radiuid's Issues

Unable to specify a null userdomain

RadiUID ships with a generic domain configured for the userdomain configuration value and there is no acceptable entry to prevent any domain from being prepended to User-IDs.

Munge rule for \\ no longer accepted

Hi John,

When attempting to create a munge rule to match the \ using the example on the radiuid website, the following error occurs; however, if I specify the partial domain first, for example "CEQ\\", this is accepted.

Here is the output:

administrator@radiuid:~/radiuid$ sudo radiuid set munge 101.0 match "\\" partial

Unrecognized return criterion

A rule's match return criterion activates a rule either when the regex pattern match is COMPLETE or PARTIAL

Acceptable match criteria:
  • set munge 101.0 match \ (complete | partial)

Freeradius logs stores

Hello!

I have installed radiuid with freeradius on Centos 7 and it works perfectly!

But I have one question: can I reconfigure radiuid without deleting logs from $radius_logs_folder/radacct/ ?
I would like to have the possibility to store the FreeRADIUS logs on the local server for history.
Sorry if this already exists, but I don't see how to do it.

Feature Request: Custom Port for Firewall Management

Hi John,

I was wondering if there is any chance that an option for a non-standard port for the management interface of the firewall could be added to the setup wizard?

I have a customer who has to NAT access in to their management network and they wish to use a port other than 443 to access the firewall management via XML (security via obscurity in play).

Thanks in advance
Marcus

Add username regex filter in configfile

There are situations where FreeRADIUS reports poorly formatted usernames. Need to add a feature which will allow users to easily perform filtering on usernames before they are sent to the Palo Alto.

This issue and request was made by Adam here

v2.5.0 FreeRADIUS Client File Issue

Hi John,

I just thought I would let you know that there appears to be a problem with the 2.5.0 installation script.

Initially I tried installing it on Ubuntu 18 LTS and this was unable to create the clients.conf file (it produced an error).

I then went back to Ubuntu 16 LTS and it created the file without an issue, but the subnets I added in the installation wizard never made it into the configuration. I later added them with

sudo radius set clients ipv4 x.x.x.x password

This seemed to save them in the clients.conf; however, freeradius still will not accept radius accounting packets from any of the sources we added (we can now see them with the show clients table/file command).

Has anyone else had any issues with v2.5.0? Is there a way I can install an older version for comparison?

Kind regards,
Marcus Cooke

FreeRADIUS client deprecated format

Hi,

After checking "/var/log/radius/radius.log", I've noticed the warnings below:

Thu Dec 28 21:07:40 2017 : Warning: No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.0.1.0/24. Please fix your configuration
Thu Dec 28 21:07:40 2017 : Warning: Support for old-style clients will be removed in a future release

It would be nice if RadiUID could support the new format of IPv4/IPv6 addresses, instead of the network one:

client host_v4 {
ipv4addr = 10.0.1.10
secret = blahblahblah
}

client host_v6 {
ipv6addr = 2001:db8:1::10
secret = blahblahblah
}

IPv6 Support

Hi,

Is there any roadmap for IPv6 Support (both for actual operation on the network and for pushing IPv6 mappings in UID pushes)?

I've seen this issue (#1) that mentions IPv6 support in version 2, but in my xml conf (version 2.4.2) there is only "Framed-IP-Address" and nothing about "Framed-IPv6-Address".

Delineator Term Not Consistent Among Authenticators

An issue with a consistent Delineator Term (delineatorterm) was found and documented by Dan Hume at http://www.dhume.co.uk/blog/technical/ruckus-radiuid

This issue has to do with the keyword used, when parsing the FreeRADIUS logs, to separate the log entries from each other. By default, RadiUID uses "Acct-Authentic", but it seems that keyword is not present in all RADIUS accounting logs.

Need to find a new way to separate between accounting logs.

merge_dicts KeyError with missing log field

The 'merge_dicts' method is throwing a KeyError exception and quitting the loop (service) when a FreeRADIUS log is scraped which doesn't contain the three required fields (usernameterm, ipaddressterm, and delineatorterm).
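The delineator issue and this KeyError share a root cause: the log scraper splits records on one attribute name and then assumes every record carries every field. The following is an added example (not RadiUID's own code) of a FreeRADIUS detail-file parser that splits records on the timestamp header line, which every record has, and drops records missing a required field instead of raising. The sample log text is constructed, and the set of required attribute names is an assumption for the example.

```python
import re

# Constructed sample of a FreeRADIUS "detail" accounting file: each record is a
# timestamp header line, tab-indented "Attribute = value" lines, then a blank
# line. The second record deliberately lacks Framed-IP-Address and
# Acct-Authentic to reproduce the missing-field case described above.
SAMPLE_DETAIL = """\
Thu Dec 28 21:07:40 2017
\tAcct-Status-Type = Start
\tUser-Name = "alice"
\tFramed-IP-Address = 10.0.1.50
\tAcct-Authentic = RADIUS

Thu Dec 28 21:07:41 2017
\tAcct-Status-Type = Interim-Update
\tUser-Name = "bob"

Thu Dec 28 21:07:42 2017
\tAcct-Status-Type = Stop
\tUser-Name = "carol"
\tFramed-IP-Address = 10.0.1.51
\tAcct-Authentic = Local
"""

# Assumption: these three attributes are what a User-ID push needs.
REQUIRED = ("User-Name", "Framed-IP-Address", "Acct-Status-Type")

# Record boundary: the header line "Thu Dec 28 21:07:40 2017" (day may be
# space-padded). Attribute lines are indented, so they never match this.
HEADER_RE = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}$")
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')


def split_records(text):
    """Split a detail file into records on the timestamp header rather than
    on an attribute such as Acct-Authentic, which not every NAS emits."""
    records, current = [], []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            if current:
                records.append(current)
            current = [line]
        elif line.strip():
            current.append(line)
    if current:
        records.append(current)
    return records


def parse_record(lines):
    """Turn one record's attribute lines into a dict, stripping quotes."""
    attrs = {}
    for line in lines[1:]:  # lines[0] is the timestamp header
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def parse_detail(text, required=REQUIRED):
    """Return (usable, skipped): records with every required field, and the
    dropped records together with the fields they were missing, so the
    caller can log them instead of crashing on a KeyError."""
    usable, skipped = [], []
    for rec in split_records(text):
        attrs = parse_record(rec)
        missing = [f for f in required if f not in attrs]
        if missing:
            skipped.append({"record": attrs, "missing": missing})
        else:
            usable.append(attrs)
    return usable, skipped


if __name__ == "__main__":
    ok, bad = parse_detail(SAMPLE_DETAIL)
    print("usable:", [r["User-Name"] for r in ok])
    print("skipped:", [(r["record"].get("User-Name"), r["missing"]) for r in bad])
```

Splitting on the header line makes the parser independent of which accounting attributes a given NAS vendor chooses to include, and returning the skipped records separately keeps a single malformed entry from stopping the service while still leaving a trail for troubleshooting.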

Docker Support

Issue to track development of Docker support in RadiUID

Periods not allowed in username for push

[root@DEVEL ~]# radiuid push all "testuser.domain.internal" 1.1.1.1
2017-03-09 08:54:54: ##### COMMAND 'push all testuser.domain.internal 1.1.1.1' ISSUED FROM CLI BY USER 'root' #####

########################## EXECUTING COMMAND: push all testuser.domain.internal 1.1.1.1 ##########################
##################################################################################################################
2017-03-09 08:54:54: FATAL: Illegal characters found in username. Valid characters are alphanimeric and underscore (_)

Something Went Wrong!
##################################################################################################################
##################################################################################################################

Error on install

Morning,

I am working on a quite specific project where I need to get Radius logs from our Meraki setup into Palo for user based rules, this looks amazing, thank you for your work!

I don't have a massive amount of experience with Linux installs, so I'm hoping this may be an easy fix. Part way through the install it asked me to log out and then continue; when logging back in I receive the following error.

image

Any tips?

Sending to different targets based on the client the request came from

Hey!

Amazing tool! I've been looking for something for years on and off to do this and your tool is hands down the best I've used.

Was just curious if there was a mechanism in place to push mappings to a specific firewall target based on the client that the accounting request came from? I'm not seeing anything in the documentation for it but maybe I'm missing something obvious here.

Thanks again for the amazing tool!

globalprotect

Hi, I am curious, would this work with the globalprotect client which authenticates to a globalprotect gateway that uses a radius server for authentication? I would like to create security policies based on the user/group if possible...

Features to Add for v2.0.0

  • Add IPv6 Support (both for actual operation on the network and for pushing IPv6 mappings in UID pushes)
  • Add an "Upgrade" feature (will automatically check the GitHub repo for a newer version, download it, and reinstall)
  • Command Interpreter Adds:
    • List all current FreeRADIUS accounting log files
    • Delete all current FreeRADIUS accounting log files
  • Add HA ability (will float a HA IP address between two RadiUID nodes which can fail over between primary and secondary)

Apostrophes in Username halt processing

When RadiUID discovers a username that contains an apostrophe it halts processing and gives the following error when trying to restart the process:

2017-10-11 11:57:14: ##### COMMAND 'service radiuid restart' ISSUED FROM CLI BY USER 'root' #####

***** ARE YOU SURE YOU WANT TO RESTART IT?

Hit CTRL-C to quit. Hit ENTER to continue

########################## STOPPING RADIUID ##########################
######################################################################
● radiuid.service - RadiUID User-ID Service
Loaded: loaded (/etc/systemd/system/radiuid.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2017-10-11 11:55:46 AEDT; 1min 29s ago
Process: 4428 ExecStart=/bin/bash -c cd /bin; python radiuid run (code=exited, status=1/FAILURE)
Main PID: 4428 (code=exited, status=1/FAILURE)

Oct 11 11:55:46 cggs-radiuid bash[4428]: self.radiuid.looper()
Oct 11 11:55:46 cggs-radiuid bash[4428]: File "radiuid", line 2017, in looper
Oct 11 11:55:46 cggs-radiuid bash[4428]: usernames = self.dpr.clean_names(usernames)
Oct 11 11:55:46 cggs-radiuid bash[4428]: File "radiuid", line 1448, in clean_names
Oct 11 11:55:46 cggs-radiuid bash[4428]: clean1 = re.findall(username_regex, value, flags=0)[0]
Oct 11 11:55:46 cggs-radiuid bash[4428]: IndexError: list index out of range
Oct 11 11:55:46 cggs-radiuid systemd[1]: radiuid.service: Main process exited, code=exited, status=1/FAILURE
Oct 11 11:55:46 cggs-radiuid systemd[1]: radiuid.service: Unit entered failed state.
Oct 11 11:55:46 cggs-radiuid systemd[1]: radiuid.service: Failed with result 'exit-code'.
Oct 11 11:57:15 cggs-radiuid systemd[1]: Stopped RadiUID User-ID Service.

To resolve the issue you must issue radiuid clear acct-logs and then start the service again.

Service stops after about 1 hour's operation

Thanks for a superb utility. Just what I need in a school where we are trying to authenticate BYOD from Aerohive APs to the Palo.

Really sorry to pester you with a problem... I am on the versions below (Palo is 8.0.3). Apologies if I have configured something wrong...

-------------------------------------- OPERATING SYSTEM --------------------------------------
***** Current OS is Ubuntu 16.04 xenial *****

------------------------------------------ RADIUID -------------------------------------------
***** Currently running RadiUID 2.4.1 *****

----------------------------------------- FREERADIUS -----------------------------------------
freeradius: FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built on Apr 5 2016 at 13:40:43

Managed to get it up and running and it works great for about 1 hour and then the service stops. I do a show status and get the following:

root@RADIUID:/home/radiuid# radiuid show status
2017-08-02 17:26:20: ##### COMMAND 'show status' ISSUED FROM CLI BY USER 'root' #####

########################## CHECKING RADIUID ##########################
######################################################################
● radiuid.service - RadiUID User-ID Service
Loaded: loaded (/etc/systemd/system/radiuid.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2017-08-02 15:46:34 BST; 1h 39min ago
Process: 4633 ExecStart=/bin/bash -c cd /bin; python radiuid run (code=exited, status=1/FAILURE)
Main PID: 4633 (code=exited, status=1/FAILURE)

Aug 02 15:46:34 RADIUID bash[4633]: File "radiuid", line 3115, in interpreter
Aug 02 15:46:34 RADIUID bash[4633]: self.radiuid.looper()
Aug 02 15:46:34 RADIUID bash[4633]: File "radiuid", line 2007, in looper
Aug 02 15:46:34 RADIUID bash[4633]: statustypes = self.dpr.clean_statuses(statustypes)
Aug 02 15:46:34 RADIUID bash[4633]: File "radiuid", line 1464, in clean_statuses
Aug 02 15:46:34 RADIUID bash[4633]: newdict[key] = cleaned
Aug 02 15:46:34 RADIUID bash[4633]: UnboundLocalError: local variable 'cleaned' referenced before assignment
Aug 02 15:46:34 RADIUID systemd[1]: radiuid.service: Main process exited, code=exited, status=1/FAILURE
Aug 02 15:46:34 RADIUID systemd[1]: radiuid.service: Unit entered failed state.
Aug 02 15:46:34 RADIUID systemd[1]: radiuid.service: Failed with result 'exit-code'.
######################################################################
######################################################################
########################## CHECKING FREERADIUS ##########################
#########################################################################
● freeradius.service - LSB: Radius Daemon
Loaded: loaded (/etc/init.d/freeradius; bad; vendor preset: enabled)
Active: active (running) since Wed 2017-08-02 15:13:36 BST; 2h 12min ago
Docs: man:systemd-sysv-generator(8)
Process: 4614 ExecStop=/etc/init.d/freeradius stop (code=exited, status=0/SUCCESS)
Process: 4644 ExecStart=/etc/init.d/freeradius start (code=exited, status=0/SUCCESS)
Tasks: 6
Memory: 4.0M
CPU: 191ms
CGroup: /system.slice/freeradius.service
└─4680 /usr/sbin/freeradius

Aug 02 15:13:36 RADIUID systemd[1]: Starting LSB: Radius Daemon...
Aug 02 15:13:36 RADIUID freeradius[4644]: * Starting FreeRADIUS daemon freeradius
Aug 02 15:13:36 RADIUID freeradius[4644]: ...done.
Aug 02 15:13:36 RADIUID systemd[1]: Started LSB: Radius Daemon.
#########################################################################
#########################################################################

Config is this
radiuid set radiuslogpath /var/log/freeradius/radacct/
!
radiuid set logfile /etc/radiuid/radiuid.log
!
radiuid set maxloglines 0
!
radiuid set userdomain uppingham
!
radiuid set timeout 60
!
radiuid set looptime 10
!
radiuid set tlsversion 1.2
!
radiuid set radiusstopaction clear
!
!
radiuid clear client all
!
radiuid set client *REMOVED as sensitive
!
radiuid set client *REMOVED as sensitive
!
!
radiuid clear target all
!
radiuid set target *removed as sensitive version 6
!
radiuid set target version:vsys1
!
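The two tracebacks above (the IndexError in clean_names from the apostrophe report and the UnboundLocalError in clean_statuses here) are the same failure mode: one unexpected record raises inside the polling loop and systemd records the whole service as failed. The following is an added example, not RadiUID's code, of a status cleaner where every code path binds its result, wrapped in a per-record loop that logs and skips a bad record rather than terminating. The record layout, the status-to-action mapping and the sample records are constructed assumptions for the example.

```python
import ipaddress
import logging

log = logging.getLogger("radiuid-example")

# Assumption: RADIUS Acct-Status-Type values mapped to User-ID actions.
STATUS_MAP = {"start": "login", "interim-update": "login", "stop": "logout"}

# Constructed records shaped like what a log scraper would hand to the push
# loop. Two are deliberately unusual: an unmapped status and a garbage IP.
RECORDS = [
    {"username": "alice", "ip": "10.0.1.50", "status": "Start"},
    {"username": "bob", "ip": "10.0.1.51", "status": "Accounting-On"},
    {"username": "carol", "ip": "not-an-ip", "status": "Stop"},
    {"username": "dave", "ip": "10.0.1.53", "status": "Stop"},
]


def clean_status(value):
    """Normalise an Acct-Status-Type. The result is assigned on every path,
    so an unknown value returns None instead of leaving a local unbound."""
    cleaned = STATUS_MAP.get(value.strip().lower())
    return cleaned


def build_mapping(record):
    """Build one username-to-IP mapping; raise on anything unusable."""
    action = clean_status(record["status"])
    if action is None:
        raise ValueError("unsupported Acct-Status-Type %r" % record["status"])
    ip = ipaddress.ip_address(record["ip"])  # ValueError on garbage input
    return {"username": record["username"], "ip": str(ip), "action": action}


def process_batch(records):
    """Return (mappings, failures). A failure in one record is logged and
    recorded; it never propagates out of the loop, so one odd accounting
    entry cannot take the service down."""
    mappings, failures = [], []
    for rec in records:
        try:
            mappings.append(build_mapping(rec))
        except (KeyError, ValueError) as exc:
            log.warning("skipping record %r: %s", rec, exc)
            failures.append((rec, str(exc)))
    return mappings, failures


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    good, bad = process_batch(RECORDS)
    print("pushable:", good)
    print("skipped:", len(bad))
```

Catching only the exception types the record handling is known to raise keeps genuine programming errors visible, while the returned failure list gives the operator something to inspect instead of a dead unit in systemctl status.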

show_config_item doesn't properly print

radiuid set maxloglines 1000 outputs the below

2017-04-25 10:49:00:   ##### COMMAND 'set maxloglines 1000' ISSUED FROM CLI BY USER 'root' #####

########################## EXECUTING COMMAND: set maxloglines 1000 ##########################
#############################################################################################
2017-04-25 10:49:00:   ****************Making sure directory: / exists...creating if not****************

2017-04-25 10:49:00:   ****************Writing config change to: /etc/radiuid/radiuid.conf****************

2017-04-25 10:49:00:   <maxloglines> configuration element changed to :

        <maxloglines>
        </maxloglines>
Success!
#############################################################################################
#############################################################################################

Munge discard overridden by accept

Reported by Marcus Cooke on the PacketPushers blog.

A discard step in a munge rule is not successfully stopping the processing of rules.

Rulebase:

radiuid clear munge all
!
radiuid set munge 10.0 match "host/" partial
!
radiuid set munge 10.10 discard
!
radiuid set munge 100.0 match "laptop" partial
!
radiuid set munge 100.10 set-variable domain from-string "mydomain"
!
radiuid set munge 100.15 set-variable slash from-string "\\"
!
radiuid set munge 100.20 set-variable user from-match "([^@]+)"
!
radiuid set munge 100.30 assemble domain slash user
!
radiuid set munge 100.40 accept

Debug Output

[root radiuid]# radiuid request munge-test host/laptop-111111 debug          
########################## MUNGE TEST ##########################
################################################################


----- Sorted index of rules and steps: {'rules': ['rule10', 'rule100'], 'rule100': ['step10', 'step15', 'step20', 'step30', 'step40'], 'rule10': ['step10']} -----








----- Input String: host/laptop-111111 -----



        ----- rule10 -----
                ----- Rule beginning with input: host/laptop-111111 -----
                ----- Loaded Rule: -----
                        <root>
                                <match>
                                        <regex>host/</regex>
                                        <criterion>partial</criterion>
                                </match>
                                <step10>
                                        <discard />
                                </step10>
                        </root>
                ----- Rule match statement regex returned: -----
                        ['host/']

                ----- Matched pattern {'regex': 'host/', 'criterion': 'partial'} for rule10 in input host/laptop-111111 -----

                ----- Loaded step10: {'discard': None} -----
                        ----- 'Discard' interrupt detected and set, breaking out of rule-set and discarding input -----



        ----- rule100 -----
                ----- Rule beginning with input: host/laptop-111111 -----
                ----- Loaded Rule: -----
                        <root>
                                <step30>
                                        <assemble>
                                                <variable1>domain</variable1>
                                                <variable3>user</variable3>
                                                <variable2>slash</variable2>
                                        </assemble>
                                </step30>
                                <step20>
                                        <from-match>([^@]+)</from-match>
                                        <set-variable>user</set-variable>
                                </step20>
                                <step15>
                                        <from-string>\</from-string>
                                        <set-variable>slash</set-variable>
                                </step15>
                                <step10>
                                        <from-string>mydomain</from-string>
                                        <set-variable>domain</set-variable>
                                </step10>
                                <step40>
                                        <accept />
                                </step40>
                                <match>
                                        <regex>laptop</regex>
                                        <criterion>partial</criterion>
                                </match>
                        </root>
                ----- Rule match statement regex returned: -----
                        ['laptop']

                ----- Matched pattern {'regex': 'laptop', 'criterion': 'partial'} for rule100 in input host/laptop-111111 -----

                ----- Loaded step10: {'from-string': 'mydomain', 'set-variable': 'domain'} -----
                        ----- Setting variable domain as value mydomain -----
                        ----- Current variables in the variable list: {'domain': 'mydomain'} -----

                ----- Loaded step15: {'from-string': '\\', 'set-variable': 'slash'} -----
                        ----- Setting variable slash as value \ -----
                        ----- Current variables in the variable list: {'domain': 'mydomain', 'slash': '\\'} -----

                ----- Loaded step20: {'from-match': '([^@]+)', 'set-variable': 'user'} -----
                        ----- Setting variable user as value host/laptop-111111 -----
                        ----- Current variables in the variable list: {'domain': 'mydomain', 'user': 'host/laptop-111111', 'slash': '\\'} -----

                ----- Loaded step30: {'assemble': {'variable1': 'domain', 'variable3': 'user', 'variable2': 'slash'}} -----
                        ----- Assembling Variables: ['variable1', 'variable2', 'variable3'] -----
                        ----- Assemble Result: mydomain\host/laptop-111111 -----

                ----- Loaded step40: {'accept': None} -----
                        ----- 'Accept' interrupt detected and set, breaking out of rule-set and adding input to result -----
        ----- Input mydomain\host/laptop-111111 added to result due to 'accept' interrupt -----
        ----- Current result list: -----
        ----- ['mydomain\\host/laptop-111111'] -----



String input from command line:  host/laptop-111111


String returned by Munge Engine: mydomain\host/laptop-111111



################################################################
################################################################
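The debug trace above shows rule10's discard step firing and rule100 being evaluated anyway, so the accept in rule100 wins. The following is an added example, not RadiUID's munge engine, of a small rule evaluator with the interrupt semantics the report expects: rules run in ascending numeric order, a discard ends evaluation for that input with no result, and an accept returns the assembled string. The rulebase is the one from the report expressed as a Python dict; that layout, and the choice to return the (possibly modified) input when no rule interrupts, are assumptions of the example.

```python
import re

# The rulebase from the report, as data. Assumption: this dict layout is the
# example's own; RadiUID stores its rules differently.
RULEBASE = {
    10: {"match": ("host/", "partial"), "steps": {10: ("discard",)}},
    100: {
        "match": ("laptop", "partial"),
        "steps": {
            10: ("set-variable", "domain", "from-string", "mydomain"),
            15: ("set-variable", "slash", "from-string", "\\"),
            20: ("set-variable", "user", "from-match", "([^@]+)"),
            30: ("assemble", "domain", "slash", "user"),
            40: ("accept",),
        },
    },
}


def rule_matches(pattern, criterion, text):
    """'complete' requires the whole input to match; 'partial' any substring."""
    if criterion == "complete":
        return re.fullmatch(pattern, text) is not None
    return re.search(pattern, text) is not None


def run_rule(steps, text):
    """Run one rule's steps in numeric order.
    Returns ("discard", None), ("accept", value) or ("continue", value)."""
    variables = {}
    current = text
    for _, step in sorted(steps.items()):
        kind = step[0]
        if kind == "discard":
            return "discard", None
        if kind == "accept":
            return "accept", current
        if kind == "set-variable":
            _, name, source, arg = step
            if source == "from-string":
                variables[name] = arg
            else:  # from-match: first capture group, or the whole match
                m = re.search(arg, current)
                if m is None:
                    # Nothing to extract: dropping is safer than pushing a
                    # half-assembled username.
                    return "discard", None
                variables[name] = m.group(1) if m.groups() else m.group(0)
        elif kind == "assemble":
            current = "".join(variables[v] for v in step[1:])
    return "continue", current


def munge(text, rulebase=RULEBASE):
    """Evaluate rules in ascending order. A discard interrupt stops
    evaluation immediately, so no later rule can accept the input."""
    current = text
    for _, rule in sorted(rulebase.items()):
        pattern, criterion = rule["match"]
        if not rule_matches(pattern, criterion, current):
            continue
        outcome, value = run_rule(rule["steps"], current)
        if outcome == "discard":
            return None
        if outcome == "accept":
            return value
        current = value
    # Assumption: with no interrupt the (possibly modified) input falls through.
    return current


if __name__ == "__main__":
    for s in ("host/laptop-111111", "laptop-222222", "desktop-3"):
        print("%-20s -> %r" % (s, munge(s)))
```

Run against the report's input, host/laptop-111111 is dropped by rule10 and rule100 never runs, while laptop-222222 (no host/ prefix) is assembled to mydomain\laptop-222222 as intended.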

v2.4.0 run broken when munge rules exist

Munge rule processing results within push_uids were being assembled back into modipanduserdict in the wrong format, omitting the status field from the dictionary.

-                                       modipanduserdict.update({entry: newuname})
+                                       status = ipanduserdict[entry]["status"]
+                                       modipanduserdict.update({entry: {"username": newuname, "status": status}})
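Review bot: the new lookup ipanduserdict[entry]["status"] on the second added line assumes every entry carries a status key; the merge_dicts issue on this page shows that scraped records can lack expected fields, and a missing key here would raise a KeyError inside push_uids and stop the whole push. Consider status = ipanduserdict[entry].get("status") and skipping (with a log line) any entry where it is None, so a single malformed record cannot halt processing of the others.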

PAN-OS 8.0 support

Although I'm successfully running RadiUID with PAN-OS 8.0.5 using the "version 7" tag, it would be nice if a "version 8" tag were added.

Munge rule not accepting certain Regex

Hi John,

Long time no chat! How are you?

I just had a query about a certain Regex I am trying to use in a munge rule which RadiUID doesn't seem to accept:

([^\\]+$)

This should select everything after the \ as the username.

I am trying to use this instead of using [a-zA-Z0-9]+$ as I have some usernames in the following format that won't match correctly:

ww_xx\yy.zz

Instead of matching yy.zz it matches zz only and gets transformed into ww_xx\zz (yes, they are using an underscore in the NT domain).

It is very strange, it only happens with a certain few usernames and https://www.regextester.com/ seems to exhibit the same behaviour. I can email you the full domain\username I am testing if you require it. I just thought that being able to use ([^\\]+$) would be easier.

Regards,
Marcus
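The two patterns in this report behave differently on ww_xx\yy.zz because [a-zA-Z0-9]+$ cannot include the period, so the only run of allowed characters that reaches the end of the string is zz, whereas ([^\\]+$) takes everything after the last backslash. The following added example (not RadiUID's code) runs both patterns over constructed usernames, and also shows the safe form of the clean_names step from the apostrophe and period reports above: a no-match returns None instead of indexing findall()[0], and the allowed-character check is a separate, explicit step. The allowed character set and sample names are assumptions of the example.

```python
import re

# Constructed usernames covering the cases raised in the issues above.
SAMPLES = ["ww_xx\\yy.zz", "CEQ\\jsmith", "o'brien",
           "testuser.domain.internal", "plain"]

ALNUM_TAIL = r"[a-zA-Z0-9]+$"    # the pattern the report says yields only "zz"
AFTER_BACKSLASH = r"([^\\]+$)"   # everything after the last backslash
# Assumption: letters, digits, underscore, period and hyphen are pushable.
ALLOWED = re.compile(r"^[\w.\-]+$")


def extract(pattern, value):
    """Return the first capture group (or whole match) of pattern in value,
    or None when nothing matches. Indexing re.findall(...)[0] on an empty
    result is what raised the IndexError in the apostrophe report."""
    m = re.search(pattern, value)
    if m is None:
        return None
    return m.group(1) if m.groups() else m.group(0)


def clean_name(value, pattern=AFTER_BACKSLASH):
    """Extract the bare username, then validate it against ALLOWED.
    Returns None for anything that should not be pushed."""
    user = extract(pattern, value)
    if user is None or not ALLOWED.match(user):
        return None
    return user


def clean_names(values, pattern=AFTER_BACKSLASH):
    """Clean a batch, returning (cleaned, rejected) so that a name which
    cannot be extracted or contains disallowed characters is reported
    rather than crashing the loop."""
    cleaned, rejected = [], []
    for v in values:
        u = clean_name(v, pattern)
        if u is None:
            rejected.append(v)
        else:
            cleaned.append(u)
    return cleaned, rejected


if __name__ == "__main__":
    for s in SAMPLES:
        print("%-28s alnum-tail=%-8r after-backslash=%r"
              % (s, extract(ALNUM_TAIL, s), extract(AFTER_BACKSLASH, s)))
    print(clean_names(SAMPLES))
```

Separating extraction from validation also answers the period report: whether a character is legal in a pushed User-ID is decided once, in ALLOWED, rather than being an accident of which characters the extraction regex happens to include.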
