FreeRadius - Multiple Clients
Hello, Starting to get into using FreeRADIUS and had a question, that I can't seem to find the answer to, I'm guessing its because I'm not even totally clear of the correct terminology. I'm using FreeRADIUS 3.0.? not sure of the exact version as I complied it a month or two ago and I don't have access to the computer right this second. Okay, my question is how do I set things up so the FreeRADIUS will evaluate a request based on where its coming from. So given the following Set up. Have two services wanting to use FreeRADIUS for authentication 1. Wifi 2. a HTTP Proxy I also have a bunch of users. All users can use Wifi (unless of course I need to revoke them for a little bit) Then certain Users need to be authenticated against the HTTP Proxy to allow them to do direct connections instead I plan on using the standard users file if possible. Thank You, Casey
On 9 Apr 2014, at 06:30, Casey Daniels <mailinglist@cd.kcfam.net> wrote:
Hello, Starting to get into using FreeRADIUS and had a question, that I can't seem to find the answer to, I'm guessing its because I'm not even totally clear of the correct terminology.
I'm using FreeRADIUS 3.0.? not sure of the exact version as I complied it a month or two ago and I don't have access to the computer right this second.
Okay, my question is how do I set things up so the FreeRADIUS will evaluate a request based on where its coming from.
So given the following Set up.
Have two services wanting to use FreeRADIUS for authentication
1. Wifi 2. a HTTP Proxy
I also have a bunch of users. All users can use Wifi (unless of course I need to revoke them for a little bit)
Then certain Users need to be authenticated against the HTTP Proxy to allow them to do direct connections instead
I plan on using the standard users file if possible.
client <wifi> { nas_type = 'wifi' } authorize { if ("%{client:nas_type}" == 'wifi') { <do wifi things!> } } Unfortunately regular expressions are not permitted as the LHS of a check item pair in a users file so you have to use unlang, or assign the result of %{client:nas_type} to a temporary attribute and use that instead. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 9 Apr 2014, at 07:45, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 9 Apr 2014, at 06:30, Casey Daniels <mailinglist@cd.kcfam.net> wrote:
Hello, Starting to get into using FreeRADIUS and had a question, that I can't seem to find the answer to, I'm guessing its because I'm not even totally clear of the correct terminology.
I'm using FreeRADIUS 3.0.? not sure of the exact version as I complied it a month or two ago and I don't have access to the computer right this second.
Okay, my question is how do I set things up so the FreeRADIUS will evaluate a request based on where its coming from.
So given the following Set up.
Have two services wanting to use FreeRADIUS for authentication
1. Wifi 2. a HTTP Proxy
I also have a bunch of users. All users can use Wifi (unless of course I need to revoke them for a little bit)
Then certain Users need to be authenticated against the HTTP Proxy to allow them to do direct connections instead
I plan on using the standard users file if possible.
client <wifi> { nas_type = 'wifi' }
authorize { if ("%{client:nas_type}" == 'wifi') { <do wifi things!> } }
Unfortunately regular expressions
Make that xlat expansions, though regular expressions aren't either. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Wed, Apr 09, 2014 at 07:45:36AM +0100, Arran Cudbard-Bell wrote:
On 9 Apr 2014, at 06:30, Casey Daniels <mailinglist@cd.kcfam.net> wrote:
I also have a bunch of users. All users can use Wifi (unless of course I need to revoke them for a little bit)
Then certain Users need to be authenticated against the HTTP Proxy to allow them to do direct connections instead
I plan on using the standard users file if possible.
