Problems with Huntgroup

Sergio Belkin sebelk at gmail.com
Thu Jun 7 17:59:24 CEST 2012


2012/6/6 Matthew Newton <mcn4 at leicester.ac.uk>:
> On Wed, Jun 06, 2012 at 03:56:54PM -0300, Sergio Belkin wrote:
>> Good idea, I've tried appending %{EAP-Type} to detail.log but it
>> sends nothing
>> eg:
>>
>> auth-detail-AP-XXX-DEFAULT--20120606
>>
>> Between "-" and "-" is nothing (Neither TTLS nor PEAP appears)
>
> You've not really explained what you've done.
>
> However, I *guess* that you have added %{EAP-Type} to the filename
> (detailfile) in the detail config.

Yes, you guessed well


>
> Look, though, where detail is getting called, and where eap is
> called, in the authorize section. It goes in order. The eap module
> sets EAP-Type, detail is called before.
>
> So you need to call the log after eap. But the gotcha is that eap
> will short circuit the return in the challenges, so you won't call
> the detail module if you put it after eap.


Nice to know :)

>
> I'd suggest you let all the incoming logs go to a single location
> where they are, then you add a new detail (or linelog) module to
> post-auth. That can use %{EAP-Type}, as it's *after* EAP has
> happened.

I've tested it and it works, nice! But please keep on reading:

>
> Alternatively, you can use my other suggestion anywhere you like.
> If you pick data out of EAP-Message yourself, you get to do what
> you want with it (and keep the shards when it shatters).
>
> Totally untested unlang.
>
> if (%{EAP-Message} =~ /^0x........19/) {
>  detail_log_peap
> }
> elsif (%{EAP-Message} =~ /^0x........15/) {
>  detail_log_ttls
> }
> else {
>  detail_log_other
> }
>
> Note that things *will* hit detail_log_other. EAP Identity, for
> instance, before the eap type has been agreed. If you do this in
> the inner server, be prepared for unexpectedness. In short,
> understand EAP first.

Good, but it sounds somewhat complex :)

>
> I just chuck the raw data out with detail and leave it be. The
> useful stuff is pristinely formatted with gentle loving care by
> the linelog module, where it sits in a nice greppable format for
> me. One log entry, in post-auth, after the useful stuff happened.
> Any more detail needed? Just go to the dirty detail log and dig it
> out. Happens so rarely it wouldn't matter if it was in binary
> format and had to be read with a hex editor in Windows...
>

Wow, linelog seems interesting, I've tried it but it is only logging
Access-Request, why?

I add my debug output (I plan to get rid of the inner-tunnel-peap file):

FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on
Jan  3 2012 at 16:18:16
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb-testing/radiusd.conf
including configuration file /etc/raddb-testing/proxy.conf
including configuration file /etc/raddb-testing/clients.conf
including files in directory /etc/raddb-testing/modules/
including configuration file /etc/raddb-testing/modules/chap
including configuration file /etc/raddb-testing/modules/mschap
including configuration file
/etc/raddb-testing/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb-testing/modules/exec
including configuration file /etc/raddb-testing/modules/realm
including configuration file /etc/raddb-testing/modules/checkval
including configuration file /etc/raddb-testing/modules/rediswho
including configuration file /etc/raddb-testing/modules/passwd
including configuration file /etc/raddb-testing/modules/attr_filter
including configuration file /etc/raddb-testing/modules/linelog
including configuration file /etc/raddb-testing/modules/wimax
including configuration file /etc/raddb-testing/modules/pam
including configuration file /etc/raddb-testing/modules/inner-eap
including configuration file /etc/raddb-testing/modules/echo
including configuration file /etc/raddb-testing/modules/soh
including configuration file /etc/raddb-testing/modules/replicate
including configuration file /etc/raddb-testing/modules/acct_unique
including configuration file /etc/raddb-testing/modules/etc_group
including configuration file /etc/raddb-testing/modules/pap
including configuration file /etc/raddb-testing/modules/expr
including configuration file /etc/raddb-testing/modules/smbpasswd
including configuration file /etc/raddb-testing/modules/attr_rewrite
including configuration file /etc/raddb-testing/modules/radutmp
including configuration file /etc/raddb-testing/modules/mac2ip
including configuration file /etc/raddb-testing/modules/logintime
including configuration file /etc/raddb-testing/modules/sql_log
including configuration file /etc/raddb-testing/modules/smsotp
including configuration file /etc/raddb-testing/modules/preprocess
including configuration file /etc/raddb-testing/modules/policy
including configuration file /etc/raddb-testing/modules/cui
including configuration file /etc/raddb-testing/modules/perl
including configuration file /etc/raddb-testing/modules/digest
including configuration file /etc/raddb-testing/modules/mac2vlan
including configuration file /etc/raddb-testing/modules/otp
including configuration file /etc/raddb-testing/modules/files
including configuration file /etc/raddb-testing/modules/always
including configuration file /etc/raddb-testing/modules/ntlm_auth
including configuration file /etc/raddb-testing/modules/detail
including configuration file /etc/raddb-testing/modules/krb5
including configuration file /etc/raddb-testing/modules/sradutmp
including configuration file /etc/raddb-testing/modules/opendirectory
including configuration file /etc/raddb-testing/modules/counter
including configuration file /etc/raddb-testing/modules/detail.example.com
including configuration file /etc/raddb-testing/modules/ippool
including configuration file /etc/raddb-testing/modules/expiration
including configuration file /etc/raddb-testing/modules/dynamic_clients
including configuration file /etc/raddb-testing/modules/detail.log
including configuration file /etc/raddb-testing/modules/redis
including configuration file /etc/raddb-testing/modules/ldap
including configuration file /etc/raddb-testing/modules/unix
including configuration file /etc/raddb-testing/eap.conf
including configuration file /etc/raddb-testing/policy.conf
including files in directory /etc/raddb-testing/sites-enabled/
including configuration file /etc/raddb-testing/sites-enabled/status
including configuration file /etc/raddb-testing/sites-enabled/control-socket
including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel
including configuration file /etc/raddb-testing/sites-enabled/default
including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel-peap
main {
       user = "radiusd"
       group = "radiusd"
       allow_core_dumps = no
}
including dictionary file /etc/raddb-testing/dictionary
main {
       name = "radiusd"
       prefix = "/usr/local-test"
       localstatedir = "/usr/local-test/var"
       sbindir = "/usr/local-test/sbin"
       logdir = "/usr/local-test/var/log/radius"
       run_dir = "/usr/local-test/var/run/radiusd"
       libdir = "/usr/local-test/lib"
       radacctdir = "/usr/local-test/var/log/radius/radacct"
       hostname_lookups = no
       max_request_time = 30
       cleanup_delay = 5
       max_requests = 1024
       pidfile = "/usr/local-test/var/run/radiusd/radiusd.pid"
       checkrad = "/usr/local-test/sbin/checkrad"
       debug_level = 0
       proxy_requests = yes
 log {
       stripped_names = yes
       auth = yes
       auth_badpass = no
       auth_goodpass = no
 }
 security {
       max_attributes = 200
       reject_delay = 1
       status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
       retry_delay = 5
       retry_count = 3
       default_fallback = no
       dead_time = 120
       wake_all_if_all_dead = no
 }
 home_server localhost {
       ipaddr = 127.0.0.1
 client 192.168.1.5 {
 Module: Linked to module rlm_linelog
 Module: Instantiating module "linelog" from file
/etc/raddb-testing/modules/linelog
 linelog {
       filename = "/usr/local-test/var/log/radius/linelog"
       permissions = 384
       format = "This is a log message for %{User-Name}"
       reference = "%{%{Packet-Type}:-format}"
conns: 0xec4c700
       ipaddr = 127.0.0.1
       port = 18120
 client admin {
       ipaddr = 127.0.0.1
       require_message_authenticator = no
       secret = "YellowSubmarine"
 }
}
listen {
       type = "auth"
       ipaddr = 127.0.0.1
       port = 18121
}
 ... adding new socket proxy address * port 59646
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on command file /usr/local-test/var/run/radiusd/radiusd.sock
Listening on status address 127.0.0.1 port 18120 as server status
Listening on authentication address 127.0.0.1 port 18121 as server inner-tunnel
Listening on proxy address 192.168.1.5 port 1814
Ready to process requests.

rad_recv: Accounting-Request packet from host 10.129.85.1 port 39402,
id=192, length=199
       Acct-Session-Id = "00000026-0000003A"
       Acct-Status-Type = Stop
       Acct-Authentic = RADIUS
       User-Name = "fsaze1"
       NAS-Identifier = "AP-PVIII-V"
       NAS-Port = 4
       Called-Station-Id = "00-23-69-49-06-2C:sarlanga-I"
       Calling-Station-Id = "60-FA-CD-42-C0-CE"
       NAS-Port-Type = Wireless-802.11
       Connect-Info = "CONNECT 54Mbps 802.11g"
       Acct-Session-Time = 30
       Acct-Input-Packets = 98
       Acct-Output-Packets = 26
       Acct-Input-Octets = 11164
       Acct-Output-Octets = 7989
       Event-Timestamp = "Jun  7 2012 10:37:44 ART"
       Acct-Terminate-Cause = User-Request
# Executing section preacct from file /etc/raddb-testing/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 4,Client-IP-Address =
10.129.85.1,NAS-IP-Address = 10.129.85.1,Acct-Session-Id =
"00000026-0000003A",User-Name = "fsaze1"'
[acct_unique] Acct-Unique-Session-ID = "66c3a7d6e3d79d1a".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "fsaze1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file
/etc/raddb-testing/sites-enabled/default
+- entering group accounting {...}
[detail]        expand:
/usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607
[detail] /usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607
[detail]        expand: %t -> Thu Jun  7 10:37:44 2012
++[detail] returns ok
++[unix] returns ok
[radutmp]       expand: /usr/local-test/var/log/radius/radutmp ->
/usr/local-test/var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> fsaze1
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response]       expand: %{User-Name} -> fsaze1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 192 to 10.129.85.1 port 39402
Finished request 0.

End of Output



Thanks in advance

>
>> > Add 'preprocess' to the top of the authorize{} section in your
>> > inner-tunnel-peap / inner-tunnel files. That's the module that
>> > checks huntgroups.
>>
>> Thanks guys, that did it! I just realized that modules must be appended to the
>> inner-tunnel files to load them :)
>
> Yeah, that's why it's called a virtual server. It's treated the
> same as the default server, the flow is the same. No module
> listed there? It doesn't happen.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Architect (UNIX and Networks), Network Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-- 
--
Sergio Belkin  http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
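The regex branches Matthew posted above (`/^0x........19/` for PEAP, `/^0x........15/` for TTLS) work because FreeRADIUS 2.x expands an octets attribute as `0x` followed by hex, and an EAP packet (RFC 3748) starts with Code(1) + Identifier(1) + Length(2) = 8 hex characters, followed by the Type byte only for Request/Response packets. The script below is an added example, not code from this thread or from the FreeRADIUS project: it parses the expanded EAP-Message the same way, names the type, and shows why Identity (type 1), Legacy-Nak (type 3) and Success/Failure packets land in the "other" branch. The sample messages are constructed by hand for the demonstration; the function and table names are the example's own.

```python
"""Classify a FreeRADIUS EAP-Message expansion ("0x...") by its EAP type.

Added example; not from the mailing-list thread or from FreeRADIUS.
EAP framing (RFC 3748): Code(1) Identifier(1) Length(2) [Type(1) Type-Data].
Code 1/2 = Request/Response (carry a Type); 3/4 = Success/Failure (no Type).
"""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Legacy-Nak",
             4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
# Type number -> detail log the unlang branches would select.
LOG_BY_TYPE = {25: "peap", 21: "ttls"}

# Matthew's regexes: 8 hex chars of header, then the Type byte.
RE_PEAP = re.compile(r"^0x........19")
RE_TTLS = re.compile(r"^0x........15")


def parse_eap_message(hex_value):
    """Parse the first EAP-Message attribute as FreeRADIUS expands it.

    Only the first RADIUS EAP-Message attribute carries the EAP header when
    a long TLS record is split across several attributes, so the EAP Length
    field may legitimately exceed the bytes seen here; it is reported, not
    enforced.
    """
    if not hex_value.startswith("0x"):
        raise ValueError("expected FreeRADIUS octets expansion starting with 0x")
    raw = bytes.fromhex(hex_value[2:])
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    info = {"code": EAP_CODES.get(code, "Unknown"), "id": ident,
            "length": length, "type": None, "type_name": None}
    if code in (1, 2):
        if len(raw) < 5:
            raise ValueError("Request/Response without Type byte")
        info["type"] = raw[4]
        info["type_name"] = EAP_TYPES.get(raw[4], "Unknown")
    return info


def detail_log_target(hex_value):
    """Which detail log to use: 'peap', 'ttls' or 'other' (parsed view)."""
    try:
        info = parse_eap_message(hex_value)
    except ValueError:
        return "other"   # malformed or header-only packets fall through
    return LOG_BY_TYPE.get(info["type"], "other")


def unlang_regex_target(hex_value):
    """Same decision, taken exactly as the posted unlang regexes would."""
    if RE_PEAP.match(hex_value):
        return "peap"
    if RE_TTLS.match(hex_value):
        return "ttls"
    return "other"


# Constructed sample EAP-Message values (hex as FreeRADIUS 2.x expands them).
SAMPLES = {
    "identity-response": "0x0201000e01616e6f6e796d6f7573",  # Response/Identity "anonymous"
    "peap-start":        "0x010200061920",                  # Request/PEAP, S flag set
    "ttls-response":     "0x020300061500",                  # Response/TTLS, no flags
    "nak-wants-peap":    "0x020500060319",                  # Response/Legacy-Nak proposing PEAP
    "eap-success":       "0x03040004",                      # Success: no Type byte at all
}


def classify_samples():
    """Return {name: log target} and check both decision paths agree."""
    result = {}
    for name, value in SAMPLES.items():
        parsed, regex = detail_log_target(value), unlang_regex_target(value)
        assert parsed == regex, (name, parsed, regex)
        result[name] = parsed
    return result


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:18s} {parse_eap_message(value)} -> {detail_log_target(value)}")
```

The Nak sample is the one worth noticing: the client answers a PEAP request by proposing PEAP in a Legacy-Nak, so the byte `19` appears, but in position 6, not 5, and neither decision path files it under PEAP. That is the "things *will* hit detail_log_other" caveat in concrete form.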

