<div>Hi ,</div><div>Marc and Alan Thanx for the reply .</div><div><br></div>What I exactly mean by authorization is <span class="Apple-style-span" style="font-family: monospace; font-size: 16px; white-space: pre; ">Management-Privilege-Level which is defined in RFC 5607</span>, <div>I want to give restricted access to certain resources on my NE to the user accounts. </div><div>basically I want to authorize user accounts based on groups and privileges.</div><div><br></div><div>If a user belongs to certain group and have the previlege level (security admin or administrator) then only he can execute certain commands on the NE.</div><div>right now PAM module is doing this in my NE. I want it to be done by Radius server.</div><div><br></div><div>Now pam_radius_auth module sends "authentication only" in request message so, the server is not doing authorization it seems.</div><div><br></div><div>How can I ask Server to do authorization and when server sends the authorization attributes AVPs in the access-Accept message how to process those values? or PAM module will take care of this thing.?</div><div><br></div><div>I am really not getting how to support this "management-privilege-level" feature using pam-radius-auth.</div><div><br>On Fri, 25 Feb 2011 20:11:32 , freeradius-users-request@lists.freeradius.org wrote<br>Send Freeradius-Users mailing list submissions to<br>
freeradius-users@lists.freeradius.org<br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
http://lists.freeradius.org/mailman/listinfo/freeradius-users<br>
or, via email, send a message with subject or body 'help' to<br>
freeradius-users-request@lists.freeradius.org<br>
<br>
You can reach the person managing the list at<br>
freeradius-users-owner@lists.freeradius.org<br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Freeradius-Users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: store and proxy accounting packets (Waqas Toor)<br>
2. Re: store and proxy accounting packets (Alan DeKok)<br>
3. Re: pam_radius_auth query (Marc Phillips)<br>
4. Re: store and proxy accounting packets (Waqas Toor)<br>
5. Re: store and proxy accounting packets (Alan DeKok)<br>
6. Re: store and proxy accounting packets (Waqas Toor)<br>
7. Re: store and proxy accounting packets (Alan DeKok)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Fri, 25 Feb 2011 16:01:06 +0500<br>
From: Waqas Toor <waqasnasirtoor@gmail.com><br>
Subject: Re: store and proxy accounting packets<br>
To: FreeRadius users mailing list<br>
<freeradius-users@lists.freeradius.org><br>
Cc: Alan DeKok <aland@deployingradius.com><br>
Message-ID:<br>
<AANLkTinpZ94e6NpNMJo+fLgSbkreryZvio6=FBPcUpbg@mail.gmail.com><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Hi,<br>
<br>
On Thu, Feb 24, 2011 at 11:33 AM, Alan DeKok <aland@deployingradius.com> wrote:<br>
> Waqas Toor wrote:<br>
>> but what to do to get accounting to other client, Also if that fails<br>
>> is it going to create detail files ?<br>
><br>
> ?Did you bother *reading* the "robust-proxy-accounting" file?<br>
><br>
I have configured the robust-proxy-accounting<br>
below is the file<br>
====================================<br>
home_server home1.example.com {<br>
type = acct<br>
ipaddr = 10.1.67.41<br>
port = 1813<br>
secret = freerad<br>
<br>
<br>
status_check = request<br>
username = "test_user_status_check"<br>
<br>
response_window = 6<br>
}<br>
<br>
home_server home2.example.com {<br>
type = acct<br>
ipaddr = 10.1.67.42<br>
port = 1813<br>
secret = freerad<br>
<br>
response_window = 6<br>
}<br>
<br>
home_server acct_detail.example.com {<br>
virtual_server = acct_detail.example.com<br>
}<br>
<br>
home_server_pool acct_pool.example.com {<br>
<br>
home_server = home1.example.com<br>
home_server = home2.example.com<br>
fallback = acct_detail.example.com<br>
<br>
virtual_server = home.example.com<br>
}<br>
<br>
realm acct_realm.example.com {<br>
acct_pool = acct_pool.example.com<br>
}<br>
<br>
server acct_detail.example.com {<br>
accounting {<br>
detail.example.com<br>
