Re: how to get linelog() see packet-types other than access-request
Phil Mayer,

Thanks very much for your help on this!

Jeff

On Wed, May 8, 2013 at 3:42 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 08/05/2013 20:09, Jeff Smith wrote:
>
>> Hello,
>>
>> I've got a freeradius server 2.2.0 configured to process requests, and now I'd like to add some logging that would look something like this:
>>
>> Wed May 8 14:53:16 2013 Access-Request for a...@purdue.edu from MAC address (Calling-Station-Id) 84-3a-4b-0c-46-44 NAS lwsn-b143-wism2-11
>>
>> I actually have that working, but would like for linelog to also log a line for packet types access-challenge, access-accept, and
>
> Can't easily be done for Access-Challenge I'm afraid. The server doesn't pass them through post-auth.
>
>> access-reject. My /opt/freeradius/etc/raddb/modules/linelog has:
>
> The easiest way is to define another instance of the linelog module, and use Response-Packet-Type in the format of the 2nd module, and call that in any response sections.
>
> If this offends your sensibilities, you can wrap the two linelog modules in a policy like so:
>
>     policy {
>         mylog.authorize {
>             linelog1
>         }
>         mylog.post-auth {
>             linelog2
>         }
>     }
>
> ...then call mylog.
>
> This can be useful for other reasons e.g. using unlang to format attributes before calling the linelog module, and is what we do.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
how to get linelog() see packet-types other than access-request
Hello,

I've got a freeradius server 2.2.0 configured to process requests, and now I'd like to add some logging that would look something like this:

    Wed May 8 14:53:16 2013 Access-Request for a...@purdue.edu from MAC address (Calling-Station-Id) 84-3a-4b-0c-46-44 NAS lwsn-b143-wism2-11

I actually have that working, but would like for linelog to also log a line for packet types access-challenge, access-accept, and access-reject. My /opt/freeradius/etc/raddb/modules/linelog has:

    reference = "%{%{Packet-Type}:-format}"

    #
    #  Followed by a series of log messages.
    Access-Request = "%t %{Packet-Type} for %{User-Name} from MAC address (Calling-Station-Id) %{Calling-Station-Id} NAS %{NAS-IDentifier}"
    Access-Reject = "Rejected access: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-IDentifier}"
    Access-Challenge = "Sent challenge: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-IDentifier}"
    Access-Accept = "Accepted access: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-IDentifier}"

That is, slight changes from the examples given. I've added calls to linelog to the following sections in sites-enabled/default and sites-enabled/inner-tunnel:

    authorize
    authenticate
    preacct
    accounting
    post-auth
re: RE: how to get linelog() see packet-types other than access-request
Argh. Please accept my apologies -- I accidentally sent the previous message before I had finished composing it.

Jeff
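An added example, not part of the original thread or of the FreeRADIUS distribution: one way to lay out the two linelog instances Phil Mayers describes for a 2.x server, so that accepts and rejects are logged alongside requests. The instance names linelog_request and linelog_reply, the log file path, and reading the response type with %{reply:Packet-Type} (Phil's reply names Response-Packet-Type) are assumptions of this example.

```conf
# raddb/modules/linelog (added example; instance names are hypothetical)

# Instance 1: called from authorize, keyed on the request packet type.
linelog linelog_request {
	filename = ${logdir}/linelog
	# Fallback line, selected when the packet type expansion is empty.
	format = "%t request for %{User-Name} from %{Calling-Station-Id}"
	reference = "%{%{Packet-Type}:-format}"
	Access-Request = "%t %{Packet-Type} for %{User-Name} from MAC address (Calling-Station-Id) %{Calling-Station-Id} NAS %{NAS-Identifier}"
}

# Instance 2: called from post-auth, keyed on the reply packet type.
# Assumption: %{reply:Packet-Type} expands to the response type here.
linelog linelog_reply {
	filename = ${logdir}/linelog
	format = "%t reply for %{User-Name} from %{Calling-Station-Id}"
	reference = "%{%{reply:Packet-Type}:-format}"
	Access-Accept = "%t Accepted access: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-Identifier}"
	Access-Reject = "%t Rejected access: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-Identifier}"
}

# raddb/sites-enabled/default (repeat in inner-tunnel if the inner
# identity should be logged as well)
authorize {
	# ... existing modules ...
	linelog_request
}

post-auth {
	# ... existing modules ...
	linelog_reply

	# Rejected requests run this subsection instead of the main body,
	# so the reply instance has to be listed here too.
	Post-Auth-Type REJECT {
		# ... existing modules ...
		linelog_reply
	}
}
```

Access-Challenge has no entry because, as Phil's reply says, the server does not pass challenges through post-auth.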
Re: your mail
Andrew,

It appears that the problem is in your perl script:

    ++[perl] returns reject
    Failed to authenticate the user.
    Using Post-Auth-Type Reject

You need to fix your script. You can run it by hand with perl -d to see how it behaves, or insert print statements in it, etc., until it works the way it should.

Jeff
Re: Is there a definitive config guide for installing 1.1.7 on Solaris 10
On Tue, 2010-07-13 at 09:49 +0200, Alan DeKok wrote:

> Update the Solaris dynamic linker path to include the path where the modules were installed. It's some magic Solaris command, and I forget which one...

The Solaris command to use to add new locations for the loader is crle(1). Carefully reading the manual page is a good idea. He can use ldd(1) to see which libraries can't be found, as in:

    ldd /path/to/freeradius

Can also use something like:

    truss -fae -vall /path/to/freeradius

to see exactly where and why it's dumping core.

Jeff

--
Jeff Smith jeff.m.sm...@gmail.com
questions about a custom freeradius configuration
Hi,

Our wireless network currently authenticates and authorizes users via freeradius 0.8.1 with a custom module that talks to custom authentication and authorization servers. I'm upgrading the server side to freeradius 1.0.4. At the same time, the people who run the wireless network are switching to using EAP-PEAP with MS-CHAP v2.

I'm fairly new to freeradius, but I have been spending a lot of time reading this list, the documents, the O'Reilly book, and experimenting with the server. So far I've been able to do PEAP authentications to the server via the users file.

The custom authentication module I referred to in the first paragraph basically re-implemented MS-CHAP v2 and talked to the custom servers on the back end. It would not be easy to wedge into the rlm_eap code. Instead, I'd like to find a solution that makes the fewest possible (if any) modifications to stock freeradius, so we can track releases more closely. I would like to continue using the custom authentication and authorization servers.

My thinking on this so far is that I might be able to use the Exec-Program-Wait attribute and/or the rlm_perl modules to call out to the custom servers, which have command-line interfaces. Ideally, I'd be able to do something like this:

1) In the authorization phase, call out to the custom authorization server and ask a question like "Is this user who claims to be ``joe'' authorized to use the wireless service?" I can get back a yes/no answer and send an Access-Reject with an explanation, or continue on if they are authorized. (I don't think Exec-Program-Wait can help here since I understand it only gets called after the user is authenticated. I could make this check after and only if mschap returns success, though.)

2) In the authorization phase, also call out to the custom authentication server to get back the NT-Password and add that to the value pairs in the check list in the request packet, so that when EAP-PEAP finally gets down to the MS-CHAP v2 part, the NT-password is available.

I have been having a hard time getting my mind around the complexity of RADIUS and freeradius. It may be that I'm taking a completely wrong-headed approach here. If anyone on this list has any thoughts on how this could be done best, I'd appreciate hearing your ideas.

Thanks in advance!

Jeff

--
Jeff Smith
Security Analyst - ITaP Identity Access Management
Purdue University
W. Lafayette IN 47907-1408
Phone: 765-496-8285