Freeradius-Users Digest, Vol 27, Issue 116
ashish verma
ashish.scit at gmail.com
Thu Jul 19 12:24:17 CEST 2007
Hi all,
Thanks for the reply.
i was just missing " ".
Well another problem here.. i have defined a priv level 7 in the switch.
ran the following commands.
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
!
But still the user is able to run all the commands.
here is my user file conf
user Auth-Type :=Local, User-Password == "user"
Service-Type = NAS-Prompt-User,
Login-Service = ssh,
Cisco-avpair = "Shell:priv-lvl=7"
On 7/19/07, freeradius-users-request at lists.freeradius.org <
freeradius-users-request at lists.freeradius.org> wrote:
>
> Send Freeradius-Users mailing list submissions to
> freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Problem in EAP-TLS Authentication (Govardhana K N)
> 2. Re: Quirky question about rewriting usernames (Pshem Kowalczyk)
> 3. Support for Cisco (ashish verma)
> 4. Re: Support for Cisco (tnt at kalik.co.yu)
> 5. Re: Support for Cisco (Peter Nixon)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 19 Jul 2007 10:36:28 +0530
> From: "Govardhana K N" <govardhan.nagarajaiah at gmail.com>
> Subject: Problem in EAP-TLS Authentication
> To: FreeRadius <freeradius-users at lists.freeradius.org>
> Message-ID:
> <5f382300707182206k616c02f6ude7fb5e71976dbe9 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> I was trying to configure EAP with TLS/TTlS. After enabling TLS/TTLS in "
> eap.conf", I tried sending an Radius Access-Request with EAP-Identitye
> response. The Server is crashing becoz of segmentation fault. The debug
> lod
> from the server is given below.
>
>
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> cheux301:/etc/freeradius# freeradius -X
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /etc/freeradius/proxy.conf
> Config: including file: /etc/freeradius/clients.conf
> Config: including file: /etc/freeradius/snmp.conf
> Config: including file: /etc/freeradius/eap.conf
> Config: including file: /etc/freeradius/sql.conf
> main: prefix = "/usr"
> main: localstatedir = "/var"
> main: logdir = "/var/log/freeradius"
> main: libdir = "/usr/lib/freeradius:/usr/local/lib"
> main: radacctdir = "/var/log/freeradius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = yes
> main: log_file = "/var/log/freeradius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/var/run/freeradius/freeradius.pid"
> main: bind_address = 127.0.0.1 IP address [127.0.0.1]
> main: user = "freerad"
> main: group = "freerad"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/sbin/checkrad"
> main: proxy_requests = no
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/lib/freeradius:/usr/local/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = yes
> mschap: require_strong = yes
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "/etc/passwd"
> unix: shadow = "/etc/shadow"
> unix: group = "/etc/group"
> unix: radwtmp = "/var/log/freeradius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "md5"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/etc/freeradius/certs/cert-srv.pem"
> tls: certificate_file = "/etc/freeradius/certs/cert-srv.pem"
> tls: CA_file = "/etc/freeradius/certs/demoCA/cacert.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "/etc/freeradius/certs/dh"
> tls: random_file = "/etc/freeradius/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = yes
> tls: check_cert_cn = "%{User-Name}"
> tls: cipher_list = "DEFAULT"
> tls: check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap: Loaded and initialized type tls
> ttls: default_eap_type = "md5"
> ttls: copy_request_to_tunnel = no
> ttls: use_tunneled_reply = no
> rlm_eap: Loaded and initialized type ttls
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups = "/etc/freeradius/huntgroups"
> preprocess: hints = "/etc/freeradius/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> preprocess: with_alvarion_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = no
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = "/etc/freeradius/users"
> files: acctusersfile = "/etc/freeradius/acct_users"
> files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile =
> "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename = "/var/log/freeradius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication 127.0.0.1:1812
> Listening on accounting 127.0.0.1:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:32823, id=217,
> length=95
> User-Name = "jrc"
> NAS-Identifier = "jrcnas"
> NAS-Port-Type = Ethernet
> CUI = "0"
> Service-Type = Framed-User
> Framed-MTU = 1400
> Calling-Station-Id = "1:1:1:1:1:1"
> Message-Authenticator = 0x2568987af6f31763f9199f8067fafee1
> EAP-Message = 0x02d20008016a7263
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> Segmentation fault
> cheux301:/etc/freeradius#
>
>
>
>
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>
> --
> Thanks & Regards,
> Govardhana K N
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/d5a2969f/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Thu, 19 Jul 2007 17:59:54 +1200
> From: "Pshem Kowalczyk" <pshem.k at gmail.com>
> Subject: Re: Quirky question about rewriting usernames
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID:
> <20fe625b0707182259p75a26361pbb64b5e732a13886 at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Hi
>
> On 19/07/07, Cliff Cole <clifflcole at gmail.com> wrote:
> > Hello all.
