Hello all, I'm trying to log accounting and requests into our elasticsearch/graylog logserver. I use home made linelog modules to rewrite logs into json format. modules are called in authorize, accounting, post-auth, Post-Auth-Type REJECT, preproxy and post-proxy sections here is an exemple of my module : linelog linelog_postauth { format = "%t linelog_postauth \%Packet-Type non reconnu for %{User-Name} (%{Packet-Type})" filename = ${logdir}/linelog_json permissions = 0600 reference = "messages.%{%{reply:Packet-Type}:-format}" messages { Access-Reject = "{\"Datetime\":\"%t\",\"Module_Name\":\"linelog_postauth\",\"Packet-Type\":\"%{reply:Packet-Type}\",\"User-Name\":\"%{User-Name}\",\"Realm\":\"%{Realm}\",\"NAS-IP-Address\":\"%{NAS-IP-Address}\",\"NAS-Port\":\"%{NAS-Port}\",\"Service-Type\":\"%{Service-Type}\",\"Framed-MTU\":\"%{Framed-MTU}\",\"State\":\"%{State}\",\"Class\":\"%{Class}\",\"Vendor-Specific\":\"%{Vendor-Specific}\",\"Session-Timeout\":\"%{Session-Timeout}\",\"Idle-Timeout\":\"%{Idle-Timeout}\",\"Termination-Action\":\"%{Termination-Action}\",\"Called-Station-Id\":\"%{Called-Station-Id}\",\"Calling-Station-Id\":\"%{Calling-Station-Id}\",\"NAS-Identifier\":\"%{NAS-Identifier}\",\"Proxy-State\":\"%{Proxy-State}\",\"Login-LAT-Service\":\"%{Login-LAT-Service}\",\"Login-LAT-Node\":\"%{Login-LAT-Node}\",\"Login-LAT-Group\":\"%{Login-LAT-Group}\",\"Framed-AppleTalk-Link\":\"%{Framed-AppleTalk-Link}\",\"Framed-AppleTalk-Network\":\"%{Framed-AppleTalk-Network}\",\"Framed-AppleTalk-Zone\":\"%{Framed-AppleTalk-Zone}\",\"CHAP-Challenge\":\"%{CHAP-Challenge}\",\"NAS-Port-Type\":\"%{NAS-Port-Type}\",\"Port-Limit\":\"%{Port-Limit}\",\"Login-LAT-Port\":\"%{Login-LAT-Port}\"}" Access-Challenge = "{\"Datetime\":\"%t\",\"Module_Name\":\"linelog_postauth\",\"Packet-Type\":\"%{reply:Packet-Type}\",\"User-Name\":\"%{User-Name}\",\"Realm\":\"%{Realm}\",\"NAS-IP-Address\":\"%{NAS-IP-Address}\",\"NAS-Port\":\"%{NAS-Port}\",\"Service-Type\":\"%{Service-Type}\",\"Framed-Protocol\":\"%{Framed-Protocol}\",\"Framed-IP-Address\":\"%{Framed-IP-Address}\",\"Framed-IP-Netmask\":\"%{Framed-IP-Netmask}\",\"Framed-Routing\":\"%{Framed-Routing}\",\"Filter-Id\":\"%{Filter-Id}\",\"Framed-MTU\":\"%{Framed-MTU}\",\"Framed-Compression\":\"%{Framed-Compression}\",\"Login-IP-Host\":\"%{Login-IP-Host}\",\"Login-Service\":\"%{Login-Service}\",\"Login-TCP-Port\":\"%{Login-TCP-Port}\",\"Reply-Message\":\"%{Reply-Message}\",\"Callback-Number\":\"%{Callback-Number}\",\"Callback-Id\":\"%{Callback-Id}\",\"Framed-Route\":\"%{Framed-Route}\",\"Framed-IPX-Network\":\"%{Framed-IPX-Network}\",\"State\":\"%{State}\",\"Class\":\"%{Class}\",\"Vendor-Specific\":\"%{Vendor-Specific}\",\"Session-Timeout\":\"%{Session-Timeout}\",\"Idle-Timeout\":\"%{Idle-Timeout}\",\"Termination-Action\":\"%{Termination-Action}\",\"Called-Station-Id\":\"%{Called-Station-Id}\",\"Calling-Station-Id\":\"%{Calling-Station-Id}\",\"NAS-Identifier\":\"%{NAS-Identifier}\",\"Proxy-State\":\"%{Proxy-State}\",\"Login-LAT-Service\":\"%{Login-LAT-Service}\",\"Login-LAT-Node\":\"%{Login-LAT-Node}\",\"Login-LAT-Group\":\"%{Login-LAT-Group}\",\"Framed-AppleTalk-Link\":\"%{Framed-AppleTalk-Link}\",\"Framed-AppleTalk-Network\":\"%{Framed-AppleTalk-Network}\",\"Framed-AppleTalk-Zone\":\"%{Framed-AppleTalk-Zone}\",\"CHAP-Challenge\":\"%{CHAP-Challenge}\",\"NAS-Port-Type\":\"%{NAS-Port-Type}\",\"Port-Limit\":\"%{Port-Limit}\",\"Login-LAT-Port\":\"%{Login-LAT-Port}\"}" Access-Accept = "{\"Datetime\":\"%t\",\"Module_Name\":\"linelog_postauth\",\"Packet-Type\":\"%{reply:Packet-Type}\",\"User-Name\":\"%{User-Name}\",\"Realm\":\"%{Realm}\",\"NAS-IP-Address\":\"%{NAS-IP-Address}\",\"NAS-Port\":\"%{NAS-Port}\",\"Service-Type\":\"%{Service-Type}\",\"Framed-MTU\":\"%{Framed-MTU}\",\"Login-IP-Host\":\"%{Login-IP-Host}\",\"Login-Service\":\"%{Login-Service}\",\"Login-TCP-Port\":\"%{Login-TCP-Port}\",\"Reply-Message\":\"%{Reply-Message}\",\"Callback-Number\":\"%{Callback-Number}\",\"Callback-Id\":\"%{Callback-Id}\",\"Framed-Route\":\"%{Framed-Route}\",\"Framed-IPX-Network\":\"%{Framed-IPX-Network}\",\"State\":\"%{State}\",\"Class\":\"%{Class}\",\"Vendor-Specific\":\"%{Vendor-Specific}\",\"Session-Timeout\":\"%{Session-Timeout}\",\"Idle-Timeout\":\"%{Idle-Timeout}\",\"Termination-Action\":\"%{Termination-Action}\",\"Called-Station-Id\":\"%{Called-Station-Id}\",\"Calling-Station-Id\":\"%{Calling-Station-Id}\",\"NAS-Identifier\":\"%{NAS-Identifier}\",\"Proxy-State\":\"%{Proxy-State}\",\"Login-LAT-Service\":\"%{Login-LAT-Service}\",\"Login-LAT-Node\":\"%{Login-LAT-Node}\",\"Login-LAT-Group\":\"%{Login-LAT-Group}\",\"Framed-AppleTalk-Link\":\"%{Framed-AppleTalk-Link}\",\"Framed-AppleTalk-Network\":\"%{Framed-AppleTalk-Network}\",\"Framed-AppleTalk-Zone\":\"%{Framed-AppleTalk-Zone}\",\"CHAP-Challenge\":\"%{CHAP-Challenge}\",\"NAS-Port-Type\":\"%{NAS-Port-Type}\",\"Port-Limit\":\"%{Port-Limit}\",\"Login-LAT-Port\":\"%{Login-LAT-Port}\",\"VLAN\":\"%{Tunnel-Private-Group-ID:0}\"}" } } the goal is to keep info about login attempts and failure and why. when we run radius in debug mode we can see failure reason as next example : ..... (17) authenticate { (17) eap : Expiring EAP session with state 0x2ee654852ee14efb (17) eap : Finished EAP session with state 0x2ee654852ee14efb (17) eap : Previous EAP request found for state 0x2ee654852ee14efb, released from the list (17) eap : Peer sent method MSCHAPv2 (26) (17) eap : EAP MSCHAPv2 (26) (17) eap : Calling eap_mschapv2 to process EAP data (17) eap_mschapv2 : # Executing group from file /etc/raddb//sites-enabled/eduroam-inner-tunnel (17) eap_mschapv2 : Auth-Type MS-CHAP { (17) mschap : Found LM-Password (17) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password (17) mschap : Found NT-Password (17) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password (17) mschap : Creating challenge hash with username: cdelauna@univ-rennes1.fr (17) mschap : Client is using MS-CHAPv2 (17) ERROR: mschap : MS-CHAP2-Response is incorrect (17) [mschap] = reject (17) } # Auth-Type MS-CHAP = reject (17) eap : Freeing handler (17) [eap] = reject (17) } # authenticate = reject ..... I can't find reject reason (mscahp result, ...) in access-reject variables. I had a look into mailist's archives without success ;( Do anybody can help me to find the best way doing this ? Thanks a lot -- Cédric Delaunay Direction des Systèmes d'Informations Equipe Réseau & Telephonie 263, Avenue du Général Leclerc Tel: 02 23 23 71 59 CS 74205 - 35042 Rennes Cedex Pour toute demande utiliser l'aide et assistance via l'ENT à l'adresse http://ent.univ-rennes1.fr
On Tue, Jan 24, 2017 at 11:15:17AM +0100, cedric delaunay wrote:
I can't find reject reason (mscahp result, ...) in access-reject variables.
Do anybody can help me to find the best way doing this ?
