Freeradius-Users Digest, Vol 166, Issue 48

Greg Stuart gstuart at portageps.org
Fri Feb 22 18:55:27 CET 2019


Hello Alan,

Thank you, I am sorry I put too much info there, I was just thinking to
put everything out there just in case.

Greg S

On Fri, Feb 22, 2019 at 12:10 PM <freeradius-users-request at lists.freeradius.org> wrote:

>
> Today's Topics:
>
>    1. Cisco IOS authentication to Freeradius that is linked to AD
>       (Greg Stuart)
>    2. Re: Cisco IOS authentication to Freeradius that is linked to
>       AD (Alan DeKok)
>    3. Re: Mac-auth (Dave Macias)
>    4. Use expr for reply from sql database (kai.zemke at hauni.com)
>    5. Re: Mac-auth (Dmitriy Andryashin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 22 Feb 2019 11:00:21 -0500
> From: Greg Stuart <gstuart at portageps.org>
> To: freeradius-users at lists.freeradius.org
> Subject: Cisco IOS authentication to Freeradius that is linked to AD
> Message-ID:
>         <CAJuGZELCJhm3mA4+ZjohGJnzKU9y9Vit_KNO9gH4UCVo=
> T5mfw at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hello,
>
> I am new to freeradius so please go easy on me :) Here is what I am trying
> to do.  I am trying to get my Cisco switches to authenticate a user with
> full permissions "lvl 15" by using freeradius that is linked to AD, using
> AD credentials.
>
> Below are the configs:
>
> Switch Config:
>
> aaa group server radius FreeRadius
> server name ppsauth1
> ip radius source-interface GigabitEthernet1/0/50
> !
>
> !
> !
> radius-server attribute 6 mandatory
> !
> radius server ppsauth1
> address ipv4 10.15.0.51 auth-port 1812 acct-port 1813
> key 7 15060E1F107B7977
> !
>
> Switch Debugs:
> test aaa group FreeRadius username password legacy
> Attempting authentication test to server-group FreeRadius using radius
>
> 000175: Feb 22 10:47:38: AAA: parse name=<no string> idb type=-1 tty=-1
> 000176: Feb 22 10:47:38: AAA/MEMORY: create_user (0x8C41E4C)
> user='username' ruser='NULL' ds0=0 port='' rem_addr='NULL'
> authen_type=ASCII servi)
> 000177: Feb 22 10:47:38: RADIUS: Pick NAS IP for u=0x8C41E4C tableid=0
> cfg_addr=0.0.0.0
> 000178: Feb 22 10:47:38: RADIUS(00000000): Config NAS IPv6: ::
> 000179: Feb 22 10:47:38: RADIUS: ustruct sharecount=1
> User authentication request was rejected by server.
> TTC-GREG2#
> 000180: Feb 22 10:47:38: Radius: radius_port_info() success=0
> radius_nas_port=1
> 000181: Feb 22 10:47:38: RADIUS/ENCODE: Best Local IP-Address
> 192.168.160.47 for Radius-Server 10.15.0.51
> 000182: Feb 22 10:47:38: RADIUS(00000000): Send Access-Request to
> 10.15.0.51:1812 onvrf(0) id 1645/8, len 59
> 000183: Feb 22 10:47:38: RADIUS:  authenticator 5F D8 9A 26 5E 67 09 AC -
> E8 D9 4F 9C F9 36 D5 24
> 000184: Feb 22 10:47:38: RADIUS:  NAS-IP-Address      [4]   6
>   192.168.160.47
> TTC-GREG2#
> 000185: Feb 22 10:47:38: RADIUS:  NAS-Port-Type       [61]  6   Async
>                     [0]
> 000186: Feb 22 10:47:38: RADIUS:  User-Name           [1]   9   "username"
> 000187: Feb 22 10:47:38: RADIUS:  User-Password       [2]   18  *
> 000188: Feb 22 10:47:38: RADIUS(00000000): Sending a IPv4 Radius Packet
> 000189: Feb 22 10:47:38: RADIUS(00000000): Started 5 sec timeout
> 000190: Feb 22 10:47:39: RADIUS: Received from id 1645/8 10.15.0.51:1812,
> Access-Reject, len 20
> 000191: Feb 22 10:47:39: RADIUS:  authenticator FC F7 1D 2F 38 08 3A 52 - 80 4D 13 7C 9A E9 C1 B7
> TTC-GREG2#
> 000192: Feb 22 10:47:39: RADIUS: saved authorization data for user 8C41E4C
> at 0
> 000193: Feb 22 10:47:39: AAA/MEMORY: free_user (0x8C41E4C) user='username'
> ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN)
>
>
> Server Info: FreeRadius server running on Ubuntu 18.04 LTS
>
> tcpdump:
> tcpdump -i ens160 -vvv port 1812
> tcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size
> 262144 bytes
> 10:52:36.760284 IP (tos 0x0, ttl 254, id 338, offset 0, flags [none], proto
> UDP (17), length 87)
>    TTC-GREG.portageps.org.datametrics > ppsauth1.portageps.org.radius:
> [udp
> sum ok] RADIUS, length: 59
>        Access-Request (1), id: 0x0a, Authenticator:
> d77adf09bca33bbc3c9a22d8e057b5d0
>          NAS-IP-Address Attribute (4), length: 6, Value:
> TTC-GREG.portageps.org
>            0x0000:  c0a8 a02f
>          NAS-Port-Type Attribute (61), length: 6, Value: Async
>            0x0000:  0000 0000
>          User-Name Attribute (1), length: 9, Value: username
>            0x0000:  6773 7475 6172 74
>          User-Password Attribute (2), length: 18, Value:
>            0x0000:  40ee d3ca 65d6 b7a6 48fe 9f81 3460 b73f
> 10:52:37.761280 IP (tos 0x0, ttl 64, id 64656, offset 0, flags [none],
> proto UDP (17), length 48)
>    ppsauth1.portageps.org.radius > TTC-GREG.portageps.org.datametrics:
> [bad
> udp cksum 0x6b47 -> 0xf8e3!] RADIUS, length: 20
>        Access-Reject (3), id: 0x0a, Authenticator:
> 096e874b36ae47c55b81fa012f1ff749
>
>
> Tail of Radius Log:
>
> tail -f radius.log
> Fri Feb 22 10:49:38 2019 : Auth: (77) Login incorrect (No Auth-Type found:
> rejecting the user via Post-Auth-Type = Reject): [username/password] (from
> client LabSwitch port 0)
> Fri Feb 22 10:49:54 2019 : Auth: (78) Login incorrect (No Auth-Type found:
> rejecting the user via Post-Auth-Type = Reject): [username/password] (from
> client LabSwitch port 0)
> Fri Feb 22 10:50:02 2019 : Auth: (79) Login incorrect (No Auth-Type found:
> rejecting the user via Post-Auth-Type = Reject): [username/password] (from
> client LabSwitch port 0)
> Fri Feb 22 10:51:58 2019 : Auth: (80) Login incorrect (No Auth-Type found:
> rejecting the user via Post-Auth-Type = Reject): [username/password] (from
> client LabSwitch port 0)
> Fri Feb 22 10:52:36 2019 : Auth: (81) Login incorrect (No Auth-Type found:
> rejecting the user via Post-Auth-Type = Reject): [username/password] (from
> client LabSwitch port 0)
>
> freeradius -X output:
> Ready to process requests
> (0) Received Access-Request Id 11 from 192.168.160.47:1645 to
> 10.15.0.51:1812 length 59
> (0)   NAS-IP-Address = 192.168.160.47
> (0)   NAS-Port-Type = Async
> (0)   User-Name = "username"
> (0)   User-Password = "password"
> (0) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "username", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0)     [eap] = noop
> (0)     [files] = noop
> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0) pap: WARNING: No "known good" password found for the user.  Not setting
> Auth-Type
> (0) pap: WARNING: Authentication will fail unless a "known good" password
> is available
> (0)     [pap] = noop
> (0)   } # authorize = ok
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
> Reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   Post-Auth-Type REJECT {
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject:    --> username
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0)     [attr_filter.access_reject] = updated
> (0)     [eap] = noop
> (0)     policy remove_reply_message_if_eap {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (0)       else {
> (0)         [noop] = noop
> (0)       } # else = noop
> (0)     } # policy remove_reply_message_if_eap = noop
> (0)   } # Post-Auth-Type REJECT = updated
> (0) Login incorrect (No Auth-Type found: rejecting the user via
> Post-Auth-Type = Reject): [username/password] (from client LabSwitch port
> 0)
> (0) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 11 from 10.15.0.51:1812 to 192.168.160.47:1645
> length 20
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 11 with timestamp +5
>
>
> Any help would be appreciated.  Again, what I am trying to do is log into
> a cisco switch using my AD credentials.  I have a freeradius server that is
> linked to AD.  The link to AD has been confirmed to work.
>
> Thank you.
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 22 Feb 2019 11:08:41 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Cisco IOS authentication to Freeradius that is linked to
>         AD
> Message-ID: <CB17EFE7-91F3-4FEA-AE9F-C9B26475FD56 at deployingradius.com>
> Content-Type: text/plain;       charset=us-ascii
>
> On Feb 22, 2019, at 11:00 AM, Greg Stuart <gstuart at portageps.org> wrote:
> > I am new to freeradius so please go easy on me :) Here is what I am
> trying
> > to do.  I am trying to get my Cisco switches to authenticate a user with
> > full permissions "lvl 15" by using freeradius that is linked to AD.
> Using
> > AD credentials
> >
> > Below are the configs:
>
>   We don't need to see the switch config or debug output.  The FreeRADIUS
> debug log shows everything we need.
>
> > Server Info:FreeRadius server running on Ubuntu 18.04 LTS
> >
> > tcpdump:
> ...
> > Tail of Radius Log:
>
>   We don't need those, either.
>
>   You get a message when you join the list.  That message tells you what
> we *do* need, and what you *should not* post.  Please read it.
>
> > freeradius -X output:
> > eady to process requests
> > (0) Received Access-Request Id 11 from 192.168.160.47:1645 to
>
>   With lots of stuff deleted...
>
> > Any help would be appreciated.  Again what I am trying to do,  is log
> into
> > a cisco switch using my AD credentials.  I have a freeradius server that
> is
> > linked to AD.  The link to AD has been confirmed to work.
>
>   What do you mean "linked to AD"?  That the FreeRADIUS machine has joined
> the AD domain?
>
>   That's nice, but FreeRADIUS doesn't know that.  There's no magic in the
> server (or OS) saying "look users up in AD".
>
>   The issue here is that you haven't configured FreeRADIUS to do anything
> with AD.  i.e. it doesn't use LDAP or ntlm_auth to authenticate the users.
> That's why it's rejecting the users.
>
>   Please read my documentation on AD integration:
> http://deployingradius.com/documents/configuration/active_directory.html
>
>   If you look through the config files for "Active Directory", you will
> see a number of comments with what to do, and what to configure.  Those
> should help, too.
>
>   Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 22 Feb 2019 11:46:37 -0500
> From: Dave Macias <davama at gmail.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Mac-auth
> Message-ID:
>         <CA+nFYV-cedRFGS-c5-CdVO93sWBEVdkb+7Ww5zvee=
> LyfbWxfw at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> My 2 cents,
>
> Your authorized_macs looks closer to a DB.
> Thought of SQL? Might be neater, maybe.
>
> First time I see mac-auth in this way. It is interesting. Though if not too
> many clients, a flat file should be ok.
> If you want a custom reply msg you could do that in the default config. Or
> if a log, use the linelog module.
>
> Not sure if your authorized_macs file which you "suggest/think" is possible.
> Maybe someone more experienced could chime in.
> Be patient.
>
> Hope this helps
> Dave
>
> On Fri, Feb 22, 2019 at 2:40 AM Dmitriy Andryashin <
> safokoi.sikrone at gmail.com> wrote:
>
> > Help everyone!
> >
> > I'm working with Freeradius 3.0.15
> > and trying to implement authentication by MAC, NAS-Port and
> > NAS-IP-Address with the files module.
> >
> > The solution I found so far is to assign the key variable in
> > mods-available/files
> >
> > files authorized_macs {
> >     key = "%{Calling-Station-ID}-%{NAS-Port}-%{NAS-IP-Address}"
> >     usersfile = ${confdir}/authorized_macs
> > }
> >
> > and in authorized_macs have the string
> > 00-24-54-05-8D-CB-5002-192.168.100.2
> >
> > It works.
> >
> > Is there a neat way to do it? Check the attributes separately.
> >
> > For example:
> > authorized_macs contents:
> >
> > 00-24-54-05-8D-CB  Cleartext-Password := "00-24-54-05-8D-CB", NAS-Port == 5002, NAS-IP-Address == 192.168.100.2
> >     Reply-Message = "Device with MAC Address %{Calling-Station-Id}
> > authorized for network access"
> >
> > I appreciate any help)
> >
> > --
> > Best regards, Dmitri
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 22 Feb 2019 16:57:58 +0000
> From: <kai.zemke at hauni.com>
> To: <freeradius-users at lists.freeradius.org>
> Subject: Use expr for reply from sql database
> Message-ID: <021f782c6aec40a8b5aa9a735ebe70ac at KNS102.HAUNI.KOERBER.DE>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> I do have freeradius set up with an SQL configuration. My MySQL server is
> running the schema that is proposed on the freeradius wiki.
>
> So far everything is doing fine. Now I want to reply with an
> Egress-VLANID.
>
> If I enter the value hex-encoded, everything works fine.
>
> But if I enter the value with the expr function, the replied value is
> always zero and I have the following entry in my radius.log:
>
> sql: Error parsing value: Unknown or invalid value "%{expr: 0x31000000 +
> 105}" for attribute Egress-VLANID)
>
> Do I have to mask certain characters in order to make this work?
>
> Example:
> Egress-VLANID = `%{expr: 0x31000000 + 105}`
>
> Best regards
> Kai
>
>
>
> ________________________________
>
> This e-mail may contain confidential information, which should not be
> copied or distributed without authorization. If you have received this
> e-mail message by mistake, please inform the sender and delete it from your
> system.
>
>
> ------------------------------
>
> Message: 5
> Date: Sat, 23 Feb 2019 01:08:45 +0800
> From: Dmitriy Andryashin <safokoi.sikrone at gmail.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Mac-auth
> Message-ID:
>         <
> CAAGcXdyZGzDMZh+fhurxxSp4YOsSTm7+fBdb7GRce+vDoj1-jg at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> A flat text file seems to be acceptable: it's lightweight, can be used
> without needing other packages, and can also be generated by a script.
>
> Is there a way to check 3 attributes separately in the files module, to make
> the file readable? Or can it only make decisions on a single key
> parameter?
>
> Thank you.
>
>
> --
> Respectfully yours, Dmitriy.
>
>
> ------------------------------
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 166, Issue 48
> *************************************************
>


-- 
*Greg Stuart*
Infrastructure Operations Specialist
Portage Public Schools
P:269.323.5103
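For the composite-key files configuration Dmitriy posted above (message 3), an added example of the generator script he mentions; this is my code, not from the thread or FreeRADIUS, and it assumes the NAS sends Calling-Station-Id as upper-case, dash-separated MACs like the thread's sample, that PAP MAC auth uses the MAC as the password as in his wished-for entry, and that the device inventory is the constructed list in the block:

```python
"""Generate the 'authorized_macs' users file for the composite-key files
module configuration from the thread:
    key = "%{Calling-Station-ID}-%{NAS-Port}-%{NAS-IP-Address}"
Added example, not from the thread or FreeRADIUS. Inventory is constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed inventory: MAC as written in an asset list (any notation),
# the NAS-Port the device hangs off, and the NAS-IP-Address of that switch.
DEVICES: List[Tuple[str, int, str]] = [
    ("00:24:54:05:8d:cb", 5002, "192.168.100.2"),
    ("0024.5405.8dcc", 5003, "192.168.100.2"),
]

def normalize_mac(mac: str) -> str:
    """Canonical form the thread's NAS sends in Calling-Station-Id:
    upper-case, dash separated (00-24-54-05-8D-CB). Assumption: inventory
    may use ':' or '.' notation, so it is normalized here; a key that does
    not match the NAS's own formatting silently never matches."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def composite_key(mac: str, port: int, nas_ip: str) -> str:
    """Exactly the string the files module compares the entry name against."""
    ipaddress.IPv4Address(nas_ip)        # raises ValueError on a bad address
    if not 0 <= port <= 0xFFFFFFFF:      # NAS-Port is a 32-bit integer
        raise ValueError(f"NAS-Port out of range: {port}")
    return f"{normalize_mac(mac)}-{port}-{nas_ip}"

def render_entry(mac: str, port: int, nas_ip: str) -> str:
    """One users-file entry: name and check items on the first line,
    reply items indented below (the users file format)."""
    canon = normalize_mac(mac)
    return (
        f'{composite_key(mac, port, nas_ip)}\tCleartext-Password := "{canon}"\n'
        '\tReply-Message = "Device with MAC Address %{Calling-Station-Id} '
        'authorized for network access"\n'
    )

def render_users_file(devices: Iterable[Tuple[str, int, str]]) -> str:
    """Whole file. A duplicated key is rejected up front instead of letting
    the files module quietly use whichever entry comes first."""
    seen = set()
    entries = []
    for mac, port, ip in devices:
        key = composite_key(mac, port, ip)
        if key in seen:
            raise ValueError(f"duplicate entry for {key}")
        seen.add(key)
        entries.append(render_entry(mac, port, ip))
    return "\n".join(entries)

if __name__ == "__main__":
    print(render_users_file(DEVICES))
```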

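For Kai's Egress-VLANID question (message 4), an added example, not from the thread or FreeRADIUS, that computes the attribute's value per RFC 4675 so the literal can be stored pre-computed instead of going through the `%{expr:...}` expansion that failed; that the hex literal produced here is what the poster means by "hexencoded" is an assumption:

```python
"""Egress-VLANID helpers (RFC 4675) for the value discussed in the thread.

Added example, not from the thread or FreeRADIUS. The attribute is a 32-bit
integer: the top byte is 0x31 for a tagged port or 0x32 for untagged, the
next 12 bits are zero, and the low 12 bits carry the VLAN ID. The thread's
"0x31000000 + 105" therefore means "VLAN 105, tagged".
"""
from typing import Tuple

TAGGED = 0x31
UNTAGGED = 0x32

def encode_egress_vlanid(vlan: int, tagged: bool = True) -> int:
    """Integer value of Egress-VLANID for this VLAN and tag state."""
    if not 1 <= vlan <= 4094:          # 0 and 4095 are reserved in 802.1Q
        raise ValueError(f"VLAN ID out of range: {vlan}")
    tag_byte = TAGGED if tagged else UNTAGGED
    return (tag_byte << 24) | vlan

def egress_vlanid_literal(vlan: int, tagged: bool = True) -> str:
    """Hex literal for the attribute, e.g. '0x31000069' for tagged VLAN 105.
    Assumption: this pre-computed form is the 'hexencoded' value that the
    poster says works when stored directly."""
    return f"0x{encode_egress_vlanid(vlan, tagged):08x}"

def decode_egress_vlanid(value: int) -> Tuple[int, bool]:
    """Inverse: split a received value into (vlan, tagged). Malformed values
    are rejected rather than being mapped onto some unintended VLAN."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    tag_byte = value >> 24
    if tag_byte not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad tag indicator 0x{tag_byte:02x}")
    if value & 0x00FFF000:
        raise ValueError("padding bits must be zero")
    vlan = value & 0xFFF
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    return vlan, tag_byte == TAGGED

if __name__ == "__main__":
    print(egress_vlanid_literal(105))        # 0x31000069
    print(decode_egress_vlanid(0x31000069))  # (105, True)
```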
