Hi all, I have installed freeradius on a debian machine and it work well. In the log I see that freeradius record failed and accepted authentication, reporting the user, the password and the user client station, but not the device wich someone has tried to make access. For example: from my pc I try to connect to a router without the correct credentials. Freeradius log that my PC with IP address 1.1.1.1 has tried to make access with the user "admin" and password "admin", but do not report the address of the router to wich someone has tried to make access, so if I use freeradius for authenticating user on many device, I can't know on which device someone has tried to make access. There is a way to log also this information? Regards Danilo
Danilo Molini wrote:
For example: from my pc I try to connect to a router without the correct credentials. Freeradius log that my PC with IP address 1.1.1.1 has tried to make access with the user "admin" and password "admin", but do not report the address of the router to wich someone has tried to make access, so if I use freeradius for authenticating user on many device, I can't know on which device someone has tried to make access.
See the FAQ for "it doesn't work". Also, I'm not sure I understand what you're talking about. RADIUS does *not* provide the IP address of end machines during the authentication process. Routers do not usually do RADIUS authentication, either. *Switches* do RADIUS authentication. i.e. You seem to have confused the roles and/or names of the machines involved. As a result, it's difficult to understand what's happening, or what you want to have happen. Alan DeKok.
I try to explain better what I want. My freeradius server is 10.0.0.1 and the router that use the radius service is 192.168.0.1 and I try to connecto to the router from my pc with ip address 172.16.0.1 The log report this information: Auth: Login OK: [test] (from client myhomenetwork-network port 194 cli 172.16.0.1) Is it possibile to add the information of the router on which I have request access? I try to enable the datil log, but seems to be not work... But I'm searching on the mailing list archive an help for this problem. Thanks for the help! Regards Danilo 2008/7/23 Alan DeKok <aland@deployingradius.com>
Danilo Molini wrote:
For example: from my pc I try to connect to a router without the correct credentials. Freeradius log that my PC with IP address 1.1.1.1 has tried to make access with the user "admin" and password "admin", but do not report the address of the router to wich someone has tried to make access, so if I use freeradius for authenticating user on many device, I can't know on which device someone has tried to make access.
See the FAQ for "it doesn't work".
Also, I'm not sure I understand what you're talking about. RADIUS does *not* provide the IP address of end machines during the authentication process. Routers do not usually do RADIUS authentication, either. *Switches* do RADIUS authentication.
i.e. You seem to have confused the roles and/or names of the machines involved. As a result, it's difficult to understand what's happening, or what you want to have happen.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Danilo Molini wrote:
I try to explain better what I want.
My freeradius server is 10.0.0.1 and the router that use the radius service is 192.168.0.1 and I try to connecto to the router from my pc with ip address 172.16.0.1
'connect"... how? Administrator login on the router? Please be specific. You have been careful to *not* describe what you are trying to do. The less information you give, the harder it is for anyone to help you.
The log report this information:
Auth: Login OK: [test] (from client myhomenetwork-network port 194 cli 172.16.0.1 ) Is it possibile to add the information of the router on which I have request access?
Read the log message again. It *is* printing out the client information. In this case, it's "myhomenetwork-network". If you want it to print out something else for the name of the client, edit the "shortname" field of the "client" entry that defines the client IP, shared secret, etc. Alan DeKok.
I'm sorry! I try to connect in telnet... Moreover, probably I solved my problem with your suggestion. In the clients.conf I create a specific client for each host on my network, like this: client 192.168.0.1/32 { secret = secret shortname = router } client 192.168.0.2/32 { secret = secret shortname = switch } and not a unique client like I using before: client 192.168.0.0/24 { secret = secret shortname = mynetwork } Now when I try to make access trough telnet on my router or on my switch, in the radius.log I see all the information that I need: Wed Jul 23 12:06:42 2008 : Auth: Login OK: [test] (from client router port 194 cli 172.16.0.1) Wed Jul 23 12:06:42 2008 : Auth: Login OK: [test] (from client switch port 194 cli 172.16.0.1) Thanks for the help!!!!!!!!! Regards Danilo 2008/7/23 Alan DeKok <aland@deployingradius.com>
Danilo Molini wrote:
I try to explain better what I want.
My freeradius server is 10.0.0.1 and the router that use the radius service is 192.168.0.1 and I try to connecto to the router from my pc with ip address 172.16.0.1
'connect"... how? Administrator login on the router? Please be specific.
You have been careful to *not* describe what you are trying to do. The less information you give, the harder it is for anyone to help you.
The log report this information:
Auth: Login OK: [test] (from client myhomenetwork-network port 194 cli 172.16.0.1 ) Is it possibile to add the information of the router on which I have request access?
Read the log message again. It *is* printing out the client information. In this case, it's "myhomenetwork-network".
If you want it to print out something else for the name of the client, edit the "shortname" field of the "client" entry that defines the client IP, shared secret, etc.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Right. The log lists short name from clients.conf which is a descriptive name that you give to your routers (so you can tell them apart easier than with IPs). So, login attempt was onto the router you called "myhomenetwork-network". Ivan Kalik Kalik Informatika ISP Dana 23/7/2008, "Danilo Molini" <molini.danilo@gmail.com> piše:
I try to explain better what I want.
My freeradius server is 10.0.0.1 and the router that use the radius service is 192.168.0.1 and I try to connecto to the router from my pc with ip address 172.16.0.1
The log report this information:
Auth: Login OK: [test] (from client myhomenetwork-network port 194 cli 172.16.0.1) Is it possibile to add the information of the router on which I have request access?
I try to enable the datil log, but seems to be not work... But I'm searching on the mailing list archive an help for this problem.
Thanks for the help!
Regards
Danilo 2008/7/23 Alan DeKok <aland@deployingradius.com>
Danilo Molini wrote:
For example: from my pc I try to connect to a router without the correct credentials. Freeradius log that my PC with IP address 1.1.1.1 has tried to make access with the user "admin" and password "admin", but do not report the address of the router to wich someone has tried to make access, so if I use freeradius for authenticating user on many device, I can't know on which device someone has tried to make access.
See the FAQ for "it doesn't work".
Also, I'm not sure I understand what you're talking about. RADIUS does *not* provide the IP address of end machines during the authentication process. Routers do not usually do RADIUS authentication, either. *Switches* do RADIUS authentication.
i.e. You seem to have confused the roles and/or names of the machines involved. As a result, it's difficult to understand what's happening, or what you want to have happen.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Danilo Molini -
Ivan Kalik