perl
---

radiusd.conf - modules area:

perl {
    module = /usr/local/etc/example.pl
    func_accounting = accounting
    func_authenticate = authenticate
    func_authorize = authorize
    func_preacct = preacct
    func_checksimul = checksimul
    func_xlat = xlat
}

authorize {
    preprocess
    chap
    suffix
    perl
}

authenticate {
    Auth-Type Perl {
        perl
    }
}

- example.pl

sub authorize {
    return RLM_MODULE_OK;
}

sub authenticate {
    if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
        $RAD_REPLY{'Reply-Message'} = "Denied access";
        return RLM_MODULE_REJECT;
    } else {
        $RAD_REPLY{'h323-credit-time'} = "\"h323-credit-time=200\"";
        return RLM_MODULE_OK;
    }
}

Here is the Log:
===
Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x93af7a0
Wed Sep 28 07:50:45 2005 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x93af7a0 returned status 0
Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x94b0ec8
Wed Sep 28 07:50:45 2005 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x94b0ec8 returned status 0
Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x950b550
Wed Sep 28 07:50:45 2005 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x950b550 returned status 0
Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x9565480
Wed Sep 28 07:50:45 2005 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x9565480 returned status 0
Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x95bf180
Wed Sep 28 07:50:45 2005 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x95bf180 returned status 0
Wed Sep 28 07:50:45 2005 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:48 2005 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Wed Sep 28 07:50:48 2005 : Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
Wed Sep 28 07:50:48 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Wed Sep 28 07:50:48 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
=

I AM REALLY SORRY FOR BIG THREAD.

Yours,
Abdul Lateef
Computer Programmer
HATIF COM
Mob: +974 - 5405022
Tel: +974 - 4883068
ICQ: 276994704
YM!: abdul_zu
Fax: +974 - 4883063
Doha Qatar
http://www.hatif.com
Re: Rejected proxy requests not making it to the client
I'm not sure how the script could be blocking the server after it's already ran and returned the updated packet so the proxying can take place which does happen: • rlm_perl: Changing User-Name: legg...@yubiauth.mcs.example.com • rlm_perl: Added pair NAS-Port-Type = Virtual • rlm_perl: Added pair Service-Type = Authenticate-Only • rlm_perl: Added pair Auth-Type = System • rlm_perl: Added pair Calling-Station-Id = client.mcs.example.com • rlm_perl: Added pair User-Name = legg...@yubiauth.mcs.example.com • rlm_perl: Added pair User-Password = 654321 • rlm_perl: Added pair NAS-Identifier = sshd • rlm_perl: Added pair Stripped-User-Name = leggett • rlm_perl: Added pair NAS-IP-Address = 192.168.6.203 • rlm_perl: Added pair NAS-Port = 32448 • rlm_perl: Added pair Ldap-UserDn = uid=leggett,ou=people,dc=mcs,dc=example,dc=com • Cached username is legg...@yubiauth.mcs.example.com, list username is legg...@yubiauth.mcs.example.com • ++[get_domain] returns updated • [suffix] Looking up realm yubiauth.mcs.example.com for User-Name = legg...@yubiauth.mcs.example.com • [suffix] Found realm yubiauth.mcs.example.com • [suffix] Adding Stripped-User-Name = leggett • [suffix] Adding Realm = yubiauth.mcs.example.com • [suffix] Proxying request from user leggett to realm yubiauth.mcs.example.com • [suffix] Preparing to proxy authentication request to realm yubiauth.mcs.example.com • Cached username is leggett, list username is legg...@yubiauth.mcs.example.com • ++[suffix] returns updated The request packet then gets proxied off, comes back and this script is never called again. The same script gets called the same way on successful requests and this script is only called in the authorize phase. I've also tested that when one of the failure cases is reached (return RLM_MODULE_FAIL) that a fail packet is sent back to the client and no proxying ever takes place which is what I would expect. The script is at http://pastebin.com/gB91jj8W. 
On Jul 2, 2013, at 12:20 PM, Alan DeKok al...@deployingradius.com wrote:

Ti Leggett wrote:
Tue Jul 2 10:39:04 2013 : Error: WARNING: Unresponsive child for request 0, in component core module thread

Fix your scripts so that they don't block the server.

The upstream server does get the request, send the reject back to the proxy and the proxy receives the reject but doesn't seem to send the reject back to the client. When the user types the password successfully everything works fine - the client gets an OK and none of the hung request errors show up.

The default configuration doesn't have this issue. Access-Requests can be proxied. Access-Rejects can be returned through a proxy to a client.

A debug log of one of these failed sessions is at http://pastebin.com/8n7snaBV. Any ideas what might be going on?

The debug log shows nothing interesting. The most probable issue is that your scripts are blocking the server. Fix that. You can verify this by configuring a test system *without* your scripts. Or a test user, which bypasses the scripts. It will work.

Alan DeKok.
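Alan's diagnosis above is that the authorize-phase script blocks a server thread. The following is an added example, not the poster's pastebin script and not FreeRADIUS code: an rlm_perl authorize hook whose one external call is bounded by explicit connect and read timeouts, so a stalled backend makes the request fail promptly instead of hanging the thread. The backend host, port and its "CHECK <user>" line protocol are hypothetical placeholders; the return-code constants are the values example.pl defines.

```perl
# Added example, not the poster's pastebin script: an rlm_perl authorize hook
# whose external lookup is bounded by explicit connect and read timeouts, so a
# stalled backend makes the request fail fast instead of hanging the server
# thread that is running the interpreter.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;

# rlm_perl return codes (same values example.pl defines)
use constant RLM_MODULE_REJECT => 0;
use constant RLM_MODULE_FAIL   => 1;
use constant RLM_MODULE_OK     => 2;
use constant RLM_MODULE_NOOP   => 7;

our (%RAD_REQUEST, %RAD_REPLY);

# Hypothetical backend and time budget: keep the total well under
# max_request_time (30 s in the default config) so the thread is always
# handed back to the pool.
my $BACKEND_HOST   = '127.0.0.1';   # placeholder, not a real service
my $BACKEND_PORT   = 9999;          # placeholder
my $LOOKUP_TIMEOUT = 3;             # seconds, applied to connect and to the read

# Log through radiusd when running inside the server, to STDERR otherwise
# (so the file can also be exercised stand-alone). 4 is L_ERR in radiusd.h.
sub log_err {
    my ($msg) = @_;
    if (defined &radiusd::radlog) { radiusd::radlog(4, $msg) } else { warn "$msg\n" }
}

# Hypothetical line protocol: send "CHECK <user>\n", expect "ALLOW\n" or "DENY\n".
# Returns ($answer, undef) on success or (undef, $reason) on any failure.
sub query_backend {
    my ($host, $port, $user, $timeout) = @_;

    # Never put an unvetted string on the wire of a line-oriented protocol.
    return (undef, 'user name has characters outside [A-Za-z0-9._@-]')
        unless $user =~ /^[A-Za-z0-9._@-]+$/;

    # Timeout here bounds connect(); without it a black-holed host blocks for minutes.
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host, PeerPort => $port, Proto => 'tcp', Timeout => $timeout,
    ) or return (undef, 'connect failed: ' . ($@ || $!));
    $sock->autoflush(1);
    print {$sock} "CHECK $user\n";

    # Bounded read: wait with select() before every sysread so a backend that
    # accepts the connection but never answers cannot block us either.
    my $sel      = IO::Select->new($sock);
    my $deadline = time + $timeout;
    my $buf      = '';
    until ($buf =~ /\n/) {
        my $left = $deadline - time;
        return (undef, "read timed out after ${timeout}s")
            if $left <= 0 || !$sel->can_read($left);
        my $n = sysread($sock, $buf, 4096, length $buf);
        return (undef, 'backend closed the connection') unless $n;   # 0 = EOF, undef = error
    }
    close $sock;
    my ($line) = $buf =~ /^([^\r\n]*)/;
    return ($line, undef);
}

sub authorize {
    my $user = $RAD_REQUEST{'Stripped-User-Name'} || $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $user;

    my ($answer, $err) = query_backend($BACKEND_HOST, $BACKEND_PORT, $user, $LOOKUP_TIMEOUT);
    if (defined $err) {
        # Returning promptly is the point: the server rejects and moves on
        # instead of logging "Unresponsive child for request".
        log_err("backend check for $user failed: $err");
        return RLM_MODULE_FAIL;
    }
    return RLM_MODULE_OK if $answer eq 'ALLOW';
    $RAD_REPLY{'Reply-Message'} = 'Access denied by policy backend';
    return RLM_MODULE_REJECT;
}
```

The timeouts are done with the socket's own connect timeout and select(), not with alarm(): the server is multi-threaded and runs several interpreters, and SIGALRM is process-wide and delivered to an arbitrary thread, so an alarm()-based guard in one script is unreliable there. Whatever client library the real script uses (LDAP, HTTP, a validation API), the same rule applies: every network call it makes needs its own bounded timeout.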
Problem with PAP authentication on freeradius-3.0.0
Hi, I have problem with PAP autentification on freeradius-3.0.0, but on freeradius-2.2.1 everythink works correct. Could you please help me, thx. Debug output for freeradius-3.0.0: radiusd@tdrad1test:/storage/app/radius/raddb/auth-new$ /storage/app/radius/freeradius-3.0.0/sbin/radiusd -X -d /storage/app/radius/raddb/auth-new radiusd: FreeRADIUS Version 3.0.0, for host x86_64-unknown-linux-gnu, built on May 14 2013 at 16:22:54 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... ... Listening on proxy address * port 0 Listening on auth address * port 1812 as server default Listening on auth address * port 1645 as server default Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 50633, id=15, length=115 NAS-Port-Type = Virtual Service-Type = Framed-User Calling-Station-Id = 421905012405 Called-Station-Id = l2tp.vps Framed-Protocol = PPP User-Name = l...@radiustest.sk User-Password = l2tp Connect-Info = 864 NAS-IP-Address = 213.151.234.114 (0) # Executing section authorize from file /storage/app/radius/raddb/auth-new/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) [chap] = noop (0) suffix : Looking up realm radiustest.sk for User-Name = l...@radiustest.sk (0) suffix : Found realm DEFAULT (0) suffix : Adding Stripped-User-Name = l2tp (0) suffix : Adding Realm = DEFAULT (0) suffix : Authentication realm is LOCAL. 
(0) [suffix] = ok rlm_perl: Added pair NAS-Port-Type = Virtual rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Called-Station-Id = l2tp.vps rlm_perl: Added pair Calling-Station-Id = 421905012405 rlm_perl: Added pair Framed-Protocol = PPP rlm_perl: Added pair User-Name = l...@radiustest.sk rlm_perl: Added pair User-Password = l2tp rlm_perl: Added pair Connect-Info = 864 rlm_perl: Added pair Realm = DEFAULT rlm_perl: Added pair Stripped-User-Name = l2tp rlm_perl: Added pair NAS-IP-Address = 213.151.234.114 rlm_perl: Added pair Current-Time = 1368711260 rlm_perl: Added pair Password-With-Header = {SSHA}cAgh2LCe5649EzEAbc+nAfIOvOyOJSmU+sKiPA== rlm_perl: Added pair VPDN_SERVICE_ID = User-GPRS-L2TP (0) [perl] = ok (0) [pap] = updated (0) Found Auth-Type = PAP (0) # Executing group from file /storage/app/radius/raddb/auth-new/sites-enabled/default (0) group PAP { (0) - entering group PAP {...} (0) pap : login attempt with password l2tp (0) pap : Using SSHA encryption. (0) ERROR: pap : SSHA password check failed (0) pap : Passwords don't match (0) [pap] = reject (0) Failed to authenticate the user. (0) Login incorrect (pap: SSHA password check failed): [l...@radiustest.sk/l2tp] (from client localhost port 0 cli 421905012405) Debug output for freeradius-2.2.1: radiusd@tdrad1test:/storage/app/radius/raddb/auth$ /storage/app/radius/freeradius/sbin/radiusd -X -d /storage/app/radius/raddb/auth radiusd: FreeRADIUS Version 2.2.1, for host x86_64-unknown-linux-gnu, built on May 2 2013 at 09:22:02 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... ... 
Listening on authentication address * port 1812 Listening on authentication address * port 1645 Listening on proxy address * port 37677 Listening on command file ../../log/radius/radius_auth.sock Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 57436, id=196, length=115 NAS-Port-Type = Virtual Service-Type = Framed-User Calling-Station-Id = 421905012405 Called-Station-Id = l2tp.vps Framed-Protocol = PPP User-Name = l...@radiustest.sk User-Password = l2tp Connect-Info = 864 NAS-IP-Address = 213.151.234.114 # Executing section authorize from file /storage/app/radius/raddb/auth/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] Looking up realm radiustest.sk for User-Name = l...@radiustest.sk [suffix] Found realm DEFAULT [suffix] Adding Stripped-User-Name = l2tp [suffix] Adding Realm = DEFAULT [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[files] returns noop rlm_perl: Added pair NAS-Port-Type = Virtual rlm_perl: Added pair
Re: Separate rlm_perl in each virtual server
Alexander Shikoff wrote: Now radiusd receives a DHCP packet and: Received DHCP-Discover of id fcb1c6c0 from 193.200.84.232:67 to 193.200.85.245:67 [...] server dhcp { Trying sub-section dhcp DHCP-Discover {...} +- entering group DHCP-Discover {...} rlm_perl: -authorization.pl- : post_auth ^^^ Post *all* of the debug output. You've deleted the pieces which can help solve the problem. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_perl radiusd::radlog $type codes
The rlm_perl documentation (in the Wiki) lists the $type values for radiusd::radlog($type, $message) as

0 - Debug
1 - Auth
2 - Proxy
3 - Info
4 - Error

while include/radiusd.h says

#define L_DBG 1
#define L_AUTH 2
#define L_INFO 3
#define L_ERR 4
#define L_PROXY 5
#define L_ACCT 6
#define L_CONS 128

and I can see no translation in src/modules/rlm_perl.c. Am I missing something or is this a documentation error?
Re: rlm_perl DEBUG log with garbage output
Bjørn Mork wrote: Try this patch: Looking at the code, it appears the strncpy is even more wrong than just adding +1. I've committed a different fix which should avoid other errors (like potential buffer overflows with data taken from rlm_perl). It's only exploitable by people who can control the Perl scripts that the server runs, so it's not a real problem. But it should be fixed. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius not working in normal mode but working in debug mode
Hello, Please see the debug log: (log output from command freeradius -fxx -l stdout) and with freeradius -X it works fine. My issue is that debug mode freeradius -X the authentication works great but once I try with normal mode it doesn't. I have checked all the permissions all are correct. Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.99 port 5, id=24, length=177 Threads: total/active/spare threads = 5/0/5 Waking up in 0.9 seconds. Thread 5 got semaphore Thread 5 handling request 0, (1 handled so far) User-Name = TEST.COM\\user1 Calling-Station-Id = 005e5523 EAP-Message = 0x023f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467 Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8 [thread] # Executing section authorize from file /etc/freeradius/sites-enabled/default [thread] +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = TEST.COM\user1, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [ntdomain] Looking up realm TEST.COM for User-Name = TEST.COM\user1 [ntdomain] No such realm TEST.COM ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_perl: Added pair User-Name = TEST.COM\\user1 rlm_perl: Added pair EAP-Message = 0x023f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467 rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 192.168.1.99 rlm_perl: Added pair Calling-Station-Id = 005e5523 rlm_perl: Added pair Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok [files] users: Matched entry DEFAULT at line 147 ++[files] returns ok [ldap] performing user authorization for TEST.COM\user1 
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) - (uid=user1) [ldap] expand: dc=example,dc=com - dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 192.168.1.120:389, authentication 0 [ldap] bind as cn=admin,dc=example,dc=com/yubico to 192.168.1.120:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=example,dc=com, with filter (uid=user1) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword - Cleartext-Password == yubico [ldap] userPassword - Password-With-Header == yubico [ldap] looking for reply items in directory... [ldap] user TEST.COM\user1 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [pap] Config already contains known good password. Ignoring Password-With-Header [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group EAP {...} rlm_perl: Added pair User-Name = TEST.COM\\user1 rlm_perl: Added pair EAP-Message = 0x023f01544553542e434f4d5c75736572317676646a65687563697275656b63746a6869747568666365726465666c747269726668626775747464686467 rlm_perl: Added pair Calling-Station-Id = 005e5523 rlm_perl: Added pair NAS-IP-Address = 192.168.1.99 rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair Message-Authenticator = 0x07222d989a50a5ab3ad1a36ec1fe32d8 rlm_perl: Added pair Cleartext-Password = yubico rlm_perl: Added pair Password-With-Header = yubico rlm_perl: Added pair Ldap-UserDn = uid=user1,ou=people,dc=example,dc=com rlm_perl: Added pair Auth-Type = EAP ++[perl] returns noop [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 24 to 192.168.1.99 port 5 EAP-Message = 0x010100061920 Message-Authenticator = 
0x State = 0x122bbc42122aa5a2412bf0f529fb8dfe Finished request 0. Going to the next request Thread 5 waiting to be assigned a request rad_recv: Access-Request packet from host 192.168.1.99 port 5, id=25, length=348 Waking up in 0.9 seconds. Thread 4 got semaphore Thread 4 handling request 1, (1 handled so far) User-Name = TEST.COM\\user1 Calling-Station-Id = 005e5523 EAP-Message = 0x020100d8190016030100cd01c9030151189e9c9fbe653e32873d8edf71da69da00c2f53aba302ad4fd7b82cc7df16d5cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040
Re: rlm_perl authorize
Authorize and authentication are two separate and distinct things. You notice that in the users file, either explicitly, or through a default, an Auth-Type is set. Always. If you want to have only your perl module handle authorization, then it also must set an Auth-Type. Mind you, the chap/mschap/eap modules work, so you might as well let them take care of setting an Auth-Type for things they handle, and you only worry about everything else. On Tue, 2004-02-17 at 03:41, loz wrote: Hi All, I'm trying to authorize a user by using the rlm_perl module only. I.e., I only want the perl script to control the authorization. In radiusd.conf I have set: proxy_requests = no and in the authorize part the files statement is commented (otherwise freeradius will look at the file 'users' for authentication). In the authorize method of my perl script it simply returns RLM_MODULE_OK (to test). When I then send a radius request the authorize failed because of No authenticate method (Auth-Type) configuration found for the request: Rejecting the user. See below for a complete debug output. Can anyone explain why I get this error, and how to fix it? thanks, loz rad_recv: Access-Request packet from host 127.0.0.1:1091, id=20, length=124 User-Name = [EMAIL PROTECTED] User-Password = testpwd NAS-Identifier = starbuster.xxx.net NAS-Port-Id = 444 Acct-Session-Id = 1234567 Acct-Status-Type = Accounting-On WISPr-Location-Name = testlocation modcall: entering group authorize modcall[authorize]: module preprocess returns ok modcall[authorize]: module chap returns noop rlm_eap: EAP-Message not found modcall[authorize]: module eap returns noop rlm_realm: Looking up realm my_realm for User-Name = [EMAIL PROTECTED] rlm_realm: No such realm my_realm modcall[authorize]: module suffix returns noop modcall[authorize]: module mschap returns noop perl_pool: item 0x8117540 asigned new request. 
Handled so far: 1 found interpetator at address 0x8117540 rlm_perl: Added pair h323-credit-amount = 100 rlm_perl: Added pair Acct-Session-Id = 1234567 rlm_perl: Added pair Client-IP-Address = 127.0.0.1 rlm_perl: Added pair User-Name = [EMAIL PROTECTED] rlm_perl: Added pair User-Password = testpwd rlm_perl: Added pair NAS-Identifier = starbuster.xxx.net rlm_perl: Added pair Acct-Status-Type = Accounting-On rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair NAS-Port-Id = 444 rlm_perl: Added pair WISPr-Location-Name = testlocation perl_pool total/active/spare [5/0/5] Unreserve perl at address 0x8117540 modcall[authorize]: module perl returns ok modcall: group authorize returns ok auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
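Two threads on this page run into the same two requirements for a perl-only authorize: the reply above says the module must set an Auth-Type when no other module has, and the earlier WinXP MS-CHAP thread shows what happens when the check items carry no password ("rlm_mschap: No User-Password configured. Cannot create NT-Password."). The following is an added example, not the shipped example.pl and not either poster's script: an authorize hook that supplies a known-good password from a backend and claims Auth-Type only when chap/mschap/eap have not already done so. The in-memory %BACKEND hash is a constructed stand-in for the in-house application, its values are invented, and Cleartext-Password is assumed to be the check-item name (it is the 2.x name; the 1.x rlm_mschap message in the thread refers to User-Password).

```perl
# Added example, not the original example.pl nor either poster's script: an
# rlm_perl authorize hook that feeds the built-in authentication modules a
# known-good password and claims Auth-Type only when nobody else has.
use strict;
use warnings;

# rlm_perl return codes (same values example.pl defines)
use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_INVALID  => 4;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_UPDATED  => 8;

our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Constructed stand-in for the in-house user store; a real script would query
# its application here. Values are invented for the example.
my %BACKEND = (
    usertest => { password => 'example-only-secret', ip => '192.0.2.10' },
);

# Returns ($name, $record); $record is undef for an unknown user.
sub lookup_user {
    my $name = $RAD_REQUEST{'Stripped-User-Name'} || $RAD_REQUEST{'User-Name'};
    return (undef, undef) unless defined $name && length $name;
    return ($name, $BACKEND{$name});
}

sub authorize {
    my ($name, $rec) = lookup_user();
    return RLM_MODULE_INVALID  unless defined $name;
    return RLM_MODULE_NOTFOUND unless $rec;    # nothing to offer; do not claim the request

    # Known-good password as a check item. rlm_mschap derives the NT hash from
    # it for MS-CHAPv2 and rlm_pap compares against it for PAP; without it
    # mschap logs "No User-Password configured. Cannot create NT-Password."
    # and rejects. (Cleartext-Password is the 2.x name; assumed here.)
    $RAD_CHECK{'Cleartext-Password'} = $rec->{password};

    # chap/mschap/eap run earlier in authorize and set Auth-Type for the
    # methods they recognise. Only claim the request if none of them did.
    $RAD_CHECK{'Auth-Type'} = 'Perl' unless defined $RAD_CHECK{'Auth-Type'};

    # Reply items are independent of the authentication method.
    $RAD_REPLY{'Framed-IP-Address'} = $rec->{ip} if defined $rec->{ip};
    return RLM_MODULE_UPDATED;
}

# Reached only for Auth-Type Perl, i.e. a request no built-in method claimed
# (a plain User-Password with no CHAP, MS-CHAP or EAP attributes).
sub authenticate {
    my ($name, $rec) = lookup_user();
    my $given = $RAD_REQUEST{'User-Password'};
    return RLM_MODULE_INVALID unless defined $name && defined $given;
    return RLM_MODULE_REJECT  unless $rec && $given eq $rec->{password};
    return RLM_MODULE_OK;
}
```

This matches the configuration shape used elsewhere in this thread set (an authorize section that lists chap, mschap, eap and suffix before perl, and an "Auth-Type Perl { perl }" block in authenticate): the built-in modules keep handling the challenge-response methods, and perl only owns the requests nothing else recognised. The backend password is placed in %RAD_CHECK rather than in %RAD_REPLY, so it never leaves the server.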
Re: Need help: login incorrect with FR 2.2.1
On Fri, May 17, 2013 at 2:09 AM, Wang, Yu ywan...@fsu.edu wrote: Hello, I upgraded FR from 2.1.10 to 2.2.1. Everything went well except about 25% of our wireless users cannot authenticate after the upgrade. The backend authentication server is Active Directory and we use ntlm_auth from winbind to pass MSCHAPv2 response from FR to AD. rlm_perl: Added pair NT-Password = 0x33343133344331374133364243314244413638324232323239443431 [pap] Normalizing NT-Password from hex encoding Just curious. Does ALL the failed user have NT-Password attribute added by rlm_perl? IIRC the reason for using ntlm_auth is that AD would NOT give out NT-Passowrd when running in LDAP mode. Or to put it another way, if you had access to NT-Password (e.g. stored in another database, whatever), then you won't need ntlm_auth at all. If fo DO use ntlm_auth (which I don't see from the debug log), try removing NT-Password from the list of attributes added by rlm_perl. My guess is whatever your rlm_perl data source is out of sync with your AD. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_perl and proxy
Hi, I'm trying to implement proxying using rlm_perl. I've applied the patch that should allow me to modify the attributes, but it doesn't seem to work. (freeradius 1.1.2)

Perl code:

# Function to handle pre_proxy
sub pre_proxy {
    radiusd::radlog(1, "entering pre-proxy");
    my %hash = ();
    $hash{'User-Name'} = "testuser";
    $hash{'Operator'} = ":=";
    $RAD_REPLY{'User-Name'} = \%hash;
    return RLM_MODULE_UPDATED;
}

# Function to handle post_proxy
sub post_proxy {
    radiusd::radlog(1, "entering post-proxy");
    my %hash = ();
    $hash{'Framed-IP-Address'} = "10.10.1.1";
    $hash{'Operator'} = ":=";
    $RAD_REPLY{'Framed-IP-Address'} = \%hash;
    return RLM_MODULE_UPDATED;
}

and then debug from radius:

rad_recv: Access-Request packet from host 127.0.0.1:32777, id=31, length=219
User-Password = password
User-Name = [EMAIL PROTECTED]
Acct-Session-Id = erx atm 8/0.16901030:169.1030:0239293057
Service-Type = Framed-User
Framed-Protocol = PPP
Connect-Info = speed:UBR
NAS-Port-Type = xDSL
NAS-Port = 1084818438
NAS-Port-Id = atm 8/0.16901030:169.1030
NAS-IP-Address = 10.10.1.2
NAS-Identifier = CH_RAN_11
ERX-Qos-Profile-Name = qos-3584k_shape
ERX-Ingress-Policy-Name = 128k_rate
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
rlm_realm: Looking up realm somwhere.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm DEFAULT
rlm_realm: Adding Stripped-User-Name = test1
rlm_realm: Proxying request from user test1 to realm DEFAULT
rlm_realm: Adding Realm = DEFAULT
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 1
perl_pool: item 0x81fc008 asigned new request.
Handled so far: 2 found interpetator at address 0x81fc008 rlm_perl: Added pair REALM = somwhere.com rlm_perl: Added pair Proxy-To-Realm = quik rlm_perl: Added pair Stripped-User-Name = test1 perl_pool total/active/spare [3/0/3] Unreserve perl at address 0x81fc008 modcall[authorize]: module perl returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 Processing the pre-proxy section of radiusd.conf modcall: entering group pre-proxy for request 1 perl_pool: item 0x85ea2a8 asigned new request. Handled so far: 2 found interpetator at address 0x85ea2a8 rlm_perl: entering pre-proxy rlm_perl: Added pair User-Name = testuser rlm_perl: Added pair Realm = somwhere.com rlm_perl: Added pair Stripped-User-Name = test1 rlm_perl: Added pair Proxy-To-Realm = quik perl_pool total/active/spare [3/0/3] Unreserve perl at address 0x85ea2a8 modcall[pre-proxy]: module perl returns updated for request 1 modcall: leaving group pre-proxy (returns updated) for request 1 As you can see it modified the User-Name attribute (at least it claims it did), but: Sending Access-Request of id 1 to 10.10.12.103 port 1812 User-Password = password User-Name = test1 Acct-Session-Id = erx atm 8/0.16901030:169.1030:0239293057 Service-Type = Framed-User Framed-Protocol = PPP Connect-Info = speed:UBR NAS-Port-Type = xDSL NAS-Port = 1084818438 NAS-Port-Id = atm 8/0.16901030:169.1030 NAS-IP-Address = 10.10.1.2 NAS-Identifier = CH_RAN_11 ERX-Qos-Profile-Name = qos-3584k_shape ERX-Ingress-Policy-Name = 128k_rate Proxy-State = 0x3331 It doesn't send it, what's more: rad_recv: Access-Accept packet from host 10.10.12.103:1812, id=1, length=30 Framed-IP-Address = 192.168.1.65 Proxy-State = 0x3331 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 1 perl_pool: item 0x89bb2e0 asigned new request. 
Handled so far: 2
found interpetator at address 0x89bb2e0
rlm_perl: entering post-proxy
rlm_perl: Added pair Framed-IP-Address = 10.10.1.1
rlm_perl: Added pair Realm = somwhere.com
rlm_perl: Added pair Stripped-User-Name = test1
rlm_perl: Added pair Proxy-To-Realm = quik
rlm_perl: Added pair Proxy-State = 0x3331
rlm_perl: Added pair Framed-IP-Address = 192.168.1.65
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x89bb2e0
modcall[post-proxy]: module perl returns updated for request 1
modcall: leaving group post-proxy (returns updated) for request 1
authorize: Skipping authorize in post-proxy stage
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 31 to 127.0.0.1 port 32777
Framed-IP-Address := 10.10.1.1
Framed-IP-Address = 192.168.1.65
Finished request 1

So in both cases it retained the original values of the attributes. How do I fix this?

regards
pshemko
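The poster's hooks write into %RAD_REPLY from pre_proxy and post_proxy, and the debug output shows the outgoing proxied Access-Request unchanged and the final Access-Accept carrying both Framed-IP-Address values. The following is an added example, not the poster's patched 1.1.2 code and not FreeRADIUS's own, written against the hashes rlm_perl 2.x exposes to these hooks (assumed here, not shown in the thread): %RAD_REQUEST_PROXY is the packet about to go to the home server, %RAD_REQUEST_PROXY_REPLY is what came back, and %RAD_REPLY is what the NAS will receive. It rewrites the proxied User-Name in pre_proxy and, in post_proxy, copies only allow-listed and syntactically valid attributes from the home server's reply. The allow-list is a constructed policy for the example.

```perl
# Added example, not the poster's patched 1.1.2 code: proxy hooks for the
# hashes rlm_perl 2.x exposes (assumed): %RAD_REQUEST_PROXY is the packet
# about to be sent to the home server, %RAD_REQUEST_PROXY_REPLY is what came
# back, %RAD_REPLY is what our NAS will receive.
use strict;
use warnings;

# rlm_perl return codes (same values example.pl defines)
use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

our (%RAD_REQUEST, %RAD_REPLY, %RAD_REQUEST_PROXY, %RAD_REQUEST_PROXY_REPLY);

# Constructed policy: the only reply attributes a home server may hand to our NAS.
my %ALLOWED_FROM_HOME = map { $_ => 1 } qw(
    Framed-IP-Address Framed-IP-Netmask Session-Timeout Idle-Timeout Reply-Message
);

# Dotted-quad check so a home server cannot push an arbitrary string into an
# address attribute the NAS will try to apply.
sub is_ipv4 {
    my ($s) = @_;
    return 0 unless defined $s
        && $s =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    return (grep { $_ > 255 } $1, $2, $3, $4) ? 0 : 1;
}

# Runs before the packet is forwarded: send the realm-stripped name upstream.
sub pre_proxy {
    my $stripped = $RAD_REQUEST{'Stripped-User-Name'};
    return RLM_MODULE_NOOP unless defined $stripped && length $stripped;
    $RAD_REQUEST_PROXY{'User-Name'} = $stripped;   # the proxied packet, not %RAD_REPLY
    return RLM_MODULE_UPDATED;
}

# Runs when the home server's reply has arrived: build our reply from it
# selectively instead of trusting every attribute it sent.
sub post_proxy {
    my $changed = 0;
    for my $attr (sort keys %RAD_REQUEST_PROXY_REPLY) {
        next if $attr eq 'Proxy-State';         # the server core handles this one
        next unless $ALLOWED_FROM_HOME{$attr};  # anything else from upstream is dropped

        # rlm_perl presents a multi-valued attribute as an array reference.
        my $v    = $RAD_REQUEST_PROXY_REPLY{$attr};
        my @vals = ref $v eq 'ARRAY' ? @$v : ($v);
        if ($attr =~ /^Framed-IP-/) {
            @vals = grep { is_ipv4($_) } @vals;
            next unless @vals;
        }
        # One assignment per attribute, so the reply carries a single value
        # rather than a locally set one and an upstream one side by side.
        $RAD_REPLY{$attr} = @vals > 1 ? \@vals : $vals[0];
        $changed = 1;
    }
    return $changed ? RLM_MODULE_UPDATED : RLM_MODULE_NOOP;
}
```

The allow-list does in Perl what the stock attr_filter.post-proxy policy does in configuration; keeping one or the other in place matters because the home server's reply is attacker-controlled from the proxy's point of view if that server, or the path to it, is ever compromised.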
Re: Separate rlm_perl in each virtual server
On Sun, Jan 30, 2011 at 08:47:17AM +0100, Alan DeKok wrote:
> Alexander Shikoff wrote:
> > Now radiusd receives a DHCP packet and:
> >
> > Received DHCP-Discover of id fcb1c6c0 from 193.200.84.232:67 to 193.200.85.245:67
> > [...]
> > server dhcp {
> > Trying sub-section dhcp DHCP-Discover {...}
> > +- entering group DHCP-Discover {...}
> > rlm_perl: -authorization.pl- : post_auth
>
> ^^^
> Post *all* of the debug output. You've deleted the pieces which can help solve the problem.

--
MINO-RIPE

FreeRADIUS Version 2.1.10, for host amd64-portbld-freebsd8.0, built on Nov 2 2010 at 21:47:55
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/ISG_DHCP
including configuration file /usr/local/etc/raddb/modules/ISG_Auth
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/dhcp
including configuration file /usr/local/etc/raddb/sites-enabled/dhcp-authorization.conf
main {
    user = freeradius
    group = freeradius
    allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
    prefix = /usr/local
    localstatedir = /var
    logdir = /var/log/radius
    libdir = /usr/local/lib/freeradius-2.1.10
    radacctdir = /var/log/radius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = /var/run/radiusd/radiusd.pid
    checkrad = /usr/local/sbin/checkrad
    debug_level = 0
    proxy_requests = no
    log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    security
Re: Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
> Good. Now you are getting Digest-Attributes. Now uncomment the digest entry in the authorize section of default, or whatever virtual server is processing this.

Hi Kalik,

As per your instruction I've uncommented all the digest entries in the authorize and authenticate sections of the sites-enabled/default file; unfortunately I still don't get the values of these attributes in my perl code to authenticate. I am confused about what I should emphasize, please help.

*I am submitting the complete radius log when it runs in debug mode before authenticating a user here*

FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr 9 2008 at 21:42:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
    prefix = /usr/local
    localstatedir = /usr/local/var
    logdir = /usr/local/var/log/radius
    libdir = /usr/local/lib
    radacctdir = /usr/local/var/log/radius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = /usr/local/var/run/radiusd/radiusd.pid
    checkrad = /usr/local/sbin/checkrad
    debug_level = 0
    proxy_requests = yes
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = testing123
    shortname = localhost
    nastype = other
}
client 192.168.1.227 {
    require_message_authenticator = no
    secret = johnson
}
radiusd: Loading Realms and Home Servers
radiusd: Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
    wait = yes
    input_pairs = request
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
    reply-message = Password Has Expired
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
    reply-message = You are calling outside your allowed timespan
    minimum-timeout = 60
  }
 }
radiusd: Loading Virtual Servers
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_perl
 Module: Instantiating perl
  perl {
    module = /usr/local/etc/raddb/myperltemp.pl
    func_authorize = authorize
    func_authenticate = authenticate
    func_accounting = accounting
    func_preacct = preacct
    func_checksimul = checksimul
    func_detach = detach
    func_xlat = xlat
    func_pre_proxy = pre_proxy
    func_post_proxy = post_proxy
    func_post_auth = post_auth
  }
  perl {
    max_clones = 32
    start_clones = 32
    min_spare_clones = 0
    max_spare_clones = 32
    cleanup_delay = 5
    max_request_per_clone = 0
  }
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
    encryption_scheme = auto
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_digest
 Module: Instantiating digest
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
    huntgroups = /usr/local/etc/raddb/huntgroups
    hints = /usr/local/etc/raddb/hints
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
    format = suffix
    delimiter = @
    ignore_default = no
    ignore_null = no
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating
Re: Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
1. First rule is to start with the default configuration and then make changes.
2. I don't see any modules running here - only perl and preprocess. You have obviously made major changes to the default configuration.
3. Go back to the default configuration, uncomment the digest entries and get digest authentication working with an entry in the users file: http://wiki.freeradius.org/Digest
4. Once that is working, add your perl module into the mix. As I said before, digest attributes might be in $RAD_CHECK rather than $RAD_REQUEST.

Ivan Kalik
Kalik Informatika ISP

On 6/5/2008, johnson elangbam [EMAIL PROTECTED] wrote:
> > Good. Now you are getting Digest-Attributes. Now uncomment the digest entry in the authorize section of default, or whatever virtual server is processing this.
>
> Hi Kalik,
>
> As per your instruction I've uncommented all the digest entries in the authorize and authenticate sections of the sites-enabled/default file; unfortunately I still don't get the values of these attributes in my perl code to authenticate. I am confused about what I should emphasize, please help.
>
> *I am submitting the complete radius log when it runs in debug mode before authenticating a user here*
Re: Freeradius 3.0 hints, rlm_perl
Hello Arran,

> > DEFAULT User-Name =~ "^v104([^@]+)"
> >     User-Name := "%{1}@V104.GMVL.DE"
>
> Can you get some debug output, or even just the value of the User-Name? It may just be that the escaping is less crazy than it used to be.

The username is v104\Administrator, but radius puts it internally as v104\\Administrator. This is how it looks in 2.2.0:

rad_recv: Access-Request packet from host 10.104.1.0 port 54489, id=59, length=58
    User-Name = "v104\\Administrator"
    User-Password = "Pa$$w0rd"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[control] returns notfound
[preprocess]    expand: %{User-Name} -> v104\Administrator
[preprocess] hints: Matched DEFAULT at 1
[preprocess]    expand: "%{1}@V104.GMVL.DE" -> administra...@v104.gmvl.de
++[preprocess] returns ok
Found Auth-Type = perl
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
rlm_perl: Added pair User-Name = administra...@v104.gmvl.de
rlm_perl: Added pair User-Password = Pa$$w0rd
rlm_perl: Added pair NAS-IP-Address = 10.104.1.0
rlm_perl: Added pair Reply-Message = Enter SMS one time password
rlm_perl: Added pair State = 72641523
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = perl

> No. That just means you don't have a reject {} section in Post-Auth; it has nothing to do with the perl module.

I see, I'll try that and report back.

> Can you provide a backtrace please? I'll see if I can fix it.

I'll do that.

I found another small bug in the debian packages generated by "debian/rules binary" in the 2.2.0 release: the initscript puts the pid file in /var/run/freeradius, but Freeradius wants to put it in /var/run/radius, so it does not start:

Sun Jul 21 19:36:34 2013 : Error: Failed creating PID file /var/run/radiusd/radiusd.pid: No such file or directory

Cheers,
Thomas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: debug only for rlm_xxx (rlm_perl)
It's a pity. OK. How can I have minimal logging that logs ONLY requests (i.e. rejects and accepts)? Is there a way to do this?

Thanks for your reply in advance.
Tom.

On Thu, 11 Mar 2010 17:56:27 +0100, Alan DeKok al...@deployingradius.com wrote:
> bi...@antworte.me wrote:
> > Is there an option in radiusd.conf to enable debug logging only for several rlm_modules? E.g. I have rlm_perl and I only want debug messages for this.
>
> Not at this time.
>
> Alan DeKok.
confused by logging targets for rlm_perl
Hi there!

It's been a while.. François turned out to be our official freeradius-users correspondent lately ;)

So, I'm changing some things in our rlm_perl module and tried to make better use of the logging facilities provided by the freeradius core.

http://wiki.freeradius.org/Rlm_perl#Logging refers to:

0 - Debug
1 - Auth
2 - Proxy
3 - Info
4 - Error

However, in practice my tests today revealed behavior that I would prefer be clarified by one of the gurus here.

With file logging, auth = yes and sending messages with radiusd::radlog() I found that Debug, Info and Error go to the radius.log file while Auth does not. I haven't tried Proxy or Acct (which is available according to src/main/log.c).

I expected Debug not to go out in radius.log and Auth to, since I specified auth = yes in radiusd.conf.

With radiusd -X, as expected, I got everything.

Am I missing something here? Is this a bug or a feature(tm)?

Running freeradius 2.1.12.

Thanks,
--
Olivier Bilodeau
obilod...@inverse.ca :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: Packet-Original-Timestamp
2013/3/1 Alan DeKok al...@deployingradius.com:
> Бен Томпсон wrote:
> > I tried checking out the git master code, but it just hangs when calling rlm_perl. This is the last line I see when running in debug mode :-
> >
> > Fri Mar 1 12:46:49 2013 : Debug: (0) modsingle[authorize]: calling perl (rlm_perl) for request 0
> >
> > I need rlm_perl as part of my setup... Is Packet-Original-Timestamp definitely not usable in v2.x?
>
> Don't ask leading questions like that. It's rude.
>
> It is usable. Arran said it was usable. You were told this.

Hi Alan

I am sorry, it was not intended to be rude. I misread Arran's email, and misunderstood what he told me.

> If you want to add Event-Timestamp, when it isn't already there, do:
>
> if (!Event-Timestamp) {
>     update request {
>         Event-Timestamp := "%l"
>     }
> }

Many thanks, I will try this.

Ben
Re: static IP's with rlm_perl
Hello,

No, that did not work; with the setting below the debug shows:

--snip--
.
rlm_perl: Added pair Framed-IP-Address = ��M
...
Sending Access-Accept of id 73 to 127.0.0.1 port 32813
    Framed-IP-Address = 255.255.255.254
--snip--

Before, when I was setting it with a string, it looked fine in the logs:

--snip--
rlm_perl: Added pair Framed-IP-Address = 192.168.77.200 (however it was not sent out)
...
Sending Access-Accept of id 71 to 127.0.0.1 port 32811
    Framed-IP-Address = 255.255.255.254
--snip--

Thanks for the suggestion.

Michael

Garber, Neal wrote:
> > $RAD_REPLY{'Framed-IP-Address'} = '192.168.77.200';
>
> See if the following helps:
>
> use Socket;
> . . .
> $RAD_REPLY{'Framed-IP-Address'} = inet_aton('192.168.77.200');

--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
RE: rlm_perl
hi friends,

I am really sorry to post it again, because I still did not find any reply to solve my problems.

--- Abdul Lateef [EMAIL PROTECTED] wrote:
> Hi,
>
> Thanks for your reply. I am going to post the debug logs here. From the log it seems rlm_perl is loaded successfully, but when I am trying to call the authorize and authenticate functions from example.pl, the functions are not being called properly.
>
> Here is the full configuration of what I did to work with the perl module.
>
> radreply table:
> ---
> 123456    Auth-Type    :=    perl
> ---
>
> radiusd.conf - modules area:
>
> perl {
>     module = /usr/local/etc/example.pl
>     func_accounting = accounting
>     func_authenticate = authenticate
>     func_authorize = authorize
>     func_preacct = preacct
>     func_checksimul = checksimul
>     func_xlat = xlat
> }
>
> authorize {
>     preprocess
>     chap
>     suffix
>     perl
> }
>
> authenticate {
>     Auth-Type Perl {
>         perl
>     }
> }
>
> -
> example.pl
>
> sub authorize {
>     return RLM_MODULE_OK;
> }
>
> sub authenticate {
>     if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
>         $RAD_REPLY{'Reply-Message'} = "Denied access";
>         return RLM_MODULE_REJECT;
>     } else {
>         $RAD_REPLY{'h323-credit-time'} = "h323-credit-time=200";
>         return RLM_MODULE_OK;
>     }
> }
>
> Here is the Log:
> ===
> Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x93af7a0
> Wed Sep 28 07:50:45 2005 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
> Wed Sep 28 07:50:45 2005 : Info: detach at 0x93af7a0 returned status 0
> Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x94b0ec8
> Wed Sep 28 07:50:45 2005 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
> Wed Sep 28 07:50:45 2005 : Info: detach at 0x94b0ec8 returned status 0
> Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x950b550
> Wed Sep 28 07:50:45 2005 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
> Wed Sep 28 07:50:45 2005 : Info: detach at 0x950b550 returned status 0
> Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x9565480
> Wed Sep 28 07:50:45 2005 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
> Wed Sep 28 07:50:45 2005 : Info: detach at 0x9565480 returned status 0
> Wed Sep 28 07:50:45 2005 : Info: Detach perl 0x95bf180
> Wed Sep 28 07:50:45 2005 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
> Wed Sep 28 07:50:45 2005 : Info: detach at 0x95bf180 returned status 0
> Wed Sep 28 07:50:45 2005 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
> Wed Sep 28 07:50:48 2005 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> Wed Sep 28 07:50:48 2005 : Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
> Wed Sep 28 07:50:48 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
> Wed Sep 28 07:50:48 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
> =
>
> I AM REALLY SORRY FOR THE BIG THREAD.
>
> Yours,
> Abdul Lateef
> Computer Programmer
> HATIF COM
> Mob: +974 - 5405022
> Tel: +974 - 4883068
> ICQ: 276994704
> YM!: abdul_zu
> Fax: +974 - 4883063
> Doha Qatar
> http://www.hatif.com
Re: debug only for rlm_xxx (rlm_perl)
Hi Doug,

I will try this. But - without my patch, the compile goes OK.

Thanks
Thomas.

On Wed, 17 Mar 2010 15:15:20 -0700, Doug Hardie bc...@lafn.org wrote:
> Only one of those errors references the code you added. There should have been a line in my earlier email like:
>
> struct stat sb;
>
> The other errors indicate a problem with the normal build includes. How did you try and rebuild it? I suspect there is a way to just rebuild rlm_perl, but I haven't tried to do that on version 2. I suspect you may need to rebuild the entire freeradius.
Re: missing rlm_perl.so in the built from src file
> I built a fresh freeradius on a ubuntu server from source files. When I add the perl module and start freeradius in debug mode, it is asking for rlm_perl.so but cannot find it. It seems the make file does not create the shared lib file for the perl module. Is there any change that should be made in the Makefile to create the rlm_perl.so file?

The configure script won't add the entries to the MakeFile if it can't find the headers it needs to build rlm_perl. If you look in the output of './configure' you'll see a message like 'Failed to find headers, silently not building rlm_perl'.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: Fwd: rlm-perl lc usernames
> Here is the debug using radtest
>
> radtest RadUser [EMAIL PROTECTED] localhost 10 testing123
> ..
> rlm_perl: RAD_REQUEST: User-Name = RadUser
> ..
> rlm_perl: Added pair User-Name = raduser
> ..
> Sending Access-Accept of id 225 to 127.0.0.1 port 38149
>     Tunnel-Medium-Type:0 = IEEE-802
>     Tunnel-Type:0 = VLAN
>     Tunnel-Private-Group-Id:0 = "254"

That worked out as expected. Probably something to do with username format. Alan thinks that he found a bug: http://lists.freeradius.org/pipermail/freeradius-users/2008-September/msg00543.html

Ivan Kalik
Kalik Informatika ISP
Re: Tagged attributes problem and rlm_perl in FreeRADIUS 2.1.4
Alexandr Kovalenko wrote:
> Then I have a few questions:
>
> 1. How could this be that it worked in 1.1.7 (but only the 1st auth attempt; all further ones didn't, until restart)?

shrug Look at the code. I don't want to debug it.

> 2. Is there any work-in-progress project on adding support for tagged attributes in rlm_perl?

Nope. As always, patches are welcome.

> 3. Is there any workaround to make it work?

Edit the source code.

> 4. Which of these modules: rlm_python, rlm_exec, rlm_anything other user programmable, support tagged attributes?

The python module looks like it should.

Alan DeKok.
Re: Centos 5.3 problem
> I was running freeradius 2.0.5 on my Centos 5.2 server using rlm_perl. When I upgraded to 5.3 I get:
>
> rlm_perl: perl_parse failed: /billing/bin/billing.pl not found or has syntax errors.
>
> I googled it and found that this may be caused by libperl.so not being linked properly or Data::Dumper that needs to be recompiled. I have done everything that the mailing list suggested but the problem persists.

Debug billing.pl in the IDE (get something like EPIC). Trace it and you should find exactly what's wrong.

Ivan Kalik
Kalik Informatika ISP
Re: rlm_perl authorize
loz [EMAIL PROTECTED] wrote:
> I'm trying to authorize a user by using the rlm_perl module only. I.e., I only want the perl script to control the authorization.

That's nice. How will the user be authenticated?

> and in the authorize part the files statement is commented (otherwise freeradius will look at the file 'users' for authentication).

Nonsense.

> When I then send a radius request the authorize fails because of "No authenticate method (Auth-Type) configuration found for the request: Rejecting the user". See below for a complete debug output. Can anyone explain why I get this error, and how to fix it?

You tell the server how to authenticate the user. See doc/aaa.txt for background on what the server does.

Alan DeKok.
Re: Multi-valued LDAP attribute
> > In a continuation to my previous issue about how to reference an LDAP attribute in post-auth, I am now wondering how to iterate through a multi-valued attribute in a perl script I call from post-auth. In the debug you can see all three values are returned:
>
> Multi-value attributes are an array in Perl.
>
> > I'm no perl expert, but shouldn't I be able to reference all three values with $RAD_REPLY{'Person-Type'}?
>
> No. That entry is an array. You need @{$RAD_REPLY{'Person-Type'}}, and then de-reference each entry from there.

I'm still having no luck trying to get all of the values off this multi-valued attribute.. I believe I've got the perl syntax correct, but when I try to dereference @{$RAD_REPLY{'Person-Type'}} to check through all values, I get:

rlm_perl: perl_embed:: module = /etc/freeradius/groupcheck.pl , func = post_auth exit status= Can't use string ("employee") as an ARRAY ref while "strict refs" in use at /etc/freeradius/groupcheck.pl line 112.

It appears as though $RAD_REPLY{'Person-Type'} is a string, not an array.. if I ask for the value, I get "employee".. But again, all three values are returned:

...
[ldap] looking for reply items in directory...
[ldap] personType -> Person-Type = "employee"
[ldap] personType -> Person-Type = "fulltime"
[ldap] personType -> Person-Type = "it"
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user atrack authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
...

I did notice the following in the post-auth debug:

...
rlm_perl: Added pair User-Name = atrack
rlm_perl: Added pair MS-MPPE-Recv-Key = 0xc8bf3146d6b3966f0838e304da9bf9d2
rlm_perl: Added pair Person-Type = employee
rlm_perl: Added pair EAP-Message = 0x03090004
rlm_perl: Added pair MS-MPPE-Send-Key = 0x46948d82b0b42f60dd31e93a0d643790
...

So, for Person-Type, only the one value, "employee", is passed to the perl module? Shouldn't there be another two lines of this for the other two values?

I (finally) upgraded to 2.1.12, with the same results. How can I get the other values? Or, is there a better way to do this?

Thanks,
A.
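A post_auth that survives both shapes of a %RAD_REPLY entry, as an added example that is not code from this thread: it assumes rlm_perl's convention that an attribute seen once arrives as a plain string and one seen several times as an array reference (unconditionally dereferencing is what produces the "strict refs" error quoted above), and the Person-Type policy, the RLM_MODULE_* values copied from example.pl and the RLM_PERL_SELFTEST switch are my own assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the thread). Handles the two shapes rlm_perl uses
# for %RAD_REPLY values: a plain string when an attribute occurs once, an
# array reference when it occurs several times.
use strict;
use warnings;

# rlm_perl provides these hashes at request time; declaring them here lets the
# file also run stand-alone. Return codes are the values example.pl defines.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);
use constant {
    RLM_MODULE_REJECT => 0,
    RLM_MODULE_OK     => 2,
};

# Flatten one %RAD_REPLY entry into a list, whatever shape it arrived in.
# Never dereferences a string, so "strict refs" cannot trip on it.
sub attr_values {
    my ($hash, $name) = @_;
    return () unless exists $hash->{$name};
    my $v = $hash->{$name};
    return @{$v} if ref $v eq 'ARRAY';
    return ($v);
}

# Hypothetical policy (my assumption): every required Person-Type value must
# be present or access is refused.
my @REQUIRED = qw(employee fulltime);

sub post_auth {
    my %have    = map { ($_ => 1) } attr_values(\%RAD_REPLY, 'Person-Type');
    my @missing = grep { !$have{$_} } @REQUIRED;
    if (@missing) {
        $RAD_REPLY{'Reply-Message'} = "Missing Person-Type: @missing";
        return RLM_MODULE_REJECT;
    }
    # Directory-internal attribute: do not send it on to the NAS.
    delete $RAD_REPLY{'Person-Type'};
    return RLM_MODULE_OK;
}

# Stand-alone check with constructed data mirroring the thread's three values:
#   RLM_PERL_SELFTEST=1 perl groupcheck_example.pl
if ($ENV{RLM_PERL_SELFTEST}) {
    my @cases = (
        [ 'array ref',    ['employee', 'fulltime', 'it'], RLM_MODULE_OK     ],
        [ 'plain string', 'employee',                     RLM_MODULE_REJECT ],
        [ 'absent',       undef,                          RLM_MODULE_REJECT ],
    );
    for my $c (@cases) {
        my ($label, $value, $want) = @$c;
        %RAD_REPLY = defined $value ? ('Person-Type' => $value) : ();
        my $got = post_auth();
        die "$label: got $got, want $want\n" if $got != $want;
        print "$label: ok (rc=$got)\n";
    }
}
```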
How to debug rlm_perl in multithread?
HI, FreeRadius.

When I run radiusd -X it works fine. But when run in multithread (without -X) it core dumps after ten or twelve queries to radiusd.

Please help, anyone.

--
Eugen Konkov
mailto:kes-...@yandex.ru
Re: How to debug rlm_perl in multithread?
Eugen Konkov wrote:
> HI, FreeRadius.
>
> When I run radiusd -X it works fine. But when run in multithread (without -X) it core dumps after ten or twelve queries to radiusd.
>
> Please help, anyone.

Read doc/bugs

Alan DeKok.
Re: Migrating to threaded rlm_perl
Rolling back to Freeradius 2.1.10 solved the problem with memory leaks. I did not debug it, but it seems like an accounting problem in 2.1.11.
Re: Migrating to threaded rlm_perl
Energ wrote:
> Rolling back to Freeradius 2.1.10 solved the problem with memory leaks. I did not debug it, but it seems like an accounting problem in 2.1.11.

rlm_detail seems to have an issue. Patch is in github, v2.1.x branch.

Alan DeKok.
Re: post-auth problem
Andrea Gabellini [EMAIL PROTECTED] wrote:
> But if I reject the request via the rlm_perl module (returning RLM_MODULE_REJECT) I can't see anything. In debug mode the server doesn't execute the post-auth module in such a situation.

Try using the Post-Auth-Type Reject block in 1.0.0.

Alan DeKok.
Re: Blank User-name attribute
It looks like the %RAD_REQUEST hash is empty by the time you get to the authenticate function in the perl script. I've set up the log_request_attributes function for just standard output, like thus:

sub log_request_attributes {
    print "### Request attributes debug ##\n";
    for (keys %RAD_REQUEST) {
        print "hello\n";
        ...

And in the debug output from radiusd -X, you'll see this:

auth: type "perl"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
perl_pool: item 0x9413670 asigned new request. Handled so far: 1
found interpetator at address 0x9413670
### Request attributes debug ##
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-Routing = Broadcast-Listen
rlm_perl: Added pair Framed-Protocol = PPP
...

You can see that we never get a 'hello', because it never enters the for loop in the log function, since %RAD_REQUEST is empty. I'm not sure what I've done to make it disappear.

Thanks for the response!

Boyan Jordanov wrote:
> On Sunday 06 November 2005 02:35, Gustave Nylander wrote:
> > I have freeradius 1.0.5 installed with the rlm_perl module, and the trouble I'm having is that the user-name attribute is an empty string within the 'authenticate' routine I have for the perl script.
>
> Please see in example.pl that comes with 1.0.5 there is a function log_request_attributes. Call this function right after you enter your authenticate function, run radius in debug and send output.
Re: rlm_perl and accounting
Justin Church [EMAIL PROTECTED] wrote:
> Anything in this debug indicate why the server doesn't send Accounting-Response?

The server didn't log the accounting information anywhere, therefore it's not safe to tell the NAS that the accounting information was stored on the server.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST
> Hi,
>
> Thanks for the suggestion. I added log_request_attributes; in the authorize function, and it already has sub log_request_attributes in the perl script. When I run FR in debug mode, the Aruba-Location-Id is present, but when I call $RAD_REQUEST{'Aruba-Location-Id'} from rlm_perl, it came up empty.

logs?

alan
rlm_eap: Identity does not match User-Name...
hi,

i found the same question and also this topic already on the mailinglist, but no solution which works for me. i'm already debugging this thing the whole day, without any solution.

i'm using 802.1x with
clients: winXP sp2
method: EAP-MSCHAPv2
server: 2.0.0-pre1

it all works fine, as long as i don't supply any domain-name. if i supply a domain-name it immediately fails with "rlm_eap: Identity does not match User-Name, setting from EAP Identity".

could anybody help me with that? and yes, there is no entry in users for EAP.

thx
michael

*** DEBUG LOG ***

rad_recv: Access-Request packet from host 192.168.0.240 port 1645, id=66, length=149
    User-Name = "DOMAINXYZ\\mipa"
    Service-Type = Framed-User
    Framed-MTU = 1500
    Called-Station-Id = "00-1A-E2-D8-3D-81"
    Calling-Station-Id = "00-80-C8-39-16-92"
    EAP-Message = 0x0202001601454e54455250524953455c7061747a6572
    Message-Authenticator = 0xfe2f2b31d8a812b6338524fe5618414e
    NAS-Port-Type = Ethernet
    NAS-Port = 50001
    NAS-IP-Address = 192.168.0.240
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 22
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
  modcall[authorize]: module "files" returns noop for request 0
perl_pool: item 0x816a2d8 asigned new request. Handled so far: 1
found interpetator at address 0x816a2d8
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Calling-Station-Id = 00-80-C8-39-16-92
rlm_perl: Added pair Called-Station-Id = 00-1A-E2-D8-3D-81
rlm_perl: Added pair Message-Authenticator = 0xfe2f2b31d8a812b6338524fe5618414e
rlm_perl: Added pair User-Name = DOMAINXYZ\\mipa
rlm_perl: Added pair EAP-Message = 0x0202001601454e54455250524953455c7061747a6572
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 192.168.0.240
rlm_perl: Added pair NAS-Port = 50001
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair Auth-Type = EAP
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x816a2d8
  modcall[authorize]: module "perl" returns ok for request 0
  modcall[authorize]: module "expiration" returns noop for request 0
  modcall[authorize]: module "logintime" returns noop for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
  Found Post-Auth-Type
  Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 0
radius_xlat: 'DOMAINXYZ\\mipa'
  attr_filter: Matched entry DEFAULT at line 11
  modcall[post-auth]: module "attr_filter.access_reject" returns updated for request 0
modcall: group REJECT returns updated for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 66 to 192.168.0.240 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 66 with timestamp 475edfcb
Nothing to do. Sleeping until we see a request.
Freeradius AS DHCP + rlm_perl
Hi everybody.

FreeRadius ver. 2.1.10 from git.

My problem is the string:
===
++[perl] returns reject
from the radiusd -X debug. The last lines in the perl script that executed:

radiusd::radlog(L_ERR, --- RLM_MODULE_OK ---.RLM_MODULE_OK.) if $DEBUG;
return RLM_MODULE_OK;

As you can see from the radiusd -X output, the log message --- RLM_MODULE_OK --- appears, so I expected something like ++[perl] returns ok. I think maybe it's because I'm using the wrong return code; I tried to return 3, but it didn't help. Please give me advice. Thanks.

radiusd -X output is:
FreeRADIUS Version 2.1.10, for host i386-unknown-freebsd7.2, built on Jul 30 2010 at 11:27:44
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Re: Freeradius AS DHCP + rlm_perl
30.07.2010 19:03, Urazaev Vadim writes:
Hi everybody.
FreeRadius ver. 2.1.10 from git.
My problem is the string:
===
++[perl] returns reject
from the radiusd -X debug. The last lines in the perl script that executed:
radiusd::radlog(L_ERR, --- RLM_MODULE_OK ---.RLM_MODULE_OK.) if $DEBUG;
return RLM_MODULE_OK;
As you can see from the radiusd -X output, the log message --- RLM_MODULE_OK --- appears, so I expected something like ++[perl] returns ok. I think maybe it's because I'm using the wrong return code; I tried to return 3, but it didn't help. Please give me advice. Thanks.
radiusd -X output is:
FreeRADIUS Version 2.1.10, for host i386-unknown-freebsd7.2, built on Jul 30 2010 at 11:27:44
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
Starting - reading configuration files ...
RE: rlm_perl
Hi Arran,

Thank you for the response. I added perl in the sites-available/default file as follows:

authorize {
    #
    # The preprocess module takes care of sanitizing some bizarre
    # attributes in the request, and turning them into attributes
    # which are more standard.
    #
    # It takes care of processing the 'raddb/hints' and the
    # 'raddb/huntgroups' files.
    preprocess
    ldap
    perl
    .
}

And added the following into the raddb/modules/perl file:

perl {
    module = path/example.pl
}

And added the following in src/modules/rlm_perl/example.pl:

sub authorize {
    print "This is a TEST\n";
    .
}

However, when I send a simple test request I don't see my debug line. I also don't see the message "perl loaded" when I start Freeradius in debug mode (radiusd -X). Am I missing anything?

I appreciate it.
ASM

From: a.cudba...@freeradius.org
Subject: Re: rlm_perl
Date: Thu, 29 Sep 2011 19:39:55 +0200
To: freeradius-users@lists.freeradius.org

On 29 Sep 2011, at 19:25, Alex rsm wrote:
Hi,
How can I configure Freeradius to call the example.pl perl script in the rlm_perl module? i.e., I want the perl script to be called when Freeradius receives a request.

read/modify raddb/modules/perl and list perl in sites-available/default authorize {}

Arran Cudbard-Bell a.cudba...@freeradius.org
Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: debug only for rlm_xxx (rlm_perl)
On 11 March 2010, at 03:43, bi...@antworte.me wrote:
Hello list,
is there an option in radiusd.conf to enable debug logging only for several rlm_modules, e.g. I have rlm_perl and I only want debug messages for this.
Thanks for your reply in advance.

It can be done via some modifications to the module source. Here is the approach I use in my modules:

At the top of each function:

int rdebug;
struct stat sb;
rdebug = !stat("/var/log/radacct/radius_debug", &sb);

Then after each DEBUG entry add:

if (rdebug) radlog(L_AUTH, "%s", auth_msg);

Note the L_AUTH is the level, the auth_msg is the message in the DEBUG statement. You can also add your own debugging that way that goes beyond that provided in the original module.

To turn on this debugging just touch the filename listed in the stat command above. Debugging for that module will start. Disable it by deleting that file. You can change the file name to anything convenient for you.
Possible bug in rlm_perl
I think I may have found a bug in rlm_perl? I have written a script with the aid of another freeradius list member that checks to see if a user is in a certain samba windows group. If they are not in the group (the wireless group) the module rejects the login. The module works perfectly except for those users whose usernames begin with a letter t. For instance ISD\josh will succeed but ISD\\ted will fail. I have done much testing and can't find my script to be the issue. Look below for debug output for the perl module. Notice that right after the ++[files] line I print out the radius items for debugging. Notice the User-Name value is correct going into the perl script. Notice on the exit of the perl script on each debug that the username is correct. Then notice later in each debug where these lines are:

Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)

but when the username begins with a t it fails here like this:

Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via TLS tunnel)

Notice only one backslash. I have tried to make it succeed by adding backslashes (for users that start with t) but no success. It will do ISD\\\tbraun and ISD\tbraun but never ISD\\tbraun. Therefore, with users that start with t I always get the "User-name does not match eap identity" failure. Thanks for any help. At the very bottom after the debug output you will find my simple perl script that is well commented.

-Josh

--- Successful attempt ---
++[files] returns noop
They key is User-Name and the value is ISD\\josh.
They key is EAP-Message and the value is 0x020900061a03.
They key is EAP-Type and the value is MS-CHAP-V2.
They key is State and the value is 0xfeecb38bffe5a965a0ca1cd92ce6c42b.
They key is FreeRADIUS-Proxied-To and the value is 127.0.0.1.
rlm_perl: Added pair User-Name = ISD\josh
rlm_perl: Added pair EAP-Message = 0x020900061a03
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair State = 0xfeecb38bffe5a965a0ca1cd92ce6c42b
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
++[perl] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 2
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = ISD\\josh
[peap] Got tunneled reply RADIUS code 2
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = ISD\\josh
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
--- End snip of successful attempt ---

--- Failed attempt from user whose username begins with a t (tbraun) ---
++[files] returns noop
They key is User-Name and the value is ISD\\tbraun.
They key is EAP-Message and the value is 0x0207000f014953445c74627261756e.
They key is EAP-Type and the value is Identity.
They key is FreeRADIUS-Proxied-To and the value is 127.0.0.1.
rlm_perl: Added pair User-Name = ISD\tbraun
rlm_perl: Added pair EAP-Message = 0x0207000f014953445c74627261756e
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
++[perl] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
--- End of snip of failed attempt ---

--- Begin paste of perl script ---
#!/usr/bin/perl -w
use strict;
# use ...
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;

# This is the hash which holds the original request from radius
#my %RAD_REQUEST;
# In this hash you add values that will be returned to the NAS.
#my %RAD_REPLY;
# This is for check items
#my %RAD_CHECK;

#
# This is the remapping of return values
#
use constant RLM_MODULE_REJECT  => 0; # /* immediately reject the request */
use constant RLM_MODULE_FAIL    => 1; # /* module failed, don't reply */
use constant RLM_MODULE_OK      => 2; # /* the module is OK, continue */
use constant
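What the two snippets above record is an escape round trip that is not symmetric: the server prints the raw value ISD\tbraun as ISD\\tbraun, but once the value is handed back as a new pair and run through a parser that decodes C-style escapes, \t becomes a tab character, the User-Name no longer equals the EAP identity and the login is rejected, whereas \j in ISD\josh is not a recognised escape and survives. The Perl below is an added example, not Josh's script and not rlm_perl's source; escape_value and unescape_value are a simplified model written from the debug output rather than FreeRADIUS's real parser, and the third trip (escaped on the way in, never decoded on the way out) shows the mirror case that doubles backslashes:

```perl
#!/usr/bin/perl
# Added example: models how a backslash in a RADIUS User-Name fares when
# the value is escaped for display, handed to a script, and parsed back
# into a pair. The escape rules are a simplified assumption modelled on
# the debug output in the thread, not FreeRADIUS's actual code.
use strict;
use warnings;

# Escape a raw value the way a debug printer does: backslash becomes \\,
# tab/newline/CR become \t \n \r, other non-printables become \ooo.
sub escape_value {
    my ($raw) = @_;
    my $out = '';
    for my $ch (split //, $raw) {
        if    ($ch eq "\\") { $out .= "\\\\" }
        elsif ($ch eq "\t") { $out .= "\\t" }
        elsif ($ch eq "\n") { $out .= "\\n" }
        elsif ($ch eq "\r") { $out .= "\\r" }
        elsif (ord($ch) < 32 || ord($ch) > 126) { $out .= sprintf("\\%03o", ord $ch) }
        else                { $out .= $ch }
    }
    return $out;
}

# Decode C-style escapes the way a value parser does: \\ \t \n \r \" and
# \ooo are decoded; an unknown escape such as \j is kept literally, which
# is why ISD\josh survives the buggy path while ISD\tbraun does not.
sub unescape_value {
    my ($text) = @_;
    my %map = ('\\' => "\\", 't' => "\t", 'n' => "\n", 'r' => "\r", '"' => '"');
    my $out = '';
    while (length $text) {
        if    ($text =~ s/^\\([0-7]{1,3})//) { $out .= chr(oct($1)) }
        elsif ($text =~ s/^\\(.)//s)         { $out .= exists $map{$1} ? $map{$1} : "\\$1" }
        else  { $text =~ s/^(.)//s;            $out .= $1 }
    }
    return $out;
}

# Three ways a value can travel out to a script and come back as a new pair.
sub symmetric_trip   { return unescape_value(escape_value($_[0])) }  # escape in, decode out
sub decode_only_trip { return unescape_value($_[0]) }                # raw in, decode out (the bug above)
sub escape_only_trip { return escape_value($_[0]) }                  # escape in, raw out (doubled backslashes)

# Constructed sample identities as raw bytes (one backslash each).
my @names = ("ISD\\josh", "ISD\\tbraun", "ISD\\nancy");

for my $raw (@names) {
    printf "%-12s", escape_value($raw);     # shown the way the server prints it
    for my $trip (\&symmetric_trip, \&decode_only_trip, \&escape_only_trip) {
        my $back = $trip->($raw);
        printf " %-16s %-8s", escape_value($back), $back eq $raw ? 'ok' : 'MISMATCH';
    }
    print "\n";
}
```

Only the symmetric trip returns every name unchanged; comparing the value that comes back with the value that went in is the check a script that re-adds attributes should make before trusting the result.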
Re: Possible bug in rlm_perl
Josh Hiner wrote:
I think I may have found a bug in rlm_perl? I have written a script with the aid of another freeradius list member that checks to see if a user is in a certain samba windows group. If they are not in the group (the wireless group) the module rejects the login. The module works perfectly except for those users whose usernames begin with a letter t. For instance ISD\josh will succeed but ISD\\ted will fail. I have done much testing and can't find my script to be the issue. Look below for debug output for the perl module. Notice that right after the ++[files] line I print out the radius items for debugging. Notice the User-Name value is correct going into the perl script. Notice on the exit of the perl script on each debug that the username is correct. Then notice later in each debug where these lines are:
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
but when the username begins with a t it fails here like this:
Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
Notice only one backslash. I have tried to make it succeed by adding backslashes (for users that start with t) but no success. It will do ISD\\\tbraun and ISD\tbraun but never ISD\\tbraun. Therefore, with users that start with t I always get the "User-name does not match eap identity" failure. Thanks for any help. At the very bottom after the debug output you will find my simple perl script that is well commented.
-Josh
RE: Rlm_perl causes segfault (want perl to rewrite attributes)
Yes, that helps exactly - thanks. I also found a way to work around the problem without translation - by having a multiple-entry DEFAULT line to direct each ssid to its own dbm lookup table. It took some re-reading of the rlm_dbm docs to figure out, but it works... Although I now have three dbm files instead of 1.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Boian Jordanov
Sent: Saturday, February 12, 2005 11:31 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Rlm_perl causes segfault (want perl to rewrite attributes)

On Sat, Feb 12, 2005 at 01:02:34AM -0600, Dudley Atkinson wrote:
I'd like to implement the rlm_perl to rewrite some attributes, and I get a segfault. I've included the debug and the perl -VV so maybe someone more knowledgeable can tell me why it fails (or give me a good pointer).

First apply patches from bug 111 and 179 to fresh rlm_perl taken from CVS.

Attr_rewrite won't work for this, because I want to change the User-Name based on what the Cisco-AVPair is. If attr_rewrite will work for this situation, I'm all ears (or eyes as the case may be), but I couldn't see how to do that from the faq/doc/googles.

You can do this with attr_rewrite and perl xlat.

attr_rewrite test {
    attribute = User-Name
    # may be packet, reply, proxy, proxy_reply or config
    searchin = packet
    searchfor = \.*
    replacewith = %{perl:%{Cisco-AVPair[*]} }
    ignore_case = no
    new_attribute = no
    max_matches = 1
    ## If set to yes then the replace string will be appended to the original string
    append = no
}

in your perl script

sub xlat {
    my @CiscoAVPair = @_;
    # some code here
    return $username;
}

and put test (the name of the instance of attr_rewrite) in the authorize section. I hope this will help.

--
Best Regards,
Boian Jordanov
SNE
Orbitel - the Internet Company
tel. +359 2 4004 723
rlm_perl and empty user name variable
I have freeradius 1.05 configured with rlm_perl to handle authentication, and the problem seems to be that the $RAD_REQUEST{'User-Name'} variable is an empty string within the perl script I have set up. The perl script is based on the example.pl script provided with freeradius.

My users file has one line:

DEFAULT Auth-Type := Perl_Auth

The applicable sections of radiusd.conf are:

modules section:
perl {
    module = /home/rpm/test_rad.pl
    func_authenticate = authenticate
    func_authorize = authorize
}

authorize {
    files
}

authenticate {
    Auth-Type Perl_Auth {
        perl
    }
}

The perl script itself has the variables toward the top uncommented, and the authenticate sub is:

sub authenticate {
    # For debugging purposes only
    log_request_attributes;

    if ($RAD_REQUEST{'User-Name'} == "") {
        return RLM_MODULE_REJECT;
    }

    if ($RAD_REQUEST{'User-Name'} =~ /^fred/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    } else {
        # Accept user and set some attribute
        $RAD_REPLY{'h323-credit-amount'} = 100;
        return RLM_MODULE_OK;
    }
}

All authentication attempts get caught with the empty string check in the code above. Below is the radiusd debug:

rad_recv: Access-Request packet from host 127.0.0.1:43349, id=196, length=55
User-Name = gus
User-Password = 123
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
users: Matched entry DEFAULT at line 1
modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Perl_Auth
auth: type Perl_Auth
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_perl: Added pair Auth-Type = Perl_Auth
modcall[authenticate]: module perl returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
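The empty-string test in the sub above would by itself reject every request: == is Perl's numeric comparison, so "gus" == "" converts both sides to 0 and is true for any username that does not look like a number. Added Perl example, not the poster's script: authenticate_numeric reproduces the posted check, authenticate_string is the corrected form using eq (and also rejects a request with no User-Name attribute at all), and a constructed set of requests is pushed through both; the sub names and the sample requests are assumptions.

```perl
#!/usr/bin/perl
# Added example: numeric == versus string eq in an rlm_perl authenticate
# check. The sub names and sample requests are constructed for the demo.
use strict;
use warnings;

# Same return codes rlm_perl's example.pl defines.
use constant RLM_MODULE_REJECT => 0;
use constant RLM_MODULE_OK     => 2;

# The check as posted: == is numeric, so "gus" == "" compares 0 == 0 and
# is true for every username that is not a number. Warnings about the
# conversion are silenced here only so the demo output stays readable.
sub authenticate_numeric {
    my ($req) = @_;
    no warnings qw(numeric uninitialized);
    return RLM_MODULE_REJECT if $req->{'User-Name'} == "";
    return RLM_MODULE_REJECT if $req->{'User-Name'} =~ /^fred/i;
    return RLM_MODULE_OK;
}

# Corrected check: eq compares strings, and the defined/length test also
# rejects a request that carries no User-Name attribute.
sub authenticate_string {
    my ($req) = @_;
    my $name = $req->{'User-Name'};
    return RLM_MODULE_REJECT if !defined $name || $name eq '';
    return RLM_MODULE_REJECT if $name =~ /^fred/i;
    return RLM_MODULE_OK;
}

# Constructed requests, shaped like the %RAD_REQUEST hash rlm_perl fills.
my @cases = (
    { 'User-Name' => 'gus'  },   # ordinary user, should be accepted (2)
    { 'User-Name' => 'fred' },   # should be rejected by the /^fred/ rule (0)
    { 'User-Name' => ''     },   # empty name, should be rejected (0)
    { 'User-Name' => '0'    },   # numeric name: equals "" as a number, not as a string
    {                       },   # attribute missing entirely
);

for my $req (@cases) {
    my $shown = defined $req->{'User-Name'} ? "'$req->{'User-Name'}'" : '(absent)';
    printf "%-10s numeric-check=%d  string-check=%d\n",
        $shown, authenticate_numeric($req), authenticate_string($req);
}
```

The numeric column returns 0 (reject) for 'gus' and '0' as well, which is the behaviour the debug output above shows for user gus.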
Re: Freeradius AS DHCP + rlm_perl
On 07/30/2010 12:57 PM, Urazaev Vadim wrote:
[16 pages of debug output snipped for brevity]
Sorry guys for disturbing you, the problem was in an eval{} block in my perl script, inside which the return command always returned the reject code. Anyway, thanks for all.

And for that I had to page through 16 pages of debug output? Please have the courtesy to trim irrelevant material. Thanks!

--
John Dennis jden...@redhat.com
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
MSCHAP Auth fails
Hello out there,

I'm testing the FreeRADIUS Version 2.1.12 module with AD integration following the deployingradius.com guide. Installed winbind and samba version 3.6.3, and ntlm_auth tests are fine. Now I'm testing with radtest while running radius in debug mode.

The following line has been added to users:
DEFAULT Auth-Type = mschap

This is the output from radtest:

radtest -t mschap User001 USERPW localhost 0 s3cr3t
Sending Access-Request of id 61 to 127.0.0.1 port 1812
User-Name = User001
NAS-IP-Address = 172.16.28.168
NAS-Port = 0
Message-Authenticator = 0x
MS-CHAP-Challenge = 0x7e9462ca7fbf5d20
MS-CHAP-Response = 0x0001a42d3b5b243dede8b6dc20fc78f0fdad458a494f649cca2b
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=61, length=38
MS-CHAP-Error = \000E=691 R=1

And this from radiusd -X:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 48471, id=105, length=133
User-Name = User001
NAS-IP-Address = 172.16.28.168
NAS-Port = 0
Message-Authenticator = 0x5d1a20d2d2c7897d376d003f73153552
MS-CHAP-Challenge = 0x28d302e62ccf7399
MS-CHAP-Response = 0x0001f7b8cd66af90b5791fb4b09421dbbf2cbed180e7e72304b5
server packetfence {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = User001, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair User-Name = User001
rlm_perl: Added pair MS-CHAP-Response = 0x0001f7b8cd66af90b5791fb4b09421dbbf2cbed180e7e72304b5
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address = 172.16.28.168
rlm_perl: Added pair MS-CHAP-Challenge = 0x28d302e62ccf7399
rlm_perl: Added pair Message-Authenticator = 0x5d1a20d2d2c7897d376d003f73153552
rlm_perl: Added pair Auth-Type = MSCHAP
++[packetfence] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] expand: %{mschap:User-Name:-None} -> User001
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} -> --username=User001
[mschap] mschap1: 28
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=28d302e62ccf7399
[mschap] expand: #ntresponse=%{mschap:NT-Response:-00} -> #ntresponse=f7b8cd66af90b5791fb4b09421dbbf2cbed180e7e72304b5
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Logon failure (0xc06d)): [User001] (from client 127.0.0.1 port 0)

The ntlm_auth is well configured in the mschap module (--ntresponse)!

Thanks for helping.
Re: Freeradius not unescaping \ and
Ok, debug logs and config files are attached. It looks like the problem could be with rlm_perl, as the proxying happens correctly if we disable the perl module completely. However, even with no logic happening in the perl script, additional \'s are added to the attributes.

Please see the attached log of a login attempt for
Username: murray/A\
Password: A\
which is eventually proxied as
User-Name = A
User-Password = A

Thanks,
Murray

On Fri, Sep 3, 2010 at 3:33 PM, Alan DeKok al...@deployingradius.com wrote:
Murray Long wrote:
I am running the latest version provided by Ubuntu, 2.1.8+dfsg-1ubuntu1. Is this not considered recent? I will try 2.1.9 from the freeradius site and see how that goes.

Well.. it works in the current 2.1.x branch. How about posting debug logs?

Alan DeKok.

FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 5 2010 at 02:49:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
main {
    allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
    prefix = /usr
    localstatedir = /var
    logdir = /var/log/freeradius
    libdir = /usr/lib/freeradius
    radacctdir = /var/log/freeradius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = /var/run/freeradius/freeradius.pid
    checkrad = /usr/sbin/checkrad
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    log_auth = no
    log_auth_badpass = no
    log_auth_goodpass = no
    log_stripped_names = no
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
radiusd: Loading Realms and Home Servers
realm murray {
    authhost = 10.0.0.101:1812
    accthost = 10.0.0.101:1813
    secret = secret
}
realm NULL {
}
realm default {
}
realm default {
} # realm default
radiusd: Loading Clients
client 0.0.0.0/0 {
    require_message_authenticator = no
    secret = secret
    shortname = swak
}
radiusd: Instantiating modules
instantiate {
    Module: Linked to module rlm_exec
    Module: Instantiating exec
    exec {
        wait = yes
        input_pairs = request
        shell_escape = yes
    }
    Module: Linked to module rlm_expr
    Module: Instantiating expr
}
radiusd: Loading Virtual Servers
server {
    modules {
        Module: Checking authenticate {...} for more modules to load
        Module: Linked to module rlm_perl
        Module: Instantiating perl
        perl {
            module = /etc/freeradius/perl_module.pm
            func_authorize = authorize
            func_authenticate = authenticate
            func_accounting = accounting
            func_preacct = preacct
            func_checksimul = checksimul
            func_detach = detach
            func_xlat = xlat
            func_pre_proxy = pre_proxy
            func_post_proxy = post_proxy
            func_post_auth = post_auth
            func_recv_coa = recv_coa
            func_send_coa = send_coa
        }
        Module: Linked to module rlm_pap
        Module: Instantiating pap
        pap {
            encryption_scheme = crypt
            auto_header = no
        }
        Module: Linked to module rlm_chap
        Module: Instantiating chap
        Module: Checking authorize {...} for more modules to load
        Module: Linked to module rlm_preprocess
        Module: Instantiating preprocess
        preprocess {
            huntgroups = /etc/freeradius/huntgroups
            hints = /etc/freeradius/hints
            with_ascend_hack = no
            ascend_channels_per_line = 23
            with_ntdomain_hack = no
            with_specialix_jetstream_hack = no
            with_cisco_vsa_hack = no
            with_alvarion_vsa_hack = no
        }
        Module: Linked to module rlm_realm
        Module: Instantiating realm_prefix
        realm realm_prefix {
            format = prefix
            delimiter = /
            ignore_default = no
            ignore_null = no
        }
        Module: Linked to module rlm_detail
        Module: Instantiating detail
        detail {
            detailfile = /var/log/freeradius/radacct/%{NAS-Identifier}/%Y-%m-%d
            header = %t
            detailperm = 384
            dirperm = 493
            locking = no
            log_packet_header = no
        }
        Module: Checking preacct {...} for more modules to load
        Module: Linked to module rlm_acct_unique
        Module: Instantiating acct_unique
        acct_unique {
            key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
        }
        Module: Checking accounting {...} for more modules to load
        Module: Checking post-auth {...} for more modules to load
    } # modules
} # server
radiusd: Opening IP addresses and Ports
listen {
    type = auth
    ipaddr = *
    port = 1812
}
listen {
    type = acct
    ipaddr = *
    port = 1813
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Status-Server packet
Re: rlm_perl
Alexander Clouter <a...@digriz.org.uk> writes:

> Alex rsm <alex-...@hotmail.com> wrote:
>> And added the following in src/modules/rlm_perl/example.pl
>>
>> sub authorize {
>>     print "This is a TEST\n";
>>     ...
>> }
>>
>> However, when I send a simple test request I don't see my debug line. I also don't see the message "perl loaded" when I start Freeradius in debug mode (radiusd -X).
>
> I am pretty sure stdout is not plumbed up for rlm_perl, and neither is stderr, so you will not see anything.

Oh, but they are. At least in debug mode.

I don't think Alex (the other one :-) really enabled the perl module. It will NOT be silent in debug mode. You should see something like this when the module is instantiated:

 Module: Linked to module rlm_perl
 Module: Instantiating module perl from file /etc/freeradius/modules/perl
  perl {
    module = /etc/freeradius/example.pl
    func_authorize = authorize
    func_authenticate = authenticate
    func_accounting = accounting
    func_preacct = preacct
    func_checksimul = checksimul
    func_detach = detach
    func_xlat = xlat
    func_pre_proxy = pre_proxy
    func_post_proxy = post_proxy
    func_post_auth = post_auth
    func_recv_coa = recv_coa
    func_send_coa = send_coa
  }

And with the following /etc/freeradius/example.pl:

use constant RLM_MODULE_REJECT   => 0; # /* immediately reject the request */
use constant RLM_MODULE_FAIL     => 1; # /* module failed, don't reply */
use constant RLM_MODULE_OK       => 2; # /* the module is OK, continue */
use constant RLM_MODULE_HANDLED  => 3; # /* the module handled the request, so stop. */
use constant RLM_MODULE_INVALID  => 4; # /* the module considers the request invalid. */
use constant RLM_MODULE_USERLOCK => 5; # /* reject the request (user is locked out) */
use constant RLM_MODULE_NOTFOUND => 6; # /* user not found */
use constant RLM_MODULE_NOOP     => 7; # /* module succeeded without doing anything */
use constant RLM_MODULE_UPDATED  => 8; # /* OK (pairs modified) */
use constant RLM_MODULE_NUMCODES => 9; # /* How many return codes there are */

sub authorize {
    print "Here\n";
    return RLM_MODULE_NOOP;
}

I get:

rad_recv: Access-Request packet from host 127.0.0.1 port 41702, id=236, length=43
    User-Name = foo
    User-Password = bar
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = foo, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Here
rlm_perl: Added pair User-Name = foo
rlm_perl: Added pair User-Password = bar
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
++[perl] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> foo
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 236 to 127.0.0.1 port 41702
Waking up in 4.9 seconds.
Cleaning up request 0 ID 236 with timestamp +132
Ready to process requests.

Note the "Here" right before the rlm_perl: debug lines. That's the perl script's stdout. But there's no use looking for output from the perl script if the rlm_perl module isn't loaded.

> Of course reading the documentation brings enlightenment in the form of 'radiusd::radlog(1, ...);'... :-/

Sure. That's essential if you want to log something useful in production mode.

Bjørn
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: trigger an Access Challenge
Sorry for sending this message twice, but I forgot the debug output.

---

Thanks for the reply. But the client that I use only supports PAP and CHAP requests, and neither of them initiates the server to send an Access Challenge. That is why I tried to create the challenge with the help of the perl module. Then I realized that freeradius.net unfortunately doesn't include this module. After spending several hours in setting up a linux environment I'm in despair of this perl script. Perhaps somebody can tell me why it doesn't work!?

sub authenticate {
    # For debugging purposes only
    log_request_attributes;

    if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    } else {
        # send the challenge
        $RAD_REPLY{'State'} = "challenge";
        $RAD_REPLY{'Reply-Message'} = "challenge: ";
        $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
        return RLM_MODULE_HANDLED;
    }
}

If I'm not completely wrong, it's the same that worked for this guy:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47425.html

But the server doesn't send the reply to the client (timeout at client side):

rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
    User-Name = radius
    NAS-IP-Address = 10.0.1.131
    CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a
    CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = radius, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry radius at line 52
  modcall[authorize]: module files returns ok for request 0
perl_pool: item 0xb809a5f0 asigned new request. Handled so far: 1
found interpetator at address 0xb809a5f0
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0xb809a5f0
  modcall[authorize]: module perl returns ok for request 0
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type Perl
auth: type Perl
  Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 0
perl_pool: item 0xb8181050 asigned new request. Handled so far: 1
found interpetator at address 0xb8181050
rlm_perl: RAD_REQUEST: Client-IP-Address = 10.0.1.131
rlm_perl: RAD_REQUEST: CHAP-Challenge = 0x9899ee060e58b9864898d5fa165a2455
rlm_perl: RAD_REQUEST: CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a
rlm_perl: RAD_REQUEST: User-Name = radius
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.0.1.131
rlm_perl: RAD_REPLY: Reply-Message = challenge:
rlm_perl: RAD_REPLY: User-Password = pass
rlm_perl: RAD_REPLY: State = challenge
rlm_perl: Added pair Reply-Message = challenge:
rlm_perl: Added pair User-Password = pass
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0xb8181050
  modcall[authenticate]: module perl returns handled for request 0
modcall: leaving group Perl (returns handled) for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
Discarding duplicate request from client localhost:57004 - ID: 7
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
Discarding duplicate request from client localhost:57004 - ID: 7
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 7 with timestamp 49a4220b
Nothing to do. Sleeping until we see a request.

If this makes sense to somebody, I would be thankful for an advice :-)

Regards,
Ronny

-----Original Message-----
From: freeradius-users-bounces+voigt=bi-web...@lists.freeradius.org [mailto:freeradius-users-bounces+voigt=bi-web...@lists.freeradius.org] On behalf of t...@kalik.net
Sent: Tuesday, 24 February 2009 00:07
To: FreeRadius users mailing list
Subject: Re: trigger an Access Challenge

> I want to test a radius client with the freeradius server. Access Requests and Replies
rlm_perl - authorize - authenticate issue
Hi,

I am using freeradius (rlm_perl) for a VoIP system for a long time now, and today I tried to use it for routing purposes as well. In my authorize function of my perl script I am assigning the routing info to $RAD_REPLY:

...
my @final_routing = (
    "MLPAMPLA01/1/$calling_num/$called_num/$calling_num/$called_num/xxx.xxx.xxx.xxx:1720",
    "MLPAMPLA02/1/$calling_num/$called_num/$calling_num/$called_num/yyy.yyy.yyy.yyy:1720",
);
...
$RAD_REPLY{'Cisco-Command-Code'} = \@final_routing;
...

My authenticate section is very simple for now (accept everything):

sub authenticate {
    return RLM_MODULE_OK;
}

My problem is that when freeradius accepts a message it processes the authorize section correctly:

rlm_perl: Added pair Cisco-Command-Code = MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
rlm_perl: Added pair Cisco-Command-Code = MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720

and when it processes the authenticate section it adds the above two pairs one more time, leading to this reply:

Sending Access-Accept of id 139 to zzz.zzz.zzz.zzz port 1814
    Cisco-Command-Code += MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
    Cisco-Command-Code += MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720
    Cisco-Command-Code += MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
    Cisco-Command-Code += MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720

...which is not the desired result. In which part does the second addition of the attributes occur?

The debug output follows:

  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
    rlm_realm: Looking up realm LLL for User-Name = [EMAIL PROTECTED]
    rlm_realm: No such realm LLL
  modcall[authorize]: module suffix returns noop for request 0
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
perl_pool: item 0x950f330 asigned new request. Handled so far: 1
found interpetator at address 0x950f330
rlm_perl: Added pair Cisco-Command-Code = MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
rlm_perl: Added pair Cisco-Command-Code = MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720
rlm_perl: Added pair Auth-Type = PERL
perl_pool total/active/spare [10/0/10]
Unreserve perl at address 0x950f330
  modcall[authorize]: module perl returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type PERL
auth: type PERL
  Processing the authenticate section of radiusd.conf
modcall: entering group PERL for request 0
perl_pool: item 0xa009ae0 asigned new request. Handled so far: 1
found interpetator at address 0xa009ae0
rlm_perl: Added pair Cisco-Command-Code = MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
rlm_perl: Added pair Cisco-Command-Code = MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720
rlm_perl: Added pair Auth-Type = PERL
perl_pool total/active/spare [10/0/10]
Unreserve perl at address 0xa009ae0
  modcall[authenticate]: module perl returns ok for request 0
modcall: leaving group PERL (returns ok) for request 0
Sending Access-Accept of id 17 to ooo.ooo.ooo.ooo port 1814
    Cisco-Command-Code += MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
    Cisco-Command-Code += MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720
    Cisco-Command-Code += MLPAMPLA01/1//d//d/xxx.xxx.xxx.xxx:1720
    Cisco-Command-Code += MLPAMPLA02/1//d//d/yyy.yyy.yyy.yyy:1720
Finished request 0

--
---
Apostolos Pantsiopoulos
Kinetix Tele.com Support Center
email: [EMAIL PROTECTED], [EMAIL PROTECTED]
Tel. Fax: +30 2310556134
Mobile : +30 6937069097
MSN : [EMAIL PROTECTED]
WWW: http://www.kinetix.gr/
---
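Two of the transcripts above can be read off mechanically: Apostolos asks in which section the second set of Cisco-Command-Code pairs is added, and Ronny's request ends with "Finished request 0" but no "Sending" line. The Python below is an added example, not code from either post or from FreeRADIUS: it walks a constructed radiusd -X excerpt in the same modcall format (attribute values and addresses are made up), records the section in which rlm_perl added each reply pair, and reports pairs that occur more than once in the sent packet as well as requests that finish without any packet being sent.

```python
import re
from collections import Counter

# Constructed radiusd -X excerpt in the "modcall" style of the posts above:
# request 0 mirrors the Cisco-Command-Code duplication, request 1 a challenge
# that is marked handled but never sent.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.0.5:1024, id=17, length=60
  Processing the authorize section of radiusd.conf
rlm_perl: Added pair Cisco-Command-Code = ROUTE-A/1/xxx.xxx.xxx.xxx:1720
rlm_perl: Added pair Cisco-Command-Code = ROUTE-B/1/yyy.yyy.yyy.yyy:1720
  Processing the authenticate section of radiusd.conf
rlm_perl: Added pair Cisco-Command-Code = ROUTE-A/1/xxx.xxx.xxx.xxx:1720
rlm_perl: Added pair Cisco-Command-Code = ROUTE-B/1/yyy.yyy.yyy.yyy:1720
Sending Access-Accept of id 17 to 10.0.0.5 port 1814
        Cisco-Command-Code += ROUTE-A/1/xxx.xxx.xxx.xxx:1720
        Cisco-Command-Code += ROUTE-B/1/yyy.yyy.yyy.yyy:1720
        Cisco-Command-Code += ROUTE-A/1/xxx.xxx.xxx.xxx:1720
        Cisco-Command-Code += ROUTE-B/1/yyy.yyy.yyy.yyy:1720
Finished request 0
rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
  Processing the authenticate section of radiusd.conf
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
  modcall[authenticate]: module perl returns handled for request 1
Finished request 1
"""

RECV_RE = re.compile(r"^rad_recv: Access-Request packet .*id=(\d+),")
SECTION_RE = re.compile(r"^\s*Processing the (\w+) section of radiusd\.conf")
ADDED_RE = re.compile(r"^rlm_perl: Added pair (\S+) = (.*)$")
SENDING_RE = re.compile(r"^Sending (\S+) of id (\d+) to ")
REPLY_RE = re.compile(r"^\s*(\S+) (=|\+=|:=) (.*)$")  # lines under "Sending ..."
FINISHED_RE = re.compile(r"^Finished request (\d+)")

def analyze(log):
    """Per finished request: where rlm_perl added each reply pair, duplicated pairs in the sent packet, packet type sent."""
    results, req, section, in_reply = [], None, None, False
    for line in log.splitlines():
        if (m := RECV_RE.match(line)):
            req = {"id": int(m.group(1)), "added": [], "sent": None, "reply": []}
            section, in_reply = None, False
        elif req is None:
            continue  # startup output before the first request
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif (m := ADDED_RE.match(line)):
            req["added"].append((section, m.group(1), m.group(2)))
        elif (m := SENDING_RE.match(line)):
            req["sent"], in_reply = m.group(1), True
        elif in_reply and (m := REPLY_RE.match(line)):
            req["reply"].append((m.group(1), m.group(3)))
        elif (m := FINISHED_RE.match(line)):
            req["request"] = int(m.group(1))
            req["duplicates"] = {p: n for p, n in Counter(req["reply"]).items() if n > 1}
            results.append(req)
            req = None
    return results

def findings(results):
    """Render the analysis as one-line findings a reviewer can act on."""
    out = []
    for r in results:
        for (attr, value), n in r["duplicates"].items():
            where = sorted({s for s, a, v in r["added"] if (a, v) == (attr, value)})
            out.append(f"request {r['request']}: {attr} = {value} sent {n}x, added by rlm_perl in {', '.join(where)}")
        if r["sent"] is None:
            out.append(f"request {r['request']}: finished without sending a packet, client will time out")
    return out
```

Run against a real transcript by passing the file contents to analyze(); the regexes only cover the 1.x modcall format shown in these two posts.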
FW: authentication sub in perl
Ok, OpenSSL is installed on my server. No more issue on EAP. However, my debug line in sub authenticate still is not being called:

#example.pl
# Function to handle authorize
sub authorize {
    print "TEST-authorize: username=$RAD_REQUEST{'User-Name'}\n";
    # For debugging purposes only
    # log_request_attributes;
    # Here's where your authorization code comes
    # You can call another function from here:
    test_call;
    return RLM_MODULE_OK;
}

# Function to handle authenticate
sub authenticate {
    print "TEST-authenticate\n";
    # For debugging purposes only
    # log_request_attributes;
    if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    } else {
        # Accept user and set some attribute
        $RAD_REPLY{'h323-credit-amount'} = 100;
        return RLM_MODULE_OK;
    }
}

and here is the debug:

Cleaning up request 9 ID 9 with timestamp +7
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=19, length=169
    User-Name = abc
    NAS-IP-Address = 10.0.0.31
    NAS-Identifier = belair
    NAS-Port = 0
    Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x
    Calling-Station-Id = 5C-59-48-F0-34-8B
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 11Mbps 802.11b
    EAP-Message = 0x020801616263
    Message-Authenticator = 0xb952dcdfcec1e39a79c029ccdc94c2ca
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = abc, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[sql]   expand: %{User-Name} -> abc
[sql] sql_set_user escaped user --> 'abc'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'abc' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'abc' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
[sql] User abc not found
++[sql] returns notfound
TEST-authorize: username=abc
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-F0-34-8B
rlm_perl: Added pair Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x
rlm_perl: Added pair Message-Authenticator = 0xb952dcdfcec1e39a79c029ccdc94c2ca
rlm_perl: Added pair User-Name = abc
rlm_perl: Added pair NAS-Identifier = belair
rlm_perl: Added pair EAP-Message = 0x020801616263
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 10.0.0.31
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 19 to 10.0.0.31 port 50071
    EAP-Message = 0x0101001604108bc56309ea2103957c2aee6450696f68
    Message-Authenticator = 0x
    State = 0x2c81558c2c8051de6687486c2848c067
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=20, length=185
    User-Name = abc
    NAS-IP-Address = 10.0.0.31
    NAS-Identifier = belair
    NAS-Port = 0
    Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x
    Calling-Station-Id = 5C-59-48-F0-34-8B
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 11Mbps 802.11b
    EAP-Message = 0x020100060319
    State = 0x2c81558c2c8051de6687486c2848c067
    Message-Authenticator = 0x959b11a51401f767f5b52bc58298d730
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = abc, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
Re: rlm_perl - dbi - freetds works on radiusd -X but fails to sql connect in background
selinux was the culprit, thank you very much!

On Wed, Jan 7, 2009 at 2:22 PM, nes pa <nesp...@gmail.com> wrote:
> I've changed the example.pl perl script so it 'use DBI;' to query a Sybase server via freetds. Any hints welcome for solution or better tools to debug/strace into the perl script.
Re: rlm_perl
Abdul Lateef <[EMAIL PROTECTED]> writes:

> I am really sorry to post it again.

I'm curious... what good do you think that possibly could do?

> Because still I did not find any reply to solve my problems.

I noticed you got this answer:

  Run the server in Debug mode and see what happens.

Maybe you missed it?

Bjørn
Re: Problem with rlm_perl.
> It is:
>
>     use Data::Dumper;
>
> in example.pl that causes the trouble.

Many thanks. I commented this string out and freeradius is running.

> I wonder if this library inclusion could be automated at the configure stage... In my case, it happened automatically by itself.

An answer to this question would interest me, too!

If this is not possible, then which is the simplest approach to simulating a radius wrapper environment to debug a perl script? If anyone here has something to say about this issue, please share.

--
Best regards.
Yevgeny
Re: static IP's with rlm_perl
On Friday 20 October 2006 10:32, Michael Gale wrote:
> Hello,
>
> No, that did not work, with the setting below the debug shows:
>
> --snip--
>     Framed-IP-Address = 255.255.255.254

Where is that attribute/value pair being added? If that is being set after your perl functions are processed, then it's possible the operator being used is allowing that attribute to be overwritten. Framed-IP-Address is not in the default FreeRADIUS config, so you've most likely added it somewhere and that is causing your problem.

Kevin Bonner
Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST
Hi,

Thanks for the suggestion. I added log_request_attributes; in the authorize function, and it already has sub log_request_attributes in the perl script. When I run FR in debug mode, the Aruba-Location-ID is present, but when I call $RAD_REQUEST{'Aruba-Location-Id'} from rlm_perl, it comes up empty.

> and logs (radiusd -X) from this too. :-)

alan