In the specification port 2083/tcp use for authentication and accounting. But in config i can set only one type: home_server tls { ipaddr = 127.0.0.1 port = 2083 type = auth secret = testing123 proto = tcp status_check = none .... } Hi, there are any ideas how to implement it? Best regards, Vyacheslav
On 20 Aug 2012, at 21:06, Вячеслав Адаманов <adamanov@gmail.com> wrote:
In the specification port 2083/tcp use for authentication and accounting. But in config i can set only one type: home_server tls { ipaddr = 127.0.0.1 port = 2083 type = auth secret = testing123 proto = tcp status_check = none .... }
Hi, there are any ideas how to implement it?
have you tried auth+acct?
Yes. If set "type = auth+acct" in listen section, I get error: Invalid type "auth+acct" in listen section. 2012/8/20 Arran Cudbard-Bell <a.cudbardb@freeradius.org>:
On 20 Aug 2012, at 21:06, Вячеслав Адаманов <adamanov@gmail.com> wrote:
In the specification port 2083/tcp use for authentication and accounting. But in config i can set only one type: home_server tls { ipaddr = 127.0.0.1 port = 2083 type = auth secret = testing123 proto = tcp status_check = none .... }
Hi, there are any ideas how to implement it?
have you tried auth+acct? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- __________________________ Vyacheslav Adamanov 87500, Ukraine, Mariupol, st. Apatova 136а mob: +38 (067) 621 32 61 email: adamanov@gmail.com www: http://hl.ua
Today compiled last git master and get:
listen { type = "auth+acct" /opt/freeradius/etc/raddb/sites-enabled/tls[7]: Invalid type "auth+acct" in listen section.
host sbin # ./radiusd -Xv radiusd: FreeRADIUS Version 3.0.0, for host i686-pc-linux-gnu, built on Aug 21 2012 at 10:24:18 Copyright (C) 1999-2011 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Functionality: accounting, authentication, coa, control-socket, detail, dhcp, dynamic clients, proxy, regex-posix, session-management, stats, tcp, TLS, unlang, vmps, Best regards, Vyacheslav 2012/8/21 Alan DeKok <aland@deployingradius.com>:
Вячеслав Адаманов wrote:
Yes. If set "type = auth+acct" in listen section, I get error: Invalid type "auth+acct" in listen section.
Then you're not running the git "master" branch.
Only the master branch supports radsec.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- __________________________ Vyacheslav Adamanov 87500, Ukraine, Mariupol, st. Apatova 136а mob: +38 (067) 621 32 61 email: adamanov@gmail.com www: http://hl.ua
I use default "tls" server config file. Hmm, but when set type = auth in stdout:
(0) Application data status 7 (0) tls_recv: Accounting-Request packet from host 192.168.1.20 port 46103, id=17, length=236 Invalid packet code 4 sent from client open port 46103 : IGNORED Waking up in 0.1 seconds. (3) Cleaning up request packet ID 16 with timestamp +78 Waking up in 24.4 seconds. (0) Application data status 7 (0) tls_recv: Accounting-Request packet from host 192.168.1.20 port 46103, id=17, length=236 Invalid packet code 4 sent from client open port 46103 : IGNORED Waking up in 21.6 seconds. Waking up in 0.9 seconds. Reached idle timeout on socket authentication from client (192.168.1.20, 46103) -> (*, 2083) ... closing socket authentication from client (192.168.1.20, 46103) -> (*, 2083) Ready to process requests.
When change type = acct i get:
Waking up in 29.1 seconds. (0) Application data status 7 (0) tls_recv: Access-Request packet from host 46.162.7.89 port 46135, id=1, length=147 Invalid packet code 1 sent from client open-host port 46135 : IGNORED
Is it possible to redirect requests for authorization and accounting to other defined virtual servers ? Best regards, Vyacheslav 2012/8/21 Alan DeKok <aland@deployingradius.com>:
Вячеслав Адаманов wrote:
Today compiled last git master and get:
Huh. That *used* to work.
Looking at the source code, the TCP sockets *always* accept both types of packets. So you should be able to just use "auth", and it should also accept accounting packets.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- __________________________ Vyacheslav Adamanov 87500, Ukraine, Mariupol, st. Apatova 136а mob: +38 (067) 621 32 61 email: adamanov@gmail.com www: http://hl.ua
Вячеслав Адаманов wrote:
I use default "tls" server config file. Hmm, but when set type = auth in stdout:
Not much useful.
