Need Log For Acces Request, access Accept and Access Reject

Sanhenra Sinaga if06071 at students.del.ac.id
Thu May 14 13:36:50 CEST 2009


Dear all,

As the subject, i need the log that i said in the subject.
Help me please...!


----- Original Message -----
From: freeradius-users-request at lists.freeradius.org
To: freeradius-users at lists.freeradius.org
Sent: Thursday, 14 May, 2009 5:33:33 PM GMT +07:00 Bangkok, Hanoi, Jakarta
Subject: Freeradius-Users Digest, Vol 49, Issue 53

Send Freeradius-Users mailing list submissions to
	freeradius-users at lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
	freeradius-users-request at lists.freeradius.org

You can reach the person managing the list at
	freeradius-users-owner at lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. Release 2.1.6 will be on Monday (Alan DeKok)
   2. Re: rlm_perl to authenticate against data in ldap (Ivan Kalik)
   3. question about windows users (Bartosz Chodzinski)


----------------------------------------------------------------------

Message: 1
Date: Thu, 14 May 2009 12:12:57 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Release 2.1.6 will be on Monday
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <4A0BEEA9.8000209 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

  Unless any last-minute panics come up.  The release candidate is
available on:

  http://git.freeradius.org/pre/

  If there are no other comments, that "tar" file will become the
official 2.1.6 release.

  Alan DeKok.


------------------------------

Message: 2
Date: Thu, 14 May 2009 11:33:05 +0100 (BST)
From: "Ivan Kalik" <tnt at kalik.net>
Subject: Re: rlm_perl to authenticate against data in ldap
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID:
	<61037.194.176.105.43.1242297185.squirrel at webmail.kalik.net>
Content-Type: text/plain;charset=utf-8

> I browsed the mailing list for possible solutions to the problem I have
> but unfortunately I didn't find any (or something I missed I dunno)
>
> We have this Cisco ISG 7301 router that we are using that are passing the
> Remote-ID av pair as its User-Name (just a copy not that it matters)
> Now, the remote ID format is ascii in format but hexadecimal in meaning
> 0000079d010100660000000000000000000050544e55544147303033000705000064
>
> We would only want to authenticate the part after the 20 zeroes
> "50544e55544147303033000705000064". By the way the length before this
> substring is always fixed (18 bytes) so we only want the part after 18
> bytes.
>
> is it possible to parse this string in perl then passing the result string
> to ldap for authentication?

Yes, it will be passed as $RAD_REQUEST{'User-Name'}. Rewrite the username
to what you think it should be in perl. Just list perl before ldap in
authorize.

Ivan Kalik
Kalik Informatika ISP



------------------------------

Message: 3
Date: Thu, 14 May 2009 12:33:24 +0200
From: Bartosz Chodzinski <bartosz.c at gmail.com>
Subject: question about windows users
To: Freeradius-Users at lists.freeradius.org
Message-ID:
	<1f06c2db0905140333od4725cap9991b8a752510a46 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,
I have freeradius with eap support on debian etch, radius v1.1.3
"everthing" working fine but I'd like to have much more simple configuration
only by certificate and nothing more,
so I have few question:

1.
fragment of my log first, before question
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182,
length=159
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "PC-01\\Administrator"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message =
0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72
        Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up realm
NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0

my users file contain:
"PC-01\\Administrator" User-Password == "passwd"

how can I avoid this value PC-01 ?, its really annoying, I would like to
have only real user, PC-01 is "my computer -> properties -> computer name ->
full computer name". I would like to have only username (with no matter of
case sensitive). sth like
"administrator" User-Password == "passwd"


2.
I would like to use only certificate to check wheter or not some computer
should have network connection,
I dont care about login or password,
if client has a valid cacert.pem installed on pc (windows xp) it should
grant acces to network, is it possible to do that?
I tried do sth like:
users:
DEFAULT                Auth-Type := Accept
but it didn't work
the perfect way for me is possiblity to set up something in radiusd.conf and
live file users empty

3.
when I read log from freeradius -X I see that one pc need to have 7requests
in freeradius and in 8-th request is accepted, is it ok?

modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 193 to 192.168.5.206 port 1812
        MS-MPPE-Recv-Key =
0xc349694508a365a56e56e085069e36270cb13b60c3cc7847129b2386a7062dde
        MS-MPPE-Send-Key =
0xf93f6de4f455056df7f1d88aa3d12a26cd1a71994fdf6c31bb726612eaf2f038
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "PC-01\\Administrator"
Finished request 8


-----------------------------------------------
my configuration files:
eap.conf
eap {
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
   md5 {
   }
   leap {
   }
   gtc {
      auth_type = PAP
   }
  tls {
      private_key_file = /etc/freeradius/eap/newkey.pem
      certificate_file = /etc/freeradius/eap/newcert.pem
      CA_file = /etc/freeradius/eap/eapCA/cacert.pem
      dh_file = /etc/freeradius/eap/dh
      random_file = /etc/freeradius/eap/random
      fragment_size = 1024
      include_length = yes
      check_crl = no
   }
   peap {
         default_eap_type = mschapv2
   }
   mschapv2 {
   }
}

radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        pap {
                encryption_scheme = crypt
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                shadow = /etc/shadow
                radwtmp = ${logdir}/radwtmp
        }
$INCLUDE ${confdir}/eap.conf
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
                with_ntdomain_hack = yes
        }
        ldap {
                server = "ldap.your.domain"
                basedn = "o=My Org,c=UA"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
        realm IPASS {
                format = prefix
                delimiter = "/"
                ignore_default = no
                ignore_null = no
        }
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }
        realm realmpercent {
                format = suffix
                delimiter = "%"
                ignore_default = no
                ignore_null = no
        }
        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }
        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }

        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }

        detail {
                detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
        }

        $INCLUDE  ${confdir}/sql.conf
        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        sqlcounter dailycounter {
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                sqlmod-inst = sql
                key = User-Name
                reset = daily
                query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
        }

        sqlcounter monthlycounter {
                counter-name = Monthly-Session-Time
                check-name = Max-Monthly-Session
                sqlmod-inst = sql
                key = User-Name
                reset = monthly
                query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        expr {
        }
        digest {
        }
        exec {
                wait = yes
                input_pairs = request
        }
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }
        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
}
instantiate {
        exec
        expr
}
authorize {
        preprocess
        mschap
        suffix
        eap
        files
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
}
session {
        radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
        eap
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20090514/e08978a1/attachment.html>

------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 49, Issue 53
************************************************



More information about the Freeradius-Users mailing list