Filtering (Pre-Auth)

EDUROAM WORKSHOP 2019


FILTERING IN EDUROAM
FILTERING (PRE-AUTH)

WHY DO WE NEED TO FILTER ATTRIBUTES (1/3)?

▸ When we receive responses from a foreign IdP they may include attributes that would cause authentication to fail.
▸ The most common of these attributes is Tunnel-Private-Group-ID, which assigns VLANs.
▸ This should never normally be included in responses, and will only be sent by a misconfigured IdP.

WHY DO WE NEED TO FILTER ATTRIBUTES (2/3)?

▸ Another reason for filtering is security.
▸ Most NASes will send lots of information about your internal network to the FLR: IP addresses, the make/model of the NAS, and the MAC addresses and BSSIDs of the NAS.
▸ You may not want this information to leak outside of your organisation.
▸ Let's examine a packet from a Cisco NAS now.

WHY DO WE NEED TO FILTER ATTRIBUTES (3/3)?

▸ The final reason is efficiency.
▸ Sending lots of unneeded attributes uses more bandwidth.
▸ The TLRs process many thousands of requests a second, and increasing the size of RADIUS packets reduces their efficiency.
▸ Let's look at some Wireshark traces of filtered and unfiltered RADIUS packets.

WHAT ATTRIBUTES NEED TO BE PASSED?


▸ The JANET Eduroam specification requires the following attributes to be allowed to pass:
▸ User-Name
▸ Reply-Message
▸ State
▸ Class
▸ Message-Authenticator
▸ Proxy-State
▸ EAP-Message
▸ MS-MPPE-Send-Key
▸ MS-MPPE-Recv-Key
▸ Calling-Station-Id
▸ Operator-Name
▸ Chargeable-User-Identity

HOW DO WE FILTER?

▸ The rlm_attr_filter module is used to apply filtering.
▸ The filtering module removes all attributes except the ones that match.
▸ The filtering definitions are configured in /etc/raddb/mods-config/attr_filter
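What such a filter definition looks like, as an added example rather than a slide from the workshop: the module instance follows the stock FreeRADIUS 3 layout of /etc/raddb/mods-available/attr_filter, and the filter file lists exactly the attributes the JANET specification requires; the post-proxy instance is assumed here to use the same list.

```conf
# /etc/raddb/mods-available/attr_filter  (module instance, added example;
# assumed to match the stock FreeRADIUS 3.x definition)
# One instance per filter file.  The key selects the entry in the file;
# with "DEFAULT" as the only entry the filter applies to every realm.
attr_filter attr_filter.pre-proxy {
	key = "%{Realm}"
	filename = ${modconfdir}/${.:name}/pre-proxy
}

# /etc/raddb/mods-config/attr_filter/pre-proxy  (filter file, added example)
# attr_filter drops every attribute that is NOT listed under the matching
# entry.  "=* ANY" passes the attribute whatever its value; "== value"
# would pass it only when the value matches.  Tunnel-Private-Group-ID,
# NAS-IP-Address and vendor attributes such as Cisco-AVPair are absent
# from this list, so they are stripped before the packet leaves the
# organisation (pre-proxy) or reaches the NAS (post-proxy).
DEFAULT
	User-Name =* ANY,
	Reply-Message =* ANY,
	State =* ANY,
	Class =* ANY,
	Message-Authenticator =* ANY,
	Proxy-State =* ANY,
	EAP-Message =* ANY,
	MS-MPPE-Send-Key =* ANY,
	MS-MPPE-Recv-Key =* ANY,
	Calling-Station-Id =* ANY,
	Operator-Name =* ANY,
	Chargeable-User-Identity =* ANY
```

Run the server with radiusd -X after editing and compare the attribute list printed before and after the attr_filter call to confirm that only the listed attributes survive.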

WHERE IS ATTRIBUTE FILTERING APPLIED?

▸ Filtering is applied in the pre-proxy {} and post-proxy {} sections of the 'default' virtual server.
▸ Pre-proxy applies filtering before the request is sent upstream to the FLR.
▸ Post-proxy applies filtering after the request is received from the FLR.
▸ In both cases the attr_filter call is what actually applies the filter.

[Diagram: IdP (RADIUS server), SP (RADIUS proxy) and NAS (RADIUS client). Traffic for foreign domains is sent to the FLR and traffic for local domains is received from the FLR; local domains are internally routed. Filtering is applied at the RADIUS proxy.]
PRACTICAL - BAD IDP

SETUP THE BAD IDP

▸ Open /etc/raddb/mods-config
▸ Under the "DEFAULT Cleartext-Password" line, tab in one and add "Tunnel-Private-Group-ID := 300"
▸ This will cause your IdP server to send back a VLAN 300 assignment.
▸ Open /etc/raddb/sites-available/default
▸ Comment out the attr_filter.post-proxy line in the pre-proxy {} section
▸ Restart/start your server in debug mode (radiusd -X).

sudo -s
echo -e "\tTunnel-Private-Group-ID := 300" >> /etc/raddb/mods-config/files/authorize
nano /etc/raddb/sites-available/default
exit
TEST THE UNSUSPECTING SP

▸ Use your eapol_test configuration to send a request to your partner institution.
▸ You should now see that the VLAN sent back from your SP is not 100 or 200, but 300! An invalid VLAN.

eapol_test -a 127.0.0.1 -s testing123 -c ~/foreign-ttls-pap.conf


RE-ENABLING FILTERING

▸ Uncomment the attr_filter.post-proxy line in the pre-proxy {} section
▸ Restart your server
▸ Perform the same test. Check that the foreign VLAN is now filtered.

eapol_test -a 127.0.0.1 -s testing123 -c ~/foreign-ttls-pap.conf



CLEANING UP

▸ Open /etc/raddb/mods-config
▸ Remove the Tunnel-Private-Group-ID := 300 line.

nano /etc/raddb/mods-config

Logging And What To Log

EDUROAM WORKSHOP 2019


LOGGING

WHY DO WE NEED TO LOG ATTRIBUTES?

▸ Legal compliance.
▸ Debugging for both local and foreign users.
▸ Statistical analysis.
WHAT NEEDS TO BE LOGGED

▸ At a minimum the following attributes must be logged:
▸ Packet-Type
▸ User-Name (inner)
▸ Calling-Station-Id
▸ Operator-Name
▸ Chargeable-User-Identity
▸ NAS-IP-Address
LOGGING METHODS

▸ linelog - We can write out log entries, one line at a time.
▸ These types of logs are line based (one line per entry).
▸ Written by the rlm_linelog module (the default in the eduroam config you deployed).
▸ Contents can be customised.
▸ detail - Detail files write a complete copy of the packet to disk.

LINELOG

▸ Can log to multiple destinations:
▸ Syslog
▸ Flat file
▸ TCP/UDP socket (IPv4)
▸ Format is fully customisable, and you can create multiple 'instances' of the linelog module, meaning that you can create log messages at different points in your config for debugging later.
▸ Easily ingestible into Splunk, Graylog or anything that processes line-based data.

DETAIL

▸ detail files create a copy of incoming or outgoing packets on disk.
▸ Which packet is logged is dependent on which section in a virtual server the detail module is listed in.
▸ authorize - The incoming packet from the network
▸ post-auth - The response going back to the network
▸ pre-proxy - The response going to the FLR.
▸ post-proxy - The response coming from the FLR.

EFFICIENT LOGGING

▸ Eduroam only requires a record of packets and basic attributes to be logged.
▸ In practice it's easier just to log all attributes, which is what the linelog entries do here:

https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-server_mods-available-linelog

▸ If you want to reduce the amount of data logged to the minimum required by eduroam standards, use the guide here:

https://wiki.freeradius.org/guide/eduroam-logging
PRACTICAL - CUSTOM LINELOG ENTRIES

CUSTOM LINELOG - CONFIG

▸ We're now going to add a custom linelog entry to record any users with badly formatted NAIs.
▸ Open /etc/raddb/mods-available/linelog
▸ Create a new linelog block with the following lines:

linelog linelog_bad_username {
	filename = /tmp/radius_bad_username.log
	format = "action = Reject-Bad-NAI, %{pairs:request:}"
}

▸ This will output any instances where we have a badly formatted username to the file '/tmp/radius_bad_username.log'.
▸ We're just using a file here to separate out log entries, but you could change the other linelog modules in /etc/raddb/mods-available/linelog to log to files instead of syslog.

nano /etc/raddb/mods-available/linelog
CUSTOM LINELOG - CALLING

▸ Open /etc/raddb/sites-available/default
▸ Search for the keyword 'reject' underneath the split_username_nai module call.
▸ Directly above the reject keyword, add 'linelog_bad_username'
▸ Start/restart your server in debug mode (radiusd -X)

nano /etc/raddb/sites-available/default
CUSTOM LOGGING - TESTING

▸ Copy your ttls-pap.conf file to bad-nai-ttls-pap.conf.
▸ Open bad-nai-ttls-pap.conf
▸ Remove all the dots '.' from anonymous_identity.
▸ Run eapol_test with bad-nai-ttls-pap.conf
▸ Check that new entries are created in /tmp/radius_bad_username.log

eapol_test -a 127.0.0.1 -s testing123 -c ~/bad-nai-ttls-pap.conf


cat /tmp/radius_bad_username.log
PRACTICAL - DETAIL LOGGING
DETAIL LOGGING

▸ Sometimes it's easier to debug issues with packet logs in a different format.
▸ We'll now list the detail module in the outer virtual server to show what the other logging formats look like.
▸ Open /etc/raddb/sites-available/default
▸ Under the start of the 'authorize {' section, add 'detail'
▸ Start/restart your server in debug mode (radiusd -X)

nano /etc/raddb/sites-available/default
DETAIL LOGGING - TESTING

▸ Start/restart your server in debug mode (radiusd -X).
▸ Send a test packet using eapol_test with the ttls-pap.conf config.
▸ Look in /var/log/freeradius/radacct/127.0.0.1 and examine the log contents

eapol_test -a 127.0.0.1 -s testing123 -c ~/ttls-pap.conf


cat /var/log/freeradius/radacct/127.0.0.1/*
DETAIL LOGGING - GROUP

▸ By default the detail logs are grouped by IP address
▸ This is useful for debugging issues with a particular NAS
▸ Or debugging issues with local authentication vs authentication via the FLR
▸ Send a test packet to your partner institution
▸ List the directory contents of the log directory
▸ Observe the directories created
▸ Examine the contents of the new directory

eapol_test -a 127.0.0.1 -s testing123 -c ~/foreign-ttls-pap.conf


ls -l /var/log/freeradius/radacct
cat /var/log/freeradius/radacct/<ip address>/*
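Where the per-IP grouping comes from, as an added example that is not one of the workshop slides: a detail module instance in /etc/raddb/mods-available/detail, based on the stock FreeRADIUS 3 definition, with ${radacctdir} assumed to resolve to /var/log/freeradius/radacct as on the workshop server.

```conf
# /etc/raddb/mods-available/detail  (added example, based on the stock
# FreeRADIUS 3.x module definition; ${radacctdir} assumed to be
# /var/log/freeradius/radacct)
detail {
	# The directory name is expanded per packet from the sender's address,
	# which is why eapol_test traffic lands in .../radacct/127.0.0.1/ and
	# each other RADIUS peer (a NAS, or the FLR proxying a foreign user to
	# you) gets its own directory.  %Y%m%d starts a new file every day.
	filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d

	# Detail files are a full copy of the packet, so keep them readable
	# by the radiusd user only.
	permissions = 0600

	# Each record starts with a timestamp line, then one attribute per
	# line, then a blank line that terminates the record.
	header = "%t"

	# Attributes listed here are omitted from the record.  Irrelevant in
	# the outer server (the password is inside the TLS tunnel), but if the
	# same instance is listed in inner-tunnel a PAP request would otherwise
	# be written with User-Password in cleartext.
	suppress {
		User-Password
	}
}
```

To group by something other than the sending address, change only the directory part of filename, for example to %{Realm}, and the ls -l above shows one directory per realm instead.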
BREAK TIME!