client <wifi> { nas_type = 'wifi' }
Alternatively, put them through different virtual servers - it can make it easier to do more separation, though you may end up with more duplicated config: client <wifi> { ... virtual_server = wireless } client <proxy> { ... virtual_server = proxy } Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 04/09/2014 07:55 AM, Matthew Newton wrote:
On Wed, Apr 09, 2014 at 07:45:36AM +0100, Arran Cudbard-Bell wrote:
On 9 Apr 2014, at 06:30, Casey Daniels <mailinglist@cd.kcfam.net> wrote:
I also have a bunch of users. All users can use Wifi (unless of course I need to revoke them for a little bit)
Then certain Users need to be authenticated against the HTTP Proxy to allow them to do direct connections instead
I plan on using the standard users file if possible. client <wifi> { nas_type = 'wifi' } Alternatively, put them through different virtual servers - it can make it easier to do more separation, though you may end up with more duplicated config:
client <wifi> { ... virtual_server = wireless }
client <proxy> { ... virtual_server = proxy }
Matthew
Thank you for the reply, so in the user file would I do this? Wifi Only user bob { ... Service-Type = wifi } User of both timmy { ... Service-Type = wifi, proxy } Casey
On 04/09/2014 02:45 AM, Arran Cudbard-Bell wrote:
On 9 Apr 2014, at 06:30, Casey Daniels <mailinglist@cd.kcfam.net> wrote:
client <wifi> { nas_type = 'wifi' }
authorize { if ("%{client:nas_type}" == 'wifi') { <do wifi things!> } }
Unfortunately regular expressions are not permitted as the LHS of a check item pair in a users file so you have to use unlang, or assign the result of %{client:nas_type} to a temporary attribute and use that instead.
I created a attribute in the user file called wifi_key, so what would the unlang look like to check against that. I tried if ("%{wifi_key}" == 'true') { <do wifi things>! } but with your stated limitation about the LHS, how does someone get around that? Casey
Casey Daniels wrote:
I created a attribute in the user file called wifi_key,
What does that mean? The users file doesn't create attributes.
so what would the unlang look like to check against that.
Since it's not clear what you did, we can't answer that question.
I tried
if ("%{wifi_key}" == 'true') { <do wifi things>! }
Which isn't what Arran said to do. And it doesn't follow the normal unlang syntax. See "man unlang". Or the hundreds of examples in the configuration files.
but with your stated limitation about the LHS, how does someone get around that?
The users file has no work-arounds. It behaves as documented. Nothing more. If you want more functionality, use unlang. And read the docs. Alan DeKok.
On 04/11/2014 02:27 PM, Alan DeKok wrote:
Casey Daniels wrote:
I created a attribute in the user file called wifi_key, What does that mean? The users file doesn't create attributes.
I went into the dictionary.local file and defined an attribute called wifi_key that allows strings as the possible values. I then went into the user file and listed the attribute wifi_key = false (just to purposely make it fail for testing purposes)
so what would the unlang look like to check against that. Since it's not clear what you did, we can't answer that question.
I tried
if ("%{wifi_key}" == 'true') { <do wifi things>! } I put the above section in the authorize section of the site file. I'm not understanding how its not following the normal unlang syntax. I've read the man page, and I've looked at the examples. From what I understand from the man page the syntax its following it. If (Condition) { Operations if Condition is true } Which isn't what Arran said to do. And it doesn't follow the normal unlang syntax. See "man unlang". Or the hundreds of examples in the configuration files.
but with your stated limitation about the LHS, how does someone get around that? The users file has no work-arounds. It behaves as documented. Nothing more.
If you want more functionality, use unlang. And read the docs.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Attempting to use unlang, to view items in the user file, that is what i meant how do you work about the limitation.
Casey Daniels wrote:
I went into the dictionary.local file and defined an attribute called wifi_key that allows strings as the possible values. I then went into the user file and listed the attribute wifi_key = false (just to purposely make it fail for testing purposes)
OK. That makes more sense.
I put the above section in the authorize section of the site file.
Please be specific. It matters. If you drop words and use the wrong terminology, we have no idea what you mean. And we're more likely to ignore you.
I'm not understanding how its not following the normal unlang syntax. I've read the man page, and I've looked at the examples. From what I understand from the man page the syntax its following it. If (Condition) { Operations if Condition is true }
Yes, but you don't need to do string expansions: if (Attribute-Name == "value") { is OK. if ("%{Attribute-Name}" == "value") { is pointless. Alan DeKok.
