linelog best practice

cedric delaunay
Hello all,
I'm trying to log accounting and requests into our elasticsearch/graylog
logserver.
I use home-made linelog modules to rewrite logs into JSON format.
The modules are called in the authorize, accounting, post-auth, Post-Auth-Type
REJECT, pre-proxy and post-proxy sections.
Here is an example of my module:

linelog linelog_postauth {
     format = "%t linelog_postauth \%Packet-Type non reconnu for %{User-Name} (%{Packet-Type})"
     filename = ${logdir}/linelog_json
     permissions = 0600
     reference = "messages.%{%{reply:Packet-Type}:-format}"
     messages {
        Access-Reject = "{\"Datetime\":\"%t\",\"Module_Name\":\"linelog_postauth\",\"Packet-Type\":\"%{reply:Packet-Type}\",\"User-Name\":\"%{User-Name}\",\"Realm\":\"%{Realm}\",\"NAS-IP-Address\":\"%{NAS-IP-Address}\",\"NAS-Port\":\"%{NAS-Port}\",\"Service-Type\":\"%{Service-Type}\",\"Framed-MTU\":\"%{Framed-MTU}\",\"State\":\"%{State}\",\"Class\":\"%{Class}\",\"Vendor-Specific\":\"%{Vendor-Specific}\",\"Session-Timeout\":\"%{Session-Timeout}\",\"Idle-Timeout\":\"%{Idle-Timeout}\",\"Termination-Action\":\"%{Termination-Action}\",\"Called-Station-Id\":\"%{Called-Station-Id}\",\"Calling-Station-Id\":\"%{Calling-Station-Id}\",\"NAS-Identifier\":\"%{NAS-Identifier}\",\"Proxy-State\":\"%{Proxy-State}\",\"Login-LAT-Service\":\"%{Login-LAT-Service}\",\"Login-LAT-Node\":\"%{Login-LAT-Node}\",\"Login-LAT-Group\":\"%{Login-LAT-Group}\",\"Framed-AppleTalk-Link\":\"%{Framed-AppleTalk-Link}\",\"Framed-AppleTalk-Network\":\"%{Framed-AppleTalk-Network}\",\"Framed-AppleTalk-Zone\":\"%{Framed-AppleTalk-Zone}\",\"CHAP-Challenge\":\"%{CHAP-Challenge}\",\"NAS-Port-Type\":\"%{NAS-Port-Type}\",\"Port-Limit\":\"%{Port-Limit}\",\"Login-LAT-Port\":\"%{Login-LAT-Port}\"}"
        Access-Challenge = "{\"Datetime\":\"%t\",\"Module_Name\":\"linelog_postauth\",\"Packet-Type\":\"%{reply:Packet-Type}\",\"User-Name\":\"%{User-Name}\",\"Realm\":\"%{Realm}\",\"NAS-IP-Address\":\"%{NAS-IP-Address}\",\"NAS-Port\":\"%{NAS-Port}\",\"Service-Type\":\"%{Service-Type}\",\"Framed-Protocol\":\"%{Framed-Protocol}\",\"Framed-IP-Address\":\"%{Framed-IP-Address}\",\"Framed-IP-Netmask\":\"%{Framed-IP-Netmask}\",\"Framed-Routing\":\"%{Framed-Routing}\",\"Filter-Id\":\"%{Filter-Id}\",\"Framed-MTU\":\"%{Framed-MTU}\",\"Framed-Compression\":\"%{Framed-Compression}\",\"Login-IP-Host\":\"%{Login-IP-Host}\",\"Login-Service\":\"%{Login-Service}\",\"Login-TCP-Port\":\"%{Login-TCP-Port}\",\"Reply-Message\":\"%{Reply-Message}\",\"Callback-Number\":\"%{Callback-Number}\",\"Callback-Id\":\"%{Callback-Id}\",\"Framed-Route\":\"%{Framed-Route}\",\"Framed-IPX-Network\":\"%{Framed-IPX-Network}\",\"State\":\"%{State}\",\"Class\":\"%{Class}\",\"Vendor-Specific\":\"%{Vendor-Specific}\",\"Session-Timeout\":\"%{Session-Timeout}\",\"Idle-Timeout\":\"%{Idle-Timeout}\",\"Termination-Action\":\"%{Termination-Action}\",\"Called-Station-Id\":\"%{Called-Station-Id}\",\"Calling-Station-Id\":\"%{Calling-Station-Id}\",\"NAS-Identifier\":\"%{NAS-Identifier}\",\"Proxy-State\":\"%{Proxy-State}\",\"Login-LAT-Service\":\"%{Login-LAT-Service}\",\"Login-LAT-Node\":\"%{Login-LAT-Node}\",\"Login-LAT-Group\":\"%{Login-LAT-Group}\",\"Framed-AppleTalk-Link\":\"%{Framed-AppleTalk-Link}\",\"Framed-AppleTalk-Network\":\"%{Framed-AppleTalk-Network}\",\"Framed-AppleTalk-Zone\":\"%{Framed-AppleTalk-Zone}\",\"CHAP-Challenge\":\"%{CHAP-Challenge}\",\"NAS-Port-Type\":\"%{NAS-Port-Type}\",\"Port-Limit\":\"%{Port-Limit}\",\"Login-LAT-Port\":\"%{Login-LAT-Port}\"}"
         Access-Accept = "{\"Datetime\":\"%t\",\"Module_Name\":\"linelog_postauth\",\"Packet-Type\":\"%{reply:Packet-Type}\",\"User-Name\":\"%{User-Name}\",\"Realm\":\"%{Realm}\",\"NAS-IP-Address\":\"%{NAS-IP-Address}\",\"NAS-Port\":\"%{NAS-Port}\",\"Service-Type\":\"%{Service-Type}\",\"Framed-MTU\":\"%{Framed-MTU}\",\"Login-IP-Host\":\"%{Login-IP-Host}\",\"Login-Service\":\"%{Login-Service}\",\"Login-TCP-Port\":\"%{Login-TCP-Port}\",\"Reply-Message\":\"%{Reply-Message}\",\"Callback-Number\":\"%{Callback-Number}\",\"Callback-Id\":\"%{Callback-Id}\",\"Framed-Route\":\"%{Framed-Route}\",\"Framed-IPX-Network\":\"%{Framed-IPX-Network}\",\"State\":\"%{State}\",\"Class\":\"%{Class}\",\"Vendor-Specific\":\"%{Vendor-Specific}\",\"Session-Timeout\":\"%{Session-Timeout}\",\"Idle-Timeout\":\"%{Idle-Timeout}\",\"Termination-Action\":\"%{Termination-Action}\",\"Called-Station-Id\":\"%{Called-Station-Id}\",\"Calling-Station-Id\":\"%{Calling-Station-Id}\",\"NAS-Identifier\":\"%{NAS-Identifier}\",\"Proxy-State\":\"%{Proxy-State}\",\"Login-LAT-Service\":\"%{Login-LAT-Service}\",\"Login-LAT-Node\":\"%{Login-LAT-Node}\",\"Login-LAT-Group\":\"%{Login-LAT-Group}\",\"Framed-AppleTalk-Link\":\"%{Framed-AppleTalk-Link}\",\"Framed-AppleTalk-Network\":\"%{Framed-AppleTalk-Network}\",\"Framed-AppleTalk-Zone\":\"%{Framed-AppleTalk-Zone}\",\"CHAP-Challenge\":\"%{CHAP-Challenge}\",\"NAS-Port-Type\":\"%{NAS-Port-Type}\",\"Port-Limit\":\"%{Port-Limit}\",\"Login-LAT-Port\":\"%{Login-LAT-Port}\",\"VLAN\":\"%{Tunnel-Private-Group-ID:0}\"}"
     }
}


The goal is to keep info about login attempts and failures, and why they failed.
When we run radius in debug mode we can see the failure reason, as in the next example:

.....
(17)    authenticate {
(17)   eap : Expiring EAP session with state 0x2ee654852ee14efb
(17)   eap : Finished EAP session with state 0x2ee654852ee14efb
(17)   eap : Previous EAP request found for state 0x2ee654852ee14efb, released from the list
(17)   eap : Peer sent method MSCHAPv2 (26)
(17)   eap : EAP MSCHAPv2 (26)
(17)   eap : Calling eap_mschapv2 to process EAP data
(17)   eap_mschapv2 : # Executing group from file /etc/raddb//sites-enabled/eduroam-inner-tunnel
(17)   eap_mschapv2 :  Auth-Type MS-CHAP {
(17)    mschap : Found LM-Password
(17)    WARNING: mschap : No Cleartext-Password configured.  Cannot create LM-Password
(17)    mschap : Found NT-Password
(17)    WARNING: mschap : No Cleartext-Password configured.  Cannot create NT-Password
(17)    mschap : Creating challenge hash with username: [hidden email]
(17)    mschap : Client is using MS-CHAPv2
(17)    ERROR: mschap : MS-CHAP2-Response is incorrect
(17)     [mschap] = reject
(17)    } # Auth-Type MS-CHAP = reject
(17)   eap : Freeing handler
(17)    [eap] = reject
(17)   } #  authenticate = reject
.....

I can't find the reject reason (mschap result, ...) in the access-reject variables.
I had a look into the mailing list's archives without success ;(

Can anybody help me find the best way of doing this?
Thanks a lot

--
Cédric Delaunay, Direction des Systèmes d'Informations
Network & Telephony Team, 263 Avenue du Général Leclerc
Tel: 02 23 23 71 59, CS 74205 - 35042 Rennes Cedex

For any request, use the help and support service via the ENT at
http://ent.univ-rennes1.fr



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: linelog best practice

Matthew Newton
On Tue, Jan 24, 2017 at 11:15:17AM +0100, cedric delaunay wrote:
> I can't find the reject reason (mschap result, ...) in the access-reject variables.
>
> Can anybody help me find the best way of doing this?

Look at &Module-Failure-Message, it should have what you want.

Matthew


--
Matthew Newton, Ph.D. <[hidden email]>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <[hidden email]>

Re: linelog best practice

A.L.M.Buxey
In reply to this post by cedric delaunay
Hi,

use Module-Failure-Message - but also look at the 3.0.x HEAD from git or wait until 3.0.13
comes out, as Matthew has ensured there's a good starting point for the ELK crowd :)

alan

Re: linelog best practice

Matthew Newton
On Tue, Jan 24, 2017 at 10:52:32AM +0000, [hidden email] wrote:
> use Module-Failure-Message - but also look at the 3.0.x HEAD from git or wait until 3.0.13
> comes out, as Matthew has ensured there's a good starting point for the ELK crowd :)

Yeah, to be honest rather than trying to write out JSON with
linelog personally I'd just look at reading the plain detail files
with logstash and using that to write them out as JSON. You might
be fine, but then some joker will come along and try to log in
with a username like 'silly"json'...

Should probably at least wrap all the attributes in
%{jsonquote:...} to be safe.

"rlm_jsonlog" is something I've thought about for a while. Just
not sure it's worth it. Might be if I can then use that to feed
directly into elasticsearch and skip the logstash bit.

Matthew


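The risk Matthew describes above, as an added Python example (not code from FreeRADIUS or from anyone in this thread): a template like the poster's Access-Reject message filled by raw substitution, beside the same template with every value escaped the way wrapping it in %{jsonquote:...} is meant to. The template, the usernames and the failure message are constructed, and json_quote() here is a stand-in for the xlat, not FreeRADIUS's own implementation.

```python
import json
import re

# Constructed template mirroring the Access-Reject linelog message from the
# thread, reduced to three fields. Each %{Attr} is replaced by plain string
# substitution, which is what linelog does when no quoting xlat is applied.
TEMPLATE = ('{"Module_Name":"linelog_postauth",'
            '"User-Name":"%{User-Name}",'
            '"Reject-Cause":"%{Module-Failure-Message}"}')

PLACEHOLDER = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def json_quote(value):
    """Escape a value the way a jsonquote-style xlat must: backslash, double
    quote and control characters become JSON escapes. The surrounding quotes
    are stripped because the template already supplies them."""
    return json.dumps(value)[1:-1]


def render(attrs, quote):
    """Expand TEMPLATE from a dict of attribute values.

    quote=False reproduces the raw substitution the thread's module relies on;
    quote=True passes every value through json_quote(), the equivalent of
    writing %{jsonquote:%{User-Name}} in the linelog format string.
    """
    def expand(match):
        value = attrs.get(match.group(1), "")
        return json_quote(value) if quote else value
    return PLACEHOLDER.sub(expand, TEMPLATE)


def parse_line(line):
    """Classify one log line as a log shipper (logstash, graylog) would see it.

    Returns (record, status) where status is one of:
      "invalid"        - not parseable JSON: the event is lost or mangled
      "duplicate-keys" - parseable, but a value smuggled in an extra field
                         that shadows a real one (last key wins in most parsers)
      "ok"             - a clean record
    """
    try:
        pairs = json.loads(line, object_pairs_hook=lambda p: p)
    except json.JSONDecodeError:
        return None, "invalid"
    if not isinstance(pairs, list):
        return None, "invalid"
    keys = [k for k, _ in pairs]
    status = "duplicate-keys" if len(keys) != len(set(keys)) else "ok"
    return dict(pairs), status


# Constructed usernames: the thread's 'silly"json', a backslash (the "\" in
# attributes the poster ran into) and a value that closes the field and opens
# another one, which stays valid JSON and is therefore easy to miss.
SAMPLE_USERS = [
    'silly"json',
    'corp\\user',
    'x","Module_Name":"fake',
]


def audit(quote):
    """Render one reject line per sample user and return, per user, the parse
    status and the User-Name value the log consumer would end up seeing."""
    results = {}
    for user in SAMPLE_USERS:
        attrs = {"User-Name": user,
                 "Module-Failure-Message": "mschap: MS-CHAP2-Response is incorrect"}
        record, status = parse_line(render(attrs, quote))
        results[user] = (status, record["User-Name"] if record else None)
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("jsonquote applied:" if mode else "raw substitution:")
        for user, (status, seen) in audit(mode).items():
            print(f"  {user!r:32} -> {status:15} User-Name seen as {seen!r}")
```

With raw substitution two of the three lines never reach the index and the third silently rewrites Module_Name; with the escaping applied all three parse and round-trip the original username.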

Re: linelog best practice

Herwin Weststrate
On 24-01-17 13:22, Matthew Newton wrote:
> "rlm_jsonlog" is something I've thought about for a while. Just
> not sure it's worth it. Might be if I can then use that to feed
> directly into elasticsearch and skip the logstash bit.

Actually, we've created something like that for a very specific use
case, never thought others would have a purpose for it. The source is
available at https://github.com/Quarantainenet/rlm_attr_log. It works by
sending JSON syslog, so it might need a few tweaks to work with ELK.

FreeRADIUS v4 contains an rlm_json module which would make it very
trivial; getting a JSON string of the request is as simple as:

  fr_json_afrom_pair_list(NULL, &request->packet->vps, NULL);

--
Herwin Weststrate

Re: linelog best practice

cedric delaunay
In reply to this post by Matthew Newton
Hi guys,
Thanks for the quick answer.
As a newbie, I didn't find how to implement Module-Failure-Message.
I followed this example:
http://lists.freeradius.org/pipermail/freeradius-users/2014-December/074957.html
but the service won't run:

server eduroam-inner-tunnel { # from file /etc/raddb//sites-enabled/eduroam-inner-tunnel
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading session {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
/etc/raddb//sites-enabled/eduroam-inner-tunnel[321]: Default list "session-state" specified in mapping section is invalid
/etc/raddb//sites-enabled/eduroam-inner-tunnel[321]: Failed to parse "update" subsection.

Any detail I should know?

I would like to switch from 2.x to 3.x as soon as possible, so I can't wait
for the 3.0.13 release on my CentOS ;(

Matthew, I guess that you're talking about this:
https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x/doc/schemas/logstash
Maybe that is the best way, but:
     - I first have to make the login-failure reason be printed in the detail
files, don't I?

Thanks
Cedric


Re: linelog best practice

Herwin Weststrate
On 25-01-17 09:25, cedric delaunay wrote:

> ...
> /etc/raddb//sites-enabled/eduroam-inner-tunnel[321]: Default list
> "session-state" specified in mapping section is invalid
> /etc/raddb//sites-enabled/eduroam-inner-tunnel[321]: Failed to parse
> "update" subsection.
>
> Any detail I should know?
>
> I would like to switch from 2.x to 3.x as soon as possible, so I can't wait
> for the 3.0.13 release on my CentOS ;(

session-state is a feature introduced in 3.0.something (it's probably
mentioned in the changelogs)


Re: linelog best practice

A.L.M.Buxey
In reply to this post by cedric delaunay
Hi,

> Any detail I should know?

yes, you can only use that config on FR 3.x and above :)

alan

Re: linelog best practice

cedric delaunay
Yep, I'm already on 3.x on my new server, but I just found that the CentOS 7
base repos have only FR 3.0.4, and Module-Failure-Message came with 3.0.5
....
http://freeradius-users.freeradius.narkive.com/Mt1jQ2ig/multi-packet-session-state-will-be-in-version-3-0-5

I now have to negotiate with the system admins to add a testing repo or
install one rpm....
Cedric


Re: linelog best practice

Stefan Paetow-3
In reply to this post by cedric delaunay
> I would like to switch from 2.x to 3.x as soon as possible, so I can't wait for the 3.0.13 release on my CentOS ;(

If you are ok with getting a CentOS version of FR that's *not* from the official repo, you can get one from the Moonshot repository[1][2]. Granted, it comes with additional build functionality (dynamic realm lookup with Moonshot technology), but at least you won't have to hang around with 2.x anymore.

[1] http://repository.project-moonshot.org/rpms/centos6/RPMS/x86_64/
[2] Instructions: https://wiki.moonshot.ja.net/display/TEM/_SystemPrep_RHEL6 (or _SystemPrep_RHEL7)

We expect to release a 3.0.13 once Alan releases it.

:-)

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: [hidden email]
skype: stefan.paetow.janet

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.






Re: linelog best practice

cedric delaunay
Hi all,
Thanks Stefan for the proposition. I finally upgraded from the packetfence
version, as Alan suggested in another post
(http://lists.freeradius.org/pipermail/freeradius-users/2017-January/086387.html).
The system admin added a new repo allowing only freeradius* packages.

I'm now running 3.0.13 successfully.
Before it started I had to customise my conf files and particularly
disable the filter_username module in the authorise sections.
Has anyone ever had a reject because of an unreal reason? It looks like a
bug, or am I wrong?
Here are the radius -X details:


Ready to process requests
(1) Received Access-Request Id 48 from 129.20.3.1:32770 to 129.20.128.215:2012 length 267
(1)   User-Name = "[hidden email]"
(1)   Calling-Station-Id = "xx:xx:xx:xx:xx:xx"
(1)   Called-Station-Id = "zz:zz:zz:zz:zz:zz:eduroam2"
(1)   NAS-Port = 13
(1)   Cisco-AVPair = "audit-session-id=81140301004ea5905891e58f"
(1)   NAS-IP-Address = 129.20.3.1
(1)   NAS-Identifier = "cs5508-00-12d-1"
(1)   Airespace-Wlan-Id = 9
(1)   Service-Type = Framed-User
(1)   Framed-MTU = 1300
(1)   NAS-Port-Type = Wireless-802.11
(1)   Tunnel-Type:0 = VLAN
(1)   Tunnel-Medium-Type:0 = IEEE-802
(1)   Tunnel-Private-Group-Id:0 = "410"
(1)   EAP-Message = 0x0202001d016364656c61756e6140756e69762d72656e6e6573312e6672
(1)   Message-Authenticator = 0x1132d719171132f5a5c236cf9c4f3de1
(1) # Executing section authorize from file /etc/raddb//sites-enabled/eduroam
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> TRUE
(1)         if (&User-Name =~ /\.$/)   {
(1)           update request {
(1)             &Module-Failure-Message += 'Rejected: Realm ends with a dot'
(1)           } # update request = noop
(1)           [reject] = reject
(1)         } # if (&User-Name =~ /\.$/)   = reject
(1)       } # if (&User-Name)  = reject
(1)     } # policy filter_username = reject
(1)   } # authorize = reject
(1) Invalid user (Rejected: Realm ends with a dot): [[hidden email]] (from client Controleur1 port 13 cli xx:xx:xx:xx:xx:xx)

.......

Received Access-Request Id 47 from 129.20.3.1:32770 to 129.20.128.215:2012 length 267
(2)   User-Name = "[hidden email]"
(2)   Calling-Station-Id = "xx:xx:xx:xx:xx:xx"
(2)   Called-Station-Id = "zz:zz:zz:zz:zz:zz:eduroam2"
(2)   NAS-Port = 13
(2)   Cisco-AVPair = "audit-session-id=81140301004ea2255891e39d"
(2)   NAS-IP-Address = 129.20.3.1
(2)   NAS-Identifier = "cs5508-00-12d-1"
(2)   Airespace-Wlan-Id = 9
(2)   Service-Type = Framed-User
(2)   Framed-MTU = 1300
(2)   NAS-Port-Type = Wireless-802.11
(2)   Tunnel-Type:0 = VLAN
(2)   Tunnel-Medium-Type:0 = IEEE-802
(2)   Tunnel-Private-Group-Id:0 = "410"
(2)   EAP-Message = 0x0201001d016364656c61756e6140756e69762d72656e6e6573312e6672
(2)   Message-Authenticator = 0x6e2d0c853052c1e6c24554832e2986c2
(2) # Executing section authorize from file /etc/raddb//sites-enabled/eduroam
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> TRUE
(2)         if (&User-Name =~ /\.\./ )  {
(2)           update request {
(2)             &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(2)           } # update request = noop
(2)           [reject] = reject
(2)         } # if (&User-Name =~ /\.\./ )  = reject
(2)       } # if (&User-Name)  = reject
(2)     } # policy filter_username = reject
(2)   } # authorize = reject
(2) Invalid user (Rejected: User-Name contains multiple ..s): [[hidden email]] (from client Controleur1 port 13 cli xx:xx:xx:xx:xx:xx)
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/raddb//sites-enabled/eduroam
(2)   Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject:    --> [hidden email]
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2)     [attr_filter.access_reject] = updated

Anyway, I disabled the module and it works.
I'll now look at Module-Failure-Message.

Cedric



Re: linelog best practice

Alan DeKok-2
On Feb 1, 2017, at 9:39 AM, cedric delaunay <[hidden email]> wrote:
> I'm now running 3.0.13 successfully.
> Before it started I had to customise my conf files and particularly disable the filter_username module in the authorise sections.
> Has anyone ever had a reject because of an unreal reason? It looks like a bug, or am I wrong?
> here is radius -X details :

  It works for me.  That's weird.

  Please post the first 100 or so lines of "freeradius -Xx"

  That will hopefully give some more information.

  Alan DeKok.



Re: linelog best practice

Matthew Newton
In reply to this post by cedric delaunay
On Wed, Feb 01, 2017 at 03:39:03PM +0100, cedric delaunay wrote:
> Has anyone ever had a reject because of an unreal reason? It looks like a bug,
> or am I wrong?

I'm guessing you took your 2.x config and got that working with 3.x.

All the instructions tell you not to do that because things will
break. In this case, the correct_escapes setting.

Start from a fresh v3 config and work from there.

Matthew



Re: linelog best practice

cedric delaunay
Hi,
Nope, fresh config from 3.0.4.
I took inspiration from the old server, but nothing had been copied from the old server.
Cédric


Re: linelog best practice

Alan DeKok-2

> On Feb 1, 2017, at 11:11 AM, cedric delaunay <[hidden email]> wrote:
>
> Hi,
> Nope, fresh config from 3.0.4

  That's not really "fresh"

> I took inspiration from the old server, but nothing had been copied from the old server.
> Cédric
>
> On 01/02/2017 at 17:04, Matthew Newton wrote:
>> On Wed, Feb 01, 2017 at 03:39:03PM +0100, cedric delaunay wrote:
>>> Has anyone ever had a reject because of an unreal reason? It looks like a bug,
>>> or am I wrong?
>> I'm guessing you took your 2.x config and got that working with 3.x.
>>
>> All the instructions tell you not to do that because things will
>> break. In this case, the correct_escapes setting.

  Check the "correct_escapes" setting in radius.conf.

  If it isn't there, go read the v3.0.x config for the setting, and add it to your config.

  Alan DeKok.



Re: linelog best practice

Matthew Newton
In reply to this post by cedric delaunay
On Wed, Feb 01, 2017 at 05:11:44PM +0100, cedric delaunay wrote:
> Nope, fresh config from 3.0.4

I would diff that against a default config from 3.0.12. Lots has
been fixed since then.

Check "correct_escapes = true" is set in your radiusd.conf.

> I took inspiration from the old server, but nothing had been copied from the old server.

OK you've done the right thing; that's good to know.

Thanks,

Matthew




Re: linelog best practice

cedric delaunay
Hi,
As suggested by Alan:
enabled "correct_escapes = true" in radiusd.conf,
had to suppress some \\ in the realm,
re-enabled filter_username in sites-enabled.

That's OK.
About logging the reject cause:

in inner-tunnel:

     Post-Auth-Type REJECT {
...
         update outer.session-state {
             Module-Failure-Message := &request:Module-Failure-Message
         }

in the linelog module called by the site's Post-Auth-Type REJECT section:

reference = "messages.%{%{reply:Packet-Type}:-format}"
     messages {
...
Access-Reject = "{\"Datetime\":\"%t\",....\"Reject-Cause\":\"%{session-state:Module-Failure-Message}\",..."}"
}

I'm on the way ;)
Not perfect, because a reject caused by the ldap module still sends the mschap
reason, but I spent enough time on it.
Thanks a lot for the help
Cédric




Re: linelog best practice

cedric delaunay
In reply to this post by Matthew Newton
On 24/01/2017 at 13:22, Matthew Newton wrote:

> Yeah, to be honest rather than trying to write out JSON with
> linelog personally I'd just look at reading the plain detail files
> with logstash and using that to write them out as JSON. You might
> be fine, but then some joker will come along and try to log in
> with a username like 'silly"json'...
>
> Should probably at least wrap all the attributes in
> %{jsonquote:...} to be safe.
Hi Matthew,
The linelog/json solution is pretty operational but, as you guessed, I
have problems with "\" in attributes.
You talked about jsonquote but I can't find how to use it.
Should I load the "rest" module and the associated web server, or can I just use
jsonquote in the linelog syntax?
Does somebody have a small howto available?
Thanks
Cedric



Re: linelog best practice

arr2036

> On May 10, 2017, at 11:29 AM, cedric delaunay <[hidden email]> wrote:
>
> Hi Matthew,
> The linelog/json solution is pretty operational but, as you guessed, I have problems with "\" in attributes.
> You talked about jsonquote but I can't find how to use it.
It's an xlat, just use "%{jsonquote:<string>}" as part of your linelog fmt string.

-Arran


Re: linelog best practice

cedric delaunay
Hi Arran,
Thanks for your reply.

It works now.
I had to compile and enable the rest module, because jsonquote is an xlat
command provided by rest.

I consider now this post as solved.
Thanks all for your help
Cedric
