Problems with Huntgroup
Sergio Belkin
sebelk at gmail.com
Thu Jun 7 17:59:24 CEST 2012
2012/6/6 Matthew Newton <mcn4 at leicester.ac.uk>:
> On Wed, Jun 06, 2012 at 03:56:54PM -0300, Sergio Belkin wrote:
>> Good idea, I've tried appending %{EAP-Type) that to detail.log but
>> sending nothing
>> eg:
>>
>> auth-detail-AP-XXX-DEFAULT--20120606
>>
>> Between "-" and "-" is nothing (Neither TTLS nor PEAP appears)
>
> You've not really explained what you've done.
>
> However, I *guess* that you have added %{EAP-Type} to the filename
> (detailfile) in the detail config.
Yes, you guessed well.
>
> Look, though, where detail is getting called, and where eap is
> called, in the authorize section. It goes in order. The eap module
> sets EAP-Type, detail is called before.
>
> So you need to call the log after eap. But the gotcha is that eap
> will short circuit the return in the challenges, so you won't call
> the detail module if you put it after eap.
Nice to know :)
>
> I'd suggest you let all the incoming logs go to a single location
> where they are, then you add a new detail (or linelog) module to
> post-auth. That can use %{EAP-Type}, as it's *after* EAP has
> happened.
I've tested it and it works, nice! But please keep on reading:
>
> Alternatively, you can use my other suggestion anywhere you like.
> If you pick data out of EAP-Message yourself, you get to do what
> you want with it (and keep the shards when it shatters).
>
> Totally untested unlang.
>
> if (%{EAP-Message} =~ /^0x........19/) {
>     detail_log_peap
> }
> elsif (%{EAP-Message} =~ /^0x........15/) {
>     detail_log_ttls
> }
> else {
>     detail_log_other
> }
>
> Note that things *will* hit detail_log_other. EAP Identity, for
> instance, before the eap type has been agreed. If you do this in
> the inner server, be prepared for unexpectedness. In short,
> understand EAP first.
Good, but it sounds somewhat complex :)
>
> I just chuck the raw data out with detail and leave it be. The
> useful stuff is pristinely formatted with gentle loving care by
> the linelog module, where it sits in a nice greppable format for
> me. One log entry, in post-auth, after the useful stuff happened.
> Any more detail needed? Just go to the dirty detail log and dig it
> out. Happens so rarely it wouldn't matter if it was in binary
> format and had to be read with a hex editor in Windows...
>
Wow, linelog seems interesting. I've tried it, but it is only logging
Access-Request, why?
I add my debug output (I plan to get rid of the inner-tunnel-peap file):
FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on
Jan 3 2012 at 16:18:16
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb-testing/radiusd.conf
including configuration file /etc/raddb-testing/proxy.conf
including configuration file /etc/raddb-testing/clients.conf
including files in directory /etc/raddb-testing/modules/
including configuration file /etc/raddb-testing/modules/chap
including configuration file /etc/raddb-testing/modules/mschap
including configuration file
/etc/raddb-testing/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb-testing/modules/exec
including configuration file /etc/raddb-testing/modules/realm
including configuration file /etc/raddb-testing/modules/checkval
including configuration file /etc/raddb-testing/modules/rediswho
including configuration file /etc/raddb-testing/modules/passwd
including configuration file /etc/raddb-testing/modules/attr_filter
including configuration file /etc/raddb-testing/modules/linelog
including configuration file /etc/raddb-testing/modules/wimax
including configuration file /etc/raddb-testing/modules/pam
including configuration file /etc/raddb-testing/modules/inner-eap
including configuration file /etc/raddb-testing/modules/echo
including configuration file /etc/raddb-testing/modules/soh
including configuration file /etc/raddb-testing/modules/replicate
including configuration file /etc/raddb-testing/modules/acct_unique
including configuration file /etc/raddb-testing/modules/etc_group
including configuration file /etc/raddb-testing/modules/pap
including configuration file /etc/raddb-testing/modules/expr
including configuration file /etc/raddb-testing/modules/smbpasswd
including configuration file /etc/raddb-testing/modules/attr_rewrite
including configuration file /etc/raddb-testing/modules/radutmp
including configuration file /etc/raddb-testing/modules/mac2ip
including configuration file /etc/raddb-testing/modules/logintime
including configuration file /etc/raddb-testing/modules/sql_log
including configuration file /etc/raddb-testing/modules/smsotp
including configuration file /etc/raddb-testing/modules/preprocess
including configuration file /etc/raddb-testing/modules/policy
including configuration file /etc/raddb-testing/modules/cui
including configuration file /etc/raddb-testing/modules/perl
including configuration file /etc/raddb-testing/modules/digest
including configuration file /etc/raddb-testing/modules/mac2vlan
including configuration file /etc/raddb-testing/modules/otp
including configuration file /etc/raddb-testing/modules/files
including configuration file /etc/raddb-testing/modules/always
including configuration file /etc/raddb-testing/modules/ntlm_auth
including configuration file /etc/raddb-testing/modules/detail
including configuration file /etc/raddb-testing/modules/krb5
including configuration file /etc/raddb-testing/modules/sradutmp
including configuration file /etc/raddb-testing/modules/opendirectory
including configuration file /etc/raddb-testing/modules/counter
including configuration file /etc/raddb-testing/modules/detail.example.com
including configuration file /etc/raddb-testing/modules/ippool
including configuration file /etc/raddb-testing/modules/expiration
including configuration file /etc/raddb-testing/modules/dynamic_clients
including configuration file /etc/raddb-testing/modules/detail.log
including configuration file /etc/raddb-testing/modules/redis
including configuration file /etc/raddb-testing/modules/ldap
including configuration file /etc/raddb-testing/modules/unix
including configuration file /etc/raddb-testing/eap.conf
including configuration file /etc/raddb-testing/policy.conf
including files in directory /etc/raddb-testing/sites-enabled/
including configuration file /etc/raddb-testing/sites-enabled/status
including configuration file /etc/raddb-testing/sites-enabled/control-socket
including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel
including configuration file /etc/raddb-testing/sites-enabled/default
including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel-peap
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb-testing/dictionary
main {
name = "radiusd"
prefix = "/usr/local-test"
localstatedir = "/usr/local-test/var"
sbindir = "/usr/local-test/sbin"
logdir = "/usr/local-test/var/log/radius"
run_dir = "/usr/local-test/var/run/radiusd"
libdir = "/usr/local-test/lib"
radacctdir = "/usr/local-test/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local-test/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local-test/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = yes
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
client 192.168.1.5 {
Module: Linked to module rlm_linelog
Module: Instantiating module "linelog" from file
/etc/raddb-testing/modules/linelog
linelog {
filename = "/usr/local-test/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "%{%{Packet-Type}:-format}"
conns: 0xec4c700
ipaddr = 127.0.0.1
port = 18120
client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "YellowSubmarine"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18121
}
... adding new socket proxy address * port 59646
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on command file /usr/local-test/var/run/radiusd/radiusd.sock
Listening on status address 127.0.0.1 port 18120 as server status
Listening on authentication address 127.0.0.1 port 18121 as server inner-tunnel
Listening on proxy address 192.168.1.5 port 1814
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.129.85.1 port 39402,
id=192, length=199
Acct-Session-Id = "00000026-0000003A"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Name = "fsaze1"
NAS-Identifier = "AP-PVIII-V"
NAS-Port = 4
Called-Station-Id = "00-23-69-49-06-2C:sarlanga-I"
Calling-Station-Id = "60-FA-CD-42-C0-CE"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
Acct-Session-Time = 30
Acct-Input-Packets = 98
Acct-Output-Packets = 26
Acct-Input-Octets = 11164
Acct-Output-Octets = 7989
Event-Timestamp = "Jun 7 2012 10:37:44 ART"
Acct-Terminate-Cause = User-Request
# Executing section preacct from file /etc/raddb-testing/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 4,Client-IP-Address =
10.129.85.1,NAS-IP-Address = 10.129.85.1,Acct-Session-Id =
"00000026-0000003A",User-Name = "fsaze1"'
[acct_unique] Acct-Unique-Session-ID = "66c3a7d6e3d79d1a".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "fsaze1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file
/etc/raddb-testing/sites-enabled/default
+- entering group accounting {...}
[detail] expand:
/usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607
[detail] /usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607
[detail] expand: %t -> Thu Jun 7 10:37:44 2012
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /usr/local-test/var/log/radius/radutmp ->
/usr/local-test/var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> fsaze1
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> fsaze1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 192 to 10.129.85.1 port 39402
Finished request 0.
End of Output
Thanks in advance
>
>> > Add 'preprocess' to the top of the authorize{} section in your
>> > inner-tunnel-peap / inner-tunnel files. That's the module that
>> > checks huntgroups.
>>
>> Thanks guys, it did it! I just realized that modules must be appended in
>> the inner-tunnel files to load them :)
>
> Yeah, that's why it's called a virtual server. It's treated the
> same as the default server, the flow is the same. No module
> listed there? It doesn't happen.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Architect (UNIX and Networks), Network Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
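To make concrete what Matthew's untested unlang and his caveat about EAP Identity are doing, here is an added Python example (not from the thread and not FreeRADIUS code): it applies the same two regexes to constructed EAP-Message values, and alongside decodes the RFC 3748 header so you can see which byte each regex inspects and why Identity responses and Success packets fall through to detail_log_other. The "0x..." hex form is what %{EAP-Message} expands to for an octets attribute; only the first EAP-Message attribute of a request is considered here.

```python
import re
from dataclasses import dataclass

# Constructed sample EAP-Message values, as FreeRADIUS expands octets: "0x" + hex.
# Layout per RFC 3748: Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]
SAMPLES = {
    "peap_start": "0x010200061920",          # Request, id 2, len 6, Type 25 (PEAP), flags 0x20 (Start)
    "ttls_start": "0x010300061520",          # Request, id 3, len 6, Type 21 (TTLS), flags 0x20 (Start)
    "identity":   "0x0201000a01616c696365",  # Response, id 1, len 10, Type 1 (Identity), "alice"
    "success":    "0x03050004",              # Success, id 5, len 4: no Type byte at all
}

EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_NAMES = {1: "Identity", 21: "EAP-TTLS", 25: "PEAP"}


def classify_like_unlang(eap_message: str) -> str:
    """Same two regexes as the quoted unlang: skip the 8 hex chars of
    Code/Identifier/Length, then test the Type byte (0x19 = 25 PEAP, 0x15 = 21 TTLS)."""
    if re.match(r"^0x........19", eap_message):
        return "detail_log_peap"
    if re.match(r"^0x........15", eap_message):
        return "detail_log_ttls"
    return "detail_log_other"


@dataclass
class EapHeader:
    code: str
    identifier: int
    length: int
    eap_type: str  # "none" for Success/Failure, which carry no Type field


def decode_eap_header(eap_message: str) -> EapHeader:
    """Decode the fixed EAP header so the regex offsets above are visible."""
    hexpart = eap_message[2:] if eap_message.startswith("0x") else eap_message
    raw = bytes.fromhex(hexpart)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code = raw[0]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"Length field {length} does not match {len(raw)} bytes")
    # Only Request/Response packets carry a Type byte (RFC 3748 section 4.1).
    if code in (1, 2) and len(raw) >= 5:
        eap_type = EAP_TYPE_NAMES.get(raw[4], f"type {raw[4]}")
    else:
        eap_type = "none"
    return EapHeader(EAP_CODE_NAMES.get(code, f"code {code}"), raw[1], length, eap_type)
```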