Look at &Module-Failure-Message, it should have what you want. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi, use Module-Failure-Message - but also look at the 3.0.x HEAD from git or wait until 3.0.13 comes out as Matthew has ensures theres a good starting point for the ELK crowd :) alan
On Tue, Jan 24, 2017 at 10:52:32AM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
use Module-Failure-Message - but also look at the 3.0.x HEAD from git or wait until 3.0.13 comes out as Matthew has ensures theres a good starting point for the ELK crowd :)
Yeah, to be honest rather than trying to write out JSON with linelog personally I'd just look at reading the plain detail files with logstash and using that to write them out as JSON. You might be fine, but then some joker will come along and try to log in with a username like 'silly"json'... Should probably at least wrap all the attributes in %{jsonquote:...} to be safe. "rlm_jsonlog" is something I've thought about for a while. Just not sure it's worth it. Might be if I can then use that to feed directly into elasticsearch and skip the logstash bit. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 24-01-17 13:22, Matthew Newton wrote:
"rlm_jsonlog" is something I've thought about for a while. Just not sure it's worth it. Might be if I can then use that to feed directly into elasticsearch and skip the logstash bit.
Actually, we've created something like that for a very specific use case, never thought others would have a purpose for it. The source is available at https://github.com/Quarantainenet/rlm_attr_log. It works by sending JSON syslog, so it might need a few tweaks to work with ELK. FreeRADIUS v4 contains a rlm_json module which would make it very trivial, getting a JSON string of the request is as simple as: fr_json_afrom_pair_list(NULL, &request->packet->vps, NULL); -- Herwin Weststrate
Hi guys, Thanks for the quick answer. As a newbie, I didn't find how to implement Module-failure-message. I follow this example : http://lists.freeradius.org/pipermail/freeradius-users/2014-December/074957.... but service wont run : server eduroam-inner-tunnel { # from file /etc/raddb//sites-enabled/eduroam-inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} /etc/raddb//sites-enabled/eduroam-inner-tunnel[321]: Default list "session-state" specified in mapping section is invalid /etc/raddb//sites-enabled/eduroam-inner-tunnel[321]: Failed to parse "update" subsection. any detail I should know ? I would like switch from 2.x to 3.x as soon as possible so I can't wait for 3.0.13 release on my centos ;( Matthew, I guess that you talk about this : https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x/doc/schemas/logs... Maybe is that a best way but : - I first have to make login-failure reason to be printed in detail files, isn't it ? Thanks Cedric Le 24/01/2017 à 13:22, Matthew Newton a écrit :
On Tue, Jan 24, 2017 at 10:52:32AM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
use Module-Failure-Message - but also look at the 3.0.x HEAD from git or wait until 3.0.13 comes out as Matthew has ensures theres a good starting point for the ELK crowd :) Yeah, to be honest rather than trying to write out JSON with linelog personally I'd just look at reading the plain detail files with logstash and using that to write them out as JSON. You might be fine, but then some joker will come along and try to log in with a username like 'silly"json'...
