Re: radiusd -X SQL suggests "not found" however user attributes are in the radcheck table?
Wait. You said you were trying to do dot1x.... but now you say MAB. The Auth-Type := accept construct would work with MAB... but better to put the matching cleartext-password instead. Your ideas ate almost online...no reason to make things complex , use SQL with radreply items for setting the VLAN. perhaps look at something like packetfence though alan
On Wed, Aug 1, 2012 at 7:36 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Wait. You said you were trying to do dot1x.... but now you say MAB. The Auth-Type := accept construct would work with MAB... but better to put the matching cleartext-password instead. Your ideas ate almost online...no reason to make things complex , use SQL with radreply items for setting the VLAN. perhaps look at something like packetfence though
alan
Hi Alan, I'm sorry, I got confused! I am trying to do MAB however, my confusion came due to Cisco's documentation putting MAB under dot1x, making me think that either mab was a sub-section of dot1x or part or cut-down version of it.... I will definitely look into adding the user a different way, putting the Name and Pass into the record rather then choosing the "MAC Authentication" portion of DaloRADIUS. What do you suggest I do about the radusergroup check that you mentioned in your last email? I probably went off on a tangent completely misunderstanding what it was, do I need to disable it? I had a look at Packetfence and will investigate further about it as I'm not sure if that works with or in-place-of RADIUS, currently I am quite happy with RADIUS however, and it is something that is very interesting to learn and hopefully implement in the near-future! Regards, Kaya
Hi,
What do you suggest I do about the radusergroup check that you mentioned in your last email?
do you need/want that functionality? if so, then populate the tables, if not, then remove that function
I had a look at Packetfence and will investigate further about it as I'm not sure if that works with or in-place-of RADIUS, currently I am quite happy with RADIUS however, and it is something that is very interesting to learn and hopefully implement in the near-future!
it uses FreeRADIUS - its a NAC solution and can deal with your kit. PS in your other post, your unlang is wrong... you have trailing :- etc you just want something like if (%{User-Name}) { blah blah ] or such.... alan
On Wed, Aug 1, 2012 at 12:02 PM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
What do you suggest I do about the radusergroup check that you mentioned in your last email?
do you need/want that functionality? if so, then populate the tables, if not, then remove that function
Ok I'll remove it as you suggested not to over-complicate things in your email this morning so I don't see any need need for it.
I had a look at Packetfence and will investigate further about it as I'm not sure if that works with or in-place-of RADIUS, currently I am quite happy with RADIUS however, and it is something that is very interesting to learn and hopefully implement in the near-future!
it uses FreeRADIUS - its a NAC solution and can deal with your kit.
Thanks!
PS in your other post, your unlang is wrong... you have trailing :- etc
you just want something like
if (%{User-Name}) {
blah blah
]
or such....
Upon putting your suggestion in I get: Bare %{...} is invalid in condition at: %{User-Name}) ....../default[62]: Errors parsing authorize section. The actual statement looks like so now with the above error in-place: if (%{User-Name}) { update reply { ... } } I actually grabbed the initial syntax from here: "Conditional Syntax Conditional syntax similar to that used in Unix shells may also be used. %{%{Foo}:-bar} If %{Foo} has a value, returns that value. Otherwise, returns literal string "bar". %{%{Foo}:-%{Bar}} If %{Foo} has a value, returns that value. Otherwise, returns the expansion of %{Bar}. These conditional expansions can be nested to almost any depth, such as with %{%{One}:-%{%{Two}:-%{Three}}} "
alan
Regards, Kaya
On Wed, Aug 1, 2012 at 6:17 PM, Kaya Saman <kayasaman@gmail.com> wrote:
Upon putting your suggestion in I get:
Bare %{...} is invalid in condition at: %{User-Name}) ....../default[62]: Errors parsing authorize section.
The actual statement looks like so now with the above error in-place:
if (%{User-Name}) {
Try if ("%{User-Name}") { ... though I'm not sure why an update block by itself (without "if") didn't work. AFAIK it should. -- Fajar
On Wed, Aug 1, 2012 at 12:28 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Wed, Aug 1, 2012 at 6:17 PM, Kaya Saman <kayasaman@gmail.com> wrote:
Upon putting your suggestion in I get:
Bare %{...} is invalid in condition at: %{User-Name}) ....../default[62]: Errors parsing authorize section.
