different logs for different failures
Hallo, we are allowing access only to users with correct password (obviously), given that some conditions based on a sql query are met: server eduroam-inner-tunnel { authorize { preprocess rewrite.calling_station_id if ("%{sql:SELECT count(*) FROM ... WHERE ... AND condition1 AND condition2 AND condition3}" >= 1) { ok update control { Auth-Type := Accept } } else { reject } auth_log eap openldap mschap } authenticate { ntlm_auth Auth-Type MS-CHAP { mschap } eap } post-auth { if ( "%{outer.request:User-Name}" != "%{User-Name}" ){ reject } reply_log Post-Auth-Type REJECT { reply_log } } I't working fine, but the logs always show "Login incorrect", without detailing what caused the failure: Nov 30 15:28:50 radius1 freeradius[2248]: Login incorrect: [myuser@myorg.it] (from client foobar.myorg.it port 0 cli F8450AEFD221) I'd like to have something like: Nov 30 15:28:51 radius1 freeradius[2248]: Condition1 not met: [ myuser@myorg.it] (from client foobar.myorg.it port 0 cli F8450AEFD221) Nov 30 15:28:52 radius1 freeradius[2248]: Login incorrect: [ youruser@myorg.it] (from client foobar.myorg.it port 0 cli F8450AEFD222) Nov 30 15:28:53 radius1 freeradius[2248]: Condition2 not met: [ hisuser@myorg.it] (from client foobar.myorg.it port 0 cli F8450AEFD223) Is it possible to achieve this? Thank you very much for your help, Stefano
Hi, yes, use linelog. you can then add the module failure message etc to catch more exact things..and you can have different linelog module configs for different requirements. alan
From Brocade switch: Mon Nov 30 16:33:56 2015 : Debug: (1) Received Access-Request Id 4 from X.X.X.X:10185 to X.X.X.X:1812 length 93 Mon Nov 30 16:33:56 2015 : Debug: (1) User-Name = "db00000" Mon Nov 30 16:33:56 2015 : Debug: (1) User-Password = "db00000\000\000\000\000\000\000\000\000\031" Mon Nov 30 16:33:56 2015 : Debug: (1) NAS-IP-Address = xxx.xx.xx.x Mon Nov 30 16:33:56 2015 : Debug: (1) NAS-Identifier = "XXXXXXXXXX" Mon Nov 30 16:33:56 2015 : Debug: (1) Calling-Station-Id = "xxx.xx.xx.xx" Mon Nov 30 16:33:56 2015 : Debug: (1) NAS-Port = 9160 Mon Nov 30 16:33:56 2015 : Debug: (1) NAS-Port-Type = Virtual Mon Nov 30 16:33:56 2015 : Debug: (1) session-state: No State attribute Mon Nov 30 16:33:56 2015 : Debug: (1) # Executing section authorize from file /etc/raddb/sites-enabled/default Mon Nov 30 16:33:56 2015 : Debug: (1) authorize { Mon Nov 30 16:33:56 2015 : Debug: (1) update request { Mon Nov 30 16:33:56 2015 : Debug: (1) EXPAND %{string:User-Password} Mon Nov 30 16:33:56 2015 : Debug: (1) --> db00000 Mon Nov 30 16:33:56 2015 : Debug: (1) Tmp-String-0 := db00000 Mon Nov 30 16:33:56 2015 : Debug: (1) EXPAND %{string:Tmp-String-0} Mon Nov 30 16:33:56 2015 : Debug: (1) --> db00000 Mon Nov 30 16:33:56 2015 : Debug: (1) User-Password := db00000 Mon Nov 30 16:33:56 2015 : Debug: (1) Overwriting value "db00000\000\000\000\000\000\000\000\000\031" with "db00000" Mon Nov 30 16:33:56 2015 : Debug: (1) } # update request = noop Resolved in this way: update request { Tmp-String-0 := "%{string:User-Password}" User-Password := "%{string:Tmp-String-0}" } Best regards. Stefano
On Nov 30, 2015, at 10:39 AM, Stefano Mason <stefano.mason@eng-mo.it> wrote:
From Brocade switch:
Mon Nov 30 16:33:56 2015 : Debug: (1) Received Access-Request Id 4 from X.X.X.X:10185 to X.X.X.X:1812 length 93 Mon Nov 30 16:33:56 2015 : Debug: (1) User-Name = "db00000" Mon Nov 30 16:33:56 2015 : Debug: (1) User-Password = "db00000\000\000\000\000\000\000\000\000\031"
The brocade switch is broken.
Resolved in this way:
update request { Tmp-String-0 := "%{string:User-Password}" User-Password := "%{string:Tmp-String-0}" }
That works. I'll add this to the default policies. Alan DeKok.
