Freeradius Access Request ID

全球无线联盟 2394263740 at qq.com
Fri Apr 20 05:15:12 CEST 2012


Hello,

What is the parameter name for the FreeRADIUS Access-Request ID?

For example,
Called-Station-Id  = "46-E7-CF-62-78-11"
Called-Station-Id is the parameter name for the NAS MAC address.

Thanks!

Tom

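As an added example (not part of Tom's message and not FreeRADIUS code), the following Python decodes a RADIUS Access-Request the way RFC 2865 lays it out: the request ID is the Identifier octet in the 20-byte header, next to Code, Length and the Authenticator, while Called-Station-Id is attribute type 30 in the attribute list that follows the header. The packet bytes are constructed for this example: the ID 120, User-Name and NAS-IP-Address echo the radclient debug quoted in the digest below, the Called-Station-Id value is the one from the question, and the authenticator is a dummy. User-Password is left out because encoding it requires the shared secret. The small attribute table and the helper names (ATTR_TYPES, build_packet, parse_packet, request_summary) are this example's own.

```python
"""Decode a RADIUS Access-Request and show where the request ID lives.

Added example, not from the list post or from FreeRADIUS.  Per RFC 2865 the
packet ID is a header field (Code, Identifier, Length, Authenticator), not
an attribute; Called-Station-Id is attribute type 30.  All packet bytes
below are constructed here.
"""
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

# A few standard attribute types from RFC 2865 and how their values are encoded.
ATTR_TYPES = {
    1: ("User-Name", "str"),
    4: ("NAS-IP-Address", "ip"),
    5: ("NAS-Port", "int"),
    30: ("Called-Station-Id", "str"),
    31: ("Calling-Station-Id", "str"),
    32: ("NAS-Identifier", "str"),
}
NAME_TO_TYPE = {name: t for t, (name, _) in ATTR_TYPES.items()}


def encode_attr(name, value):
    """Encode one attribute as Type (1) | Length (1) | Value, RFC 2865 s5."""
    attr_type = NAME_TO_TYPE[name]
    kind = ATTR_TYPES[attr_type][1]
    if kind == "str":
        data = value.encode("utf-8")
    elif kind == "int":
        data = struct.pack(">I", value)
    else:  # "ip": four dotted-decimal octets
        data = bytes(int(octet) for octet in value.split("."))
    if not 1 <= len(data) <= 253:
        raise ValueError(f"{name}: value length {len(data)} out of range")
    return struct.pack(">BB", attr_type, len(data) + 2) + data


def build_packet(code, identifier, authenticator, attrs):
    """Header (Code, Identifier, Length, 16-octet Authenticator), then attributes."""
    if len(authenticator) != 16:
        raise ValueError("Authenticator must be 16 octets")
    body = b"".join(encode_attr(name, value) for name, value in attrs)
    return struct.pack(">BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(raw):
    """Decode a packet, rejecting bad outer or attribute lengths."""
    if len(raw) < 20:
        raise ValueError("RADIUS header is 20 octets")
    code, identifier, length = struct.unpack(">BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError(f"bad Length field {length} for {len(raw)} octets")
    attrs = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = raw[pos], raw[pos + 1]
        # An attribute may never overrun the packet length: stop before reading it.
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"attribute {attr_type}: bad length {attr_len}")
        data = raw[pos + 2:pos + attr_len]
        name, kind = ATTR_TYPES.get(attr_type, (f"Attr-{attr_type}", "bytes"))
        if kind == "str":
            value = data.decode("utf-8", "replace")
        elif kind == "int" and len(data) == 4:
            value = struct.unpack(">I", data)[0]
        elif kind == "ip" and len(data) == 4:
            value = ".".join(str(b) for b in data)
        else:
            value = data
        attrs[name] = value
        pos += attr_len
    return {
        "code": RADIUS_CODES.get(code, code),
        "id": identifier,  # the request ID: a header field, not an attribute
        "length": length,
        "authenticator": raw[4:20],
        "attrs": attrs,
    }


# Constructed sample: ID and attributes echo the debug output quoted in the
# digest below; the authenticator is a fixed dummy, and User-Password is
# omitted because encoding it needs the shared secret (RFC 2865 s5.2).
SAMPLE_REQUEST = build_packet(
    code=1,
    identifier=120,
    authenticator=bytes(range(16)),
    attrs=[
        ("User-Name", "1104015936"),
        ("NAS-IP-Address", "127.0.1.1"),
        ("NAS-Port", 1812),
        ("Called-Station-Id", "46-E7-CF-62-78-11"),
    ],
)


def request_summary(raw=SAMPLE_REQUEST):
    """Return (code name, request ID, attribute dict) for a packet."""
    pkt = parse_packet(raw)
    return pkt["code"], pkt["id"], pkt["attrs"]


if __name__ == "__main__":
    print(request_summary())
```

The parser refuses any attribute whose Length would run past the packet's own Length field before it reads the value, which is the check a server needs against truncated or deliberately malformed attribute headers.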
  ------------------ Original ------------------
  From:  "freeradius-users"<freeradius-users-request at lists.freeradius.org>;
 Date:  Fri, Apr 20, 2012 08:12 AM
 To:  "freeradius-users"<freeradius-users at lists.freeradius.org>; 
 
 Subject:  Freeradius-Users Digest, Vol 84, Issue 60

  
Send Freeradius-Users mailing list submissions to
freeradius-users at lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request at lists.freeradius.org

You can reach the person managing the list at
freeradius-users-owner at lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. Re: Perl, MySQL & auth (Fabricio Flores)
   2. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (alan buxey)
   3. Re: Perl, MySQL & auth (alan buxey)
   4. Re: using windows 8's builtin eap-ttls... Windows 8 bug
      (Matthew Newton)
   5. Re: using windows 8's builtin eap-ttls... Windows 8 bug
      (alan buxey)
   6. Re: Perl, MySQL & auth (Fabricio Flores)


----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Apr 2012 10:48:28 -0500
From: Fabricio Flores <fabrifloresg at gmail.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Perl, MySQL & auth
Message-ID:
<CAJfLZm94kTamUafQf5QNxs95yOti9zEEy3bQNNvb4zPdw4dAnQ at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi... I worked on my Perl script... I did the connection to the web service
and it works... I configured FreeRADIUS (added perl and sql) in the auth section,
I made a debug with freeradius -X but I don't know if FreeRADIUS reads the
Perl script before working with MySQL... I have this output:
rad_recv: Access-Request packet from host 127.0.0.1 port 45894, id=120,
length=62
User-Name = "1104015936"
User-Password = "fabricio1"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "usuario", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
rlm_perl: Added pair User-Name = usuario
rlm_perl: Added pair User-Password = clave
rlm_perl: Added pair NAS-Port = 1812
rlm_perl: Added pair NAS-IP-Address = 127.0.1.1
++[perl] returns ok
[sql] expand: %{User-Name} -> 1104015936
[sql] sql_set_user escaped user --> 'usuario'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radcheck
      WHERE username = 'usuario'           ORDER BY id
[sql] expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username = 'usuario'
          ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User usuario not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> usuario
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 120 to 127.0.0.1 port 45894
Waking up in 4.9 seconds.
Cleaning up request 1 ID 120 with timestamp +410
Ready to process requests.



On 9 April 2012 at 16:49, Fajar A. Nugraha <list at fajar.net> wrote:

> On Mon, Apr 9, 2012 at 10:49 PM, Fabricio Flores <fabrifloresg at gmail.com>
> wrote:
> > is it possible to use perl and mysql in the authorization section? in
>
> As I've already said, yes.
>
> --
> Fajar
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Fabricio A. Flores G.
Graduate in Systems Engineering

MSN: fabri_floresg at hotmail.com
Google: fabrifloresg at gmail.com
Twitter: fabricioflores
Skype: fabriciofloresgallardo

Blog Personal <http://fabricioflores.wordpress.com/>

------------------------------

Message: 2
Date: Thu, 19 Apr 2012 16:53:42 +0100
From: alan buxey <A.L.M.Buxey at lboro.ac.uk>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Message-ID: <20120419155342.GD1845 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii

hi,

quick look seems to show that you don't have a suitable authorise
section in the inner tunnel.

the tunnel gets started...your client rejects the default md5
the server sent - and EAP-TTLS gets done...the username/password
gets sent but has nothing to go against.... so I suggest
you add

'ldap' to the inner-tunnel virtual server (in the same way that ldap and
LDAP are defined in the default server...)

alan


------------------------------

Message: 3
Date: Thu, 19 Apr 2012 16:56:10 +0100
From: alan buxey <A.L.M.Buxey at lboro.ac.uk>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Perl, MySQL & auth
Message-ID: <20120419155610.GE1845 at lboro.ac.uk>
Content-Type: text/plain; charset=utf-8

Hi,

>    Hi... I worked in my perl script... i did the conection to the web service
>    and it works... I configure freeradius (add perl and sql) in auth section,
>    I made a debug with freeradius -X but I don't know if freeradius read the
>    perl script before work with mysql... i have this output:

the logs show the perl being called before the sql...and the sql failing with
usuario userid not being found


alan


------------------------------

Message: 4
Date: Thu, 19 Apr 2012 19:53:13 +0100
From: Matthew Newton <mcn4 at leicester.ac.uk>
To: aman.arneja at microsoft.com
Cc: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: using windows 8's builtin eap-ttls... Windows 8 bug
Message-ID: <20120419185313.GC10911 at rootmail.cc.le.ac.uk>
Content-Type: text/plain; charset=us-ascii

Hi Aman,

(I'm copying freeradius-users to feedback to the thread, but
as it's not really a FR issue I'm happy for you to take this
off-list if you want any more details/testing).

On Mon, Mar 05, 2012 at 08:19:15PM +0000, Alan Buxey wrote:
> right. interesting. I've just been looking into Windows 8 and I found
> that if I chose a non-EAP method with TTLS (eg PAP or MSCHAP) then it
> didnt work. but if I chose an EAP method with TTLS - eg EAP-MSCHAPv2 then
> it worked fine. so more needs to be looked at there.

We've been digging into this a bit more and testing the TTLS
support with Windows 8. Really nice to see more options than just
PEAP at last :-)

There seems to be a bug in the Windows 8 TTLS ACK, which means
that EAP-TTLS/MS-CHAPv2 doesn't work (EAP-TTLS/MSCHAP and
EAP-TTLS/EAP-MSCHAP-V2 are OK).

Having received an Access-Accept from the inner tunnel (after the
mschap module succeeded), FreeRADIUS sends an Access-Challenge
back to the NAS. See src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c:675.

The end device should respond to the challenge with a TTLS ACK.
RFC 5281 s9.2.3 says:

 "An Acknowledgement packet is an EAP-TTLS packet with no
  additional data beyond the Flags octet, and with the L, M, and S
  bits of the Flags octet set to 0.  (Note, however, that the V
  field MUST still be set to the appropriate version number.)"

(this is correctly handled in FR src/modules/rlm_eap/libeap/eap_tls.c:375)

The EAP-Message in the resulting Access-Request from Win8 is:

  EAP-Message = 0x020b000a158000000000

Which is Response / id 11 / length 10 / type TTLS, then:
  flags 0x80 ('length included') followed by a length of 00000000.

Note the RFC says there is no additional data beyond Flags, and L/M/S
are all set to 0 - here, L is set to 1, so it's not a correctly formed
ACK (albeit looking like one with Length set to 0), so FR bombs
out with:

[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 0
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] SSL_read Error
[ttls] Error in fragmentation logic
[ttls] eaptls_process returned 4 
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.


eapol_test with EAP-TTLS/MSCHAP-v2 works fine, and sends the TTLS
ACK back as:

  EAP-Message = 0x020800061500

which is fine - flags all 0, no TTLS length supplied.


Windows 8 with EAP-TTLS/MSCHAP is also fine, as there is no
Access-Challenge sent; it's a direct Access-Accept with
EAP-Message 0x030a0004 (Success).

As Alan noted, EAP-TTLS/EAP-MSCHAP-V2 also seems fine.

Cheers,

Matthew



-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

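As an added example (not code from Matthew's post and not FreeRADIUS's own eap_tls.c logic), this Python applies the RFC 5281 s9.2.3 rule to the three EAP-Message values quoted above. It splits the EAP header (Code, Identifier, Length, Type), reads the TTLS Flags octet, skips the four-octet TLS Message Length when L is set, and then classifies the packet: the eapol_test message comes back as a well-formed ACK, the Windows 8 message as an ACK-shaped packet that is not a valid ACK because L is set, and 0x030a0004 as EAP Success. The verdict strings and the helper names (parse_eap, classify_ttls, ttls_version) are this example's own, and the extra "data" packet in the test is constructed.

```python
"""Check whether an EAP-TTLS acknowledgement is well formed (RFC 5281 s9.2.3).

Added example, not code from the post or from FreeRADIUS.  It decodes the
EAP-Message values quoted in the post and applies the RFC rule: an ACK has
no data beyond the Flags octet and has the L, M and S bits cleared.
"""
import struct

# The three EAP-Message values quoted in the post, as raw bytes.
WIN8_ACK = bytes.fromhex("020b000a158000000000")      # Windows 8 TTLS "ACK"
EAPOL_TEST_ACK = bytes.fromhex("020800061500")        # eapol_test TTLS ACK
EAP_SUCCESS = bytes.fromhex("030a0004")               # EAP Success

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TTLS = 21            # EAP method type for EAP-TTLS (RFC 5281)
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More, Start
FLAG_V_MASK = 0x07            # low three bits carry the TTLS version


def parse_eap(raw):
    """Split an EAP packet into header fields; raise on a length mismatch."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 octets")
    code, ident, length = struct.unpack(">BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} does not match {len(raw)} octets")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response must carry a Type octet")
        pkt["type"] = raw[4]
        pkt["data"] = raw[5:]
    return pkt


def ttls_version(raw):
    """The V field of the Flags octet (must still be set in an ACK)."""
    return parse_eap(raw)["data"][0] & FLAG_V_MASK


def classify_ttls(raw):
    """Return 'ack', 'bad-ack', 'data', 'success' or 'failure'.

    RFC 5281 s9.2.3: an ACK carries nothing beyond the Flags octet and has
    L, M and S clear (only the V bits may be set).  A packet that carries
    no TLS data but has L set is what the post shows Windows 8 sending:
    ACK-shaped, but not a valid ACK.
    """
    pkt = parse_eap(raw)
    if pkt["code"] in ("Success", "Failure"):
        return pkt["code"].lower()
    if pkt.get("type") != EAP_TYPE_TTLS:
        raise ValueError(f"EAP type {pkt.get('type')} is not TTLS")
    data = pkt["data"]
    if not data:
        raise ValueError("EAP-TTLS packet has no Flags octet")
    flags, rest = data[0], data[1:]
    if flags & FLAG_L:
        if len(rest) < 4:
            raise ValueError("L bit set but no 4-octet TLS Message Length")
        rest = rest[4:]             # skip the TLS Message Length field
    if (flags & (FLAG_L | FLAG_M | FLAG_S)) == 0 and not rest:
        return "ack"                # exactly what the RFC describes
    if not rest:
        return "bad-ack"            # no TLS data, but L, M or S is set
    return "data"                   # carries a TLS record (fragment or whole)


if __name__ == "__main__":
    for label, msg in (("Windows 8", WIN8_ACK), ("eapol_test", EAPOL_TEST_ACK),
                       ("server", EAP_SUCCESS)):
        print(label, msg.hex(), "->", classify_ttls(msg))
```

The 0x80 flag with a zero length is the whole difference between the two ACKs: the check that accepts the eapol_test packet is the bitmask test on L/M/S, and it is that test (not the zero Length value) that the Windows 8 packet fails.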

------------------------------

Message: 5
Date: Thu, 19 Apr 2012 22:02:27 +0100
From: alan buxey <A.L.M.Buxey at lboro.ac.uk>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Cc: "aman.arneja at microsoft.com" <aman.arneja at microsoft.com>
Subject: Re: using windows 8's builtin eap-ttls... Windows 8 bug
Message-ID: <20120419210227.GA2768 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii

Hi,

> We've been digging into this a bit more and testing the TTLS
> support with Windows 8. Really nice to see more options than just
> PEAP at last :-)

thanks for the further testing/verification Matthew :-)

alan


------------------------------

Message: 6
Date: Thu, 19 Apr 2012 19:12:36 -0500
From: Fabricio Flores <fabrifloresg at gmail.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Perl, MySQL & auth
Message-ID:
<CAJfLZm88gdUSMR8bNZhmiKuP_Hp2QT3Jm6ODyLQmhL2K6LMgAA at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

OK, I start freeradius with freeradius -x and I have this error:

Can't load '/usr/lib/perl5/auto/DBI/DBI.so' for module DBI:
/usr/lib/perl5/auto/DBI/DBI.so: undefined symbol: PL_memory_wrap at
/usr/lib/perl/5.12/DynaLoader.pm line 192.

I read in another post that this is an error because I use Perl's DBI... so I
started freeradius with:

LD_PRELOAD=/usr/lib/libperl.so.5.12.4 freeradius -X

In this way the freeradius daemon starts, but in the freeradius log I have this:
Thu Apr 19 18:27:55 2012 : Info: Loaded virtual server inner-tunnel
Thu Apr 19 18:27:55 2012 : Error: rlm_perl: perl_parse failed:
/etc/freeradius/example.pl not found or has syntax errors.
Thu Apr 19 18:27:55 2012 : Error: /etc/freeradius/modules/perl[7]:
Instantiation failed for module "perl"
Thu Apr 19 18:27:55 2012 : Error:
/etc/freeradius/sites-enabled/default[265]: Failed to load module "perl".
Thu Apr 19 18:27:55 2012 : Error:
/etc/freeradius/sites-enabled/default[265]: Failed to parse "perl" entry.
Thu Apr 19 18:27:55 2012 : Error: Failed to load virtual server <default>

I tested the Perl script without freeradius variables and it works

On 19 April 2012 at 10:56, alan buxey <A.L.M.Buxey at lboro.ac.uk> wrote:

> Hi,
>
> >    Hi... I worked in my perl script... i did the conection to the web
> service
> >    and it works... I configure freeradius (add perl and sql) in auth
> section,
> >    I made a debug with freeradius -X but I don't know if freeradius read
> the
> >    perl script before work with mysql... i have this output:
>
> the logs show the perl being called before the sql...and the sql failing
> with
> usuario userid not being found
>
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Fabricio A. Flores G.
Graduate in Systems Engineering

MSN: fabri_floresg at hotmail.com
Google: fabrifloresg at gmail.com
Twitter: fabricioflores
Skype: fabriciofloresgallardo

Blog Personal <http://fabricioflores.wordpress.com/>

------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

End of Freeradius-Users Digest, Vol 84, Issue 60
************************************************