Migration of FreeRadius Server from 2.1 to 3.X

Alan Buxey alan.buxey at gmail.com
Fri Sep 8 11:23:56 CEST 2017


congrats. being a public forum for users, its good protocol to note
what you did to fix things so when the next person comes along after a
google search that matches the same issue/problems/phrases they
get a decent clue rather than just ask the same questions to the list
again again and again

alan

On 8 September 2017 at 03:19, Bhagwat, Shrikant <shrbhagw at med.umich.edu> wrote:
> Got it working finally,
>
>
>
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw=med.umich.edu at lists.freeradius.org] On Behalf Of Alan Buxey
> Sent: Thursday, September 7, 2017 5:10 PM
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: RE: Migration of FreeRadius Server from 2.1 to 3.X
>
> What are you trying to do? You say you added custom unix but haven't/didn't from info you provided. What are those auth-type entries for? You can't just make up your own random syntax.
>
> alan
>
> On 7 Sep 2017 1:49 pm, "Bhagwat, Shrikant" <shrbhagw at med.umich.edu> wrote:
>
>> Hi Alan
>>
>> In sites-enabled/default file in authenticate section I have added
>> custom section unix
>>
>> authenticate {
>>
>>
>> #       unix
>>
>>         # Uncomment it if you want to use ldap for authentication
>>         #
>>         # Note that this means "check plain-text password against
>>         # the ldap database", which means that EAP won't work,
>>         # as it does not supply a plain-text password.
>>
>>         Auth-Type level1_and_duopush {
>>                 level1_and_duopush
>>         }
>>
>>         Auth-Type level1_and_duophone {
>>                 level1_and_duophone
>>         }
>>
>>         Auth-Type level2_and_duopush {
>>                 level2_and_duopush
>>         }
>>
>>         Auth-Type level2_and_duophone {
>>                 level2_and_duophone
>>         }
>>
>>         Auth-Type PhoneFactor {
>>                 phonefactor
>>         }
>>
>>         Auth-Type Level-1 {
>>                 level-1
>>         }
>> }
>>
>> In Post Auth section of default file I have following :
>>
>>
>> post-auth {
>>         #  Get an address from the IP Pool.
>> #       main_pool
>>
>>
>>         #  Create the CUI value and add the attribute to Access-Accept.
>>         #  Uncomment the line below if *returning* the CUI.
>> #       cui
>>
>>         #
>>         #  If you want to have a log of authentication replies,
>>         #  un-comment the following line, and enable the
>>         #  'detail reply_log' module.
>>         reply_log
>>
>>         #
>>         #  After authenticating the user, do another SQL query.
>>         #
>>         #  See "Authentication Logging Queries" in sql.conf
>>         -sql
>>
>>         #
>>         #  Instead of sending the query to the SQL server,
>>         #  write it into a log file.
>>         #
>> #       sql_log
>>
>>         #
>>         #  Un-comment the following if you want to modify the user's object
>>         #  in LDAP after a successful login.
>>         #
>> #       ldap
>>
>>         # For Exec-Program and Exec-Program-Wait
>>         exec
>>
>> #
>>         #  Calculate the various WiMAX keys.  In order for this to work,
>>         #  you will need to define the WiMAX NAI, usually via
>>         #
>>         #       update request {
>>         #              WiMAX-MN-NAI = "%{User-Name}"
>>         #       }
>>         #
>>         #  If you want various keys to be calculated, you will need to
>>         #  update the reply with "template" values.  The module will see
>>         #  this, and replace the template values with the correct ones
>>         #  taken from the cryptographic calculations.  e.g.
>>         #
>>         #       update reply {
>>         #               WiMAX-FA-RK-Key = 0x00
>>         #               WiMAX-MSK = "%{EAP-MSK}"
>>         #       }
>>         #
>>         #  You may want to delete the MS-MPPE-*-Keys from the reply,
>>         #  as some WiMAX clients behave badly when those attributes
>>         #  are included.  See "raddb/modules/wimax", configuration
>>         #  entry "delete_mppe_keys" for more information.
>>         #
>> #       wimax
>>
>>
>>
>> -----Original Message-----
>> From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw=
>> med.umich.edu at lists.freeradius.org] On Behalf Of Alan Buxey
>> Sent: Thursday, September 7, 2017 5:25 AM
>> To: FreeRadius users mailing list
>> <freeradius-users at lists.freeradius.org>
>> Subject: Re: Migration of FreeRadius Server from 2.1 to 3.X
>>
>> hi,
>>
>> > I know config of version 2 will not work with config of version 3.
>> > It looks like echo module controls the exe module
>>
>> ??
>>
>> the exec module is the main module
>>
>> the provided example echo module USES the exec module
>>
>>
>> exec echo {
>> }
>>
>> see?
>>
>> >
>> > From exec module
>> >
>> >         exec default {
>> >                 wait = yes
>> >                 output = none
>> >                 #input_pairs = request
>> >                 output_pairs = none
>> >                 # 0 - level-2 proxy; 1 - level-2 proxy password; 2 -
>> level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
>> >                 # 5 - level-1 kdc domain; 6 - log file name.
>> >                 program =
>> > "/idm/idmt_home/PhoneFactor/Level1Factor.pl
>> %{config:modules.ldap.identity} %{config:modules.ldap.password}
>> %{config:modules.ldap.server} %{config:modules.ldap.basedn} not_found
>> \
>> >                             %{config:modules.ldap.level-1_kdc}
>> %{config:modules.ldap.logFILEname}"
>> >                 shell_escape = yes
>> >         }
>> >
>> >         # Phone Factor
>> >         exec phonefactor {
>> >                 wait = yes
>> >                 output = none
>> >                 #input_pairs = request
>> >                 output_pairs = none
>> >                 # 0 - level-2 proxy; 1 - level-2 proxy password; 2 -
>> level-2 server; 3 - level-2 basedn; 4 - level-2 account found flag;
>> >                 # 5 - level-1 kdc domain; 6 - log file name; 7 -
>> > phone
>> factor call back number
>> >                 program = "/idm/idmt_home/PhoneFactor/PhoneFactor.pl
>> %{config:modules.ldap.identity} %{config:modules.ldap.password}
>> %{config:modules.ldap.server} %{config:modules.ldap.basedn} found \
>> >                             %{config:modules.ldap.level-1_kdc}
>> %{config:modules.ldap.logFILEname} %{reply:Callback-Number}"
>> >                 shell_escape = yes
>> >         }
>> >
>> >
>> > Do I modify echo module to match in exec module  ? or vice versa ?
>>
>> so, these two sub-modules of exec, which can be called as 'default'
>> and 'phonefactor' elsewhere in your config - eg in the sites-enabled/*
>> virtual servers (PS 'default' is an awful choice)
>>
>> and yes, you need to look at the FR 3.x docs and ensure your format
>> and entries match the 3.x configuration/specification..... also, as
>> already said, this is the IDEAL time, during a migration, to clean up
>> and optimise the config. operations with LDAP can be done natively
>> through LDAP module and unang and will be MUCH MUCH quicker than calls
>> to scripts (more than an order of magnitude quicker AND able to deal
>> natively with multiple servers, failover, connection pools etc etc -
>> thread safe etc) in previous migrations I have removed most modules
>> and random functions and sped server up - in most cases being able to
>> make the server more like a default install with far fewer changes and
>> stopping the use of eg rlm_perl and rlm_python
>>
>> alan
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>> **********************************************************
>> Electronic Mail is not secure, may not be read every day, and should
>> not be used for urgent or sensitive issues
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> **********************************************************
> Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list