On 04/11/2014 03:03 PM, Alan DeKok wrote:
Please be specific. It matters. If you drop words and use the wrong terminology, we have no idea what you mean. And we're more likely to ignore you. Right above the EAP entry in the authorize section I put this code
If (wifi_key != "true") { reject } my user file looks like this steve Cleartext-Password := "mypassword", wifi_key := "true" the issue from the server logs appears that the (wifi_key != "true") is always evaluating to be true, thus is always rejecting the packet. I believe the issue is that I'm missing is the server isn't evaluating the value of the wifi_key in the user file.
I'm not understanding how its not following the normal unlang syntax. I've read the man page, and I've looked at the examples. From what I understand from the man page the syntax its following it. If (Condition) { Operations if Condition is true } Yes, but you don't need to do string expansions:
if (Attribute-Name == "value") {
is OK.
if ("%{Attribute-Name}" == "value") {
is pointless.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I thank you for your patience with helping me with this.
Casey
On 11 Apr 2014, at 15:42, Casey Daniels <mailinglist@cd.kcfam.net> wrote:
On 04/11/2014 03:03 PM, Alan DeKok wrote:
Please be specific. It matters. If you drop words and use the wrong terminology, we have no idea what you mean. And we're more likely to ignore you. Right above the EAP entry in the authorize section I put this code
If (wifi_key != "true") { reject }
my user file looks like this
steve Cleartext-Password := "mypassword", wifi_key := "true"
the issue from the server logs appears that the (wifi_key != "true") is always evaluating to be true, thus is always rejecting the packet. I believe the issue is that I'm missing is the server isn't evaluating the value of the wifi_key in the user file.
Did you define wiki_key as an value pair? The server will not automatically add attributes. It should really error out with the invalid comparison... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 04/11/2014 04:18 PM, Arran Cudbard-Bell wrote:
On 11 Apr 2014, at 15:42, Casey Daniels <mailinglist@cd.kcfam.net> wrote:
On 04/11/2014 03:03 PM, Alan DeKok wrote:
Please be specific. It matters. If you drop words and use the wrong terminology, we have no idea what you mean. And we're more likely to ignore you. Right above the EAP entry in the authorize section I put this code
If (wifi_key != "true") { reject }
my user file looks like this
steve Cleartext-Password := "mypassword", wifi_key := "true"
the issue from the server logs appears that the (wifi_key != "true") is always evaluating to be true, thus is always rejecting the packet. I believe the issue is that I'm missing is the server isn't evaluating the value of the wifi_key in the user file. Did you define wiki_key as an value pair?
The server will not automatically add attributes. It should really error out with the invalid comparison... if your talking about in the dictionary.local
ATTRIBUTE wifi_key 3000 integer VALUE wifi_key false 0 VALUE wifi_key true 1 Then yes, if your talking about something else, then no, and the only thing that I could find by searching involved the source code.
Casey Daniels wrote:
Right above the EAP entry in the authorize section I put this code
If (wifi_key != "true") { reject }
my user file looks like this
steve Cleartext-Password := "mypassword", wifi_key := "true"
Run the server in debug mode, as suggested in the FAQ, "man" page, web pages, and daily on this list. When you don't do that, you waste everyones time.
the issue from the server logs appears that the (wifi_key != "true") is always evaluating to be true, thus is always rejecting the packet. I believe the issue is that I'm missing is the server isn't evaluating the value of the wifi_key in the user file.
It is. It's running "files" AFTER the code you added in the "authorize" section. If you had run the server in debug mode, you would have seen that. Or, read the "authorize" file. And check that "files" is happening after the code you added. Alan DeKok.
On 04/11/2014 05:05 PM, Alan DeKok wrote:
Casey Daniels wrote:
Right above the EAP entry in the authorize section I put this code
If (wifi_key != "true") { reject }
my user file looks like this
steve Cleartext-Password := "mypassword", wifi_key := "true" Run the server in debug mode, as suggested in the FAQ, "man" page, web pages, and daily on this list. When you don't do that, you waste everyones time. I always run it in -X, and have the information sent to a file for review so that I don't have to try and watch items scroll past the screen.
the issue from the server logs appears that the (wifi_key != "true") is always evaluating to be true, thus is always rejecting the packet. I believe the issue is that I'm missing is the server isn't evaluating the value of the wifi_key in the user file. It is. It's running "files" AFTER the code you added in the "authorize" section.