When change type = acct i get:
Also not much useful. I'll see if I can take a look at it. No promises, though.
Is it possible to redirect requests for authorization and accounting to other defined virtual servers ?
Put the "listen" section into a "server" section: server foo { listen { ... } authorize { ... } accounting { ... } } Alan DeKok.
Sory, I'm not very good at programming. Very similar to the verification of the type incoming packet in tls_listen.c start from 357 line: switch(packet->code) { case PW_AUTHENTICATION_REQUEST: if (listener->type != RAD_LISTEN_AUTH) goto bad_packet; FR_STATS_INC(auth, total_requests); fun = rad_authenticate; break; case PW_ACCOUNTING_REQUEST: if (listener->type != RAD_LISTEN_ACCT) goto bad_packet; FR_STATS_INC(acct, total_requests); fun = rad_accounting; break; case PW_STATUS_SERVER: if (!mainconfig.status_server) { FR_STATS_INC(auth, total_unknown_types); DEBUG("WARNING: Ignoring Status-Server request due to security configuration"); rad_free(&sock->packet); request->packet = NULL; return 0; } fun = rad_status_server; break; default: bad_packet: FR_STATS_INC(auth, total_unknown_types); DEBUG("Invalid packet code %d sent from client %s port %d : IGNORED", packet->code, client->shortname, packet->src_port); rad_free(&sock->packet); request->packet = NULL; return 0; } /* switch over packet types */ or am I wrong? Best regards, Vyacheslav 2012/8/21 Alan DeKok <aland@deployingradius.com>:
Вячеслав Адаманов wrote:
I use default "tls" server config file. Hmm, but when set type = auth in stdout:
Not much useful.
When change type = acct i get:
Also not much useful.
I'll see if I can take a look at it. No promises, though.
Is it possible to redirect requests for authorization and accounting to other defined virtual servers ?
Put the "listen" section into a "server" section:
server foo { listen { ... }
authorize { ... }
accounting { ... } }
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- __________________________ Vyacheslav Adamanov 87500, Ukraine, Mariupol, st. Apatova 136а mob: +38 (067) 621 32 61 email: adamanov@gmail.com www: http://hl.ua
With this config i can receive and handle only packets the same type as specified listen section: server tls { listen { ipaddr = * port = 2083 type = auth proto = tcp clients = radsec tls { ..... } authorize { ..... } authenticate { ..... } post-auth { ..... } preacct { ..... } accounting { ..... } } } Can I receive packets authorization and accounting on one tls port and redirect non-tls packets to the server, authorization and accounting? Best regards, Vyacheslav 2012/8/21 Alan DeKok <aland@deployingradius.com>:
Вячеслав Адаманов wrote:
Sory, I'm not very good at programming. Very similar to the verification of the type incoming packet in tls_listen.c start from 357 line:
Yes. The verification is there.
But if you want to parse "auth+acct", you need to edit more than that.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- __________________________ Vyacheslav Adamanov 87500, Ukraine, Mariupol, st. Apatova 136а mob: +38 (067) 621 32 61 email: adamanov@gmail.com www: http://hl.ua
Sorry : server tls { listen { ipaddr = * port = 2083 type = auth proto = tcp clients = radsec tls { ..... } } authorize { ..... } authenticate { ..... } post-auth { ..... } preacct { ..... } accounting { ..... } } 2012/8/21 Вячеслав Адаманов <adamanov@gmail.com>:
With this config i can receive and handle only packets the same type as specified listen section:
server tls { listen { ipaddr = * port = 2083 type = auth proto = tcp clients = radsec tls { ..... }
authorize { ..... } authenticate { ..... } post-auth { ..... } preacct { ..... } accounting { ..... } } }
Can I receive packets authorization and accounting on one tls port and redirect non-tls packets to the server, authorization and accounting?
Best regards, Vyacheslav
2012/8/21 Alan DeKok <aland@deployingradius.com>:
Вячеслав Адаманов wrote:
Sory, I'm not very good at programming. Very similar to the verification of the type incoming packet in tls_listen.c start from 357 line:
Yes. The verification is there.