Should probably at least wrap all the attributes in %{jsonquote:...} to be safe.
"rlm_jsonlog" is something I've thought about for a while. Just not sure it's worth it. Might be if I can then use that to feed directly into elasticsearch and skip the logstash bit.
Matthew
-- Cédric Delaunay Direction des Systèmes d'Informations Equipe Réseau & Telephonie 263, Avenue du Général Leclerc Tel: 02 23 23 71 59 CS 74205 - 35042 Rennes Cedex Pour toute demande utiliser l'aide et assistance via l'ENT à l'adresse http://ent.univ-rennes1.fr
On 25-01-17 09:25, cedric delaunay wrote:
... /etc/raddb//sites-enabled/eduroam-inner-tunnel[321]: Default list "session-state" specified in mapping section is invalid /etc/raddb//sites-enabled/eduroam-inner-tunnel[321]: Failed to parse "update" subsection.
any detail I should know ?
I would like switch from 2.x to 3.x as soon as possible so I can't wait for 3.0.13 release on my centos ;(
session-state is a feature introduced in 3.0.something (it's probably mentioned in the changelogs) -- Herwin Weststrate
Yep, I'm already on 3.x on my new server but I just found that centos 7 base repos has only FR 3.0.4 and Module-Failure-Message came with 3.0.5 .... http://freeradius-users.freeradius.narkive.com/Mt1jQ2ig/multi-packet-session... Have now to negotiate with system-admins to add an testing repo or install one rpm.... Cedric Le 25/01/2017 à 10:40, A.L.M.Buxey@lboro.ac.uk a écrit :
Hi,
any detail I should know ? yes, you can only use that config on FR 3.x and above :)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Cédric Delaunay Direction des Systèmes d'Informations Equipe Réseau & Telephonie 263, Avenue du Général Leclerc Tel: 02 23 23 71 59 CS 74205 - 35042 Rennes Cedex Pour toute demande utiliser l'aide et assistance via l'ENT à l'adresse http://ent.univ-rennes1.fr
I would like switch from 2.x to 3.x as soon as possible so I can't wait for 3.0.13 release on my centos ;(
If you are ok with getting a CentOS version of FR that's *not* from the official repo, you can get one from the Moonshot repository[1][2]. Granted, it comes with additional build functionality (dynamic realm lookup with Moonshot technology), but at least you won't have to hang around with 2.x anymore. [1] http://repository.project-moonshot.org/rpms/centos6/RPMS/x86_64/ [2] Instructions: https://wiki.moonshot.ja.net/display/TEM/_SystemPrep_RHEL6 (or _SystemPrep_RHEL7) We expect to release a 3.0.13 once Alan releases it. :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Hi all, Thanks Stefan for the proposition, I finally upgraded from packetfence version as Alan suggested in another post (http://lists.freeradius.org/pipermail/freeradius-users/2017-January/086387.h...) System admin added a new repo allowing only freeradius* packages I'm now running 3.0.13 successfully. Before It started I had to customise my conf files and particularly disable filter_username module in authorise sections. Do someone ever has reject because of an unreal reason ? It looks like a bug or am I wrong ? here is radius -X details : eady to process requests (1) Received Access-Request Id 48 from 129.20.3.1:32770 to 129.20.128.215:2012 length 267 (1) User-Name = "XXXXXXX@univ-rennes1.fr" (1) Calling-Station-Id = "xx:xx:xx:xx:xx:xx" (1) Called-Station-Id = "zz:zz:zz:zz:zz:zz:eduroam2" (1) NAS-Port = 13 (1) Cisco-AVPair = "audit-session-id=81140301004ea5905891e58f" (1) NAS-IP-Address = 129.20.3.1 (1) NAS-Identifier = "cs5508-00-12d-1" (1) Airespace-Wlan-Id = 9 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "410" (1) EAP-Message = 0x0202001d016364656c61756e6140756e69762d72656e6e6573312e6672 (1) Message-Authenticator = 0x1132d719171132f5a5c236cf9c4f3de1 (1) # Executing section authorize from file /etc/raddb//sites-enabled/eduroam (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> TRUE (1) if (&User-Name =~ /\.