Setting up FreeRADIUS accounting with IP address logging

2012-04-14 Thread Johan Swetzén
Hi!

I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 
enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good 
solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. There 
are a few problems I cannot figure out though:

1. How to set up plain-text accounting.
I saw in the configuration that the log directory is set to 
/var/log/freeradius/radacct so I created the directory and made it writable (777 
to be sure) but alas, there are no logs.

2. How to get freeRADIUS to work with a DHCP server.
I'm not asking about the experimental built-in DHCP server, as it seems very 
limited, but is it possible to somehow log the IP addresses that each user is 
assigned? We need to know who was using a certain IP address at a certain time.

3. How to connect using Windows.
It's dead simple to connect to the network with linux, mac and smartphones but 
for Windows it seems impossible to find the right combination of settings. I 
haven't googled this issue so much, so maybe there's a simple answer. Also, 
it's a later problem.

Thankful for a response,

Johan

P.S. I have attached the radiusd.conf file at the end. I haven't changed much 
though.


Johan Swetzén
jo...@swetzen.com

radiusd.conf


 -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##  http://www.freeradius.org/
##  $Id$
##

##
#
#   Read man radiusd before editing this file.  See the section
#   titled DEBUGGING.  It outlines a method where you can quickly
#   obtain the configuration you want, without running into
#   trouble.
#
#   Run the server in debugging mode, and READ the output.
#
#   $ radiusd -X
#
#   We cannot emphasize this point strongly enough.  The vast
#   majority of problems can be solved by carefully reading the
#   debugging output, which includes warnings about common issues,
#   and suggestions for how they may be fixed.
#
#   There may be a lot of output, but look carefully for words like:
#   warning, error, reject, or failure.  The messages there
#   will usually be enough to guide you to a solution.
#
#   If you are going to ask a question on the mailing list, then
#   explain what you are trying to do, and include the output from
#   debugging mode (radiusd -X).  Failure to do so means that all
#   of the responses to your question will be people telling you
#   to post the output of radiusd -X.

##
#
#   The location of other config files and logfiles are declared
#   in this file.
#
#   Also general configuration for modules can be done in this
#   file, it is exported through the API to modules that ask for
#   it.
#
#   See man radiusd.conf for documentation on the format of this
#   file.  Note that the individual configuration items are NOT
#   documented in that man page.  They are only documented here,
#   in the comments.
#
#   As of 2.0.0, FreeRADIUS supports a simple processing language
#   in the authorize, authenticate, accounting, etc. sections.
#   See man unlang for details.
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#
#  name of the running server.  See also the -n command-line option.
name = freeradius

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#   ./configure 

Group Processing with MySQL

2012-04-14 Thread Andrew Long
This continues questions related to group processing not always working as
expected, in particular why group replies are not sent when the users are
members of groups for which there are replies in radgroupreply.

I should mention that Alan's response to my previous post a couple weeks ago
was simply to run the server in debug and look at the queries...this is what
I've done here (I hope).

The queries printed out when starting the server in debug show the correct
authorize_group_reply_query, but it never gets run during an auth request.

I began with 2.1.8 on CentOS 5.8 - and have now moved to a clean 2.1.12 (stock)
on CentOS 6.0. All are using a MySQL backend built from the schema by Mike
Machado. The only change to the tables is the addition of two fields to some
tables, 'notes' and 'expires'; none of the FreeRADIUS queries have been altered.

Any help with how to get this working?
Thank you
- Andrew Long

Here are the queries for the user's auth request:

[sql] sql_set_user escaped user -- 'memwg150412'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand:
SELECT id, username, attribute, value, op FROM radcheck WHERE username
= '%{SQL-User-Name}' ORDER BY id -
SELECT id, username, attribute, value, op FROM radcheck WHERE username
= 'memwg150412' ORDER BY id
rlm_sql_mysql: query:
SELECT id, username, attribute, value, op FROM radcheck WHERE username
= 'memwg150412' ORDER BY id
[sql] User found in radcheck table
[sql]   expand:
SELECT id, username, attribute, value, op FROM radreply WHERE username
= '%{SQL-User-Name}' ORDER BY id -
SELECT id, username, attribute, value, op FROM radreply WHERE username
= 'memwg150412' ORDER BY id
rlm_sql_mysql: query:
SELECT id, username, attribute, value, op FROM radreply WHERE username
= 'memwg150412' ORDER BY id
[sql]   expand:
SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}'
ORDER BY priority -
SELECT groupname FROM radusergroup WHERE username = 'memwg150412'
ORDER BY priority
rlm_sql_mysql: query:
SELECT groupname FROM radusergroup WHERE username = 'memwg150412'
ORDER BY priority
[sql]   expand:
SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE
groupname = '%{Sql-Group}' ORDER BY id -
SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE
groupname = 'wolfchase-guest-group' ORDER BY id
rlm_sql_mysql: query:
SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE
groupname = 'wolfchase-guest-group' ORDER BY id
rlm_sql (sql): Released sql socket id: 1

and here is the reply sent:

Sending Access-Accept of id 215 to 192.168.245.1 port 58639
Nomadix-Bw-Down := 768
Nomadix-Bw-Up := 256
Finished request 0.

The problem is that these attributes are from radreply based on the username,
and processing is not continuing to radgroupreply.

When I manually run:
'SELECT groupname FROM radusergroup WHERE username = 'memwg150412' ORDER BY priority;'
MySQL returns:
wolfchase-guest-group
and processing should continue to radgroupreply (where there are reply
attributes), but never does.

In sql.conf, we have read_groups = yes

So the question: why are groups not being processed and how can I fix this?

###
Below is a complete debug from this session:
###

FreeRADIUS Version 2.1.12, for host i686-redhat-linux-gnu, built on
Feb 22 2012 at 15:07:38
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file 

NTLM Auth Problem

2012-04-14 Thread Ali Majdzadeh
Hi

I'm using FreeRadius 2.1.12 with mschap and the ntlm_auth external execution
module as follows:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}

I want to run ntlm_auth from the command line, so I enabled auth_log to get the
challenge and response:

MS-CHAP-Challenge = 0x8f89ccd88332fd05b75cd39a9d08c296

MS-CHAP2-Response =
0x0100a6a4eb77926c3f1e7f78254b08f720a82a0c1f094749304c3d11cdc8376cbe4373de0d61c2823011

I'm running ntlm_auth from the command line with those parameters:

/usr/bin/ntlm_auth --request-nt-key --username=kimia-mo
 --challenge=8f89ccd88332fd05b75cd39a9d08c296
 --nt-response=0100a6a4eb77926c3f1e7f78254b08f720a82a0c1f094749304c3d11cdc8376cbe4373de0d61c2823011

And got the error:

hex decode of 8f89ccd88332fd05b75cd39a9d08c296 failed! (only got 16 bytes)

With radius -X, I saw that the challenge and response differ from those
I got in auth_log in the same session. So if I run ntlm_auth with the new values,
it's OK! What's wrong?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS time based authentication with MySQL

2012-04-14 Thread jomajo
Thanks guys,

but I got the same error with this in the pap module configuration:

pap {
auto_header = yes
}




Re: Setting up FreeRADIUS accounting with IP address logging

2012-04-14 Thread Matthew Newton
Hi Johan,

On Sat, Apr 14, 2012 at 12:06:54PM +0200, Johan Swetzén wrote:
 I'm setting up wifi internet in my student dorm (90 people) and
 thought wpa2 enterprise with FreeRADIUS (version 2.1.8 running
 on Ubuntu) would be a good solution, together with the
 incredibly stable Linksys WRT54GL and dd-wrt. There are a few
 problems I cannot figure out though:

2.1.8 is pretty old. You should really run the latest 2.1.12,
which fixes a number of bugs. It's easy to get running on
debian/ubuntu, as the freeradius source comes with debian
packaging stuff. See
http://wiki.freeradius.org/Build#Building+Debian+packages

However, what you're trying to do will work on 2.1.8.


 1. How to set up plain-text accounting.
 I saw in the configuration that the log directory is set to
 /var/log/freeradius/radacct so I created the directory and made it
 writable (777 to be sure) but alas, there are no logs.

The default config creates this directory and writes logs to it.
If you have broken the default config, then it won't work. My
guess is a permissions problem, or you've fiddled with the config
a lot and broken it, or the NAS is not sending accounting packets.

You need to run freeradius as 'freeradius -X' and read the debug
output to see what's happening. Look for the 'detail' lines. If
you see no accounting packets arrive, work out what's broken on
your NAS or network.

 2. How to get freeRADIUS to work with a DHCP server.
 I'm not asking about the experimental built-in DHCP server, as
 it seems very limited, but is it possible to somehow log the IP
 addresses that each user is assigned? We need to know who was
 using a certain IP address at a certain time.

a) see the answer to question 1.

b) The NAS should return the client's IP address in the
*accounting* packets, which you aren't currently getting, so you
won't see anything at the moment. The end-user's IP address, if
sent, should be in the Framed-IP-Address attribute. Their MAC
address should be in the accounting logs, and any auth logs, as
the Calling-Station-Id attribute.

 3. How to connect using Windows.
 It's dead simple to connect to the network with linux, mac and
 smartphones but for Windows it seems impossible to find the
 right combination of settings. I haven't googled this issue so
 much, so maybe there's a simple answer. Also, it's a later
 problem.

If you're using Active Directory:
http://wiki.freeradius.org/freeradius_active_directory_integration_howto

If not, see the same page especially
http://wiki.freeradius.org/freeradius_active_directory_integration_howto#Configuration+of+users
and the MS-CHAP-Use-NTLM-Auth := 0 bit.

In short, you need to use PEAP with MS-CHAPv2, or EAP-TLS
(certificates/PKI), if you're using Windows >= 7.

 P.S. I have attached the radiusd.conf file at the end. I haven't changed much 
 though.

That file is essentially useless; it's the whole config that
matters, and that's only a very small part. You need to send the
debug output from 'freeradius -X' next time.

Cheers

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
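As an added example (not part of Matthew's reply or of FreeRADIUS itself), here is how "who was using a certain IP address at a certain time" can be answered from the detail files rlm_detail writes under radacctdir: it parses the record format, folds Start/Interim-Update/Stop packets into sessions keyed by Acct-Session-Id, and looks up Framed-IP-Address and Calling-Station-Id at a given Unix time. The detail contents and all names in it are constructed sample data.

```python
# Constructed sample of a FreeRADIUS "detail" accounting file: one record per
# packet (date line, tab-indented "Attr = value" lines, blank line). Made-up data.
SAMPLE_DETAIL = """\
Sat Apr 14 12:06:54 2012
\tAcct-Session-Id = "4F896A1E-00000001"
\tUser-Name = "alice"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tFramed-IP-Address = 10.10.0.23
\tAcct-Status-Type = Start
\tTimestamp = 1334398014

Sat Apr 14 13:30:00 2012
\tAcct-Session-Id = "4F896A1E-00000001"
\tAcct-Status-Type = Stop
\tTimestamp = 1334403000

Sat Apr 14 14:00:00 2012
\tAcct-Session-Id = "4F896A1E-00000002"
\tUser-Name = "bob"
\tCalling-Station-Id = "66-77-88-99-AA-BB"
\tFramed-IP-Address = 10.10.0.23
\tAcct-Status-Type = Start
\tTimestamp = 1334404800
"""

def parse_detail(text):
    """Split a detail file into one dict of attributes per accounting record."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("\t") and current is not None and " = " in line:
            name, _, value = line.strip().partition(" = ")
            current[name] = value.strip('"')
        elif line.strip():  # non-indented, non-blank: the date line opening a record
            current = {"_date": line}
            records.append(current)
    return records

def build_sessions(records):
    """Fold Start/Interim-Update/Stop packets into one entry per Acct-Session-Id."""
    sessions = {}
    for r in records:
        sid = r.get("Acct-Session-Id")
        if not sid or "Timestamp" not in r:
            continue  # malformed record; a real tool should count and report these
        s = sessions.setdefault(sid, dict.fromkeys(("user", "mac", "ip", "start", "stop")))
        for key, attr in (("user", "User-Name"), ("mac", "Calling-Station-Id"),
                          ("ip", "Framed-IP-Address")):
            s[key] = r.get(attr, s[key])  # later packets may carry a new address
        ts = int(r["Timestamp"])  # receipt time written by rlm_detail
        if r.get("Acct-Status-Type") == "Stop":
            s["stop"] = ts
        elif s["start"] is None or ts < s["start"]:  # Start, or earliest Interim seen
            s["start"] = ts
    return sessions

def who_had_ip(sessions, ip, at_ts):
    """Sessions holding `ip` at Unix time `at_ts`; no Stop packet means still open."""
    hits = [(s["user"], s["mac"], sid) for sid, s in sessions.items()
            if s["ip"] == ip and s["start"] is not None
            and s["start"] <= at_ts < (s["stop"] or float("inf"))]
    return sorted(hits, key=lambda h: h[2])
```

A session whose Stop packet never arrived stays open forever here, so a lookup that returns two users for one address is itself a sign that accounting packets are being lost.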


Re: NTLM Auth Problem

2012-04-14 Thread Phil Mayers


With radius -X, I saw that the challenge and response differ from those
I got in auth_log in the same session. So if I run ntlm_auth with the new
values, it's OK! What's wrong?

FreeRADIUS processes the MSCHAPv2 challenge into a different format required by 
Samba. There's nothing wrong. This is expected.
-- 
Sent from my phone. Please excuse brevity and typos.
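As an added example (not part of Ali's post, Phil's reply, or the FreeRADIUS/Samba code), the conversion Phil refers to: for MS-CHAPv2, %{mschap:Challenge} is the 8-byte ChallengeHash of RFC 2759, computed from the peer challenge carried inside MS-CHAP2-Response, the 16-byte MS-CHAP-Challenge and the user name, which is why ntlm_auth rejects a 16-byte --challenge. The challenges and user name are the RFC 2759 test vectors, the response is constructed around them, and the helper names are this example's own.

```python
import hashlib


def _unhex(value: str) -> bytes:
    """Decode a hex attribute value as printed by FreeRADIUS, with or without 0x."""
    return bytes.fromhex(value[2:] if value[:2].lower() == "0x" else value)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759: SHA-1 over PeerChallenge || AuthenticatorChallenge
    || UserName (no domain prefix), truncated to 8 bytes. ntlm_auth expects this 8-byte
    value on --challenge, not the 16-byte MS-CHAP-Challenge that auth_log shows."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("utf-8")).digest()
    return digest[:8]


def split_mschap2_response(response: bytes) -> dict:
    """Field layout of the 50-byte MS-CHAP2-Response attribute value."""
    if len(response) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(response))
    return {"ident": response[0], "flags": response[1],
            "peer_challenge": response[2:18], "reserved": response[18:26],
            "nt_response": response[26:50]}


def ntlm_auth_args(username: str, mschap_challenge: str, mschap2_response: str) -> list:
    """Rebuild the ntlm_auth arguments from the two raw attributes an auth_log records,
    i.e. what %{mschap:Challenge} and %{mschap:NT-Response} expand to."""
    auth_challenge = _unhex(mschap_challenge)
    fields = split_mschap2_response(_unhex(mschap2_response))
    chal = challenge_hash(fields["peer_challenge"], auth_challenge, username)
    return ["--request-nt-key", "--username=" + username,
            "--challenge=" + chal.hex(), "--nt-response=" + fields["nt_response"].hex()]


# UserName and both challenges are the RFC 2759 section 9.2 test vectors; the
# NT-Response inside the constructed MS-CHAP2-Response is a zero placeholder,
# since ntlm_auth is not invoked here.
RFC_USERNAME = "User"
RFC_AUTH_CHALLENGE = "0x5B5D7C7D7B3F2F3E3C2C602132262628"
RFC_PEER_CHALLENGE = "21402324255E262A28295F2B3A337C7E"
CONSTRUCTED_RESPONSE = "0x0100" + RFC_PEER_CHALLENGE + "00" * 8 + "00" * 24

if __name__ == "__main__":
    print("/usr/bin/ntlm_auth " + " ".join(
        ntlm_auth_args(RFC_USERNAME, RFC_AUTH_CHALLENGE, CONSTRUCTED_RESPONSE)))
```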

Re: Setting up FreeRADIUS accounting with IP address logging

2012-04-14 Thread Fajar A. Nugraha
On Sat, Apr 14, 2012 at 5:06 PM, Johan Swetzén jo...@swetzen.com wrote:
 Hi!

 I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 
 enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good 
 solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. 
 There are a few problems I cannot figure out though:

 1. How to set up plain-text accounting.
 I saw in the configuration that the log directory is set to 
 /var/log/freeradius/radacct so I created the directory and made it writable (777 
 to be sure) but alas, there are no logs.

Your NAS needs to send accounting packets. IIRC dd-wrt does NOT send
accounting packets when used in 802.1x/WPA2-enterprise. chillispot,
however, DOES send accounting packets. So you either need to change
your NAS, or change your setup with dd-wrt to use captive portal with
chillispot.


 2. How to get freeRADIUS to work with a DHCP server.
 I'm not asking about the experimental built-in DHCP server, as it seems very 
 limited, but is it possible to somehow log the IP addresses that each user is 
 assigned? We need to know who was using a certain IP address at a certain 
 time.


The easiest way? Use v2.1.x branch from git, activate its DHCP server,
and use dhcp_sqlippool, which would use DB to hand out IP addresses :)

AFAIK some NAS (e.g. mikrotik:
http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server ) can ask a radius
server for IP address (in standard framed-ip-address attribute), and
hand it to DHCP clients. But since you say you use dd-wrt, it might
not apply to you.

 3. How to connect using Windows.
 It's dead simple to connect to the network with linux, mac and smartphones 
 but for Windows it seems impossible to find the right combination of 
 settings. I haven't googled this issue so much, so maybe there's a simple 
 answer. Also, it's a later problem.

If you use captive portal setup, it's easy.
If you use 802.1x, you probably need to make sure that FR tries
PEAP-MSCHAP first (e.g. by changing the default EAP type in eap.conf?)

-- 
Fajar


Building with 32-bit Module on 64-bit Machine

2012-04-14 Thread Eric Geier
I can't find a 64-bit version of the experimental module I want to include
when manually building FR, but I want to run on a 64-bit machine. Is this
possible? Maybe I could force it to configure and make FR in 32-bit mode?
But would it then be a pain to install the 32-bit versions of all the FR
dependencies?

Thanks for your help, Eric



Re: Building with 32-bit Module on 64-bit Machine

2012-04-14 Thread Fajar A. Nugraha
On Sun, Apr 15, 2012 at 11:05 AM, Eric Geier m...@egeier.com wrote:
 I can't find a 64-bit version of the experimental module

FR (from freeradius.org) is distributed as source. There's no 64-bit
version of the experimental module in the source. You can build it as
either 32 or 64bit.

If you use a binary package, you should ask its maintainer directly.

 I want to include
 when manually building FR, but I want to run on a 64-bit machine. Is this
 possible?

I don't see why not. As long as you also have the necessary 64bit
dependencies (e.g. 64bit ruby is needed to build 64bit FR + rlm_ruby)

 Maybe I could force it to configure and make FR in 32-bit mode?
 But would it then be a pain to install the 32-bit versions of all the FR
 dependencies?

There are lots of experimental modules. Which one do you want? You
might be able to find prebuilt binaries already.

For example, if you use Ubuntu/debian, see
http://wiki.1tux.org/wiki/Freeradius/Installation/Ubuntu-Debian
If you use RHEL/Centos/fedora, it should have rlm_wimax included in
official package even if it's officially marked as experimental.

-- 
Fajar