Re: pam_radius_auth query
vijay s sheelavantar
s_vijay65 at rediffmail.com
Sat Feb 26 08:07:48 CET 2011
Hi ,Marc and Alan Thanx for the reply .
What I exactly mean by authorization is Management-Privilege-Level which is defined in RFC 5607, I want to give restricted access to certain resources on my NE to the user accounts. basically I want to authorize user accounts based on groups and privileges.
If a user belongs to certain group and have the previlege level (security admin or administrator) then only he can execute certain commands on the NE.right now PAM module is doing this in my NE. I want it to be done by Radius server.
Now pam_radius_auth module sends "authentication only" in request message so, the server is not doing authorization it seems.
How can I ask Server to do authorization and when server sends the authorization attributes AVPs in the access-Accept message how to process those values? or PAM module will take care of this thing.?
I am really not getting how to support this "management-privilege-level" feature using pam-radius-auth.
On Fri, 25 Feb 2011 20:11:32 , freeradius-users-request at lists.freeradius.org wrote
Send Freeradius-Users mailing list submissions to
freeradius-users at lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request at lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner at lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: store and proxy accounting packets (Waqas Toor)
2. Re: store and proxy accounting packets (Alan DeKok)
3. Re: pam_radius_auth query (Marc Phillips)
4. Re: store and proxy accounting packets (Waqas Toor)
5. Re: store and proxy accounting packets (Alan DeKok)
6. Re: store and proxy accounting packets (Waqas Toor)
7. Re: store and proxy accounting packets (Alan DeKok)
----------------------------------------------------------------------
Message: 1
Date: Fri, 25 Feb 2011 16:01:06 +0500
From: Waqas Toor <waqasnasirtoor at gmail.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Cc: Alan DeKok <aland at deployingradius.com>
Message-ID:
<AANLkTinpZ94e6NpNMJo+fLgSbkreryZvio6=FBPcUpbg at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi,
On Thu, Feb 24, 2011 at 11:33 AM, Alan DeKok <aland at deployingradius.com> wrote:
> Waqas Toor wrote:
>> but what to do to get accounting to other client, Also if that fails
>> is it going to create detail files ?
>
> ?Did you bother *reading* the "robust-proxy-accounting" file?
>
I have configured the robust-proxy-accounting
below is the file
====================================
home_server home1.example.com {
type = acct
ipaddr = 10.1.67.41
port = 1813
secret = freerad
status_check = request
username = "test_user_status_check"
response_window = 6
}
home_server home2.example.com {
type = acct
ipaddr = 10.1.67.42
port = 1813
secret = freerad
response_window = 6
}
home_server acct_detail.example.com {
virtual_server = acct_detail.example.com
}
home_server_pool acct_pool.example.com {
home_server = home1.example.com
home_server = home2.example.com
fallback = acct_detail.example.com
virtual_server = home.example.com
}
realm acct_realm.example.com {
acct_pool = acct_pool.example.com
}
server acct_detail.example.com {
accounting {
detail.example.com
}
}
server home.example.com {
pre-proxy {
# Insert pre-proxy rules here
}
post-proxy {
Post-Proxy-Type Fail {
detail.example.com
}
}
listen {
type = detail
filename = "${radacctdir}/detail.example.com/detail-*:*"
load_factor = 10
}
accounting {
# You may want accounting policies here...
update control {
Proxy-To-Realm := "acct_realm.example.com"
}
}
}
====================================
but it is not working neither its creating any file
here is the debug last lines
===================================
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
mode = "rw"
}
}
listen {
type = "detail"
listen {
filename =
"/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*"
load_factor = 10
poll_interval = 1
retry_interval = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on detail file
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* as
server home.example.com
Detail listener
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state
unopened signalled 0 waiting 1.000000 sec
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Waking up in 0.9 seconds.
Polling for detail file
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state
unopened signalled 0 waiting 1.134651 sec
Waking up in 1.1 seconds.
Polling for detail file
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state
unopened signalled 0 waiting 1.011006 sec
Waking up in 1.0 seconds.
Polling for detail file
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state
unopened signalled 0 waiting 1.113558 sec
Waking up in 1.1 seconds.
Polling for detail file
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state
unopened signalled 0 waiting 0.903584 sec
Waking up in 0.9 seconds.
Polling for detail file
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state
unopened signalled 0 waiting 1.185763 sec
Waking up in 1.1 seconds.
Polling for detail file
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state
unopened signalled 0 waiting 0.916197 sec
Waking up in 0.9 seconds.