$/) { (1) update request { (1) &Module-Failure-Message += 'Rejected: Realm ends with a dot' (1) } # update request = noop (1) [reject] = reject (1) } # if (&User-Name =~ /\.$/) = reject (1) } # if (&User-Name) = reject (1) } # policy filter_username = reject (1) } # authorize = reject (1) Invalid user (Rejected: Realm ends with a dot): [XXXXXXX@univ-rennes1.fr] (from client Controleur1 port 13 cli xx:xx:xx:xx:xx:xx) ....... Received Access-Request Id 47 from 129.20.3.1:32770 to 129.20.128.215:2012 length 267 (2) User-Name = "XXXXXXX@univ-rennes1.fr" (2) Calling-Station-Id = "xx:xx:xx:xx:xx:xx" (2) Called-Station-Id = "zz:zz:zz:zz:zz:zz:eduroam2" (2) NAS-Port = 13 (2) Cisco-AVPair = "audit-session-id=81140301004ea2255891e39d" (2) NAS-IP-Address = 129.20.3.1 (2) NAS-Identifier = "cs5508-00-12d-1" (2) Airespace-Wlan-Id = 9 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "410" (2) EAP-Message = 0x0201001d016364656c61756e6140756e69762d72656e6e6573312e6672 (2) Message-Authenticator = 0x6e2d0c853052c1e6c24554832e2986c2 (2) # Executing section authorize from file /etc/raddb//sites-enabled/eduroam (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> TRUE (2) if (&User-Name =~ /\.\./ ) { (2) update request { (2) &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s' (2) } # update request = noop (2) [reject] = reject (2) } # if (&User-Name =~ /\.\./ ) = reject (2) } # if (&User-Name) = reject (2) } # policy filter_username = reject (2) } # authorize = reject (2) Invalid user (Rejected: User-Name contains multiple ..s): [XXXXXXX@univ-rennes1.fr] (from client Controleur1 port 13 cli xx:xx:xx:xx:xx:xx) (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/raddb//sites-enabled/eduroam (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> XXXXXXX@univ-rennes1.fr (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated Anyway, I disable the module and it work. I'll now look at Module-Failure-Message Cedric Le 25/01/2017 à 10:56, Stefan Paetow a écrit :
I would like switch from 2.x to 3.x as soon as possible so I can't wait for 3.0.13 release on my centos ;( If you are ok with getting a CentOS version of FR that's *not* from the official repo, you can get one from the Moonshot repository[1][2]. Granted, it comes with additional build functionality (dynamic realm lookup with Moonshot technology), but at least you won't have to hang around with 2.x anymore.
[1] http://repository.project-moonshot.org/rpms/centos6/RPMS/x86_64/ [2] Instructions: https://wiki.moonshot.ja.net/display/TEM/_SystemPrep_RHEL6 (or _SystemPrep_RHEL7)
We expect to release a 3.0.13 once Alan releases it.
:-)
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Cédric Delaunay Direction des Systèmes d'Informations Equipe Réseau & Telephonie 263, Avenue du Général Leclerc Tel: 02 23 23 71 59 CS 74205 - 35042 Rennes Cedex Pour toute demande utiliser l'aide et assistance via l'ENT à l'adresse http://ent.univ-rennes1.fr
On Feb 1, 2017, at 9:39 AM, cedric delaunay <cedric.delaunay@univ-rennes1.fr> wrote:
I'm now running 3.0.13 successfully. Before It started I had to customise my conf files and particularly disable filter_username module in authorise sections. Do someone ever has reject because of an unreal reason ? It looks like a bug or am I wrong ? here is radius -X details :
It works for me. That's weird. Please post the first 100 or so lines of "freeradius -Xx" That will hopefully give some more information. Alan DeKok.
On Wed, Feb 01, 2017 at 03:39:03PM +0100, cedric delaunay wrote:
Do someone ever has reject because of an unreal reason ? It looks like a bug or am I wrong ?