If you had run the server in debug mode, you would have seen that. Or, read the "authorize" file. And check that "files" is happening after the code you added.
location of the files directive, has no effect, the debug out is virtual the same. I'm getting a matched user file entry, then it runs through the evaluation of the wifi_key, and it never has the desired effect. here is the output i always get from the debug out put files : users: Matched entry steve at line 73 (0) [files] = ok (0) ? if (wifi_key != "true") (0) expand: "true" -> 'true' (0) ? if (wifi_key != "true") -> TRUE (0) if (wifi_key != "true") { (0) [reject] = reject (0) } # if (wifi_key != "true") = reject (0) } # authorize = reject prior to posting to help groups, I do my best to read any related documentation, search both Google and archived mailing list entires to see if others have had the same or similar problems. I'm sorry that I'm bothering you'll with what appears to be a trivial issue, but I would like to get this working.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, On Fri, Apr 11, 2014 at 06:51:59PM -0400, Casey Daniels wrote:
On 04/11/2014 05:05 PM, Alan DeKok wrote:
Run the server in debug mode, as suggested in the FAQ, "man" page, web pages, and daily on this list. When you don't do that, you waste everyones time. I always run it in -X, and have the information sent to a file for review so that I don't have to try and watch items scroll past the screen.
The implication here was that there is no point running it in debug mode, and then keeping the output to yourself... The advice always on this list is to run it with -X, and post the full output to the list. That way people can help you much more easily. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 04/11/2014 07:24 PM, Matthew Newton wrote:
Hi,
On Fri, Apr 11, 2014 at 06:51:59PM -0400, Casey Daniels wrote:
On 04/11/2014 05:05 PM, Alan DeKok wrote:
Run the server in debug mode, as suggested in the FAQ, "man" page, web pages, and daily on this list. When you don't do that, you waste everyones time. I always run it in -X, and have the information sent to a file for review so that I don't have to try and watch items scroll past the screen. The implication here was that there is no point running it in debug mode, and then keeping the output to yourself...
The advice always on this list is to run it with -X, and post the full output to the list. That way people can help you much more easily.
Cheers,
Matthew
Sorry didn't want to send a huge message with a bunch of debugging stuff to clutter things up, but here it is. Starting FreeRadius Daemon...[1mradiusd: FreeRADIUS Version 3.0.0, for host x86_64-unknown-linux-gnu, built on Oct 26 2013 at 18:29:10[0m [1mCopyright (C) 1999-2013 The FreeRADIUS server project and contributors.[0m [1mThere is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A[0m [1mPARTICULAR PURPOSE.[0m [1mYou may redistribute copies of FreeRADIUS under the terms of the[0m [1mGNU General Public License.[0m [1mFor more information about these matters, see the file named COPYRIGHT.[0m [1mStarting - reading configuration files ...[0m including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/logintime including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/filter including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/wifi main { security { user = "radius" group = "radius" chroot = "/srv/freeradius" allow_core_dumps = no } } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/usr/local/var" sbindir = "/usr/local/sbin" logdir = "/var/log" run_dir = "/var/run" libdir = "/lib" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 5096 pidfile = "/var/run/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = no colourise = yes } security { max_attributes = 200 reject_delay = 3 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipv6addr = ::1 IPv6 address [::1] netmask = 128 require_message_authenticator = yes secret = "testing123" proto = "udp" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client wlan-west { ipaddr = 10.50.1.2 netmask = 32 require_message_authenticator = yes secret = "test123" proto = "udp" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_radutmp # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_expiration # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_utf8 # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_soh # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_eap # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 4096 } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/prouter-radius.pem" certificate_file = "/etc/raddb/certs/prouter-radius_crt.pem" ca_file = "/etc/raddb/certs/cacert.pem" private_key_password = "2rU36=L-mdKYVbG" dh_file = "/etc/raddb/certs/dh_radius" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = yes } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_method = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_cache # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 16384 epoch = 0 add_stats = no } # Loaded module rlm_mschap # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Loaded module rlm_detail # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Loaded module rlm_always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_linelog # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "%{%{Packet-Type}:-format}" } # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Loaded module rlm_files # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" usersfile = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" compat = "no" } reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Loaded module rlm_expr # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } # Loaded module rlm_logintime # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-auth {...} } # server server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading virtual module filter_username # Loading preacct {...} # Loading virtual module acct_unique # Loading accounting {...} # Loading post-auth {...} # Loading virtual module remove_reply_message_if_eap # Loading virtual module remove_reply_message_if_eap } # server server wifi { # from file /etc/raddb/sites-enabled/wifi # Loading authenticate {...} # Loading authorize {...} # Loading virtual module filter_username # Loading preacct {...} # Loading virtual module acct_unique # Loading accounting {...} # Loading post-auth {...} # Loading virtual module remove_reply_message_if_eap # Loading virtual module remove_reply_message_if_eap } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipv6addr = ::1 IPv6 address [::1] port = 18120 } listen { type = "auth" ipaddr = 10.50.1.1 port = 0 } listen { type = "acct" ipaddr = 10.50.1.1 port = 0 } listen { type = "auth" ipv6addr = ::1 IPv6 address [::1] port = 1812 } listen { type = "acct" ipv6addr = ::1 IPv6 address [::1] port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address ::1 port 18120 as server inner-tunnel Listening on auth interface br0 address 10.50.1.1 port 1812 as server default Listening on acct interface br0 address 10.50.1.1 port 1813 as server default Listening on auth interface lo address ::1 port 1812 as server wifi Listening on acct interface lo address ::1 port 1813 as server wifi [1mReady to process requests.[0m rad_recv: Access-Request packet from host ::1 port 33053, id=230, length=180 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53480235-00000077' Framed-MTU = 1400 EAP-Message = 0x024b000a017374657665 Message-Authenticator = 0x20f961946495ef0285ebaae426debb71 (0) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (0) authorize { (0) filter_username filter_username { (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'steve' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140411' (0) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140411 (0) auth_log : expand: "%t" -> 'Fri Apr 11 22:36:59 2014' (0) [auth_log] = ok (0) files : users: Matched entry steve at line 73 (0) [files] = ok (0) ? if (wifi_key != "true") (0) expand: "true" -> 'true' (0) ? if (wifi_key != "true") -> TRUE (0) if (wifi_key != "true") { (0) [reject] = reject (0) } # if (wifi_key != "true") = reject (0) } # authorize = reject [1m(0) Invalid user: [steve/<no User-Password attribute>] (from client localhost port 1 cli 30-D6-C9-6C-44-4B)[0m (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/wifi (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : expand: "%{User-Name}" -> 'steve' (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request was previously rejected, inserting EAP-Failure (0) [eap] = updated (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) ? if (reply:EAP-Message && reply:Reply-Message) (0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Finished request 0. Waking up in 0.3 seconds. Waking up in 2.6 seconds. rad_recv: Access-Request packet from host ::1 port 33053, id=230, length=180 [31m(0) Discarding duplicate request from client localhost port 33053 - ID: 230 due to delayed reject[0m (0) Sending delayed reject Sending Access-Reject of id 230 from ::1 port 1812 to ::1 port 33053 EAP-Message = 0x044b0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. (0) Cleaning up request packet ID 230 with timestamp +19 [1mReady to process requests.[0m rad_recv: Access-Request packet from host ::1 port 33053, id=231, length=180 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53480235-00000078' Framed-MTU = 1400 EAP-Message = 0x0261000a017374657665 Message-Authenticator = 0x19c4400d77d1ef651ef9755cae9098b6 (1) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (1) authorize { (1) filter_username filter_username { (1) ? if (User-Name != "%{tolower:%{User-Name}}") (1) expand: "%{tolower:%{User-Name}}" -> 'steve' (1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) ? if (User-Name =~ / /) (1) ? if (User-Name =~ / /) -> FALSE (1) ? if (User-Name =~ /@.