Re: Problems with Huntgroup
2012/6/6 Alan DeKok al...@deployingradius.com:
Sergio Belkin wrote:
Good idea, I've tried appending %{EAP-Type) that to detail.log
What does that mean?
but
sending nothing
eg:
auth-detail-AP-XXX-DEFAULT--20120606
Between - and - is nothing (Neither TTLS nor PEAP appears)
As *ALWAYS*, read the debug output.
You're very dedicated to giving as little information as possible. Why?
OK, you're right in my next message I will include it :)
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with Huntgroup
2012/6/6 Matthew Newton m...@leicester.ac.uk:
On Wed, Jun 06, 2012 at 03:56:54PM -0300, Sergio Belkin wrote:
Good idea, I've tried appending %{EAP-Type) that to detail.log but
sending nothing
eg:
auth-detail-AP-XXX-DEFAULT--20120606
Between - and - is nothing (Neither TTLS nor PEAP appears)
You've not really explained what you've done.
However, I *guess* that you have added %{EAP-Type} to the filename
(detailfile) in the detail config.
Yes, you guess well
Look, though, where detail is getting called, and where eap is
called, in the authorize section. It goes in order. The eap module
sets EAP-Type, detail is called before.
So you need to call the log after eap. But the gotcha is that eap
will short circuit the return in the challenges, so you won't call
the detail module if you put it after eap.
Nice to know it :)
I'd suggest you let all the incoming logs go to a single location
where they are, then you add a new detail (or linelog) module to
post-auth. That can use %{EAP-Type}, as it's *after* EAP has
happened.
I've tested it and works, nice! But please keep on reading:
Alternatively, you can use my other suggestion anywhere you like.
If you pick data out of EAP-Message yourself, you get to do what
you want with it (and keep the shards when it shatters).
Totally untested unlang.
if (%{EAP-Message} =~ /^0x19/) {
detail_log_peap
}
elsif (%{EAP-Message} =~ /^0x15/) {
detail_log_ttls
}
else {
detail_log_other
}
Note that things *will* hit detail_log_other. EAP Identity, for
instance, before the eap type has been agreed. If you do this in
the inner server, be prepared for unexpectedness. In short,
understand EAP first.
Good, but it sounds somewhat complex :)
I just chuck the raw data out with detail and leave it be. The
useful stuff is pristinely formatted with gentle loving care by
the linelog module, where it sits in a nice greppable format for
me. One log entry, in post-auth, after the useful stuff happened.
Any more detail needed? Just go to the dirty detail log and dig it
out. Happens so rarely it wouldn't matter if it was in binary
format and had to be read with a hex editor in Windows...
Wow, linelog seems interesting, I've tried but only is logging
Access-Request, why?
I add my debug (I plan to get rid out of inner-tunnel-peap file):
FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on
Jan 3 2012 at 16:18:16
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb-testing/radiusd.conf
including configuration file /etc/raddb-testing/proxy.conf
including configuration file /etc/raddb-testing/clients.conf
including files in directory /etc/raddb-testing/modules/
including configuration file /etc/raddb-testing/modules/chap
including configuration file /etc/raddb-testing/modules/mschap
including configuration file
/etc/raddb-testing/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb-testing/modules/exec
including configuration file /etc/raddb-testing/modules/realm
including configuration file /etc/raddb-testing/modules/checkval
including configuration file /etc/raddb-testing/modules/rediswho
including configuration file /etc/raddb-testing/modules/passwd
including configuration file /etc/raddb-testing/modules/attr_filter
including configuration file /etc/raddb-testing/modules/linelog
including configuration file /etc/raddb-testing/modules/wimax
including configuration file /etc/raddb-testing/modules/pam
including configuration file /etc/raddb-testing/modules/inner-eap
including configuration file /etc/raddb-testing/modules/echo
including configuration file /etc/raddb-testing/modules/soh
including configuration file /etc/raddb-testing/modules/replicate
including configuration file /etc/raddb-testing/modules/acct_unique
including configuration file /etc/raddb-testing/modules/etc_group
including configuration file /etc/raddb-testing/modules/pap
including configuration file /etc/raddb-testing/modules/expr
including configuration file /etc/raddb-testing/modules/smbpasswd
including configuration file /etc/raddb-testing/modules/attr_rewrite
including configuration file /etc/raddb-testing/modules/radutmp
including configuration file /etc/raddb-testing/modules/mac2ip
including configuration file /etc/raddb-testing/modules/logintime
including configuration file /etc/raddb-testing/modules/sql_log
including configuration file /etc/raddb-testing/modules/smsotp
including configuration file /etc/raddb-testing/modules/preprocess
including configuration file /etc/raddb-testing/modules/policy
including configuration file /etc/raddb-testing/modules/cui
including configuration file /etc/raddb-testing/modules/perl
Re: Problems with Huntgroup
On Thu, Jun 07, 2012 at 12:59:24PM -0300, Sergio Belkin wrote:
I just chuck the raw data out with detail and leave it be. The
useful stuff is pristinely formatted with gentle loving care by
the linelog module, where it sits in a nice greppable format for
Wow, linelog seems interesting, I've tried but only is logging
Access-Request, why?
