Migration of FreeRadius Server from 2.1 to 3.X
I am in process of migrating free radius 2.1 to free radius 3.x. In Free radius 2.1 all configuration is located in freeradius.conf file. In Freeradius 3.X , the configurations are divided into various configuration files Some in ldap modules & some sites-enabled/default. Modified files accordingly. I have custom configuration for authenticating to Unix Server by Radius Server. Failed to find "level1_and_duopush" in the "modules" section. What I am supposed to do in modules section for "level1_and_duopush" =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2017.09.06 11:16:49 =~=~=~=~=~=~=~=~=~=~=~= radiusd -X radiusd: FreeRADIUS Version 3.0.3, for host x86_64-suse-linux-gnu, built on Jul 18 2017 at 14:51 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/ldap including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/utf8 including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/operator-name including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { security { allow_core_dumps = no } } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_ldap # Instantiating module "ldapmed" from file /etc/raddb/mods-enabled/ldap ldap ldapmed { server = "idm-dir1.p-ent.XXXX.XXX.edu" port = 636 password = <<< secret >>> identity = "cn=p-idm-radius,o=services" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "dc=umich,dc=edu" access_attribute = "dialupAccess" access_positive = yes } group { filter = "(objectClass=posixGroup)" scope = "sub" base_dn = "dc=xxxx,dc=edu" name_attribute = "cn" membership_attribute = "memberOf" cacheable_name = no cacheable_dn = no } client { filter = "(objectClass=frClient)" scope = "sub" base_dn = "dc=xxxx,dc=edu" attribute { identifier = "radiusClientIdentifier" shortname = "cn" secret = "radiusClientSecret" } } profile { filter = "(&)" } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 3 } tls { start_tls = no require_cert = "never" } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldapmed): Initialising connection pool pool { start = 5 min = 4 max = 32 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldapmed): Opening additional connection (0) rlm_ldap (ldapmed): Connecting to idm-dir1.p-ent.med.umich.edu:636 rlm_ldap (ldapmed): Waiting for bind result... rlm_ldap (ldapmed): Bind successful rlm_ldap (ldapmed): Opening additional connection (1) rlm_ldap (ldapmed): Connecting to idm-dir1.p-ent.xxx.xxxx.edu:636 rlm_ldap (ldapmed): Waiting for bind result... rlm_ldap (ldapmed): Bind successful rlm_ldap (ldapmed): Opening additional connection (2) rlm_ldap (ldapmed): Connecting to idm-dir1.p-ent.xxxx.xxxx.edu:636 rlm_ldap (ldapmed): Waiting for bind result... rlm_ldap (ldapmed): Bind successful rlm_ldap (ldapmed): Opening additional connection (3) rlm_ldap (ldapmed): Connecting to idm-dir1.p-ent.xxx.xxxx.edu:636 rlm_ldap (ldapmed): Waiting for bind result... rlm_ldap (ldapmed): Bind successful rlm_ldap (ldapmed): Opening additional connection (4) rlm_ldap (ldapmed): Connecting to idm-dir1.p-ent.xxx.xxx.edu:636 rlm_ldap (ldapmed): Waiting for bind result... rlm_ldap (ldapmed): Bind successful # Loaded module rlm_always # Instantiating module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Loaded module rlm_cache # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 16384 epoch = 0 add_stats = no } # Loaded module rlm_chap # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_detail # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Loaded module rlm_dhcp # Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp # Loaded module rlm_digest # Instantiating module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Instantiating module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 1024 } # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = yes } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_method = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Loaded module rlm_exec # Instantiating module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } # Loaded module rlm_files # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" usersfile = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" compat = "cistron" } reading pairlist file /etc/raddb/mods-config/files/authorize [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks for entry DEFAULT ... reading pairlist file /etc/raddb/mods-config/files/authorize [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks for entry DEFAULT ... reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Loaded module rlm_linelog # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{Packet-Type}:-default}" } # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Instantiating module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_pap # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Loaded module rlm_radutmp # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Instantiating module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Instantiating module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } # Loaded module rlm_unpack # Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8 } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server default { # from file /etc/raddb/sites-enabled/default # Creating Auth-Type = level1_and_duopush # Creating Auth-Type = level1_and_duophone # Creating Auth-Type = level2_and_duopush # Creating Auth-Type = level2_and_duophone # Creating Auth-Type = PhoneFactor # Creating Auth-Type = Level-1 # Loading authenticate {...} /etc/raddb/sites-enabled/default[488]: Failed to find "level1_and_duopush" in the "modules" section. /etc/raddb/sites-enabled/default[488]: Failed to parse "level1_and_duopush" entry. ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
On Wed, 2017-09-06 at 15:32 +0000, Bhagwat, Shrikant wrote:
I am in process of migrating free radius 2.1 to free radius 3.x.
That's good. But please use 3.0.15, not 3.0.3. You really don't want to start off with a server with loads of bugs and security issues that have now been fixed. And 3.0.3 has plenty of both.
In Free radius 2.1 all configuration is located in freeradius.conf file.
