anonymous user when proxying
Hi, some users who are proxied (eduroam) are accounted with username = anonymous@realm. I don't want to have anonymous users in my database; do I have to reject anonymous users in the post-proxy section, or is there something to do to force the user to use the inner identity?

Here are the files:

pre-proxy-detail-20130213:

Wed Feb 13 14:03:47 2013
	Packet-Type = Access-Request
	NAS-Port-Id = AP86/1
	Calling-Station-Id = 94-39-E5-B7-CB-51
	Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
	Service-Type = Framed-User
	EAP-Message = 0x0201001f01616e6f6e796d6f75734073742d616e64726577732e61632e756b
	User-Name = anonym...@st-andrews.ac.uk
	NAS-Port = 25861
	NAS-Port-Type = Wireless-802.11
	NAS-IP-Address = 192.168.58.5
	NAS-Identifier = Trapeze
	Message-Authenticator = 0x0393b59dea7efd51d506eb73899531ef
	Realm = st-andrews.ac.uk
	EAP-Type = Identity
	Proxy-State = 0x313031

Wed Feb 13 14:03:48 2013
	Packet-Type = Access-Request
	NAS-Port-Id = AP86/1
	Calling-Station-Id = 94-39-E5-B7-CB-51
	Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
	Service-Type = Framed-User
	User-Name = anonym...@st-andrews.ac.uk
	NAS-Port = 25861
	State = 0xe5a5ab65e5a7be1056566c4c9fd4c6e8
	EAP-Message = 0x020200381500160301002d0129030193958cf5417b1d83d6a46747e4273b6050850d0a2360fec88d289a138166383002000a0100
	NAS-Port-Type = Wireless-802.11
	NAS-IP-Address = 192.168.58.5
	NAS-Identifier = Trapeze
	Message-Authenticator = 0x5b389846257ea4135f53a64e6e1c5a48
	Realm = st-andrews.ac.uk
	EAP-Type = EAP-TTLS
	Proxy-State = 0x313032

Wed Feb 13 14:03:48 2013
	Packet-Type = Access-Request
	NAS-Port-Id = AP86/1
	Calling-Station-Id = 94-39-E5-B7-CB-51
	Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
	Service-Type = Framed-User
	User-Name = anonym...@st-andrews.ac.uk
	NAS-Port = 25861
	State = 0xe5a5ab65e4a6be1056566c4c9fd4c6e8
	EAP-Message = 0x020300061500
	NAS-Port-Type = Wireless-802.11
	NAS-IP-Address = 192.168.58.5
	NAS-Identifier = Trapeze
	Message-Authenticator = 0x33638595ef790cd81017538ba1b1aaca
	Realm = st-andrews.ac.uk
	EAP-Type = EAP-TTLS
	Proxy-State = 0x313033

Wed Feb 13 14:03:48 2013
	Packet-Type = Access-Request
	NAS-Port-Id = AP86/1
	Calling-Station-Id = 94-39-E5-B7-CB-51
	Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
	Service-Type = Framed-User
	User-Name = anonym...@st-andrews.ac.uk
	NAS-Port = 25861
	State = 0xe5a5ab65e7a1be1056566c4c9fd4c6e8
	EAP-Message = [...]
	EAP-Message = 0x9931b51bda9aa98ad17d58055fef6e5e84b3371403010001011603010028ddea1f8780c6a9d3720778e46e560fd071eb9f9d57122dba9896f9ceb57a1b2a8362520d84d02749
	NAS-Port-Type = Wireless-802.11
	NAS-IP-Address = 192.168.58.5
	NAS-Identifier = Trapeze
	Message-Authenticator = 0x7612d9dc287bd580845d59f08dcfbe34
	Realm = st-andrews.ac.uk
	EAP-Type = EAP-TTLS
	Proxy-State = 0x313034

Wed Feb 13 14:03:48 2013
	Packet-Type = Access-Request
	NAS-Port-Id = AP86/1
	Calling-Station-Id = 94-39-E5-B7-CB-51
	Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
	Service-Type = Framed-User
	User-Name = anonym...@st-andrews.ac.uk
	NAS-Port = 25861
	State = 0xe5a5ab65e6a0be1056566c4c9fd4c6e8
	EAP-Message = 0x02050053150017030100480e445bd302a42efdfef640de32d514973a61346521acdd65dc5bc693613769788942c27a2d6094dbc6da60622adb4cdf5554289d9f25f984016a59b3644d7f26e6add7c54d1f707a
	NAS-Port-Type = Wireless-802.11
	NAS-IP-Address = 192.168.58.5
	NAS-Identifier = Trapeze
	Message-Authenticator = 0x7bd5e919aa147bf656ec791de2e403ad
	Realm = st-andrews.ac.uk
	EAP-Type = EAP-TTLS
	Proxy-State = 0x313035

Wed Feb 13 14:03:49 2013
	Packet-Type = Accounting-Request
	Acct-Status-Type = Start
	Acct-Authentic = RADIUS
	Acct-Multi-Session-Id = SESS-25861-54b752-760627-f3b
	Acct-Session-Id = SESS-25861-54b752-760627-f3b
	User-Name = anonym...@st-andrews.ac.uk
	Event-Timestamp = Feb 13 2013 14:03:49 CET
	Trapeze-VLAN-Name = EduExterieurs
	Calling-Station-Id = 94-39-E5-B7-CB-51
	NAS-Port-Id = AP86/1
	Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
	NAS-Port = 25861
	NAS-Port-Type = Wireless-802.11
	NAS-IP-Address = 192.168.58.5
	NAS-Identifier = Trapeze
	Acct-Delay-Time = 0
	Acct-Unique-Session-Id = b99f09261adf3886
	Realm = st-andrews.ac.uk
	SQL-User-Name = anonym...@st-andrews.ac.uk
	Proxy-State = 0x313036

Wed Feb 13 14:03:49
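The question above is about accounting records that arrive carrying the anonymous outer identity rather than the user's real identity. As an added illustration for this page (Python written here, not code from the post and not part of FreeRADIUS), the following parses records in the detail-file layout shown above and lists the accounting sessions whose User-Name has an anonymous local part, which is the first thing a defender would want to measure before deciding how to handle such sessions. The sample records and the ANONYMOUS_LOCALPARTS set are constructed assumptions for the example, not the poster's data.

```python
"""Parse FreeRADIUS detail-file records and flag accounting entries whose
User-Name is an anonymous outer identity.

Added example (not code from the list post above and not FreeRADIUS code).
The record layout mirrors what the detail module writes: a timestamp line,
one "\tAttribute = Value" line per attribute, and a blank line between
records.  SAMPLE_DETAIL below is constructed for this example.
"""
import re
from typing import Dict, List

# Constructed sample in the detail-file layout (not the poster's own data).
SAMPLE_DETAIL = """\
Wed Feb 13 14:03:47 2013
\tPacket-Type = Access-Request
\tUser-Name = anonymous@example-home.org
\tRealm = example-home.org
\tEAP-Type = Identity

Wed Feb 13 14:03:49 2013
\tPacket-Type = Accounting-Request
\tAcct-Status-Type = Start
\tAcct-Session-Id = SESS-0001
\tUser-Name = anonymous@example-home.org
\tCalling-Station-Id = 00-11-22-33-44-55
\tRealm = example-home.org

Wed Feb 13 14:05:02 2013
\tPacket-Type = Accounting-Request
\tAcct-Status-Type = Start
\tAcct-Session-Id = SESS-0002
\tUser-Name = alice@example-home.org
\tCalling-Station-Id = 66-77-88-99-AA-BB
\tRealm = example-home.org
"""

# An attribute line is indented; the timestamp line that opens a record is not.
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*?)\s*$")

# Local parts that eduroam supplicants commonly use as the outer identity
# (assumption for this example; adjust to what your own logs show).
ANONYMOUS_LOCALPARTS = {"", "anonymous", "anon"}


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split a detail file into records.  Each record is a dict of attributes
    plus a 'Timestamp-Line' key holding the leading date line."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            # Keep the first value if an attribute repeats (EAP-Message fragments).
            current.setdefault(m.group(1), m.group(2))
        else:
            if current:
                records.append(current)
            current = {"Timestamp-Line": line.strip()}
    if current:
        records.append(current)
    return records


def is_anonymous_identity(user_name: str) -> bool:
    """True when the local part (before '@') is empty or an anonymous token."""
    local, _, _realm = user_name.partition("@")
    return local.lower() in ANONYMOUS_LOCALPARTS


def anonymous_accounting_sessions(records: List[Dict[str, str]]) -> List[str]:
    """Acct-Session-Ids of accounting records that carry an anonymous User-Name."""
    return [
        r.get("Acct-Session-Id", "?")
        for r in records
        if r.get("Packet-Type") == "Accounting-Request"
        and is_anonymous_identity(r.get("User-Name", ""))
    ]


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    print(f"{len(recs)} records parsed")
    print("accounting sessions with an anonymous User-Name:",
          anonymous_accounting_sessions(recs))
```

Run against a real detail file the report tells you how many of your accounting rows would be written under an outer identity; whatever policy you then choose (rejecting in post-proxy, or storing another attribute as the accounting key) can be checked against the same parser.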
Re: few accounting records with same radacctid
nobody?

On 07/02/2013 13:25, Hocine M wrote:
> hello,
>
> In my accounting table there are many records with the same radacctid for one username. In this case:
>
> | 23547 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr | 2013-02-07 12:38:54 | NULL | 192.168.58.5 | 00-26-3E-70-99-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |
> | 23554 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr | 2013-02-07 12:38:54 | 2013-02-07 12:39:41 | 192.168.58.4 | 00-0B-0E-A9-5B-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |
>
> Are these normal records, or is simultaneous-use not working in my case?
>
> Thanks
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pb with realm
I've done it... it seems to be working. Thanks a lot.

On 06/02/2013 11:40, Phil Mayers wrote:
> On 06/02/13 10:03, Hocine M wrote:
>> Hi, I have a problem with some proxied users. In the accounting-request the username is stripped and the realm is NULL. Why is the realm lost?
>
> The User-Name in the accounting packets is overridden by the User-Name in the Access-Accept. In your case, your upstream proxy is returning a bare username in the Accept:
>
>   rad_recv: Access-Accept packet from host 193.51.224.109 port 1812, id=223, length=182
>           User-Name = pierre.dupont\000
>
> ...which you then send back to the NAS:
>
>   Sending Access-Accept of id 13 to 192.168.58.5 port 20007
>           User-Name = pierre.dupont\000
>
> You can (and indeed, should) use a piece of unlang to re-insert / validate the realm in this case; we have this config:
>
>   post-proxy {
>       # Clean up the reply username
>       if (proxy-reply:User-Name =~ /^(.*)@.*/) {
>           # rewrite user@anything to user@theauthrealm
>           # i.e. we don't trust the reply realm
>           update proxy-reply {
>               User-Name := %{1}@%{Realm}
>           }
>       }
>       elsif (proxy-reply:User-Name) {
>           # no @ i.e. realm in the reply username
>           # append the realm used for forwarding
>           update proxy-reply {
>               User-Name := %{proxy-reply:User-Name}@%{Realm}
>           }
>       }
>       else {
>           # no reply username at all. add one
>           update proxy-reply {
>               User-Name := %{request:User-Name}
>           }
>       }
>   }
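To make the three branches of the quoted post-proxy policy concrete, here is an added Python model of it (not FreeRADIUS unlang and not Phil Mayers' code): `realm` plays the role of %{Realm}, the realm the request was forwarded under, and `request_user_name` the role of %{request:User-Name}. The helper strip_trailing_nul is an addition for the \000 seen in the debug output above and is not part of the quoted policy.

```python
"""Model of the post-proxy User-Name normalisation quoted above.

Added example: it reproduces the three unlang branches in plain Python so
the outcome of each case can be checked.  It is not FreeRADIUS code.
"""
import re
from typing import Optional

# Same greedy pattern as the unlang: everything before the LAST '@' is the user.
REPLY_WITH_REALM = re.compile(r"^(.*)@.*")


def normalise_reply_user_name(reply_user_name: Optional[str], realm: str,
                              request_user_name: str) -> str:
    """Return the User-Name that should go back to the NAS.

    Branch 1: reply carries user@anything -> user@<forwarding realm>,
              because the home server's realm spelling is not trusted.
    Branch 2: reply carries a bare user   -> append the forwarding realm.
    Branch 3: no reply User-Name at all   -> fall back to the request's User-Name.
    """
    if reply_user_name:
        m = REPLY_WITH_REALM.match(reply_user_name)
        if m:
            return f"{m.group(1)}@{realm}"
        return f"{reply_user_name}@{realm}"
    return request_user_name


def strip_trailing_nul(value: str) -> str:
    """Addition beyond the quoted policy: some home servers return User-Name
    with a trailing NUL (shown as \\000 in the debug output); strip it before
    the realm is appended, otherwise the NUL ends up inside the stored name."""
    return value.rstrip("\x00")


if __name__ == "__main__":
    realm = "example-home.org"            # assumed forwarding realm
    request_name = "pierre.dupont@" + realm
    for reply in ("pierre.dupont", "pierre.dupont@EXAMPLE-HOME.ORG", None):
        print(repr(reply), "->", normalise_reply_user_name(reply, realm, request_name))
    print(repr(normalise_reply_user_name(strip_trailing_nul("pierre.dupont\x00"),
                                         realm, request_name)))
```

The second case is the security-relevant one: a home server (or anything impersonating it) cannot move the session into another realm in your accounting records, because the realm is always taken from the one you actually forwarded to.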
few accounting records with same radacctid
hello,

In my accounting table there are many records with the same radacctid for one username. In this case:

| 23547 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr | 2013-02-07 12:38:54 | NULL | 192.168.58.5 | 00-26-3E-70-99-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |
| 23554 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr | 2013-02-07 12:38:54 | 2013-02-07 12:39:41 | 192.168.58.4 | 00-0B-0E-A9-5B-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |

Are these normal records, or is simultaneous-use not working in my case?

Thanks
Error syntax in sql accounting.
Hi everybody,

I always have an error in the radius.log file:

Mon Feb 4 16:16:52 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:01 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:06 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:10 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:15 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:24 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:26 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:34 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:47 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:54 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1

I made my radacct accounting table with the schema found in /etc/freeradius/sql/mysql/schema.sql. I use a mysql server database. In my sql.conf I use the standard queries for accounting.

Any idea?
Re: problem with username renamed in radacct table
On 31/01/2013 16:07, Alan DeKok wrote:
> Hocine M wrote:
>> For some reason I don't understand, sometimes when accounting in the radacct mysql table the username is renamed to web-portal-ssid, where ssid is the SSID the Web-Portal is based on.
>
> It's because the NAS is sending web-portal-ssid in the Accounting-Request. Or, your local configuration is updating the User-Name to be web-portal-ssid. There are no other options.
>
> Alan DeKok.

Thanks,

My local configuration does not update the User-Name. I noticed in the detail file that the changed username appears only in Stop and Interim-Update accounting packets, and not in the Start accounting packet. But in the radacct table, for the same (renamed) username, the acctstarttime is filled.

Thu Jan 31 13:53:55 2013
	Acct-Status-Type = Interim-Update
	Acct-Multi-Session-Id = SESS-4883-54b78e-636521-e703
	Acct-Session-Id = SESS-4883-54b78e-636521-e703
	User-Name = web-portal-Invites
	Event-Timestamp = Jan 31 2013 13:53:55 CET
	Trapeze-VLAN-Name = Invites
	Calling-Station-Id = 9C-04-EB-85-F4-70
	NAS-Port-Id = AP84/1
	Called-Station-Id = 00-0B-0E-D2-AB-44:Invites
	NAS-Port = 57930
	Framed-IP-Address = 10.53.1.152
	Acct-Session-Time = 23
	Acct-Output-Octets = 196179
	Acct-Input-Octets = 111779
	Acct-Output-Packets = 761
	Acct-Input-Packets = 2370
	NAS-Port-Type = Wireless-802.11
	NAS-IP-Address = 192.168.58.5
	NAS-Identifier = Trapeze
	Acct-Delay-Time = 0
	Acct-Unique-Session-Id = 5d505c20bb72a584
	Stripped-User-Name = web-portal-Invites
	Realm = NULL
	Timestamp = 1359636835

Thu Jan 31 13:53:55 2013
	Acct-Status-Type = Stop
	Acct-Multi-Session-Id = SESS-4883-54b78e-636521-e703
	Acct-Session-Id = SESS-4883-54b78e-636521-e703
	User-Name = web-portal-L3Invites
	Event-Timestamp = Jan 31 2013 13:53:55 CET
	Trapeze-VLAN-Name = Invites
	Calling-Station-Id = 9C-04-EB-85-F4-70
	NAS-Port-Id = AP84/1
	Called-Station-Id = 00-0B-0E-D2-AB-44:L3Invites
	NAS-Port = 57930
	Framed-IP-Address = 10.53.1.152
	Acct-Session-Time = 23
	Acct-Output-Octets = 196179
	Acct-Input-Octets = 111779
	Acct-Output-Packets = 761
	Acct-Input-Packets = 2370
	NAS-Port-Type = Wireless-802.11
	NAS-IP-Address = 192.168.58.5
	NAS-Identifier = Trapeze
	Acct-Delay-Time = 0
	Acct-Unique-Session-Id = 5d505c20bb72a584
	Stripped-User-Name = web-portal-L3Invites
	Realm = NULL
	Timestamp = 1359636835

Is it possible that the start accounting request is sent to another radius server?
Re: helps with User-Password
On 24/01/2013 16:17, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> A little question: when I run freeradius in debug mode (freeradius -XX), I can't see the User-Password!
>
> what method are you using? looks like EAP - in which case, depending on the phase2 method used, you might not see a user-password - for example PEAP (well, PEAPv0/MSCHAPv2) sends challenge-response method inside the EAP tunnel.
>
> alan

Yes, exactly... PEAP with MSCHAPv2 is used in this case. Thanks a lot.

Hocine.
helps with User-Password
Hello,

A little question: when I run freeradius in debug mode (freeradius -XX), I can't see the User-Password!

Sending Access-Request of id 167 to 195.220.94.130 port 1812
	NAS-Port-Id = AP41/1
	Calling-Station-Id = 74-2F-68-ED-12-1C
	Called-Station-Id = 00-0B-0E-A9-58-80:eduroam
	Service-Type = Framed-User
	EAP-Message = 0x0201001a01756e69762d6c696c6c65332e6672406372752e6672
	User-Name = univ-lille3...@cru.fr
	NAS-Port = 61847

Must this attribute be displayed?

Thanks
Re: helps with User-Password
On 24/01/2013 16:17, Stefan Winter wrote:
> Hi,
>
>> Sending Access-Request of id 167 to 195.220.94.130 port 1812
>>         NAS-Port-Id = AP41/1
>>         Calling-Station-Id = 74-2F-68-ED-12-1C
>>         Called-Station-Id = 00-0B-0E-A9-58-80:eduroam
>>         Service-Type = Framed-User
>>         EAP-Message = 0x0201001a01756e69762d6c696c6c65332e6672406372752e6672
>>         User-Name = univ-lille3...@cru.fr
>>         NAS-Port = 61847
>>
>> Must this attribute be displayed?
>
> No: there is no User-Password. This is an EAP request. Credentials are sent inside the EAP-Message attribute, and strongly encrypted between the source (user device) and the home RADIUS server at cru.fr. As an intermediate party, this is all you will get.

This question is because someone asked me and I was not able to give an answer. Thanks a lot.

> Why are you interested in other users' passwords?
>
> Greetings,
>
> Stefan Winter
>
>> Thanks
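Stefan's point can be checked directly on the EAP-Message values quoted in this thread, and on the EAP-TTLS ones in the "anonymous user when proxying" post above. The following Python decoder is an added example (not from the thread, not FreeRADIUS code): it parses the EAP header from RFC 3748 and, for EAP-TTLS (type 21), the TLS record header that follows the flags byte, so you can see that the only clear-text identity an intermediate proxy gets is the EAP Identity response, while everything after it is a TLS record. The Identity and acknowledgement packets in the test are values from this page; the EAP-TTLS packet with a TLS payload is a constructed sample.

```python
"""Decode the EAP-Message attribute of a proxied Access-Request and report
what an intermediate RADIUS proxy can actually read.

Added example (not from the list thread and not FreeRADIUS code).
EAP header per RFC 3748: code(1) id(1) length(2) [type(1) data...].
EAP-TTLS data: flags(1) [message length(4) if L bit] TLS records...
"""
import struct

EAP_IDENTITY = 1
EAP_TTLS = 21
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert",
                     22: "Handshake", 23: "ApplicationData"}
TTLS_LENGTH_INCLUDED = 0x80  # L bit


def decode_eap_message(hex_value: str) -> dict:
    """Decode a FreeRADIUS-formatted EAP-Message value ('0x...')."""
    raw = hex_value[2:] if hex_value.startswith("0x") else hex_value
    data = bytes.fromhex(raw)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    result = {
        "code": EAP_CODES.get(code, code),
        "id": ident,
        "length": length,
        # A mismatch means a truncated or concatenated fragment; do not trust
        # the payload fields in that case.
        "length_ok": length == len(data),
    }
    if code in (3, 4) or len(data) < 5:
        result["visible_to_proxy"] = "no method payload"
        return result  # Success/Failure carry no type or data
    eap_type = data[4]
    payload = data[5:]
    result["type"] = eap_type
    if eap_type == EAP_IDENTITY:
        # The outer identity: the one clear-text identity a proxy sees.
        result["identity"] = payload.decode("utf-8", errors="replace")
        result["visible_to_proxy"] = "outer identity"
    elif eap_type == EAP_TTLS:
        flags = payload[0]
        tls = payload[1:]
        result["ttls_flags"] = flags
        if flags & TTLS_LENGTH_INCLUDED:
            tls = tls[4:]  # skip the 4-byte total TLS message length
        if len(tls) >= 5:
            ctype, v_major, v_minor, rec_len = struct.unpack("!BBBH", tls[:5])
            result["tls_record"] = {
                "content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
                "version": f"{v_major}.{v_minor}",
                "length": rec_len,
            }
            result["visible_to_proxy"] = "TLS record header only"
        else:
            result["visible_to_proxy"] = "EAP-TTLS acknowledgement, no payload"
    else:
        result["visible_to_proxy"] = "opaque method payload"
    return result


if __name__ == "__main__":
    # Values from this page (identity and ack) plus one constructed TTLS packet.
    for value in ("0x0201001a01756e69762d6c696c6c65332e6672406372752e6672",
                  "0x020300061500",
                  "0x02020010150016030100050100000100"):
        print(decode_eap_message(value))
```

For PEAP the outer EAP type is 25 and the same structure applies: the proxy sees a TLS handshake, and the MSCHAPv2 exchange alan mentions happens inside it, which is why `freeradius -XX` on the proxy never prints a User-Password for these requests.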
help with proxy settings for EDUROAM
Hello, could anyone help me?

I'm trying to set up freeradius 2.1.12 for eduroam. Local auth works well, but the proxy part does not. Here is the configuration:

RADIUSD.CONF:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
	type = auth
	ipaddr = *
	port = 0
}
listen {
	ipaddr = *
	port = 0
	type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
	destination = files
	file = ${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
modules {
	$INCLUDE ${confdir}/modules/
	$INCLUDE eap.conf
	$INCLUDE sql.conf
}
instantiate {
	exec
	expr
	expiration
	logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

sites-enabled/default:

authorize {
	preprocess
	if (%{Called-Station-Id} =~ /^([0-9A-F]{2}:){5}[0-9A-F]{2}:L3Invites$/) {
		sql_l3invites
	}
	elsif (%{User-Name} =~ /.*@.*/) {
		ok
	}
	else {
		update reply {
			Reply-Message := %{User-Name} : Format Identifiant non valide!
		}
		reject
	}
	mschap
	suffix
	eap {
		ok = return
	}
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
preacct {
	preprocess
	acct_unique
	suffix
	files
}
accounting {
	sql_acct
	exec
	attr_filter.accounting_response
}
session {
}
post-auth {
	reply_log
	update reply {
		Tunnel-Type := VLAN
		Tunnel-Medium-Type := IEEE-802
	}
	if (%{User-Name} == L3Invite) {
		update reply {
			Tunnel-Private-Group-Id := 53
		}
	}
	switch %{Realm} {
		case univ-lille3.fr {
			update reply {
				Tunnel-Private-Group-Id := 54
			}
		}
		case etu.univ-lille3.fr {
			update reply {
				Tunnel-Private-Group-Id := 55
			}
		}
		case ext.univ-lille3.fr {
			update reply {
				Tunnel-Private-Group-Id := 50
			}
		}
	}
	exec
	Post-Auth-Type REJECT {
		attr_filter.access_reject
		linelog
	}
}
pre-proxy {
	pre_proxy_log
}
post-proxy {
	post_proxy_log
	eap
	Post-Proxy-Type Fail {
		post_proxy_fail_log
	}
}

PROXY.CONF:

proxy server {
	default_fallback = no
	retry_delay = 5
	retry_count = 3
	dead_time = 600
}
home_server localhost {
	type = auth
	ipaddr = 127.0.0.1
	port = 1812
	secret = testing123
	require_message_authenticator = yes
	response_window = 20
	zombie_period = 40
	revive_interval = 120
	status_check = status-server
	check_interval = 30
	num_answers_to_alive = 3
	max_outstanding = 65536
	coa {
		irt = 2
		mrt = 16
		mrc = 5
		mrd = 30
	}
}
home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
}
realm example.com {
	auth_pool = my_auth_failover
}
realm LOCAL {
}
realm NULL {
}
realm univ-lille3.fr {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
	nostrip
}
realm etu.univ-lille3.fr {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
	nostrip
}
realm ext.univ-lille3.fr {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
	nostrip
}
realm DEFAULT {
	type = radius
	authhost = rad1.eduroam.fr:1812
	accthost = rad1.eduroam.fr:1813
	secret = **
	nostrip
}
realm DEFAULT {
	type = radius
	authhost = rad2.eduroam.fr:1812
	accthost = rad2.eduroam.fr:1813
	secret =
	nostrip
}

CLIENTS.CONF:

client localhost {
	ipaddr = 127.0.0.1
	secret = ***
	require_message_authenticator = yes
}
client 193.51.224.109 {
	secret =
	shortname = rad1.eduroam.fr
}
client 130.79.200.23 {
	secret =
	shortname = rad2.eduroam.fr
}
client *** {
	secret = **
	shortname = MX800R-1
	nastype = trapeze
}
client {
redundant with ldap and sql not working
Hi all,

I'm trying to do failover using the redundant section, but it doesn't seem to be working.

file: sites-enabled/eduroam (here the redundant section works fine)

authorize {
	preprocess
	if (%{User-Name} == L3Test) {
		redundant {
			sql_l3Test
			files
		}
	}
	mschap
	suffix
	eap {
		ok = return
	}
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
preacct {
	preprocess
	acct_unique
	suffix
	files
}
accounting {
	detail
	radutmp
	sql_acct
	exec
	attr_filter.accounting_response
}
session {
	radutmp
}
post-auth {
	exec
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
pre-proxy {
}
post-proxy {
	eap
}

file: sites-enabled/eduroam-inner-tunnel (where the redundant section doesn't work)

server eduroam-inner-tunnel {
	listen {
		ipaddr = 127.0.0.1
		port = 18120
		type = auth
	}
	authorize {
		chap
		mschap
		suffix
		update control {
			Proxy-To-Realm := LOCAL
		}
		eap {
			ok = return
		}
		redundant {
			ldap
			sql_auth
		}
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type CHAP {
			chap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
	session {
		radutmp
	}
	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
	pre-proxy {
	}
	post-proxy {
		eap
	}
}

Maybe it is not possible?

Thanks.