Freeradius-Users Digest, Vol 107, Issue 36
Hangi Christian
hangi_chris at hotmail.com
Tue Mar 11 02:52:00 CET 2014
Hi Alan,

Thank you for your help. I've already run the radtest command as a regular user using debugging mode and I had this issue: $radclient: dict_init: Couldn't open dictionary "etc/raddb/dictionary" : Permission denied . I want to know how to solve this problem.

With regards, Christian.
> From: freeradius-users-request at lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 107, Issue 36
> To: freeradius-users at lists.freeradius.org
> Date: Mon, 10 Mar 2014 09:56:18 +0100
>
> Today's Topics:
>
> 1. Authentication on the basis of circuit id and not mac address
> (Mahima Kumar)
> 2. Authorise based on Calling Station ID ? (Darren Ward (darrward))
> 3. Testing an access-request user without the debugging mode
> (Hangi Christian)
> 4. Re: Testing an access-request user without the debugging mode
> (A.L.M.Buxey at lboro.ac.uk)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 9 Mar 2014 08:51:51 -0600
> From: Mahima Kumar <mahima at ualberta.ca>
> To: freeradius-users at lists.freeradius.org
> Subject: Authentication on the basis of circuit id and not mac address
> Message-ID:
> <CADOyXPg+1pxy90Dur+Pf6MxmJt3TBUHuo5oyuJvwA_y04uappw at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> I have used an Alcatel router as relay agent which gives the circuit id and
> I can see that in the radius debug output, so the client is getting
> authenticated on the basis of mac address and is getting the ip address
> from the DHCP server. Now I want to authenticate the client based on the
> circuit id provided by the relay agent in between, but the radius server
> doesn't accept username as circuit id, it only authenticates based on mac
> address of the client (I tried changing the users file), so can anyone
> please guide me as to what changes I have to make for this to be possible.
>
> TIA
>
>
> Regards,
> Mahima
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Mar 2014 01:57:23 +0000
> From: "Darren Ward (darrward)" <darrward at cisco.com>
> To: "freeradius-users at lists.freeradius.org"
> <freeradius-users at lists.freeradius.org>
> Subject: Authorise based on Calling Station ID ?
> Message-ID:
> <5D5ED6338DFDB54B8E876331223AEE2D1F88B009 at xmb-rcd-x10.cisco.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi All
>
> I have a two box wifi solution where the controller performs dot1x/EAP authentication of the end user, then a policy management box that sits behind that implements appropriate QoS and traffic policies to the users' traffic.
>
> Of course the Authen part is easy as it's just the normal username/password in users.
>
> The Author is a little bit trickier and I was interested in some opinions on how to resolve...
>
> Basically the policy manager uses the mac address to authorise the device.
>
> The mac address was sent by the wifi controller as the calling-station-id, but the question is how do I match that field against the user to authorise them?
>
> Darren
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Mar 2014 06:33:12 +0000
> From: Hangi Christian <hangi_chris at hotmail.com>
> To: "freeradius-users at lists.freeradius.org"
> <freeradius-users at lists.freeradius.org>
> Subject: Testing an access-request user without the debugging mode
> Message-ID: <DUB118-W18FF7A0914B285CD495FAB9A740 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello Guys,
>
> I am new to the Freeradius server and also to Linux, and I need your help regarding the functionality of the server. I am currently using freeradius version 2.2.3 and my desktop computer is running the CentOS 6.4 Linux operating system. First of all, I downloaded the uncompressed freeradius software package (freeradius-server-2.2.3.tar) from the freeradius website, http://www.freeradius.org, as source code in the tar format. After that I had to create a folder using CentOS Linux in order to copy the freeradius server source code package to the folder, uncompress it and install it on the computer. After copying it to the folder, I used the tar commands to uncompress the source code package and installed it on the computer using the #./configure, #make and #make install commands from the INSTALL file of the uncompressed server package. After installation, the configuration files of the RADIUS SERVER were found under the /usr/local/etc/raddb directory path.
> I tested the server in the debugging mode using radiusd -X and at the end of the output I saw this line: "Ready to process requests".
>
> I first created a user inside the users file and did the normal default testing with the debugging mode, and the user was accepted. After that I changed the clients.conf file, putting in my shared key and the IP address of the switch, and also configured ssh on the server side.
>
> I have done the AAA, Radius and SSH configurations on the switch, then I used Putty on another computer to access the server by putting in the IP address of the switch.
>
> Is this the right way to access the server?
> I ran the debugging mode on the server and tried to access it using putty on another PC.
> Here is the result I got:
> rad_recv: Accounting-Request packet from host 192.168.9.26 port 5001, id=151, length=122
> User-Name = "testing"
> NAS-Identifier = "002389550a92"
> NAS-Port = 16781313
> NAS-Port-Type = Ethernet
> Calling-Station-Id = "0000-0000-0000"
> Acct-Status-Type = Start
> Acct-Authentic = RADIUS
> Acct-Session-Id = "1100030205009"
> Framed-IP-Address = 192.168.9.25
> NAS-IP-Address = 192.168.9.26
> Event-Timestamp = "Apr 2 2000 12:00:06 ICT"
> Service-Type = Login-User
> # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
> +group preacct {
> ++[preprocess] = ok
> [acct_unique] Hashing 'NAS-Port = 16781313,NAS-Identifier = "002389550a92",NAS-IP-Address = 192.168.9.26,Acct-Session-Id = "1100030205009",User-Name = "testing"'
> [acct_unique] Acct-Unique-Session-ID = "6ff6addd9c912e31".
> ++[acct_unique] = ok
> [suffix] No '@' in User-Name = "testing", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> ++[files] = noop
> +} # group preacct = ok
> # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
> +group accounting {
> [detail] expand: %{Packet-Src-IP-Address} -> 192.168.9.26
> [detail] expand: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.9.26/detail-20140310
> [detail] /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.9.26/detail-20140310
> [detail] expand: %t -> Mon Mar 10 13:12:05 2014
> ++[detail] = ok
> ++[unix] = ok
> ++[exec] = noop
> [attr_filter.accounting_response] expand: %{User-Name} -> testing
> attr_filter: Matched entry DEFAULT at line 12
> ++[attr_filter.accounting_response] = updated
> +} # group accounting = updated
> Sending Accounting-Response of id 151 to 192.168.9.26 port 5001
> Finished request 1.
> Cleaning up request 1 ID 151 with timestamp +122
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 10 with timestamp +122
> Ready to process requests.
>
> Then I stopped the debugging mode and ran the server using these commands:
>
> [root at chris raddb]# service radiusd restart
> Stopping radiusd: [ OK ]
> Starting radiusd: [ OK ]
>
> On the user's PC side I got access denied and the server does not report on the radius.log file.
> Please help me and also correct me wherever I went wrong.
>
> With Regards,
> Chris
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Mar 2014 08:55:51 +0000
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Testing an access-request user without the debugging mode
> Message-ID: <20140310085551.GA1959 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > Stopping radiusd: [ OK ]
> > Starting radiusd: [ OK ]
> >
> > On the user's PC side I got access denied and the server does not report
> > on the radius.log file.
> > Please help me and also correct me wherever I went wrong.
>
> if everything works fine in the full debug mode, then the problem when running
> as a service is either a file permissions issue (since when you ran in debug
> mode things got written as 'root' user...now it's trying to run as a non priv
> task - check the files it's trying to write/access - AND check what the server says when
> run in foreground mode (not full debug, just not as a background daemon).
>
> another issue may be eg SELinux - are you running SELinux ('getenforce' output will
> say Enforcing) - it may be that you need to use SELinux policy tools to allow certain
> things (wondering why you aren't using the FreeRADIUS that comes as part of your distro
> in these early days of testing/getting familiar?) - you can validate this by temporarily
> turning off SELinux 'setenforce 0' - to see what happens
>
> alan
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> End of Freeradius-Users Digest, Vol 107, Issue 36
> *************************************************
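
Added example (not part of the original thread, and not FreeRADIUS code): the "Permission denied" on etc/raddb/dictionary and the file-permission cause raised in Message 4 can be narrowed down by walking the path one component at a time and reporting the first one that denies a given account. The function name first_blocker and the demo tree are assumptions made for illustration; only classic mode bits are modelled.

```shell
#!/bin/sh
# first_blocker PATH UID "GID ..."
# Prints the first path component whose mode bits deny that uid/gid set:
# search (x) on each directory, read (r) on the final component.
# Classic mode bits only: ACLs, SELinux and root's override are not modelled.
first_blocker() {
    rest=$1 uid=$2 gids=$3
    case $rest in /*) cur="" ;; *) cur="." ;; esac
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        if [ -z "$comp" ]; then continue; fi
        cur="$cur/$comp"
        # ls -n prints numeric owner and group; -L follows symlinks.
        read -r mode nlinks owner group tail <<EOF
$(ls -ldnL -- "$cur" 2>/dev/null)
EOF
        if [ -z "$mode" ]; then printf '%s (cannot stat)\n' "$cur"; return 2; fi
        # Exactly one permission class applies: owner, else group, else other.
        trip=$(printf '%s' "$mode" | cut -c8-10)
        for g in $gids; do
            if [ "$g" = "$group" ]; then trip=$(printf '%s' "$mode" | cut -c5-7); fi
        done
        if [ "$uid" = "$owner" ]; then trip=$(printf '%s' "$mode" | cut -c2-4); fi
        if [ -n "$rest" ]; then need=x; else need=r; fi
        case "$need$trip" in
            x??[xst] | rr??) ;;                    # required bit is set
            *) printf '%s\n' "$cur"; return 1 ;;
        esac
    done
    return 0
}

# Constructed demo tree (not a real install): raddb is closed to "other".
demo=$(mktemp -d)
mkdir -p "$demo/etc/raddb" && : > "$demo/etc/raddb/dictionary"
chmod 755 "$demo/etc"; chmod 750 "$demo/etc/raddb"
chmod 644 "$demo/etc/raddb/dictionary"
stranger=$(( $(id -u) + 1 )); sgid=$(( $(id -g) + 1 ))   # not owner, not in group
( cd "$demo" && echo "blocked at: $(first_blocker etc/raddb/dictionary "$stranger" "$sgid")" )
rm -rf "$demo"
```

Call it with the numeric uid and group ids of the account that runs radtest or radiusd (as printed by `id`). Since clients.conf under raddb holds the shared key, a blocked component is better resolved through group membership than by making the directory world-readable.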