Need Log For Acces Request, access Accept and Access Reject
Dear all, As the subject, i need the log that i said in the subject. Help me please...! ----- Original Message ----- From: freeradius-users-request@lists.freeradius.org To: freeradius-users@lists.freeradius.org Sent: Thursday, 14 May, 2009 5:33:33 PM GMT +07:00 Bangkok, Hanoi, Jakarta Subject: Freeradius-Users Digest, Vol 49, Issue 53 Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..." Today's Topics: 1. Release 2.1.6 will be on Monday (Alan DeKok) 2. Re: rlm_perl to authenticate against data in ldap (Ivan Kalik) 3. question about windows users (Bartosz Chodzinski) ---------------------------------------------------------------------- Message: 1 Date: Thu, 14 May 2009 12:12:57 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Release 2.1.6 will be on Monday To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4A0BEEA9.8000209@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1 Unless any last-minute panics come up. The release candidate is available on: http://git.freeradius.org/pre/ If there are no other comments, that "tar" file will become the official 2.1.6 release. Alan DeKok. ------------------------------ Message: 2 Date: Thu, 14 May 2009 11:33:05 +0100 (BST) From: "Ivan Kalik" <tnt@kalik.net> Subject: Re: rlm_perl to authenticate against data in ldap To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <61037.194.176.105.43.1242297185.squirrel@webmail.kalik.net> Content-Type: text/plain;charset=utf-8
I browsed the mailing list for possible solutions to the problem I have but unfortunately I didn't find any (or something I missed I dunno)
We have this Cisco ISG 7301 router that we are using that are passing the Remote-ID av pair as its User-Name (just a copy not that it matters) Now, the remote ID format is ascii in format but hexadecimal in meaning 0000079d010100660000000000000000000050544e55544147303033000705000064
We would only want to authenticate the part after the 20 zeroes "50544e55544147303033000705000064". By the way the length before this substring is always fixed (18 bytes) so we only want the part after 18 bytes.
is it possible to parse this string in perl then passing the result string to ldap for authentication?
Yes, it will be passed as $RAD_REQUEST{'User-Name'}. Rewrite the username to what you think it should be in perl. Just list perl before ldap in authorize. Ivan Kalik Kalik Informatika ISP ------------------------------ Message: 3 Date: Thu, 14 May 2009 12:33:24 +0200 From: Bartosz Chodzinski <bartosz.c@gmail.com> Subject: question about windows users To: Freeradius-Users@lists.freeradius.org Message-ID: <1f06c2db0905140333od4725cap9991b8a752510a46@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1" Hi, I have freeradius with eap support on debian etch, radius v1.1.3 "everthing" working fine but I'd like to have much more simple configuration only by certificate and nothing more, so I have few question: 1. fragment of my log first, before question Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182, length=159 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "PC-01\\Administrator" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72 Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 my users file contain: "PC-01\\Administrator" User-Password == "passwd" how can I avoid this value PC-01 ?, its really annoying, I would like to have only real user, PC-01 is "my computer -> properties -> computer name -> full computer name". I would like to have only username (with no matter of case sensitive). sth like "administrator" User-Password == "passwd" 2. I would like to use only certificate to check wheter or not some computer should have network connection, I dont care about login or password, if client has a valid cacert.pem installed on pc (windows xp) it should grant acces to network, is it possible to do that? I tried do sth like: users: DEFAULT Auth-Type := Accept but it didn't work the perfect way for me is possiblity to set up something in radiusd.conf and live file users empty 3. when I read log from freeradius -X I see that one pc need to have 7requests in freeradius and in 8-th request is accepted, is it ok? modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Success rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 8 modcall: leaving group authenticate (returns ok) for request 8 Sending Access-Accept of id 193 to 192.168.5.206 port 1812 MS-MPPE-Recv-Key = 0xc349694508a365a56e56e085069e36270cb13b60c3cc7847129b2386a7062dde MS-MPPE-Send-Key = 0xf93f6de4f455056df7f1d88aa3d12a26cd1a71994fdf6c31bb726612eaf2f038 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "PC-01\\Administrator" Finished request 8 ----------------------------------------------- my configuration files: eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_file = /etc/freeradius/eap/newkey.pem certificate_file = /etc/freeradius/eap/newcert.pem CA_file = /etc/freeradius/eap/eapCA/cacert.pem dh_file = /etc/freeradius/eap/dh random_file = /etc/freeradius/eap/random fragment_size = 1024 include_length = yes check_crl = no } peap { default_eap_type = mschapv2 } mschapv2 { } } radiusd.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid user = freerad group = freerad max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes } ldap { server = "ldap.your.domain" basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess mschap suffix eap files } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp } session { radutmp } post-auth { } pre-proxy { } post-proxy { eap }
participants (2)
-
Ivan Kalik -
Sanhenra Sinaga