}<br>
}<br>
<br>
server home.example.com {<br>
pre-proxy {<br>
# Insert pre-proxy rules here<br>
}<br>
<br>
post-proxy {<br>
Post-Proxy-Type Fail {<br>
detail.example.com<br>
}<br>
}<br>
<br>
listen {<br>
type = detail<br>
filename = "${radacctdir}/detail.example.com/detail-*:*"<br>
load_factor = 10<br>
}<br>
accounting {<br>
# You may want accounting policies here...<br>
<br>
update control {<br>
Proxy-To-Realm := "acct_realm.example.com"<br>
}<br>
}<br>
<br>
}<br>
====================================<br>
but it is not working neither its creating any file<br>
here is the debug last lines<br>
===================================<br>
<br>
} # server<br>
radiusd: #### Opening IP addresses and Ports ####<br>
listen {<br>
type = "auth"<br>
ipaddr = *<br>
port = 0<br>
}<br>
listen {<br>
type = "acct"<br>
ipaddr = *<br>
port = 0<br>
}<br>
listen {<br>
type = "control"<br>
listen {<br>
socket = "/usr/local/var/run/radiusd/radiusd.sock"<br>
mode = "rw"<br>
}<br>
}<br>
listen {<br>
type = "detail"<br>
listen {<br>
filename =<br>
"/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*"<br>
load_factor = 10<br>
poll_interval = 1<br>
retry_interval = 30<br>
}<br>
}<br>
listen {<br>
type = "auth"<br>
ipaddr = 127.0.0.1<br>
port = 18120<br>
}<br>
Listening on authentication address * port 1812<br>
Listening on accounting address * port 1813<br>
Listening on command file /usr/local/var/run/radiusd/radiusd.sock<br>
Listening on detail file<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* as<br>
server home.example.com<br>
Detail listener<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state<br>
unopened signalled 0 waiting 1.000000 sec<br>
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel<br>
Listening on proxy address * port 1814<br>
Waking up in 0.9 seconds.<br>
Polling for detail file<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*<br>
Detail listener<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state<br>
unopened signalled 0 waiting 1.134651 sec<br>
Waking up in 1.1 seconds.<br>
Polling for detail file<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*<br>
Detail listener<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state<br>
unopened signalled 0 waiting 1.011006 sec<br>
Waking up in 1.0 seconds.<br>
Polling for detail file<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*<br>
Detail listener<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state<br>
unopened signalled 0 waiting 1.113558 sec<br>
Waking up in 1.1 seconds.<br>
Polling for detail file<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*<br>
Detail listener<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state<br>
unopened signalled 0 waiting 0.903584 sec<br>
Waking up in 0.9 seconds.<br>
Polling for detail file<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*<br>
Detail listener<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state<br>
unopened signalled 0 waiting 1.185763 sec<br>
Waking up in 1.1 seconds.<br>
Polling for detail file<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*<br>
Detail listener<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state<br>
unopened signalled 0 waiting 0.916197 sec<br>
Waking up in 0.9 seconds.<br>
Polling for detail file<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*<br>
Detail listener<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state<br>
unopened signalled 0 waiting 0.925224 sec<br>
Waking up in 0.9 seconds.<br>
Polling for detail file<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*<br>
Detail listener<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state<br>
unopened signalled 0 waiting 1.160946 sec<br>
Waking up in 1.1 seconds.<br>
Polling for detail file<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*<br>
Detail listener<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state<br>
unopened signalled 0 waiting 0.817426 sec<br>
Waking up in 0.8 seconds.<br>
<br>
==================<br>
<br>
I am missing something but could not figure it out what<br>