Polling for detail file
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state
unopened signalled 0 waiting 0.925224 sec
Waking up in 0.9 seconds.
Polling for detail file
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state
unopened signalled 0 waiting 1.160946 sec
Waking up in 1.1 seconds.
Polling for detail file
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state
unopened signalled 0 waiting 0.817426 sec
Waking up in 0.8 seconds.
==================
I am missing something but could not figure it out what
regards.
Waqas
------------------------------
Message: 2
Date: Fri, 25 Feb 2011 14:02:33 +0100
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4D67A869.7050209 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Waqas Toor wrote:
>> Did you bother *reading* the "robust-proxy-accounting" file?
>>
> I have configured the robust-proxy-accounting
That doesn't answer the question. The comments in that file describe
how it works. This includes answering your original question.
> I am missing something but could not figure it out what
The debug log doesn't show it receiving packets.
What do you *expect* to happen when it doesn't received packets?
The answer should be obvious: it's documented in the comments in the
"robust-proxy-accounting" file.
Go read it.
Alan DeKok.
------------------------------
Message: 3
Date: Fri, 25 Feb 2011 07:09:14 -0600
From: Marc Phillips <rmarc at copacetic.net>
Subject: Re: pam_radius_auth query
To: vijay s sheelavantar <s_vijay65 at rediffmail.com>
Cc: freeradius-users <freeradius-users at lists.freeradius.org>
Message-ID: <20110225130914.GB12219 at archwayconcepts.com>
Content-Type: text/plain; charset=us-ascii
vijay s sheelavantar <s_vijay65 at rediffmail.com> wrote:
> Hi,
> Please clarify my doubts.
>
> 1. does pam_radius_auth.so support authorization of user accounts?
the pam module just sends the user info to the radius server.
The radius server does authorization and authentication. It first authorizes
via your authorization rules you defined. If it passes that, it moves on
to the authentication rules.
There's nothing special you have to do on the pam module side.
R. Marc
------------------------------
Message: 4
Date: Fri, 25 Feb 2011 18:48:40 +0500
From: Waqas Toor <waqasnasirtoor at gmail.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Cc: Alan DeKok <aland at deployingradius.com>
Message-ID:
<AANLkTikNCwcteS+oFcb8btnjPiR9+zfX9HgYWwBz6R57 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Thank you Alan for you help,
But please can you point out where I am wrong or a line may be which
is a bad config, I am having trouble understanding why the packets are
not being forwarded while being in site-enabled directory.
I read the file I am still struggling to understand FreeRadius proxy
and virtual servers, treat me as a noob
Waqas
On Fri, Feb 25, 2011 at 6:02 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Waqas Toor wrote:
>>> ?Did you bother *reading* the "robust-proxy-accounting" file?
>>>
>> I have configured the robust-proxy-accounting
>
> ?That doesn't answer the question. ?The comments in that file describe
> how it works. ?This includes answering your original question.
>
>> I am missing something but could not figure it out what
>
> ?The debug log doesn't show it receiving packets.
>
> ?What do you *expect* to happen when it doesn't received packets?
>
> ?The answer should be obvious: it's documented in the comments in the
> "robust-proxy-accounting" file.
>
> ?Go read it.
------------------------------
Message: 5
Date: Fri, 25 Feb 2011 14:53:02 +0100
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4D67B43E.4020309 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Waqas Toor wrote:
> Thank you Alan for you help,
> But please can you point out where I am wrong or a line may be which
> is a bad config, I am having trouble understanding why the packets are
> not being forwarded while being in site-enabled directory.
As I said, the debug log you posted shows *no* packets being received.
How can it forward packets it doesn't receive?
How can you debug the failure to proxy packets, when it doesn't
receive any packets?
> I read the file I am still struggling to understand FreeRadius proxy
> and virtual servers, treat me as a noob
I'm asking you to read the documents, and the messages on this list.
Nothing more.
Alan DeKok.
------------------------------
Message: 6
Date: Fri, 25 Feb 2011 19:10:53 +0500
From: Waqas Toor <waqasnasirtoor at gmail.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Cc: Alan DeKok <aland at deployingradius.com>
Message-ID:
<AANLkTinubNyY8nagxyVNK+G+DAOgqn8oV+ALiEiAVYsF at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Ahaan, Ok below is an accounting packet and and its response
also please tell me if the the lines that i get while in debug mode are normal ?
Polling for detail file
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state
unopened signalled 0 waiting 1.159171 sec
Waking up in 1.1 seconds.
=================================================
Waking up in 0.8 seconds.
