Freeradius-Users access level issues

KAVYA PRABHAKAR kavyamelinmaneprabhakar at gmail.com
Tue Jan 20 08:55:16 CET 2015


Hi,
I want to configure user access level info in FR. If I am using Cisco, I
will be adding the following line in the users file:
Cisco-AVPair = "shell:priv-lvl = 15"

But I want to add NET user access level info to 15, so that I can see the
same in the radius response I receive from FR.
Could you please help me know where and what file I have to look into for
this info.
I know a similar configuration and was successful when I used another radius
server. But I am not able to relate the same with FR.

Thanks in advance,
Kavya
On 20-Jan-2015 3:39 am, <freeradius-users-request at lists.freeradius.org>
wrote:

> Today's Topics:
>
>    1. Freeradius 3 and routers problem (alter1)
>    2. Re: Freeradius 3 and routers problem (Alan DeKok)
>    3. Re: VMPS sql error - WARNING: Unknown module "sql" in string
>       expansion "%" (Arran Cudbard-Bell)
>    4. Re: Re: Freeradius 3 and routers problem (alter1)
>    5. Re: Freeradius 3 and routers problem (Alan DeKok)
>    6. test PEAP (Jim Shi)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 19 Jan 2015 12:29:14 +0100
> From: alter1 <alter1 at onet.pl>
> To: "freeradius-users at lists.freeradius.org"
>         <freeradius-users at lists.freeradius.org>
> Subject: Freeradius 3 and routers problem
> Message-ID:
>         <107867304-c4b8ba06baaf39b736858171721998e8 at pmq5.m5r2.onet>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
>
> I have a network: 3 soho wifi routers Dlink wrt54gl, wrt320n and Asus
> RT-AC52U. On each is the same configuration (wifi wpa2-enterprise with
> radius auth on 192.168.10.x server with 1812 port and secret key for each
> client)
>
> Server is Centos 7 based with latest version with ip 192.168.10.x
> # repoquery freeradius
> freeradius-0:3.0.1-6.el7.x86_64
> # tail -19 /etc/raddb/clients.conf
> client rt-a1-2 {
>         ipaddr = 192.168.10.4
>         secret = test1
>         shortname = rt-a1-2
> }
> client rt-a1-1 {
>         ipaddr = 192.168.10.2
>         secret = test2
>         shortname = rt-a1-1
> }
> client rt-a2-1 {
>         ipaddr = 192.168.10.3
>         secret = test3
>         shortname = rt-a2-1
> }
> In /etc/raddb/users par example:
> "test" Cleartext-Password := "test"
> and others in the same format...
>
> This server is relay to other dhcp server therefore I have:
> # cat /etc/raddb/sites-available/dhcp.relay
> server dhcp.ens160 {
>         listen {
>                 ipaddr = *
>                 port = 67
>                 type = dhcp
>                 interface = ens160
>         }
>         dhcp DHCP-Discover {
>                 update config {
>                         DHCP-Relay-To-IP-Address := 192.168.10.1
>                 }
>                 update request {
>                         DHCP-Gateway-IP-Address := 192.168.10.254
>                 }
>                 ok
>         }
>         dhcp DHCP-Request {
>                 update config {
>                         DHCP-Relay-To-IP-Address := 192.168.10.1
>                 }
>                 update request {
>                         DHCP-Gateway-IP-Address := 192.168.10.254
>                 }
>                 ok
>         }
> }
> On 192.168.10.1 dhcpserver works ok
>
> In logs
> /var/log/radius/radius.log
> Mon Jan 19 12:07:14 2015 : Auth: (44) Login OK: [test/<via Auth-Type =
> MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
> Mon Jan 19 12:07:14 2015 : Auth: (45) Login OK: [test/<via Auth-Type =
> EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
> Mon Jan 19 12:13:23 2015 : Auth: (59) Login OK: [test/<via Auth-Type =
> MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
> Mon Jan 19 12:13:23 2015 : Auth: (60) Login OK: [test/<via Auth-Type =
> EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
> Mon Jan 19 12:15:18 2015 : Auth: (70) Login OK: [test/<via Auth-Type =
> MSCHAP>] (from client rt-a1-2 port 0 via TLS tunnel)
> Mon Jan 19 12:15:18 2015 : Auth: (71) Login OK: [test/<via Auth-Type =
> EAP>] (from client rt-a1-2 port 0 cli 8C-3A-E3-XX-XX-XX)
> Mon Jan 19 12:16:10 2015 : Auth: (80) Login OK: [test/<via Auth-Type =
> MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
> Mon Jan 19 12:17:13 2015 : Auth: (85) Login OK: [test/<via Auth-Type =
> EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
> And all works... But... After some period of time 30-60 minutes no one can
> connect to wifi on AP's.
> I tried with alternative firmwares. Still the same.
> After tcpdump connections I have nothing... That means: I tcpdump iface
> (ens160) and cannot see ANY PACKETS from any AP's to radius server...
>
> Problem disappears after restart of freeradius (systemctl restart
> radiusd.service). And after some period of time... the same happens.
> What is the point? Where can the problem be?
> I tried to disable renew key on AP in radius configuration but this does
> not help.
> Thanx for help :-)
>
> With regards
> MK
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 19 Jan 2015 07:44:01 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Freeradius 3 and routers problem
> Message-ID: <FE155EBC-B18E-4B96-B77B-0B4807DC21F8 at deployingradius.com>
> Content-Type: text/plain; charset=windows-1252
>
> On Jan 19, 2015, at 6:29 AM, alter1 <alter1 at onet.pl> wrote:
> > I have a network: 3 soho wifi routers Dlink wrt54gl, wrt320n and Asus
> RT-AC52U. On each is the same configuration (wifi wpa2-enterprise with
> radius auth on 192.168.10.x server with 1812 port and secret key for each
> client)
>
>   OK.  That should be simple enough.
> >
> > Mon Jan 19 12:16:10 2015 : Auth: (80) Login OK: [test/<via Auth-Type =
> MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
> > Mon Jan 19 12:17:13 2015 : Auth: (85) Login OK: [test/<via Auth-Type =
> EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
> > And all works... But... After some period of time 30-60 minutes no one can
> connect to wifi on AP's.
>
>   That's bad.
>
> > I tried with alternative firmwares. Still the same.
> > After tcpdump connections I have nothing... That mean. I tcpdump iface
> (ens160) and cannot see ANY PACKETS from any AP's to radius server...
>
>   Then the APs are broken.  When a user logs in, the APs should start
> doing RADIUS.
>
> > Problem disappear after restart freeradius (systemctl restart
> radiusd.service).
>
>   Restarting FreeRADIUS doesn't cause the APs to start sending packets.
> Something else is going on.
>
>   What happens if you reboot the APs instead of FreeRADIUS?
>
>   Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 19 Jan 2015 20:59:37 +0700
> From: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: VMPS sql error - WARNING: Unknown module "sql" in string
>         expansion "%"
> Message-ID: <B5E4DF5C-63CC-40EC-AAAA-527498C2DEAE at freeradius.org>
> Content-Type: text/plain; charset=windows-1252
>
>
> > On 19 Jan 2015, at 10:54, Keith Olsen <keith.r.olsen at gmail.com> wrote:
> >
> > Thanks Alan,
> >
> > that resolved it.
> >
> > I've spent a fair bit of time getting the VMPS stuff working, in
> particular with a mysql DB, and have been documenting for the project I am
> using this on.
> >
> > I would be more than happy to share the cookbook on configuring the VMPS
> if you think there's any value.
>
> Yes, definitely.
>
> > I know there is not much call for VMPS, but I know I would have
> appreciated a single source to follow.
> >
> > If there's value, let me know where and how I can contribute the
> documentation.
>
> Feel free to add it to the wiki. There's already a cookbook section.
>
> -Arran
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 19 Jan 2015 20:58:29 +0100
> From: alter1 <alter1 at onet.pl>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Re: Freeradius 3 and routers problem
> Message-ID:
>         <107959639-517888edf517a2f20159e5d9a91f7f7a at pmq5.m5r2.onet>
> Content-Type: text/plain; charset="utf-8"
>
> Hello again,
>
>
> I know it might sound impossible, but sometimes I have an idea that radius
> in certain moment sent some like "deauth" packet to radius clients on AP's
> and in this case those clients
> don't talk to radius server anymore. Sorry I haven't so much time to read
> right RFC :-). So just ask :)
>
> After rebooting AP's is the same as I described with radius server. It
