RE: SQL log accounting and post_auth
Hi,

> > And change the insert line with this line:
> >
> >   postauth_query = INSERT INTO ${postauth_table} (username, pass, reply) VALUES ('%{User-Name}','%{%{User-Password}:-%{Chap-Password}}','%{reply:Packet-Type}')
>
> yes. but do you REALLY want to log peoples passwords into a nice database?
> I've changed/obfuscated ours eg in your case...

It's okay, but when I query my table, I've just realized that with my line the password field is empty. And before that, when the warning appears, the password field is always CHAP-PASSWORD, so it doesn't insert the real password.

>   INSERT INTO ${postauth_table} (username, pass, reply) VALUES \
>     ('%{User-Name}','password','%{reply:Packet-Type}')

But you're right, it's better with that.

Thanks

> alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
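Added example (my own, not code from the thread or from FreeRADIUS): a simplified Python model of how the 2.x server expands the deprecated `%{Attr:-literal}` form versus the `%{%{Attr}:-%{Other}}` form, run over constructed PAP, CHAP and EAP attribute lists. It shows why the old postauth_query stored the literal string Chap-Password, why the corrected one stores an empty string for PEAP logins (the credential never appears in the outer request), and that the constant placeholder keeps credentials out of the table for every request type; the attribute values and the exact legacy semantics are assumptions.

```python
"""Model of the two FreeRADIUS ':-' xlat forms discussed in the thread.
Simplified, assumed semantics: deprecated '%{Attr:-text}' uses 'text' as a
literal; '%{%{Attr}:-%{Other}}' expands both sides as xlat strings."""

# Constructed sample attribute lists. The EAP one mirrors the shape of the
# Access-Request in the thread: no User-Password or CHAP-Password at the
# outer level, because the credential travels inside the PEAP tunnel.
PAP_REQUEST = {"User-Name": "guillaume", "User-Password": "s3cret"}
CHAP_REQUEST = {"User-Name": "guillaume", "CHAP-Password": "0x01deadbeef"}
EAP_REQUEST = {"User-Name": "guillaume", "EAP-Message": "0x02e50026",
               "Framed-MTU": "1488"}
REPLY = {"Packet-Type": "Access-Accept"}

# The three postauth_query templates that appear in the thread.
OLD_QUERY = ("INSERT INTO radpostauth (username, pass, reply) VALUES "
             "('%{User-Name}', '%{User-Password:-Chap-Password}',"
             "'%{reply:Packet-Type}')")
NEW_QUERY = ("INSERT INTO radpostauth (username, pass, reply) VALUES "
             "('%{User-Name}','%{%{User-Password}:-%{Chap-Password}}',"
             "'%{reply:Packet-Type}')")
SAFE_QUERY = ("INSERT INTO radpostauth (username, pass, reply) VALUES "
              "('%{User-Name}','password','%{reply:Packet-Type}')")


def _matching_brace(s, start):
    """Index of the '}' that closes the '{' at s[start]."""
    depth = 0
    for i in range(start, len(s)):
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in xlat: " + s)


def _split_default(body):
    """Split at the first top-level ':-'; second item is None if absent."""
    depth = 0
    for i in range(len(body) - 1):
        if body[i] == "{":
            depth += 1
        elif body[i] == "}":
            depth -= 1
        elif depth == 0 and body[i:i + 2] == ":-":
            return body[:i], body[i + 2:]
    return body, None


def _lookup(name, request, reply):
    """Case-insensitive attribute lookup; 'reply:' selects the reply list."""
    attrs = request
    if name.lower().startswith("reply:"):
        attrs, name = reply, name[len("reply:"):]
    for key, value in attrs.items():
        if key.lower() == name.lower():
            return value
    return ""


def expand(template, request, reply, warnings=None):
    """Expand %{...} references in template against the attribute lists."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        close = _matching_brace(template, i + 1)
        body = template[i + 2:close]
        left, default = _split_default(body)
        if default is None:
            out.append(_lookup(body, request, reply))
        elif "%{" in left:
            # 2.x form: both sides are themselves xlat strings.
            value = expand(left, request, reply, warnings)
            out.append(value or expand(default, request, reply, warnings))
        else:
            # Deprecated 1.x form: left is an attribute name, right is LITERAL
            # text, which is why the thread's table filled with the string
            # 'Chap-Password' instead of a credential.
            if warnings is not None:
                warnings.append("Deprecated conditional expansion :-")
            out.append(_lookup(left, request, reply) or default)
        i = close + 1
    return "".join(out)


def postauth_pass(query, request, reply=REPLY):
    """Return just what the expanded query would store in the 'pass' column."""
    sql = expand(query, request, reply)
    values = sql[sql.index("VALUES (") + len("VALUES ("):-1]
    return values.split(",")[1].strip().strip("'")


if __name__ == "__main__":
    for label, req in (("PAP", PAP_REQUEST), ("CHAP", CHAP_REQUEST),
                       ("EAP", EAP_REQUEST)):
        print(label, repr(postauth_pass(OLD_QUERY, req)),
              repr(postauth_pass(NEW_QUERY, req)),
              repr(postauth_pass(SAFE_QUERY, req)))
```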
accounting detail
Hi,

I'm using freeradius 2.0.3 and I want to do accounting with the detail module. I enabled it in the accounting section, and the detail module is defined in radiusd.conf.

Here is the accounting section in the sites-enabled/default file:

    accounting {
        #
        # Create a 'detail'ed log of the packets.
        # Note that accounting requests which are proxied
        # are also logged in the detail file.
        detail

        #
        # Instead of sending the query to the SQL server,
        # write it into a log file.
        #
        sql_log

        attr_filter.accounting_response
    }

Here is the detail section:

    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
        header = %t
    }

But I don't have any file like the detailfile described above. In my radacctdir I have only the sql-relay file. And I checked all the debug output, and the detail module (rlm_detail) isn't called anywhere, but it is defined when I start the server:

    Module: Checking accounting {...} for more modules to load
    Module: Linked to module rlm_detail
    Module: Instantiating detail
     detail {
        detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
        header = %t
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
     }

So why doesn't it do accounting? Can it be my AP that doesn't send accounting packets? For my testing purposes I use a sample D-Link router.

Thanks

Guillaume Chartrand
IT technician
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 ext. 7218
RE: accounting detail
Here is my debug output:

            Message-Authenticator = 0xcdc3f6cb9b506e11e3476d47403cc6c5
            Service-Type = Framed-User
            User-Name = guillaume\000
            Framed-MTU = 1488
            State = 0x404778b348a2618bc73c67e1113b0e93
            Called-Station-Id = 00-0F-3D-AB-1C-07:testGuillaume
            Calling-Station-Id = 00-0E-35-99-F3-E9
            NAS-Identifier = D-Link Access Point
            NAS-Port-Type = Wireless-802.11
            Connect-Info = CONNECT 54Mbps 802.11g
            EAP-Message = 0x02e500261900170301001bbb11a33db5048201304fec33b354cbd91bec88a2508b28f74bb154
            NAS-IP-Address = 172.20.50.202
            NAS-Port = 1
            NAS-Port-Id = STA port # 1
    +- entering group authorize
    ++[preprocess] returns ok
            expand: %{User-Name} -> guillaume
    rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
    rlm_sql (sql): Reserving sql socket id: 1
            expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
    query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
    rlm_sql (sql): User found in radcheck table
            expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
    query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
    rlm_sql (sql): Released sql socket id: 1
    ++[sql] returns ok
    ++? if (ok)
    ? Evaluating (ok) -> TRUE
    ++? if (ok) -> TRUE
    ++- entering if (ok)
    +++[control] returns ok
    ++- if (ok) returns ok
      rlm_eap: EAP packet type response id 229 length 38
      rlm_eap: Continuing tunnel setup.
    ++[eap] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    +- entering group authenticate
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/peap
      rlm_eap: processing type peap
      rlm_eap_peap: Authenticate
      rlm_eap_tls: processing TLS
    eaptls_verify returned 7
      rlm_eap_tls: Done initial handshake
    eaptls_process returned 7
      rlm_eap_peap: EAPTLS_OK
      rlm_eap_peap: Session established. Decoding tunneled attributes.
      rlm_eap_peap: Received EAP-TLV response.
      rlm_eap_peap: Success
      rlm_eap: Freeing handler
    ++[eap] returns ok
    Login OK: [guillaume\000/<via Auth-Type = EAP>] (from client AP1 port 1 cli 00-0E-35-99-F3-E9)
    +- entering group post-auth
    rlm_sql (sql): Processing sql_postauth
            expand: %{User-Name} -> guillaume
    rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
            expand: INSERT INTO radpostauth (username, pass, reply) VALUES ('%{User-Name}','Password','%{reply:Packet-Type}') -> INSERT INTO radpostauth (username, pass, reply) VALUES ('guillaume','Password','Access-Accept')
            expand: /usr/local/var/log/radius/sqltrace.sql -> /usr/local/var/log/radius/sqltrace.sql
    rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply) VALUES ('guillaume','Password','Access-Accept')
    rlm_sql (sql): Reserving sql socket id: 0
    query: INSERT INTO radpostauth (username, pass, reply) VALUES ('guillaume','Password','Access-Accept')
    rlm_sql (sql): Released sql socket id: 0
    ++[sql] returns ok
            MS-MPPE-Recv-Key = 0x8cd2d85433951c41be7a3c5c9c1faa1fd34514cff327bedeea93cb7b7a6c385a
            MS-MPPE-Send-Key = 0x6997e9a371ce06bd10afc7824352474dc279a8344ccdad092170b654da859e63
            EAP-Message = 0x03e50004
            Message-Authenticator = 0x
            User-Name = guillaume
    Finished request 9.

I didn't copy all the debug output because with just one request it made about 1000 lines. If you want all the debug output, I can send it in an attached file.

Thanks

Guillaume Chartrand
IT technician
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 ext. 7218

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: 17 April 2008 10:20
To: FreeRadius users mailing list
Subject: Re: accounting detail

> Guillaume Chartrand wrote:
> > So why doesn't it do accounting? Can it be my AP that doesn't send accounting packets? For my testing purposes I use a sample D-Link router.
>
> Yes. As always, run it in debugging mode to see what it's doing.
>
> Alan DeKok.
SQL log accounting and post_auth
Hi,

I want to log accounting information and post-auth information in my sql database. I have an MSSQL database. In my accounting section I uncommented sql and sql_log. In the post_auth section I uncommented sql and sql_log too. Here is the result I receive in debug mode:

    Login OK: [guillaume\000/<via Auth-Type = EAP>] (from client AP1 port 1 cli 00-0E-35-99-F3-E9)
    +- entering group post-auth
    rlm_sql (sql): Processing sql_postauth
            expand: %{User-Name} -> guillaume
    rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
    ++[sql] returns noop
    rlm_sql_log (sql_log): Processing sql_log_postauth
            expand: %{User-Name} -> guillaume
            expand: %{%{User-Name}:-DEFAULT} -> guillaume
    rlm_sql_log (sql_log): sql_set_user escaped user -- 'guillaume'
    WARNING: Deprecated conditional expansion :-. See man unlang for details
            expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('guillaume', 'Chap-Password', 'Access-Accept', '2008-04-16 09:40:46');
            expand: /usr/local/var/log/radius/radacct/sql-relay -> /usr/local/var/log/radius/radacct/sql-relay
    ++[sql_log] returns ok
            MS-MPPE-Recv-Key = 0xddbdd27124caa81a4d0abacd8aa22d99cff95b591717efff32054bbeec88959c
            MS-MPPE-Send-Key = 0x1326576688892a9369c4e6f3246aca4a65b572b1767232847b10a93935535b70
            EAP-Message = 0x034f0004
            Message-Authenticator = 0x
            User-Name = guillaume
    Finished request 9.

So why does the sql module return noop... and not insert anything in my table?

With the sql_log module, only the post_auth command was inserted, not the others, but in my sql_log section I have other things like that:

    sql_log {
        path = ${radacctdir}/sql-relay
        acct_table = radacct
        postauth_table = radpostauth
        sql_user_name = %{%{User-Name}:-DEFAULT}

        Start = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
          NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
          AcctSessionTime, AcctTerminateCause) VALUES \
          ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
          '%{Framed-IP-Address}', '%S', '0', '0', '');

        Stop = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
          NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
          AcctSessionTime, AcctTerminateCause) VALUES \
          ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
          '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
          '%{Acct-Terminate-Cause}');

        Alive = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
          NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
          AcctSessionTime, AcctTerminateCause) VALUES \
          ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
          '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');

        Post-Auth = INSERT INTO ${postauth_table} \
          (username, pass, reply, authdate) VALUES \
          ('%{User-Name}', '%{User-Password:-Chap-Password}', \
          '%{reply:Packet-Type}', '%S');
    }

And for the warning about :=, I looked in man unlang but I didn't find where to change the := in the sql_log module.

The sql-relay file contains this line:

    INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('guillaume', 'Chap-Password','Access-Accept', '2008-04-16 10:04:59');

And if I take that line and put it in my sql query, it works and successfully inserts the info.

Thanks

Guillaume
RE: SQL log accounting and post_auth
I resolved some part of my question. The post_auth part is now inserted in my sql database. What I modified is: in mssql.conf, add these lines

    postauth_table = radpostauth
    postauth_query = INSERT INTO ${postauth_table} (username, pass, reply) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}','%{reply:Packet-Type}')

Before that I also created a table that's not in mssql/schema.sql. It's a table named radpostauth, created with this command:

    CREATE TABLE [radpostauth] (
        [id] [int] IDENTITY (1, 1) NOT NULL ,
        [userName] [varchar] (64) NOT NULL ,
        [pass] [varchar] (64) NOT NULL ,
        [reply] [varchar] (32) NOT NULL ,
        [authdate] [datetime] NOT NULL
    )
    GO

    ALTER TABLE [radpostauth] WITH NOCHECK ADD
        CONSTRAINT [DF_radpostauth_userName] DEFAULT ('') FOR [userName],
        CONSTRAINT [DF_radpostauth_pass] DEFAULT ('') FOR [pass],
        CONSTRAINT [DF_radpostauth_reply] DEFAULT ('') FOR [reply],
        CONSTRAINT [DF_radpostauth_authdate] DEFAULT (getdate()) FOR [authdate],
        CONSTRAINT [PK_radpostauth] PRIMARY KEY NONCLUSTERED
        (
            [id]
        ) ON [PRIMARY]

With these lines, when an INSERT is made to the table, the table automatically adds the date in authdate. So for this, now it's working.

But I have nothing in the radacct table, and even if I only keep sql_log in the accounting section, I have nothing in my sql-relay file.

For the post_auth it could be useful to other people if it's integrated into the next update of freeradius.

While I was writing this email I received the response from A L M Buxey, who wrote this:

> if you want to use the sql_logging function, ONLY uncomment the sql_log and configure the sql_log{} section as required. if you activate sql as well, then it will attempt live SQL insertion into the database for incoming accounting packets.

So now I comment out sql_log for the post_auth and leave sql to make the inserts in my database, and I comment out sql in the accounting section and leave sql_log uncommented, but I have nothing in the sql-relay file.

> which version of FR are you running?
> ideally you'd be with 2.x and then just activate the buffered-sql virtual server

I run 2.0.3

Guillaume Chartrand
IT technician
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 ext. 7218

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Guillaume Chartrand
Sent: 16 April 2008 10:54
To: FreeRadius users mailing list
Subject: SQL log accounting and post_auth
RE: SQL log accounting and post_auth
Hi,

> > So for this, now it's working. But I have nothing in the radacct table, and even if I only keep sql_log in the accounting section, I have nothing in my sql-relay file.
>
> to get the sql-relay file you will need to call sql_log in the accounting stanza and ensure that the sql_log is configured in the main server.

It's my accounting section:

    accounting {
        sql_log

        # Filter attributes from the accounting response.
        attr_filter.accounting_response
    }

And in radiusd.conf:

    sql_log {
        path = ${radacctdir}/sql-relay
        acct_table = radacct
        postauth_table = radpostauth
        sql_user_name = %{%{User-Name}:-DEFAULT}

        Start = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
          NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
          AcctSessionTime, AcctTerminateCause) VALUES \
          ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
          '%{Framed-IP-Address}', '%S', '0', '0', '');

        Stop = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
          NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
          AcctSessionTime, AcctTerminateCause) VALUES \
          ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
          '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
          '%{Acct-Terminate-Cause}');

        Alive = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
          NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
          AcctSessionTime, AcctTerminateCause) VALUES \
          ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
          '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');

        Post-Auth = INSERT INTO ${postauth_table} \
          (username, pass, reply, authdate) VALUES \
          ('%{User-Name}', '%{User-Password:-Chap-Password}', \
          '%{reply:Packet-Type}', '%S');
    }

So it's defined in radiusd.conf and called in the accounting section. What am I missing?

> > For the post_auth it could be useful to other people if it's integrated into the next update of freeradius.
>
> noted - fix and updated has been submitted as bug 545

Just for notice, I again have the warning in debug mode when I do the post_auth queries:

    rlm_sql (sql): Processing sql_postauth
            expand: %{User-Name} -> guillaume
    rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
    WARNING: Deprecated conditional expansion :-. See man unlang for details
            expand: INSERT INTO radpostauth (username, pass, reply) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}','%{reply:Packet-Type}') -> INSERT INTO radpostauth (username, pass, reply) VALUES ('guillaume', 'Chap-Password','Access-Accept')
            expand: /usr/local/var/log/radius/sqltrace.sql -> /usr/local/var/log/radius/sqltrace.sql

And I don't know what it is. And it's for the post_auth. The post_auth has just this:

    post-auth {
        sql
    }

Thanks again

> alan
RE: SQL log accounting and post_auth
I read and reread man unlang, and changed the insert line to this line:

    postauth_query = INSERT INTO ${postauth_table} (username, pass, reply) VALUES ('%{User-Name}','%{%{User-Password}:-%{Chap-Password}}','%{reply:Packet-Type}')

It's the value chap-password that's corrected. So for the fix, please update the insert with the correct value.

Thanks
RE: Authorize with SQL and/or AD with ntlm_auth !!!SOLVED!!!
> > If in the radiusd.conf mschap section module I insert the same ntlm_auth line as the exec, the sql doesn't work but AD works. If I put nothing in the mschap section, the SQL works but not AD. So what did I do wrong?
>
> 1) Do not create your own ntlm_auth module.
> 2) configure ntlm_auth in the mschap module
> 4) test that AD authentication works (ignoring SQL for now)
> 3) update the authorize section to look like this:
>
>     authorize {
>         preprocess
>         sql
>         if (ok) {
>             update control {
>                 MS-CHAP-Use-NTLM-Auth := No
>             }
>         }
>         ...
>
> After that, both AD and SQL should work.
>
> Alan DeKok.

Thank you, it's working now with both AD and SQL.

Guillaume
SQL Fall-Through
Hi again,

I want to know what I am doing wrong. I have an MSSQL database and it's working great. Now I want to tweak my setup by including some attributes in a group. But it seems that rlm_sql doesn't go and look at groupcheck or groupreply. I also put read_groups = yes in mssql.conf. Here are my database and debug output:

    usergroup
    1,guillaume,dynamic
    2,jacques,dynamic

    Radcheck
    1,guillaume,Cleartext-Password,xx,:=
    2,jacques,Cleartext-Password,x,:=

    Radreply
    5, ,guillaume,Fall-Through,Yes,=

    Radgroupcheck
    2,dynamic,Expiration,4 april 2008,:=

    Radgroupreply
    1,dynamic,Framed-Compression,Van-Jacobsen-TCP-IP,:=,0
    2,dynamic,Framed-Protocol,PPP,:=,0
    3,dynamic,Service-Type,Framed-User,:=,0
    4,dynamic,Framed-MTU,1500,:=,0

    rad_recv: Access-Request packet from host 172.20.50.202 port 1088, id=49, length=249
            Message-Authenticator = 0xacf874dd95a5e7a44477ebe85628c2d2
            Service-Type = Framed-User
            User-Name = guillaume\000
            Framed-MTU = 1488
            State = 0x937fe8889b4ef1e0c024c3839183ef26
            Called-Station-Id = 00-0F-3D-AB-1C-07:testGuillaume
            Calling-Station-Id = 00-0E-35-99-F3-E9
            NAS-Identifier = D-Link Access Point
            NAS-Port-Type = Wireless-802.11
            Connect-Info = CONNECT 54Mbps 802.11g
            EAP-Message = 0x023100261900170301001b37f64ad3eba1ecf9db603f2431312964a27e49ca72e0f0d1588d99
            NAS-IP-Address = 172.20.50.202
            NAS-Port = 1
            NAS-Port-Id = STA port # 1
    +- entering group authorize
    ++[preprocess] returns ok
            expand: %{User-Name} -> guillaume
    rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
    rlm_sql (sql): Reserving sql socket id: 2
            expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
    query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
    rlm_sql (sql): User found in radcheck table
            expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
    query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
    rlm_sql (sql): Released sql socket id: 2
    ++[sql] returns ok
    ++? if (ok)
    ? Evaluating ok -> TRUE
    ++? if (ok) -> TRUE
    ++- entering if (ok)
    +++[control] returns ok
    ++- if (ok) returns ok
      rlm_eap: EAP packet type response id 49 length 38
      rlm_eap: Continuing tunnel setup.
    ++[eap] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    +- entering group authenticate
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/peap
      rlm_eap: processing type peap
      rlm_eap_peap: Authenticate
      rlm_eap_tls: processing TLS
    eaptls_verify returned 7
      rlm_eap_tls: Done initial handshake
    eaptls_process returned 7
      rlm_eap_peap: EAPTLS_OK
      rlm_eap_peap: Session established. Decoding tunneled attributes.
      rlm_eap_peap: Received EAP-TLV response.
      rlm_eap_peap: Success
      rlm_eap: Freeing handler
    ++[eap] returns ok
    Sending Access-Accept of id 49 to 172.20.50.202 port 1088
            MS-MPPE-Recv-Key = 0xc65d46cf1ee515a044585d7158c6c0dd39d183728c7541316f1171f701729069
            MS-MPPE-Send-Key = 0x338d0bb6e1edd84602c3795eb3dc12da8e04b1b85dd988013a7e621e3f40399a
            EAP-Message = 0x03310004
            Message-Authenticator = 0x
            User-Name = guillaume
    Finished request 9.
    Going to the next request

Thanks

Guillaume Chartrand
Authorize with SQL and/or AD with ntlm_auth
    ++[eap] returns reject
    auth: Failed to validate the user.
    PEAP: Tunneled authentication was rejected.
    rlm_eap_peap: FAILURE

So the last part, if I understand it, is when the authentication section is called: it tries to authenticate with my module ntlm_auth, but it fails and I don't know why.

If in the radiusd.conf mschap section module I insert the same ntlm_auth line as the exec, the sql doesn't work but AD works. If I put nothing in the mschap section, the SQL works but not AD. So what did I do wrong?

Thanks

Guillaume Chartrand
Freeradius push attribute to wireless connection
Hi,

I'm using Freeradius 2.0. I configured it with an sql database, and the principal job of the radius server is to authorize and authenticate my wireless users over my network. What I want to do is to give some attributes to the user when he is connected, like Session-Timeout, bandwidth and some other stuff. Here are some entries in my database:

    usergroup
    1,guillaume,dynamic
    2,jacques,dynamic

    Radcheck
    1,guillaume,Cleartext-Password,xx,:=
    2,jacques,Cleartext-Password,x,:=

    Radreply
    3,guillaume,Session-Timeout,30,:=

It's an Mssql database. Here is the debug info with radiusd -X:

    rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
    rlm_sql (sql): Reserving sql socket id: 2
            expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
    query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
    rlm_sql (sql): User found in radcheck table
            expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
    query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
    rlm_sql (sql): Released sql socket id: 2
    ++[sql] returns ok

I have access, but my session didn't disconnect after 30 sec. So can I do that with a wireless configuration? My goal is to give some guest users a limited time and an expiration date.

Thanks

Guillaume Chartrand
RE: Freeradius push attribute to wireless connection
> What is in the Access-Accept packet?
>
> Ivan Kalik
> Kalik Informatika ISP

Here is the Access-Accept (the IP address shown below is the Access Point IP); is it possible that the AP cannot send this kind of attribute?

    Sending Access-Accept of id 98 to 172.20.50.202 port 1037
            Session-Timeout := 30
            MS-MPPE-Recv-Key = 0x7a1997f1239667f0efeb3c4461711ac3467845bad3fc11db5ceaaae6b4161ec7
            MS-MPPE-Send-Key = 0x23e0e4835b830081fe1b624d8f10fc7afa1459a87b814479a83f5fbcbab949ef
            EAP-Message = 0x03620004
            Message-Authenticator = 0x
            User-Name = guillaume
    Finished request 9.

> On 2/4/2008, Guillaume Chartrand [EMAIL PROTECTED] writes:
RE: Two authorize instance
> Guillaume Chartrand wrote:
> > I use freeradius 2.0.0 on red hat enterprise 3 AS and I set the authorize section to check the user credentials with an sql database. This configuration works. But I want to know, and how to do it if it's possible: if the user isn't in the sql database, can freeradius check another database, like an ldap database? So when the user is in the sql database he gains access; if not, it looks in an ldap database, and if he is present with valid credentials, he gains access.
>
> Yes.
>
>     ...
>     sql
>     if (notfound) {
>         ldap
>     }
>
> See man unlang.
>
> Alan DeKok.

I wrote the if in my authorize section. Here is some of my config in sites-enabled/default:

    authorize {
        preprocess
        chap
        mschap
        unix
        suffix
        sql
        if (notfound) {
            ntlm_auth
        }
        eap
        expiration
        logintime
        pap
    }

    authenticate {
        ntlm_auth
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }

And here is my radiusd.conf:

    modules {
        exec ntlm_auth {
            wait = no
            program = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
        }

        $INCLUDE eap.conf

        mschap {
            with_ntdomain_hack = yes
            ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
        }
    }

If I comment the ntlm_auth in the mschap module and the user is present in sql, he's accepted. If he's not in sql but in my Active Directory database, he's rejected. If I comment out the ntlm_auth line, my sql user is rejected but my AD user is accepted. So where am I wrong? I want to use both authorize databases.

Thanks
Two authorize instance
Hi everybody,

I use freeradius 2.0.0 on red hat enterprise 3 AS and I set the authorize section to check the user credentials with an sql database. This configuration works. But I want to know, and how to do it if it's possible: if the user isn't in the sql database, can freeradius check another database, like an ldap database? So when the user is in the sql database he gains access; if not, it looks in an ldap database, and if he is present with valid credentials, he gains access.

Here are my current authorize and authenticate sections:

    authorize {
        preprocess
        chap
        mschap
        unix
        suffix
        sql
        eap
        expiration
        logintime
        pap
    }

    authenticate {
        ntlm_auth
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }

Guillaume Chartrand
IT technician
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 ext. 7218
Wifi with Welcome message?
Hi,

Is it possible to send a message or execute a script for a user when he authenticates through a wi-fi connection with a particular NAS? Like when user joe successfully authenticates with the sql database: if he was connected via NAS IP address X, he receives Welcome message X, and if he authenticated via NAS Y, he receives Welcome message Y.

Currently I have Freeradius 2.0 with authentication on a mssql database, and it works and gives an ip address to the client when he is authenticated.

Guillaume
Can freeRadius do that?
Hi,

I just want to know if the freeradius server can do what I want to deploy in my environment. I want to deploy freeradius to take care of security and authorization for my wireless network. What I want to do is like many hotels in my country: the user opens his laptop with wireless capability and is automatically connected to the wireless network, but if he wants to use the internet connection, when he first runs his browser he's automatically redirected to an authentication page that asks him for a username and a password.

So is it freeradius that handles this, or another software, or a combination of software, like a freeradius server and a proxy, or freeradius with third-party software? Can someone help me with my question?

Thanks a lot

Guillaume Chartrand
IT technician
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 ext. 7218
RE: Can freeRadius do that?
-Original Message-
From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On behalf of Tim White
Sent: 11 March 2008 15:09
To: FreeRadius users mailing list
Subject: Re: Can freeRadius do that?

I'm using freeradius, with CoovaChilli, and a Squid Proxy (to reduce internet traffic).

Which AP do you use? Do you know if Cisco APs or D-Link APs are supported by CoovaChilli without modifying the APs' firmware?

Guillaume

Thanks, works a charm.

Tim

Alan DeKok wrote:
Guillaume Chartrand wrote:
... What I want to do is like many hotels in my country. The user opens his laptop with wireless capability, is automatically connected to the wireless network, but if he wants to use the internet connection, when he first runs his browser he's automatically redirected to an authentication page that asks him for a username and a password. So is it freeradius that handles this, or another software, or a combination of software, like a freeradius server and a proxy or freeradius with third-party software?

See Chillispot or CoovaChilli. What you want is a captive portal.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius SQL + EAP + Windows client
to 172.20.50.202 port 1063
	EAP-Message = 0x010800261900170301001b43e26227f37525d5072bc3647428c3fafce33dd5f49b549f0194e0
	Message-Authenticator = 0x
	State = 0x520c3ced550425a3a459d69bfb6e15b4
Finished request 7.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=8, length=249
	Message-Authenticator = 0x7c5457d18a2ab93316e3cb7416ec9acb
	Service-Type = Framed-User
	User-Name = guillaume\000
	Framed-MTU = 1488
	State = 0x520c3ced550425a3a459d69bfb6e15b4
	Called-Station-Id = 00-0F-3D-AB-1C-07:testGuillaume
	Calling-Station-Id = 00-0E-35-99-F3-E9
	NAS-Identifier = D-Link Access Point
	NAS-Port-Type = Wireless-802.11
	Connect-Info = CONNECT 54Mbps 802.11g
	EAP-Message = 0x020800261900170301001b3116a7abe82507e5348d4e6f2e108f5b1c80d2e51db813beebcc1f
	NAS-IP-Address = 172.20.50.202
	NAS-Port = 1
	NAS-Port-Id = STA port # 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = guillaume, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
	expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
rlm_sql (sql): Reserving sql socket id: 4
	expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
	expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
  rlm_eap: EAP packet type response id 8 length 38
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Had sent TLV failure.  User was rejected earlier in this session.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> guillaume
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 8 to 172.20.50.202 port 1063
	EAP-Message = 0x04080004
	Message-Authenticator = 0x
Waking up in 3.4 seconds.
Cleaning up request 0 ID 0 with timestamp +14
Waking up in 0.1 seconds.
Cleaning up request 1 ID 1 with timestamp +14
Cleaning up request 2 ID 2 with timestamp +14
Cleaning up request 3 ID 3 with timestamp +15
Cleaning up request 4 ID 4 with timestamp +15
Cleaning up request 5 ID 5 with timestamp +15
Cleaning up request 6 ID 6 with timestamp +15
Waking up in 0.1 seconds.
Cleaning up request 7 ID 7 with timestamp +15
Waking up in 1.0 seconds.
Cleaning up request 8 ID 8 with timestamp +15
Ready to process requests.
Thanks for the help Guillaume Chartrand Technicien informatique Cégep régional de Lanaudière Centre administratif, Repentigny (450) 470-0911 poste 7218 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html