You didn't call it in the accounting{} section?
You won't get an EAP-Type in accounting, though. There's no EAP
involved there.
Matthew
rad_recv: Accounting-Request packet from host 10.129.85.1 port 39402,
id=192, length=199
Acct-Session-Id = 0026-003A
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Name = fsaze1
NAS-Identifier = AP-PVIII-V
NAS-Port = 4
Called-Station-Id = 00-23-69-49-06-2C:sarlanga-I
Calling-Station-Id = 60-FA-CD-42-C0-CE
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
Acct-Session-Time = 30
Acct-Input-Packets = 98
Acct-Output-Packets = 26
Acct-Input-Octets = 11164
Acct-Output-Octets = 7989
Event-Timestamp = Jun 7 2012 10:37:44 ART
Acct-Terminate-Cause = User-Request
# Executing section preacct from file /etc/raddb-testing/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 4,Client-IP-Address =
10.129.85.1,NAS-IP-Address = 10.129.85.1,Acct-Session-Id =
0026-003A,User-Name = fsaze1'
[acct_unique] Acct-Unique-Session-ID = 66c3a7d6e3d79d1a.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = fsaze1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file
/etc/raddb-testing/sites-enabled/default
+- entering group accounting {...}
[detail]expand:
/usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
- /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607
[detail]
/usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607
[detail]expand: %t - Thu Jun 7 10:37:44 2012
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /usr/local-test/var/log/radius/radutmp -
/usr/local-test/var/log/radius/radutmp
[radutmp] expand: %{User-Name} - fsaze1
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} - fsaze1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 192 to 10.129.85.1 port 39402
Finished request 0.
End of Output
--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with Huntgroup
2012/6/5 Matthew Newton m...@leicester.ac.uk: On Mon, Jun 04, 2012 at 11:43:07AM -0300, Sergio Belkin wrote: 2012/6/4 Alan DeKok al...@deployingradius.com: The debug for the inner-tunnel *clearly* shows NOT using the files module. So, sorry for the stupid questions but how can I do that It's true what you say about debug output, but I files is in inner-tunnel configuration, I tried putting files above of chap, but doesn't change anything. Look at /etc/raddb-testing/sites-enabled/inner-tunnel-peap You've changed the config, added this file, and not added the files module to it. How a module is added? Mi current file is: That's probably /etc/raddb-testing/sites-enabled/inner-tunnel instead. Yes it is Using different inner-tunnel configs for TTLS and PEAP is just going to cause you pain, unless you REALLY know what you're letting yourself in for. Go back to the default config and use the same for both. I've added this files because I like to separate logs when supplicants are using PEAP or TTLS Is there a better way of doing that? The debug output doesn't lie. If it says the module isn't being called when you've just added it, then the module is not being called and you're configuring things in the wrong place. I don't blame debug :) I want to learn. Sorry but I repeat the question how a module is added? because files is statament is present on both files /etc/raddb-testing/sites-enabled/inner-tunnel-peap and /etc/raddb-testing/sites-enabled/inner-tunnel Thanks again Cheers, Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, ith...@le.ac.uk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with Huntgroup
On Wed, Jun 06, 2012 at 10:28:27AM -0300, Sergio Belkin wrote:
I've added this files because I like to separate logs when supplicants
are using PEAP or TTLS
I'd still use just one file, and filter the logs instead.
Is there a better way of doing that?
There may be several ways. The first one that comes to mind is
just pulling the EAP type out of the EAP-Message attributes.
PEAP connections will have an EAP-Message attribute that matches
the regexp /^0x19/, whereas TTLS connections will match
/^0x15/.
Alternatively, and probably easier in the long run, add
%{EAP-Type} to linelog, so you get the name directly in your logs.
Add it in the outer, and you'll see TTLS or PEAP. Add it in the
inner, and you'll see the inner EAP type, such as MS-CHAP-V2.
I want to learn. Sorry but I repeat the question how a module is
added? because files is statament is present on both files
/etc/raddb-testing/sites-enabled/inner-tunnel-peap and
/etc/raddb-testing/sites-enabled/inner-tunnel
Apologies - you're right, it is being called.
++[files] returns noop
Add 'preprocess' to the top of the authorize{} section in your
inner-tunnel-peap / inner-tunnel files. That's the module that
checks huntgroups.
