Re: testing freeRadius
You can use the following command line tools (compiled when you build freeradius):
- radtest
- radclient

On 9/25/06, Mike May [EMAIL PROTECTED] wrote:
> Hello Everyone,
>
> I am looking for some help with testing my installation of freeRadius. Here is my environment: I have 2 radius servers behind a very tight firewall that I do not admin. I need a way that I can test various forms of auth from the radius servers themselves. Is that possible? Does freeRadius come with its own set of testing tools that can be run from the command line?
>
> Thanks in advance
> Mike

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: (Cannot assign requested address) bind() failed
Tommy,

I run chillispot with an external radius server. This is not a radius problem here. Are you sure you have loaded the tun driver in your kernel? Might not be the case with old kernels or Linux embedded on a WRT.

On 2/13/06, tommy garsia [EMAIL PROTECTED] wrote:
> I couldn't get iface tun0 up... because when I start chilli the errors come up... any suggestion?? Is there any way to separate tun0 and chilli? Still confused with this one. Anybody running chilli with external radius??
>
> debik [EMAIL PROTECTED] wrote:
>> See if you got the tun0 interface up when chilli starts. This should start automatically when you are starting chilli.
>>
>> - Original Message -
>> From: tommy garsia
>> To: freeradius-users@lists.freeradius.org
>> Sent: Sunday, February 12, 2006 2:51 PM
>> Subject: (Cannot assign requested address) bind() failed
>>
>> Hello all,
>>
>> I'm trying to run chilli with an external radius server, e.g. the chilli machine's IP is 172.17.1.200 and the radius is 172.17.1.222. This is the chilli.conf:
>>
>>     #radiuslisten 127.0.0.1
>>     radiusserver1 172.17.1.222
>>     radiusserver2 172.17.1.222
>>
>> but, after I start chilli... it shows an error like this:
>>
>>     hotspot: chilli --fg --debug
>>     ChilliSpot version 1.0 started.
>>     chillispot[3181]: ChilliSpot 1.0. Copyright 2002-2005 Mondru AB. Licensed under GPL. See http://www.chillispot.org for credits.
>>     chillispot[3181]: redir.c: 532: 99 (Cannot assign requested address) bind() failed
>>     chillispot[3181]: chilli.c: 3558: Failed to create redir
>>
>> Is this a chilli error or a radius error?? What should I do with my configuration??
Re: Exec-Program-Wait multiple reply items
I had a similar problem with an exec script (Freeradius 1.0.5). I found that when the script outputs several comma separated pairs it works fine. I don't know any workaround, other than modifying the script to separate pairs with comma instead of \n.

On Sat, 7 Jan 2006 20:21:43 UT, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hello,
>
> I have recently migrated to freeradius (latest stable on debian sarge - 1.0.2-4) and am faced with the following problem: I use the Exec-Program-Wait attribute as a reply item in the users file. It returns 3 attributes: NAS-Identifier, Framed-IP-Address and Framed-Route. These attributes are printed on stdout with trailing \n. However they are not returned to the NAS as they are not comma separated. Is there any known workaround for this problem?
>
> Thanks in advance.
>
> Best Regards,
> George
Re: Fw: authorize and authenticate methods in a custom module
I've done something like this. You should write a custom script for the authorization section, and put something like this in radiusd.conf:

    modules {
        ...
        exec myscript {
            program = "/path/to/myscript %{User-Name}"
            wait = yes
            input_pairs = request
            output_pairs = config
            packet_type = Access-Accept
        }
        ...
    }

    authorize {
        ...
        pap
        chap
        myscript
        ...
    }

Assuming it's a shell script, it has to do this:
- retrieve the parameters of the Access-Request. User-Name is passed as an argument; other attributes can be accessed from the environment variables or passed as additional myscript arguments
- then call the cgi with the appropriate parameters using curl
- if the user exists, the cgi should return the Password XX to myscript (I'm assuming PAP/CHAP is used for authentication)
- then myscript will write Password = X to stdout (it will make a config attribute for freeradius) and then exit(0)
- if the cgi says that the user does not exist, exit(0) without writing anything to stdout. This way other authorization modules may try to find the user. If the user really does not exist anywhere, the access-reject will be decided during PAP/CHAP authentication (a user with no password = reject).

Yannick Deltroo

On 1/5/06, Susana Macias [EMAIL PROTECTED] wrote:
> Thanks a lot Alan,
>
> I would like to explain what I am trying to develop. If someone has any advice, please tell me. This is my scenario:
>
> Until now, we have a RADIUS server (RADIUS PSI) which only receives Access-Request packets. Also we have a CGI application located at the URL http://X.Y.Z.W:8080/nucleo. This application receives a set of parameters as a URL encoded string (all characters that are not a-z, A-Z or 0-9 are converted to their URL escaped version) with this form: Attribute1=Value1&Attribute2=Value2... (where Attribute1, Attribute2... and Value1, Value2... are the different Attribute/Value pairs obtained from the Access-Request packet).
>
> The CGI application consults a remote database (and normally authenticates the user using the telephone number, although there are other variants). According to the response obtained from the remote resource, the RADIUS server adds different Attribute/Value pairs to the reply list, and always replies with an Access-Accept packet (whether or not the CGI application authenticates the user successfully).
>
> Now, we want to change to a FreeRadius server. I only want to call the remote resource (using the libcurl library), passing it the appropriate parameters, and collect the information returned by it in order to create the reply list. As the CGI application performs the authorize and authenticate activities, I am a little embarrassed to say that I am not sure which function I should implement (authorize or authenticate).
>
> Thank you very much in advance
>
> Best wishes,
> Susana
>
> - Original Message -
> From: Alan DeKok
> To: FreeRadius users mailing list
> Sent: Tuesday, January 03, 2006 4:31 PM
> Subject: Re: authorize and authenticate methods in a custom module
>
> Susana Macias wrote:
>> I have started working with the RADIUS protocol (and with FreeRadius in particular) three weeks ago. Congratulations for the product, it is really powerful!
>
> Thanks.
>
>> But, when are the authorize() and authenticate() methods called?
>
> When a packet comes in. See doc/aaa.txt
>
>> Is it necessary to include in the radiusd.conf the name of the instance (of the new module created) in the authorize section in order to call its authorize() method?
>
> Yes.
>
> Alan DeKok.
Adapting Reply-Msg to Reject cause
Hello,

I'm using Freeradius with rlm_sql sqlcounter to authorize access to hotspots. I would like to set a specific Reply-Message (which is displayed in the user browser) depending on the Reject cause, for instance:
- Reply-Msg = Account has expired (if rejected because of Expiration ==)
- Reply-Msg = Time credit is exhausted (if rejected because of Max-All-Session :=)
- Reply-Msg = Access not allowed from this NAS (if rejected because of Nas-Identifier !=)
- Reply-Msg = Wrong password (if cannot authenticate)

How can I do that without writing a custom authorization script?

Thanks for your help.

Yannick Deltroo
Re: Problem writing config attributes from script
I got it working. I was actually trying to write a value not compatible with the post-auth type defined in the dictionary. That's why the output of my script was not taken into account by freeradius.

To pass parameters from my authentication script to my post-authentication script, I've defined my own new Prepaid attribute (in /etc/raddb/dictionary):

    ATTRIBUTE Prepaid 3000 string

The correct format for scripts outputting several attributes is to use a , to separate the pairs. Scripts should output something like:

    Prepaid = "my parameters here", Password = "test"

On 12/22/05, Yannick Deltroo [EMAIL PROTECTED] wrote:
> Does not work any better with , or ; or between the pairs. After the script is executed, the config environment variables do not contain the output of the script:
>
>     AUTH_TYPE=CHAP
>     PWD=/root
>     SHLVL=1
>     _=/usr/bin/printenv
>
> If I only write a Password=XXX from the script, the output is taken into account. See the env variables then:
>
>     PASSWORD=test
>     AUTH_TYPE=CHAP
>     PWD=/root
>     SHLVL=1
>     _=/usr/bin/printenv
>
> My tests show that the only pair accepted from the script is Password = X. Any other single attribute is just ignored. Could it be a problem with attribute dictionaries?
>
> On 12/21/05, Alan DeKok [EMAIL PROTECTED] wrote:
>> Yannick Deltroo [EMAIL PROTECTED] wrote:
>>> of just Password =, i.e. something like
>>>     Post-Auth-Type = THIRD_SCRIPT
>>>     Password = X
>>> I cannot authenticate. Chap authentication fails (see debug log below)
>>
>> Put a , in between the two items, just like you do in the users file.
>>
>> Alan DeKok.
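As an added example (not the thread's own script), here is an rlm_exec authorize script shaped like the one discussed in this thread and in the "custom module" thread above: it takes User-Name as its argument, looks the user up in a constructed local table that stands in for the remote CGI/database, and prints the pairs on one comma-separated line in users-file syntax, or prints nothing and exits 0 when the user is unknown so later modules can try. It assumes the Prepaid attribute defined in the dictionary line above and the `wait = yes`, `output_pairs = config` wiring from the thread; the table contents and helper names are constructed.

```shell
#!/bin/sh
# rlm_exec authorize script (constructed example, not the thread's own script).
# Assumed radiusd.conf wiring, matching the thread:
#   exec myscript { program = "/path/to/this %{User-Name}"  wait = yes
#                   input_pairs = request  output_pairs = config }
# Constructed stand-in for the remote lookup: username|password|prepaid-info
USER_TABLE='prepaid1|test|credit=3600 plan=hourly
prepaid2|s3cret|credit=0 plan=expired
prepaid3|pa"ss|credit=10 plan=test'

# Print "password|prepaid-info" for a known user, nothing otherwise.
lookup_user() {
    printf '%s\n' "$USER_TABLE" |
        awk -F'|' -v u="$1" '$1 == u { print $2 "|" $3; exit }'
}

# Backslash-escape " and \ so a looked-up value cannot break out of its quotes.
esc() {
    printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Emit the config pairs rlm_exec parses: users-file syntax, pairs separated by
# commas on ONE line. Newline-separated pairs (the thread's failure mode) are
# not accepted. Unknown user: print nothing and return 0, so other modules run.
emit_pairs() {
    rec=$(lookup_user "$1")
    [ -n "$rec" ] || return 0
    pw=${rec%%|*}
    prepaid=${rec#*|}
    printf 'Prepaid = "%s", Password = "%s"\n' "$(esc "$prepaid")" "$(esc "$pw")"
}

# Request attributes also arrive as environment variables (upper-cased, '-'
# replaced by '_', e.g. NAS_IDENTIFIER); only the User-Name argument is used here.
# Runs only when FreeRADIUS passes a User-Name; always exits 0, as advised above.
[ $# -eq 0 ] || { emit_pairs "$1"; exit 0; }
```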
Re: Problem writing config attributes from script
Hereafter is the debug output for an access request (freeradius 1.0.5). My external script authorize_prepaid_account writes this to the output:

    Post-auth-Type := new_prepaid_account
    Password == test

However these config attributes are not taken into account for processing by other modules. The chap authentication module does not see any password. Which is actually true: my second dump script just dumps the config attributes... there's no Post-Auth-Type or Password attribute. I guess my output format is not correct, and not parsed by freeradius. What should be the output format for config attributes?

Thanks for your help

    Starting - reading configuration files ...
    Module: Loaded exec
     exec: wait = yes
     exec: program = (null)
     exec: input_pairs = request
     exec: output_pairs = (null)
     exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
     pap: encryption_scheme = crypt
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
     mschap: use_mppe = yes
     mschap: require_encryption = no
     mschap: require_strong = no
     mschap: with_ntdomain_hack = no
     mschap: passwd = (null)
     mschap: authtype = MS-CHAP
     mschap: ntlm_auth = (null)
    Module: Instantiated mschap (mschap)
    ...
     exec: wait = yes
     exec: program = /etc/raddb/scripts/authorize %{User-Name}
     exec: input_pairs = request
     exec: output_pairs = config
     exec: packet_type = Access-Request
    Module: Instantiated exec (authorize_prepaid_account)
    ...
     exec: wait = yes
     exec: program = /etc/raddb/scripts/dump %{User-Name}
     exec: input_pairs = config
     exec: output_pairs = reply
     exec: packet_type = Access-Request
    Module: Instantiated exec (dump)
    ...
    Listening on authentication *:1812
    Listening on accounting *:1813
    Listening on proxy *:1814
    Ready to process requests.

    rad_recv: Access-Request packet from host 172.16.0.2:2121, id=0, length=240
            User-Name = prepaid1
            CHAP-Challenge = 0x4f8d8594b5f54d2ed0b4d5e2677cf6f7
            CHAP-Password = 0x00427a8e6d6f41280fd0974fbbab1f4fcc
            NAS-IP-Address = 0.0.0.0
            Service-Type = Login-User
            Framed-IP-Address = 192.168.182.13
            Calling-Station-Id = 00-04-23-6C-89-87
            Called-Station-Id = 00-0F-66-A3-24-71
            NAS-Identifier = deltroo_1
            Acct-Session-Id = 43a926ed
            NAS-Port-Type = Wireless-802.11
            NAS-Port = 0
            Message-Authenticator = 0xf7d949b9e72693fe8c1f85e47afe3131
            WISPr-Logoff-URL = http://192.168.182.1:3990/logoff
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
      modcall[authorize]: module preprocess returns ok for request 0
    radius_xlat: '/var/log/radius/radacct/172.16.0.2/auth-detail-20051221'
    rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
      modcall[authorize]: module auth_log returns ok for request 0
      rlm_chap: Setting 'Auth-Type := CHAP'
      modcall[authorize]: module chap returns ok for request 0
      modcall[authorize]: module mschap returns noop for request 0
    radius_xlat: '/etc/raddb/scripts/authorize prepaid1'
    Exec-Program: /etc/raddb/scripts/authorize prepaid1
    Exec-Program output: Post-Auth-Type := new_prepaid_account Password == test
    Exec-Program-Wait: plaintext: Post-Auth-Type := new_prepaid_account Password == test
    Exec-Program: returned: 0
      modcall[authorize]: module authorize_prepaid_account returns ok for request 0
        users: Matched entry DEFAULT at line 148
      modcall[authorize]: module files returns ok for request 0
    radius_xlat: 'prepaid1'
    rlm_sql (sql): sql_set_user escaped user -- 'prepaid1'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'prepaid1' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql (sql): User prepaid1 not found in radcheck
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM ...
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM ...
    rlm_sql (sql): User prepaid1 not found in radgroupcheck
    rlm_sql (sql): User not found
    rlm_sql (sql): Released sql socket id: 4
      modcall[authorize]: module sql returns notfound for request 0
    radius_xlat: '/etc/raddb/scripts/dump prepaid1'
    Exec-Program: /etc/raddb/scripts/dump prepaid1
    Exec-Program output: Reply-Message += Dump script executed
    Exec-Program-Wait: value-pairs: Reply-Message += Dump script executed
    Exec-Program: returned: 0
      modcall[authorize]: module dump returns ok for request 0
    modcall: group authorize returns ok for request 0
      rad_check_password: Found Auth-Type CHAP
    auth: type CHAP
      Processing the authenticate section of radiusd.conf
    modcall: entering group Auth-Type for request 0
Re: Problem writing config attributes from script
Alan, thanks for your help.

I've read the rlm_exec documentation in the configuration file before posting on the list. As you can see, I actually run two scripts in the authorization section. The first script to run is authorize_prepaid_account, which is correctly set to output to config, as per the documentation. Then, I run a second script called dump, just to write environment variables to a file (to see what's going on). dump does not output any pairs, so whether it's set to write to reply or config should not have an impact.

When I play around with what the authorize_prepaid_account script is doing, I can reproduce this strange behavior:

1- If authorize_prepaid_account only outputs Password = X, then everything works fine. I can authorize/authenticate. My dump file shows that Password = was correctly written to config attributes.

2- If I modify authorize_prepaid_account to output two pairs instead of just Password =, i.e. something like

    Post-Auth-Type = THIRD_SCRIPT
    Password = X

I cannot authenticate. Chap authentication fails (see debug log below). My dump file shows that the output of authorize_prepaid_account was not taken into account. (No Post-Auth-Type, no password written to config = chap fails)

The server is running with the exact same configuration in case 1 and case 2. I'm just commenting out lines in my script manually. Am I missing something about the correct format for a script output? I guess it's one pair per line?

I'm using freeradius 1.0.5

= radius.log

    exec authorize_prepaid_account {
        wait = yes
        program = "/etc/raddb/scripts/authorize %{User-Name}"
        output_pairs = config
        packet_type = Access-Request
    }
    exec dump {
        wait = yes
        program = "/etc/raddb/scripts/dump %{User-Name}"
        input_pairs = config
        output_pairs = reply
        packet_type = Access-Request
    }
    authorize {
        preprocess
        auth_log
        chap
        mschap
        authorize_prepaid_account
        files
        sql
        dump
    }

= Daemon debug output

     exec: wait = yes
     exec: program = /etc/raddb/scripts/authorize %{User-Name}
     exec: input_pairs = request
     exec: output_pairs = config
     exec: packet_type = Access-Request
    ...
     exec: wait = yes
     exec: program = /etc/raddb/scripts/dump %{User-Name}
     exec: input_pairs = config
     exec: output_pairs = reply
     exec: packet_type = Access-Request
    ...
      Processing the authenticate section of radiusd.conf
    modcall: entering group Auth-Type for request 0
      rlm_chap: login attempt by prepaid1 with CHAP password
      rlm_chap: Could not find clear text password for user prepaid1
      modcall[authenticate]: module chap returns invalid for request 0
    modcall: group Auth-Type returns invalid for request 0
    auth: Failed to validate the user.
    Login incorrect (rlm_chap: Clear text password not available): [prepaid1/CHAP-Password] (from client WRT54G port 0 cli 00-04-23-6C-89-87)

On 12/21/05, Alan DeKok [EMAIL PROTECTED] wrote:
> Yannick Deltroo [EMAIL PROTECTED] wrote:
>> However these config attributes are not taken into account for processing by other modules.
>
> Because you're putting the attributes into the reply item list, not the config item list.
>
>> Module: Instantiated exec (authorize_prepaid_account)
>> ...
>>  exec: wait = yes
>>  exec: program = /etc/raddb/scripts/dump %{User-Name}
>>  exec: input_pairs = config
>>  exec: output_pairs = reply
>
> See? Change output_pairs to config, and it should work. The documentation for rlm_exec explains this.
>
> Alan DeKok.
Re: Problem writing config attributes from script
Does not work any better with , or ; or between the pairs. After the script is executed, the config environment variables do not contain the output of the script:

    AUTH_TYPE=CHAP
    PWD=/root
    SHLVL=1
    _=/usr/bin/printenv

If I only write a Password=XXX from the script, the output is taken into account. See the env variables then:

    PASSWORD=test
    AUTH_TYPE=CHAP
    PWD=/root
    SHLVL=1
    _=/usr/bin/printenv

My tests show that the only pair accepted from the script is Password = X. Any other single attribute is just ignored. Could it be a problem with attribute dictionaries?

On 12/21/05, Alan DeKok [EMAIL PROTECTED] wrote:
> Yannick Deltroo [EMAIL PROTECTED] wrote:
>> of just Password =, i.e. something like
>>     Post-Auth-Type = THIRD_SCRIPT
>>     Password = X
>> I cannot authenticate. Chap authentication fails (see debug log below)
>
> Put a , in between the two items, just like you do in the users file.
>
> Alan DeKok.