anonymous user when proxying

2013-02-13 Thread Hocine M

Hi,

Some users who are proxied (eduroam) are accounted with username = 
anonymous@realm.
I don't want to have anonymous users in my database. Do I have to reject 
anonymous users in the post-proxy section, or is there something to do to 
force users to use the inner identity?


Here are the files:


_pre-proxy-detail-20130213 :_

Wed Feb 13 14:03:47 2013
Packet-Type = Access-Request
NAS-Port-Id = AP86/1
Calling-Station-Id = 94-39-E5-B7-CB-51
Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
Service-Type = Framed-User
EAP-Message = 0x0201001f01616e6f6e796d6f75734073742d616e64726577732e61632e756b
User-Name = anonym...@st-andrews.ac.uk
NAS-Port = 25861
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 192.168.58.5
NAS-Identifier = Trapeze
Message-Authenticator = 0x0393b59dea7efd51d506eb73899531ef
Realm = st-andrews.ac.uk
EAP-Type = Identity
Proxy-State = 0x313031

Wed Feb 13 14:03:48 2013
Packet-Type = Access-Request
NAS-Port-Id = AP86/1
Calling-Station-Id = 94-39-E5-B7-CB-51
Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
Service-Type = Framed-User
User-Name = anonym...@st-andrews.ac.uk
NAS-Port = 25861
State = 0xe5a5ab65e5a7be1056566c4c9fd4c6e8
EAP-Message = 0x020200381500160301002d0129030193958cf5417b1d83d6a46747e4273b6050850d0a2360fec88d289a138166383002000a0100
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 192.168.58.5
NAS-Identifier = Trapeze
Message-Authenticator = 0x5b389846257ea4135f53a64e6e1c5a48
Realm = st-andrews.ac.uk
EAP-Type = EAP-TTLS
Proxy-State = 0x313032

Wed Feb 13 14:03:48 2013
Packet-Type = Access-Request
NAS-Port-Id = AP86/1
Calling-Station-Id = 94-39-E5-B7-CB-51
Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
Service-Type = Framed-User
User-Name = anonym...@st-andrews.ac.uk
NAS-Port = 25861
State = 0xe5a5ab65e4a6be1056566c4c9fd4c6e8
EAP-Message = 0x020300061500
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 192.168.58.5
NAS-Identifier = Trapeze
Message-Authenticator = 0x33638595ef790cd81017538ba1b1aaca
Realm = st-andrews.ac.uk
EAP-Type = EAP-TTLS
Proxy-State = 0x313033

Wed Feb 13 14:03:48 2013
Packet-Type = Access-Request
NAS-Port-Id = AP86/1
Calling-Station-Id = 94-39-E5-B7-CB-51
Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
Service-Type = Framed-User
User-Name = anonym...@st-andrews.ac.uk
NAS-Port = 25861
State = 0xe5a5ab65e7a1be1056566c4c9fd4c6e8
EAP-Message = 0x020401441500160301010611020100543ce46842671b13a26b6cad59606bbe3e16c719ec529a476cad7c24bba97b253fb329f026b315098d3de8579f70193cfec9194b6874fab251539c927a85ef58914e6803758fe652d3f6aa75adb2194f12ed7670d81902cbaed23c93d1f099584e53b0dc7d5b2394cc2354b8681874efa66293cf0c6fa9a900311fb678ca09a4e2b58938f9f0ecc9bf5f2a03a7026b27e883863bf1e2c070716a198a0137441acdca2108707473328f187aefb3304e25fd244a9b799bff15c011f21fe5c4ecc81eff6bcfff66d5bc6ba8af469fc50faa1310e3aa2d395d33ef55c841a54a6e6837403084d77472bb51bca7
EAP-Message = 0x9931b51bda9aa98ad17d58055fef6e5e84b3371403010001011603010028ddea1f8780c6a9d3720778e46e560fd071eb9f9d57122dba9896f9ceb57a1b2a8362520d84d02749
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 192.168.58.5
NAS-Identifier = Trapeze
Message-Authenticator = 0x7612d9dc287bd580845d59f08dcfbe34
Realm = st-andrews.ac.uk
EAP-Type = EAP-TTLS
Proxy-State = 0x313034

Wed Feb 13 14:03:48 2013
Packet-Type = Access-Request
NAS-Port-Id = AP86/1
Calling-Station-Id = 94-39-E5-B7-CB-51
Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
Service-Type = Framed-User
User-Name = anonym...@st-andrews.ac.uk
NAS-Port = 25861
State = 0xe5a5ab65e6a0be1056566c4c9fd4c6e8
EAP-Message = 0x02050053150017030100480e445bd302a42efdfef640de32d514973a61346521acdd65dc5bc693613769788942c27a2d6094dbc6da60622adb4cdf5554289d9f25f984016a59b3644d7f26e6add7c54d1f707a
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 192.168.58.5
NAS-Identifier = Trapeze
Message-Authenticator = 0x7bd5e919aa147bf656ec791de2e403ad
Realm = st-andrews.ac.uk
EAP-Type = EAP-TTLS
Proxy-State = 0x313035

Wed Feb 13 14:03:49 2013
Packet-Type = Accounting-Request
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Acct-Multi-Session-Id = SESS-25861-54b752-760627-f3b
Acct-Session-Id = SESS-25861-54b752-760627-f3b
User-Name = anonym...@st-andrews.ac.uk
Event-Timestamp = Feb 13 2013 14:03:49 CET
Trapeze-VLAN-Name = EduExterieurs
Calling-Station-Id = 94-39-E5-B7-CB-51
NAS-Port-Id = AP86/1
Called-Station-Id = 00-0B-0E-D2-CD-40:eduroam
NAS-Port = 25861
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 192.168.58.5
NAS-Identifier = Trapeze
Acct-Delay-Time = 0
Acct-Unique-Session-Id = b99f09261adf3886
Realm = st-andrews.ac.uk
SQL-User-Name = anonym...@st-andrews.ac.uk
Proxy-State = 0x313036

Wed Feb 13 14:03:49 

Re: few accounting records with same radacctid

2013-02-08 Thread Hocine M

nobody?

On 07/02/2013 13:25, Hocine M wrote:

hello,

In my accounting table there are many records with the same radacctid 
for one username.


In this case

| 23547 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr | 2013-02-07 12:38:54 | NULL | 192.168.58.5 | 00-26-3E-70-99-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |
| 23554 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr | 2013-02-07 12:38:54 | 2013-02-07 12:39:41 | 192.168.58.4 | 00-0B-0E-A9-5B-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |


Are these normal records, or is simultaneous-use not working in my case?

Thanks




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: pb with realm

2013-02-07 Thread Hocine M

I've done it... it seems to be working.
Thanks a lot.

On 06/02/2013 11:40, Phil Mayers wrote:

On 06/02/13 10:03, Hocine M wrote:

Hi ,

I have a problem with some proxied users.

In the Accounting-Request the username is stripped and the realm is NULL.

Why is the realm lost?


The User-Name in the accounting packets is overridden by the User-Name 
in the Access-Accept. In your case, your upstream proxy is returning a 
bare username in the Accept:



rad_recv: Access-Accept packet from host 193.51.224.109 port 1812,
id=223, length=182
 User-Name = pierre.dupont\000


...which you then send back to the NAS:


Sending Access-Accept of id 13 to 192.168.58.5 port 20007
 User-Name = pierre.dupont\000


You can (and indeed, should) use a piece of unlang to re-insert / 
validate the realm in the case; we have this config:


post-proxy {

    # Clean up the reply username
    if (proxy-reply:User-Name =~ /^(.*)@.*/) {
        # rewrite user@anything to user@theauthrealm
        # i.e. we don't trust the reply realm
        update proxy-reply {
            User-Name := "%{1}@%{Realm}"
        }
    }
    elsif (proxy-reply:User-Name) {
        # no @ i.e. realm in the reply username
        # append the realm used for forwarding
        update proxy-reply {
            User-Name := "%{proxy-reply:User-Name}@%{Realm}"
        }
    }
    else {
        # no reply username at all. add one
        update proxy-reply {
            User-Name := "%{request:User-Name}"
        }
    }
}

few accounting records with same radacctid

2013-02-07 Thread Hocine M

hello,

In my accounting table there are many records with the same radacctid 
for one username.


In this case

| 23547 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr | 2013-02-07 12:38:54 | NULL | 192.168.58.5 | 00-26-3E-70-99-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |
| 23554 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr | 2013-02-07 12:38:54 | 2013-02-07 12:39:41 | 192.168.58.4 | 00-0B-0E-A9-5B-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |


Are these normal records, or is simultaneous-use not working in my case?

Thanks




Error syntax in sql accounting.

2013-02-04 Thread Hocine M

Hi everybody,

I always get an error in the radius.log file:

Mon Feb  4 16:16:52 2013 : Error: [sql_acct] Couldn't insert SQL 
accounting START record - Erreur de syntaxe pr?s de '' ? la ligne 1
Mon Feb  4 16:17:01 2013 : Error: [sql_acct] Couldn't insert SQL 
accounting START record - Erreur de syntaxe pr?s de '' ? la ligne 1
Mon Feb  4 16:17:06 2013 : Error: [sql_acct] Couldn't insert SQL 
accounting START record - Erreur de syntaxe pr?s de '' ? la ligne 1
Mon Feb  4 16:17:10 2013 : Error: [sql_acct] Couldn't insert SQL 
accounting START record - Erreur de syntaxe pr?s de '' ? la ligne 1
Mon Feb  4 16:17:15 2013 : Error: [sql_acct] Couldn't insert SQL 
accounting START record - Erreur de syntaxe pr?s de '' ? la ligne 1
Mon Feb  4 16:17:24 2013 : Error: [sql_acct] Couldn't insert SQL 
accounting START record - Erreur de syntaxe pr?s de '' ? la ligne 1
Mon Feb  4 16:17:26 2013 : Error: [sql_acct] Couldn't insert SQL 
accounting START record - Erreur de syntaxe pr?s de '' ? la ligne 1
Mon Feb  4 16:17:34 2013 : Error: [sql_acct] Couldn't insert SQL 
accounting START record - Erreur de syntaxe pr?s de '' ? la ligne 1
Mon Feb  4 16:17:47 2013 : Error: [sql_acct] Couldn't insert SQL 
accounting START record - Erreur de syntaxe pr?s de '' ? la ligne 1
Mon Feb  4 16:17:54 2013 : Error: [sql_acct] Couldn't insert SQL 
accounting START record - Erreur de syntaxe pr?s de '' ? la ligne 1


I made my radacct accounting table with the schema found in 
/etc/freeradius/sql/mysql/schema.sql.

I use a MySQL server database.

In my sql.conf I use the standard queries for accounting.
Any idea?


Re: problem with username renamed in radacct table

2013-01-31 Thread Hocine M

On 31/01/2013 16:07, Alan DeKok wrote:

Hocine M wrote:

For some reason I don't understand, sometimes when accounting in the radacct
MySQL table the username is renamed to web-portal-ssid, where ssid is
the SSID Web-Portal based.

   It's because the NAS is sending web-portal-ssid in the
Accounting-Request.  Or, your local configuration is updating the
User-Name to be web-portal-ssid.

   There are no other options.

   Alan DeKok.


Thanks,

My local configuration does not update the User-Name.

I noticed in the detail file that the changed username appears only in Stop and 
Interim-Update accounting packets, and not in the Start accounting packet.
But in the radacct table, for the same (renamed) username, the acctstarttime 
is filled.


Thu Jan 31 13:53:55 2013
Acct-Status-Type = Interim-Update
Acct-Multi-Session-Id = SESS-4883-54b78e-636521-e703
Acct-Session-Id = SESS-4883-54b78e-636521-e703
User-Name = web-portal-Invites
Event-Timestamp = Jan 31 2013 13:53:55 CET
Trapeze-VLAN-Name = Invites
Calling-Station-Id = 9C-04-EB-85-F4-70
NAS-Port-Id = AP84/1
Called-Station-Id = 00-0B-0E-D2-AB-44:Invites
NAS-Port = 57930
Framed-IP-Address = 10.53.1.152
Acct-Session-Time = 23
Acct-Output-Octets = 196179
Acct-Input-Octets = 111779
Acct-Output-Packets = 761
Acct-Input-Packets = 2370
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 192.168.58.5
NAS-Identifier = Trapeze
Acct-Delay-Time = 0
Acct-Unique-Session-Id = 5d505c20bb72a584
Stripped-User-Name = web-portal-Invites
Realm = NULL
Timestamp = 1359636835

Thu Jan 31 13:53:55 2013
Acct-Status-Type = Stop
Acct-Multi-Session-Id = SESS-4883-54b78e-636521-e703
Acct-Session-Id = SESS-4883-54b78e-636521-e703
User-Name = web-portal-L3Invites
Event-Timestamp = Jan 31 2013 13:53:55 CET
Trapeze-VLAN-Name = Invites
Calling-Station-Id = 9C-04-EB-85-F4-70
NAS-Port-Id = AP84/1
Called-Station-Id = 00-0B-0E-D2-AB-44:L3Invites
NAS-Port = 57930
Framed-IP-Address = 10.53.1.152
Acct-Session-Time = 23
Acct-Output-Octets = 196179
Acct-Input-Octets = 111779
Acct-Output-Packets = 761
Acct-Input-Packets = 2370
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 192.168.58.5
NAS-Identifier = Trapeze
Acct-Delay-Time = 0
Acct-Unique-Session-Id = 5d505c20bb72a584
Stripped-User-Name = web-portal-L3Invites
Realm = NULL
Timestamp = 1359636835

Is it possible that the Start accounting request is sent to another 
RADIUS server?









Re: helps with User-Password

2013-01-25 Thread Hocine M



On 24/01/2013 16:17, a.l.m.bu...@lboro.ac.uk wrote:

Hi,


A little question: when I run freeradius in debug mode (freeradius -XX),
I can't see the User-Password!

What method are you using? Looks like EAP - in which case, depending on the
phase2 method used, you might not see a User-Password - for example PEAP (well,
PEAPv0/MSCHAPv2) sends a challenge-response method inside the EAP tunnel.


alan


Yes, exactly... PEAP with MSCHAPv2 is used in this case.
Thanks a lot.

Hocine.


helps with User-Password

2013-01-24 Thread Hocine M

Hello,

A little question: when I run freeradius in debug mode (freeradius 
-XX), I can't see the User-Password!


Sending Access-Request of id 167 to 195.220.94.130 port 1812
 NAS-Port-Id = AP41/1
 Calling-Station-Id = 74-2F-68-ED-12-1C
 Called-Station-Id = 00-0B-0E-A9-58-80:eduroam
 Service-Type = Framed-User
 EAP-Message = 0x0201001a01756e69762d6c696c6c65332e6672406372752e6672
 User-Name = univ-lille3...@cru.fr
 NAS-Port = 61847


Must this attribute be displayed?

Thanks



Re: helps with User-Password

2013-01-24 Thread Hocine M



On 24/01/2013 16:17, Stefan Winter wrote:

Hi,


Sending Access-Request of id 167 to 195.220.94.130 port 1812
  NAS-Port-Id = AP41/1
  Calling-Station-Id = 74-2F-68-ED-12-1C
  Called-Station-Id = 00-0B-0E-A9-58-80:eduroam
  Service-Type = Framed-User
  EAP-Message = 0x0201001a01756e69762d6c696c6c65332e6672406372752e6672
  User-Name = univ-lille3...@cru.fr
  NAS-Port = 61847


Must this attribute be displayed?

No: there is no User-Password. This is an EAP request. Credentials are
sent inside the EAP-Message attribute, and strongly encrypted between
the source (user device) and the home RADIUS server at cru.fr. As an
intermediate party, this is all you will get.



I ask this question because someone asked it of me and I was not able to 
give an answer.

Thanks a lot.




Why are you interested in other users' passwords?

Greetings,

Stefan Winter


Thanks








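
Added example, not part of any message in this archive: the anonymous user name seen when proxying and the missing User-Password in the threads above both come down to what an EAP-Message exposes to a server on the proxy path. This Python code decodes two EAP-Message values copied from the pre-proxy detail records in the first post; the function names are made up for the illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method numbers from the IANA EAP registry (only those relevant to this thread).
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TUNNELLED = {13, 21, 25}

# EAP-Message values copied from the pre-proxy detail records in the first post.
IDENTITY = "0x0201001f01616e6f6e796d6f75734073742d616e64726577732e61632e756b"
TTLS_ACK = "0x020300061500"


def decode_eap(*hex_values):
    """Decode one EAP packet given as the '0x...' strings of a detail file.

    A packet longer than one RADIUS attribute is split over several
    EAP-Message attributes, so all values are concatenated in order first.
    """
    raw = b"".join(bytes.fromhex(v[2:] if v[:2].lower() == "0x" else v)
                   for v in hex_values)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident,
            "complete": 4 <= length <= len(raw),
            "type": None, "identity": None, "opaque_bytes": 0}
    if code in (1, 2) and info["complete"] and length >= 5:
        method, body = raw[4], raw[5:length]
        info["type"] = EAP_TYPES.get(method, method)
        if method == 1:
            # Identity: the outer identity, sent before any tunnel exists.
            info["identity"] = body.decode("utf-8", errors="replace")
        elif method in TUNNELLED:
            # body[0] is the flags octet; the rest is TLS record data.
            info["opaque_bytes"] = max(len(body) - 1, 0)
    return info


def is_anonymous(identity):
    """True when the outer identity hides the user: 'anonymous@realm' or '@realm'."""
    local = identity.rpartition("@")[0] if "@" in identity else identity
    return local.lower() in ("", "anonymous")


def proxy_view(messages):
    """Summarise what each EAP-Message exposes to a server on the proxy path."""
    lines = []
    for hex_value in messages:
        p = decode_eap(hex_value)
        if p["identity"] is not None:
            kind = "anonymous" if is_anonymous(p["identity"]) else "named"
            lines.append(f"{p['type']}: {p['identity']} ({kind} outer identity)")
        else:
            lines.append(f"{p['type'] or p['code']}: {p['opaque_bytes']} bytes of "
                         "TLS data, no credentials readable")
    return lines


if __name__ == "__main__":
    print("\n".join(proxy_view([IDENTITY, TTLS_ACK])))
```

The Identity response is the only place a user name appears in clear, and it is the outer identity chosen by the supplicant; everything after it is TLS record data for the home server.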

help with proxy settings for EDUROAM

2013-01-21 Thread Hocine M

Hello,

Could anyone help me?

I'm trying to set up FreeRADIUS 2.1.12 for eduroam.
The local auth works well, but the proxy part does not.

Here is the configuration:

RADIUSD.CONF :

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions= yes
extended_expressions= yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/


sites-enabled/default:

authorize {
preprocess
if ("%{Called-Station-Id}" =~ /^([0-9A-F]{2}:){5}[0-9A-F]{2}:L3Invites$/) {
sql_l3invites
}
elsif ("%{User-Name}" =~ /.*@.*/) {
ok
}
else {
update reply {
Reply-Message := "%{User-Name} : Format Identifiant non valide!"
}
reject
}
mschap
suffix
eap {
ok = return
}
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type MS-CHAP {
mschap
}
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
sql_acct
exec
attr_filter.accounting_response
}
session {
}
post-auth {
reply_log
update reply {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
}
if ("%{User-Name}" == "L3Invite") {
update reply {
Tunnel-Private-Group-Id := 53
}
}
switch "%{Realm}" {
case univ-lille3.fr {
update reply {
Tunnel-Private-Group-Id := 54
}
}
case etu.univ-lille3.fr {
update reply {
Tunnel-Private-Group-Id := 55
}
}
case ext.univ-lille3.fr {
update reply {
Tunnel-Private-Group-Id := 50
}
}
}
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
linelog
}
}
pre-proxy {
pre_proxy_log
}
post-proxy {
post_proxy_log
eap
Post-Proxy-Type Fail {
post_proxy_fail_log
}
}

PROXY.CONF :

proxy server {
default_fallback = no
retry_delay = 5
retry_count = 3
dead_time = 600
}
home_server localhost {
type = auth
ipaddr = 127.0.0.1
port = 1812
secret = testing123
require_message_authenticator = yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
max_outstanding = 65536
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm NULL {
}
realm univ-lille3.fr {
type = radius
authhost = LOCAL
accthost = LOCAL
nostrip
}
realm etu.univ-lille3.fr {
type = radius
authhost = LOCAL
accthost = LOCAL
nostrip
}
realm ext.univ-lille3.fr {
type = radius
authhost = LOCAL
accthost = LOCAL
nostrip
}

realm DEFAULT {
type = radius
authhost = rad1.eduroam.fr:1812
accthost = rad1.eduroam.fr:1813
secret = **
nostrip
}

realm DEFAULT {
type = radius
authhost = rad2.eduroam.fr:1812
accthost = rad2.eduroam.fr:1813
secret = 
nostrip
}

CLIENTS.CONF :

client localhost {
ipaddr = 127.0.0.1
secret= ***
require_message_authenticator = yes
}
client 193.51.224.109 {
secret= 
shortname = rad1.eduroam.fr
}
client 130.79.200.23 {
secret= 
shortname = rad2.eduroam.fr
}
client *** {
secret  = **
shortname = MX800R-1
nastype = trapeze
}
client  {

redundant with ldap and sql not working

2012-11-09 Thread Hocine M

Hi all,

I'm trying to do failover using a redundant section, but it does not seem to be working:

file : site-enable/eduroam (here the redundant section works fine)
authorize {
preprocess
if ("%{User-Name}" == "L3Test") {
   redundant {
   sql_l3Test
   files
   }
}
mschap
suffix
eap {
ok = return
}
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
radutmp
sql_acct
exec
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}



file : site-enable/eduroam-inner-tunnel where the redundant section 
doesn't work

server eduroam-inner-tunnel {
listen {
   ipaddr = 127.0.0.1
   port = 18120
   type = auth
}
authorize {
chap
mschap
suffix
update control {
   Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
redundant {
ldap
sql_auth
}
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
eap
}
session {
radutmp
}
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
}

Maybe it is not possible?
Thanks.