Cheers,
Matthew
--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with Huntgroup
2012/6/6 Matthew Newton m...@leicester.ac.uk:
On Wed, Jun 06, 2012 at 10:28:27AM -0300, Sergio Belkin wrote:
I've added this files because I like to separate logs when supplicants
are using PEAP or TTLS
I'd still use just one file, and filter the logs instead.
Is there a better way of doing that?
There may be several ways. The first one that comes to mind is
just pulling the EAP type out of the EAP-Message attributes.
PEAP connections will have an EAP-Message attribute that matches
the regexp /^0x19/, whereas TTLS connections will match
/^0x15/.
Alternatively, and probably easier in the long run, add
%{EAP-Type} to linelog, so you get the name directly in your logs.
Add it in the outer, and you'll see TTLS or PEAP. Add it in the
inner, and you'll see the inner EAP type, such as MS-CHAP-V2.
Good idea, I've tried appending %{EAP-Type) that to detail.log but
sending nothing
eg:
auth-detail-AP-XXX-DEFAULT--20120606
Between - and - is nothing (Neither TTLS nor PEAP appears)
I want to learn. Sorry but I repeat the question how a module is
added? because files is statament is present on both files
/etc/raddb-testing/sites-enabled/inner-tunnel-peap and
/etc/raddb-testing/sites-enabled/inner-tunnel
Apologies - you're right, it is being called.
++[files] returns noop
:-)
Add 'preprocess' to the top of the authorize{} section in your
inner-tunnel-peap / inner-tunnel files. That's the module that
checks huntgroups.
Thanks guys it dit it! I just realize that modules must be appended in
inner-tunnel files to load them :)
TIA
Cheers,
Matthew
--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
--
--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with Huntgroup
Sergio Belkin wrote:
Good idea, I've tried appending %{EAP-Type) that to detail.log
What does that mean?
but
sending nothing
eg:
auth-detail-AP-XXX-DEFAULT--20120606
Between - and - is nothing (Neither TTLS nor PEAP appears)
As *ALWAYS*, read the debug output.
You're very dedicated to giving as little information as possible. Why?
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with Huntgroup
On Wed, Jun 06, 2012 at 03:56:54PM -0300, Sergio Belkin wrote:
Good idea, I've tried appending %{EAP-Type) that to detail.log but
sending nothing
eg:
auth-detail-AP-XXX-DEFAULT--20120606
Between - and - is nothing (Neither TTLS nor PEAP appears)
You've not really explained what you've done.
However, I *guess* that you have added %{EAP-Type} to the filename
(detailfile) in the detail config.
Look, though, where detail is getting called, and where eap is
called, in the authorize section. It goes in order. The eap module
sets EAP-Type, detail is called before.
So you need to call the log after eap. But the gotcha is that eap
will short circuit the return in the challenges, so you won't call
the detail module if you put it after eap.
I'd suggest you let all the incoming logs go to a single location
where they are, then you add a new detail (or linelog) module to
post-auth. That can use %{EAP-Type}, as it's *after* EAP has
happened.
Alternatively, you can use my other suggestion anywhere you like.
If you pick data out of EAP-Message yourself, you get to do what
you want with it (and keep the shards when it shatters).
Totally untested unlang.
if (%{EAP-Message} =~ /^0x19/) {
detail_log_peap
}
elsif (%{EAP-Message} =~ /^0x15/) {
detail_log_ttls
}
else {
detail_log_other
}
Note that things *will* hit detail_log_other. EAP Identity, for
instance, before the eap type has been agreed. If you do this in
the inner server, be prepared for unexpectedness. In short,
understand EAP first.
I just chuck the raw data out with detail and leave it be. The
useful stuff is pristinely formatted with gentle loving care by
the linelog module, where it sits in a nice greppable format for
me. One log entry, in post-auth, after the useful stuff happened.
Any more detail needed? Just go to the dirty detail log and dig it
out. Happens so rarely it wouldn't matter if it was in binary
format and had to be read with a hex editor in Windows...
Add 'preprocess' to the top of the authorize{} section in your
inner-tunnel-peap / inner-tunnel files. That's the module that
checks huntgroups.
Thanks guys it dit it! I just realize that modules must be appended in
inner-tunnel files to load them :)
Yeah, that's why it's called a virtual server. It's treated the
same as the default server, the flow is the same. No module
listed there? It doesn't happen.
