Re: Problems with Huntgroup

2012/6/6 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> Good idea, I've tried appending %{EAP-Type) to detail.log
>
> What does that mean?
>
>> but it is sending nothing, e.g.:
>>
>> auth-detail-AP-XXX-DEFAULT--20120606
>>
>> Between - and - is nothing (Neither TTLS nor PEAP appears)
>
> As *ALWAYS*, read the debug output.
>
> You're very dedicated to giving as little information as possible. Why?

OK, you're right; in my next message I will include it :)

> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Sergio Belkin
http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
Re: Problems with Huntgroup

2012/6/6 Matthew Newton m...@leicester.ac.uk:
> On Wed, Jun 06, 2012 at 03:56:54PM -0300, Sergio Belkin wrote:
>> Good idea, I've tried appending %{EAP-Type) to detail.log, but it is
>> sending nothing, e.g.:
>>
>> auth-detail-AP-XXX-DEFAULT--20120606
>>
>> Between - and - is nothing (Neither TTLS nor PEAP appears)
>
> You've not really explained what you've done. However, I *guess* that
> you have added %{EAP-Type} to the filename (detailfile) in the detail
> config.

Yes, you guess well.

> Look, though, where detail is getting called, and where eap is called,
> in the authorize section. It goes in order. The eap module sets
> EAP-Type, detail is called before. So you need to call the log after
> eap. But the gotcha is that eap will short circuit the return in the
> challenges, so you won't call the detail module if you put it after
> eap.

Nice to know it :)

> I'd suggest you let all the incoming logs go to a single location
> where they are, then you add a new detail (or linelog) module to
> post-auth. That can use %{EAP-Type}, as it's *after* EAP has happened.

I've tested it and it works, nice! But please keep on reading:

> Alternatively, you can use my other suggestion anywhere you like. If
> you pick data out of EAP-Message yourself, you get to do what you want
> with it (and keep the shards when it shatters). Totally untested
> unlang.
>
>   # The EAP Type byte follows Code, Identifier and the 2-octet Length,
>   # i.e. it starts after "0x" plus 8 hex digits.
>   if (%{EAP-Message} =~ /^0x[0-9a-fA-F]{8}19/) {
>     detail_log_peap
>   }
>   elsif (%{EAP-Message} =~ /^0x[0-9a-fA-F]{8}15/) {
>     detail_log_ttls
>   }
>   else {
>     detail_log_other
>   }
>
> Note that things *will* hit detail_log_other. EAP Identity, for
> instance, before the eap type has been agreed. If you do this in the
> inner server, be prepared for unexpectedness. In short, understand EAP
> first.

Good, but it sounds somewhat complex :)

> I just chuck the raw data out with detail and leave it be. The useful
> stuff is pristinely formatted with gentle loving care by the linelog
> module, where it sits in a nice greppable format for me. One log
> entry, in post-auth, after the useful stuff happened. Any more detail
> needed? Just go to the dirty detail log and dig it out. Happens so
> rarely it wouldn't matter if it was in binary format and had to be
> read with a hex editor in Windows...

Wow, linelog seems interesting; I've tried it, but it is only logging
Access-Request, why?

I add my debug output (I plan to get rid of the inner-tunnel-peap file):

FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on Jan 3 2012 at 16:18:16
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb-testing/radiusd.conf
including configuration file /etc/raddb-testing/proxy.conf
including configuration file /etc/raddb-testing/clients.conf
including files in directory /etc/raddb-testing/modules/
including configuration file /etc/raddb-testing/modules/chap
including configuration file /etc/raddb-testing/modules/mschap
including configuration file /etc/raddb-testing/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb-testing/modules/exec
including configuration file /etc/raddb-testing/modules/realm
including configuration file /etc/raddb-testing/modules/checkval
including configuration file /etc/raddb-testing/modules/rediswho
including configuration file /etc/raddb-testing/modules/passwd
including configuration file /etc/raddb-testing/modules/attr_filter
including configuration file /etc/raddb-testing/modules/linelog
including configuration file /etc/raddb-testing/modules/wimax
including configuration file /etc/raddb-testing/modules/pam
including configuration file /etc/raddb-testing/modules/inner-eap
including configuration file /etc/raddb-testing/modules/echo
including configuration file /etc/raddb-testing/modules/soh
including configuration file /etc/raddb-testing/modules/replicate
including configuration file /etc/raddb-testing/modules/acct_unique
including configuration file /etc/raddb-testing/modules/etc_group
including configuration file /etc/raddb-testing/modules/pap
including configuration file /etc/raddb-testing/modules/expr
including configuration file /etc/raddb-testing/modules/smbpasswd
including configuration file /etc/raddb-testing/modules/attr_rewrite
including configuration file /etc/raddb-testing/modules/radutmp
including configuration file /etc/raddb-testing/modules/mac2ip
including configuration file /etc/raddb-testing/modules/logintime
including configuration file /etc/raddb-testing/modules/sql_log
including configuration file /etc/raddb-testing/modules/smsotp
including configuration file /etc/raddb-testing/modules/preprocess
including configuration file /etc/raddb-testing/modules/policy
including configuration file /etc/raddb-testing/modules/cui
including configuration file /etc/raddb-testing/modules/perl
Re: Problems with Huntgroup

On Thu, Jun 07, 2012 at 12:59:24PM -0300, Sergio Belkin wrote:
>> I just chuck the raw data out with detail and leave it be. The useful
>> stuff is pristinely formatted with gentle loving care by the linelog
>> module, where it sits in a nice greppable format for
>
> Wow, linelog seems interesting; I've tried it, but it is only logging
> Access-Request, why?

You didn't call it in the accounting{} section?

You won't get an EAP-Type in accounting, though. There's no EAP
involved there.

Matthew

> rad_recv: Accounting-Request packet from host 10.129.85.1 port 39402, id=192, length=199
>         Acct-Session-Id = 0026-003A
>         Acct-Status-Type = Stop
>         Acct-Authentic = RADIUS
>         User-Name = fsaze1
>         NAS-Identifier = AP-PVIII-V
>         NAS-Port = 4
>         Called-Station-Id = 00-23-69-49-06-2C:sarlanga-I
>         Calling-Station-Id = 60-FA-CD-42-C0-CE
>         NAS-Port-Type = Wireless-802.11
>         Connect-Info = CONNECT 54Mbps 802.11g
>         Acct-Session-Time = 30
>         Acct-Input-Packets = 98
>         Acct-Output-Packets = 26
>         Acct-Input-Octets = 11164
>         Acct-Output-Octets = 7989
>         Event-Timestamp = Jun 7 2012 10:37:44 ART
>         Acct-Terminate-Cause = User-Request
> # Executing section preacct from file /etc/raddb-testing/sites-enabled/default
> +- entering group preacct {...}
> ++[preprocess] returns ok
> [acct_unique] Hashing 'NAS-Port = 4,Client-IP-Address = 10.129.85.1,NAS-IP-Address = 10.129.85.1,Acct-Session-Id = 0026-003A,User-Name = fsaze1'
> [acct_unique] Acct-Unique-Session-ID = 66c3a7d6e3d79d1a.
> ++[acct_unique] returns ok
> [suffix] No '@' in User-Name = fsaze1, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> ++[files] returns noop
> # Executing section accounting from file /etc/raddb-testing/sites-enabled/default
> +- entering group accounting {...}
> [detail] expand: /usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607
> [detail] /usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607
> [detail] expand: %t -> Thu Jun 7 10:37:44 2012
> ++[detail] returns ok
> ++[unix] returns ok
> [radutmp] expand: /usr/local-test/var/log/radius/radutmp -> /usr/local-test/var/log/radius/radutmp
> [radutmp] expand: %{User-Name} -> fsaze1
> ++[radutmp] returns ok
> ++[exec] returns noop
> [attr_filter.accounting_response] expand: %{User-Name} -> fsaze1
> attr_filter: Matched entry DEFAULT at line 12
> ++[attr_filter.accounting_response] returns updated
> Sending Accounting-Response of id 192 to 10.129.85.1 port 39402
> Finished request 0.
> End of Output

--
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Problems with Huntgroup

2012/6/5 Matthew Newton m...@leicester.ac.uk:
> On Mon, Jun 04, 2012 at 11:43:07AM -0300, Sergio Belkin wrote:
>> 2012/6/4 Alan DeKok al...@deployingradius.com:
>>> The debug for the inner-tunnel *clearly* shows NOT using the files module.
>>
>> So, sorry for the stupid questions but how can I do that? It's true
>> what you say about debug output, but files is in the inner-tunnel
>> configuration; I tried putting files above chap, but it doesn't
>> change anything.
>
> Look at /etc/raddb-testing/sites-enabled/inner-tunnel-peap
>
> You've changed the config, added this file, and not added the files
> module to it.

How is a module added?

>> My current file is:
>
> That's probably /etc/raddb-testing/sites-enabled/inner-tunnel instead.

Yes, it is.

> Using different inner-tunnel configs for TTLS and PEAP is just going
> to cause you pain, unless you REALLY know what you're letting yourself
> in for. Go back to the default config and use the same for both.

I've added these files because I like to separate logs when supplicants
are using PEAP or TTLS. Is there a better way of doing that?

> The debug output doesn't lie. If it says the module isn't being called
> when you've just added it, then the module is not being called and
> you're configuring things in the wrong place.

I don't blame debug :) I want to learn. Sorry, but I repeat the
question: how is a module added? Because the files statement is present
in both files /etc/raddb-testing/sites-enabled/inner-tunnel-peap and
/etc/raddb-testing/sites-enabled/inner-tunnel

Thanks again

> Cheers,
>
> Matthew
> --
> Matthew Newton, Ph.D. m...@le.ac.uk

--
Sergio Belkin
Re: Problems with Huntgroup

On Wed, Jun 06, 2012 at 10:28:27AM -0300, Sergio Belkin wrote:
> I've added these files because I like to separate logs when
> supplicants are using PEAP or TTLS.

I'd still use just one file, and filter the logs instead.

> Is there a better way of doing that?

There may be several ways. The first one that comes to mind is just
pulling the EAP type out of the EAP-Message attributes. PEAP
connections will have an EAP-Message attribute that matches the regexp
/^0x19/, whereas TTLS connections will match /^0x15/.

Alternatively, and probably easier in the long run, add %{EAP-Type} to
linelog, so you get the name directly in your logs. Add it in the
outer, and you'll see TTLS or PEAP. Add it in the inner, and you'll see
the inner EAP type, such as MS-CHAP-V2.

> I want to learn. Sorry, but I repeat the question: how is a module
> added? Because the files statement is present in both files
> /etc/raddb-testing/sites-enabled/inner-tunnel-peap and
> /etc/raddb-testing/sites-enabled/inner-tunnel

Apologies - you're right, it is being called.

  ++[files] returns noop

Add 'preprocess' to the top of the authorize{} section in your
inner-tunnel-peap / inner-tunnel files. That's the module that checks
huntgroups.

Cheers,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
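Matthew's first suggestion keys the log on the EAP method type carried inside EAP-Message. What follows is an added example written for this edit, not code from the thread or from FreeRADIUS: a small Python decoder for the `0x...` hex rendering that FreeRADIUS's `%{EAP-Message}` xlat produces, using the EAP header layout from RFC 3748 (Code, Identifier, two-octet Length, then Type). Because of that layout the method type is the fifth byte of the attribute, not the first, and the decoder routes PEAP (0x19) and TTLS (0x15) to the two log targets of the unlang sketch and everything else (Identity, NAK, Success/Failure, inner methods) to `detail_log_other`, the cases Matthew warns will land there. The sample attribute values, the function names and the `first_byte_regex_matches` helper are constructed for the example.

```python
"""Classify the EAP method carried in a RADIUS EAP-Message attribute.

Added example (not FreeRADIUS code, not from the list thread): it decodes
the "0x..." hex rendering that FreeRADIUS's %{EAP-Message} xlat produces
and mirrors the decision in the unlang sketch, with the EAP header decoded
properly. All sample values below are constructed.
"""
import re
import struct
from typing import Optional, Tuple

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2

# EAP method Type numbers (RFC 3748 for 1..3, IANA EAP registry for the rest).
EAP_TYPE_NAMES = {
    1: "identity",
    2: "notification",
    3: "nak",
    21: "ttls",       # 0x15
    25: "peap",       # 0x19
    26: "mschapv2",   # the usual inner method behind PEAP
}


def parse_eap_message(value: str) -> Tuple[int, int, int, Optional[int]]:
    """Decode (code, identifier, length, type) from "0x<hex>" as printed by
    %{EAP-Message}. Only Request/Response packets carry a Type byte; for
    Success/Failure (or a packet too short to hold one) type is None."""
    if not value.startswith("0x"):
        raise ValueError("expected FreeRADIUS octets rendering starting with 0x")
    raw = bytes.fromhex(value[2:])
    if len(raw) < 4:
        raise ValueError("EAP header needs Code, Identifier and Length (4 octets)")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # A large EAP packet is split over several EAP-Message attributes, so
    # `length` may exceed len(raw); the header and the Type byte are always
    # in the first fragment, which is all this decoder needs.
    eap_type = None
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE) and len(raw) >= 5:
        eap_type = raw[4]
    return code, ident, length, eap_type


def eap_type_name(value: str) -> str:
    """Human-readable method name, or 'none' when the packet carries no Type."""
    _, _, _, eap_type = parse_eap_message(value)
    if eap_type is None:
        return "none"
    return EAP_TYPE_NAMES.get(eap_type, f"type-{eap_type}")


def detail_target(value: str) -> str:
    """The log target the unlang sketch would pick: PEAP, TTLS, or everything
    else (Identity, NAK, Success/Failure, inner methods ...)."""
    _, _, _, eap_type = parse_eap_message(value)
    if eap_type == 25:
        return "detail_log_peap"
    if eap_type == 21:
        return "detail_log_ttls"
    return "detail_log_other"


def first_byte_regex_matches(value: str, hex_byte: str = "19") -> bool:
    """What a regexp anchored at the start of the string actually tests: the
    first byte of EAP-Message is the Code (1 = Request, 2 = Response), not
    the method Type, so /^0x19/ does not match a well-formed PEAP packet."""
    return re.match(r"^0x" + hex_byte, value, re.IGNORECASE) is not None


# Constructed samples: Code, Identifier, Length, Type, payload.
SAMPLES = {
    "peap start request": "0x010200061920",          # 01 02 0006 19 20 (Start flag)
    "ttls response":      "0x020300061500",          # 02 03 0006 15 00
    "identity response":  "0x0201000a017573657231",  # 02 01 000a 01 "user1"
    "eap success":        "0x03050004",              # 03 05 0004 (no Type byte)
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:20} type={eap_type_name(value):9} -> {detail_target(value)}"
              f"   /^0x19/ matches: {first_byte_regex_matches(value)}")
```

Run as a script it prints one line per sample; the `/^0x19/` column is `False` for every well-formed packet, which is the practical reason to decode the header (or to use `%{EAP-Type}` after the eap module has run) rather than pattern-match the first byte.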
Re: Problems with Huntgroup

2012/6/6 Matthew Newton m...@leicester.ac.uk:
> On Wed, Jun 06, 2012 at 10:28:27AM -0300, Sergio Belkin wrote:
>> I've added these files because I like to separate logs when
>> supplicants are using PEAP or TTLS.
>
> I'd still use just one file, and filter the logs instead.
>
>> Is there a better way of doing that?
>
> There may be several ways. The first one that comes to mind is just
> pulling the EAP type out of the EAP-Message attributes. PEAP
> connections will have an EAP-Message attribute that matches the regexp
> /^0x19/, whereas TTLS connections will match /^0x15/.
>
> Alternatively, and probably easier in the long run, add %{EAP-Type} to
> linelog, so you get the name directly in your logs. Add it in the
> outer, and you'll see TTLS or PEAP. Add it in the inner, and you'll see
> the inner EAP type, such as MS-CHAP-V2.

Good idea, I've tried appending %{EAP-Type) to detail.log, but it is
sending nothing, e.g.:

auth-detail-AP-XXX-DEFAULT--20120606

Between - and - is nothing (Neither TTLS nor PEAP appears)

>> I want to learn. Sorry, but I repeat the question: how is a module
>> added? Because the files statement is present in both files
>> /etc/raddb-testing/sites-enabled/inner-tunnel-peap and
>> /etc/raddb-testing/sites-enabled/inner-tunnel
>
> Apologies - you're right, it is being called.
>
>   ++[files] returns noop

:-)

> Add 'preprocess' to the top of the authorize{} section in your
> inner-tunnel-peap / inner-tunnel files. That's the module that checks
> huntgroups.

Thanks guys, it did it! I just realized that modules must be appended
in inner-tunnel files to load them :)

TIA

> Cheers,
>
> Matthew
> --
> Matthew Newton, Ph.D. m...@le.ac.uk

--
Sergio Belkin
Re: Problems with Huntgroup

Sergio Belkin wrote:
> Good idea, I've tried appending %{EAP-Type) to detail.log

What does that mean?

> but it is sending nothing, e.g.:
>
> auth-detail-AP-XXX-DEFAULT--20120606
>
> Between - and - is nothing (Neither TTLS nor PEAP appears)

As *ALWAYS*, read the debug output.

You're very dedicated to giving as little information as possible. Why?

Alan DeKok.
Re: Problems with Huntgroup

On Wed, Jun 06, 2012 at 03:56:54PM -0300, Sergio Belkin wrote:
> Good idea, I've tried appending %{EAP-Type) to detail.log, but it is
> sending nothing, e.g.:
>
> auth-detail-AP-XXX-DEFAULT--20120606
>
> Between - and - is nothing (Neither TTLS nor PEAP appears)

You've not really explained what you've done. However, I *guess* that
you have added %{EAP-Type} to the filename (detailfile) in the detail
config.

Look, though, where detail is getting called, and where eap is called,
in the authorize section. It goes in order. The eap module sets
EAP-Type, detail is called before. So you need to call the log after
eap. But the gotcha is that eap will short circuit the return in the
challenges, so you won't call the detail module if you put it after
eap.

I'd suggest you let all the incoming logs go to a single location
where they are, then you add a new detail (or linelog) module to
post-auth. That can use %{EAP-Type}, as it's *after* EAP has happened.

Alternatively, you can use my other suggestion anywhere you like. If
you pick data out of EAP-Message yourself, you get to do what you want
with it (and keep the shards when it shatters). Totally untested
unlang.

  # The EAP Type byte follows Code, Identifier and the 2-octet Length,
  # i.e. it starts after "0x" plus 8 hex digits.
  if (%{EAP-Message} =~ /^0x[0-9a-fA-F]{8}19/) {
    detail_log_peap
  }
  elsif (%{EAP-Message} =~ /^0x[0-9a-fA-F]{8}15/) {
    detail_log_ttls
  }
  else {
    detail_log_other
  }

Note that things *will* hit detail_log_other. EAP Identity, for
instance, before the eap type has been agreed. If you do this in the
inner server, be prepared for unexpectedness. In short, understand EAP
first.

I just chuck the raw data out with detail and leave it be. The useful
stuff is pristinely formatted with gentle loving care by the linelog
module, where it sits in a nice greppable format for me. One log
entry, in post-auth, after the useful stuff happened. Any more detail
needed? Just go to the dirty detail log and dig it out. Happens so
rarely it wouldn't matter if it was in binary format and had to be
read with a hex editor in Windows...
Re: Problems with Huntgroup

>> Add 'preprocess' to the top of the authorize{} section in your
>> inner-tunnel-peap / inner-tunnel files. That's the module that checks
>> huntgroups.
>
> Thanks guys, it did it! I just realized that modules must be appended
> in inner-tunnel files to load them :)

Yeah, that's why it's called a virtual server. It's treated the same as
the default server, the flow is the same. No module listed there? It
doesn't happen.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Re: Problems with Huntgroup

On Mon, Jun 04, 2012 at 11:43:07AM -0300, Sergio Belkin wrote:
> 2012/6/4 Alan DeKok al...@deployingradius.com:
>> The debug for the inner-tunnel *clearly* shows NOT using the files module.
>
> So, sorry for the stupid questions but how can I do that? It's true
> what you say about debug output, but files is in the inner-tunnel
> configuration; I tried putting files above chap, but it doesn't
> change anything.

Look at /etc/raddb-testing/sites-enabled/inner-tunnel-peap

You've changed the config, added this file, and not added the files
module to it.

> My current file is:

That's probably /etc/raddb-testing/sites-enabled/inner-tunnel instead.

Using different inner-tunnel configs for TTLS and PEAP is just going
to cause you pain, unless you REALLY know what you're letting yourself
in for. Go back to the default config and use the same for both.

The debug output doesn't lie. If it says the module isn't being called
when you've just added it, then the module is not being called and
you're configuring things in the wrong place.

Cheers,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Re: Problems with Huntgroup

Sergio Belkin wrote:
> I've appended something like this to the huntgroups file:
>
>   mb    NAS-IP-Address == 10.129.189.1
>   mb    NAS-IP-Address == 10.129.84.1
>   mb    Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I
>
> And in the users file:
>
>   pruebita    Huntgroup-Name == mb,Cleartext-Password := pruebon
>
> But it is not working: user pruebita does not get an Access-Accept.
> Please could you help me to solve it?

You edited the default configuration and broke it. Don't do that.

You've set copy_request_to_tunnel, which is good. It means that the
huntgroup check will work.

You've deleted files from raddb/sites-available/inner-tunnel. That's
why it doesn't work. Add it back, and it will work.

In 2.1.12, read the comments at the top of
raddb/sites-available/inner-tunnel. It tells you how to test the
inner-tunnel configuration. It tells you what NOT to do. i.e. testing
PEAP before testing that the inner-tunnel config works.

Alan DeKok.
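Alan's answer turns on two things: the preprocess module answering the `Huntgroup-Name` check against the huntgroups file, and `copy_request_to_tunnel` making the outer request's attributes visible inside the tunnel. As an added example (not FreeRADIUS code and not from anyone in the thread), here is a small Python model of both: it parses huntgroups lines in the format quoted above, evaluates a users entry's `Huntgroup-Name == mb` check against a request, and shows that the same entry fails in the inner tunnel when the NAS attributes are not copied there. The `lab` group, the request dictionaries and all function names are constructed for the example; the real check in FreeRADIUS also supports comparison operators other than `==` and `!=`, which this model leaves out.

```python
"""Model of the Huntgroup-Name check that FreeRADIUS's preprocess module provides.

Added example, not code from FreeRADIUS or from anyone in the thread: a small
Python model of how lines in raddb/huntgroups are matched against a request,
how a users-file check item such as "Huntgroup-Name == mb" uses that match,
and why the check only succeeds in the inner tunnel when the outer request's
attributes are copied there. The huntgroups text, the users entry and the
request attributes are constructed samples (the "mb" lines reuse the values
quoted in the thread; the "lab" group is invented).
"""
import re
from typing import Dict, List, Tuple

CheckItem = Tuple[str, str, str]            # (attribute, operator, value)
HuntgroupEntry = Tuple[str, List[CheckItem]]

HUNTGROUPS_TEXT = """\
# constructed sample in the raddb/huntgroups format: <name>  <check items>
mb   NAS-IP-Address == 10.129.189.1
mb   NAS-IP-Address == 10.129.84.1
mb   Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I
lab  NAS-IP-Address == 10.129.85.1, Called-Station-Id == 00-23-69-49-06-2C:sarlanga-I
"""

# Only == and != are modelled; values containing a comma are not supported.
_ITEM_RE = re.compile(r"^\s*([\w-]+)\s*(==|!=)\s*(.+?)\s*$")


def parse_huntgroups(text: str) -> List[HuntgroupEntry]:
    """Parse huntgroups lines. Several lines may share a name (any one of them
    may match); the comma-separated items on a single line must all match."""
    entries: List[HuntgroupEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"huntgroups line needs a name and check items: {raw!r}")
        name, items_text = parts
        items: List[CheckItem] = []
        for item in items_text.split(","):
            m = _ITEM_RE.match(item)
            if not m:
                raise ValueError(f"unsupported check item: {item.strip()!r}")
            items.append((m.group(1), m.group(2), m.group(3)))
        entries.append((name, items))
    return entries


def huntgroup_matches(request: Dict[str, str], entries: List[HuntgroupEntry], name: str) -> bool:
    """True if any huntgroups line named `name` has all of its items satisfied
    by `request`. An attribute absent from the request never satisfies an item."""
    for entry_name, items in entries:
        if entry_name != name:
            continue
        satisfied = True
        for attr, op, value in items:
            actual = request.get(attr)
            if actual is None or (op == "==") != (actual == value):
                satisfied = False
                break
        if satisfied:
            return True
    return False


# The users entry quoted in the thread, as the files module would read it:
#   pruebita  Huntgroup-Name == mb, Cleartext-Password := pruebon
USERS_ENTRY = {"User-Name": "pruebita", "Huntgroup-Name": "mb", "Cleartext-Password": "pruebon"}


def users_entry_applies(request: Dict[str, str], entries: List[HuntgroupEntry],
                        entry: Dict[str, str] = USERS_ENTRY) -> bool:
    """Model of the files module checking one users entry: the name must match
    and the Huntgroup-Name check item is answered by the huntgroups lookup."""
    if request.get("User-Name") != entry["User-Name"]:
        return False
    return huntgroup_matches(request, entries, entry["Huntgroup-Name"])


def inner_tunnel_request(outer: Dict[str, str], copy_request_to_tunnel: bool) -> Dict[str, str]:
    """The request the inner-tunnel virtual server sees. Without
    copy_request_to_tunnel = yes, essentially only what the supplicant sends
    inside the TLS tunnel (here: the identity) is present, so NAS-* and
    Called-Station-Id are missing and no huntgroup can match."""
    if copy_request_to_tunnel:
        return dict(outer)
    return {"User-Name": outer["User-Name"]}


OUTER_REQUEST = {  # constructed: what the access point sends in Access-Request
    "User-Name": "pruebita",
    "NAS-IP-Address": "10.129.84.1",
    "Called-Station-Id": "00-1B-7E-DC-AB-1A:UP-PVIII-I",
}

if __name__ == "__main__":
    entries = parse_huntgroups(HUNTGROUPS_TEXT)
    print("outer request:          ", users_entry_applies(OUTER_REQUEST, entries))
    print("inner, attributes not copied:",
          users_entry_applies(inner_tunnel_request(OUTER_REQUEST, False), entries))
    print("inner, attributes copied:    ",
          users_entry_applies(inner_tunnel_request(OUTER_REQUEST, True), entries))
```

The `lab` line shows the AND semantics of several items on one line, while the three `mb` lines show the OR semantics of repeated names; the last two printed lines are the `copy_request_to_tunnel` point Alan makes.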
Re: Problems with Huntgroup

2012/6/4 Alan DeKok al...@deployingradius.com:
> Sergio Belkin wrote:
>> I've appended something like this to the huntgroups file:
>>
>>   mb    NAS-IP-Address == 10.129.189.1
>>   mb    NAS-IP-Address == 10.129.84.1
>>   mb    Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I
>>
>> And in the users file:
>>
>>   pruebita    Huntgroup-Name == mb,Cleartext-Password := pruebon
>>
>> But it is not working: user pruebita does not get an Access-Accept.
>> Please could you help me to solve it?
>
> You edited the default configuration and broke it. Don't do that.
>
> You've set copy_request_to_tunnel, which is good. It means that the
> huntgroup check will work.
>
> You've deleted files from raddb/sites-available/inner-tunnel. That's
> why it doesn't work. Add it back, and it will work.
>
> In 2.1.12, read the comments at the top of
> raddb/sites-available/inner-tunnel. It tells you how to test the
> inner-tunnel configuration. It tells you what NOT to do. i.e. testing
> PEAP before testing that the inner-tunnel config works.
>
> Alan DeKok.

Thanks Alan for your answer. I haven't deleted anything with respect to
the default configuration files:

32,36c32,36
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
---
#listen {
# ipaddr = 127.0.0.1
# port = 18120
# type = auth
#}
142c142
# ldap
---
ldap
230,232c230,232
# Auth-Type LDAP {
# ldap
# }
---
Auth-Type LDAP {
ldap
}
271a272,274
# Sergio
reply_log
376a380,382
# Sergio
post_proxy_log

Did I miss something?

Thanks in advance

--
Sergio Belkin
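Review bot: the 32,36c32,36 hunk does not say which side is your file, because the diff is pasted without its `<`/`>` line markers or the command line that produced it; if the commented-out block (`#listen {` ... `#}`) is your copy, the inner tunnel no longer listens on 127.0.0.1 port 18120, and that socket is what lets you send radtest packets straight at the inner-tunnel virtual server, the test Alan says the file's header comments describe. State the diff order (`diff default yours` or the reverse) and keep the listen section enabled while you are debugging.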
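Review bot: the 142c142 and 230,232c230,232 hunks only uncomment `ldap` in authorize and the `Auth-Type LDAP { ldap }` block in authenticate; nothing in this diff touches the files module, so it cannot settle whether `files` is present in the authorize section of the virtual server the debug output came from, and you have two candidates under sites-enabled (inner-tunnel and inner-tunnel-peap). Post the authorize section of that exact file together with the debug run for an inner-tunnel request instead of the diff.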
Re: Problems with Huntgroup

Sergio Belkin wrote:
> I haven't deleted anything with respect to the default configuration
> files:

shrug

You can believe what you want, or you can believe the server output.

> Did I miss something?

The debug for the inner-tunnel *clearly* shows NOT using the files
module. Go fix that.

Alan DeKok.
Re: Problems with Huntgroup

2012/6/4 Alan DeKok al...@deployingradius.com:
> The debug for the inner-tunnel *clearly* shows NOT using the files module.

So, sorry for the stupid questions but how can I do that? It's true
what you say about debug output, but files is in the inner-tunnel
configuration; I tried putting files above chap, but it doesn't change
anything.

Please could you help me? I've read the file and output, and also run
radtest, but I can't figure out what I should do.

My current file is:

listen {
       ipaddr = 127.0.0.1
       port = 18121
       type = auth
}

authorize {
       chap
       mschap
       suffix
       update control {
               Proxy-To-Realm := LOCAL
       }
       eap {
               ok = return
       }
       files
       ldap
       expiration
       logintime
       pap
}

authenticate {
       Auth-Type PAP {
               pap
       }
       Auth-Type CHAP {
               chap
       }
       Auth-Type MS-CHAP {
               mschap
       }
       unix
       Auth-Type LDAP {
               ldap
       }
       eap
}

session {
       radutmp
}

post-auth {
       reply_log
       Post-Auth-Type REJECT {
               attr_filter.access_reject
       }
}

pre-proxy {
}

post-proxy {
       post_proxy_log
       eap
}
EOF

Thanks in advance!

--
Sergio Belkin
Re: Problems with Huntgroup

Sergio Belkin wrote:
> 2012/6/4 Alan DeKok al...@deployingradius.com:
>> The debug for the inner-tunnel *clearly* shows NOT using the files module.
>
> So, sorry for the stupid questions but how can I do that?

If it's in the file, it's used.

> It's true what you say about debug output, but files is in the
> inner-tunnel configuration; I tried putting files above chap, but it
> doesn't change anything.

OK.

> Please could you help me? I've read the file and output, and also run
> radtest, but I can't figure out what I should do?

Run radtest until it works. As input, use the packets the server prints
out in debugging mode. Change the server configuration until it works.

The whole *point* of debugging mode is to tell you what's going on.
The point of printing out the packets is so that you can use them for
testing.

Alan DeKok.