Polling for detail file
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener
/usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state
unopened signalled 0 waiting 1.058084 sec
Waking up in 1.0 seconds.
rad_recv: Accounting-Request packet from host 2.2.2.2 port 10044,
id=248, length=248
Acct-Status-Type = Start
WiMAX-Beginning-Of-Session = 1
WiMAX-IP-Technology = Reserved-0
WiMAX-Prepaid-Indicator = 0
Acct-Session-Id = "12033268"
Acct-Multi-Session-Id = "9a7f45c70eb9cfc263d4b7f5db740d25"
non-hw-flow-info = "\000\000\000"
Framed-IP-Address = 175.110.77.76
User-Name = "002682D1A232 at test_cpe.com"
Calling-Station-Id = "002682d1a232"
NAS-Identifier = "WASN"
WiMAX-hHA-IP-MIP4 = 0.0.0.0
NAS-IP-Address = 2.2.2.2
WiMAX-BS-Id = 0x303030303066303030663130
WiMAX-GMT-Timezone-offset = 18000
Event-Timestamp = "Feb 25 2011 18:36:49 PKT"
Huawei-Attr-218 = 0x00000000
NAS-Port-Type = Wireless-802.16
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request,
unique ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 2.2.2.2,NAS-IP-Address =
2.2.2.2,Acct-Session-Id = "12033268",User-Name =
"002682D1A232 at test_cpe.com"'
[acct_unique] Acct-Unique-Session-ID = "8b9e32f20020add2".
++[acct_unique] returns ok
[suffix] Looking up realm "test_cpe.com" for User-Name =
"002682D1A232 at test_cpe.com"
[suffix] No such realm "test_cpe.com"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
-> /usr/local/var/log/radius/radacct/2.2.2.2/detail-20110225
[detail] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/2.2.2.2/detail-20110225
[detail] expand: %t -> Fri Feb 25 18:35:11 2011
++[detail] returns ok
++[unix] returns noop
[radutmp] expand: /usr/local/var/log/radius/radutmp ->
/usr/local/var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> 002682D1A232 at test_cpe.com
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
[sql] expand: %{User-Name} -> 002682D1A232 at test_cpe.com
[sql] sql_set_user escaped user --> '002682D1A232 at test_cpe.com'
[sql] expand: INSERT into accounting (RadAcctId, AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets,
AcctOutputOctets, CalledStationId, CallingStationId,
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress,
AcctStartDelay, AcctStopDelay, XAscendSessionSvrKey, AcctStatusType)
VALUES('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}',
'%{NAS-Port-Type}', TO_DATE('%S','yyyy-mm-dd hh24:mi:ss'), NULL, '0',
'%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
'%{Acct-Delay-Time}', '0', '%{X-Ascend-Session-Svr-Key}',
'%{Acct-Status-Type}') -> INSERT into accounting (RadAcctId,
AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
NASPortType, AcctSta
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} ->
002682D1A232 at test_cpe.com
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 248 to 2.2.2.2 port 10044
Finished request 9.
Cleaning up request 9 ID 248 with timestamp +20
Going to the next request
Waking up in 0.7 seconds.
=======================================================
On Fri, Feb 25, 2011 at 6:53 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Waqas Toor wrote:
>> Thank you Alan for you help,
>> But please can you point out where I am wrong or a line may be which
>> is a bad config, I am having trouble understanding why the packets are
>> not being forwarded while being in site-enabled directory.
>
> ?As I said, the debug log you posted shows *no* packets being received.
>
> ?How can it forward packets it doesn't receive?
>
> ?How can you debug the failure to proxy packets, when it doesn't
> receive any packets?
>
>> I read the file I am still struggling to understand FreeRadius proxy
>> and virtual servers, treat me as a noob
>
> ?I'm asking you to read the documents, and the messages on this list.
> Nothing more.
>
> ?Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
------------------------------
Message: 7
Date: Fri, 25 Feb 2011 15:39:53 +0100
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4D67BF39.8070803 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Waqas Toor wrote:
> Ahaan, Ok below is an accounting packet and and its response
> also please tell me if the the lines that i get while in debug mode are normal ?
Yes, but...
> [suffix] Looking up realm "test_cpe.com" for User-Name =
> "002682D1A232 at test_cpe.com"
> [suffix] No such realm "test_cpe.com"
That should be fixed.
Alan DeKok.
------------------------------
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 70, Issue 99
************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110226/8e7f03cd/attachment.html>
More information about the Freeradius-Users
mailing list