In your config, maybe. Not as shipped with the server.
Failed to find "level1_and_duopush" in the "modules" section.
That's not a standard module, so there's no way for us to know what it's supposed to do.
What I am supposed to do in modules section forlevel1_and_duopush"
Look at your old configuration, and find out what forlevel1_and_duopush did. Then do the same in v3. It's presumably in the modules{} section of the configuration, so should be in one of the files in the mods- available directory. -- Matthew
In Freeradius 2.1 in our radiusd.conf file, we had following # # Execute external programs # # This module is useful only for 'xlat'. To use it, # put 'exec' into the 'instantiate' section. You can then # do dynamic translation of attributes like: # # Attribute-Name = `%{exec:/path/to/program args}` # # The value of the attribute will be replaced with the output # of the program which is executed. Due to RADIUS protocol # limitations, any output over 253 bytes will be ignored. # # The RADIUS attributes from the user request will be placed # into environment variables of the executed program, as # described in 'doc/variables.txt' # exec default { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag; # 5 - level-1 kdc domain; 6 - log file name. program = "/idm/idmt_home/PhoneFactor/Level1Factor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} not_found \ %{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname}" shell_escape = yes } # Phone Factor exec phonefactor { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag; # 5 - level-1 kdc domain; 6 - log file name; 7 - phone factor call back number program = "/idm/idmt_home/PhoneFactor/PhoneFactor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} found \ %{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname} %{reply:Callback-Number}" shell_escape = yes } exec level-1 { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag; # 5 - level-1 kdc domain; 6 - log file name. program = "/idm/idmt_home/PhoneFactor/Level1Factor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} %{check:LDAP-UserDn} \ %{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname}" shell_escape = yes } exec level1_and_duophone { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag; # 5 - level-1 kdc domain; 6 - log file name; 7 - duo api host; 8 - duo ikey; 9 - duo skey; 10 - duo factor program = "/idm/idmt_home/PhoneFactor/DuoFactor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} %{check:LDAP-UserDn} \ %{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname} %{config:modules.ldap.duo_host} %{config:modules.ldap.duo_ikey} %{config:modules.ldap.duo_skey} phone" shell_escape = yes } exec level1_and_duopush { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag; # 5 - level-1 kdc domain; 6 - log file name; 7 - duo api host; 8 - duo ikey; 9 - duo skey; 10 - duo factor program = "/idm/idmt_home/PhoneFactor/DuoFactor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} %{check:LDAP-UserDn} \ %{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname} %{config:modules.ldap.duo_host} %{config:modules.ldap.duo_ikey} %{config:modules.ldap.duo_skey} push" shell_escape = yes } We may need to add above lines in exec modules ? -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw=med.umich.edu@lists.freeradius.org] On Behalf Of Matthew Newton Sent: Wednesday, September 06, 2017 11:42 AM To: freeradius-users@lists.freeradius.org Subject: Re: Migration of FreeRadius Server from 2.1 to 3.X On Wed, 2017-09-06 at 15:32 +0000, Bhagwat, Shrikant wrote:
I am in process of migrating free radius 2.1 to free radius 3.x.
That's good. But please use 3.0.15, not 3.0.3. You really don't want to start off with a server with loads of bugs and security issues that have now been fixed. And 3.0.3 has plenty of both.
In Free radius 2.1 all configuration is located in freeradius.conf file.
In your config, maybe. Not as shipped with the server.
Failed to find "level1_and_duopush" in the "modules" section.
That's not a standard module, so there's no way for us to know what it's supposed to do.
What I am supposed to do in modules section forlevel1_and_duopush"
Look at your old configuration, and find out what forlevel1_and_duopush did. Then do the same in v3. It's presumably in the modules{} section of the configuration, so should be in one of the files in the mods- available directory. -- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
# Loaded module rlm_exec # Instantiating module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Instantiating module "default" from file /etc/raddb/mods-enabled/exec exec default { wait = yes program = "/idm/idmt_home/PhoneFactor/Level1Factor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} not_found %{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname}" output_pairs = "none" shell_escape = yes } /etc/raddb/mods-enabled/exec[33]: Invalid output list 'none' /etc/raddb/mods-enabled/exec[33]: Instantiation failed for module "default" Not sure why Invalid Output list none -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw=med.umich.edu@lists.freeradius.org] On Behalf Of Matthew Newton Sent: Wednesday, September 6, 2017 11:54 AM To: freeradius-users@lists.freeradius.org Subject: Re: Migration of FreeRadius Server from 2.1 to 3.X On Wed, 2017-09-06 at 15:51 +0000, Bhagwat, Shrikant wrote:
We may need to add above lines in exec modules ?