> works for 30-60 minutes and then after another... after another...
> A few hours ago I compiled my favorite distro - gentoo and emerge
> freeradius for this platform.
>
> I flashed wrt54gl with dd-wrt firmware (for better testing client from
> linksys dd-wrt shell)
> # radius-client test test 192.168.10.19 1812 link1
> Accept
>
> I repeated it every 2 hours and ... is still working without any problems.
> But because of nighttime I can prove it tomorrow with real wifi clients.
> I'll be back soon
>
> With regards,
> MK
>
> The only difference is that is net-dialup/freeradius-2.2.5 version - not 3
> like in centos distr.
>
> On 2015-01-19 13:44:01, user Alan DeKok <
> aland at deployingradius.com> wrote:
> > On Jan 19, 2015, at 6:29 AM, alter1 <alter1 at onet.pl> wrote:
> > > I have a network: 3 soho wifi routers Dlink wrt54gl, wrt320n and Asus
> RT-AC52U. On each is the same configuration (wifi wpa2-enterprise with
> radius auth on 192.168.10.x server with 1812 port and secret key for each
> client)
> >
> >   OK.  That should be simple enough.
> > >
> > > Mon Jan 19 12:16:10 2015 : Auth: (80) Login OK: [test/<via Auth-Type =
> MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
> > > Mon Jan 19 12:17:13 2015 : Auth: (85) Login OK: [test/<via Auth-Type =
> EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
> > > And all works... But... After some period of time 30-60 minutes no one
> can connect to wifi on AP's.
> >
> >   That's bad.
> >
> > > I tried with alternative firmwares. Still the same.
> > > After tcpdump connections I have nothing... That mean. I tcpdump iface
> (ens160) and cannot see ANY PACKETS from any AP's to radius server...
> >
> >   Then the APs are broken.  When a user logs in, the APs should start
> doing RADIUS.
> >
> > > Problem disappear after restart freeradius (systemctl restart
> radiusd.service).
> >
> >   Restarting FreeRADIUS doesn't cause the APs to start sending packets.
> Something else is going on.
> >
> >   What happens if you reboot the APs instead of FreeRADIUS?
> >
> >   Alan DeKok.
> >
> ------------------------------
>
> Message: 5
> Date: Mon, 19 Jan 2015 15:06:56 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Freeradius 3 and routers problem
> Message-ID: <2D43F89A-7262-4C5D-955E-BD0A1330B194 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Jan 19, 2015, at 2:58 PM, alter1 <alter1 at onet.pl> wrote:
> > I know it might sound impossible, but sometimes I have an idea that
> radius in certain moment sent some like "deauth" packet to radius clients
> on AP's and in this case those clients
> > don't talk to radius server anymore.
>
>   There is no such RADIUS packet.
>
> > After rebooting AP's is the same as I described with radius server. It
> works for 30-60 minutes and then after another... after another...
> > A few hours ago I compiled my favorite distro - gentoo and emerge
> freeradius for this platform.
>
>   Take your APs, and throw them in the garbage.  Then, buy APs that work.
>
>   Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 19 Jan 2015 14:08:13 -0800
> From: Jim Shi <hanmao_shi at apple.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: test PEAP
> Message-ID: <F64B0806-2459-4B40-94C2-A86FD367777A at apple.com>
> Content-Type: text/plain;       charset=windows-1252
>
> I am trying to test PEAP following the steps described in
>
> http://www.freesoftwaremagazine.com/articles/howto_incremental_setup_freeradius_server_eap_authentications
>
> it says to send the following to radius server:
>
> $ cat eapol_test.conf.peap
> network={
> eap=PEAP
> eapol_flags=0
> key_mgmt=IEEE8021X
> identity="testuser"
> password="password"
> ca_cert="/home/gcheng/myCA/cacert.pem"
> phase2="auth=MSCHAPV2"
> anonymous_identity="anonymous"
> }
>
> When running the test, I noticed that it sends the "anonymous" user to the
> server, and the server tries to authenticate user "anonymous" and fails.
> Any ideas what "anonymous" is here? Do we need to set up a password for
> "anonymous" on the server?
>
>
> Thanks
> Jim
>
>
>
> ------------------------------
>
>
> End of Freeradius-Users Digest, Vol 117, Issue 56
> *************************************************
>