<br>
regards.<br>
Waqas<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Fri, 25 Feb 2011 14:02:33 +0100<br>
From: Alan DeKok <aland@deployingradius.com><br>
Subject: Re: store and proxy accounting packets<br>
To: FreeRadius users mailing list<br>
<freeradius-users@lists.freeradius.org><br>
Message-ID: <4D67A869.7050209@deployingradius.com><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Waqas Toor wrote:<br>
>> Did you bother *reading* the "robust-proxy-accounting" file?<br>
>><br>
> I have configured the robust-proxy-accounting<br>
<br>
That doesn't answer the question. The comments in that file describe<br>
how it works. This includes answering your original question.<br>
<br>
> I am missing something but could not figure it out what<br>
<br>
The debug log doesn't show it receiving packets.<br>
<br>
What do you *expect* to happen when it doesn't received packets?<br>
<br>
The answer should be obvious: it's documented in the comments in the<br>
"robust-proxy-accounting" file.<br>
<br>
Go read it.<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Fri, 25 Feb 2011 07:09:14 -0600<br>
From: Marc Phillips <rmarc@copacetic.net><br>
Subject: Re: pam_radius_auth query<br>
To: vijay s sheelavantar <s_vijay65@rediffmail.com><br>
Cc: freeradius-users <freeradius-users@lists.freeradius.org><br>
Message-ID: <20110225130914.GB12219@archwayconcepts.com><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
vijay s sheelavantar <s_vijay65@rediffmail.com> wrote:<br>
> Hi,<br>
> Please clarify my doubts.<br>
> <br>
> 1. does pam_radius_auth.so support authorization of user accounts? <br>
<br>
the pam module just sends the user info to the radius server.<br>
<br>
The radius server does authorization and authentication. It first authorizes<br>
via your authorization rules you defined. If it passes that, it moves on<br>
to the authentication rules.<br>
<br>
There's nothing special you have to do on the pam module side.<br>
<br>
<br>
R. Marc<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Fri, 25 Feb 2011 18:48:40 +0500<br>
From: Waqas Toor <waqasnasirtoor@gmail.com><br>
Subject: Re: store and proxy accounting packets<br>
To: FreeRadius users mailing list<br>
<freeradius-users@lists.freeradius.org><br>
Cc: Alan DeKok <aland@deployingradius.com><br>
Message-ID:<br>
<AANLkTikNCwcteS+oFcb8btnjPiR9+zfX9HgYWwBz6R57@mail.gmail.com><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Thank you Alan for you help,<br>
But please can you point out where I am wrong or a line may be which<br>
is a bad config, I am having trouble understanding why the packets are<br>
not being forwarded while being in site-enabled directory.<br>
<br>
I read the file I am still struggling to understand FreeRadius proxy<br>
and virtual servers, treat me as a noob<br>
<br>
Waqas<br>
<br>
On Fri, Feb 25, 2011 at 6:02 PM, Alan DeKok <aland@deployingradius.com> wrote:<br>
> Waqas Toor wrote:<br>
>>> ?Did you bother *reading* the "robust-proxy-accounting" file?<br>
>>><br>
>> I have configured the robust-proxy-accounting<br>
><br>
> ?That doesn't answer the question. ?The comments in that file describe<br>
> how it works. ?This includes answering your original question.<br>
><br>
>> I am missing something but could not figure it out what<br>
><br>
> ?The debug log doesn't show it receiving packets.<br>
><br>
> ?What do you *expect* to happen when it doesn't received packets?<br>
><br>
> ?The answer should be obvious: it's documented in the comments in the<br>
> "robust-proxy-accounting" file.<br>
><br>
> ?Go read it.<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Fri, 25 Feb 2011 14:53:02 +0100<br>
From: Alan DeKok <aland@deployingradius.com><br>
Subject: Re: store and proxy accounting packets<br>
To: FreeRadius users mailing list<br>
<freeradius-users@lists.freeradius.org><br>
Message-ID: <4D67B43E.4020309@deployingradius.com><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Waqas Toor wrote:<br>
> Thank you Alan for you help,<br>