Exactly. They define instances of the 'exec' module with those names. -- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
On Wed, 2017-09-06 at 16:03 +0000, Bhagwat, Shrikant wrote:
exec default { wait = yes program = "/idm/idmt_home/PhoneFactor/Level1Factor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} not_found %{config:modules.ldap.level- 1_kdc} %{config:modules.ldap.logFILEname}" output_pairs = "none" shell_escape = yes } /etc/raddb/mods-enabled/exec[33]: Invalid output list 'none' /etc/raddb/mods-enabled/exec[33]: Instantiation failed for module "default"
Not sure why Invalid Output list none
Because that's invalid - the output lists are documented in mods- available/echo (which mods-available/exec points to), so you need to use one of the standard attribute list names. The release notes say that a config for version 2 won't just work on version 3 for a reason... the config likely won't "just work". So you have to look at the examples with the server and update your config where necessary. If you're looking at that anyway, it's probably a good time to consider if you can do whatever you are doing in the external script within FreeRADIUS directly. Running scripts is generally much slower than, for example, doing LDAP lookups or similar in the server. -- Matthew
I know config of version 2 will not work with config of version 3. It looks like echo module controls the exe module
From exec module
exec default { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag; # 5 - level-1 kdc domain; 6 - log file name. program = "/idm/idmt_home/PhoneFactor/Level1Factor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} not_found \ %{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname}" shell_escape = yes } # Phone Factor exec phonefactor { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag; # 5 - level-1 kdc domain; 6 - log file name; 7 - phone factor call back number program = "/idm/idmt_home/PhoneFactor/PhoneFactor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} found \ %{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname} %{reply:Callback-Number}" shell_escape = yes } Do I modify echo module to match in exec module ? or vice versa ? -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw=med.umich.edu@lists.freeradius.org] On Behalf Of Matthew Newton Sent: Wednesday, September 6, 2017 6:37 PM To: freeradius-users@lists.freeradius.org Subject: Re: Migration of FreeRadius Server from 2.1 to 3.X On Wed, 2017-09-06 at 16:03 +0000, Bhagwat, Shrikant wrote:
exec default { wait = yes program = "/idm/idmt_home/PhoneFactor/Level1Factor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} not_found %{config:modules.ldap.level- 1_kdc} %{config:modules.ldap.logFILEname}" output_pairs = "none" shell_escape = yes } /etc/raddb/mods-enabled/exec[33]: Invalid output list 'none' /etc/raddb/mods-enabled/exec[33]: Instantiation failed for module "default"
Not sure why Invalid Output list none
Because that's invalid - the output lists are documented in mods- available/echo (which mods-available/exec points to), so you need to use one of the standard attribute list names. The release notes say that a config for version 2 won't just work on version 3 for a reason... the config likely won't "just work". So you have to look at the examples with the server and update your config where necessary. If you're looking at that anyway, it's probably a good time to consider if you can do whatever you are doing in the external script within FreeRADIUS directly. Running scripts is generally much slower than, for example, doing LDAP lookups or similar in the server. -- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
hi,
I know config of version 2 will not work with config of version 3. It looks like echo module controls the exe module
?? the exec module is the main module the provided example echo module USES the exec module exec echo { } see?
From exec module
exec default { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag; # 5 - level-1 kdc domain; 6 - log file name. program = "/idm/idmt_home/PhoneFactor/Level1Factor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} not_found \ %{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname}" shell_escape = yes }
# Phone Factor exec phonefactor { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag; # 5 - level-1 kdc domain; 6 - log file name; 7 - phone factor call back number program = "/idm/idmt_home/PhoneFactor/PhoneFactor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} found \ %{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname} %{reply:Callback-Number}" shell_escape = yes }
Do I modify echo module to match in exec module ? or vice versa ?
so, these two sub-modules of exec, which can be called as 'default' and 'phonefactor' elsewhere in your config - eg in the sites-enabled/* virtual servers (PS 'default' is an awful choice) and yes, you need to look at the FR 3.x docs and ensure your format and entries match the 3.x configuration/specification..... also, as already said, this is the IDEAL time, during a migration, to clean up and optimise the config. operations with LDAP can be done natively through LDAP module and unang and will be MUCH MUCH quicker than calls to scripts (more than an order of magnitude quicker AND able to deal natively with multiple servers, failover, connection pools etc etc - thread safe etc) in previous migrations I have removed most modules and random functions and sped server up - in most cases being able to make the server more like a default install with far fewer changes and stopping the use of eg rlm_perl and rlm_python alan
Hi Alan In sites-enabled/default file in authenticate section I have added custom section unix authenticate { # unix # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type level1_and_duopush { level1_and_duopush } Auth-Type level1_and_duophone { level1_and_duophone } Auth-Type level2_and_duopush { level2_and_duopush } Auth-Type level2_and_duophone { level2_and_duophone } Auth-Type PhoneFactor { phonefactor } Auth-Type Level-1 { level-1 } } In Post Auth section of default file I have following : post-auth { # Get an address from the IP Pool. # main_pool # Create the CUI value and add the attribute to Access-Accept. # Uncomment the line below if *returning* the CUI. # cui # # If you want to have a log of authentication replies, # un-comment the following line, and enable the # 'detail reply_log' module. reply_log # # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in sql.conf -sql # # Instead of sending the query to the SQL server, # write it into a log file. # # sql_log # # Un-comment the following if you want to modify the user's object # in LDAP after a successful login. # # ldap # For Exec-Program and Exec-Program-Wait exec # # Calculate the various WiMAX keys. In order for this to work, # you will need to define the WiMAX NAI, usually via # # update request { # WiMAX-MN-NAI = "%{User-Name}" # } # # If you want various keys to be calculated, you will need to # update the reply with "template" values. The module will see # this, and replace the template values with the correct ones # taken from the cryptographic calculations. e.g. # # update reply { # WiMAX-FA-RK-Key = 0x00 # WiMAX-MSK = "%{EAP-MSK}" # } # # You may want to delete the MS-MPPE-*-Keys from the reply, # as some WiMAX clients behave badly when those attributes # are included. See "raddb/modules/wimax", configuration # entry "delete_mppe_keys" for more information. # # wimax -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw=med.umich.edu@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Thursday, September 7, 2017 5:25 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Migration of FreeRadius Server from 2.1 to 3.X hi,
I know config of version 2 will not work with config of version 3. It looks like echo module controls the exe module
?? the exec module is the main module the provided example echo module USES the exec module exec echo { } see?