I'm guessing you took your 2.x config and got that working with 3.x. All the instructions tell you not to do that because things will break. In this case, the correct_escapes setting. Start from a fresh v3 config and work from there. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi, Nope, fresh config from 3.0.4 I took inspiration from old server but nothing had been copied as old server Cédric Le 01/02/2017 à 17:04, Matthew Newton a écrit :
On Wed, Feb 01, 2017 at 03:39:03PM +0100, cedric delaunay wrote:
Do someone ever has reject because of an unreal reason ? It looks like a bug or am I wrong ? I'm guessing you took your 2.x config and got that working with 3.x.
All the instructions tell you not to do that because things will break. In this case, the correct_escapes setting.
Start from a fresh v3 config and work from there.
Matthew
-- Cédric Delaunay Direction des Systèmes d'Informations Equipe Réseau & Telephonie 263, Avenue du Général Leclerc Tel: 02 23 23 71 59 CS 74205 - 35042 Rennes Cedex Pour toute demande utiliser l'aide et assistance via l'ENT à l'adresse http://ent.univ-rennes1.fr
On Feb 1, 2017, at 11:11 AM, cedric delaunay <cedric.delaunay@univ-rennes1.fr> wrote:
Hi, Nope, fresh config from 3.0.4
That's not really "fresh"
I took inspiration from old server but nothing had been copied as old server Cédric
Le 01/02/2017 à 17:04, Matthew Newton a écrit :
On Wed, Feb 01, 2017 at 03:39:03PM +0100, cedric delaunay wrote:
Do someone ever has reject because of an unreal reason ? It looks like a bug or am I wrong ? I'm guessing you took your 2.x config and got that working with 3.x.
All the instructions tell you not to do that because things will break. In this case, the correct_escapes setting.
Check the "correct_escapes" setting in radius.conf. If it isn't there, go read the v3.0.x config for the setting, and add it to your config. Alan DeKok.
On Wed, Feb 01, 2017 at 05:11:44PM +0100, cedric delaunay wrote:
Nope, fresh config from 3.0.4
I would diff that against a default config from 3.0.12. Lots has been fixed since then. Check "correct_escapes = true" is set in your radiusd.conf.
I took inspiration from old server but nothing had been copied as old server
OK you've done the right thing; that's good to know. Thanks, Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi, As suggested by Alan : enabled "correct_escapes = true" in radiusd.conf. had to suppress some \\ in realm Re-enable filter_username int sites-enable That's ok. About loggins reject cause : in inner-tunnel : Post-Auth-Type REJECT { ... update outer.session-state { Module-Failure-Message := &request:Module-Failure-Message } in linelog module called by site's Post-Auth-Type REJECT section : reference = "messages.%{%{reply:Packet-Type}:-format}" messages { ... Access-Reject = "{\"Datetime\":\"%t\",....\"Reject-Cause\":\"%{session-state:Module-Failure-Message}\",..."}" } I'm on the way ;) not perfect because reject caused by ldap module still sent mschap reason but I spent enough time on it thanks a lot for the help Cédric Le 01/02/2017 à 17:15, Matthew Newton a écrit :
On Wed, Feb 01, 2017 at 05:11:44PM +0100, cedric delaunay wrote:
Nope, fresh config from 3.0.4 I would diff that against a default config from 3.0.12. Lots has been fixed since then.
Check "correct_escapes = true" is set in your radiusd.conf.
I took inspiration from old server but nothing had been copied as old server OK you've done the right thing; that's good to know.
Thanks,
Matthew
-- Cédric Delaunay Direction des Systèmes d'Informations Equipe Réseau & Telephonie 263, Avenue du Général Leclerc Tel: 02 23 23 71 59 CS 74205 - 35042 Rennes Cedex Pour toute demande utiliser l'aide et assistance via l'ENT à l'adresse http://ent.univ-rennes1.fr
Le 24/01/2017 à 13:22, Matthew Newton a écrit :
On Tue, Jan 24, 2017 at 10:52:32AM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
use Module-Failure-Message - but also look at the 3.0.x HEAD from git or wait until 3.0.13 comes out as Matthew has ensures theres a good starting point for the ELK crowd :) Yeah, to be honest rather than trying to write out JSON with linelog personally I'd just look at reading the plain detail files with logstash and using that to write them out as JSON. You might be fine, but then some joker will come along and try to log in with a username like 'silly"json'...
