Freeradius Access Request ID
全球无线联盟
2394263740 at qq.com
Fri Apr 20 05:15:12 CEST 2012
Hello,
What is the parameter name for freeradius access request ID?
For example,
Called-Station-Id = "46-E7-CF-62-78-11"
Called-Station-Id is the parameter name for NAS MAC address.
Thanks!
Tom
------------------ Original ------------------
From: "freeradius-users"<freeradius-users-request at lists.freeradius.org>;
Date: Fri, Apr 20, 2012 08:12 AM
To: "freeradius-users"<freeradius-users at lists.freeradius.org>;
Subject: Freeradius-Users Digest, Vol 84, Issue 60
Today's Topics:
1. Re: Perl, MySQL & auth (Fabricio Flores)
2. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (alan buxey)
3. Re: Perl, MySQL & auth (alan buxey)
4. Re: using windows 8's builtin eap-ttls... Windows 8 bug
(Matthew Newton)
5. Re: using windows 8's builtin eap-ttls... Windows 8 bug
(alan buxey)
6. Re: Perl, MySQL & auth (Fabricio Flores)
----------------------------------------------------------------------
Message: 1
Date: Thu, 19 Apr 2012 10:48:28 -0500
From: Fabricio Flores <fabrifloresg at gmail.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Perl, MySQL & auth
Message-ID:
<CAJfLZm94kTamUafQf5QNxs95yOti9zEEy3bQNNvb4zPdw4dAnQ at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi... I worked on my perl script... I did the connection to the web service
and it works... I configured freeradius (added perl and sql) in the auth section,
I made a debug with freeradius -X but I don't know if freeradius reads the
perl script before working with mysql... I have this output:
rad_recv: Access-Request packet from host 127.0.0.1 port 45894, id=120,
length=62
User-Name = "1104015936"
User-Password = "fabricio1"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "usuario", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
rlm_perl: Added pair User-Name = usuario
rlm_perl: Added pair User-Password = clave
rlm_perl: Added pair NAS-Port = 1812
rlm_perl: Added pair NAS-IP-Address = 127.0.1.1
++[perl] returns ok
[sql] expand: %{User-Name} -> 1104015936
[sql] sql_set_user escaped user --> 'usuario'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'usuario' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = 'usuario'
ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User usuario not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> usuario
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 120 to 127.0.0.1 port 45894
Waking up in 4.9 seconds.
Cleaning up request 1 ID 120 with timestamp +410
Ready to process requests.
On 9 April 2012 16:49, Fajar A. Nugraha <list at fajar.net> wrote:
> On Mon, Apr 9, 2012 at 10:49 PM, Fabricio Flores <fabrifloresg at gmail.com>
> wrote:
> > is it possible to use perl and mysql in the authorization section? in
>
> As I've already said, yes.
>
> --
> Fajar
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
--
Fabricio A. Flores G.
Graduate in Systems Engineering
MSN: fabri_floresg at hotmail.com
Google: fabrifloresg at gmail.com
Twitter: fabricioflores
Skype: fabriciofloresgallardo
Blog Personal <http://fabricioflores.wordpress.com/>
------------------------------
Message: 2
Date: Thu, 19 Apr 2012 16:53:42 +0100
From: alan buxey <A.L.M.Buxey at lboro.ac.uk>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Message-ID: <20120419155342.GD1845 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii
hi,
a quick look seems to show that you don't have a suitable authorise
section in the inner tunnel.
the tunnel gets started... your client rejects the default md5
the server sent - and EAP-TTLS gets done... the username/password
gets sent but has nothing to go against.... so I suggest
you add 'ldap' to the inner-tunnel virtual server (in the same way that ldap and
LDAP are defined in the default server...)
alan
------------------------------
Message: 3
Date: Thu, 19 Apr 2012 16:56:10 +0100
From: alan buxey <A.L.M.Buxey at lboro.ac.uk>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Perl, MySQL & auth
Message-ID: <20120419155610.GE1845 at lboro.ac.uk>
Content-Type: text/plain; charset=utf-8
Hi,
> Hi... I worked on my perl script... I did the connection to the web service
> and it works... I configured freeradius (added perl and sql) in the auth section,
> I made a debug with freeradius -X but I don't know if freeradius reads the
> perl script before working with mysql... I have this output:
the logs show the perl being called before the sql...and the sql failing with
usuario userid not being found
alan
------------------------------
Message: 4
Date: Thu, 19 Apr 2012 19:53:13 +0100
From: Matthew Newton <mcn4 at leicester.ac.uk>
To: aman.arneja at microsoft.com
Cc: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: using windows 8's builtin eap-ttls... Windows 8 bug
Message-ID: <20120419185313.GC10911 at rootmail.cc.le.ac.uk>
Content-Type: text/plain; charset=us-ascii
Hi Aman,
(I'm copying freeradius-users to feedback to the thread, but
as it's not really a FR issue I'm happy for you to take this
off-list if you want any more details/testing).
On Mon, Mar 05, 2012 at 08:19:15PM +0000, Alan Buxey wrote:
> right. interesting. I've just been looking into Windows 8 and I found
> that if I chose a non-EAP method with TTLS (eg PAP or MSCHAP) then it
> didn't work. but if I chose an EAP method with TTLS - eg EAP-MSCHAPv2 then
> it worked fine. so more needs to be looked at there.
We've been digging into this a bit more and testing the TTLS
support with Windows 8. Really nice to see more options than just
PEAP at last :-)
There seems to be a bug in the Windows 8 TTLS ACK, which means
that EAP-TTLS/MS-CHAPv2 doesn't work (EAP-TTLS/MSCHAP and
EAP-TTLS/EAP-MSCHAP-V2 are OK).
Having received an Access-Accept from the inner tunnel (after the
mschap module succeeded), FreeRADIUS sends an Access-Challenge
back to the NAS. See src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c:675.
The end device should respond to the challenge with a TTLS ACK.
RFC 5281 s9.2.3 says:
"An Acknowledgement packet is an EAP-TTLS packet with no
additional data beyond the Flags octet, and with the L, M, and S
bits of the Flags octet set to 0. (Note, however, that the V
field MUST still be set to the appropriate version number.)"
(this is correctly handled in FR src/modules/rlm_eap/libeap/eap_tls.c:375)
The EAP-Message in the resulting Access-Request from Win8 is:
EAP-Message = 0x020b000a158000000000
Which is Response / id 11 / length 10 / type TTLS, then:
flags 0x80 ('length included') followed by a length of 00000000.
Note the RFC says that no additional data beyond Flags, and L/M/S
all set to 0 - here, L is set to 1, so it's not a correctly formed
ACK (albeit looking like one with Length set to 0), so FR bombs
out with:
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 0
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] SSL_read Error
[ttls] Error in fragmentation logic
[ttls] eaptls_process returned 4
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
eapol_test with EAP-TTLS/MSCHAP-v2 works fine, and sends the TTLS
ACK back as:
EAP-Message = 0x020800061500
which is fine - flags all 0, no TTLS length supplied.
Windows 8 with EAP-TTLS/MSCHAP is also fine, as there is no
Access-Challenge sent; it's a direct Access-Accept with
EAP-Message 0x030a0004 (Success).
As Alan noted, EAP-TTLS/EAP-MSCHAP-V2 also seems fine.
Cheers,
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
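Decoding the three EAP-Message values quoted above, as an added example that is not part of the original message or of FreeRADIUS: it parses the EAP header and the EAP-TTLS Flags octet and reports an "ACK" whose L, M or S bit is set, which is what RFC 5281 s9.2.3 forbids. The sample bytes are the ones quoted above; the function and constant names are my own.

```python
# Added example (not FreeRADIUS code): decode an EAP-Message and check whether an
# EAP-TTLS packet is a valid ACK per RFC 5281 s9.2.3 (no data beyond Flags, L/M/S = 0).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_TTLS = 0x15                      # 21
FLAG_L, FLAG_M, FLAG_S, FLAG_V = 0x80, 0x40, 0x20, 0x07


def parse_eap_message(raw: bytes) -> dict:
    """Parse the EAP header; for a TTLS Request/Response also parse the Flags octet."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} does not match {len(raw)} bytes")
    pkt = {"code": code, "id": ident, "length": length, "type": None}
    if code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5:
        pkt["type"] = raw[4]
        if pkt["type"] == EAP_TYPE_TTLS:
            if length < 6:
                raise ValueError("EAP-TTLS packet is missing the Flags octet")
            flags = raw[5]
            pkt["flags"], pkt["version"] = flags, flags & FLAG_V
            if flags & FLAG_L:            # 4-byte TLS Message Length follows Flags
                if length < 10:
                    raise ValueError("L bit set but no TLS Message Length present")
                pkt["tls_length"], pkt["data"] = int.from_bytes(raw[6:10], "big"), raw[10:]
            else:
                pkt["tls_length"], pkt["data"] = None, raw[6:]
    return pkt


def classify_ttls_ack(raw: bytes) -> str:
    """'ack' for a well-formed TTLS ACK, 'malformed-ack' when the packet carries no
    TLS data but has L, M or S set (the Windows 8 case above), else 'not-ack'."""
    pkt = parse_eap_message(raw)
    if pkt["code"] != EAP_RESPONSE or pkt["type"] != EAP_TYPE_TTLS or pkt.get("data"):
        return "not-ack"
    return "ack" if (pkt["flags"] & (FLAG_L | FLAG_M | FLAG_S)) == 0 else "malformed-ack"


# Constructed from the EAP-Message values quoted in the message above.
SAMPLES = {
    "win8_ttls_mschapv2": bytes.fromhex("020b000a158000000000"),  # L=1, length 0
    "eapol_test":         bytes.fromhex("020800061500"),          # flags all 0
    "win8_ttls_mschap":   bytes.fromhex("030a0004"),              # EAP Success
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {raw.hex()} -> {classify_ttls_ack(raw)}")
```

The first sample is reported as malformed-ack (L bit set, TLS length 0, no data), the second as ack, and the Success packet as not-ack, matching the three cases described above.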
------------------------------
Message: 5
Date: Thu, 19 Apr 2012 22:02:27 +0100
From: alan buxey <A.L.M.Buxey at lboro.ac.uk>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Cc: "aman.arneja at microsoft.com" <aman.arneja at microsoft.com>
Subject: Re: using windows 8's builtin eap-ttls... Windows 8 bug
Message-ID: <20120419210227.GA2768 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii
Hi,
> We've been digging into this a bit more and testing the TTLS
> support with Windows 8. Really nice to see more options than just
> PEAP at last :-)
thanks for the further testing/verification Matthew :-)
alan
------------------------------
Message: 6
Date: Thu, 19 Apr 2012 19:12:36 -0500
From: Fabricio Flores <fabrifloresg at gmail.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Perl, MySQL & auth
Message-ID:
<CAJfLZm88gdUSMR8bNZhmiKuP_Hp2QT3Jm6ODyLQmhL2K6LMgAA at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
ok, I started freeradius with freeradius -x and I have this error:
Can't load '/usr/lib/perl5/auto/DBI/DBI.so' for module DBI:
/usr/lib/perl5/auto/DBI/DBI.so: undefined symbol: PL_memory_wrap at
/usr/lib/perl/5.12/DynaLoader.pm line 192.
I read in another post that it is an error because I use perl's DBI... so I
started freeradius with:
LD_PRELOAD=/usr/lib/libperl.so.5.12.4 freeradius -X
this way the freeradius daemon starts, but in the freeradius log I have this:
Thu Apr 19 18:27:55 2012 : Info: Loaded virtual server inner-tunnel
Thu Apr 19 18:27:55 2012 : Error: rlm_perl: perl_parse failed:
/etc/freeradius/example.pl not found or has syntax errors.
Thu Apr 19 18:27:55 2012 : Error: /etc/freeradius/modules/perl[7]:
Instantiation failed for module "perl"
Thu Apr 19 18:27:55 2012 : Error:
/etc/freeradius/sites-enabled/default[265]: Failed to load module "perl".
Thu Apr 19 18:27:55 2012 : Error:
/etc/freeradius/sites-enabled/default[265]: Failed to parse "perl" entry.
Thu Apr 19 18:27:55 2012 : Error: Failed to load virtual server <default>
I tested the perl script without freeradius variables and it works.
On 19 April 2012 10:56, alan buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
> > Hi... I worked on my perl script... I did the connection to the web service
> > and it works... I configured freeradius (added perl and sql) in the auth section,
> > I made a debug with freeradius -X but I don't know if freeradius reads the
> > perl script before working with mysql... I have this output:
>
> the logs show the perl being called before the sql...and the sql failing with
> usuario userid not being found
>
>
> alan
--
Fabricio A. Flores G.
Graduate in Systems Engineering
MSN: fabri_floresg at hotmail.com
Google: fabrifloresg at gmail.com
Twitter: fabricioflores
Skype: fabriciofloresgallardo
Blog Personal <http://fabricioflores.wordpress.com/>
------------------------------
End of Freeradius-Users Digest, Vol 84, Issue 60