From exec module
exec default { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag; # 5 - level-1 kdc domain; 6 - log file name. program = "/idm/idmt_home/PhoneFactor/Level1Factor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} not_found \ %{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname}" shell_escape = yes }
# Phone Factor exec phonefactor { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag; # 5 - level-1 kdc domain; 6 - log file name; 7 - phone factor call back number program = "/idm/idmt_home/PhoneFactor/PhoneFactor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} found \ %{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname} %{reply:Callback-Number}" shell_escape = yes }
Do I modify echo module to match in exec module ? or vice versa ?
so, these two sub-modules of exec, which can be called as 'default' and 'phonefactor' elsewhere in your config - eg in the sites-enabled/* virtual servers (PS 'default' is an awful choice) and yes, you need to look at the FR 3.x docs and ensure your format and entries match the 3.x configuration/specification..... also, as already said, this is the IDEAL time, during a migration, to clean up and optimise the config. operations with LDAP can be done natively through LDAP module and unang and will be MUCH MUCH quicker than calls to scripts (more than an order of magnitude quicker AND able to deal natively with multiple servers, failover, connection pools etc etc - thread safe etc) in previous migrations I have removed most modules and random functions and sped server up - in most cases being able to make the server more like a default install with far fewer changes and stopping the use of eg rlm_perl and rlm_python alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
What are you trying to do? You say you added custom unix but haven't/didn't from info you provided. What are those auth-type entries for? You can't just make up your own random syntax. alan On 7 Sep 2017 1:49 pm, "Bhagwat, Shrikant" <shrbhagw@med.umich.edu> wrote:
Hi Alan
In sites-enabled/default file in authenticate section I have added custom section unix
authenticate {
# unix
# Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password.
Auth-Type level1_and_duopush { level1_and_duopush }
Auth-Type level1_and_duophone { level1_and_duophone }
Auth-Type level2_and_duopush { level2_and_duopush }
Auth-Type level2_and_duophone { level2_and_duophone }
Auth-Type PhoneFactor { phonefactor }
Auth-Type Level-1 { level-1 } }
In Post Auth section of default file I have following :
post-auth { # Get an address from the IP Pool. # main_pool
# Create the CUI value and add the attribute to Access-Accept. # Uncomment the line below if *returning* the CUI. # cui
# # If you want to have a log of authentication replies, # un-comment the following line, and enable the # 'detail reply_log' module. reply_log
# # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in sql.conf -sql
# # Instead of sending the query to the SQL server, # write it into a log file. # # sql_log
# # Un-comment the following if you want to modify the user's object # in LDAP after a successful login. # # ldap
# For Exec-Program and Exec-Program-Wait exec
# # Calculate the various WiMAX keys. In order for this to work, # you will need to define the WiMAX NAI, usually via # # update request { # WiMAX-MN-NAI = "%{User-Name}" # } # # If you want various keys to be calculated, you will need to # update the reply with "template" values. The module will see # this, and replace the template values with the correct ones # taken from the cryptographic calculations. e.g. # # update reply { # WiMAX-FA-RK-Key = 0x00 # WiMAX-MSK = "%{EAP-MSK}" # } # # You may want to delete the MS-MPPE-*-Keys from the reply, # as some WiMAX clients behave badly when those attributes # are included. See "raddb/modules/wimax", configuration # entry "delete_mppe_keys" for more information. # # wimax
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw= med.umich.edu@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Thursday, September 7, 2017 5:25 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Migration of FreeRadius Server from 2.1 to 3.X
hi,
I know config of version 2 will not work with config of version 3. It looks like echo module controls the exe module
??
the exec module is the main module
the provided example echo module USES the exec module
exec echo { }
see?