> But please can you point out where I am wrong or a line may be which<br>
> is a bad config, I am having trouble understanding why the packets are<br>
> not being forwarded while being in site-enabled directory.<br>
<br>
As I said, the debug log you posted shows *no* packets being received.<br>
<br>
How can it forward packets it doesn't receive?<br>
<br>
How can you debug the failure to proxy packets, when it doesn't<br>
receive any packets?<br>
<br>
> I read the file I am still struggling to understand FreeRadius proxy<br>
> and virtual servers, treat me as a noob<br>
<br>
I'm asking you to read the documents, and the messages on this list.<br>
Nothing more.<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Fri, 25 Feb 2011 19:10:53 +0500<br>
From: Waqas Toor <waqasnasirtoor@gmail.com><br>
Subject: Re: store and proxy accounting packets<br>
To: FreeRadius users mailing list<br>
<freeradius-users@lists.freeradius.org><br>
Cc: Alan DeKok <aland@deployingradius.com><br>
Message-ID:<br>
<AANLkTinubNyY8nagxyVNK+G+DAOgqn8oV+ALiEiAVYsF@mail.gmail.com><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Ahaan, Ok below is an accounting packet and and its response<br>
also please tell me if the the lines that i get while in debug mode are normal ?<br>
<br>
Polling for detail file<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*<br>
Detail listener<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state<br>
unopened signalled 0 waiting 1.159171 sec<br>
Waking up in 1.1 seconds.<br>
<br>
=================================================<br>
Waking up in 0.8 seconds.<br>
Polling for detail file<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*<br>
Detail listener<br>
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state<br>
unopened signalled 0 waiting 1.058084 sec<br>
Waking up in 1.0 seconds.<br>
rad_recv: Accounting-Request packet from host 2.2.2.2 port 10044,<br>
id=248, length=248<br>
Acct-Status-Type = Start<br>
WiMAX-Beginning-Of-Session = 1<br>
WiMAX-IP-Technology = Reserved-0<br>
WiMAX-Prepaid-Indicator = 0<br>
Acct-Session-Id = "12033268"<br>
Acct-Multi-Session-Id = "9a7f45c70eb9cfc263d4b7f5db740d25"<br>
non-hw-flow-info = "\000\000\000"<br>
Framed-IP-Address = 175.110.77.76<br>
User-Name = "002682D1A232@test_cpe.com"<br>
Calling-Station-Id = "002682d1a232"<br>
NAS-Identifier = "WASN"<br>
WiMAX-hHA-IP-MIP4 = 0.0.0.0<br>
NAS-IP-Address = 2.2.2.2<br>
WiMAX-BS-Id = 0x303030303066303030663130<br>
WiMAX-GMT-Timezone-offset = 18000<br>
Event-Timestamp = "Feb 25 2011 18:36:49 PKT"<br>
Huawei-Attr-218 = 0x00000000<br>
NAS-Port-Type = Wireless-802.16<br>
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default<br>
+- entering group preacct {...}<br>
++[preprocess] returns ok<br>
[acct_unique] WARNING: Attribute NAS-Port was not found in request,<br>
unique ID MAY be inconsistent<br>
[acct_unique] Hashing ',Client-IP-Address = 2.2.2.2,NAS-IP-Address =<br>
2.2.2.2,Acct-Session-Id = "12033268",User-Name =<br>
"002682D1A232@test_cpe.com"'<br>
[acct_unique] Acct-Unique-Session-ID = "8b9e32f20020add2".<br>
++[acct_unique] returns ok<br>
[suffix] Looking up realm "test_cpe.com" for User-Name =<br>
"002682D1A232@test_cpe.com"<br>
[suffix] No such realm "test_cpe.com"<br>
++[suffix] returns noop<br>
++[files] returns noop<br>
# Executing section accounting from file<br>
/usr/local/etc/raddb/sites-enabled/default<br>
+- entering group accounting {...}<br>
[detail] expand:<br>
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d<br>
-> /usr/local/var/log/radius/radacct/2.2.2.2/detail-20110225<br>
[detail] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d<br>
expands to /usr/local/var/log/radius/radacct/2.2.2.2/detail-20110225<br>
[detail] expand: %t -> Fri Feb 25 18:35:11 2011<br>
++[detail] returns ok<br>
++[unix] returns noop<br>
[radutmp] expand: /usr/local/var/log/radius/radutmp -><br>
/usr/local/var/log/radius/radutmp<br>
[radutmp] expand: %{User-Name} -> 002682D1A232@test_cpe.com<br>
rlm_radutmp: No NAS-Port seen. Cannot do anything.<br>
