Newbie question re. dictionary files.
I'm using FreeRADIUS 1.0.5. to authenticate admin logins to a NetScreen5. I'm able to authenticate accounts just fine. Now I'd like to begin pulling administrative privileges from the Radius server, but I haven't figured out how to do that. I've referenced the dictionary.netscreen file in my clients.conf file, nastype = netscreen, but I'm embarrassed to say I can't figure out the format for including the dictionary attributes for a user in my users file. I've tried various permutations like: markt Auth-Type := Local, User=Password == "testing" NS-Admin-Privilege = "Read-Only-Admin" and: markt Auth-Type := Local, User=Password == "testing" Netscreen-NS-Admin-Privilege = "Read-Only-Admin" Nothing's working. Can some one show me the correct syntax? Thank you, Mark
Mark Tunnell <mtunnell@livebridge.com> wrote:
I've referenced the dictionary.netscreen file in my clients.conf file, nastype = netscreen,
That isn't necessary.
I've tried various permutations like:
markt Auth-Type := Local, User=Password == "testing" NS-Admin-Privilege = "Read-Only-Admin"
That should work.
Nothing's working. Can some one show me the correct syntax?
Can you show the debug output, as suggested in the README, INSTALL, and FAQ? Alan DeKok.
Can you show the debug output, as suggested in the README, INSTALL, and FAQ?
Alan DeKok.
Here's the debug from the Radius server: Ready to process requests. rad_recv: Access-Request packet from host 172.17.200.13:2913, id=16, length=51 User-Name = "markt" User-Password = "testing" NAS-IP-Address = 172.17.200.13 Login OK: [markt] (from client myserver port 0) Sending Access-Accept of id 16 to 172.17.200.13:2913 Here's the debug from the NetScreen: ns5gt-> get dbuf stream ## 13:08:06 : >>> auth_admin_internal(ct=3, un='markt', sip=172.17.1.20, dip=0.0.0.0, sp=42001, dp=0) ## 13:08:06 : >>> authenticate_admin(un='markt', vsys='void') ## 13:08:06 : >>> auth_remote_admin(un='markt', vsys='void') ## 13:08:06 : >>> query_ext_server(un='markt', pw=*, ...) ## 13:08:06 : --- query_ext_server() : before receive_mail() ## 13:08:06 : >>> admin_tasklevel_handle_result(..., ret_code=1) ## 13:08:06 : --- admin_tasklevel_handle_result() : task 0xc87444 -> task 0xc8799c via send_mail() ## 13:08:06 : --- query_ext_server() : after receive_mail() ## 13:08:06 : --- query_ext_server() : receive_mail() -> auth_mail_resp=0x0757dcb0{authed=1 priv=0 vsys=''} ## 13:08:06 : <<< query_ext_server(rad_auth_resp{priv=0 vsys=''}) = 0 ## 13:08:06 : <<< auth_remote_admin(*v='void', *priv=0) = 0 ## 13:08:06 : <<< authenticate_admin(*v='void', *priv=0) = 0 ## 13:08:06
Mark Tunnell <mtunnell@livebridge.com> wrote:
Here's the debug from the Radius server:
Ready to process requests. rad_recv: Access-Request packet from host 172.17.200.13:2913, id=16, length=51 User-Name = "markt" User-Password = "testing" NAS-IP-Address = 172.17.200.13 Login OK: [markt] (from client myserver port 0) Sending Access-Accept of id 16 to 172.17.200.13:2913
Uh, no, that's not the full debugging output as suggested in the README and INSTALL. Alan DeKok.
Sorry, I was using an "x" instead of an "X". Here's the full debug: [root@aubsnort1 ~]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 172.17.200.13:2913, id=20, length=51 User-Name = "markt" User-Password = "testing" NAS-IP-Address = 172.17.200.13 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "markt", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry markt at line 2 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied User-Password matches local User-Password Login OK: [markt] (from client myserver port 0) Sending Access-Accept of id 20 to 172.17.200.13:2913 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 20 with timestamp 436bd6b4 Nothing to do. Sleeping until we see a request.
Mark Tunnell <mtunnell@livebridge.com> wrote:
users: Matched entry markt at line 2
So, what is that entry? If it's one of the ones you posted earlier, it should send back the attributes you've configured. At least, it does so in my configuration. Are you sure you're using the same names as in dictionary.netscreen? Alan DeKok.
participants (2)
-
Alan DeKok -
Mark Tunnell