The actual statement looks like so now with the above error in-place:
if (%{User-Name}) {
Try
if ("%{User-Name}") {
... though I'm not sure why an update block by itself (without "if") didn't work. AFAIK it should.
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I added the "" as suggested and radiusd now starts however, I am still getting a REJECT response: [sql] User 0015c5537baa not found ++[sql] returns notfound ++? if ("%{User-Name}") expand: %{User-Name} -> 0015c5537baa ? Evaluating ("%{User-Name}") -> TRUE ++? if ("%{User-Name}") -> TRUE ++- entering if ("%{User-Name}") {...} +++[reply] returns notfound ++- if ("%{User-Name}") returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} ++- group REJECT returns noop Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 147 to 10.0.0.1 port 1645 Tunnel-Private-Group-Id:0 = "80" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Preference:0 = 0 Waking up in 4.9 seconds. Cleaning up request 0 ID 147 with timestamp +20 Ready to process requests. I'm wondering if a. I put the statement in the correct place: /etc/raddb/sites-enabled/default - under Authorize -> SQL and b. if there needs to be some kind of comparison (boolean expression) done between the %{User-Name} field? - something like: if %{User-Name} := notfound then bla bla bla -- I could however be way off base! Regards, Kaya
Hi,
[sql] User 0015c5537baa not found
fairly definitive. check that you have case-insensitivityenabled and that this user exists in the table being checked alan
++[sql] returns notfound ++? if ("%{User-Name}") expand: %{User-Name} -> 0015c5537baa ? Evaluating ("%{User-Name}") -> TRUE
..and that bit is working...the later output shows the assignments being made and send back in the packet. ideally you would only do that in the post-auth stage for a successful authentication? alan
On Wed, Aug 1, 2012 at 1:15 PM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
[sql] User 0015c5537baa not found
fairly definitive. check that you have case-insensitivityenabled and that this user exists in the table being checked
This is correct and should be the case!
alan
++[sql] returns notfound ++? if ("%{User-Name}") expand: %{User-Name} -> 0015c5537baa ? Evaluating ("%{User-Name}") -> TRUE
..and that bit is working...the later output shows the assignments being made and send back in the packet. ideally you would only do that in the post-auth stage for a successful authentication?
alan
What I want to do, perhaps I didn't explain properly or maybe my idea was flawed - but essentially I would like to have a "catch all" statement so: IF %User-Name notfound IN SQL Accept AND Provision onto VLAN 80 (my demo guest vlan in this case but could be any number (n)) In a nutshell, if nothing has been entered into the SQL database; simply allocate the user onto the Guest VLAN (tunnel-Id) Regards, Kaya
Hi,
What I want to do, perhaps I didn't explain properly or maybe my idea was flawed - but essentially I would like to have a "catch all" statement so:
in that case you need to have a fall-through catch-all in the radcheck - with Auth-Type Accept otherwise auth/autz will fail..and once its a reject thats pretty much it without getting all hacky so, add the DEFAULT in SQL - maybe even users file if SQL comes first...and it should work alan
On Wed, Aug 1, 2012 at 7:20 PM, Kaya Saman <kayasaman@gmail.com> wrote:
IF %User-Name notfound IN SQL
This one might not work the way you intended. What you've done so far, the "=" part says "add this attribute if it doesn't already exist" (e.g. not in SQL) If you HAVE to do "notfound" check, something like this MIGHT work authorize { sql if (notfound) { ... } }
Accept AND Provision onto VLAN 80 (my demo guest vlan in this case but could be any number (n))
Then just add Auth-Type = Accept inside the update block. -- Fajar
On Wed, Aug 1, 2012 at 1:36 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Wed, Aug 1, 2012 at 7:20 PM, Kaya Saman <kayasaman@gmail.com> wrote:
IF %User-Name notfound IN SQL
This one might not work the way you intended. What you've done so far, the "=" part says "add this attribute if it doesn't already exist" (e.g. not in SQL)
If you HAVE to do "notfound" check, something like this MIGHT work
authorize {
sql if (notfound) { ... }
}
Accept AND Provision onto VLAN 80 (my demo guest vlan in this case but could be any number (n))
Then just add Auth-Type = Accept inside the update block.
