Called-Station-ID and Cisco AP's
I am just starting looking into this, but it seems that the Called-Station-ID being logged from my Cisco AP's is off: What I see in the log is the following: Called-Station-Id = "0017.0f8c.25c1" However, the cisco itself shows something slightly different: Mac Address 0017.0f8c.25c0 As you can see, the last digit is off. This is not the only one. Another example.... Called-Station-Id = "0013.6078.7661" MAC Address 00:13:60:78:76:60 The only other system I have on the system (Bluesocket) does not have this discrepancy. I have searched through the archives, but trying to limit search by Called-Station-Id and cisco does not help a lot. Have others seen/noticed this before? If so any pointers to information on it? If not, can anyone else look and see if they are having a similar issue? Here is the information on AP Cisco Aironet 1200 IOS Firmware: 12.3(8)JA2 Using FreeRadius 1.1.2 The only conf file that even mentioned called station ID (that I am using) is radiusd.conf. Here is the subsection #attr_rewrite sanecallerid { # attribute = Called-Station-Id # may be "packet", "reply", "proxy", "proxy_reply" or "config" # searchin = packet # searchfor = "[+ ]" # replacewith = "" # ignore_case = no # new_attribute = no # max_matches = 10 # ## If set to yes then the replace string will be appended # to the original string # append = no #} As it is commented out I do not see that it could be the issue. If you want any conf files let me know, I just did not want to clog up the message with lots of conf info that is not useful. Thanks to all. -- Walter Reynolds Principle Systems Security Development Engineer Information Technology Central Services University of Michigan (734)615-9438
Hy, I'm having a small problem with the proxy.conf file. I added the following entry to proxy.conf: realm test.com{ type = radius authhost = LOCAL accthost = LOCAL secret = foobar strip } But when I send a user with the test.com domain, it wasn't stripped. The radiusd -X log below shows the behavior: modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "test.com" for User-Name = "rgreiner@test.com" rlm_realm: Found realm "test.com" rlm_realm: Adding Stripped-User-Name = "rgreiner" rlm_realm: Proxying request from user rgreiner to realm test.com rlm_realm: Adding Realm = "test.com" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 radius_xlat: 'rgreiner@test.com' I've tried removing the realm LOCAL entry from proxy.conf, without result. The realm DEFAULT with authhost = LOCAL or = localhost didn't solve either. The only way I managed to get this to work was to write realm test.com { authhost = a.b.c.d ..... } With a.b.c.d being the local server's real IP (not the localhost IP). Is that the proper way to do it or am I missing something? Thank you, Roberto -- ------------------------------------------------------------------- | Marcos Roberto Greiner | | | | Os otimistas acham que estamos no melhor dos mundos | | Os pessimistas tem medo de que isto seja verdade | | Murphy | ------------------------------------------------------------------- | rgreiner@usp.br | -------------------------------------------------------------------
Roberto Greiner <mrgreiner@gmail.com> wrote:
But when I send a user with the test.com domain, it wasn't stripped. The radiusd -X log below shows the behavior:
Show the *full* log.
modcall[authorize]: module "files" returns notfound for request 0 radius_xlat: 'rgreiner@test.com'
ok... and the logs don't show it being proxied. So you're asking a question about why isn't the proxy code doing what you want, and you haven't shown the server doing any proxying. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
Roberto Greiner <mrgreiner@gmail.com> wrote:
But when I send a user with the test.com domain, it wasn't stripped. The radiusd -X log below shows the behavior:
Show the *full* log.
rad_recv: Access-Request packet from host E.F.G.H:4126, id=4, length=62 User-Name = "rgreiner@test.com" User-Password = "teste" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: Looking up realm "test.com" for User-Name = "rgreiner@test.com" rlm_realm: Found realm "test.com" rlm_realm: Adding Stripped-User-Name = "rgreiner" rlm_realm: Proxying request from user rgreiner to realm test.com rlm_realm: Adding Realm = "test.com" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 3 modcall[authorize]: module "files" returns notfound for request 3 radius_xlat: 'rgreiner@test.com' rlm_sql (sql): sql_set_user escaped user --> 'rgreiner@test.com' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'rgreiner@test.com' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): User rgreiner@test.com not found in radcheck radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'rgreiner@test.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'rgreiner@test.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): User rgreiner@test.com not found in radgroupcheck rlm_sql (sql): Released sql socket id: 0 rlm_sql (sql): User not found modcall[authorize]: module "sql" returns notfound for request 3 modcall: leaving group authorize (returns ok) for request 3 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [rgreiner@test.com/teste] (from client dsu24 port 0) Sending Access-Reject of id 4 to 143.107.71.24 port 4126 Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 4 with timestamp 4526adb5 Nothing to do. Sleeping until we see a request. -- ------------------------------------------------------------------- | Marcos Roberto Greiner | | | | Os otimistas acham que estamos no melhor dos mundos | | Os pessimistas tem medo de que isto seja verdade | | Murphy | ------------------------------------------------------------------- | rgreiner@usp.br | -------------------------------------------------------------------
Roberto Greiner <mrgreiner@gmail.com> wrote:
Show the *full* log.