From exec module
exec default { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 -
level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
# 5 - level-1 kdc domain; 6 - log file name. program = "/idm/idmt_home/PhoneFactor/Level1Factor.pl
%{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} not_found \
%{config:modules.ldap.level-1_kdc}
%{config:modules.ldap.logFILEname}"
shell_escape = yes }
# Phone Factor exec phonefactor { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 -
level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
# 5 - level-1 kdc domain; 6 - log file name; 7 - phone
factor call back number
program = "/idm/idmt_home/PhoneFactor/PhoneFactor.pl
%{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} found \
%{config:modules.ldap.level-1_kdc}
%{config:modules.ldap.logFILEname} %{reply:Callback-Number}"
shell_escape = yes }
Do I modify echo module to match in exec module ? or vice versa ?
so, these two sub-modules of exec, which can be called as 'default' and 'phonefactor' elsewhere in your config - eg in the sites-enabled/* virtual servers (PS 'default' is an awful choice)
and yes, you need to look at the FR 3.x docs and ensure your format and entries match the 3.x configuration/specification..... also, as already said, this is the IDEAL time, during a migration, to clean up and optimise the config. operations with LDAP can be done natively through LDAP module and unang and will be MUCH MUCH quicker than calls to scripts (more than an order of magnitude quicker AND able to deal natively with multiple servers, failover, connection pools etc etc - thread safe etc) in previous migrations I have removed most modules and random functions and sped server up - in most cases being able to make the server more like a default install with far fewer changes and stopping the use of eg rlm_perl and rlm_python
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Hi Alan
In sites-enabled/default file in authenticate section I have added custom section unix
authenticate {
# unix
# Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password.
Auth-Type level1_and_duopush { level1_and_duopush }
Auth-Type level1_and_duophone { level1_and_duophone }
Auth-Type level2_and_duopush { level2_and_duopush }
Auth-Type level2_and_duophone { level2_and_duophone }
Auth-Type PhoneFactor { phonefactor }
Auth-Type Level-1 { level-1 } }
In Post Auth section of default file I have following :
post-auth { # Get an address from the IP Pool. # main_pool
# Create the CUI value and add the attribute to Access-Accept. # Uncomment the line below if *returning* the CUI. # cui
# # If you want to have a log of authentication replies, # un-comment the following line, and enable the # 'detail reply_log' module. reply_log
# # After authenticating the user, do another SQL query. # # See "Authentication Logging Queries" in sql.conf -sql
# # Instead of sending the query to the SQL server, # write it into a log file. # # sql_log
# # Un-comment the following if you want to modify the user's object # in LDAP after a successful login. # # ldap
# For Exec-Program and Exec-Program-Wait exec
# # Calculate the various WiMAX keys. In order for this to work, # you will need to define the WiMAX NAI, usually via # # update request { # WiMAX-MN-NAI = "%{User-Name}" # } # # If you want various keys to be calculated, you will need to # update the reply with "template" values. The module will see # this, and replace the template values with the correct ones # taken from the cryptographic calculations. e.g. # # update reply { # WiMAX-FA-RK-Key = 0x00 # WiMAX-MSK = "%{EAP-MSK}" # } # # You may want to delete the MS-MPPE-*-Keys from the reply, # as some WiMAX clients behave badly when those attributes # are included. See "raddb/modules/wimax", configuration # entry "delete_mppe_keys" for more information. # # wimax
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw= med.umich.edu@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Thursday, September 7, 2017 5:25 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Migration of FreeRadius Server from 2.1 to 3.X
hi,
I know config of version 2 will not work with config of version 3. It looks like echo module controls the exe module
??
the exec module is the main module
the provided example echo module USES the exec module
exec echo { }
see?
From exec module
exec default { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 -
level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
# 5 - level-1 kdc domain; 6 - log file name. program = "/idm/idmt_home/PhoneFactor/Level1Factor.pl
%{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} not_found \
%{config:modules.ldap.level-1_kdc}
%{config:modules.ldap.logFILEname}"
shell_escape = yes }
# Phone Factor exec phonefactor { wait = yes output = none #input_pairs = request output_pairs = none # 0 - level-2 proxy; 1 - level-2 proxy password; 2 -
level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
# 5 - level-1 kdc domain; 6 - log file name; 7 - phone
factor call back number
program = "/idm/idmt_home/PhoneFactor/PhoneFactor.pl
%{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} found \
%{config:modules.ldap.level-1_kdc}
%{config:modules.ldap.logFILEname} %{reply:Callback-Number}"
shell_escape = yes }
Do I modify echo module to match in exec module ? or vice versa ?