> >
> > Here is my issue. This is very weird and would only affect one NAS.
> > I'm not sure freeradius is capable of this. I want a username that
> > comes in to check for an @domainname. If the domainname is there I
> > want it to be stripped and added back later. If the domainname is not
> > there I'd like it to continue and have to domainname added later in
> > the authentication process. I hope this makes sense and any help is
> > appreciated
>
> What do you mean by 'later' you can definitely check for the presence
> of domain, you can strip it and add it again. you just have to define
> the flow. rlm_attr will be of help to you (for both stripping and
> adding).
>
> kind regards
> Pshem
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 19 Jul 2007 14:33:13 +0530
> From: "ashish verma" <ashish.scit at gmail.com>
> Subject: Support for Cisco
> To: freeradius-users at lists.freeradius.org
> Message-ID:
> <11b554120707190203i158ebc5dx5313c650d3f0830f at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi all,
>
> I am trying to configure "free radius" for some Cisco devices.
> till now i am able to authenticate using the radius server and i am
> getting
> into user level or privilege level depending on the attribute i am
> defining.
> Now what i am looking for is authorization.
> There is something called "Cisco-AV priv" attribute through which one can
> define privilege level from 1 to 15. But i am not able to define it in
> "users file".
> Can anyone tell me how to define this or whether we can define this kind
> of
> attribute in freeradius or not?
>
> Thanks in advance,
> Ashish
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/17ebaf12/attachment-0001.html
>
> ------------------------------
>
> Message: 4
> Date: Thu, 19 Jul 2007 10:14:49 +0100
> From: <tnt at kalik.co.yu>
> Subject: Re: Support for Cisco
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <dGKlB4KJ.1184836489.7100930.tnt at kalik.co.yu>
> Content-Type: text/plain; charset=ISO-8859-2
>
> Use proper format:
>
> Cisco-AVPair = "priv-lvl=levelnumber"
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 19/7/2007, "ashish verma" <ashish.scit at gmail.com> pi?e:
>
> >Hi all,
> >
> >I am trying to configure "free radius" for some Cisco devices.
> >till now i am able to authenticate using the radius server and i am
> getting
> >into user level or privilege level depending on the attribute i am
> defining.
> >Now what i am looking for is authorization.
> >There is something called "Cisco-AV priv" attribute through which one can
> >define privilege level from 1 to 15. But i am not able to define it in
> >"users file".
> >Can anyone tell me how to define this or whether we can define this kind
> of
> >attribute in freeradius or not?
> >
> >Thanks in advance,
> >Ashish
> >
> >
>
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 19 Jul 2007 12:20:04 +0300
> From: Peter Nixon <listuser at peternixon.net>
> Subject: Re: Support for Cisco
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <200707191220.05789.listuser at peternixon.net>
> Content-Type: text/plain; charset="iso-8859-9"
>
> On Thu 19 Jul 2007, ashish verma wrote:
> > Hi all,
> >
> > I am trying to configure "free radius" for some Cisco devices.
> > till now i am able to authenticate using the radius server and i am
> > getting into user level or privilege level depending on the attribute i
> am
> > defining. Now what i am looking for is authorization.
> > There is something called "Cisco-AV priv" attribute through which one
> can
> > define privilege level from 1 to 15. But i am not able to define it in
> > "users file".
> > Can anyone tell me how to define this or whether we can define this kind
> > of attribute in freeradius or not?
>
> http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level
>
> --
>
> Peter Nixon
> http://peternixon.net/
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 27, Issue 116
> *************************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/a4e00ada/attachment.html>
More information about the Freeradius-Users
mailing list