Re: testing freeRadius

2006-09-25 Thread Yannick Deltroo

You can use the following command line tools (compiled when you build
freeradius):
- radtest
- radclient

On 9/25/06, Mike May [EMAIL PROTECTED] wrote:

Hello Everyone, I am looking for some help with testing my installation of
freeRadius.

Here is my environment, I have 2 radius servers behind a very tight firewall
that I do not admin, I need a way that I can test various forms of auth from
the radius servers themselves, is that possible, does freeRadius come with
its own set of testing tools that can be run from the command line.

Thanks in advance

Mike
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


Re: (Cannot assign requested address) bind() failed

2006-02-13 Thread Yannick Deltroo
Tommy,

I run chillispot with an external radius server. This is not a radius
problem here.

Are you sure you have loaded the tun driver in your kernel ?
Might not be the case with old kernels or Linux embedded on a WRT.

On 2/13/06, tommy garsia [EMAIL PROTECTED] wrote:
 I couldn't get iface tun0 up...because when i start chilli the errors come
 up...
  any suggestion?? is there any way to separate tun0 and chilli? still
 confused with this one
  any body running chilli with external radius ??


 debik [EMAIL PROTECTED] wrote:

 See if you got the tun0 interface up when chilli starts.
 This should start automatically when you are starting chilli.

 - Original Message -
 From: tommy garsia
 To: freeradius-users@lists.freeradius.org
 Sent: Sunday, February 12, 2006 2:51 PM
 Subject: (Cannot assign requested address) bind() failed

 Hello all,

 I'm trying to run chilli with external radius server. The chilli
 machine's IP is 172.17.1.200 and the radius is 172.17.1.222. This is
 the chilli.conf

 #radiuslisten 127.0.0.1
 radiusserver1 172.17.1.222
 radiusserver2 172.17.1.222

 but, after i start chilli...it shows error like this::
 hotspot: chilli --fg --debug
 ChilliSpot version 1.0 started.
 chillispot[3181]: ChilliSpot 1.0. Copyright 2002-2005 Mondru AB. Licensed
 under GPL. ! See http://www.chillispot.org for credits.
 chillispot[3181]: redir.c: 532: 99 (Cannot assign requested address) bind()
 failed
 chillispot[3181]: chilli.c: 3558: Failed to create redir

 is this a chilli error or radius error??
 what should i do with my configuration??



Re: Exec-Program-Wait multiple reply items

2006-01-09 Thread Yannick Deltroo
I had a similar problem with an exec script (Freeradius 1.0.5).
I found that when the script outputs several comma separated pairs it
works fine.

I don't know any workaround, other than modifying the script to
separate pairs with a comma instead of \n.


On Sat, 7 Jan 2006 20:21:43 UT, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Hello,

 I have recently migrated to freeradius (latest stable on debian
 sarge - 1.0.2-4) and was faced with the following problem:

 I use Exec-Program-Wait attribute as a reply item in users file.
 It returns 3 attributes: NAS-Identifier, Framed-IP-Address and
 Framed-Route. These attributes are printed on stdout with
 trailing \n. However they are not returned to the NAS as are
 not comma separated. Is there any known workaround for this
 problem? Thanks in advance.

 Best Regards,

 George


Re: Fw: authorize and authenticate methods ina custom module

2006-01-05 Thread Yannick Deltroo
I've done something like this.

You should write a custom script for the authorization section, put
something like this in radiusd.conf

modules {
    ...
    exec myscript {
        program = "/path/to/myscript %{User-Name}"
        wait = yes
        input_pairs = request
        output_pairs = config
        # the authorize section sees Access-Request packets, so only run for those
        packet_type = Access-Request
    }
    ...
}

authorize {
    ...
    pap
    chap
    myscript
    ...
}


Assuming it's a shell script, it has to do this:
- retrieve the parameters of the Access-Request. User-Name is passed
as an argument, other attributes can be accessed from the environment
variables or passed as additional myscript arguments
- then call the cgi with the appropriate parameters using curl
- if the user exists, the cgi should return the Password XX to
myscript (I'm assuming PAP/CHAP is used for authentication)
- then myscript will write Password =X to stdout (it will make a
config attribute for freeradius) and then exit(0)
- if the cgi says that the user does not exist, exit(0) without
writing anything to stdout. This way other authorization modules may
try to find the user.

If the user really does not exist anywhere, the access-reject will be
decided during PAP/CHAP authentication. (a user with no password =
reject)

Yannick Deltroo

On 1/5/06, Susana Macias [EMAIL PROTECTED] wrote:

 Thanks a lot Alan,

 I would like to explain what I am trying to develop. If someone has any
 advice, please tell me. This is my scenario:

 Until now, we have a RADIUS server (RADIUS PSI) which only receives
 Access-Request packets.

 Also we have a CGI application located at the URL http://X.Y.Z.W:8080/nucleo
 This application receives a set of parameters as a URL encoded string (all
 characters that are not a-z, A-Z or 0-9 are converted to their URL escaped
 version) with this form:
 Attribute1=Value1&Attribute2=Value2... (where Attribute1,
 Attribute2... and Value1, Value2... are the different Attribute/Value pairs
 obtained from the Access-Request packet)
 The CGI application consults a remote database (and normally authenticates
 the user using the telephone number; although there are other variants).

 According to the response obtained from the remote resource, the RADIUS
 server adds different Attribute/Value pairs to the reply list, and always
 replies with an Access-Accept packet (whether or not the CGI application
 authenticates the user successfully).

 Now, we want to change to a FreeRadius server.

 I only want to call the remote resource (using the libcurl library)
 passing it the appropriate parameters and collect the information returned
 by it in order to create the reply list. As the CGI application performs the
 authorize and authenticate activities I am a little embarrassed to say that
 I am not sure which function I should implement (authorize or authenticate).

 Thank you very much in advance

 Best wishes,
 Susana

 - Original Message -
 From: Alan DeKok
 To: FreeRadius users mailing list
 Sent: Tuesday, January 03, 2006 4:31 PM
 Subject: Re: authorize and authenticate methods ina custom module


  Susana Macias wrote:
   I have started working with the RADIUS protocol (and with FreeRadius
   in particular) three weeks ago. Congratulations for the product, it is
   really powerful!
 
  Thanks.
 
   But, when are the authorize() and authenticate() methods called?
 
  When a packet comes in. See doc/aaa.txt
 
   Is it necessary to include in the radiusd.conf the name of the
   instance (of the new module created) in the authorize section in order
   to call its authorize() method?
 
  Yes.
 
  Alan DeKok.


Adapting Reply-Msg to Reject cause

2005-12-28 Thread Yannick Deltroo
Hello,

I'm using Freeradius with rlm_sql & sqlcounter to authorize access to hotspots.
I would like to set a specific Reply-Message (which is displayed in
the user browser) depending on the Reject cause, for instance:
- Reply-Msg=Account has expired (if reject because of Expiration == )
- Reply-Msg=Time credit is exhausted (if reject because of
Max-All-Session := )
- Reply-Msg=Access not allowed from this NAS (if reject because of
Nas-Identifier !=)
- Reply-Msg=Wrong password (if cannot authenticate)

How can I do that without writing a custom authorization script ?

Thanks for your help.
Yannick Deltroo



Re: Problem writing config attributes from script

2005-12-22 Thread Yannick Deltroo
I got it working. I was actually trying to write a value not
compatible with the post-auth type, defined in the dictionary. That's
why the output of my script was not taken into account by freeradius.

To pass parameters from my authentication script to my
post-authentication script, I've defined my own new Prepaid attribute
(in /etc/raddb/dictionary)
ATTRIBUTE Prepaid 3000 string

The correct format for scripts outputting several attributes is to use
a comma to separate the pairs. Scripts should output something like:
Prepaid = my parameters here , Password = test


On 12/22/05, Yannick Deltroo [EMAIL PROTECTED] wrote:
 Does not work any better with , or ; or   between the pairs.

 After the script is executed, the config environment variables do
 not contain the output of the script:
 AUTH_TYPE=CHAP
 PWD=/root
 SHLVL=1
 _=/usr/bin/printenv


 If I only write a Password=XXX from the script, the output is taken
 into account. See the env variable then:
 PASSWORD=test
 AUTH_TYPE=CHAP
 PWD=/root
 SHLVL=1
 _=/usr/bin/printenv

 My tests show that the only pair accepted from the script is Password = X.
 Any other single attribute is just ignored.

 Could it be a problem with attributes dictionnaries ?

 On 12/21/05, Alan DeKok [EMAIL PROTECTED] wrote:
  Yannick Deltroo [EMAIL PROTECTED] wrote:
   of just Password =, i.e. something like
 Post-Auth-Type = THIRD_SCRIPT
 Password = X
   I cannot authenticate. Chap authentication fails (see debug log below)
 
Put a , in between the two items, just like you do in the users file.
 
Alan DeKok.
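The rlm_exec authorization script sketched in the "authorize and authenticate" thread above (User-Name as argument, CGI lookup, Password pair written to stdout, silent exit 0 for unknown users), combined with the comma-separated output format settled in this thread. This is an added example, not code from the list posts; the CGI URL, its reply format and the Prepaid value are assumptions, and a constructed lookup table stands in for the curl call so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. FreeRADIUS runs this as
#   program = "/path/to/myscript %{User-Name}"   with output_pairs = config,
# so each line printed is parsed like a users-file entry into config items.
# The CGI URL and its reply format are assumptions (placeholder).
CGI_URL="${CGI_URL:-http://cgi.example.invalid:8080/nucleo}"

# URL-encode a value as the CGI expects: anything outside a-z, A-Z, 0-9
# becomes %XX (pure POSIX sh, one ASCII character at a time).
urlencode() {
    s="$1"; out=""
    while [ -n "$s" ]; do
        rest="${s#?}"; c="${s%"$rest"}"; s="$rest"
        case "$c" in
            [a-zA-Z0-9]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Join "Attr op Value" pairs into ONE comma-separated line. This is the
# point settled in the thread: pairs on separate lines are ignored by
# rlm_exec, comma-separated pairs on one line are parsed.
format_pairs() {
    out=""
    for pair in "$@"; do
        if [ -z "$out" ]; then out="$pair"; else out="$out, $pair"; fi
    done
    printf '%s\n' "$out"
}

# Hypothetical stand-in for the CGI call. In production this would be
#   curl -sf "$CGI_URL?User-Name=$(urlencode "$1")"
# returning the user's clear-text password. A constructed table replaces
# the network call here.
query_cgi() {
    case "$1" in
        prepaid1) printf 'Password=test\n' ;;
        alice)    printf 'Password=s3cret\n' ;;
        *)        printf '\n' ;;    # unknown user: empty reply
    esac
}

# Print the config pairs for one user. If the CGI does not know the user,
# print nothing and return 0 so later authorize modules (files, sql) get
# their turn; a user nobody knows is then rejected at PAP/CHAP time.
authorize_user() {
    resp=$(query_cgi "$1")
    pw="${resp#Password=}"
    [ -n "$resp" ] && [ "$pw" != "$resp" ] || return 0
    # Prepaid is the site-local attribute from the thread (needs a dictionary
    # line such as: ATTRIBUTE Prepaid 3000 string); its value is constructed.
    format_pairs "Password = \"$pw\"" "Prepaid = \"cgi\""
}

# FreeRADIUS passes User-Name as the first argument.
if [ $# -ge 1 ]; then
    authorize_user "$1"
fi
```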


Re: Problem writing config attributes from script

2005-12-21 Thread Yannick Deltroo
Hereafter is the debug output for an access request (freeradius 1.0.5).
My external script authorize_prepaid_account writes this to the output:
Post-auth-Type := new_prepaid_account
Password == test

However these config attributes are not taken into account for
processing by other modules. The chap authentication module does not
see any password.
Which is actually true, my second dump script just dumps the config
attributes ... there's no Post-Auth-Type or Password attribute.

I guess my output format is not correct, and not parsed by freeradius.
What should be the output format for config attributes ?

Thanks for your help


Starting - reading configuration files ...


Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
..
 exec: wait = yes
 exec: program = /etc/raddb/scripts/authorize %{User-Name}
 exec: input_pairs = request
 exec: output_pairs = config
 exec: packet_type = Access-Request
Module: Instantiated exec (authorize_prepaid_account)
.
 exec: wait = yes
 exec: program = /etc/raddb/scripts/dump %{User-Name}
 exec: input_pairs = config
 exec: output_pairs = reply
 exec: packet_type = Access-Request
Module: Instantiated exec (dump)
.
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.0.2:2121, id=0, length=240
User-Name = prepaid1
CHAP-Challenge = 0x4f8d8594b5f54d2ed0b4d5e2677cf6f7
CHAP-Password = 0x00427a8e6d6f41280fd0974fbbab1f4fcc
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.13
Calling-Station-Id = 00-04-23-6C-89-87
Called-Station-Id = 00-0F-66-A3-24-71
NAS-Identifier = deltroo_1
Acct-Session-Id = 43a926ed
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0xf7d949b9e72693fe8c1f85e47afe3131
WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/172.16.0.2/auth-detail-20051221'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to 
  modcall[authorize]: module auth_log returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
radius_xlat:  '/etc/raddb/scripts/authorize prepaid1'
Exec-Program: /etc/raddb/scripts/authorize prepaid1
Exec-Program output: Post-Auth-Type := new_prepaid_account Password == test
Exec-Program-Wait: plaintext: Post-Auth-Type := new_prepaid_account
Password == test
Exec-Program: returned: 0
  modcall[authorize]: module authorize_prepaid_account returns ok
for request 0
users: Matched entry DEFAULT at line 148
  modcall[authorize]: module files returns ok for request 0
radius_xlat:  'prepaid1'
rlm_sql (sql): sql_set_user escaped user -- 'prepaid1'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'prepaid1' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User prepaid1 not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM .
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM .
rlm_sql (sql): User prepaid1 not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns notfound for request 0
radius_xlat:  '/etc/raddb/scripts/dump prepaid1'
Exec-Program: /etc/raddb/scripts/dump prepaid1
Exec-Program output: Reply-Message +=  Dump script executed 
Exec-Program-Wait: value-pairs: Reply-Message +=  Dump script executed 
Exec-Program: returned: 0
  modcall[authorize]: module dump returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  

Re: Problem writing config attributes from script

2005-12-21 Thread Yannick Deltroo
Alan, thanks for your help.

I've read the rlm_exec documentation in the configuration file before
posting on the list.

As you can see, I actually run two scripts in the authorization section.
The first script to run is authorize_prepaid_account, which is
correctly set to output to config, as per the documentation. Then, I
run a second script called dump, just to write environment variables
to a file (to see what's going on). dump does not output any pairs,
so whether it's set to write to reply or config should not have an
impact.

When I play around with what the authorize_prepaid_account script is
doing, I can reproduce this strange behavior:
1- If authorize_prepaid_account only outputs Password = X, then
everything works fine. I can authorize/authenticate. My dump file
shows that Password =  was correctly written to config attributes.

2- If I modify authorize_prepaid_account to output two pairs instead
of just Password =, i.e. something like
Post-Auth-Type = THIRD_SCRIPT
Password = X
I cannot authenticate. Chap authentication fails (see debug log below)
My dump file shows that the output of authorize_prepaid_account was
not taken into account. (No Post-Auth-Type, No password written to
config = chap fails)

The server is running with the exact same configuration in case 1 and case 2.
I'm just commenting out lines in my script manually.

Am I missing something about the correct format for a script output ?
I guess, it's one pair per line ?
I'm using freeradius 1.0.5


radius.log

exec authorize_prepaid_account {
    wait = yes
    program = "/etc/raddb/scripts/authorize %{User-Name}"
    output_pairs = config
    packet_type = Access-Request
}

exec dump {
    wait = yes
    program = "/etc/raddb/scripts/dump %{User-Name}"
    input_pairs = config
    output_pairs = reply
    packet_type = Access-Request
}

authorize {
    preprocess
    auth_log
    chap
    mschap
    authorize_prepaid_account
    files
    sql
    dump
}

=
Daemon debug output
 exec: wait = yes
 exec: program = /etc/raddb/scripts/authorize %{User-Name}
 exec: input_pairs = request
 exec: output_pairs = config
 exec: packet_type = Access-Request
.
 exec: wait = yes
 exec: program = /etc/raddb/scripts/dump %{User-Name}
 exec: input_pairs = config
 exec: output_pairs = reply
 exec: packet_type = Access-Request
..
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
 rlm_chap: login attempt by prepaid1 with CHAP password
 rlm_chap: Could not find clear text password for user prepaid1
 modcall[authenticate]: module chap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available):
[prepaid1/CHAP-Password] (from client WRT54G port 0 cli
00-04-23-6C-89-87)
=

On 12/21/05, Alan DeKok [EMAIL PROTECTED] wrote:
 Yannick Deltroo [EMAIL PROTECTED] wrote:
  However these config attributes are not taken into account for
  processing by other modules.

   Because you're putting the attributes into the reply item list, not
 the config item list.

  Module: Instantiated exec (authorize_prepaid_account)
  .
   exec: wait = yes
   exec: program = /etc/raddb/scripts/dump %{User-Name}
   exec: input_pairs = config
   exec: output_pairs = reply

   See?  Change output_pairs to config, and it should work.

   The documentation for rlm_exec explains this.

   Alan DeKok.


Re: Problem writing config attributes from script

2005-12-21 Thread Yannick Deltroo
Does not work any better with , or ; or   between the pairs.

After the script is executed, the config environment variables do
not contain the output of the script:
AUTH_TYPE=CHAP
PWD=/root
SHLVL=1
_=/usr/bin/printenv


If I only write a Password=XXX from the script, the output is taken
into account. See the env variable then:
PASSWORD=test
AUTH_TYPE=CHAP
PWD=/root
SHLVL=1
_=/usr/bin/printenv

My tests show that the only pair accepted from the script is Password = X.
Any other single attribute is just ignored.

Could it be a problem with attributes dictionnaries ?

On 12/21/05, Alan DeKok [EMAIL PROTECTED] wrote:
 Yannick Deltroo [EMAIL PROTECTED] wrote:
  of just Password =, i.e. something like
Post-Auth-Type = THIRD_SCRIPT
Password = X
  I cannot authenticate. Chap authentication fails (see debug log below)

   Put a , in between the two items, just like you do in the users file.

   Alan DeKok.