so, these two sub-modules of exec, which can be called as 'default' and 'phonefactor' elsewhere in your config - eg in the sites-enabled/* virtual servers (PS 'default' is an awful choice)
and yes, you need to look at the FR 3.x docs and ensure your format and entries match the 3.x configuration/specification..... also, as already said, this is the IDEAL time, during a migration, to clean up and optimise the config. operations with LDAP can be done natively through LDAP module and unang and will be MUCH MUCH quicker than calls to scripts (more than an order of magnitude quicker AND able to deal natively with multiple servers, failover, connection pools etc etc - thread safe etc) in previous migrations I have removed most modules and random functions and sped server up - in most cases being able to make the server more like a default install with far fewer changes and stopping the use of eg rlm_perl and rlm_python
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Got it working finally, -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw=med.umich.edu@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Thursday, September 7, 2017 5:10 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: Migration of FreeRadius Server from 2.1 to 3.X What are you trying to do? You say you added custom unix but haven't/didn't from info you provided. What are those auth-type entries for? You can't just make up your own random syntax. alan On 7 Sep 2017 1:49 pm, "Bhagwat, Shrikant" <shrbhagw@med.umich.edu> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ********************************************************** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
congrats. being a public forum for users, its good protocol to note
what you did to fix things so when the next person comes along after a
google search that matches the same issue/problems/phrases they
get a decent clue rather than just ask the same questions to the list
again again and again
alan
On 8 September 2017 at 03:19, Bhagwat, Shrikant <shrbhagw@med.umich.edu> wrote:
> Got it working finally,
>
>
>
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw=med.umich.edu@lists.freeradius.org] On Behalf Of Alan Buxey
> Sent: Thursday, September 7, 2017 5:10 PM
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Subject: RE: Migration of FreeRadius Server from 2.1 to 3.X
>
> What are you trying to do? You say you added custom unix but haven't/didn't from info you provided. What are those auth-type entries for? You can't just make up your own random syntax.
>
> alan
>
> On 7 Sep 2017 1:49 pm, "Bhagwat, Shrikant" <shrbhagw@med.umich.edu> wrote:
>
>> Hi Alan
>>
>> In sites-enabled/default file in authenticate section I have added
>> custom section unix
>>
>> authenticate {
>>
>>
>> # unix
>>
>> # Uncomment it if you want to use ldap for authentication
>> #
>> # Note that this means "check plain-text password against
>> # the ldap database", which means that EAP won't work,
>> # as it does not supply a plain-text password.
>>
>> Auth-Type level1_and_duopush {
>> level1_and_duopush
>> }
>>
>> Auth-Type level1_and_duophone {
>> level1_and_duophone
>> }
>>
>> Auth-Type level2_and_duopush {
>> level2_and_duopush
>> }
>>
>> Auth-Type level2_and_duophone {
>> level2_and_duophone
>> }
>>
>> Auth-Type PhoneFactor {
>> phonefactor
>> }
>>
>> Auth-Type Level-1 {
>> level-1
>> }
>> }
>>
>> In Post Auth section of default file I have following :
>>
>>
>> post-auth {
>> # Get an address from the IP Pool.
>> # main_pool
>>
>>
>> # Create the CUI value and add the attribute to Access-Accept.
>> # Uncomment the line below if *returning* the CUI.
>> # cui
>>
>> #
>> # If you want to have a log of authentication replies,
>> # un-comment the following line, and enable the
>> # 'detail reply_log' module.
>> reply_log
>>
>> #
>> # After authenticating the user, do another SQL query.
>> #
>> # See "Authentication Logging Queries" in sql.conf
>> -sql
>>
>> #
>> # Instead of sending the query to the SQL server,
>> # write it into a log file.
>> #
>> # sql_log
>>
>> #
>> # Un-comment the following if you want to modify the user's object
>> # in LDAP after a successful login.
>> #
>> # ldap
>>
>> # For Exec-Program and Exec-Program-Wait
>> exec
>>
>> #
>> # Calculate the various WiMAX keys. In order for this to work,
>> # you will need to define the WiMAX NAI, usually via
>> #
>> # update request {
>> # WiMAX-MN-NAI = "%{User-Name}"
>> # }
>> #
>> # If you want various keys to be calculated, you will need to
>> # update the reply with "template" values. The module will see
>> # this, and replace the template values with the correct ones
>> # taken from the cryptographic calculations. e.g.
>> #
>> # update reply {
>> # WiMAX-FA-RK-Key = 0x00
>> # WiMAX-MSK = "%{EAP-MSK}"
>> # }
>> #
>> # You may want to delete the MS-MPPE-*-Keys from the reply,
>> # as some WiMAX clients behave badly when those attributes
>> # are included. See "raddb/modules/wimax", configuration
>> # entry "delete_mppe_keys" for more information.
>> #
>> # wimax
>>
>>
>>
>> -----Original Message-----
>> From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw=
>> med.umich.edu@lists.freeradius.org] On Behalf Of Alan Buxey
>> Sent: Thursday, September 7, 2017 5:25 AM
>> To: FreeRadius users mailing list
>> <freeradius-users@lists.freeradius.org>
>> Subject: Re: Migration of FreeRadius Server from 2.1 to 3.X
>>
>> hi,
>>
>> > I know config of version 2 will not work with config of version 3.
>> > It looks like echo module controls the exe module
>>
>> ??
>>
>> the exec module is the main module
>>
>> the provided example echo module USES the exec module
>>
>>
>> exec echo {
>> }
>>
>> see?
>>
>> >
>> > From exec module
>> >
>> > exec default {
>> > wait = yes
>> > output = none
>> > #input_pairs = request
>> > output_pairs = none
>> > # 0 - level-2 proxy; 1 - level-2 proxy password; 2 -
>> level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
>> > # 5 - level-1 kdc domain; 6 - log file name.
