Dear all,

As the subject, I need the log that I said in the subject. Help me please...!
----- Original Message -----
From: [email protected]
To: [email protected]
Sent: Thursday, 14 May, 2009 5:33:33 PM GMT +07:00 Bangkok, Hanoi, Jakarta
Subject: Freeradius-Users Digest, Vol 49, Issue 53

Send Freeradius-Users mailing list submissions to
	[email protected]

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
	[email protected]

You can reach the person managing the list at
	[email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."

Today's Topics:

   1. Release 2.1.6 will be on Monday (Alan DeKok)
   2. Re: rlm_perl to authenticate against data in ldap (Ivan Kalik)
   3. question about windows users (Bartosz Chodzinski)

----------------------------------------------------------------------

Message: 1
Date: Thu, 14 May 2009 12:12:57 +0200
From: Alan DeKok <[email protected]>
Subject: Release 2.1.6 will be on Monday
To: FreeRadius users mailing list <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1

  Unless any last-minute panics come up.

  The release candidate is available on:

	http://git.freeradius.org/pre/

  If there are no other comments, that "tar" file will become the
official 2.1.6 release.

  Alan DeKok.
------------------------------

Message: 2
Date: Thu, 14 May 2009 11:33:05 +0100 (BST)
From: "Ivan Kalik" <[email protected]>
Subject: Re: rlm_perl to authenticate against data in ldap
To: "FreeRadius users mailing list" <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain;charset=utf-8

> I browsed the mailing list for possible solutions to the problem I have
> but unfortunately I didn't find any (or something I missed I dunno)
>
> We have this Cisco ISG 7301 router that we are using that are passing the
> Remote-ID av pair as its User-Name (just a copy not that it matters)
> Now, the remote ID format is ascii in format but hexadecimal in meaning
> 0000079d010100660000000000000000000050544e55544147303033000705000064
>
> We would only want to authenticate the part after the 20 zeroes
> "50544e55544147303033000705000064". By the way the length before this
> substring is always fixed (18 bytes) so we only want the part after 18
> bytes.
>
> is it possible to parse this string in perl then passing the result string
> to ldap for authentication?

Yes, it will be passed as $RAD_REQUEST{'User-Name'}. Rewrite the username
to what you think it should be in perl. Just list perl before ldap in
authorize.

Ivan Kalik
Kalik Informatika ISP

------------------------------

Message: 3
Date: Thu, 14 May 2009 12:33:24 +0200
From: Bartosz Chodzinski <[email protected]>
Subject: question about windows users
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

I have freeradius with eap support on debian etch, radius v1.1.3.
"Everything" is working fine, but I'd like to have a much simpler
configuration, only by certificate and nothing more, so I have a few
questions:

1. fragment of my log first, before the question

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182, length=159
	NAS-IP-Address = 192.168.5.206
	NAS-Port = 50046
	NAS-Port-Type = Ethernet
	User-Name = "PC-01\\Administrator"
	Called-Station-Id = "00-0C-30-81-9B-EE"
	Calling-Station-Id = "00-0A-E4-13-1A-02"
	Service-Type = Framed-User
	Framed-MTU = 1500
	EAP-Message = 0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72
	Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0

my users file contains:

"PC-01\\Administrator" User-Password == "passwd"

How can I avoid this value PC-01? It's really annoying; I would like to
have only the real user. PC-01 is "my computer -> properties -> computer
name -> full computer name". I would like to have only the username (no
matter the case sensitivity), sth like:

"administrator" User-Password == "passwd"

2. I would like to use only the certificate to check whether or not some
computer should have a network connection. I don't care about login or
password; if the client has a valid cacert.pem installed on the PC
(Windows XP) it should be granted access to the network. Is it possible to
do that? I tried to do sth like:

users:
DEFAULT Auth-Type := Accept

but it didn't work. The perfect way for me is the possibility to set up
something in radiusd.conf and leave the users file empty.

3. When I read the log from freeradius -X I see that one PC needs to have
7 requests in freeradius and in the 8th request it is accepted, is it ok?

modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 193 to 192.168.5.206 port 1812
	MS-MPPE-Recv-Key = 0xc349694508a365a56e56e085069e36270cb13b60c3cc7847129b2386a7062dde
	MS-MPPE-Send-Key = 0xf93f6de4f455056df7f1d88aa3d12a26cd1a71994fdf6c31bb726612eaf2f038
	EAP-Message = 0x03080004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "PC-01\\Administrator"
Finished request 8

-----------------------------------------------
my configuration files:

eap.conf

eap {
	default_eap_type = peap
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	md5 {
	}
	leap {
	}
	gtc {
		auth_type = PAP
	}
	tls {
		private_key_file = /etc/freeradius/eap/newkey.pem
		certificate_file = /etc/freeradius/eap/newcert.pem
		CA_file = /etc/freeradius/eap/eapCA/cacert.pem
		dh_file = /etc/freeradius/eap/dh
		random_file = /etc/freeradius/eap/random
		fragment_size = 1024
		include_length = yes
		check_crl = no
	}
	peap {
		default_eap_type = mschapv2
	}
	mschapv2 {
	}
}

radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
modules {
	pap {
		encryption_scheme = crypt
	}
	chap {
		authtype = CHAP
	}
	pam {
		pam_auth = radiusd
	}
	unix {
		cache = no
		cache_reload = 600
		shadow = /etc/shadow
		radwtmp = ${logdir}/radwtmp
	}
	$INCLUDE ${confdir}/eap.conf
	mschap {
		authtype = MS-CHAP
		use_mppe = yes
		require_encryption = yes
		require_strong = yes
		with_ntdomain_hack = yes
	}
	ldap {
		server = "ldap.your.domain"
		basedn = "o=My Org,c=UA"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		start_tls = no
		access_attr = "dialupAccess"
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
		timeout = 4
		timelimit = 3
		net_timeout = 1
	}
	realm IPASS {
		format = prefix
		delimiter = "/"
		ignore_default = no
		ignore_null = no
	}
	realm suffix {
		format = suffix
		delimiter = "@"
		ignore_default = no
		ignore_null = no
	}
	realm realmpercent {
		format = suffix
		delimiter = "%"
		ignore_default = no
		ignore_null = no
	}
	realm ntdomain {
		format = prefix
		delimiter = "\\"
		ignore_default = no
		ignore_null = no
	}
	checkval {
		item-name = Calling-Station-Id
		check-name = Calling-Station-Id
		data-type = string
	}
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		preproxy_usersfile = ${confdir}/preproxy_users
		compat = no
	}
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}
	$INCLUDE ${confdir}/sql.conf
	radutmp {
		filename = ${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes
		perm = 0600
		callerid = "yes"
	}
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}
	attr_filter {
		attrsfile = ${confdir}/attrs
	}
	counter daily {
		filename = ${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
	sqlcounter dailycounter {
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		sqlmod-inst = sql
		key = User-Name
		reset = daily
		query = "SELECT SUM(AcctSessionTime - \
		 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
		 FROM radacct WHERE UserName='%{%k}' AND \
		 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
	}
	sqlcounter monthlycounter {
		counter-name = Monthly-Session-Time
		check-name = Max-Monthly-Session
		sqlmod-inst = sql
		key = User-Name
		reset = monthly
		query = "SELECT SUM(AcctSessionTime - \
		 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
		 FROM radacct WHERE UserName='%{%k}' AND \
		 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
	}
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
	expr {
	}
	digest {
	}
	exec {
		wait = yes
		input_pairs = request
	}
	exec echo {
		wait = yes
		program = "/bin/echo %{User-Name}"
		input_pairs = request
		output_pairs = reply
	}
	ippool main_pool {
		range-start = 192.168.1.1
		range-stop = 192.168.3.254
		netmask = 255.255.255.0
		cache-size = 800
		session-db = ${raddbdir}/db.ippool
		ip-index = ${raddbdir}/db.ipindex
		override = no
		maximum-timeout = 0
	}
}
instantiate {
	exec
	expr
}
authorize {
	preprocess
	mschap
	suffix
	eap
	files
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	unix
	eap
}
preacct {
	preprocess
	acct_unique
	suffix
	files
}
accounting {
	detail
	unix
	radutmp
}
session {
	radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
	eap
}

------------------------------

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

End of Freeradius-Users Digest, Vol 49, Issue 53
************************************************
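For the Cisco ISG Remote-ID question in message 2 above, this is an added example (not code from the list or from the FreeRADIUS project) of the rlm_perl authorize() rewrite Ivan Kalik suggests. It assumes the FreeRADIUS 2.x rlm_perl conventions (the %RAD_REQUEST hash and the return-code values from the shipped example.pl), the fixed 18-byte prefix the poster states, and a hypothetical helper name strip_remote_id_prefix; usernames that do not look like a hex Remote-ID are left untouched so ordinary users still reach ldap unchanged.

```perl
use strict;
use warnings;

# Return codes rlm_perl expects (values match FreeRADIUS's shipped example.pl).
use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

# Hashes rlm_perl populates before calling authorize(); declared here so the
# script also compiles stand-alone under 'use strict'.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# The poster says the prefix is always 18 bytes, i.e. 36 hex characters.
use constant PREFIX_HEX_CHARS => 36;

# Pure helper (hypothetical name) so the rewrite can be checked without the server.
# Returns the part after the prefix, or undef when the value is not a plausible
# hex Remote-ID (non-hex characters, odd length, or nothing after the prefix).
sub strip_remote_id_prefix {
    my ($name) = @_;
    return unless defined $name;
    return unless $name =~ /^[0-9a-fA-F]+$/;
    return if length($name) % 2;
    return unless length($name) > PREFIX_HEX_CHARS;
    return substr($name, PREFIX_HEX_CHARS);
}

# Called by rlm_perl when 'perl' is listed before 'ldap' in authorize.
sub authorize {
    my $stripped = strip_remote_id_prefix($RAD_REQUEST{'User-Name'});
    return RLM_MODULE_NOOP unless defined $stripped;   # ordinary username: leave it alone
    $RAD_REQUEST{'User-Name'} = $stripped;            # ldap now sees the rewritten name
    return RLM_MODULE_UPDATED;
}

# Stand-alone self-check using the value quoted in the post.
if (!caller) {
    my $out = strip_remote_id_prefix(
        '0000079d010100660000000000000000000050544e55544147303033000705000064');
    die 'unexpected: ' . (defined $out ? $out : '<undef>')
        unless defined $out && $out eq '50544e55544147303033000705000064';
    print "rewritten User-Name: $out\n";
}
1;
```

Because ldap's filter uses %{Stripped-User-Name:-%{User-Name}}, the rewritten User-Name is what the uid lookup receives.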

