RE: SQL log accounting and post_auth

2008-04-17 Thread Guillaume Chartrand

Hi,

 And changed the insert line to this line:
 postauth_query = INSERT INTO ${postauth_table} (username, pass, reply) VALUES ('%{User-Name}','%{%{User-Password}:-%{Chap-Password}}','%{reply:Packet-Type}')

yes. but do you REALLY want to log people's passwords into a nice
database?  I've changed/obfuscated ours, e.g. in your case...

It's okay, but when I query my table, I've just realized that with my
line the password field is empty. And before that, when the warning
appeared, the password field was always CHAP-PASSWORD, so it didn't insert
the real password.

INSERT INTO ${postauth_table} (username, pass, reply) VALUES ('%{User-Name}','password','%{reply:Packet-Type}')

But you're right, it's better with that.

Thanks


alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



accounting detail

2008-04-17 Thread Guillaume Chartrand
Hi, I'm using freeradius 2.0.3 and I want to do accounting with the detail module.

I enabled it in the accounting section, and the detail module is defined in radiusd.conf.
Here is the accounting section in the sites-enabled/default file
accounting {
#
#  Create a 'detail'ed log of the packets.
#  Note that accounting requests which are proxied
#  are also logged in the detail file.
detail
#
#  Instead of sending the query to the SQL server,
#  write it into a log file.
#
sql_log
attr_filter.accounting_response
}

Here is the detail section.
Detail {
  detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
  detailperm = 0600
  header = %t
}

But I don't have any file like the detailfile described above. In my radacctdir
I have only the sql-relay file.
And I checked all the debug output, and the detail module (rlm_detail) isn't
called anywhere, but it's defined when I start the server.

Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }

So why doesn't it do accounting? Can it be my AP that doesn't send
accounting packets? For my testing purpose I use a sample D-Link router.

Thanks


Guillaume Chartrand
IT technician
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 ext. 7218




RE: accounting detail

2008-04-17 Thread Guillaume Chartrand
Here is my debug output

Message-Authenticator = 0xcdc3f6cb9b506e11e3476d47403cc6c5
Service-Type = Framed-User
User-Name = guillaume\000
Framed-MTU = 1488
State = 0x404778b348a2618bc73c67e1113b0e93
Called-Station-Id = 00-0F-3D-AB-1C-07:testGuillaume
Calling-Station-Id = 00-0E-35-99-F3-E9
NAS-Identifier = D-Link Access Point
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 
0x02e500261900170301001bbb11a33db5048201304fec33b354cbd91bec88a2508b28f74bb154
NAS-IP-Address = 172.20.50.202
NAS-Port = 1
NAS-Port-Id = STA port # 1
+- entering group authorize
++[preprocess] returns ok
expand: %{User-Name} - guillaume
rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '%{SQL-User-Name}' ORDER BY id - SELECT 
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER 
BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '%{SQL-User-Name}' ORDER BY id - SELECT 
id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER 
BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++? if (ok)
? Evaluating (ok) - TRUE
++? if (ok) - TRUE
++- entering if (ok)
+++[control] returns ok
++- if (ok) returns ok
  rlm_eap: EAP packet type response id 229 length 38
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [guillaume\000/via Auth-Type = EAP] (from client AP1 port 1 cli 
00-0E-35-99-F3-E9)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} - guillaume
rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
expand: INSERT INTO radpostauth (username, pass, reply) VALUES 
('%{User-Name}','Password','%{reply:Packet-Type}') - INSERT INTO radpostauth 
(username, pass, reply) VALUES ('guillaume','Password','Access-Accept')
expand: /usr/local/var/log/radius/sqltrace.sql - 
/usr/local/var/log/radius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, 
pass, reply) VALUES ('guillaume','Password','Access-Accept')
rlm_sql (sql): Reserving sql socket id: 0
query:  INSERT INTO radpostauth (username, pass, reply) VALUES 
('guillaume','Password','Access-Accept')
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
MS-MPPE-Recv-Key = 
0x8cd2d85433951c41be7a3c5c9c1faa1fd34514cff327bedeea93cb7b7a6c385a
MS-MPPE-Send-Key = 
0x6997e9a371ce06bd10afc7824352474dc279a8344ccdad092170b654da859e63
EAP-Message = 0x03e50004
Message-Authenticator = 0x
User-Name = guillaume
Finished request 9.

I didn't copy all the debug output because with just one request it made about
1000 lines. If you want all the debug output, I can send it as an attached file.
Thanks

Guillaume Chartrand
IT technician
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 ext. 7218

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: 17 April 2008 10:20
To: FreeRadius users mailing list
Subject: Re: accounting detail

Guillaume Chartrand wrote:
 So why doesn't it do accounting? Can it be my AP that doesn't send
 accounting packets? For my testing purpose I use a sample D-Link router.

  Yes.

  As always, run it in debugging mode to see what it's doing.

  Alan DeKok.


SQL log accounting and post_auth

2008-04-16 Thread Guillaume Chartrand
Hi,

I want to log accounting information and post-auth information in my SQL
database. I have an MSSQL database. In my accounting section I uncommented
sql and sql_log. In the post_auth section I uncommented sql and sql_log too.
Here is the result I receive in debug mode


Login OK: [guillaume\000/via Auth-Type = EAP] (from client AP1 port 1
cli 00-0E-35-99-F3-E9)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} - guillaume
rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
++[sql] returns noop
rlm_sql_log (sql_log): Processing sql_log_postauth
expand: %{User-Name} - guillaume
expand: %{%{User-Name}:-DEFAULT} - guillaume
rlm_sql_log (sql_log): sql_set_user escaped user -- 'guillaume'
WARNING: Deprecated conditional expansion :-.  See man unlang for
details
expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
('%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', '%S'); - INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
('guillaume', 'Chap-Password',  'Access-Accept',
'2008-04-16 09:40:46');
expand: /usr/local/var/log/radius/radacct/sql-relay -
/usr/local/var/log/radius/radacct/sql-relay
++[sql_log] returns ok
MS-MPPE-Recv-Key =
0xddbdd27124caa81a4d0abacd8aa22d99cff95b591717efff32054bbeec88959c
MS-MPPE-Send-Key =
0x1326576688892a9369c4e6f3246aca4a65b572b1767232847b10a93935535b70
EAP-Message = 0x034f0004
Message-Authenticator = 0x
User-Name = guillaume
Finished request 9.

So why does the sql module return noop... and not insert anything in my
table?
With the sql_log module, I've only got the post_auth command inserted, not the
others, but in my sql_log section I have other things like this.

sql_log {
	path = ${radacctdir}/sql-relay
	acct_table = radacct
	postauth_table = radpostauth
	sql_user_name = %{%{User-Name}:-DEFAULT}

	Start = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
	  NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
	  AcctSessionTime, AcctTerminateCause) VALUES \
	  ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
	  '%{Framed-IP-Address}', '%S', '0', '0', '');
	Stop = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
	  NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
	  AcctSessionTime, AcctTerminateCause) VALUES \
	  ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
	  '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
	  '%{Acct-Terminate-Cause}');
	Alive = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
	  NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
	  AcctSessionTime, AcctTerminateCause) VALUES \
	  ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
	  '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}', '');

	Post-Auth = INSERT INTO ${postauth_table} \
	  (username, pass, reply, authdate) VALUES \
	  ('%{User-Name}', '%{User-Password:-Chap-Password}', \
	  '%{reply:Packet-Type}', '%S');
}

And for the warning about := I looked in man unlang, but I didn't find where
to change the := in the sql_log module.
The sql_relay file contains this line:
INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('guillaume', 'Chap-Password','Access-Accept', '2008-04-16 10:04:59');

And if I take that line and put it in my SQL query, it works and
successfully inserts the info

Thanks

Guillaume 

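The traces in this thread are easiest to read by asking three questions of each processing group: what did every module return, did rlm_sql actually send a statement, and were there warnings. The summariser below is an added example (not from the thread and not part of FreeRADIUS) that answers those questions for a `radiusd -X` trace; its two sample traces are constructed from the post-auth output quoted in this thread (sql returning `noop` with no query) and in the later "RE: accounting detail" message (sql returning `ok` after an INSERT), with `->` written where the archive shows `-`.

```python
"""Summarise a radiusd -X trace: per-group module return codes, the SQL
statements rlm_sql actually sent, and WARNING lines.  Added illustration for
reading the debug output quoted in the thread; not part of FreeRADIUS."""
import re
from typing import Dict, List, Tuple

GROUP_RE = re.compile(r"^\+- entering group (\S+)")
MODULE_RE = re.compile(r"^\+{2,}\[([^\]]+)\] returns (\S+)")
QUERY_RE = re.compile(r"^query:\s+(.*)$")
WARNING_RE = re.compile(r"^WARNING: (.*)$")

# Constructed from the thread: post-auth with no postauth_query configured for sql.
SAMPLE_NOOP = """\
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
++[sql] returns noop
rlm_sql_log (sql_log): Processing sql_log_postauth
WARNING: Deprecated conditional expansion :-.  See man unlang for details
expand: /usr/local/var/log/radius/radacct/sql-relay -> /usr/local/var/log/radius/radacct/sql-relay
++[sql_log] returns ok
Finished request 9.
""".splitlines()

# Constructed from the thread: the same section once postauth_query was added.
SAMPLE_OK = """\
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply) VALUES ('guillaume','Password','Access-Accept')
rlm_sql (sql): Reserving sql socket id: 0
query:  INSERT INTO radpostauth (username, pass, reply) VALUES ('guillaume','Password','Access-Accept')
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
Finished request 9.
""".splitlines()


def summarise(lines: List[str]) -> Dict[str, object]:
    """Walk the trace once, attributing module results and queries to the
    processing group (authorize, post-auth, accounting, ...) being run."""
    rcodes: Dict[str, List[Tuple[str, str]]] = {}
    queries: Dict[str, List[str]] = {}
    warnings: List[str] = []
    group = "(none)"
    for raw in lines:
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)
            rcodes.setdefault(group, [])
            continue
        m = MODULE_RE.match(line)
        if m:
            rcodes.setdefault(group, []).append((m.group(1), m.group(2)))
            continue
        m = QUERY_RE.match(line)
        if m:
            queries.setdefault(group, []).append(m.group(1))
            continue
        m = WARNING_RE.match(line)
        if m:
            warnings.append(m.group(1))
    return {"rcodes": rcodes, "queries": queries, "warnings": warnings}


def diagnose(lines: List[str]) -> List[str]:
    """Turn the summary into findings: an sql 'noop' in a group where no query
    was logged means the module had nothing configured to run there."""
    s = summarise(lines)
    findings: List[str] = []
    for group, results in s["rcodes"].items():
        sql_codes = [rc for mod, rc in results if mod == "sql"]
        if "noop" in sql_codes and group not in s["queries"]:
            findings.append(f"{group}: rlm_sql returned noop and issued no query "
                            "(check that a query is configured for this section, "
                            "e.g. postauth_query)")
    for w in s["warnings"]:
        findings.append("warning: " + w)
    return findings


if __name__ == "__main__":
    for label, sample in (("noop trace", SAMPLE_NOOP), ("ok trace", SAMPLE_OK)):
        print(label, "->", diagnose(sample) or ["no findings"])
```

Run it against a full `-X` capture (one request per `Finished request` line) and the `rcodes` map also shows whether an `accounting` group was ever entered, which is the question raised later in the thread when no detail file appeared.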


RE: SQL log accounting and post_auth

2008-04-16 Thread Guillaume Chartrand
I resolved part of my question.

The post_auth part is now inserted in my SQL database. What I modified is:
in mssql.conf I added these lines

postauth_table = radpostauth
postauth_query = INSERT INTO ${postauth_table} (username, pass, reply) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}','%{reply:Packet-Type}')

Before that I also created a table that's not in mssql/schema.sql.
It's a table named radpostauth, created with this command
CREATE TABLE [radpostauth] (
[id] [int] IDENTITY (1, 1) NOT NULL ,
[userName] [varchar] (64) NOT NULL ,
[pass] [varchar] (64) NOT NULL ,
[reply] [varchar] (32) NOT NULL ,
[authdate] [datetime] NOT NULL
)
GO
ALTER TABLE [radpostauth] WITH NOCHECK ADD
CONSTRAINT [DF_radpostauth_userName] DEFAULT ('') FOR [userName],
CONSTRAINT [DF_radpostauth_pass] DEFAULT ('') FOR [pass],
CONSTRAINT [DF_radpostauth_reply] DEFAULT ('') FOR [reply],
CONSTRAINT [DF_radpostauth_authdate] DEFAULT (getdate()) FOR [authdate],
CONSTRAINT [PK_radpostauth] PRIMARY KEY NONCLUSTERED
(
[id]
) ON [PRIMARY]

With these lines, when an INSERT is made to the table, the table automatically
adds the date in the authdate column.

So for this, now it's working. But I have nothing in the radacct table, and even if
I only keep sql_log in the accounting section, I have nothing in my
sql-relay file.

For the post_auth, it could be useful to other people if it's integrated into the
next update of freeradius.

As I write this email I've received the response from A L M Buxey, who wrote
this:
if you want to use the sql_logging function, ONLY uncomment the sql_log and
configure the sql_log{} section as required.  If you activate sql as well,
then it will attempt live SQL insertion into the database for incoming
accounting packets.

So now I comment out sql_log for the post_auth and leave sql to make the inserts
in my database, and
I comment out sql in the accounting section and leave sql_log uncommented, but I have
nothing in the sql-relay file

which version of FR are you running?
ideally you'd be with 2.x and then just activate the buffered-sql virtual 
server

I run 2.0.3




Guillaume Chartrand
IT technician
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 ext. 7218


RE: SQL log accounting and post_auth

2008-04-16 Thread Guillaume Chartrand

Hi,

 So for this, now it's working. But I have nothing in radacct table
and even if I only keep the sql_log in the accounting section, i have
nothing in my sql-relay file.

to get the sql-relay file you will need to call sql_log in the accounting
stanza and ensure that sql_log is configured in the main server.
Here is my accounting section
accounting {
sql_log
  #  Filter attributes from the accounting response.
  attr_filter.accounting_response
}
And in radiusd.conf
sql_log {
	path = ${radacctdir}/sql-relay
	acct_table = radacct
	postauth_table = radpostauth
	sql_user_name = %{%{User-Name}:-DEFAULT}
	Start = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
	  NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
	  AcctSessionTime, AcctTerminateCause) VALUES \
	  ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
	  '%{Framed-IP-Address}', '%S', '0', '0', '');
	Stop = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
	  NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
	  AcctSessionTime, AcctTerminateCause) VALUES \
	  ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
	  '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
	  '%{Acct-Terminate-Cause}');
	Alive = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
	  NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
	  AcctSessionTime, AcctTerminateCause) VALUES \
	  ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
	  '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}', '');

	Post-Auth = INSERT INTO ${postauth_table} \
	  (username, pass, reply, authdate) VALUES \
	  ('%{User-Name}', '%{User-Password:-Chap-Password}', \
	  '%{reply:Packet-Type}', '%S');
}

So it's defined in radiusd.conf and called in the accounting section. What
am I missing?

 For the post_auth it can be userful to other person if it's
integrated to the next update of freeradius.

noted - fix and update has been submitted as bug 545
Just for notice, I still have the warning in debug mode when I do the
post_auth queries
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} - guillaume
rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
WARNING: Deprecated conditional expansion :-.  See man unlang for
details
expand: INSERT INTO radpostauth (username, pass, reply) VALUES
('%{User-Name}',
'%{User-Password:-Chap-Password}','%{reply:Packet-Type}') - INSERT INTO
radpostauth (username, pass, reply) VALUES ('guillaume',
'Chap-Password','Access-Accept')
expand: /usr/local/var/log/radius/sqltrace.sql -
/usr/local/var/log/radius/sqltrace.sql

And I don't know what it is. And it's for the post_auth. The post_auth
section has just this
post-auth {
sql
}

Thanks again

alan


RE: SQL log accounting and post_auth

2008-04-16 Thread Guillaume Chartrand

I read and reread man unlang

And changed the insert line to this line:
postauth_query = INSERT INTO ${postauth_table} (username, pass, reply) VALUES ('%{User-Name}','%{%{User-Password}:-%{Chap-Password}}','%{reply:Packet-Type}')

It's the Chap-Password value that is corrected. So for the fix, please
update the insert with the correct value.

Thanks


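The three query variants that appear in this thread differ only in how the `pass` column is filled, and the difference lies entirely in how FreeRADIUS expands the `:-` forms: the deprecated `%{Attr:-text}` treats the text after `:-` as a literal, which is why the archive shows the string `Chap-Password` in the column, while the nested `%{%{A}:-%{B}}` form expands both sides, which on an outer PEAP request (no password attribute at all) yields an empty string. Below is an added Python model of that expansion, written for this page and not code from the thread or from FreeRADIUS; the attribute lists are constructed, `%S` is not modelled, and the third template is the constant-value variant from the top of the thread, which is the one that never writes a credential to the table.

```python
"""Model of the FreeRADIUS 2.x %{...} attribute expansion (xlat) used in the
sql/sql_log post-auth queries from this thread.  Added illustration, not
FreeRADIUS code: plain references (%{Attr}, %{reply:Attr}), the deprecated
%{Attr:-literal} form and the nested %{%{A}:-%{B}} form are modelled; %S is not."""
from typing import Dict, List, Tuple

Lists = Dict[str, Dict[str, str]]  # list name -> {attribute: value}

DEPRECATED_WARNING = "Deprecated conditional expansion :-.  See man unlang for details"

# The three post-auth query variants quoted in the thread.
QUERY_DEPRECATED = ("INSERT INTO radpostauth (username, pass, reply) VALUES "
                    "('%{User-Name}','%{User-Password:-Chap-Password}','%{reply:Packet-Type}')")
QUERY_NESTED = ("INSERT INTO radpostauth (username, pass, reply) VALUES "
                "('%{User-Name}','%{%{User-Password}:-%{Chap-Password}}','%{reply:Packet-Type}')")
QUERY_NO_SECRET = ("INSERT INTO radpostauth (username, pass, reply) VALUES "
                   "('%{User-Name}','password','%{reply:Packet-Type}')")

# Constructed attribute lists (not captured traffic).  An outer PEAP
# Access-Request, as in the thread, carries no User-Password or CHAP-Password;
# a PAP request carries the cleartext User-Password.
PEAP_LISTS: Lists = {
    "request": {"User-Name": "guillaume", "NAS-Port-Type": "Wireless-802.11"},
    "reply": {"Packet-Type": "Access-Accept"},
}
PAP_LISTS: Lists = {
    "request": {"User-Name": "guillaume", "User-Password": "correct-horse"},
    "reply": {"Packet-Type": "Access-Accept"},
}


def _matching_brace(text: str, open_idx: int) -> int:
    """Index of the '}' that closes the '{' at text[open_idx]."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in xlat: " + text)


def _lookup(ref: str, lists: Lists) -> str:
    """%{Attr} reads the request list; %{reply:Attr} names another list."""
    list_name, _, attr = ref.rpartition(":")
    return lists.get(list_name or "request", {}).get(attr, "")


def _expand_ref(body: str, lists: Lists, warnings: List[str]) -> str:
    """Expand the text found between '%{' and its matching '}'."""
    if body.startswith("%{"):
        # Nested form: use A if it expands to something, otherwise expand B.
        end = _matching_brace(body, 1)
        primary = expand(body[: end + 1], lists, warnings)
        rest = body[end + 1 :]
        if not rest.startswith(":-"):
            raise ValueError("expected ':-' after nested expansion: " + body)
        return primary or expand(rest[2:], lists, warnings)
    if ":-" in body:
        # Deprecated form: the text after ':-' is a literal, not an attribute,
        # which is why the thread saw the string 'Chap-Password' in the column.
        name, _, literal = body.partition(":-")
        warnings.append(DEPRECATED_WARNING)
        return _lookup(name, lists) or literal
    return _lookup(body, lists)


def expand(template: str, lists: Lists, warnings: List[str]) -> str:
    """Replace every %{...} in template; warnings collects deprecation notices."""
    out: List[str] = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 1)
            out.append(_expand_ref(template[i + 2 : end], lists, warnings))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def render_postauth(template: str, lists: Lists) -> Tuple[str, List[str]]:
    """Return the SQL the server would send plus any deprecation warnings."""
    warnings: List[str] = []
    return expand(template, lists, warnings), warnings


if __name__ == "__main__":
    for label, lists in (("PEAP", PEAP_LISTS), ("PAP", PAP_LISTS)):
        for name, q in (("deprecated", QUERY_DEPRECATED), ("nested", QUERY_NESTED),
                        ("no-secret", QUERY_NO_SECRET)):
            sql, warns = render_postauth(q, lists)
            print(f"{label}/{name}: {sql}" + ("  [warning]" if warns else ""))
```

Running the PAP lists through `QUERY_NESTED` shows the other half of Alan's remark: once the expansion is fixed, a request that does carry `User-Password` puts the cleartext credential into `radpostauth`, so the constant-value template (or dropping the column) is the variant to keep.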


RE: Authorize with SQL and/or AD with ntlm_auth !!!SOLVED!!!

2008-04-04 Thread Guillaume Chartrand

 If in the radius.conf mschap module section I insert the same ntlm_auth
 line as in the exec, SQL doesn't work but AD works. If I put nothing in the
 mschap section, SQL works but not AD. So what did I do wrong?

  1) Do not create your own ntlm_auth module.
  2) configure ntlm_auth in the mschap module
  4) test that AD authentication works (ignoring SQL for now)
  3) update the authorize section to look like this:

authorize {
   preprocess
   sql
   if (ok) {
   update control {
   MS-CHAP-Use-NTLM-Auth := No
   }
   }
   ...

 After that, both AD and SQL should work.

  Alan DeKok.

Thank you, it's working now with both AD and SQL.

Guillaume



SQL Fall-Through

2008-04-04 Thread Guillaume Chartrand
Hi again,

I want to know what I'm doing wrong. I have an MSSQL database and it's
working great. Now I want to tweak my setup by including some
attributes in a group. But it seems that rlm_sql doesn't look at groupcheck
or groupreply. I also put read_groups = yes in mssql.conf

 

Here is my database and debug output

usergroup
1,guillaume,dynamic
2,jacques,dynamic

Radcheck
1,guillaume,Cleartext-Password,xx,:=
2,jacques,Cleartext-Password,x,:=

Radreply
5, ,guillaume,Fall-Through,Yes,=

Radgroupcheck
2,dynamic,Expiration,4 april 2008,:=

Radgroupreply
1,dynamic,Framed-Compression,Van-Jacobsen-TCP-IP,:=,0
2,dynamic,Framed-Protocol,PPP,:=,0
3,dynamic,Service-Type,Framed-User,:=,0
4,dynamic,Framed-MTU,1500,:=,0

rad_recv: Access-Request packet from host 172.20.50.202 port 1088, id=49, length=249
Message-Authenticator = 0xacf874dd95a5e7a44477ebe85628c2d2
Service-Type = Framed-User
User-Name = guillaume\000
Framed-MTU = 1488
State = 0x937fe8889b4ef1e0c024c3839183ef26
Called-Station-Id = 00-0F-3D-AB-1C-07:testGuillaume
Calling-Station-Id = 00-0E-35-99-F3-E9
NAS-Identifier = D-Link Access Point
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 0x023100261900170301001b37f64ad3eba1ecf9db603f2431312964a27e49ca72e0f0d1588d99
NAS-IP-Address = 172.20.50.202
NAS-Port = 1
NAS-Port-Id = STA port # 1
+- entering group authorize
++[preprocess] returns ok
expand: %{User-Name} - guillaume
rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id - SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id - SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++? if (ok)
? Evaluating ok - TRUE
++? if (ok) - TRUE
++- entering if (ok)
+++[control] returns ok
++- if (ok) returns ok
  rlm_eap: EAP packet type response id 49 length 38
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
++[eap] returns ok
Sending Access-Accept of id 49 to 172.20.50.202 port 1088
MS-MPPE-Recv-Key = 0xc65d46cf1ee515a044585d7158c6c0dd39d183728c7541316f1171f701729069
MS-MPPE-Send-Key = 0x338d0bb6e1edd84602c3795eb3dc12da8e04b1b85dd988013a7e621e3f40399a
EAP-Message = 0x03310004
Message-Authenticator = 0x
User-Name = guillaume
Finished request 9.
Going to the next request


Thanks



Guillaume Chartrand


Authorize with SQL and/or AD with ntlm_auth

2008-04-03 Thread Guillaume Chartrand

++[eap] returns reject
auth: Failed to validate the user.
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE

 

So the last part, if I understand, is that when the authentication section is
called, it tries to authenticate with my ntlm_auth module, but it fails
and I don't know why.

If in the radius.conf mschap module section I insert the same ntlm_auth
line as in the exec, SQL doesn't work but AD works. If I put nothing in the
mschap section, SQL works but not AD. So what did I do wrong?

 

Thanks

 



Guillaume Chartrand


Freeradius push attribute to wireless connection

2008-04-02 Thread Guillaume Chartrand
Hi,

 

I'm using Freeradius 2.0; I configured it with an SQL database, and the
principal job of the radius server is to authorize and authenticate my
wireless users over my network. What I want to do is give some
attributes to the user when he is connected, like Session-Timeout, bandwidth
and some other stuff. Here are some entries in my database

usergroup
1,guillaume,dynamic
2,jacques,dynamic

Radcheck
1,guillaume,Cleartext-Password,xx,:=
2,jacques,Cleartext-Password,x,:=

Radreply
3,guillaume,Session-Timeout,30,:=

It's an MSSQL database

Here is the debug info from radiusd -X

rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id - SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id - SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok

 

I have access, but my session didn't disconnect after 30 sec. So can I do
that with a wireless configuration? My goal is to give guest users
a limited time and an expiration date.

 

Thanks

 



Guillaume Chartrand


RE: Freeradius push attribute to wireless connection

2008-04-02 Thread Guillaume Chartrand

What is in the Access-Accept packet?

Ivan Kalik
Kalik Informatika ISP

Sending Access-Accept of id 98 to 172.20.50.202 port 1037
Session-Timeout := 30
MS-MPPE-Recv-Key = 
0x7a1997f1239667f0efeb3c4461711ac3467845bad3fc11db5ceaaae6b4161ec7
MS-MPPE-Send-Key = 
0x23e0e4835b830081fe1b624d8f10fc7afa1459a87b814479a83f5fbcbab949ef
EAP-Message = 0x03620004
Message-Authenticator = 0x
User-Name = guillaume
Finished request 9.

Here is the access-accept; the IP address shown below is the Access Point IP. Is
it possible that the AP cannot send this kind of attribute?







RE: Two authorize instance

2008-04-01 Thread Guillaume Chartrand

Guillaume Chartrand wrote:
 I use freeradius 2.0.0 on Red Hat Enterprise 3 AS and I set the
authorize section to check the user credentials with an SQL database.
This configuration works.
 But I want to know, and how to do it if it's possible: if the user
isn't in the SQL database, can freeradius check another database, like an
LDAP database? So when the user is in the SQL database he gains access;
if not, it looks in an LDAP database, and if he is present with valid
credentials, he gains access.

  Yes. 

   ...
   sql
   if (notfound) {
   ldap
   }

 See man unlang.

  Alan DeKok.
I wrote the if in my authorize section. Here is some of my config in
sites-enabled/default
authorize {
preprocess
chap
mschap
unix
suffix
sql
if (notfound) {
ntlm_auth
  }
eap
expiration
logintime
pap
}
authenticate {

ntlm_auth
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}   
Auth-Type MS-CHAP {
mschap
}
unix
eap
}

And here is my radiusd.conf
modules {
	exec ntlm_auth {
		wait = no
		program = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
	}
	$INCLUDE eap.conf
	mschap {
		with_ntdomain_hack = yes
		ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
	}
}

If I comment out the ntlm_auth line in the mschap module and the user is present
in SQL, he's accepted. If he's not in SQL but in my Active Directory
database, he's rejected.

If I comment out the ntlm_auth line, my SQL user is rejected but my AD
user is accepted. So where am I wrong? I want to use both authorization
databases.

Thanks




Two authorize instance

2008-03-31 Thread Guillaume Chartrand
Hi everybody,

I use freeradius 2.0.0 on Red Hat Enterprise 3 AS and I set the authorize
section to check the user credentials with an SQL database. This configuration
works.
But I want to know, and how to do it if it's possible: if the user isn't in the
SQL database, can freeradius check another database, like an LDAP database? So
when the user is in the SQL database he gains access; if not, it looks in an LDAP
database, and if he is present with valid credentials, he gains access.
Here are my current authorize and authentication sections:
authorize {
preprocess
chap
mschap
unix
suffix
sql
eap
expiration
logintime
pap
}
authenticate {

ntlm_auth
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}   
Auth-Type MS-CHAP {
mschap
}
unix
eap
}


Guillaume Chartrand
IT technician
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 ext. 7218

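One way to get the SQL-first, LDAP-fallback behaviour the question asks for, as an added example that is not from the original posts or from FreeRADIUS's shipped configuration; it assumes an ldap module instance named ldap is already defined and pointing at the directory:

```unlang
# Added example, not from the original posts.  Assumes a module instance
# "ldap" exists in radiusd.conf (or modules/ldap) for the second database.
authorize {
    preprocess
    chap
    mschap
    unix
    suffix
    sql
    # "notfound" tests the return code of the module call just above (sql),
    # so ldap is consulted only when the user is absent from the SQL tables.
    # "redundant { sql ldap }" would NOT do this: redundant moves on only
    # when sql *fails* (database down), not when the user is simply missing.
    if (notfound) {
        ldap
    }
    eap
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # rlm_ldap (default set_auth_type = yes) sets Auth-Type := LDAP on PAP
    # requests when it found the user but could not read a password
    # attribute; the bind-as-user check then runs here.
    Auth-Type LDAP {
        ldap
    }
    unix
    eap
}

# Caveat: CHAP and MS-CHAP need a cleartext or NT-hash password from the
# second database.  Active Directory does not return password hashes over
# LDAP, so MS-CHAP/PEAP against AD still has to go through mschap's
# ntlm_auth setting rather than through this ldap fallback.
```

Run radiusd -X and confirm the fallback fires: a request for a user absent from SQL should show "++[sql] returns notfound" followed by the ldap module's own lines in the same authorize pass.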


Wifi with Welcome message?

2008-03-19 Thread Guillaume Chartrand
Hi,

Is it possible to send or execute a script for a user when he has
authenticated through a wi-fi connection with a particular NAS?

Like when user joe successfully authenticates with the SQL database, if
he was connected with NAS IP address X, he receives Welcome message X,
and if he authenticated with NAS Y, he receives Welcome message Y.

Currently I have Freeradius 2.0 with authentication on an MSSQL
database and it works and gives an IP address to the client when he is
authenticated.


Guillaume


Can freeRadius do that?

2008-03-11 Thread Guillaume Chartrand
Hi,

I just want to know if the freeradius server can do what I want to deploy in my
environment. I want to deploy freeradius to take care of security and
authorization for my wireless network. What I want to do is like many hotels in
my country. The user opens his laptop with wireless capability, is automatically
connected to the wireless network, but if he wants to use the internet
connection, when he first runs his browser, he's automatically redirected to an
authentication page that asks him for a username and a password. So is it
freeradius that handles this, or another software, or a combination of software,
like a freeradius server and a proxy, or freeradius with third-party software?

Can someone help me with my question?

Thanks a lot

Guillaume Chartrand
IT technician
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 ext. 7218


RE: Can freeRadius do that?

2008-03-11 Thread Guillaume Chartrand
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On behalf
of Tim White
Sent: March 11, 2008 15:09
To: FreeRadius users mailing list
Subject: Re: Can freeRadius do that?

I'm using freeradius, with CoovaChilli, and a Squid Proxy (to reduce 
internet traffic).

Which AP do you use? Do you know if Cisco APs or D-Link APs are supported by
CoovaChilli without modifying the APs' firmware?

Guillaume
Thanks



Works a charm

Tim

Alan DeKok wrote:
 Guillaume Chartrand wrote:
 ... What I want to do is like
   
 many hotel in my country. The user open is laptop with wireless
 capability, is automaticly connected to the wireless network but if he
 want to use the internet connection, when he first run is browser, he's
 automaticly redirect to an authentification page that ask him a username
 and a password. So is it freeradius who's handle this or another
 software or combination of software. Like a freeradius server and a
 proxy or freeradius with third party software.
 

   See Chillispot or CoovaChilli.  What you want is a captive portal.

   Alan DeKok.


freeradius SQL + EAP + Windows client

2008-02-28 Thread Guillaume Chartrand
 to 172.20.50.202 port 1063
EAP-Message = 
0x010800261900170301001b43e26227f37525d5072bc3647428c3fafce33dd5f49b549f0194e0
Message-Authenticator = 0x
State = 0x520c3ced550425a3a459d69bfb6e15b4
Finished request 7.
Going to the next request
Waking up in 0.4 seconds. 
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=8, 
length=249
Message-Authenticator = 0x7c5457d18a2ab93316e3cb7416ec9acb
Service-Type = Framed-User
User-Name = guillaume\000
Framed-MTU = 1488
State = 0x520c3ced550425a3a459d69bfb6e15b4
Called-Station-Id = 00-0F-3D-AB-1C-07:testGuillaume
Calling-Station-Id = 00-0E-35-99-F3-E9
NAS-Identifier = D-Link Access Point
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 
0x020800261900170301001b3116a7abe82507e5348d4e6f2e108f5b1c80d2e51db813beebcc1f
NAS-IP-Address = 172.20.50.202
NAS-Port = 1
NAS-Port-Id = STA port # 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = guillaume, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
expand: %{User-Name} - guillaume
rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '%{SQL-User-Name}' ORDER BY id - SELECT 
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER 
BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '%{SQL-User-Name}' ORDER BY id - SELECT 
id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER 
BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
  rlm_eap: EAP packet type response id 8 length 38
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7 
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in this 
session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - guillaume
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.4 seconds. 
Waking up in 0.1 seconds. 
Waking up in 0.1 seconds. 
Sending delayed reject for request 8
Sending Access-Reject of id 8 to 172.20.50.202 port 1063
EAP-Message = 0x04080004
Message-Authenticator = 0x
Waking up in 3.4 seconds. 
Cleaning up request 0 ID 0 with timestamp +14
Waking up in 0.1 seconds. 
Cleaning up request 1 ID 1 with timestamp +14
Cleaning up request 2 ID 2 with timestamp +14
Cleaning up request 3 ID 3 with timestamp +15
Cleaning up request 4 ID 4 with timestamp +15
Cleaning up request 5 ID 5 with timestamp +15
Cleaning up request 6 ID 6 with timestamp +15
Waking up in 0.1 seconds. 
Cleaning up request 7 ID 7 with timestamp +15
Waking up in 1.0 seconds. 
Cleaning up request 8 ID 8 with timestamp +15
Ready to process requests.

Thanks for the help



Guillaume Chartrand
IT technician
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 ext. 7218