>> > program =
>> > "/idm/idmt_home/PhoneFactor/Level1Factor.pl
>> %{config:modules.ldap.identity} %{config:modules.ldap.password}
>> %{config:modules.ldap.server} %{config:modules.ldap.basedn} not_found
>> \
>> > %{config:modules.ldap.level-1_kdc}
>> %{config:modules.ldap.logFILEname}"
>> > shell_escape = yes
>> > }
>> >
>> > # Phone Factor
>> > exec phonefactor {
>> > wait = yes
>> > output = none
>> > #input_pairs = request
>> > output_pairs = none
>> > # 0 - level-2 proxy; 1 - level-2 proxy password; 2 -
>> level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
>> > # 5 - level-1 kdc domain; 6 - log file name; 7 -
>> > phone
>> factor call back number
>> > program = "/idm/idmt_home/PhoneFactor/PhoneFactor.pl
>> %{config:modules.ldap.identity} %{config:modules.ldap.password}
>> %{config:modules.ldap.server} %{config:modules.ldap.basedn} found \
>> > %{config:modules.ldap.level-1_kdc}
>> %{config:modules.ldap.logFILEname} %{reply:Callback-Number}"
>> > shell_escape = yes
>> > }
>> >
>> >
>> > Do I modify echo module to match in exec module ? or vice versa ?
>>
>> so, these two sub-modules of exec, which can be called as 'default'
>> and 'phonefactor' elsewhere in your config - eg in the sites-enabled/*
>> virtual servers (PS 'default' is an awful choice)
>>
>> and yes, you need to look at the FR 3.x docs and ensure your format
>> and entries match the 3.x configuration/specification..... also, as
>> already said, this is the IDEAL time, during a migration, to clean up
>> and optimise the config. operations with LDAP can be done natively
>> through LDAP module and unang and will be MUCH MUCH quicker than calls
>> to scripts (more than an order of magnitude quicker AND able to deal
>> natively with multiple servers, failover, connection pools etc etc -
>> thread safe etc) in previous migrations I have removed most modules
>> and random functions and sped server up - in most cases being able to
>> make the server more like a default install with far fewer changes and
>> stopping the use of eg rlm_perl and rlm_python
>>
>> alan
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>> **********************************************************
>> Electronic Mail is not secure, may not be read every day, and should
>> not be used for urgent or sensitive issues
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> **********************************************************
> Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Changed output_pairs=reply from
output_pairs=none
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw=med.umich.edu@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Friday, September 8, 2017 5:24 AM
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: Migration of FreeRadius Server from 2.1 to 3.X
congrats. being a public forum for users, its good protocol to note what you did to fix things so when the next person comes along after a google search that matches the same issue/problems/phrases they get a decent clue rather than just ask the same questions to the list again again and again
alan
On 8 September 2017 at 03:19, Bhagwat, Shrikant <shrbhagw@med.umich.edu> wrote:
> Got it working finally,
>
>
>
> -----Original Message-----
> From: Freeradius-Users
> [mailto:freeradius-users-bounces+shrbhagw=med.umich.edu@lists.freeradi
> us.org] On Behalf Of Alan Buxey
> Sent: Thursday, September 7, 2017 5:10 PM
> To: FreeRadius users mailing list
> <freeradius-users@lists.freeradius.org>
> Subject: RE: Migration of FreeRadius Server from 2.1 to 3.X
>
> What are you trying to do? You say you added custom unix but haven't/didn't from info you provided. What are those auth-type entries for? You can't just make up your own random syntax.
>
> alan
>
> On 7 Sep 2017 1:49 pm, "Bhagwat, Shrikant" <shrbhagw@med.umich.edu> wrote:
>
>> Hi Alan
>>
>> In sites-enabled/default file in authenticate section I have added
>> custom section unix
>>
>> authenticate {
>>
>>
>> # unix
>>
>> # Uncomment it if you want to use ldap for authentication
>> #
>> # Note that this means "check plain-text password against
>> # the ldap database", which means that EAP won't work,
>> # as it does not supply a plain-text password.
>>
>> Auth-Type level1_and_duopush {
>> level1_and_duopush
>> }
>>
>> Auth-Type level1_and_duophone {
>> level1_and_duophone
>> }
>>
>> Auth-Type level2_and_duopush {
>> level2_and_duopush
>> }
>>
>> Auth-Type level2_and_duophone {
>> level2_and_duophone
>> }
>>
>> Auth-Type PhoneFactor {
>> phonefactor
>> }
>>
>> Auth-Type Level-1 {
>> level-1
>> }
>> }
>>
>> In Post Auth section of default file I have following :
>>
>>
>> post-auth {
>> # Get an address from the IP Pool.
>> # main_pool
>>
>>
>> # Create the CUI value and add the attribute to Access-Accept.
>> # Uncomment the line below if *returning* the CUI.
>> # cui
>>
>> #
>> # If you want to have a log of authentication replies,
>> # un-comment the following line, and enable the
>> # 'detail reply_log' module.