Matthew
--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with Huntgroup
On Mon, Jun 04, 2012 at 11:43:07AM -0300, Sergio Belkin wrote: 2012/6/4 Alan DeKok al...@deployingradius.com: The debug for the inner-tunnel *clearly* shows NOT using the files module. So, sorry for the stupid questions but how can I do that It's true what you say about debug output, but I files is in inner-tunnel configuration, I tried putting files above of chap, but doesn't change anything. Look at /etc/raddb-testing/sites-enabled/inner-tunnel-peap You've changed the config, added this file, and not added the files module to it. Mi current file is: That's probably /etc/raddb-testing/sites-enabled/inner-tunnel instead. Using different inner-tunnel configs for TTLS and PEAP is just going to cause you pain, unless you REALLY know what you're letting yourself in for. Go back to the default config and use the same for both. The debug output doesn't lie. If it says the module isn't being called when you've just added it, then the module is not being called and you're configuring things in the wrong place. Cheers, Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, ith...@le.ac.uk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with Huntgroup
Sergio Belkin wrote: I've appended something like to huntgroups file mb NAS-IP-Address == 10.129.189.1 mb NAS-IP-Address == 10.129.84.1 mb Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I And in users files: pruebita Huntgroup-Name == mb,Cleartext-Password := pruebon But is not working user pruebita does not get an Access-Accept Please could you help me to solve it? You edited the default configuration and broke it. Don't do that. You've set copy_request_to_tunnel, which is good. It means that the huntgroup check will work. You've deleted files from raddb/sites-available/inner-tunnel. That's why it doesn't work. Add it back, and it will work. In 2.1.12, read the comments at the top of raddb/sites-available/inner-tunnel. It tells you how to test the inner-tunnel configuration. It tells you what NOT to do. i.e. tested PEAP before testing that the inner-tunnel config works. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with Huntgroup
2012/6/4 Alan DeKok al...@deployingradius.com:
Sergio Belkin wrote:
I've appended something like to huntgroups file
mb NAS-IP-Address == 10.129.189.1
mb NAS-IP-Address == 10.129.84.1
mb Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I
And in users files:
pruebita Huntgroup-Name == mb,Cleartext-Password := pruebon
But is not working user pruebita does not get an Access-Accept
Please could you help me to solve it?
You edited the default configuration and broke it. Don't do that.
You've set copy_request_to_tunnel, which is good. It means that the
huntgroup check will work.
You've deleted files from raddb/sites-available/inner-tunnel.
That's why it doesn't work. Add it back, and it will work.
In 2.1.12, read the comments at the top of
raddb/sites-available/inner-tunnel. It tells you how to test the
inner-tunnel configuration. It tells you what NOT to do.
i.e. tested PEAP before testing that the inner-tunnel config works.
Alan DeKok.
-
Thanks Alan for you answer.
I haven't deleted anything respect to configuration files per default:
32,36c32,36
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
---
#listen {
# ipaddr = 127.0.0.1
# port = 18120
# type = auth
#}
142c142
# ldap
---
ldap
230,232c230,232
# Auth-Type LDAP {
# ldap
# }
---
Auth-Type LDAP {
ldap
}
271a272,274
# Sergio
reply_log
376a380,382
# Sergio
post_proxy_log
Did I missed something?
Thanks in advance
--
--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with Huntgroup
Sergio Belkin wrote: I haven't deleted anything respect to configuration files per default: shrug You can believe what you want, or you can believe the server output. Did I missed something? The debug for the inner-tunnel *clearly* shows NOT using the files module. Go fix that. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with Huntgroup
2012/6/4 Alan DeKok al...@deployingradius.com:
The debug for the inner-tunnel *clearly* shows NOT using the files
module.
So, sorry for the stupid questions but how can I do that
It's true what you say about debug output, but I files is in
inner-tunnel configuration, I tried putting files above of chap, but
doesn't change anything.
Please could you help me I've read the file and output, and also run
radtest, but I don't figure out what I should do
Mi current file is:
listen {
ipaddr = 127.0.0.1
port = 18121
type = auth
}
authorize {
chap
mschap
suffix
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
files
ldap
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
Auth-Type LDAP {
ldap
}
eap
}
session {
radutmp
}
post-auth {
reply_log
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
post_proxy_log
eap
}
EOF
Thanks in advance!
--
--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with Huntgroup
Sergio Belkin wrote: 2012/6/4 Alan DeKok al...@deployingradius.com: The debug for the inner-tunnel *clearly* shows NOT using the files module. So, sorry for the stupid questions but how can I do that If it's in the file, it's used. It's true what you say about debug output, but I files is in inner-tunnel configuration, I tried putting files above of chap, but doesn't change anything. OK. Please could you help me I've read the file and output, and also run radtest, but I don't figure out what I should do ? Run radtest until it works. As input, use the packets the server prints out in debugging mode. Change the server configuration until it works. The whole *point* of debugging mode is to tell you what's going on. The point of printing out the packets is so that you can use them for testing. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