*@/ ) (1) ? if (User-Name =~ /@.*@/ ) -> FALSE (1) ? if (User-Name =~ /\\.\\./ ) (1) ? if (User-Name =~ /\\.\\./ ) -> FALSE (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) ? if (User-Name =~ /\\.$/) (1) ? if (User-Name =~ /\\.$/) -> FALSE (1) ? if (User-Name =~ /@\\./) (1) ? if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140411' (1) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140411 (1) auth_log : expand: "%t" -> 'Fri Apr 11 22:37:09 2014' (1) [auth_log] = ok (1) files : users: Matched entry steve at line 73 (1) [files] = ok (1) ? if (wifi_key != "true") (1) expand: "true" -> 'true' (1) ? if (wifi_key != "true") -> TRUE (1) if (wifi_key != "true") { (1) [reject] = reject (1) } # if (wifi_key != "true") = reject (1) } # authorize = reject [1m(1) Invalid user: [steve/<no User-Password attribute>] (from client localhost port 1 cli 30-D6-C9-6C-44-4B)[0m (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/wifi (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject : expand: "%{User-Name}" -> 'steve' (1) attr_filter.access_reject : Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap : Request was previously rejected, inserting EAP-Failure (1) [eap] = updated (1) remove_reply_message_if_eap remove_reply_message_if_eap { (1) ? if (reply:EAP-Message && reply:Reply-Message) (1) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Finished request 1. Waking up in 0.3 seconds. Waking up in 2.6 seconds. rad_recv: Access-Request packet from host ::1 port 33053, id=231, length=180 [31m(1) Discarding duplicate request from client localhost port 33053 - ID: 231 due to delayed reject[0m (1) Sending delayed reject Sending Access-Reject of id 231 from ::1 port 1812 to ::1 port 33053 EAP-Message = 0x04610004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds.
Casey Daniels wrote:
Sorry didn't want to send a huge message with a bunch of debugging stuff to clutter things up, but here it is.
The point is that we ask for the debug output because WE NEED IT. Your first few messages were vague, and used the wrong terminology. We can't help you if we have no idea what you're talking about.
(0) files : users: Matched entry steve at line 73 (0) [files] = ok
What is the contents of the "users" file at line 73?
(0) ? if (wifi_key != "true") (0) expand: "true" -> 'true' (0) ? if (wifi_key != "true") -> TRUE
So the wifi_key attribute isn't added. So... what is in the "users" file at line 73? This is why we keep asking for debug output, and why we suggest that people READ IT. It has a lot of information, including exactly what the server is doing, and why. Alan DeKok.
On 04/12/2014 11:23 AM, Alan DeKok wrote:
Casey Daniels wrote:
Sorry didn't want to send a huge message with a bunch of debugging stuff to clutter things up, but here it is. The point is that we ask for the debug output because WE NEED IT.
Your first few messages were vague, and used the wrong terminology. We can't help you if we have no idea what you're talking about.
(0) files : users: Matched entry steve at line 73 (0) [files] = ok What is the contents of the "users" file at line 73?
(0) ? if (wifi_key != "true") (0) expand: "true" -> 'true' (0) ? if (wifi_key != "true") -> TRUE So the wifi_key attribute isn't added. So... what is in the "users" file at line 73?
This is why we keep asking for debug output, and why we suggest that people READ IT. It has a lot of information, including exactly what the server is doing, and why.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Line 73 is steve Cleartext-Password := "testing", wifi_key = "true" The rest of the non commented items of the authorize file DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP
Casey Daniels wrote:
steve Cleartext-Password := "testing", wifi_key = "true"
The users file puts the attributes into the "control" list. You'll have to look there for wifi_key. e.g. if (control:wifi_key == "true") { .. Policies in "unlang" are much more precise, and it's more obvious what they're doing. Alan DeKok.
On 04/19/2014 08:58 AM, Alan DeKok wrote:
Casey Daniels wrote:
steve Cleartext-Password := "testing", wifi_key = "true" The users file puts the attributes into the "control" list. You'll have to look there for wifi_key. e.g.
if (control:wifi_key == "true") { ..
Policies in "unlang" are much more precise, and it's more obvious what they're doing.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I believe that is what I was looking for, it appears to be working properly with a few test that I ran.
Thank you so much for the help. Casey
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Casey Daniels -
Matthew Newton