Migration of FreeRadius Server from 2.1 to 3.X
Bhagwat, Shrikant
shrbhagw at med.umich.edu
Wed Sep 6 17:51:14 CEST 2017
In Freeradius 2.1, in our radiusd.conf file, we had the following:
#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in 'doc/variables.txt'
#
exec default {
	wait = yes
	output = none
	#input_pairs = request
	output_pairs = none
	# 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
	# 5 - level-1 kdc domain; 6 - log file name.
	program = "/idm/idmt_home/PhoneFactor/Level1Factor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} not_found \
%{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname}"
	shell_escape = yes
}

# Phone Factor
exec phonefactor {
	wait = yes
	output = none
	#input_pairs = request
	output_pairs = none
	# 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
	# 5 - level-1 kdc domain; 6 - log file name; 7 - phone factor call back number
	program = "/idm/idmt_home/PhoneFactor/PhoneFactor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} found \
%{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname} %{reply:Callback-Number}"
	shell_escape = yes
}

exec level-1 {
	wait = yes
	output = none
	#input_pairs = request
	output_pairs = none
	# 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
	# 5 - level-1 kdc domain; 6 - log file name.
	program = "/idm/idmt_home/PhoneFactor/Level1Factor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} %{check:LDAP-UserDn} \
%{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname}"
	shell_escape = yes
}

exec level1_and_duophone {
	wait = yes
	output = none
	#input_pairs = request
	output_pairs = none
	# 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
	# 5 - level-1 kdc domain; 6 - log file name; 7 - duo api host; 8 - duo ikey; 9 - duo skey; 10 - duo factor
	program = "/idm/idmt_home/PhoneFactor/DuoFactor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} %{check:LDAP-UserDn} \
%{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname} %{config:modules.ldap.duo_host} %{config:modules.ldap.duo_ikey} %{config:modules.ldap.duo_skey} phone"
	shell_escape = yes
}

exec level1_and_duopush {
	wait = yes
	output = none
	#input_pairs = request
	output_pairs = none
	# 0 - level-2 proxy; 1 - level-2 proxy password; 2 - level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
	# 5 - level-1 kdc domain; 6 - log file name; 7 - duo api host; 8 - duo ikey; 9 - duo skey; 10 - duo factor
	program = "/idm/idmt_home/PhoneFactor/DuoFactor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.basedn} %{check:LDAP-UserDn} \
%{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname} %{config:modules.ldap.duo_host} %{config:modules.ldap.duo_ikey} %{config:modules.ldap.duo_skey} push"
	shell_escape = yes
}
We may need to add the above lines in the exec modules?
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw=med.umich.edu at lists.freeradius.org] On Behalf Of Matthew Newton
Sent: Wednesday, September 06, 2017 11:42 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: Migration of FreeRadius Server from 2.1 to 3.X
On Wed, 2017-09-06 at 15:32 +0000, Bhagwat, Shrikant wrote:
> I am in process of migrating free radius 2.1 to free radius 3.x.
That's good. But please use 3.0.15, not 3.0.3. You really don't want to start off with a server with loads of bugs and security issues that have now been fixed. And 3.0.3 has plenty of both.
> In Free radius 2.1 all configuration is located in freeradius.conf
> file.
In your config, maybe. Not as shipped with the server.
> Failed to find "level1_and_duopush" in the "modules" section.
That's not a standard module, so there's no way for us to know what it's supposed to do.
> What I am supposed to do in modules section for "level1_and_duopush"
Look at your old configuration, and find out what level1_and_duopush did. Then do the same in v3. It's presumably in the modules{} section of the configuration, so should be in one of the files in the mods-available directory.
--
Matthew
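
Added example, not part of the original thread: when carrying the old `exec` instances over to files under mods-available, it helps to list what each `program` line expands onto the command line, since program arguments are visible in the host's process list while the script runs. The function name, the credential-name heuristic and the shortened sample config are assumptions made for this sketch.

```python
import re

# Constructed sample: two instances in the style of the legacy radiusd.conf
# quoted in this thread, with shortened argument lists.
LEGACY_CONF = r'''
exec phonefactor {
    wait = yes
    program = "/idm/idmt_home/PhoneFactor/PhoneFactor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} found \
%{config:modules.ldap.logFILEname} %{reply:Callback-Number}"
    shell_escape = yes
}
exec level1_and_duopush {
    wait = yes
    program = "/idm/idmt_home/PhoneFactor/DuoFactor.pl %{config:modules.ldap.server} %{check:LDAP-UserDn} \
%{config:modules.ldap.duo_ikey} %{config:modules.ldap.duo_skey} push"
    shell_escape = yes
}
'''

BLOCK = re.compile(r'^\s*exec\s+([\w.-]+)\s*\{(.*?)^\s*\}', re.M | re.S)
PROGRAM = re.compile(r'^\s*program\s*=\s*"(.*?)"\s*$', re.M | re.S)
XLAT = re.compile(r'%\{([^}:]+):([^}]+)\}')
# Assumed heuristic for credential-like config item names; tune per site.
SECRET_HINT = re.compile(r'pass|skey|secret', re.I)


def audit_exec_instances(conf_text):
    """Map each 'exec <name> { }' instance to what its program line expands."""
    report = {}
    for name, body in BLOCK.findall(conf_text):
        match = PROGRAM.search(body)
        if not match:
            continue
        # Join backslash-newline continuations into one command line.
        cmdline = re.sub(r'\\\s*\n\s*', '', match.group(1))
        xlats = XLAT.findall(cmdline)
        report[name] = {
            "program": cmdline.split()[0],
            # Static config items that look like credentials (end up in argv).
            "secret_args": [i for k, i in xlats
                            if k == "config" and SECRET_HINT.search(i)],
            # Arguments filled per request from an attribute list.
            "attribute_args": [f"{k}:{i}" for k, i in xlats if k != "config"],
        }
    return report


if __name__ == "__main__":
    for name, info in audit_exec_instances(LEGACY_CONF).items():
        print(name, info)
```

The instance names it reports are the ones the v3 server must be able to find in its modules section, and the `secret_args` entries are candidates for being read by the script from a protected file instead of being passed as arguments.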