Capturing Access-Reject data in the radpostauth table
I've added a column to my radpostauth table and started collecting %{reply:Reply-Message} for each Access-Reject packet. This is moderately useful, but it's not really what I want to do. My intention is to capture some useful information as to why the user was rejected. Ideally, I'd like to have access to the response message from the authentication module, or maybe even the last log messages generated by this session. E.g., if the log message was: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [user/pass] (from client NAS port 0 cli callinginfo) I'd consider capturing the whole thing, but I'd be happy with just the "rlm_pap: CLEAR TEXT password check failed" part. Do I have access to that level of info from within rlm_sql? --Aaron
Hi everyone, I have some troubles to proxy PEAP requests to (internal) virtual server : I have one proxy server (with realms define in proxy.conf file) that forward the request internally to a virtual server define in site-enabled directory. For basic authentication request (PAP, CHAP, MSCHAP, ...) , authentication is successful, but with PEAP it doesn't work (work with EAP-TTLS). I have this error message : "Multiple levels of TLS nesting is invalid". In my proxy.conf I have this lines : realms university.fr { virtual_server = my-virtual-server nostrip } I specify that the request is well forwarded to the virtual server. I made some tests. If I change my proxy.conf like this : home_server localhost { port=2812 type=auth ipaddr=127.0.0.1 secret=****** ... } home_server_pool my-pool { home_server = localhost type=fail-over } realms university.fr { auth_pool= my-pool nostrip } -> Everything works correctly. Someone had an idea? Thanks in advance
brisstony21@free.fr wrote:
I have some troubles to proxy PEAP requests to (internal) virtual server : I have one proxy server (with realms define in proxy.conf file) that forward the request internally to a virtual server define in site-enabled directory.
Why is there a need to proxy the PEAP packets?
For basic authentication request (PAP, CHAP, MSCHAP, ...) , authentication is successful, but with PEAP it doesn't work (work with EAP-TTLS). I have this error message : "Multiple levels of TLS nesting is invalid".
<sigh> Deleting all of the other messages doesn't help. Are you sure it's just PEAP (MSCHAP), and not PEAP-TLS? Alan DeKok.
Hi thanks for your reply. I have to proxy all authentication request to virtual server (not just PEAP). We have differents kind of internals users (student, staff, guest, ...). Each of them is managed by one virtual server associated to one realm, example : for the student : realm student.university.fr { virtual_server = student } server student { .... } I can only specify one IP adresse and one port in NAS configuration (wired dot1x and wireless network) and I will use the proxy port (1812). Maybe there is another method to do that... But I think that use a proxy is the best way. Selon Alan DeKok <aland@deployingradius.com>:
brisstony21@free.fr wrote:
I have some troubles to proxy PEAP requests to (internal) virtual server : I have one proxy server (with realms define in proxy.conf file) that forward the request internally to a virtual server define in site-enabled directory.
Why is there a need to proxy the PEAP packets?
For basic authentication request (PAP, CHAP, MSCHAP, ...) , authentication is successful, but with PEAP it doesn't work (work with EAP-TTLS). I have this error message : "Multiple levels of TLS nesting is invalid".
<sigh> Deleting all of the other messages doesn't help.
Are you sure it's just PEAP (MSCHAP), and not PEAP-TLS?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
brisstony21@free.fr wrote:
I have to proxy all authentication request to virtual server (not just PEAP). We have differents kind of internals users (student, staff, guest, ...). Each of them is managed by one virtual server associated to one realm, example : for the student :
So... are you sure it's just PEAP (MSCHAP), and not PEAP-TLS?
I can only specify one IP adresse and one port in NAS configuration (wired dot1x and wireless network) and I will use the proxy port (1812).
Maybe there is another method to do that... But I think that use a proxy is the best way.
You've described your configuration at a *very* high level. I still have no idea what you're trying to do, or what is actually happening in your system. Perhaps explaining things in detail would help, or showing the output of debug mode as suggested in the FAQ, README, INSTALL, "man" page, web page, configuration files, and daily on this list. Alan DeKok.
