Re: FW: customized format of log file

2012-10-12 Thread Stefan Winter
Hi,

 I'm deploying a WiFi proxy center with FreeRADIUS now, therefore I need
 detailed auth/acct log records for statistical purposes.

 The default format of the detail log cannot satisfy my goal, so is
 there any way to define my own customized format for the auth/acct log file?

 For example, for auth, I could write the value AA when receiving an
 Access-Accept and AJ for an Access-Reject into the log file.

 Another question: how do I use tab as the delimiter for logging instead of
 the default ":"?

 In general, my question is:
 Can any of the modules process the content of packets *without replacing
 and updating the original attribute value* by regex or unlang before the
 logging output? Just for logging purposes. Or is it necessary to use Perl?

See modules/linelog.

Stefan


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: customized format of log file

2012-10-12 Thread Alan Buxey
Look at the linelog module and be thankful for having the ability to do such 
things with Freeradius...what would you do if you only had eg NPS?

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.


Privileges cisco-avpair = shell:priv-lvl=10 doesn't work

2012-10-12 Thread Ruben Blendeman
Hi,

I want to assign different privileges to users; these are my users:

admin	Cleartext-Password := "admin"
	cisco-avpair = "shell:priv-lvl=15"

user1	Cleartext-Password := "user1"
	cisco-avpair = "shell:priv-lvl=10"

user2	Cleartext-Password := "user2"
	cisco-avpair = "shell:priv-lvl=11"


But if I configure a privilege on my Cisco switch at level 10, all my users
have the same rights.
If I debug on my switch, my user1 is not in priv lvl 10.
Any idea how to fix it?

Grtz,
Ruben

RE: Query help

2012-10-12 Thread Jonathan Bastin
The issue with doing it that way is that you would get decimal values returned, which
FreeRADIUS can't deal with.

I am posting a bounty of $200 to someone who writes this in Perl and shows
instructions on how to install it. It must update the reply with a Cisco AV pair
and be able to work with large values.

-----Original Message-----
From: freeradius-users-bounces+jonathan.bastin=peerpointinternet.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+jonathan.bastin=peerpointinternet.co.uk@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: 10 October 2012 16:04
To: freeradius-users@lists.freeradius.org
Subject: Re: Query help

On 10/10/12 15:25, Jonathan Bastin wrote:

 To me it looks like the value is wrapping. Is this because even
 the interpreter in the site config file is 32-bit only? If this is the
 case I presume my only resort is perl. If this is the case could
 someone help me convert this?

You could divide by some large factor inside the SQL database, which is
likely using 64-bit or arbitrary precision internally.

e.g.

select sum() / 100

select quota / 100

...to convert to megabytes, and then compare like that.

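The advice Phil Mayers gives above (do the big-number arithmetic in the database, then compare small numbers in unlang) carried into a worked authorize section. This is an added example written for this page, not configuration from the thread or from the FreeRADIUS distribution. It assumes the stock FreeRADIUS 2.x MySQL schema (radacct with 64-bit acctinputoctets/acctoutputoctets) and a hypothetical table userquota(username, quota_mb) that does not appear on the page; the attribute names Tmp-Integer-0/1 and SQL-User-Name are real 2.x dictionary entries, MySQL's DIV operator is MySQL-specific.

```conf
#  Added example, not from the thread.  Goes in the authorize section of
#  sites-enabled/default.  "sql" must run first (it sets SQL-User-Name),
#  and must also be listed in instantiate { } if you ever remove it from
#  authorize, so that the %{sql:...} xlat stays available.
authorize {
	preprocess
	sql

	#  Sum this user's traffic inside MySQL, which does the SUM in 64-bit,
	#  and scale it to MiB with integer division (DIV) before it ever
	#  reaches unlang.  COALESCE turns "no rows" into 0 rather than an
	#  empty string, which would not parse as an integer.
	#
	#  The %{...} expansions inside %{sql:...} are passed through the sql
	#  module's escape function, so a hostile User-Name cannot break out
	#  of the quoted literal.  Hypothetical table: userquota(username, quota_mb).
	update request {
		Tmp-Integer-0 := "%{sql:SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets) DIV 1048576, 0) FROM radacct WHERE username = '%{SQL-User-Name}'}"
		Tmp-Integer-1 := "%{sql:SELECT COALESCE(MAX(quota_mb), 0) FROM userquota WHERE username = '%{SQL-User-Name}'}"
	}

	#  Both sides are now small integers (MiB), far below the 32-bit
	#  limit of the 2.x condition evaluator.  quota_mb = 0 means "no quota".
	if ((Tmp-Integer-1 > 0) && (Tmp-Integer-0 >= "%{Tmp-Integer-1}")) {
		update reply {
			Reply-Message := "Quota exceeded: %{Tmp-Integer-0} MiB of %{Tmp-Integer-1} MiB used"
		}
		reject
	}

	eap
	pap
}
```

Failure mode worth knowing: if the database is unreachable the sql xlat expands to an empty string, the update cannot parse it as an integer, the update fails and the request is rejected. That is fail-closed, which is usually what you want for a quota check; if you would rather fail open, test `%{sql:...}` for an empty result before the update instead. Check the expansions with `radiusd -X` and a `radtest` run before relying on it.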


Re: Privileges cisco-avpair = shell:priv-lvl=10 doesn't work

2012-10-12 Thread Øystein Gyland
On Fri, 2012-10-12 at 09:13 +0200, Ruben Blendeman wrote:

Have you seen the Wiki? 
http://wiki.freeradius.org/vendor/Cisco#Shell-Access

You're not sending a Service-Type attribute to the switch, according
to Cisco[0], it's required to send the shell:priv-lvl= attribute with
a corresponding Service-Type attribute. (It might work on later
versions of IOS without the latter attribute though).

[0]
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080178a51.shtml




-- 
Øystein Gyland


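The users-file layout the wiki page above describes, written out as an added example for this page (my own entries, not Ruben's file and not anything from the FreeRADIUS distribution). The passwords are placeholders, and the attribute names are the ones in the stock dictionary: Service-Type = NAS-Prompt-User tells IOS the session is an exec shell, and the Cisco-AVPair then sets the starting privilege level.

```conf
#  Added example, not from the thread: raddb/users entries for Cisco
#  shell access.  Reply items are indented, comma-separated, last one
#  without a comma.  Replace the placeholder passwords.

admin	Cleartext-Password := "admin-placeholder"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=15"

user1	Cleartext-Password := "user1-placeholder"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=10"

user2	Cleartext-Password := "user2-placeholder"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=11"
```

Two things to verify before blaming the RADIUS side. First, `radtest user1 user1-placeholder 127.0.0.1 0 testing123` (with a matching localhost client) should print an Access-Accept carrying both Service-Type and Cisco-AVPair; if one is missing, the users file is the problem. Second, the switch only honours the AV pair when exec authorization is delegated to RADIUS (`aaa authorization exec default group radius local` on IOS); without that, every user lands at the default level regardless of what the server sends, which matches the symptom in the original post. Keep the password material out of version control and world-readable paths: the users file holds cleartext credentials.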


RE: customized format of log file

2012-10-12 Thread Chuang Okis



Thanks Alan and Stefan, first of all.
I've studied linelog before and tried to figure out how to output the complete
auth/acct content in the format I want with it. However, I'm not sure if linelog
can record multiple lines at one time, because I need to output this log file
almost the same as detail.log. It seems it can only read one reference in a
single linelog module, right?
Or can I reach my goal by implementing several instances of linelog corresponding
to multiple attributes in auth/acct requests?
--Below is the example--
reference = %{%{Packet-Type}:-format}
Access-Request   ==> Packet-Type: AR
Access-Reject    ==> Packet-Type: AJ
Access-Accept    ==> Packet-Type: AA
Access-Challenge ==> Packet-Type: AC
---
It can output the first column (Packet-Type) of my customized authlog
correctly, but what if I need to output other columns in the same file?
Another question: how do I use tab as the delimiter to separate values in the
linelog file?
I am new to FreeRADIUS, big thanks for all your kind replies!
Best Regards,
Okis

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis

Hi Alan,

Alan DeKok schrieb:

Freeradius. Using Linux I can send whatever I want as the loginname.



  If you know you can change the client, than change the client.
  


This is exactly what I want to do! Change the login name the client
sends to the authenticator. It's a Windows 802.1X question, not a
question of how to configure FR. FR does everything right. But most FR
people here have more knowledge about Windows 802.1X than the Windows
people in a Windows group/list.


bye
Alex



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis

Hi Phil,

Phil Mayers schrieb:

I don't understand - you're saying that, for windows clients:

 1. On wi-fi they send host/name.domain.com
 2. On LAN, they send... something else?

Are you sure? We don't see that.


Exactly. On wifi they send

hostname

on LAN they send:

host/hostname

hostname is the Windows hostname from the system settings.

bye
Alex



Re: customized format of log file

2012-10-12 Thread Phil Mayers

On 10/12/2012 09:46 AM, Chuang Okis wrote:


It can output the first column Packet-Type of my customized authlog
correctly, but what if I need to output other columns in the same file?


Add them to the format.

I don't think you have understood how the linelog modules works. Please 
read the sample config again.




Another question, how to use tab as delimiter to separate values in
linelog file?


format = %{var1}\t%{var2}\t%{var3}
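Putting Stefan's pointer, Phil's "add them to the format" and the `\t` delimiter together, here is a complete linelog setup that does what the original post asked for: one tab-separated file for authentication outcomes keyed on the reply code, and one for accounting keyed on Acct-Status-Type. This is an added example written for this page, not configuration from the thread or from the FreeRADIUS distribution; the instance names auth_tsv and acct_tsv, the file names and the column choices are my own, while the options used (filename, permissions, reference, messages) are the ones the stock modules/linelog sample documents for 2.x.

```conf
#  Added example, not from the thread.  raddb/modules/linelog, FreeRADIUS 2.x.
#  Two instances: one line per authentication result, one per accounting
#  packet.  Each call writes exactly one line; every column you want has
#  to be in the format string for that packet type.

linelog auth_tsv {
	filename = ${logdir}/auth.tsv
	#  Lines carry user names and MAC addresses; keep the file private.
	permissions = 0600

	#  Pick the format from the *reply* code, so accepts and rejects get
	#  different lines when called from post-auth.  No match -> "default".
	reference = "messages.%{%{reply:Packet-Type}:-default}"

	messages {
		#  Columns: code, unix time, user, calling station, NAS, detail
		default          = "??\t%l\t%{reply:Packet-Type}\t%{User-Name}"
		Access-Accept    = "AA\t%l\t%{User-Name}\t%{Calling-Station-Id}\t%{NAS-IP-Address}\t%{reply:Tunnel-Private-Group-Id}"
		Access-Reject    = "AJ\t%l\t%{User-Name}\t%{Calling-Station-Id}\t%{NAS-IP-Address}\t%{Module-Failure-Message}"
		Access-Challenge = "AC\t%l\t%{User-Name}\t%{Calling-Station-Id}\t%{NAS-IP-Address}\t%{EAP-Type}"
	}
}

linelog acct_tsv {
	filename = ${logdir}/acct.tsv
	permissions = 0600

	#  In accounting the packet type is always Accounting-Request, so key
	#  on Acct-Status-Type instead.
	reference = "messages.%{%{Acct-Status-Type}:-default}"

	messages {
		default        = "??\t%l\t%{Acct-Status-Type}\t%{User-Name}\t%{Acct-Session-Id}"
		Start          = "START\t%l\t%{User-Name}\t%{Acct-Session-Id}\t%{Calling-Station-Id}\t%{NAS-IP-Address}\t%{Framed-IP-Address}"
		Interim-Update = "UPD\t%l\t%{User-Name}\t%{Acct-Session-Id}\t%{Acct-Session-Time}\t%{Acct-Input-Octets}\t%{Acct-Output-Octets}"
		Stop           = "STOP\t%l\t%{User-Name}\t%{Acct-Session-Id}\t%{Acct-Session-Time}\t%{Acct-Input-Octets}\t%{Acct-Output-Octets}\t%{Acct-Terminate-Cause}"
	}
}

#  Then in sites-enabled/default.  Rejects do not run the normal post-auth
#  list, so the instance is called from the REJECT sub-section as well.
#
#  post-auth {
#  	auth_tsv
#  	Post-Auth-Type REJECT {
#  		auth_tsv
#  	}
#  }
#
#  accounting {
#  	acct_tsv
#  }
```

Two practical notes. The `\t` escapes are processed by the config parser when the string is double-quoted, so quote every format string. And because User-Name and Calling-Station-Id come straight from the client, a value containing a tab or newline could otherwise forge extra columns or lines in a file you later parse; linelog escapes control characters in expanded attribute values, so that does not happen, but confirm it on your version by sending a crafted User-Name with radtest and checking the written line in `radiusd -X` output before you trust the file as a data source.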


Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers

On 10/12/2012 09:55 AM, Alexandros Gougousoudis wrote:

To repeat: I don't see that behaviour. In my observation, windows sends 
host/ on both wired and wireless. Are you sure you aren't mangling the 
hostnames somehow?



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread alan buxey
Hi,

 Phil Mayers schrieb:
 I don't understand - you're saying that, for windows clients:
 
  1. On wi-fi they send host/name.domain.com
  2. On LAN, they send... something else?
 
 Are you sure? We don't see that.

i agree

 Exactly. On wifi they send
 
 hostname
 
 on LAN they send:
 
 host/hostname
 
 hostname is the Windowshostname from the systemsettings.

we don't see that. we see

host/machinename.domain

on both wired and wireless


alan


Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers

On 10/12/2012 09:59 AM, Alexandros Gougousoudis wrote:

We don't see that behaviour. We consistently see host/. Check you 
aren't mangling the hostnames in your FreeRADIUS config.



rlm_sql: can I avoid queries on radcheck?

2012-10-12 Thread Stefano Zanmarchi
Hi,
we're using rlm_sql to perform authorization based on a couple of SQL
tables ('eduroam_diritto_uso' and 'eduroam_mac_registrati'); it's working fine.
Now the mysql logs show that radiusd is still performing queries on
radcheck and radgroupcheck.
Can I avoid this (since these tables are empty, we're not using them)?
I know this is nothing vital, but if it's easily done...
I've managed to avoid queries on radgroupcheck by commenting out the
group_membership_query in dialup.conf.
I thought that I could now comment out the authorize_check_query to
avoid queries on radcheck, but no, I get an error:
[sql]   expand:  -
[sql] Error generating query; rejecting user

Thanks a lot in advance,
Stefano


authorize {
preprocess
rewrite.calling_station_id
sql
if (%{sql:SELECT count(*) FROM eduroam_mac_registrati AS m,
eduroam_diritto_uso AS d WHERE m.username = d.username AND
m.mac='%{Calling-Station-Id}' and d.diritto='S'} == 1){
ok
  update control {
 Auth-Type := Accept
  }
}
else {
  reject
}

auth_log
eap
openldap
mschap
}


Re: rlm_sql: can I avoid queries on radcheck?

2012-10-12 Thread Phil Mayers

On 12/10/12 12:15, Stefano Zanmarchi wrote:

Hi,
we're using rlm_sql to perform authorization based on a couple of sql
tables ('eduroam_diritto_uso'
and  'eduroam_mac_registrati') , it's working fine.
Now mysql logs show that radiusd is still performing queries on
radcheck, radgroupcheck.
Can I avoid this (since these tables are empty so we're not using them)?


If you don't want to run the sql queries, just remove the sql module 
from the authorize section.



I know this is nothing vital, but if it's easy done...
I've managed to avoid queries on  radgroupcheck commenting out the
group_membership_query
in dalup.conf.
I thought that I could now comment out the authorize_check_query to
avoid queries radchek,
but no, I get an error:
[sql]   expand:  -
[sql] Error generating query; rejecting user

Thanks a lot in advance,
Stefano


authorize {
 preprocess
 rewrite.calling_station_id
 sql


Just remove the line above. You might need to add sql to the 
instantiate { } section, to ensure the module is loaded and available 
for the XLAT you use below.



 if (%{sql:SELECT count(*) FROM eduroam_mac_registrati AS m,
eduroam_diritto_uso AS d WHERE m.username = d.username AND
m.mac='%{Calling-Station-Id}' and d.diritto='S'} == 1){
 ok
   update control {
  Auth-Type := Accept
   }
 }
 else {
   reject
 }

 auth_log
 eap
 openldap
 mschap
}


Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis

Hi,

Phil Mayers schrieb:
We don't see that behaviour. We consistently see host/. Check you 
aren't mangling the hostnames in your FreeRADIUS config.


Strange, but thanks for looking. We're not mangling anything in FR.
That's what I see, running FR in debug mode. Maybe because we're running
on an NT4 Samba domain and are not using AD? Since XP SP3 we establish
machine auth via exporting, text-editing and importing the profile XML of
the specific LAN interface; we're authenticating using EAP-TLS, and the CN of
the cert is the hostname. Machine auth via WLAN is done by a
registry change. OK, I'll keep looking.


bye
Alex



Re: rlm_sql: can I avoid queries on radcheck?

2012-10-12 Thread Stefano Zanmarchi
Exactly what I needed.
Just one more thing. Why does the mysql log show that the query
performed with XLAT
is now performed 3 times in a row per access request?
Thank you,
Stefano

[output from mysql:]
121012 14:20:39 394 Query   SELECT count(*) FROM
eduroam_mac_registrati AS m, eduroam_diritto_uso AS d WHERE m.username
= d.username AND m.mac='98-4b-4a-f5-bf-41' and d.diritto='S'
393 Query   SELECT count(*) FROM eduroam_mac_registrati 
AS
m, eduroam_diritto_uso AS d WHERE m.username = d.username AND
m.mac='98-4b-4a-f5-bf-41' and d.diritto='S'
392 Query   SELECT count(*) FROM eduroam_mac_registrati 
AS
m, eduroam_diritto_uso AS d WHERE m.username = d.username AND
m.mac='98-4b-4a-f5-bf-41' and d.diritto='S'


Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread David Mitton
The behavior _is_ configurable, but as you have observed for your  
particular network, the default is not to attempt machine auth.   It  
is configurable on a per-network connection basis, I'm getting fuzzy  
on if it's adapter or SSID based.


If the OP is observing such behavior, he needs to figure out why (what  
turned it on, is it consistent or the same for all users) and work  
with that.


Dave.



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis

Hi David,

David Mitton schrieb:
If the OP is observing such behavior, he needs to figure out why (what 
turned it on, is it consistent or the same for all users) and work 
with that.


It is consistent for all machines in the network. To figure out why this
happened is exactly what I want to do. But I need a good point to start.
At least in MS TechNet there is no usable information about that behaviour.
But, as always, it depends also on the kind of question. Maybe I used
the wrong keywords for the search. At the moment I can't see any light
at the end of the tunnel.


Bye
Alex



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers

On 12/10/12 13:48, David Mitton wrote:

The behavior _is_ configurable, but as you have observed for your
particular network, the default is not to attempt machine auth.   It is
configurable on a per-network connection basis, I'm getting fuzzy on if
it's adapter or SSID based.


No, you've misunderstood the point I'm making.

I am aware that machine and user auth are configurable (FYI, it's 
per-adapter on LAN, per SSID on wireless).


The issue the OP seems to be facing is that, when *doing* machine auth, 
he gets different format names on wired versus wireless.


Windows doesn't do that, so either his RADIUS config or Wi-Fi network is 
mangling them.



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers

On 12/10/12 13:59, Alexandros Gougousoudis wrote:


It's interesting that the problem occurs on your wireless network.

Is it possible your wireless networking equipment is mangling the 
hostnames? Which vendor are you using?


Have you verified that you really are receiving hostname instead of 
host/hostname? Verified with a reliable tool i.e. tcpdump on the 
RADIUS server?



Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis

Phil Mayers schrieb:
Is it possible your wireless networking equipment is mangling the 
hostnames? Which vendor are you using?


Mhh, I can check that again; it's an old Linksys AP. I'll see if that
happens also with the other, more professional hardware we have.
Have you verified that you really are receiving hostname instead of 
host/hostname? Verified with a reliable tool i.e. tcpdump on the 
RADIUS server?

No, I just took the debug mode from FR.

But it's good to know that the normal behaviour of Windows is to use a
unique login name for all kinds of machine-based auth.


Bye
Alex



Re: rlm_sql: can I avoid queries on radcheck?

2012-10-12 Thread Arran Cudbard-Bell

On 12 Oct 2012, at 13:23, Stefano Zanmarchi zanmar...@gmail.com wrote:

Sent pull request to fixup that code a bit. The authorize query will now just 
go ahead and run the reply query and the rest of the queries if 
authorize_check_query is null.

There are still some advantages to using the proper reply table and the sql 
module (adding multiple reply attributes for example).

-Arran


FreedRadius mysql Redhat 6.3 missing?

2012-10-12 Thread Mike Diggins
I installed the RedHat 6.3 freeradius-2.1.12-4.el6_3.x86_64 rpm earlier,
not realizing it didn't include mysql. However, I don't see a mysql
version available. Is there one that is updated by RedHat?

-Mike



Re: FreedRadius mysql Redhat 6.3 missing?

2012-10-12 Thread John Dennis

On 10/12/2012 11:37 AM, Mike Diggins wrote:

I installed the RedHat 6.3 freeradius-2.1.12-4.el6_3.x86_64 rpm earlier,
not realizing it didn't include mysql. However, I don't see a mysql
version available. Is there one that is updated by RedHat?


$ yum info freeradius\* | grep Name
Name: freeradius
Name: freeradius-debuginfo
Name: freeradius-krb5
Name: freeradius-ldap
Name: freeradius-mysql
Name: freeradius-perl
Name: freeradius-postgresql
Name: freeradius-python
Name: freeradius-unixODBC
Name: freeradius-utils


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: FreedRadius mysql Redhat 6.3 missing?

2012-10-12 Thread Mike Diggins
That's odd, why am I only seeing freeradius?

# yum info freeradius\* | grep Name
Unable to read consumer identity
Name: freeradius

-Mike





Re: FreedRadius mysql Redhat 6.3 missing?

2012-10-12 Thread Francois Gaudreault

On 2012-10-12 1:22 PM, Mike Diggins wrote:

Unable to read consumer identity

Because your RHN stuff appears to be broken.

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