rlm_radumtp: WARNING: checkrad will probably not work!<br>
++[radutmp] returns noop<br>
[sql] expand: %{User-Name} -> 002682D1A232@test_cpe.com<br>
[sql] sql_set_user escaped user --> '002682D1A232@test_cpe.com'<br>
[sql] expand: INSERT into accounting (RadAcctId, AcctSessionId,<br>
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,<br>
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,<br>
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets,<br>
AcctOutputOctets, CalledStationId, CallingStationId,<br>
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress,<br>
AcctStartDelay, AcctStopDelay, XAscendSessionSvrKey, AcctStatusType)<br>
VALUES('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',<br>
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}',<br>
'%{NAS-Port-Type}', TO_DATE('%S','yyyy-mm-dd hh24:mi:ss'), NULL, '0',<br>
'%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',<br>
'%{Called-Station-Id}', '%{Calling-Station-Id}', '',<br>
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',<br>
'%{Acct-Delay-Time}', '0', '%{X-Ascend-Session-Svr-Key}',<br>
'%{Acct-Status-Type}') -> INSERT into accounting (RadAcctId,<br>
AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,<br>
NASPortType, AcctSta<br>
rlm_sql (sql): Reserving sql socket id: 0<br>
rlm_sql (sql): Released sql socket id: 0<br>
++[sql] returns ok<br>
++[exec] returns noop<br>
[attr_filter.accounting_response] expand: %{User-Name} -><br>
002682D1A232@test_cpe.com<br>
attr_filter: Matched entry DEFAULT at line 12<br>
++[attr_filter.accounting_response] returns updated<br>
Sending Accounting-Response of id 248 to 2.2.2.2 port 10044<br>
Finished request 9.<br>
Cleaning up request 9 ID 248 with timestamp +20<br>
Going to the next request<br>
Waking up in 0.7 seconds.<br>
<br>
=======================================================<br>
<br>
<br>
On Fri, Feb 25, 2011 at 6:53 PM, Alan DeKok <aland@deployingradius.com> wrote:<br>
> Waqas Toor wrote:<br>
>> Thank you Alan for you help,<br>
>> But please can you point out where I am wrong or a line may be which<br>
>> is a bad config, I am having trouble understanding why the packets are<br>
>> not being forwarded while being in site-enabled directory.<br>
><br>
> ?As I said, the debug log you posted shows *no* packets being received.<br>
><br>
> ?How can it forward packets it doesn't receive?<br>
><br>
> ?How can you debug the failure to proxy packets, when it doesn't<br>
> receive any packets?<br>
><br>
>> I read the file I am still struggling to understand FreeRadius proxy<br>
>> and virtual servers, treat me as a noob<br>
><br>
> ?I'm asking you to read the documents, and the messages on this list.<br>
> Nothing more.<br>
><br>
> ?Alan DeKok.<br>
> -<br>
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<br>
><br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 7<br>
Date: Fri, 25 Feb 2011 15:39:53 +0100<br>
From: Alan DeKok <aland@deployingradius.com><br>
Subject: Re: store and proxy accounting packets<br>
To: FreeRadius users mailing list<br>
<freeradius-users@lists.freeradius.org><br>
Message-ID: <4D67BF39.8070803@deployingradius.com><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Waqas Toor wrote:<br>
> Ahaan, Ok below is an accounting packet and and its response<br>
> also please tell me if the the lines that i get while in debug mode are normal ?<br>
<br>
Yes, but...<br>
<br>
> [suffix] Looking up realm "test_cpe.com" for User-Name =<br>
> "002682D1A232@test_cpe.com"<br>
> [suffix] No such realm "test_cpe.com"<br>
<br>
That should be fixed.<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
-<br>
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<br>
<br>
<br>End of Freeradius-Users Digest, Vol 70, Issue 99<br>
************************************************<br>
</div><br><A HREF="http://sigads.rediff.com/RealMedia/ads/click_nx.ads/www.rediffmail.com/signatureline.htm@Middle?" target="_blank"><IMG SRC="http://sigads.rediff.com/RealMedia/ads/adstream_nx.ads/www.rediffmail.com/signatureline.htm@Middle"></A>