Aaron Paetznick wrote:
I'd consider capturing the whole thing, but I'd be happy with just the "rlm_pap: CLEAR TEXT password check failed" part. Do I have access to that level of info from within rlm_sql?
Look at Module-Failure-Message. It's populated by the PAP module with the various reasons for reject. e.g., for testing: post-auth { ... update reply { Reply-Message += "You got: %{Module-Failure-Message}" } ... } Alan DeKok.
%{Module-Failure-Message} seems to be empty for me. Is there a scope/prefix I should try? --Aaron On 4/28/2010 9:37 AM, Alan DeKok wrote:
Aaron Paetznick wrote:
I'd consider capturing the whole thing, but I'd be happy with just the "rlm_pap: CLEAR TEXT password check failed" part. Do I have access to that level of info from within rlm_sql?
Look at Module-Failure-Message. It's populated by the PAP module with the various reasons for reject.
e.g., for testing:
post-auth { ...
update reply { Reply-Message += "You got: %{Module-Failure-Message}" } ... }
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Huh. Here's my complete SQL query: postauth_query = "INSERT INTO ${postauth_table} \ (username, pass, reply, authdate, message, nasipaddress) \ VALUES ( \ '%{User-Name}', \ '%{%{User-Password}:-%{Chap-Password}}', \ '%{reply:Packet-Type}', '%S', \ '%{Module-Failure-Message}', \ '%{NAS-IP-Address}')" I did not add this yet: post-auth { ... update reply { Reply-Message += "You got: %{Module-Failure-Message}" } ... } Do I need that entry in the post-auth block? %{Module-Failure-Message} doesn't seem to be available by default in rlm_sql. --Aaron On 4/28/2010 2:57 PM, Alan DeKok wrote:
Aaron Paetznick wrote:
%{Module-Failure-Message} seems to be empty for me. Is there a scope/prefix I should try?
Hmm... it *should* be there along with the packet attributes.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Aaron Paetznick wrote:
Huh. Here's my complete SQL query:
postauth_query = "INSERT INTO ${postauth_table} \ (username, pass, reply, authdate, message, nasipaddress) \ VALUES ( \ '%{User-Name}', \ '%{%{User-Password}:-%{Chap-Password}}', \ '%{reply:Packet-Type}', '%S', \ '%{Module-Failure-Message}', \
Uh... did you update your schema to have a "message" colummn?
'%{NAS-IP-Address}')"
I did not add this yet:
post-auth { ...
update reply { Reply-Message += "You got: %{Module-Failure-Message}" } ... }
I said that was for testing. Did you try it for testing? It's an example of using the attribute... you *will* need to make sure you use it in the appropriate manner for what you want. See "man unlang" for documentation on what the aboce example does. Hint: it doesn't have anything to do with SQL.
Do I need that entry in the post-auth block? %{Module-Failure-Message} doesn't seem to be available by default in rlm_sql.
I have no idea what this means. Module-Failure-Message is an attribute... just like anything else. If you can figure out out to store attributes into SQL, you can store Module-Failure-Message in SQL. Alan DeKok.
On 4/28/2010 3:23 PM, Alan DeKok wrote:
Uh... did you update your schema to have a "message" colummn?
Yes, I have extended my radpostauth table with columns to hold the message and the nasipaddress. It is working perfectly if I use '%{reply:Reply-Message}', but it is always empty if I use '%{Module-Failure-Message}' in the same INSERT. This is why I'm confirming if I should have access to '%{Module-Failure-Message}' within rlm_sql.
Module-Failure-Message is an attribute... just like anything else. If you can figure out out to store attributes into SQL, you can store Module-Failure-Message in SQL.
This is not true, at least in my case. See above. Maybe I need to take extra steps to expose that attribute in another part of the config, or maybe I need to reference it with some sort of prefix, I don't know. That's why I'm asking. --Aaron
Aaron Paetznick wrote:
On 4/28/2010 3:23 PM, Alan DeKok wrote:
Uh... did you update your schema to have a "message" colummn?
