linelog best practice
cedric delaunay
cedric.delaunay at univ-rennes1.fr
Wed Feb 1 15:39:03 CET 2017
Hi all,
Thanks Stefan for the proposition; I finally upgraded from the packetfence version as Alan suggested in another post
(http://lists.freeradius.org/pipermail/freeradius-users/2017-January/086387.html).
The system admin added a new repo allowing only freeradius* packages, and I'm now running 3.0.13 successfully.
Before it started I had to customise my conf files and in particular
disable the filter_username module in the authorize sections.
Has anyone ever had a reject because of an unreal reason? It looks like a
bug, or am I wrong?
Here are the radiusd -X details:
Ready to process requests
(1) Received Access-Request Id 48 from 129.20.3.1:32770 to 129.20.128.215:2012 length 267
(1) User-Name = "XXXXXXX at univ-rennes1.fr"
(1) Calling-Station-Id = "xx:xx:xx:xx:xx:xx"
(1) Called-Station-Id = "zz:zz:zz:zz:zz:zz:eduroam2"
(1) NAS-Port = 13
(1) Cisco-AVPair = "audit-session-id=81140301004ea5905891e58f"
(1) NAS-IP-Address = 129.20.3.1
(1) NAS-Identifier = "cs5508-00-12d-1"
(1) Airespace-Wlan-Id = 9
(1) Service-Type = Framed-User
(1) Framed-MTU = 1300
(1) NAS-Port-Type = Wireless-802.11
(1) Tunnel-Type:0 = VLAN
(1) Tunnel-Medium-Type:0 = IEEE-802
(1) Tunnel-Private-Group-Id:0 = "410"
(1) EAP-Message = 0x0202001d016364656c61756e6140756e69762d72656e6e6573312e6672
(1) Message-Authenticator = 0x1132d719171132f5a5c236cf9c4f3de1
(1) # Executing section authorize from file /etc/raddb//sites-enabled/eduroam
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> TRUE
(1) if (&User-Name =~ /\.$/) {
(1) update request {
(1) &Module-Failure-Message += 'Rejected: Realm ends with a dot'
(1) } # update request = noop
(1) [reject] = reject
(1) } # if (&User-Name =~ /\.$/) = reject
(1) } # if (&User-Name) = reject
(1) } # policy filter_username = reject
(1) } # authorize = reject
(1) Invalid user (Rejected: Realm ends with a dot): [XXXXXXX at univ-rennes1.fr] (from client Controleur1 port 13 cli xx:xx:xx:xx:xx:xx)
.......
Received Access-Request Id 47 from 129.20.3.1:32770 to 129.20.128.215:2012 length 267
(2) User-Name = "XXXXXXX at univ-rennes1.fr"
(2) Calling-Station-Id = "xx:xx:xx:xx:xx:xx"
(2) Called-Station-Id = "zz:zz:zz:zz:zz:zz:eduroam2"
(2) NAS-Port = 13
(2) Cisco-AVPair = "audit-session-id=81140301004ea2255891e39d"
(2) NAS-IP-Address = 129.20.3.1
(2) NAS-Identifier = "cs5508-00-12d-1"
(2) Airespace-Wlan-Id = 9
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) Tunnel-Type:0 = VLAN
(2) Tunnel-Medium-Type:0 = IEEE-802
(2) Tunnel-Private-Group-Id:0 = "410"
(2) EAP-Message = 0x0201001d016364656c61756e6140756e69762d72656e6e6573312e6672
(2) Message-Authenticator = 0x6e2d0c853052c1e6c24554832e2986c2
(2) # Executing section authorize from file /etc/raddb//sites-enabled/eduroam
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> TRUE
(2) if (&User-Name =~ /\.\./ ) {
(2) update request {
(2) &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(2) } # update request = noop
(2) [reject] = reject
(2) } # if (&User-Name =~ /\.\./ ) = reject
(2) } # if (&User-Name) = reject
(2) } # policy filter_username = reject
(2) } # authorize = reject
(2) Invalid user (Rejected: User-Name contains multiple ..s): [XXXXXXX at univ-rennes1.fr] (from client Controleur1 port 13 cli xx:xx:xx:xx:xx:xx)
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/raddb//sites-enabled/eduroam
(2) Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject: --> XXXXXXX at univ-rennes1.fr
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2) [attr_filter.access_reject] = updated
Anyway, I disabled the module and it works.
I'll now look at Module-Failure-Message.
Cedric
On 25/01/2017 at 10:56, Stefan Paetow wrote:
>> I would like switch from 2.x to 3.x as soon as possible so I can't wait for 3.0.13 release on my centos ;(
> If you are ok with getting a CentOS version of FR that's *not* from the official repo, you can get one from the Moonshot repository[1][2]. Granted, it comes with additional build functionality (dynamic realm lookup with Moonshot technology), but at least you won't have to hang around with 2.x anymore.
>
> [1] http://repository.project-moonshot.org/rpms/centos6/RPMS/x86_64/
> [2] Instructions: https://wiki.moonshot.ja.net/display/TEM/_SystemPrep_RHEL6 (or _SystemPrep_RHEL7)
>
> We expect to release a 3.0.13 once Alan releases it.
>
> :-)
>
> Stefan Paetow
> Moonshot Industry & Research Liaison Coordinator
>
> t: +44 (0)1235 822 125
> gpg: 0x3FCE5142
> xmpp: stefanp at jabber.dev.ja.net
> skype: stefan.paetow.janet
>
> jisc.ac.uk
--
Cédric Delaunay
Direction des Systèmes d'Informations
Equipe Réseau & Telephonie
263, Avenue du Général Leclerc
CS 74205 - 35042 Rennes Cedex
Tel: 02 23 23 71 59
For any request, please use the help and support service via the ENT at
http://ent.univ-rennes1.fr
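The debug output above is puzzling because the same User-Name is rejected twice for different reasons ("Realm ends with a dot" in request 1, "User-Name contains multiple ..s" in request 2), neither of which applies to an identity of the form user@univ-rennes1.fr (the " at " in the archive is the list's address obfuscation; the attribute carried by the supplicant contains a literal "@"). The following Python re-implements the five checks exactly as radiusd -X printed them, so the expected verdict for a well-formed eduroam identity can be confirmed independently of the server. This is an added illustration, not FreeRADIUS code or the policy.d/filter file; the two quoted rejection strings come from the log, the wording of the other three reasons and all sample identities are assumptions for the example.

```python
import re

# Rejection reasons. The two quoted strings below appear verbatim in the
# debug log; the wording of the other three is assumed for this illustration.
REASON_SPACE = "User-Name contains whitespace"
REASON_MULTI_AT = "User-Name contains multiple @"
REASON_NO_DOMAIN = "Realm does not have at least one dot"
REASON_TRAILING_DOT = "Realm ends with a dot"
REASON_DOUBLE_DOT = "User-Name contains multiple ..s"

# Each entry: (predicate on the User-Name, reason returned when it matches).
# The regular expressions are the ones printed for the filter_username policy,
# evaluated in the order the debug output shows them.
CHECKS = [
    (lambda n: re.search(r" ", n) is not None, REASON_SPACE),
    (lambda n: re.search(r"@[^@]*@", n) is not None, REASON_MULTI_AT),
    # Reject only if there is a realm (an '@') and that realm has no dot.
    (lambda n: re.search(r"@", n) is not None
               and re.search(r"@(.+)\.(.+)$", n) is None, REASON_NO_DOMAIN),
    (lambda n: re.search(r"\.$", n) is not None, REASON_TRAILING_DOT),
    (lambda n: re.search(r"\.\.", n) is not None, REASON_DOUBLE_DOT),
]


def filter_username(user_name):
    """Return None if the name passes every check, else the first rejection reason."""
    if not user_name:  # mirrors the outer `if (&User-Name)` guard in the policy
        return None
    for predicate, reason in CHECKS:
        if predicate(user_name):
            return reason
    return None


def expected_outcomes():
    """Run the policy over constructed User-Names and map each to its verdict."""
    samples = [  # constructed sample identities, not taken from the log
        "someone@univ-rennes1.fr",      # well-formed eduroam identity: accepted
        "someone@univ-rennes1.fr.",     # trailing dot
        "someone@univ-rennes1..fr",     # consecutive dots
        "some one@univ-rennes1.fr",     # whitespace
        "someone@foo@univ-rennes1.fr",  # two '@'
        "someone@localhost",            # realm without a dot
        "someone",                      # no realm at all: this policy accepts it
    ]
    return {name: filter_username(name) for name in samples}


if __name__ == "__main__":
    for name, verdict in expected_outcomes().items():
        print(f"{name!r:32} -> {verdict or 'accepted'}")
```

Running it shows that "someone@univ-rennes1.fr" is accepted and that each rejection reason fires only for the malformed inputs, which is the behaviour the policy is designed for; if the server's own evaluation of the same regexes disagrees with this for a plain identity, the difference is in the server build or regex library rather than in the identity itself, which is why comparing against the Module-Failure-Message is the right next step.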