Re: pam_radius_auth query

vijay s sheelavantar s_vijay65 at rediffmail.com
Sat Feb 26 08:07:48 CET 2011


Hi Marc and Alan, thanks for the reply.
What I exactly mean by authorization is Management-Privilege-Level, which is defined in RFC 5607. I want to give restricted access to certain resources on my NE to the user accounts; basically I want to authorize user accounts based on groups and privileges.
If a user belongs to a certain group and has the privilege level (security admin or administrator), then only he can execute certain commands on the NE. Right now the PAM module is doing this in my NE. I want it to be done by the RADIUS server.
Now the pam_radius_auth module sends "authentication only" in the request message, so the server is not doing authorization, it seems.
How can I ask the server to do authorization, and when the server sends the authorization attributes (AVPs) in the Access-Accept message, how do I process those values? Or will the PAM module take care of this?
I am really not getting how to support this "management-privilege-level" feature using pam_radius_auth.
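On the NE side the open question in the message above is what to do with the attributes once the Access-Accept arrives. The following is an added example, not code from this thread, from pam_radius_auth or from FreeRADIUS: a minimal RADIUS reply parser in Python that first verifies the Response Authenticator against the shared secret (RFC 2865), then reads Service-Type together with the RFC 5607 Management-Privilege-Level and Management-Policy-Id attributes and returns an access decision for a CLI login. The attribute numbers come from RFC 2865 and RFC 5607; the decision policy in `management_decision` (Administrative-User is unrestricted, NAS-Prompt-User needs a level at or above the caller's threshold, anything else is denied) and the constructed exchange in `demo()` are this example's own assumptions.

```python
import hashlib
import struct

# Packet codes and attribute types (RFC 2865; the 13x attributes are RFC 5607)
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_SERVICE_TYPE = 6
ATTR_MANAGEMENT_POLICY_ID = 135
ATTR_MANAGEMENT_PRIVILEGE_LEVEL = 136
SERVICE_TYPE_ADMINISTRATIVE = 6   # Administrative-User
SERVICE_TYPE_NAS_PROMPT = 7       # NAS-Prompt-User


def build_response(code, ident, request_auth, attrs, secret):
    """Encode a RADIUS reply; attrs is a list of (type, value_bytes)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def parse_response(raw, request_auth, secret):
    """Return (code, ident, [(type, value)]) or raise ValueError on a bad reply."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("Length field does not match the datagram")
    body = raw[20:]
    # A reply that does not verify against the secret must be discarded
    if raw[4:20] != hashlib.md5(raw[:4] + request_auth + body + secret).digest():
        raise ValueError("Response Authenticator mismatch (wrong secret or forged reply)")
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return code, ident, attrs


def _uint32(value, name):
    if len(value) != 4:
        raise ValueError("%s must be a 4-byte integer" % name)
    return struct.unpack("!I", value)[0]


def management_decision(raw, request_auth, secret, required_level):
    """Map a reply to (allowed, privilege_level, reason) for a CLI login.
    Policy (this example's own): Administrative-User is unrestricted,
    NAS-Prompt-User needs Management-Privilege-Level >= required_level,
    anything else, and any malformed reply, is denied."""
    try:
        code, _, attrs = parse_response(raw, request_auth, secret)
        level = service_type = policy = None
        for t, v in attrs:
            if t == ATTR_MANAGEMENT_PRIVILEGE_LEVEL:
                level = _uint32(v, "Management-Privilege-Level")
            elif t == ATTR_SERVICE_TYPE:
                service_type = _uint32(v, "Service-Type")
            elif t == ATTR_MANAGEMENT_POLICY_ID:
                policy = v.decode("utf-8", "replace")
    except ValueError as exc:
        return False, None, "discarded: %s" % exc
    if code != ACCESS_ACCEPT:
        return False, None, "not an Access-Accept"
    if service_type == SERVICE_TYPE_ADMINISTRATIVE:
        return True, level, "Administrative-User: unrestricted management access"
    if service_type != SERVICE_TYPE_NAS_PROMPT:
        return False, level, "Service-Type does not grant CLI access"
    if level is None:
        return False, None, "no Management-Privilege-Level in reply; failing closed"
    if level < required_level:
        return False, level, "level %d is below the required %d" % (level, required_level)
    return True, level, "level %d granted, policy %s" % (level, policy)


def demo():
    """Constructed exchange: one request authenticator, several candidate replies."""
    secret = b"testing123"                  # shared secret (constructed)
    request_auth = bytes(range(16))         # a real client sends 16 random bytes

    def accept(level, service=SERVICE_TYPE_NAS_PROMPT, key=secret):
        attrs = [(ATTR_SERVICE_TYPE, struct.pack("!I", service)),
                 (ATTR_MANAGEMENT_POLICY_ID, b"security-admin")]
        if level is not None:
            attrs.append((ATTR_MANAGEMENT_PRIVILEGE_LEVEL, struct.pack("!I", level)))
        return build_response(ACCESS_ACCEPT, 7, request_auth, attrs, key)

    return {
        "level_15": management_decision(accept(15), request_auth, secret, 10),
        "level_3": management_decision(accept(3), request_auth, secret, 10),
        "no_level": management_decision(accept(None), request_auth, secret, 10),
        "admin_user": management_decision(accept(None, SERVICE_TYPE_ADMINISTRATIVE), request_auth, secret, 10),
        "forged": management_decision(accept(15, key=b"guess"), request_auth, secret, 10),
        "reject": management_decision(build_response(ACCESS_REJECT, 7, request_auth, [], secret), request_auth, secret, 10),
    }
```

The authenticator check comes before any attribute is looked at: an Access-Accept carrying a high Management-Privilege-Level is only as trustworthy as the secret that signed it, so a client that skips that step would grant whatever privilege an unauthenticated reply claims. Absence of the attribute is treated as the lowest privilege rather than as "no restriction".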
On Fri, 25 Feb 2011 20:11:32, freeradius-users-request at lists.freeradius.org wrote:
Today's Topics:

   1. Re: store and proxy accounting packets (Waqas Toor)
   2. Re: store and proxy accounting packets (Alan DeKok)
   3. Re: pam_radius_auth query (Marc Phillips)
   4. Re: store and proxy accounting packets (Waqas Toor)
   5. Re: store and proxy accounting packets (Alan DeKok)
   6. Re: store and proxy accounting packets (Waqas Toor)
   7. Re: store and proxy accounting packets (Alan DeKok)

----------------------------------------------------------------------


Message: 1
Date: Fri, 25 Feb 2011 16:01:06 +0500
From: Waqas Toor <waqasnasirtoor at gmail.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Alan DeKok <aland at deployingradius.com>
Message-ID: <AANLkTinpZ94e6NpNMJo+fLgSbkreryZvio6=FBPcUpbg at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi,

On Thu, Feb 24, 2011 at 11:33 AM, Alan DeKok <aland at deployingradius.com> wrote:
> Waqas Toor wrote:
>> but what to do to get accounting to other client, Also if that fails
>> is it going to create detail files?
>
>   Did you bother *reading* the "robust-proxy-accounting" file?
>
I have configured the robust-proxy-accounting. Below is the file:

====================================
home_server home1.example.com {
   type = acct
   ipaddr = 10.1.67.41
   port = 1813
   secret = freerad

   status_check = request
   username = "test_user_status_check"

   response_window = 6
}

home_server home2.example.com {
   type = acct
   ipaddr = 10.1.67.42
   port = 1813
   secret = freerad

   response_window = 6
}

home_server acct_detail.example.com {
   virtual_server = acct_detail.example.com
}

home_server_pool acct_pool.example.com {
   home_server = home1.example.com
   home_server = home2.example.com
   fallback = acct_detail.example.com

   virtual_server = home.example.com
}

realm acct_realm.example.com {
   acct_pool = acct_pool.example.com
}

server acct_detail.example.com {
   accounting {
      detail.example.com
   }
}

server home.example.com {
   pre-proxy {
      #  Insert pre-proxy rules here
   }

   post-proxy {
      Post-Proxy-Type Fail {
         detail.example.com
      }
   }

   listen {
      type = detail
      filename = "${radacctdir}/detail.example.com/detail-*:*"
      load_factor = 10
   }
   accounting {
      # You may want accounting policies here...

      update control {
         Proxy-To-Realm := "acct_realm.example.com"
      }
   }
}
====================================

but it is not working, nor is it creating any file.
Here are the last lines of the debug output:
===================================



} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "control"
 listen {
        socket = "/usr/local/var/run/radiusd/radiusd.sock"
        mode = "rw"
 }
}
listen {
        type = "detail"
  listen {
        filename = "/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*"
        load_factor = 10
        poll_interval = 1
        retry_interval = 30
  }
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* as server home.example.com
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.000000 sec
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.134651 sec
Waking up in 1.1 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.011006 sec
Waking up in 1.0 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.113558 sec
Waking up in 1.1 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 0.903584 sec
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.185763 sec
Waking up in 1.1 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 0.916197 sec
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 0.925224 sec
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.160946 sec
Waking up in 1.1 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 0.817426 sec
Waking up in 0.8 seconds.

==================



I am missing something but could not figure out what.

regards.
Waqas
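In the configuration above, accounting that neither home server accepts falls back to `acct_detail.example.com`, which writes it to a detail file that the `detail` listener in `home.example.com` later replays. Checking what actually landed in that file is part of testing the setup. The following is an added example, not from the thread and not FreeRADIUS code: a Python parser for the layout rlm_detail writes (a header line holding the local time, one tab-indented `Attribute = value` per line, a `Timestamp` line added by the module, and a blank line closing each record), plus a pass that matches Start and Stop records per session so that sessions whose Stop never reached the file, or whose Acct-Session-Time disagrees with the timestamps, stand out. The sample records are constructed for this example.

```python
import re

# Constructed sample in the layout rlm_detail writes.
SAMPLE_DETAIL = (
    "Fri Feb 25 18:35:11 2011\n"
    "\tAcct-Status-Type = Start\n"
    "\tAcct-Session-Id = \"12033268\"\n"
    "\tUser-Name = \"002682D1A232@test_cpe.com\"\n"
    "\tNAS-IP-Address = 2.2.2.2\n"
    "\tFramed-IP-Address = 175.110.77.76\n"
    "\tTimestamp = 1298640911\n"
    "\n"
    "Fri Feb 25 18:40:11 2011\n"
    "\tAcct-Status-Type = Stop\n"
    "\tAcct-Session-Id = \"12033268\"\n"
    "\tUser-Name = \"002682D1A232@test_cpe.com\"\n"
    "\tNAS-IP-Address = 2.2.2.2\n"
    "\tAcct-Session-Time = 300\n"
    "\tTimestamp = 1298641211\n"
    "\n"
    "Fri Feb 25 18:41:00 2011\n"
    "\tAcct-Status-Type = Start\n"
    "\tAcct-Session-Id = \"12033269\"\n"
    "\tUser-Name = \"0026AABBCCDD@test_cpe.com\"\n"
    "\tNAS-IP-Address = 2.2.2.2\n"
    "\tTimestamp = 1298641260\n"
    "\n"
)

ATTR_RE = re.compile(r"^\t([A-Za-z0-9.:_-]+)\s*=\s*(.*)$")


def parse_detail(text):
    """Split detail-file text into records: {"header": str, "attrs": {name: value}}."""
    records, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":                  # blank line closes a record
            if current is not None:
                records.append(current)
                current = None
            continue
        if not line.startswith("\t"):           # unindented line: record header
            if current is not None:             # previous record lacked its blank line
                records.append(current)
            current = {"header": line, "attrs": {}}
            continue
        if current is None:
            raise ValueError("line %d: attribute before any record header" % lineno)
        m = ATTR_RE.match(line)
        if m is None:
            raise ValueError("line %d: cannot parse %r" % (lineno, line))
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                 # strings are written quoted
        current["attrs"][name] = value
    if current is not None:
        records.append(current)
    return records


def sessions(records):
    """Match Start/Stop records by (NAS-IP-Address, Acct-Session-Id)."""
    out = {}
    for rec in records:
        a = rec["attrs"]
        key = (a.get("NAS-IP-Address"), a.get("Acct-Session-Id"))
        s = out.setdefault(key, {"user": a.get("User-Name"), "start": None,
                                 "stop": None, "session_time": None})
        ts = int(a["Timestamp"]) if "Timestamp" in a else None
        if a.get("Acct-Status-Type") == "Start":
            s["start"] = ts
        elif a.get("Acct-Status-Type") == "Stop":
            s["stop"] = ts
            s["session_time"] = int(a.get("Acct-Session-Time", 0))
    return out


def open_sessions(sess):
    """Sessions with a Start but no Stop: still running, or the Stop never reached the file."""
    return sorted(k for k, s in sess.items() if s["start"] is not None and s["stop"] is None)


def inconsistent_sessions(sess, slack=5):
    """Stops whose Acct-Session-Time disagrees with the Start/Stop timestamps by more than `slack` seconds."""
    return sorted(k for k, s in sess.items()
                  if s["start"] is not None and s["stop"] is not None
                  and abs((s["stop"] - s["start"]) - s["session_time"]) > slack)
```

The parser treats a missing closing blank line as the end of the previous record rather than as an error, which is the case to expect when the server was interrupted while writing; everything else that does not match the layout is reported with its line number instead of being silently skipped.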







------------------------------

Message: 2
Date: Fri, 25 Feb 2011 14:02:33 +0100
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Message-ID: <4D67A869.7050209 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Waqas Toor wrote:
>>  Did you bother *reading* the "robust-proxy-accounting" file?
>>
> I have configured the robust-proxy-accounting

  That doesn't answer the question.  The comments in that file describe
how it works.  This includes answering your original question.

> I am missing something but could not figure it out what

  The debug log doesn't show it receiving packets.

  What do you *expect* to happen when it doesn't receive packets?

  The answer should be obvious: it's documented in the comments in the
"robust-proxy-accounting" file.

  Go read it.

  Alan DeKok.

------------------------------

Message: 3
Date: Fri, 25 Feb 2011 07:09:14 -0600
From: Marc Phillips <rmarc at copacetic.net>
Subject: Re: pam_radius_auth query
To: vijay s sheelavantar <s_vijay65 at rediffmail.com>
Cc: freeradius-users <freeradius-users at lists.freeradius.org>
Message-ID: <20110225130914.GB12219 at archwayconcepts.com>
Content-Type: text/plain; charset=us-ascii

vijay s sheelavantar <s_vijay65 at rediffmail.com> wrote:
> Hi,
> Please clarify my doubts.
>
> 1. Does pam_radius_auth.so support authorization of user accounts?

The PAM module just sends the user info to the RADIUS server.

The RADIUS server does authorization and authentication.  It first authorizes
via the authorization rules you defined.  If it passes that, it moves on
to the authentication rules.

There's nothing special you have to do on the PAM module side.

R. Marc

------------------------------

Message: 4
Date: Fri, 25 Feb 2011 18:48:40 +0500
From: Waqas Toor <waqasnasirtoor at gmail.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Alan DeKok <aland at deployingradius.com>
Message-ID: <AANLkTikNCwcteS+oFcb8btnjPiR9+zfX9HgYWwBz6R57 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Thank you Alan for your help,
but please can you point out where I am wrong, or a line which may be
a bad config? I am having trouble understanding why the packets are
not being forwarded while being in the sites-enabled directory.

I read the file; I am still struggling to understand FreeRadius proxy
and virtual servers, treat me as a noob.

Waqas

On Fri, Feb 25, 2011 at 6:02 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Waqas Toor wrote:
>>>  Did you bother *reading* the "robust-proxy-accounting" file?
>>>
>> I have configured the robust-proxy-accounting
>
>   That doesn't answer the question.  The comments in that file describe
> how it works.  This includes answering your original question.
>
>> I am missing something but could not figure it out what
>
>   The debug log doesn't show it receiving packets.
>
>   What do you *expect* to happen when it doesn't receive packets?
>
>   The answer should be obvious: it's documented in the comments in the
> "robust-proxy-accounting" file.
>
>   Go read it.

------------------------------

Message: 5
Date: Fri, 25 Feb 2011 14:53:02 +0100
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Message-ID: <4D67B43E.4020309 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Waqas Toor wrote:
> Thank you Alan for your help,
> but please can you point out where I am wrong, or a line which may be
> a bad config? I am having trouble understanding why the packets are
> not being forwarded while being in the sites-enabled directory.

  As I said, the debug log you posted shows *no* packets being received.

  How can it forward packets it doesn't receive?

  How can you debug the failure to proxy packets, when it doesn't
receive any packets?

> I read the file; I am still struggling to understand FreeRadius proxy
> and virtual servers, treat me as a noob.

  I'm asking you to read the documents, and the messages on this list.
Nothing more.

  Alan DeKok.

------------------------------

Message: 6
Date: Fri, 25 Feb 2011 19:10:53 +0500
From: Waqas Toor <waqasnasirtoor at gmail.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Alan DeKok <aland at deployingradius.com>
Message-ID: <AANLkTinubNyY8nagxyVNK+G+DAOgqn8oV+ALiEiAVYsF at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Ahaan, OK, below is an accounting packet and its response.
Also, please tell me if the lines that I get while in debug mode are normal?

Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.159171 sec
Waking up in 1.1 seconds.

=================================================
Waking up in 0.8 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.058084 sec
Waking up in 1.0 seconds.
rad_recv: Accounting-Request packet from host 2.2.2.2 port 10044, id=248, length=248
        Acct-Status-Type = Start
        WiMAX-Beginning-Of-Session = 1
        WiMAX-IP-Technology = Reserved-0
        WiMAX-Prepaid-Indicator = 0
        Acct-Session-Id = "12033268"
        Acct-Multi-Session-Id = "9a7f45c70eb9cfc263d4b7f5db740d25"
        non-hw-flow-info = "\000\000\000"
        Framed-IP-Address = 175.110.77.76
        User-Name = "002682D1A232 at test_cpe.com"
        Calling-Station-Id = "002682d1a232"
        NAS-Identifier = "WASN"
        WiMAX-hHA-IP-MIP4 = 0.0.0.0
        NAS-IP-Address = 2.2.2.2
        WiMAX-BS-Id = 0x303030303066303030663130
        WiMAX-GMT-Timezone-offset = 18000
        Event-Timestamp = "Feb 25 2011 18:36:49 PKT"
        Huawei-Attr-218 = 0x00000000
        NAS-Port-Type = Wireless-802.16
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 2.2.2.2,NAS-IP-Address = 2.2.2.2,Acct-Session-Id = "12033268",User-Name = "002682D1A232 at test_cpe.com"'
[acct_unique] Acct-Unique-Session-ID = "8b9e32f20020add2".
++[acct_unique] returns ok
[suffix] Looking up realm "test_cpe.com" for User-Name = "002682D1A232 at test_cpe.com"
[suffix] No such realm "test_cpe.com"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]        expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/2.2.2.2/detail-20110225
[detail] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/2.2.2.2/detail-20110225
[detail]        expand: %t -> Fri Feb 25 18:35:11 2011
++[detail] returns ok
++[unix] returns noop
[radutmp]       expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> 002682D1A232 at test_cpe.com
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
[sql]   expand: %{User-Name} -> 002682D1A232 at test_cpe.com
[sql] sql_set_user escaped user --> '002682D1A232 at test_cpe.com'
[sql]   expand: INSERT into accounting (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, XAscendSessionSvrKey, AcctStatusType) VALUES('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}', '%{NAS-Port-Type}', TO_DATE('%S','yyyy-mm-dd hh24:mi:ss'), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0', '%{X-Ascend-Session-Svr-Key}', '%{Acct-Status-Type}') -> INSERT into accounting (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctSta
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response]       expand: %{User-Name} -> 002682D1A232 at test_cpe.com
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 248 to 2.2.2.2 port 10044
Finished request 9.
Cleaning up request 9 ID 248 with timestamp +20
Going to the next request
Waking up in 0.7 seconds.

=======================================================


On Fri, Feb 25, 2011 at 6:53 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Waqas Toor wrote:
>> Thank you Alan for your help,
>> but please can you point out where I am wrong, or a line which may be
>> a bad config? I am having trouble understanding why the packets are
>> not being forwarded while being in the sites-enabled directory.
>
>   As I said, the debug log you posted shows *no* packets being received.
>
>   How can it forward packets it doesn't receive?
>
>   How can you debug the failure to proxy packets, when it doesn't
> receive any packets?
>
>> I read the file; I am still struggling to understand FreeRadius proxy
>> and virtual servers, treat me as a noob.
>
>   I'm asking you to read the documents, and the messages on this list.
> Nothing more.
>
>   Alan DeKok.








------------------------------

Message: 7
Date: Fri, 25 Feb 2011 15:39:53 +0100
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Message-ID: <4D67BF39.8070803 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Waqas Toor wrote:
> Ahaan, OK, below is an accounting packet and its response.
> Also, please tell me if the lines that I get while in debug mode are normal?

  Yes, but...

> [suffix] Looking up realm "test_cpe.com" for User-Name = "002682D1A232 at test_cpe.com"
> [suffix] No such realm "test_cpe.com"

  That should be fixed.

  Alan DeKok.
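The order in which this thread reads the `radiusd -X` output is worth keeping: first whether any `rad_recv:` line appears at all (messages 2 and 5), and only then the per-packet warnings such as the `No such realm` line picked out above. The following is an added example, not code from the thread or from FreeRADIUS: a small Python triage pass over debug lines that counts received packets, pairs them with the `Sending ... Response` lines, and collects the realms the `suffix` module could not find. The sample lines are constructed, modelled on the output quoted in message 6; the `verdict()` wording is this example's own.

```python
import re

# Constructed sample modelled on the radiusd -X lines quoted in this thread.
SAMPLE_DEBUG = """\
Listening on accounting address * port 1813
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
rad_recv: Accounting-Request packet from host 2.2.2.2 port 10044, id=248, length=248
        Acct-Status-Type = Start
        User-Name = "002682D1A232@test_cpe.com"
[suffix] Looking up realm "test_cpe.com" for User-Name = "002682D1A232@test_cpe.com"
[suffix] No such realm "test_cpe.com"
++[suffix] returns noop
Sending Accounting-Response of id 248 to 2.2.2.2 port 10044
Finished request 9.
rad_recv: Accounting-Request packet from host 2.2.2.2 port 10044, id=249, length=230
        Acct-Status-Type = Stop
        User-Name = "0026AABBCCDD@other.example"
[suffix] No such realm "other.example"
Going to the next request
"""

RECV_RE = re.compile(r"^rad_recv: (?P<code>\S+) packet from host (?P<host>\S+) "
                     r"port (?P<port>\d+), id=(?P<id>\d+), length=(?P<len>\d+)")
SEND_RE = re.compile(r"^Sending (?P<code>\S+) of id (?P<id>\d+) to (?P<host>\S+) port (?P<port>\d+)")
NOREALM_RE = re.compile(r'^\[suffix\] No such realm "(?P<realm>[^"]*)"')
POLL_RE = re.compile(r"^Polling for detail file ")


def triage(text):
    """Summarise one radiusd -X capture: packets in, replies out, realms missing."""
    received, answered, missing, polls = [], set(), {}, 0
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            received.append({"code": m["code"], "host": m["host"],
                             "port": int(m["port"]), "id": int(m["id"]),
                             "length": int(m["len"])})
            continue
        m = SEND_RE.match(line)
        if m:
            answered.add((m["host"], int(m["port"]), int(m["id"])))
            continue
        m = NOREALM_RE.match(line)
        if m:
            missing[m["realm"]] = missing.get(m["realm"], 0) + 1
            continue
        if POLL_RE.match(line):
            polls += 1
    # A request is "unanswered" when no Sending line carries its (host, port, id)
    unanswered = [r for r in received
                  if (r["host"], r["port"], r["id"]) not in answered]
    return {"received": len(received), "unanswered": unanswered,
            "missing_realms": missing, "detail_polls": polls}


def verdict(summary):
    """Read the summary in the order the thread applies it: packets first, realms second."""
    if summary["received"] == 0:
        return "no packets received: there is nothing to proxy, so proxying cannot be debugged yet"
    if summary["missing_realms"]:
        return "realm lookups failed for: " + ", ".join(sorted(summary["missing_realms"]))
    if summary["unanswered"]:
        return "%d request(s) received without a reply being sent" % len(summary["unanswered"])
    return "packets received and answered; nothing flagged"
```

Run over the first debug log in this digest, which contains only `Polling`/`Waking up` lines, `triage()` reports zero packets and `verdict()` stops there, which is the same conclusion Alan draws before looking at anything else.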





------------------------------




End of Freeradius-Users Digest, Vol 70, Issue 99

************************************************