But if you want to parse "auth+acct", you need to edit more than that.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- __________________________ Vyacheslav Adamanov 87500, Ukraine, Mariupol, st. Apatova 136а mob: +38 (067) 621 32 61 email: adamanov@gmail.com www: http://hl.ua
-- __________________________ Vyacheslav Adamanov 87500, Ukraine, Mariupol, st. Apatova 136а mob: +38 (067) 621 32 61 email: adamanov@gmail.com www: http://hl.ua
Вячеслав Адаманов wrote:
With this config i can receive and handle only packets the same type as specified listen section:
That is how it works. I just spent 3 messages explaining this.
Can I receive packets authorization and accounting on one tls port and redirect non-tls packets to the server, authorization and accounting?
That question makes no sense. Alan DeKok
But i started thread with message:
In the specification port 2083/tcp use for authentication and accounting. But in config i can set only one type: home_server tls { ipaddr = 127.0.0.1 port = 2083 type = auth secret = testing123 proto = tcp status_check = none ... } There are any ideas how to implement it?
2.1. TCP port and packet types The default destination port number for RADIUS over TLS is TCP/2083. There are no separate ports for authentication, accounting and dynamic authorisation changes. The source port is arbitrary.
I will be very grateful if you help me with this trouble 2012/8/21 Alan DeKok <aland@deployingradius.com>:
Вячеслав Адаманов wrote:
With this config i can receive and handle only packets the same type as specified listen section:
That is how it works. I just spent 3 messages explaining this.
Can I receive packets authorization and accounting on one tls port and redirect non-tls packets to the server, authorization and accounting?
That question makes no sense.
Alan DeKok - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- __________________________ Vyacheslav Adamanov 87500, Ukraine, Mariupol, st. Apatova 136а mob: +38 (067) 621 32 61 email: adamanov@gmail.com www: http://hl.ua
Can I receive packets authorization and accounting on one tls port and redirect non-tls packets to the server, authorization and accounting?
That question makes no sense. Why, no sense. If client send auth and acct at same port.
2012/8/21 Вячеслав Адаманов <adamanov@gmail.com>:
But i started thread with message:
In the specification port 2083/tcp use for authentication and accounting. But in config i can set only one type: home_server tls { ipaddr = 127.0.0.1 port = 2083 type = auth secret = testing123 proto = tcp status_check = none ... } There are any ideas how to implement it?
2.1. TCP port and packet types The default destination port number for RADIUS over TLS is TCP/2083. There are no separate ports for authentication, accounting and dynamic authorisation changes. The source port is arbitrary.
I will be very grateful if you help me with this trouble
2012/8/21 Alan DeKok <aland@deployingradius.com>:
Вячеслав Адаманов wrote:
With this config i can receive and handle only packets the same type as specified listen section:
That is how it works. I just spent 3 messages explaining this.
Can I receive packets authorization and accounting on one tls port and redirect non-tls packets to the server, authorization and accounting?
That question makes no sense.
Alan DeKok - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- __________________________ Vyacheslav Adamanov 87500, Ukraine, Mariupol, st. Apatova 136а mob: +38 (067) 621 32 61 email: adamanov@gmail.com www: http://hl.ua
-- __________________________ Vyacheslav Adamanov 87500, Ukraine, Mariupol, st. Apatova 136а mob: +38 (067) 621 32 61 email: adamanov@gmail.com www: http://hl.ua
Вячеслав Адаманов wrote:
Can I receive packets authorization and accounting on one tls port and redirect non-tls packets to the server, authorization and accounting?
That question makes no sense. Why, no sense. If client send auth and acct at same port.
You want to have a TLS port, and redirect non-TLS packets? How, exactly, does a TLS port receive non-TLS packets? Alan DeKok.
Вячеслав Адаманов wrote:
But i started thread with message:
Really? I didn't remember.
I will be very grateful if you help me with this trouble
I already told you. It requires code changes. Do you understand "code changes"? Do you understand "it doesn't work now"? And "I already told you it doesn't work" ? Alan DeKok.
I understand that changes are needed, after you second message. Do not boil. Thank you for useful dialog. 2012/8/21 Alan DeKok <aland@deployingradius.com>:
Вячеслав Адаманов wrote:
But i started thread with message:
Really? I didn't remember.
I will be very grateful if you help me with this trouble
I already told you. It requires code changes.
Do you understand "code changes"?
Do you understand "it doesn't work now"?
And "I already told you it doesn't work" ?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- __________________________ Vyacheslav Adamanov 87500, Ukraine, Mariupol, st. Apatova 136а mob: +38 (067) 621 32 61 email: adamanov@gmail.com www: http://hl.ua
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Вячеслав Адаманов