▸ When we receive responses from a foreign IdP, they may include attributes that
would cause authentication to fail.
▸ These should never normally be included in responses, and will only be sent
by a misconfigured IdP.
FILTERING (PRE-AUTH)
▸ You may not want this information to leak outside of your organisation.
▸ Let's examine a packet from a Cisco NAS now.
▸ Let's look at some Wireshark traces of filtered and unfiltered RADIUS packets.
HOW DO WE FILTER?
[Diagram: local domains are routed internally]
PRACTICAL - BAD IDP
▸ Open /etc/raddb/mods-config/files/authorize
▸ Under the "DEFAULT Cleartext-Password" line, tab in one and add "Tunnel-Private-Group-ID := 300"
▸ This will cause your IdP server to send back a VLAN 300 assignment.
▸ Open /etc/raddb/sites-available/default
▸ Comment out the attr_filter.post-proxy line in the pre-proxy {} section
▸ Restart/start your server in debug mode (radiusd -X).
sudo -s
echo -e "\tTunnel-Private-Group-ID := 300" >> /etc/raddb/mods-config/files/authorize
nano /etc/raddb/sites-available/default
exit
▸ You should now see that the VLAN sent back from your SP is not 100 or 200,
but 300! An invalid VLAN.
RE-ENABLING FILTERING
CLEANING UP
▸ Open /etc/raddb/mods-config/files/authorize
▸ Remove the Tunnel-Private-Group-ID := 300 line.
nano /etc/raddb/mods-config/files/authorize
Logging And What To Log
▸ Legal compliance.
▸ Debugging for both local and foreign users.
▸ Statistical analysis.
LOGGING
LOGGING METHODS
LINELOG
▸ Easily ingestible into Splunk, Graylog, or anything that processes line-based data.
DETAIL
EFFICIENT LOGGING
https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-server_mods-available-linelog
▸ If you want to reduce the amount of data logged to the minimum required by
eduroam standards, use the guide here:
https://wiki.freeradius.org/guide/eduroam-logging
PRACTICAL - CUSTOM LINELOG ENTRIES
▸ This will output any instances where we have a badly formatted username to the file '/tmp/radius_bad_username.log'
▸ We're just using a file here to separate out log entries, but you could change the other linelog modules in /etc/raddb/mods-available/linelog to log to files instead of syslog.
nano /etc/raddb/mods-available/linelog
▸ Open /etc/raddb/sites-available/default
▸ Search for the keyword 'reject' underneath the split_username_nai module call.
nano /etc/raddb/sites-available/default
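What the two edits above look like once made, as an added example rather than the workshop's own file contents. The module instance name linelog_bad_username, the log line format, and the exact unlang condition after split_username_nai are assumptions; only the target file path comes from the slides.

```conf
# /etc/raddb/mods-available/linelog
# Added example (assumed module name and format). Writes one line per
# badly formatted username to the file named on the slides, so these
# rejections can be counted separately from the normal syslog stream.
linelog linelog_bad_username {
	filename = /tmp/radius_bad_username.log
	permissions = 0600
	# %t is the request timestamp; the rest are standard RADIUS xlats.
	format = "%t : bad username '%{User-Name}' from NAS %{Client-Shortname} (%{NAS-IP-Address})"
}

# /etc/raddb/sites-available/default, inside the outer authorize { } section.
# split_username_nai sets Stripped-User-Domain when the realm parses;
# the condition below is an assumption about how the reject is guarded.
authorize {
	# ... existing entries ...
	split_username_nai
	if (!&Stripped-User-Domain) {
		linelog_bad_username   # log before rejecting
		reject
	}
	# ... existing entries ...
}
```

The module must be enabled (symlinked into /etc/raddb/mods-enabled) and the server restarted with radiusd -X before the new log file appears.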
DETAIL LOGGING
▸ Sometimes it's easier to debug issues with packet logs in a different format.
▸ We'll now list the detail module in the outer virtual server to show what the other logging formats look like.
▸ Open /etc/raddb/sites-available/default
▸ Under the start of the 'authorize {' section, add 'detail'
▸ Start/restart your server in debug mode (radiusd -X)
nano /etc/raddb/sites-available/default