On 30 Nov 2015, at 10:53, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 30, 2015, at 10:39 AM, Stefano Mason <stefano.mason@eng-mo.it> wrote:
From Brocade switch:
Mon Nov 30 16:33:56 2015 : Debug: (1) Received Access-Request Id 4 from X.X.X.X:10185 to X.X.X.X:1812 length 93 Mon Nov 30 16:33:56 2015 : Debug: (1) User-Name = "db00000" Mon Nov 30 16:33:56 2015 : Debug: (1) User-Password = "db00000\000\000\000\000\000\000\000\000\031"
The brocade switch is broken.
Resolved in this way:
update request { Tmp-String-0 := "%{string:User-Password}" User-Password := "%{string:Tmp-String-0}" }
That works.
I'll add this to the default policies.
Better to do something more explicit with a regex, in case we get around to fixing string expansion :) -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Nov 30, 2015, at 11:00 AM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
Better to do something more explicit with a regex, in case we get around to fixing string expansion :)
Regexes on some platforms don't deal well with embedded zeros. I'm happy with leaving %{string:..} as being explicitly not binary safe. The alternative is: update request { Tmp-Octets-0 := &User-Password } # Some systems send User-Password = "\000\000foo" # which is stupid if (Tmp-Octets-0 =~ /^0x00/) { reject } if (Tmp-Octets-0 =~ /^(0x(..)+)00/) { # get the text BEFORE the zeros update request { Tmp-Octets-0 := "%{1}" } update request { User-Password := "%{string:Tmp-Octets-0}" } } Alan DeKok.
On 30 Nov 2015, at 11:04, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 30, 2015, at 11:00 AM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
Better to do something more explicit with a regex, in case we get around to fixing string expansion :)
Regexes on some platforms don't deal well with embedded zeros. I'm happy with leaving %{string:..} as being explicitly not binary safe.
True, that's probably the best option TBH. There are binary safe regexes available if you build with PCRE, or use a BSD, but they're absent on Linux. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 11/30/2015 05:04 PM, Alan DeKok wrote:
Regexes on some platforms don't deal well with embedded zeros.
I'm happy with leaving %{string:..} as being explicitly not binary safe.
The alternative is:
update request { Tmp-Octets-0 := &User-Password }
# Some systems send User-Password = "\000\000foo" # which is stupid if (Tmp-Octets-0 =~ /^0x00/) { reject }
if (Tmp-Octets-0 =~ /^(0x(..)+)00/) {
# get the text BEFORE the zeros update request { Tmp-Octets-0 := "%{1}" } update request { User-Password := "%{string:Tmp-Octets-0}" } }
Thanks Alan, but the alternative isn't good in all situation. When I used the previous code the regex fail with all the password that end with zero, like: mikemouse00. Anyway thank you very much because it was just your code that allowed me to find the one proposed: update request { Tmp-String-0 := "%{string:User-Password}" User-Password := "%{string:Tmp-String-0}" } Best regards. Stefano
On Nov 30, 2015, at 11:30 AM, Stefano Mason <stefano.mason@eng-mo.it> wrote:
Thanks Alan, but the alternative isn't good in all situation. When I used the previous code the regex fail with all the password that end with zero, like: mikemouse00.
No. The code I posted converts the User-Password to an *octet* string in Tmp-Octets-0. So if the ASCII version ends with "00", the octet string will end with "3030". Alan DeKok.
On 11/30/2015 05:34 PM, Alan DeKok wrote:
On Nov 30, 2015, at 11:30 AM, Stefano Mason <stefano.mason@eng-mo.it> wrote:
Thanks Alan, but the alternative isn't good in all situation. When I used the previous code the regex fail with all the password that end with zero, like: mikemouse00. No.
The code I posted converts the User-Password to an *octet* string in Tmp-Octets-0. So if the ASCII version ends with "00", the octet string will end with "3030".
