Freeradius-Users Digest, Vol 107, Issue 36

Hangi Christian hangi_chris at hotmail.com
Tue Mar 11 02:52:00 CET 2014




Hi Alan,

Thank you for your help. I've already run the radtest command as a regular user using debugging mode and I had this issue:

$radclient: dict_init: Couldn't open dictionary "etc/raddb/dictionary" : Permission denied

I want to know how to solve this problem.

With regards,
Christian.

> From: freeradius-users-request at lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 107, Issue 36
> To: freeradius-users at lists.freeradius.org
> Date: Mon, 10 Mar 2014 09:56:18 +0100
> 
> Today's Topics:
> 
>    1. Authentication on the basis of circuit id and not mac address
>       (Mahima Kumar)
>    2. Authorise based on Calling Station ID ? (Darren Ward (darrward))
>    3. Testing an access-request user without the debugging mode
>       (Hangi Christian)
>    4. Re: Testing an access-request user without the debugging mode
>       (A.L.M.Buxey at lboro.ac.uk)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 9 Mar 2014 08:51:51 -0600
> From: Mahima Kumar <mahima at ualberta.ca>
> To: freeradius-users at lists.freeradius.org
> Subject: Authentication on the basis of circuit id and not mac address
> Message-ID:
> 	<CADOyXPg+1pxy90Dur+Pf6MxmJt3TBUHuo5oyuJvwA_y04uappw at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Hi,
> 
> I have used an Alcatel router as relay agent which gives the circuit id and
> I can see that in the radius debug output, so the client is getting
> authenticated on the basis of mac address and is getting the ip address
> from the DHCP server. Now I want to authenticate the client based on the
> circuit id provided by the relay agent in between, but the radius server
> doesn't accept username as circuit id, it only authenticates based on mac
> address of the client (I tried changing the users file), so can anyone
> please guide me as to what changes I have to make for this to be possible.
> 
> TIA
> 
> 
> Regards,
> Mahima
> 
> ------------------------------
> 
> Message: 2
> Date: Mon, 10 Mar 2014 01:57:23 +0000
> From: "Darren Ward (darrward)" <darrward at cisco.com>
> To: "freeradius-users at lists.freeradius.org"
> 	<freeradius-users at lists.freeradius.org>
> Subject: Authorise based on Calling Station ID ?
> Message-ID:
> 	<5D5ED6338DFDB54B8E876331223AEE2D1F88B009 at xmb-rcd-x10.cisco.com>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hi All,
> 
> I have a two-box wifi solution where the controller performs dot1x/EAP authentication of the end user, then a policy management box that sits behind that implements appropriate QoS and traffic policies for the users' traffic.
> 
> Of course the Authen part is easy as it's just the normal username/password in users.
> 
> The Author is a little bit trickier and I was interested in some opinions on how to resolve...
> 
> Basically the policy manager uses the mac address to authorise the device.
> 
> The mac address was sent by the wifi controller as the calling-station-id, but the question is how do I match that field against the user to authorise them?
> 
> Darren
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Mon, 10 Mar 2014 06:33:12 +0000
> From: Hangi Christian <hangi_chris at hotmail.com>
> To: "freeradius-users at lists.freeradius.org"
> 	<freeradius-users at lists.freeradius.org>
> Subject: Testing an access-request user without the debugging mode
> Message-ID: <DUB118-W18FF7A0914B285CD495FAB9A740 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Hello Guys,
> 
> I am new to the FreeRADIUS server and also to Linux, and I need your help regarding the functionality of the server. I am currently using freeradius version 2.2.3 and my desktop computer is running the CentOS 6.4 Linux operating system. First of all, I've downloaded the uncompressed freeradius software package (freeradius-server-2.2.3.tar) from the freeradius website, http://www.freeradius.org, as source code in the tar format. After that I had to create a folder in CentOS Linux in order to copy the freeradius server source code package to the folder, where it was uncompressed and installed on the computer. After it was copied to the folder, I used the tar command to uncompress the source code package and installed it on the computer using the #./configure, #make and #make install commands from the INSTALL file of the uncompressed server package. After installation, the configuration files of the RADIUS server were found under the /usr/local/etc/raddb directory path.
> I tested the server in debugging mode using radiusd -X and at the end of the output I saw this line: "Ready to process requests".
> 
> I first created a user inside the users file and did the normal default testing in debugging mode, and the user was accepted. After that I changed the clients.conf file, putting in my shared key and the IP address of the switch, and also configured ssh on the server side.
> 
> I have done the AAA, RADIUS and SSH configurations on the switch, then I used PuTTY on another computer to access the server by putting in the IP address of the switch.
> 
> Is this the right way to access the server?
> I ran the debugging mode on the server and tried to access it using PuTTY on another PC.
> Here is the result I got:
>      rad_recv: Accounting-Request packet from host 192.168.9.26 port 5001, id=151, length=122
>     User-Name = "testing"
>     NAS-Identifier = "002389550a92"
>     NAS-Port = 16781313
>     NAS-Port-Type = Ethernet
>     Calling-Station-Id = "0000-0000-0000"
>     Acct-Status-Type = Start
>     Acct-Authentic = RADIUS
>     Acct-Session-Id = "1100030205009"
>     Framed-IP-Address = 192.168.9.25
>     NAS-IP-Address = 192.168.9.26
>     Event-Timestamp = "Apr  2 2000 12:00:06 ICT"
>     Service-Type = Login-User
> # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
> +group preacct {
> ++[preprocess] = ok
> [acct_unique] Hashing 'NAS-Port = 16781313,NAS-Identifier = "002389550a92",NAS-IP-Address = 192.168.9.26,Acct-Session-Id = "1100030205009",User-Name = "testing"'
> [acct_unique] Acct-Unique-Session-ID = "6ff6addd9c912e31".
> ++[acct_unique] = ok
> [suffix] No '@' in User-Name = "testing", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> ++[files] = noop
> +} # group preacct = ok
> # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
> +group accounting {
> [detail]     expand: %{Packet-Src-IP-Address} -> 192.168.9.26
> [detail]     expand: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.9.26/detail-20140310
> [detail] /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.9.26/detail-20140310
> [detail]     expand: %t -> Mon Mar 10 13:12:05 2014
> ++[detail] = ok
> ++[unix] = ok
> ++[exec] = noop
> [attr_filter.accounting_response]     expand: %{User-Name} -> testing
> attr_filter: Matched entry DEFAULT at line 12
> ++[attr_filter.accounting_response] = updated
> +} # group accounting = updated
> Sending Accounting-Response of id 151 to 192.168.9.26 port 5001
> Finished request 1.
> Cleaning up request 1 ID 151 with timestamp +122
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 10 with timestamp +122
> Ready to process requests.
> 
> Then I stopped the debugging mode and ran the server using this command:
>  
>  [root at chris raddb]# service radiusd restart
> Stopping radiusd:                                          [  OK  ]
> Starting radiusd:                                          [  OK  ]
> 
> On the user's PC side I got access denied and the server does not report in the radius.log file.
> Please help me and also correct me wherever I went wrong.
> 
> With Regards,
>  Chris
> 
> ------------------------------
> 
> Message: 4
> Date: Mon, 10 Mar 2014 08:55:51 +0000
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: Testing an access-request user without the debugging mode
> Message-ID: <20140310085551.GA1959 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
> 
> Hi,
> 
> >    Stopping radiusd:                                          [  OK  ]
> >    Starting radiusd:                                          [  OK  ]
> > 
> >    On the user's PC side I got access denied and the server does not report
> >    on the radius.log file.
> >    Please help me and also correct me wherever I went wrong.
> 
> if everything works fine in the full debug mode, then the problem when running
> as a service is either a file permissions issue (since when you ran in debug
> mode things got written as 'root' user... now it's trying to run as a non-priv
> task) - check the files it's trying to write/access - AND check what the server says when
> run in foreground mode (not full debug, just not as a background daemon).
> 
> another issue may be e.g. SELinux - are you running SELinux ('getenforce' output will
> say Enforcing) - it may be that you need to use SELinux policy tools to allow certain
> things (wondering why you aren't using the FreeRADIUS that comes as part of your distro
> in these early days of testing/getting familiar?) - you can validate this by temporarily
> turning off SELinux 'setenforce 0' - to see what happens
> 
> alan
> 
> 
> ------------------------------
> 
> 
> End of Freeradius-Users Digest, Vol 107, Issue 36
> *************************************************
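
The dictionary error reported at the top of this message and the file-permission cause Alan describes both come down to which uid can traverse and read the raddb path. An added example (not part of the original messages, and not FreeRADIUS code) that reports the first path component blocking a given uid/gid; the function names, the demo layout and its modes are assumptions, and ACLs, SELinux and supplementary groups are not modelled:

```shell
#!/bin/sh
# Added example: which path component stops a given uid/gid from reading a file?
# Classic mode bits only: ACLs, SELinux and supplementary groups are not modelled.
# Needs `stat -c` (GNU coreutils or BusyBox).

# perm_bits UID GID PATH: print the rwx digit (0-7) that applies to UID/GID.
perm_bits() {
    uid=$1; gid=$2
    info=$(stat -c '%a %u %g' "$3") || return 2
    set -- $info                  # $1 = octal mode, $2 = owner uid, $3 = owner gid
    mode=$((0$1))                 # leading 0 makes the shell read it as octal
    if   [ "$uid" -eq "$2" ]; then echo $(( (mode >> 6) & 7 ))
    elif [ "$gid" -eq "$3" ]; then echo $(( (mode >> 3) & 7 ))
    else                           echo $((  mode & 7 ))
    fi
}

# first_blocker UID GID START RELPATH: check START, then each component of
# RELPATH. Prints the first path UID/GID cannot pass and returns 1; returns 0
# when the final file is readable.
first_blocker() {
    fb_uid=$1; fb_gid=$2; cur=$3; rest=$4
    [ "$fb_uid" -eq 0 ] && return 0          # root bypasses mode bits
    while :; do
        bits=$(perm_bits "$fb_uid" "$fb_gid" "$cur") || { echo "$cur"; return 1; }
        if [ -d "$cur" ]; then need=1; else need=4; fi   # x to traverse, r to read
        if [ $(( bits & need )) -eq 0 ]; then echo "$cur"; return 1; fi
        [ -z "$rest" ] && return 0
        cur="${cur%/}/${rest%%/*}"
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    done
}

# Constructed layout with assumed modes: raddb/ is 750, dictionary is 640.
make_demo_tree() {
    t=$(mktemp -d) && chmod 755 "$t" && mkdir "$t/raddb" &&
    : > "$t/raddb/dictionary" && chmod 640 "$t/raddb/dictionary" &&
    chmod 750 "$t/raddb" && echo "$t"
}

root=$(make_demo_tree)
o_uid=$(( $(stat -c %u "$root/raddb") + 1 ))   # a uid that is not the owner
o_gid=$(( $(stat -c %g "$root/raddb") + 1 ))   # a gid that is not the group
if blocker=$(first_blocker "$o_uid" "$o_gid" "$root" raddb/dictionary)
then echo "uid $o_uid can read raddb/dictionary"
else echo "uid $o_uid is blocked at $blocker"
fi
rm -rf "$root"
```

On a real host, call `first_blocker <uid> <gid> / usr/local/etc/raddb/dictionary` with the uid and gid of the account that runs radtest or radiusd.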

 		 	   		  