Should probably at least wrap all the attributes in %{jsonquote:...} to be safe.
"rlm_jsonlog" is something I've thought about for a while. Just not sure it's worth it. Might be if I can then use that to feed directly into elasticsearch and skip the logstash bit.
Matthew
I Matthew, Linelog/jon solution is pretty operational but as you have guessed it, I have problems with "\" in attributes. You talked about jsonquote but I can't find how use it. Should I load "rest" module and web server associated or can I juste use jsonquote in linelog syntax ? Do somebody have a small howto aviable ? Thanks Cedric -- Cédric Delaunay Direction des Systèmes d'Informations Equipe Réseau & Telephonie 263, Avenue du Général Leclerc Tel: 02 23 23 71 59 CS 74205 - 35042 Rennes Cedex Pour toute demande utiliser l'aide et assistance via l'ENT à l'adresse http://ent.univ-rennes1.fr
On May 10, 2017, at 11:29 AM, cedric delaunay <cedric.delaunay@univ-rennes1.fr> wrote:
Le 24/01/2017 à 13:22, Matthew Newton a écrit :
On Tue, Jan 24, 2017 at 10:52:32AM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
use Module-Failure-Message - but also look at the 3.0.x HEAD from git or wait until 3.0.13 comes out as Matthew has ensures theres a good starting point for the ELK crowd :) Yeah, to be honest rather than trying to write out JSON with linelog personally I'd just look at reading the plain detail files with logstash and using that to write them out as JSON. You might be fine, but then some joker will come along and try to log in with a username like 'silly"json'...
Should probably at least wrap all the attributes in %{jsonquote:...} to be safe.
"rlm_jsonlog" is something I've thought about for a while. Just not sure it's worth it. Might be if I can then use that to feed directly into elasticsearch and skip the logstash bit.
Matthew
I Matthew, Linelog/jon solution is pretty operational but as you have guessed it, I have problems with "\" in attributes. You talked about jsonquote but I can't find how use it.
It's an xlat, just us "%{jsonquote:<string>}" as part of your linelog fmt string. -Arran
Hi Arran, Thanks for your reply. It works now. I had to compile and enable rest module because jsonquote is an xlat command provided by rest I consider now this post as solved. Thanks all for your help Cedric Le 15/05/2017 à 18:08, Arran Cudbard-Bell a écrit :
On May 10, 2017, at 11:29 AM, cedric delaunay <cedric.delaunay@univ-rennes1.fr> wrote:
Le 24/01/2017 à 13:22, Matthew Newton a écrit :
On Tue, Jan 24, 2017 at 10:52:32AM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
use Module-Failure-Message - but also look at the 3.0.x HEAD from git or wait until 3.0.13 comes out as Matthew has ensures theres a good starting point for the ELK crowd :) Yeah, to be honest rather than trying to write out JSON with linelog personally I'd just look at reading the plain detail files with logstash and using that to write them out as JSON. You might be fine, but then some joker will come along and try to log in with a username like 'silly"json'...
Should probably at least wrap all the attributes in %{jsonquote:...} to be safe.
"rlm_jsonlog" is something I've thought about for a while. Just not sure it's worth it. Might be if I can then use that to feed directly into elasticsearch and skip the logstash bit.
Matthew
I Matthew, Linelog/jon solution is pretty operational but as you have guessed it, I have problems with "\" in attributes. You talked about jsonquote but I can't find how use it. It's an xlat, just us "%{jsonquote:<string>}" as part of your linelog fmt string.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Cédric Delaunay Direction des Systèmes d'Informations Equipe Réseau & Telephonie 263, Avenue du Général Leclerc Tel: 02 23 23 71 59 CS 74205 - 35042 Rennes Cedex Pour toute demande utiliser l'aide et assistance via l'ENT à l'adresse http://ent.univ-rennes1.fr
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
cedric delaunay -
Herwin Weststrate -
Matthew Newton -
Stefan Paetow