Your code in action from Brocade switch (password MATgia00): Mon Nov 30 17:47:37 2015 : Debug: (1) Received Access-Request Id 143 from XXX.XX.XX.X:13894 to XXX.XXX.XX.XX:1812 length 94 Mon Nov 30 17:47:37 2015 : Debug: (1) User-Name = "bob" Mon Nov 30 17:47:37 2015 : Debug: (1) User-Password = "MATgia00\000\000\000\000\000\000\000\031" Mon Nov 30 17:47:37 2015 : Debug: (1) NAS-IP-Address = XXX.XX.XX.X Mon Nov 30 17:47:37 2015 : Debug: (1) NAS-Identifier = "XXXXXXXXXXXXX" Mon Nov 30 17:47:37 2015 : Debug: (1) Calling-Station-Id = "XX.XX.XXX.XX" Mon Nov 30 17:47:37 2015 : Debug: (1) NAS-Port = 12869 Mon Nov 30 17:47:37 2015 : Debug: (1) NAS-Port-Type = Virtual Mon Nov 30 17:47:37 2015 : Debug: (1) session-state: No State attribute Mon Nov 30 17:47:37 2015 : Debug: (1) # Executing section authorize from file /etc/raddb/sites-enabled/default Mon Nov 30 17:47:37 2015 : Debug: (1) authorize { Mon Nov 30 17:47:37 2015 : Debug: (1) update request { Mon Nov 30 17:47:37 2015 : Debug: (1) Tmp-Octets-0 := &User-Password -> 0x4d415467696130300000000000000019 Mon Nov 30 17:47:37 2015 : Debug: (1) } # update request = noop Mon Nov 30 17:47:37 2015 : Debug: (1) if (Tmp-Octets-0 =~ /^0x00/) { Mon Nov 30 17:47:37 2015 : Debug: No matches Mon Nov 30 17:47:37 2015 : Debug: (1) if (Tmp-Octets-0 =~ /^0x00/) -> FALSE Mon Nov 30 17:47:37 2015 : Debug: (1) if (Tmp-Octets-0 =~ /^(0x(..)+)00/) { Mon Nov 30 17:47:37 2015 : Debug: No matches Mon Nov 30 17:47:37 2015 : Debug: Adding 3 matches Mon Nov 30 17:47:37 2015 : Debug: (1) if (Tmp-Octets-0 =~ /^(0x(..)+)00/) -> TRUE Mon Nov 30 17:47:37 2015 : Debug: (1) if (Tmp-Octets-0 =~ /^(0x(..)+)00/) { Mon Nov 30 17:47:37 2015 : Debug: (1) update request { Mon Nov 30 17:47:37 2015 : Debug: (1) 1/3 Found: 0x4d41546769613030000000000000 (31) Mon Nov 30 17:47:37 2015 : Debug: (1) EXPAND %{1} Mon Nov 30 17:47:37 2015 : Debug: (1) --> 0x4d41546769613030000000000000 Mon Nov 30 17:47:37 2015 : Debug: (1) Tmp-Octets-0 := 0x4d41546769613030000000000000 Mon Nov 30 17:47:37 2015 : Debug: (1) Overwriting value "0x4d415467696130300000000000000019" with "0x4d41546769613030000000000000" Mon Nov 30 17:47:37 2015 : Debug: (1) } # update request = noop Mon Nov 30 17:47:37 2015 : Debug: (1) update request { Mon Nov 30 17:47:37 2015 : Debug: (1) EXPAND %{string:Tmp-Octets-0} Mon Nov 30 17:47:37 2015 : Debug: (1) --> MATgia00\000\000\000\000\000 Mon Nov 30 17:47:37 2015 : Debug: (1) User-Password := MATgia00 Mon Nov 30 17:47:37 2015 : Debug: (1) Overwriting value "MATgia00\000\000\000\000\000\000\000\031" with "MATgia00\000\000\000\000" Mon Nov 30 17:47:37 2015 : Debug: (1) } # update request = noop Mon Nov 30 17:47:37 2015 : Debug: (1) } # if (Tmp-Octets-0 =~ /^(0x(..)+)00/) = noop Cheers. Stefano
On Nov 30, 2015, at 12:01 PM, Stefano Mason <stefano.mason@eng-mo.it> wrote:
Your code in action from Brocade switch (password MATgia00): ... Mon Nov 30 17:47:37 2015 : Debug: (1) Overwriting value "0x4d415467696130300000000000000019" with "0x4d41546769613030000000000000
The regular expression is matching on the last binary "00" instead of the first. This has nothing to do with the ASCII "00" in User-Password. Alan DeKok.
On 11/30/2015 06:06 PM, Alan DeKok wrote:
On Nov 30, 2015, at 12:01 PM, Stefano Mason <stefano.mason@eng-mo.it> wrote:
Your code in action from Brocade switch (password MATgia00): ... Mon Nov 30 17:47:37 2015 : Debug: (1) Overwriting value "0x4d415467696130300000000000000019" with "0x4d41546769613030000000000000 The regular expression is matching on the last binary "00" instead of the first.
This has nothing to do with the ASCII "00" in User-Password.
Thanks Alan, you are right. When I saw this behaviour from regex I tried to change the number of zero that match on (Tmp-Octets-0 =~ /^(0x(..)+)000000/) and in this way I remove the final part of password because 3030 become 303. Best regards. Stefano
Dear Alan, I'm curios to know why this Access-Request from Brocade switch to Freeradius 3.0.10 report the User-Password end with many NULL, instead, Freeradius 2.2.9 report a clean User-Password?