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I tried this method which didn't work.... The expression came out TRUE but then it failed to authenticate :-( If however, as Alan B. suggested to add a DEFAULT entry to the /etc/raddb/users file is 'better' then I'd be happy to go down that route. I have already started testing with it but again I'm doing something wrong so it isn't able to process the information properly. This is the output I have: Users: DEFAULT Auth-Type := Accept Tunnel-Type:0 = VLAN, Tunnel-Medium-type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = "80", Tunnel-Preference:0 = 0x000000, Fall-Through = Yes I tried also with the basic: DEFAULT Auth-Type := Accept (tried with = too, though found more references to using := in Google) This is the result of trying to start FR with that in place: Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Couldn't open /etc/raddb/acct_users for reading: Permission denied Errors reading /etc/raddb/acct_users /etc/raddb/modules/files[7]: Instantiation failed for module "files" /etc/raddb/sites-enabled/inner-tunnel[133]: Failed to load module "files". /etc/raddb/sites-enabled/inner-tunnel[47]: Errors parsing authorize section. Is the error here due to the 'users' file not containing correct information, or do I need to uncomment/adapt one of the lines in acct_users? Regards, Kaya
On Wed, Aug 1, 2012 at 3:32 PM, Kaya Saman <kayasaman@gmail.com> wrote:
On Wed, Aug 1, 2012 at 1:36 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Wed, Aug 1, 2012 at 7:20 PM, Kaya Saman <kayasaman@gmail.com> wrote:
IF %User-Name notfound IN SQL
This one might not work the way you intended. What you've done so far, the "=" part says "add this attribute if it doesn't already exist" (e.g. not in SQL)
If you HAVE to do "notfound" check, something like this MIGHT work
authorize {
sql if (notfound) { ... }
}
Accept AND Provision onto VLAN 80 (my demo guest vlan in this case but could be any number (n))
Then just add Auth-Type = Accept inside the update block.
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I tried this method which didn't work.... The expression came out TRUE but then it failed to authenticate :-(
If however, as Alan B. suggested to add a DEFAULT entry to the /etc/raddb/users file is 'better' then I'd be happy to go down that route.
I have already started testing with it but again I'm doing something wrong so it isn't able to process the information properly.
This is the output I have:
Users:
DEFAULT Auth-Type := Accept Tunnel-Type:0 = VLAN, Tunnel-Medium-type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = "80", Tunnel-Preference:0 = 0x000000, Fall-Through = Yes
I tried also with the basic:
DEFAULT Auth-Type := Accept (tried with = too, though found more references to using := in Google)
This is the result of trying to start FR with that in place:
Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Couldn't open /etc/raddb/acct_users for reading: Permission denied Errors reading /etc/raddb/acct_users /etc/raddb/modules/files[7]: Instantiation failed for module "files" /etc/raddb/sites-enabled/inner-tunnel[133]: Failed to load module "files". /etc/raddb/sites-enabled/inner-tunnel[47]: Errors parsing authorize section.
Is the error here due to the 'users' file not containing correct information, or do I need to uncomment/adapt one of the lines in acct_users?
Regards,
Kaya
Please ignore the above earlier posting!! I managed to get FR up and running. It was a permissions thing on the files called by rlm_files module!!! One quick question now: This is the only config in my 'users' file:
DEFAULT Auth-Type := Accept Tunnel-Type:0 = VLAN, Tunnel-Medium-type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = "80", Tunnel-Preference:0 = 0x000000, Fall-Through = Yes
Do I really need the Fall-Through statement? This basically if I understand correctly, claims that IF nothing matches against the DEFAULT statement go to the NEXT statement..... If this is so I can get rid of it since it would 'extra' unnecessary config! Thanks for all the help in the meantime :-) Regards, Kaya
participants (4)
-
Alan Buxey -
alan buxey -
Fajar A. Nugraha -
Kaya Saman