Question about dictionaries

Alan DeKok aland at deployingradius.com
Tue Sep 19 23:30:07 CEST 2017


On Sep 19, 2017, at 5:14 PM, Chris Kukkonen <chris at mindworkssec.com> wrote:
> 
> I am attempting to use a vendor's dictionary:
> /usr/share/freeradius/dictionary/dictionary.brocade and I believe it is not
> being read. I have removed commented lines from dictionary.

  We already know what they contain.  There is no need to post them to the list.

> Dictionaries in /usr/share/freeradius are root/root but I am not sure if
> these are actually used.

  Yes, they're used.

> When starting radiusd, I am not able to confirm dictionary.brocade is
> loaded, and my clients are not receiving their attributes.
> 
> [root at vader ~]# /usr/sbin/radiusd -X
...
> including dictionary file /etc/raddb/dictionary      <------  This is where
> I would expect to see the dictionary.brocade called out

  It loads *hundreds* of dictionary files.  It doesn't print all of the filenames.

> I attempted to start radiusd with -Xx in case that is helpful, but I still
> am not sure if this is reading the dictionary.

  Yes, it's reading the dictionaries.

> My users contains:
> 
> swadmin         Cleartext-Password := "supersecret"
>                Brocade-Auth-Role = "admin",
>                Brocade-AVPairs1 = "HomeLF=128",
>                Brocade-AVPairs2 = "LFRoleList=admin:1-128",
>                Brocade-AVPairs3 = "ChassisRole=admin"
> 
> swuser          Cleartext-Password := "supersecret"
>                Brocade-Auth-Role = "user",
>                Brocade-AVPairs1 = "HomeLF=128",
>                Brocade-AVPairs2 = "LFRoleList=user:1-128",
>                Brocade-AVPairs3 = "ChassisRole=user",
>                Brocade-Passwd-ExpiryDate = "10/01/2017",
>                Brocade-Passwd-WarnPeriod = "31"

  If the server wasn't reading the dictionaries, it would not be able to parse those entries in the "users" file.

  If you read the debug output, you'll see it prints out the name of the "users" file it's loading.

  It's also printing out that it's matching the appropriate entry in the "users" file:

> (6) files: users: Matched entry swadmin at line 240

  You'll *also* see it USING the Brocade attributes:

> (6) eap_peap: Got tunneled reply code 11
> (6) eap_peap:   Brocade-Auth-Role = "admin"
> (6) eap_peap:   Brocade-AVPairs1 = "HomeLF=128"
> (6) eap_peap:   Brocade-AVPairs2 = "LFRoleList=admin:1-128"
> (6) eap_peap:   Brocade-AVPairs3 = "ChassisRole=admin"

  As always, it helps to READ the debug output.  If you're worried about it using Brocade attributes... search the debug output for the word "Brocade".

  The real issue is that it's not sending those attributes in the Access-Accept.  Again, reading the debug output will tell you why: the "default" virtual server isn't running the "files" module.  It's only being run in the "inner-tunnel" virtual server.

  If you want the inner-tunnel reply to be used as the default reply to the client, read raddb/mods-available/eap, and look for "use_tunneled_reply".

  Alan DeKok.
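
As an added illustration (not part of the original message or of FreeRADIUS itself), a small script that applies the advice above: rather than just grepping for "Brocade", it reads a `radiusd -X` capture and reports, per request, whether the vendor attributes appeared only in the eap_peap tunneled reply or actually made it into the outer Access-Accept. The debug lines are constructed from the ones quoted in the thread, and the exact layout of the "Sent Access-Accept" block is an assumption.

```python
import re

# Constructed sample of "radiusd -X" output, modelled on the lines quoted in the
# thread.  The "Sent Access-Accept" block layout is an assumption, not a capture.
SAMPLE_DEBUG = """\
(6) files: users: Matched entry swadmin at line 240
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap:   Brocade-Auth-Role = "admin"
(6) eap_peap:   Brocade-AVPairs1 = "HomeLF=128"
(6) eap_peap:   Brocade-AVPairs2 = "LFRoleList=admin:1-128"
(6) eap_peap:   Brocade-AVPairs3 = "ChassisRole=admin"
(6) Sent Access-Accept Id 42 from 192.0.2.1:1812 to 192.0.2.50:49152 length 0
(6)   MS-MPPE-Recv-Key = 0x00
(6)   User-Name = "swadmin"
"""

TUNNELED_ATTR = re.compile(r'^\((\d+)\) eap_peap:\s+([\w-]+) = (.*)$')
OUTER_ATTR = re.compile(r'^\((\d+)\)\s+([\w-]+) = (.*)$')

def collect_replies(debug_text):
    """Return {request_id: {"tunneled": [...], "sent": [...]}} with the attribute
    names seen in the inner-tunnel reply and in the outer Access-Accept."""
    replies, section = {}, None
    for line in debug_text.splitlines():
        if "Got tunneled reply" in line:
            section = "tunneled"
            continue
        if "Sent Access-Accept" in line:
            section = "sent"
            continue
        if section is None:
            continue
        m = (TUNNELED_ATTR if section == "tunneled" else OUTER_ATTR).match(line)
        if not m:
            section = None          # attribute list for this block has ended
            continue
        req, name = m.group(1), m.group(2)
        replies.setdefault(req, {"tunneled": [], "sent": []})[section].append(name)
    return replies

def diagnose(debug_text, prefix="Brocade-"):
    """Per request: did attributes starting with `prefix` reach the Access-Accept,
    stay in the inner-tunnel reply (the thread's situation), or never appear?"""
    findings = {}
    for req, r in collect_replies(debug_text).items():
        inner = [a for a in r["tunneled"] if a.startswith(prefix)]
        outer = [a for a in r["sent"] if a.startswith(prefix)]
        if outer:
            findings[req] = "sent in Access-Accept"
        elif inner:
            findings[req] = ("only in inner-tunnel reply: 'files' ran in inner-tunnel, "
                             "not in default; see use_tunneled_reply in mods-available/eap")
        else:
            findings[req] = "not set anywhere: check the users entry and dictionary"
    return findings
```

Run `diagnose(open("debug.log").read())` on a real capture; request "6" in the sample yields the "only in inner-tunnel reply" finding.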