>> reply_log
>>
>> #
>> # After authenticating the user, do another SQL query.
>> #
>> # See "Authentication Logging Queries" in sql.conf
>> -sql
>>
>> #
>> # Instead of sending the query to the SQL server,
>> # write it into a log file.
>> #
>> # sql_log
>>
>> #
>> # Un-comment the following if you want to modify the user's object
>> # in LDAP after a successful login.
>> #
>> # ldap
>>
>> # For Exec-Program and Exec-Program-Wait
>> exec
>>
>> #
>> # Calculate the various WiMAX keys. In order for this to work,
>> # you will need to define the WiMAX NAI, usually via
>> #
>> # update request {
>> # WiMAX-MN-NAI = "%{User-Name}"
>> # }
>> #
>> # If you want various keys to be calculated, you will need to
>> # update the reply with "template" values. The module will see
>> # this, and replace the template values with the correct ones
>> # taken from the cryptographic calculations. e.g.
>> #
>> # update reply {
>> # WiMAX-FA-RK-Key = 0x00
>> # WiMAX-MSK = "%{EAP-MSK}"
>> # }
>> #
>> # You may want to delete the MS-MPPE-*-Keys from the reply,
>> # as some WiMAX clients behave badly when those attributes
>> # are included. See "raddb/modules/wimax", configuration
>> # entry "delete_mppe_keys" for more information.
>> #
>> # wimax
>>
>>
>>
>> -----Original Message-----
>> From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw=
>> med.umich.edu@lists.freeradius.org] On Behalf Of Alan Buxey
>> Sent: Thursday, September 7, 2017 5:25 AM
>> To: FreeRadius users mailing list
>> <freeradius-users@lists.freeradius.org>
>> Subject: Re: Migration of FreeRadius Server from 2.1 to 3.X
>>
>> hi,
>>
>> > I know config of version 2 will not work with config of version 3.
>> > It looks like echo module controls the exe module
>>
>> ??
>>
>> the exec module is the main module
>>
>> the provided example echo module USES the exec module
>>
>>
>> exec echo {
>> }
>>
>> see?
>>
>> >
>> > From exec module
>> >
>> > exec default {
>> > wait = yes
>> > output = none
>> > #input_pairs = request
>> > output_pairs = none
>> > # 0 - level-2 proxy; 1 - level-2 proxy password; 2
>> > -
>> level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
>> > # 5 - level-1 kdc domain; 6 - log file name.
>> > program =
>> > "/idm/idmt_home/PhoneFactor/Level1Factor.pl
>> %{config:modules.ldap.identity} %{config:modules.ldap.password}
>> %{config:modules.ldap.server} %{config:modules.ldap.basedn} not_found
>> \
>> > %{config:modules.ldap.level-1_kdc}
>> %{config:modules.ldap.logFILEname}"
>> > shell_escape = yes
>> > }
>> >
>> > # Phone Factor
>> > exec phonefactor {
>> > wait = yes
>> > output = none
>> > #input_pairs = request
>> > output_pairs = none
>> > # 0 - level-2 proxy; 1 - level-2 proxy password; 2
>> > -
>> level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
>> > # 5 - level-1 kdc domain; 6 - log file name; 7 -
>> > phone
>> factor call back number
>> > program =
>> > "/idm/idmt_home/PhoneFactor/PhoneFactor.pl
>> %{config:modules.ldap.identity} %{config:modules.ldap.password}
>> %{config:modules.ldap.server} %{config:modules.ldap.basedn} found \
>> > %{config:modules.ldap.level-1_kdc}
>> %{config:modules.ldap.logFILEname} %{reply:Callback-Number}"
>> > shell_escape = yes
>> > }
>> >
>> >
>> > Do I modify echo module to match in exec module ? or vice versa ?
>>
>> so, these two sub-modules of exec, which can be called as 'default'
>> and 'phonefactor' elsewhere in your config - eg in the
>> sites-enabled/* virtual servers (PS 'default' is an awful choice)
>>
>> and yes, you need to look at the FR 3.x docs and ensure your format
>> and entries match the 3.x configuration/specification..... also, as
>> already said, this is the IDEAL time, during a migration, to clean up
>> and optimise the config. operations with LDAP can be done natively
>> through LDAP module and unang and will be MUCH MUCH quicker than
>> calls to scripts (more than an order of magnitude quicker AND able to
>> deal natively with multiple servers, failover, connection pools etc
>> etc - thread safe etc) in previous migrations I have removed most
>> modules and random functions and sped server up - in most cases being
>> able to make the server more like a default install with far fewer
>> changes and stopping the use of eg rlm_perl and rlm_python
>>
>> alan
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>> **********************************************************
>> Electronic Mail is not secure, may not be read every day, and should
>> not be used for urgent or sensitive issues
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> **********************************************************
> Electronic Mail is not secure, may not be read every day, and should
> not be used for urgent or sensitive issues
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
participants (3)
-
Alan Buxey -
Bhagwat, Shrikant -
Matthew Newton