2012/6/6 Matthew Newton <mcn4@leicester.ac.uk>:
On Wed, Jun 06, 2012 at 03:56:54PM -0300, Sergio Belkin wrote:
Good idea, I've tried appending %{EAP-Type) that to detail.log but sending nothing eg:
auth-detail-AP-XXX-DEFAULT--20120606
Between "-" and "-" is nothing (Neither TTLS nor PEAP appears)
You've not really explained what you've done.
However, I *guess* that you have added %{EAP-Type} to the filename (detailfile) in the detail config.
Yes, you guess well
Look, though, where detail is getting called, and where eap is called, in the authorize section. It goes in order. The eap module sets EAP-Type, detail is called before.
So you need to call the log after eap. But the gotcha is that eap will short circuit the return in the challenges, so you won't call the detail module if you put it after eap.
Nice to know it :)
I'd suggest you let all the incoming logs go to a single location where they are, then you add a new detail (or linelog) module to post-auth. That can use %{EAP-Type}, as it's *after* EAP has happened.
I've tested it and works, nice! But please keep on reading:
Alternatively, you can use my other suggestion anywhere you like. If you pick data out of EAP-Message yourself, you get to do what you want with it (and keep the shards when it shatters).
Totally untested unlang.
if (%{EAP-Message} =~ /^0x........19/) { detail_log_peap } elsif (%{EAP-Message} =~ /^0x........15/) { detail_log_ttls } else { detail_log_other }
Note that things *will* hit detail_log_other. EAP Identity, for instance, before the eap type has been agreed. If you do this in the inner server, be prepared for unexpectedness. In short, understand EAP first.
Good, but it sounds somewhat complex :)
I just chuck the raw data out with detail and leave it be. The useful stuff is pristinely formatted with gentle loving care by the linelog module, where it sits in a nice greppable format for me. One log entry, in post-auth, after the useful stuff happened. Any more detail needed? Just go to the dirty detail log and dig it out. Happens so rarely it wouldn't matter if it was in binary format and had to be read with a hex editor in Windows...
Wow, linelog seems interesting, I've tried but only is logging Access-Request, why? I add my debug (I plan to get rid out of inner-tunnel-peap file): FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on Jan 3 2012 at 16:18:16 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb-testing/radiusd.conf including configuration file /etc/raddb-testing/proxy.conf including configuration file /etc/raddb-testing/clients.conf including files in directory /etc/raddb-testing/modules/ including configuration file /etc/raddb-testing/modules/chap including configuration file /etc/raddb-testing/modules/mschap including configuration file /etc/raddb-testing/modules/sqlcounter_expire_on_login including configuration file /etc/raddb-testing/modules/exec including configuration file /etc/raddb-testing/modules/realm including configuration file /etc/raddb-testing/modules/checkval including configuration file /etc/raddb-testing/modules/rediswho including configuration file /etc/raddb-testing/modules/passwd including configuration file /etc/raddb-testing/modules/attr_filter including configuration file /etc/raddb-testing/modules/linelog including configuration file /etc/raddb-testing/modules/wimax including configuration file /etc/raddb-testing/modules/pam including configuration file /etc/raddb-testing/modules/inner-eap including configuration file /etc/raddb-testing/modules/echo including configuration file /etc/raddb-testing/modules/soh including configuration file /etc/raddb-testing/modules/replicate including configuration file /etc/raddb-testing/modules/acct_unique including configuration file /etc/raddb-testing/modules/etc_group including configuration file /etc/raddb-testing/modules/pap including configuration file /etc/raddb-testing/modules/expr including configuration file /etc/raddb-testing/modules/smbpasswd including configuration file /etc/raddb-testing/modules/attr_rewrite including configuration file /etc/raddb-testing/modules/radutmp including configuration file /etc/raddb-testing/modules/mac2ip including configuration file /etc/raddb-testing/modules/logintime including configuration file /etc/raddb-testing/modules/sql_log including configuration file /etc/raddb-testing/modules/smsotp including configuration file /etc/raddb-testing/modules/preprocess including configuration file /etc/raddb-testing/modules/policy including configuration file /etc/raddb-testing/modules/cui including configuration file /etc/raddb-testing/modules/perl including configuration file /etc/raddb-testing/modules/digest including configuration file /etc/raddb-testing/modules/mac2vlan including configuration file /etc/raddb-testing/modules/otp including configuration file /etc/raddb-testing/modules/files including configuration file /etc/raddb-testing/modules/always including configuration file /etc/raddb-testing/modules/ntlm_auth including configuration file /etc/raddb-testing/modules/detail including configuration file /etc/raddb-testing/modules/krb5 including configuration file /etc/raddb-testing/modules/sradutmp including configuration file /etc/raddb-testing/modules/opendirectory including configuration file /etc/raddb-testing/modules/counter including configuration file /etc/raddb-testing/modules/detail.example.com including configuration file /etc/raddb-testing/modules/ippool including configuration file /etc/raddb-testing/modules/expiration including configuration file /etc/raddb-testing/modules/dynamic_clients including configuration file /etc/raddb-testing/modules/detail.log including configuration file /etc/raddb-testing/modules/redis including configuration file /etc/raddb-testing/modules/ldap including configuration file /etc/raddb-testing/modules/unix including configuration file /etc/raddb-testing/eap.conf including configuration file /etc/raddb-testing/policy.conf including files in directory /etc/raddb-testing/sites-enabled/ including configuration file /etc/raddb-testing/sites-enabled/status including configuration file /etc/raddb-testing/sites-enabled/control-socket including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel including configuration file /etc/raddb-testing/sites-enabled/default including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel-peap main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb-testing/dictionary main { name = "radiusd" prefix = "/usr/local-test" localstatedir = "/usr/local-test/var" sbindir = "/usr/local-test/sbin" logdir = "/usr/local-test/var/log/radius" run_dir = "/usr/local-test/var/run/radiusd" libdir = "/usr/local-test/lib" radacctdir = "/usr/local-test/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/usr/local-test/var/run/radiusd/radiusd.pid" checkrad = "/usr/local-test/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 client 192.168.1.5 { Module: Linked to module rlm_linelog Module: Instantiating module "linelog" from file /etc/raddb-testing/modules/linelog linelog { filename = "/usr/local-test/var/log/radius/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "%{%{Packet-Type}:-format}" conns: 0xec4c700 ipaddr = 127.0.0.1 port = 18120 client admin { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "YellowSubmarine" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18121 } ... adding new socket proxy address * port 59646 Listening on authentication address 192.168.1.5 port 1812 Listening on accounting address 192.168.1.5 port 1813 Listening on command file /usr/local-test/var/run/radiusd/radiusd.sock Listening on status address 127.0.0.1 port 18120 as server status Listening on authentication address 127.0.0.1 port 18121 as server inner-tunnel Listening on proxy address 192.168.1.5 port 1814 Ready to process requests. rad_recv: Accounting-Request packet from host 10.129.85.1 port 39402, id=192, length=199 Acct-Session-Id = "00000026-0000003A" Acct-Status-Type = Stop Acct-Authentic = RADIUS User-Name = "fsaze1" NAS-Identifier = "AP-PVIII-V" NAS-Port = 4 Called-Station-Id = "00-23-69-49-06-2C:sarlanga-I" Calling-Station-Id = "60-FA-CD-42-C0-CE" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Time = 30 Acct-Input-Packets = 98 Acct-Output-Packets = 26 Acct-Input-Octets = 11164 Acct-Output-Octets = 7989 Event-Timestamp = "Jun 7 2012 10:37:44 ART" Acct-Terminate-Cause = User-Request # Executing section preacct from file /etc/raddb-testing/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 4,Client-IP-Address = 10.129.85.1,NAS-IP-Address = 10.129.85.1,Acct-Session-Id = "00000026-0000003A",User-Name = "fsaze1"' [acct_unique] Acct-Unique-Session-ID = "66c3a7d6e3d79d1a". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "fsaze1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /etc/raddb-testing/sites-enabled/default +- entering group accounting {...} [detail] expand: /usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607 [detail] /usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607 [detail] expand: %t -> Thu Jun 7 10:37:44 2012 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /usr/local-test/var/log/radius/radutmp -> /usr/local-test/var/log/radius/radutmp [radutmp] expand: %{User-Name} -> fsaze1 ++[radutmp] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> fsaze1 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 192 to 10.129.85.1 port 39402 Finished request 0. End of Output Thanks in advance
Add 'preprocess' to the top of the authorize{} section in your inner-tunnel-peap / inner-tunnel files. That's the module that checks huntgroups.
Thanks guys it dit it! I just realize that modules must be appended in inner-tunnel files to load them :)
Yeah, that's why it's called a virtual server. It's treated the same as the default server, the flow is the same. No module listed there? It doesn't happen.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org