Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
johnson elangbam
elangbamjohnson at gmail.com
Wed May 7 16:57:36 CEST 2008
hi,
I am using freeradius 2.0.3 with radiusclient-ng 0.5.6. I need to used
the following attributes
Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri',
'Digest-Nonce', 'Digest-Response' into my perl code, to do my md5
calculation, unfortunately I can't get any of the values except
Digest-Response,
hopefully i've tried all the alternatives that is posted by Ivan Kalik
earlier.
1. I've uncommented all the digest entries in sites-enabled/default file and
I've uncommented out all the perl entries from the
default.
2. I've tried accessing the digest attributes in my perl code by using
RAD_CHECK as well as RAD_CHECK.
But it doesn't work.
can anybody please tell me that is it possible to call the digest attributes
in the perl code. If it is possible, please show me the way how to call
these attributes('Digest-User-name', 'Digest-Realm', 'Digest-Method',
'Digest-Uri', 'Digest-Nonce', 'Digest-Response'.
Or will it be the problem of not getting the digest attributes by the
incompatible dictionaries of radius client and radius server.
Please help,I am really confused where is the problem.
Thanks for your valuable time.
*Here is the output files when running in debug mode before authenticate a
user*
FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on May 7 2008
at 16:45:53
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
}
client 192.168.1.227 {
require_message_authenticator = no
secret = "johnson"
shortname = "mynetwork"
nastype = "other"
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating digest
Module: Linked to module rlm_perl
Module: Instantiating perl
perl {
module = "/usr/local/etc/raddb/myperltemp.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
}
perl {
max_clones = 32
start_clones = 32
min_spare_clones = 0
max_spare_clones = 32
cleanup_delay = 5
max_request_per_clone = 0
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = ""
snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
*Here is the output after rejecting a user*
rad_recv: Access-Request packet from host 192.168.1.227 port 33360, id=95,
length=252
User-Name = "john at 192.168.1.227"
X-Ascend-Netware-timeout = 1785686126
X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
X-Ascend-Receive-Secret =
0x34383231633363636239626234663963343639646561323765653066666534346438373831653830
X-Ascend-IP-Pool-Definition = "sip:192.168.1.227"
X-Ascend-IPX-Peer-Mode = 0x5245474953544552
Digest-Response = "7cfeea7f2242db43d8ee8956cf116617"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 1785686126
Cisco-AVPair = "call-id=
b848148f9ebb461b92072b1eca706df5 at 192.168.1.193"
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
ERROR: Received Digest-Response without Digest-Attributes
++[digest] returns invalid
Invalid user: [john at 192.168.1.227/<no User-Password attribute>] (from client
mynetwork port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> john at 192.168.1.227
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.227 port 33361, id=96,
length=252
User-Name = "john at 192.168.1.227"
X-Ascend-Netware-timeout = 1785686126
X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
X-Ascend-Receive-Secret =
0x34383231633363636239626234663963343639646561323765653066666534346438373831653830
X-Ascend-IP-Pool-Definition = "sip:192.168.1.227"
X-Ascend-IPX-Peer-Mode = 0x5245474953544552
Digest-Response = "7cfeea7f2242db43d8ee8956cf116617"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 1785686126
Cisco-AVPair = "call-id=
b848148f9ebb461b92072b1eca706df5 at 192.168.1.193"
NAS-IP-Address = 127.0.0.1
NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
ERROR: Received Digest-Response without Digest-Attributes
++[digest] returns invalid
Invalid user: [john at 192.168.1.227/<no User-Password attribute>] (from client
mynetwork port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> john at 192.168.1.227
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.5 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 95 to 192.168.1.227 port 33360
Waking up in 0.4 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 96 to 192.168.1.227 port 33361
Waking up in 4.5 seconds.
Cleaning up request 0 ID 95 with timestamp +3
Waking up in 0.4 seconds.
Cleaning up request 1 ID 96 with timestamp +3
Ready to process requests.
With Regards
Elangbam Johnson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080507/90a28bb3/attachment.html>
More information about the Freeradius-Users
mailing list