Yes, I have extended my radpostauth table with columns to hold the message and the nasipaddress. It is working perfectly if I use '%{reply:Reply-Message}', but it is always empty if I use '%{Module-Failure-Message}' in the same INSERT. This is why I'm confirming if I should have access to '%{Module-Failure-Message}' within rlm_sql.
If it exists, yes. It's added by the PAP module for authentication rejects. For authentication success... there's no failure message.
This is not true, at least in my case. See above. Maybe I need to take extra steps to expose that attribute in another part of the config, or maybe I need to reference it with some sort of prefix, I don't know. That's why I'm asking.
I did explain that... Alan DeKok.
I'm sorry, your explanation wasn't clear to me. How can I expose Module-Failure-Message to or reference Module-Failure-Message within rlm_sql? This, also, didn't work for me: post-auth { ... Post-Auth-Type REJECT { update reply { Reply-Message += "You got: %{Module-Failure-Message}" } attr_filter.access_reject sql } ... } --Aaron On 4/28/2010 4:11 PM, Alan DeKok wrote:
If it exists, yes. It's added by the PAP module for authentication rejects. For authentication success... there's no failure message.
This is not true, at least in my case. See above. Maybe I need to take extra steps to expose that attribute in another part of the config, or maybe I need to reference it with some sort of prefix, I don't know. That's why I'm asking.
I did explain that...
Aaron Paetznick wrote:
I'm sorry, your explanation wasn't clear to me. How can I expose Module-Failure-Message to or reference Module-Failure-Message within rlm_sql?
This, also, didn't work for me:
post-auth { ... Post-Auth-Type REJECT { update reply { Reply-Message += "You got: %{Module-Failure-Message}" }
OK... if the Module-Failure-Message doesn't exist, it won't work. But the log message *uses* it: Login incorrect (rlm_pap: CLEAR TEXT password check failed) .. The text between the () *is* the Module-Failure-Message attribute. See src/main/auth.c. So we know it exists, the previous log message you posted shows it. And the server core doesn't delete it, so it *should* always exist after the PAP module creates it. Alan DeKok.
Huh. Then it should be working but it isn't. radiusd -X says: ... ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [username/badpass] (from client somenas port 0 cli somecallinginfo) Using Post-Auth-Type Reject ... Sending Access-Reject of id 135 to 75.102.161.225 port 1645 Reply-Message = "You got: " ... --Aaron On 4/29/2010 1:02 AM, Alan DeKok wrote:
Aaron Paetznick wrote:
I'm sorry, your explanation wasn't clear to me. How can I expose Module-Failure-Message to or reference Module-Failure-Message within rlm_sql?
This, also, didn't work for me:
post-auth { ... Post-Auth-Type REJECT { update reply { Reply-Message += "You got: %{Module-Failure-Message}" }
OK... if the Module-Failure-Message doesn't exist, it won't work.
But the log message *uses* it:
Login incorrect (rlm_pap: CLEAR TEXT password check failed) ..
The text between the () *is* the Module-Failure-Message attribute. See src/main/auth.c.
So we know it exists, the previous log message you posted shows it. And the server core doesn't delete it, so it *should* always exist after the PAP module creates it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Aaron Paetznick wrote:
Huh. Then it should be working but it isn't.
radiusd -X says: ... ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [username/badpass] (from client somenas port 0 cli somecallinginfo) Using Post-Auth-Type Reject
As I said:
But the log message *uses* it:
Login incorrect (rlm_pap: CLEAR TEXT password check failed) ..
The text between the () *is* the Module-Failure-Message attribute. See src/main/auth.c.
Look closely at the two log messages. They're different. One references "rlm_pap", which means it's using Module-Failure-Message. The other doesn't reference rlm_pap, which means it's not using Module-Failure-Method. i.e. In this example, you failed to configure a way for the user to be authenticated. The server didn't run any module for authentication. So.... there's no Module-Failure-Method. Alan DeKok.
participants (3)
-
Aaron Paetznick -
Alan DeKok -
brisstony21@free.fr