From Brocade switch to Freeradius 3.0.10 (radiusd -XXX):
Mon Nov 30 16:33:56 2015 : Debug: (1) Received Access-Request Id 4 from X.X.X.X:10185 to X.X.X.X:1812 length 93 Mon Nov 30 16:33:56 2015 : Debug: (1) User-Name = "db00000" Mon Nov 30 16:33:56 2015 : Debug: (1) User-Password = "db00000\000\000\000\000\000\000\000\000\031" Mon Nov 30 16:33:56 2015 : Debug: (1) NAS-IP-Address = xxx.xx.xx.x Mon Nov 30 16:33:56 2015 : Debug: (1) NAS-Identifier = "XXXXXXXXXX" Mon Nov 30 16:33:56 2015 : Debug: (1) Calling-Station-Id = "xxx.xx.xx.xx" Mon Nov 30 16:33:56 2015 : Debug: (1) NAS-Port = 9160 Mon Nov 30 16:33:56 2015 : Debug: (1) NAS-Port-Type = Virtual
From Brocade switch to Freeradius 2.2.9 (radiusd -XXX): rad_recv: Access-Request packet from host XXX.XX.XX.X port 33692, id=41, length=94 User-Name = "db00000" User-Password = "db00000" NAS-IP-Address = xxx.xx.xx.x NAS-Identifier = "XXXXXXXXXXXX" Calling-Station-Id = "xxx.xx.xx.xx" NAS-Port = 32667 NAS-Port-Type = Virtual Many thanks in advance. Stefano
On 30 Nov 2015, at 18:37, Stefano Mason <stefano.mason@eng-mo.it> wrote:
Dear Alan, I'm curios to know why this Access-Request from Brocade switch to Freeradius 3.0.10 report the User-Password end with many NULL, instead, Freeradius 2.2.9 report a clean User-Password?
Because in v3.0.x we follow RFC 2865 to the letter, and do not give null bytes any special treatment. The FreeRADIUS 2.2.9 behaviour was incorrect, the 3.0.10 behaviour is correct. The Brocade NAS is broken. It looks like it's sending the contents of a fixed length (16 byte) buffer and incorrectly calculating the length of the data in that buffer (someone probably used sizeof() instead of strlen). Anyway, open a support case with Brocade to get this fixed, they are absolutely doing the wrong thing here. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 12/01/2015 12:47 AM, Arran Cudbard-Bell wrote:
Because in v3.0.x we follow RFC 2865 to the letter, and do not give null bytes any special treatment.
OK.
The FreeRADIUS 2.2.9 behaviour was incorrect, the 3.0.10 behaviour is correct. The Brocade NAS is broken. It looks like it's sending the contents of a fixed length (16 byte) buffer and incorrectly calculating the length of the data in that buffer (someone probably used sizeof() instead of strlen).
I'm totally agree! On my multivendor environment: Juniper: User-Password = "db00000" Fortinet: User-Password = "db00000" Cisco: User-Password = "db00000" CheckPoint: User-Password = "db00000" HP: User-Password = "db00000" 3COM: User-Password = "db00000" Dell switch: User-Password = "db00000" Brocade NET switch: User-Password = "db00000\000\000\000\000\000\000\000\000\031"
Anyway, open a support case with Brocade to get this fixed, they are absolutely doing the wrong thing here.
-Arran
Many thanks Arran to make some light on this behaviour. Best regards. Stefano
Thanks Alan, apart from "view /etc/raddb/modules/linelog" where can I find other documentation on the usage of linelog? Best, Stefano On Mon, Nov 30, 2015 at 3:57 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
yes, use linelog. you can then add the module failure message etc to catch more exact things..and you can have different linelog module configs for different requirements.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mon, Nov 30, 2015 at 04:58:54PM +0100, Stefano Zanmarchi wrote:
apart from "view /etc/raddb/modules/linelog" where can I find other documentation on the usage of linelog?
http://networkradius.com/doc/3.0.9/raddb/mods-available/linelog.html But what is confusing about the documentation in the config file? Have you tried it, and if so what didn't work? Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi Matthew, thanks for the link. I just wanted to read the most exaustive documentation on the module before trying it so I was wondering whether /etc/raddb/modules/linelog was the right one. Regards, Stefano On Mon, Nov 30, 2015 at 5:11 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Mon, Nov 30, 2015 at 04:58:54PM +0100, Stefano Zanmarchi wrote:
apart from "view /etc/raddb/modules/linelog" where can I find other documentation on the usage of linelog?
http://networkradius.com/doc/3.0.9/raddb/mods-available/linelog.html
But what is confusing about the documentation in the config file?
Have you tried it, and if so what didn't work?
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mon, Nov 30, 2015 at 05:19:39PM +0100, Stefano Zanmarchi wrote:
I just wanted to read the most exaustive documentation on the module before trying it so I was wondering whether /etc/raddb/modules/linelog was the right one.
Yes, there's not really very much to configure. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (8)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Matthew Newton -
Sergio NNX -
Stefano Mason -
Stefano Zanmarchi