rad_recv: Access-Request packet from host E.F.G.H:4126, id=4, length=62 User-Name = "rgreiner@test.com"
Is this the log from the home server? If so, why? You already said the username wasn't stripped, so showing that the home server receives it non-stripped is pointless. If this is the log from the proxying server, then it's not doing proxying, so of course it isn't stripping the username.
rlm_realm: Adding Stripped-User-Name = "rgreiner" rlm_realm: Proxying request from user rgreiner to realm test.com rlm_realm: Adding Realm = "test.com" rlm_realm: Authentication realm is LOCAL.
You've marked that realm as something that shouldn't be proxied. Why do you expect it to be proxied? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
Roberto Greiner <mrgreiner@gmail.com> wrote:
Show the *full* log.
rad_recv: Access-Request packet from host E.F.G.H:4126, id=4, length=62 User-Name = "rgreiner@test.com"
Is this the log from the home server? If so, why? You already said the username wasn't stripped, so showing that the home server receives it non-stripped is pointless.
If this is the log from the proxying server, then it's not doing proxying, so of course it isn't stripping the username.
rlm_realm: Adding Stripped-User-Name = "rgreiner" rlm_realm: Proxying request from user rgreiner to realm test.com rlm_realm: Adding Realm = "test.com" rlm_realm: Authentication realm is LOCAL.
You've marked that realm as something that shouldn't be proxied. Why do you expect it to be proxied?
Actually I don't wan't it to be proxied, only that it removes the realm part to handle it locally. But it's comparing the full entry (with realm) against the database name, instead of only the login. Roberto -- ------------------------------------------------------------------- | Marcos Roberto Greiner | | | | Os otimistas acham que estamos no melhor dos mundos | | Os pessimistas tem medo de que isto seja verdade | | Murphy | ------------------------------------------------------------------- | rgreiner@usp.br | -------------------------------------------------------------------
Roberto Greiner wrote:
You've marked that realm as something that shouldn't be proxied. Why do you expect it to be proxied?
Actually I don't wan't it to be proxied, only that it removes the realm part to handle it locally. But it's comparing the full entry (with realm) against the database name, instead of only the login.
To be honest, if you're not wanting to actually proxy, using the "realm" module just to strip usernames has all kinds of problems. Take a look at the hints file.
Roberto Greiner wrote:
Alan DeKok wrote:
Roberto Greiner <mrgreiner@gmail.com> wrote:
Show the *full* log.
rad_recv: Access-Request packet from host E.F.G.H:4126, id=4, length=62 User-Name = "rgreiner@test.com"
Is this the log from the home server? If so, why? You already said the username wasn't stripped, so showing that the home server receives it non-stripped is pointless.
If this is the log from the proxying server, then it's not doing proxying, so of course it isn't stripping the username.
rlm_realm: Adding Stripped-User-Name = "rgreiner" rlm_realm: Proxying request from user rgreiner to realm test.com rlm_realm: Adding Realm = "test.com" rlm_realm: Authentication realm is LOCAL.
You've marked that realm as something that shouldn't be proxied. Why do you expect it to be proxied?
Actually I don't wan't it to be proxied, only that it removes the realm part to handle it locally. But it's comparing the full entry (with realm) against the database name, instead of only the login.
Oh, also if you do want to continue using the "realm" module, look at: sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}} Note the Stripped-User-Name. Ensure the realm has "strip" set as an option
Roberto Greiner <mrgreiner@gmail.com> wrote:
Actually I don't wan't it to be proxied
So when you originally said you wanted it to be proxied... If you want people to be able to help you, tell them what you really want to do. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi,
I am just starting looking into this, but it seems that the Called-Station-ID being logged from my Cisco AP's is off: What I see in the log is the following:
this COULD be the way that CISCO differentiates different VLANS on its AP when running in autonomous mode (are you running autonomous or LWAPP mode? you didnt say) ie first WLAN 0017.0f8c.25c0 second WLAN 0017.0f8c.25c1 third WLAN 0017.0f8c.25c2 (hence things like maximum of 8 WLAN on the autonomous etc) etc - its certainly plausible and matches to how they use MAC addresses on their other devices for variouis functions. we arent having this issue . but we are using Cisco 1131/1232 APs in LWAPP mode talking to 1.1.3 FreeRADIUS systems. so there may be some big differences in architecture there.
Here is the information on AP Cisco Aironet 1200 IOS Firmware: 12.3(8)JA2
well, thats nice and up to date 12.3(8)JEA does fix a lot of other things though ;-) alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Phil Mayers -
Roberto Greiner -
Walter Reynolds