Re: how to get linelog() see packet-types other than access-request

2013-05-09 Thread Jeff Smith
Phil Mayers,

Thanks very much for your help on this!

Jeff


On Wed, May 8, 2013 at 3:42 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 08/05/2013 20:09, Jeff Smith wrote:

 Hello,

 I've got a freeradius server 2.2.0 configured to process requests, and
 now I'd like to add some logging that would look something like this:

 Wed May  8 14:53:16 2013 Access-Request for a...@purdue.edu from MAC address (Calling-Station-Id) 84-3a-4b-0c-46-44 NAS lwsn-b143-wism2-11

 I actually have that working, but would like for linelog to also log a
 line for packet types access-challenge, access-accept, and


 Can't easily be done for Access-Challenge I'm afraid. The server doesn't
 pass them through post-auth.

  access-reject.  My /opt/freeradius/etc/raddb/modules/linelog has:


 The easiest way is to define another instance of the linelog module, and
 use Response-Packet-Type in the format of the 2nd module, and call that
 in any response sections. If this offends your sensibilities, you can
 wrap the two linelog modules in a policy like so:

 policy {
   mylog.authorize {
     linelog1
   }
   mylog.post-auth {
     linelog2
   }
 }

 ...then call mylog. This can be useful for other reasons e.g. using
 unlang to format attributes before calling the linelog module, and is what
 we do.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

how to get linelog() see packet-types other than access-request

2013-05-08 Thread Jeff Smith
Hello,

I've got a freeradius server 2.2.0 configured to process requests, and now
I'd like to add some logging that would look something like this:

Wed May  8 14:53:16 2013 Access-Request for a...@purdue.edu from MAC
address (Calling-Station-Id) 84-3a-4b-0c-46-44 NAS lwsn-b143-wism2-11

I actually have that working, but would like for linelog to also log a line
for packet types access-challenge, access-accept, and access-reject.  My
/opt/freeradius/etc/raddb/modules/linelog has:

reference = "%{%{Packet-Type}:-format}"

#
#  Followed by a series of log messages.
Access-Request = "%t %{Packet-Type} for %{User-Name} from MAC address (Calling-Station-Id) %{Calling-Station-Id} NAS %{NAS-Identifier}"
Access-Reject = "Rejected access: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-Identifier}"
Access-Challenge = "Sent challenge: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-Identifier}"
Access-Accept = "Accepted access: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-Identifier}"

That is, slight changes from the examples given.

I've added calls to linelog to the following sections in
sites-enabled/default and sites-enabled/inner-tunnel:
authorize
authenticate
preacct
accounting
post-auth
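The Access-Request, Access-Accept and Access-Reject formats above write one line per packet with no quoting, so anything downstream has to parse them by position. The following Python is an added example, not code from this thread or from FreeRADIUS: it parses constructed sample lines in exactly those three formats, normalizes the Calling-Station-Id (NAS vendors spell the same MAC as 84-3a-4b-0c-46-44, 00:11:22:AA:BB:CC or 0011.22aa.bbcc), and flags any client MAC that was rejected under several different user names, which is what password guessing from a single device looks like in this log and what a per-user failure counter would miss. The sample lines, user names, NAS name and the threshold of three are all constructed. Two caveats from the formats themselves: only the Access-Request format carries %t, so the Accept/Reject lines have no timestamp of their own, and with PEAP the outer User-Name may be an anonymous identity, so the lines worth parsing come from the inner-tunnel virtual server.

```python
import re
from collections import defaultdict

# Constructed sample output in the linelog formats posted above. Only the
# Access-Request format carries %t, so only request lines have a timestamp.
# Users, MACs and the NAS name are invented for this example.
SAMPLE_LOG = """\
Wed May  8 14:53:16 2013 Access-Request for alice@example.edu from MAC address (Calling-Station-Id) 84-3a-4b-0c-46-44 NAS wism2-11
Accepted access: alice@example.edu Calling-Station-Id=84-3a-4b-0c-46-44 NAS=wism2-11
Wed May  8 14:53:20 2013 Access-Request for bob@example.edu from MAC address (Calling-Station-Id) 00:11:22:AA:BB:CC NAS wism2-11
Rejected access: bob@example.edu Calling-Station-Id=00:11:22:AA:BB:CC NAS=wism2-11
Rejected access: carol@example.edu Calling-Station-Id=0011.22aa.bbcc NAS=wism2-11
Rejected access: dave@example.edu Calling-Station-Id=001122aabbcc NAS=wism2-11
Rejected access: alice@example.edu Calling-Station-Id=84-3a-4b-0c-46-44 NAS=wism2-11
this line is not in any of the linelog formats
"""

# %t expands to ctime(3) output, e.g. "Wed May  8 14:53:16 2013" (day padded
# with a space). User-Name is matched lazily because linelog does no quoting.
REQUEST_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) Access-Request for '
    r'(?P<user>.+?) from MAC address \(Calling-Station-Id\) (?P<mac>\S*) NAS (?P<nas>.*)$')
RESULT_RE = re.compile(
    r'^(?P<verb>Accepted|Rejected) access: (?P<user>.+?) '
    r'Calling-Station-Id=(?P<mac>\S*) NAS=(?P<nas>.*)$')


def normalize_mac(raw):
    """Reduce vendor spellings of Calling-Station-Id to aa:bb:cc:dd:ee:ff.
    A value that is not 12 hex digits is returned lower-cased but otherwise as-is."""
    digits = re.sub(r'[^0-9A-Fa-f]', '', raw).lower()
    if len(digits) != 12:
        return raw.lower()
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_line(line):
    """Return an event dict for a line in one of the three formats, else None."""
    m = REQUEST_RE.match(line)
    if m:
        return {'type': 'Access-Request', 'ts': m['ts'], 'user': m['user'],
                'mac': normalize_mac(m['mac']), 'nas': m['nas']}
    m = RESULT_RE.match(line)
    if m:
        ptype = 'Access-Accept' if m['verb'] == 'Accepted' else 'Access-Reject'
        return {'type': ptype, 'ts': None, 'user': m['user'],
                'mac': normalize_mac(m['mac']), 'nas': m['nas']}
    return None


def parse_log(text):
    """Parse every recognised line; unrecognised lines are skipped."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def rejected_users_by_mac(events):
    """Map each normalized client MAC to the set of user names it was rejected for."""
    out = defaultdict(set)
    for ev in events:
        if ev['type'] == 'Access-Reject':
            out[ev['mac']].add(ev['user'])
    return out


def flag_password_guessing(events, min_users=3):
    """MACs rejected under at least min_users distinct user names: one device
    walking through accounts, which a per-user failure counter does not see."""
    return sorted(mac for mac, users in rejected_users_by_mac(events).items()
                  if len(users) >= min_users)


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    print(len(evs), 'events parsed')
    for mac in flag_password_guessing(evs):
        print('password guessing suspected from', mac)
```

Run it against the real linelog file instead of SAMPLE_LOG to get the same report; the threshold and the MAC normalisation are the two knobs to tune for a given NAS population.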

re: RE: how to get linelog() see packet-types other than access-request

2013-05-08 Thread Jeff Smith
Argh.  Please accept my apologies -- I accidentally sent the previous
message before I had finished composing it.

Jeff

Re: your mail

2012-10-10 Thread Jeff Smith
Andrew,

It appears that the problem is in your perl script:

 ++[perl] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject 

You need to fix your script.  You can run it by hand with perl -d to
see how it behaves, or insert print statements in it, etc., until it
works the way it should.

Jeff



Re: Is there a definitive config guide for installing 1.1.7 on Solaris 10

2010-07-13 Thread Jeff Smith
On Tue, 2010-07-13 at 09:49 +0200, Alan DeKok wrote: 
 Update the Solaris dynamic linker path to include the path where the
 modules were installed.  It's some magic Solaris command, and I forget
 which one...

The solaris command to use to add new locations for the loader is
crle(1).  Carefully reading the manual page is a good idea.

He can use ldd(1) to see which libraries can't be found, as in:

ldd /path/to/freeradius

Can also use something like:

truss -fae -vall /path/to/freeradius

to see exactly where and why it's dumping core.

Jeff
-- 
Jeff Smith jeff.m.sm...@gmail.com



questions about a custom freeradius configuration

2005-07-27 Thread Jeff Smith

Hi,

Our wireless network currently authenticates and authorizes users via 
freeradius 0.8.1 with a custom module that talks to custom 
authentication and authorization servers.


I'm upgrading the server side to freeradius 1.0.4.  At the same time, 
the people who run the wireless network are switching to using EAP-PEAP 
with MS-CHAP v2.


I'm fairly new to freeradius, but I have been spending a lot of time 
reading this list, the documents, the O'Reilly book, and experimenting 
with the server.  So far I've been able to do PEAP authentications to 
the server via the users file.


The custom authentication module I referred to in the first paragraph 
basically re-implemented MS-CHAP v2 and talked to the custom servers on 
the back end.  It would not be easy to wedge into the rlm_eap code. 
Instead, I'd like to find a solution that makes the fewest possible (if 
any) modifications to stock freeradius, so we can track releases more 
closely. I would like to continue using the custom authentication and 
authorization servers.


My thinking on this so far is that I might be able to use the 
Exec-Program-Wait attribute and/or the rlm_perl module to call out to 
the custom servers, which have command-line interfaces.  Ideally, I'd be 
able to do something like this:


1) In the authorization phase, call out to the custom authorization 
server and ask a question like "Is this user who claims to be ``joe'' 
authorized to use the wireless service?"  I can get back a yes/no answer 
and send an Access-Reject with an explanation, or continue on if they 
are authorized.  (I don't think Exec-Program-Wait can help here since I 
understand it only gets called after the user is authenticated.  I could 
make this check after and only if mschap returns success, though.)


2) In the authorization phase, also call out to the custom 
authentication server to get back the NT-Password and add that to the 
value pairs in the check list in the request packet, so that when 
EAP-PEAP finally gets down to the MS-CHAP v2 part, the NT-password is 
available.


I have been having a hard time getting my mind around the complexity of 
RADIUS and freeradius.  It may be that I'm taking a completely 
wrong-headed approach here.  If anyone on this list has any thoughts on 
how this could be done best, I'd appreciate hearing your ideas.


Thanks in advance!

Jeff
--
Jeff Smith
Security Analyst - ITaP Identity & Access Management
Purdue University
W. Lafayette IN 47907-1408
Phone: 765-496-8285