multuple ldap freeradius ssid

2011-05-16 Thread seb2020
Hi,

I have a question. I already read how to do this, but I'm not sure if it
works!

So, what do I want? I have 2 SSIDs: students and another one, staff. I want to
have two ldap instances for authenticating my users.

In the /module/ldap, I have set ldap students { some stuff } and ldap staff
{ some stuff }. But now, what do I need to do?

My access point is Aruba. I can use the value Aruba-Essid-Name for
choosing which instance I need to use. In the /site-avaible/inner-tunel,
what do I need to do?

Something like that?

if (Aruba-Essid-Name==students) { students }
elsif {staff}

Thanks for your reply, and sorry for my English, I'm French ;)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Renaming during Machine Authentication

2011-05-16 Thread Phil Mayers

On 05/16/2011 01:03 AM, Mark Jones wrote:

> Hi Phil thanks for answering. I am trying to authenticate the
> machines on bootup. I have an edir backend and am following this cool
> solutions article which is fairly old:
> http://www.novell.com/coolsolutions/feature/17044.html  In it they
> talk about attrib-rewrite but use it in the radiusd.conf file which
> in my limited knowledge of freeradius I think is an older way of
> doing it.



Yeah, don't do it that way. Aside from the config in the article being 
subtly wrong (regexp in the 2nd rewrite module isn't right), there are 
easier ways to accomplish mutating the username if you need to do that, 
which you don't because you can just use %{mschap:User-Name} and it'll 
do it for you (as well as being more obvious IMHO).




> Right now if I join a machine to the samba domain I have created, it
> automatically is imported into edirectory and named machinename$.
> The article is not complete so I am really not sure if the machine is


I'm not familiar with eDir so can't say.

Is it working for you now? If not, post a debug and someone can probably 
suggest what needs changing.



Re: multuple ldap freeradius ssid

2011-05-16 Thread Alexander Clouter
seb2020 girard@gmail.com wrote:
 
> I have a question. I already read how to do this, but I'm not sure if 
> it works!
>
> So, what do I want? I have 2 SSIDs: students and another one, staff. I 
> want to have two ldap instances for authenticating my users.
>
You really do *not* want to do this.  Have both the staff and students 
connect to the same SSID (for example 'eduroam') and use your RADIUS 
server to use an LDAP group check (or username style) to find out how to 
treat them.  For example, place them into a different VLAN.

> In the /module/ldap, I have set ldap students { some stuff } and ldap 
> staff { some stuff }. But now, what do I need to do?
>
> My access point is Aruba. I can use the value Aruba-Essid-Name for 
> choosing which instance I need to use. In the 
> /site-avaible/inner-tunel, what do I need to do?
>
> Something like that?
>
FreeRADIUS is (was?) a bit picky about how the if/else layout is, so you 
need:

if (Aruba-Essid-Name == "students") {
  ...students...
}
else {
  ...staff...
}


I *strongly* recommend you go with the single SSID and use RADIUS in the 
background; getting everyone at a later date to move to a different 
SSID is a real pain.

> Thanks for your reply, and sorry for my English, I'm French ;)

We forgive you... ;)

Cheers

-- 
Alexander Clouter
.sigmonster says: A modem is a baudy house.



Re: multuple ldap freeradius ssid

2011-05-16 Thread seb2020
Thanks for your reply!

I will do what you say! I will make one SSID and check the group of my
user with the OU of the user.

My user is for example: user.group.locality.tree

How can I retrieve the group of my user? And this verification, do I need to
make it in this file /site-avaible/inner-tunel?

-
From Switzerland


Re: multuple ldap freeradius ssid

2011-05-16 Thread seb2020
Thanks for your reply!

I will do what you say! I will make one SSID and check the group of my
user with the OU of the user.

My user is for example: user.group.locality.tree

How can I retrieve the number of letters in my login name?
And this verification, do I need to make it in this file /site-avaible/inner-tunel
with something like that? But how can I retrieve the length of the
username with this code? Use a regex?

modules/ldap:

ldap {
  basedn = ou=%{Tmp-String-0},o=XXX
  ...
}

sites-available/...

authorize {
  if (username have 3 letters) {
    update request {
      Tmp-String-0 = ou=xx,ou=xx
    }
  }
  elsif (username have 8 letters) {
    update request {
      Tmp-String-0 = ou=xx,ou=xx
    }
  }
}

Finally, I want to put my students in the VLAN students, and the staff in
the VLAN staff.

-
From Switzerland


Using LDAP with EAP-TLS

2011-05-16 Thread Alexandros Gougousoudis

Hi,

I'm trying to make FR 2.1.10 on Squeeze work with my LDAP installation. 
What I want to do is:


A host-based authentication for my workstations. All the names of the 
workstations are in LDAP, the authentication itself should be done 
with EAP-TLS. I would like to have a hint how to start EAP when the 
LDAP-Query was successful. The LDAP-Query works I think, FR says: 
[ldap] user scit-beerchen authorized to use remote access, but then it 
tries to make some kind of password authentication (I have no password 
for workstations in LDAP), and is not starting EAP-TLS. The asking host 
scit-beerchen is in the WLAN-User Group.


What could I do?

Please have a look at my debug output:

rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, 
length=139

   User-Name = scit-beerchen
   NAS-IP-Address = 10.48.244.28
   Called-Station-Id = 0016b64f44cc
   Calling-Station-Id = 002268c63ff2
   NAS-Identifier = 0016b64f44cc
   NAS-Port = 11
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x021201736369742d626565726368656e
   Message-Authenticator = 0x12969f7ffa42f57be53a54474c1274be
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = scit-beerchen, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = scit-beerchen, looking up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> scit-beerchen
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(uid=scit-beerchen)
[ldap]  expand: dc=verwaltung,dc=kh-berlin,dc=de -> 
dc=verwaltung,dc=kh-berlin,dc=de

 [ldap] ldap_get_conn: Checking Id: 0
 [ldap] ldap_get_conn: Got Id: 0
 [ldap] attempting LDAP reconnection
 [ldap] (re)connect to physalis:389, authentication 0
 [ldap] bind as / to physalis:389
 [ldap] waiting for bind result ...
 [ldap] Bind was successful
 [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with 
filter (uid=scit-beerchen)

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that 
the user is configured correctly?

[ldap] user scit-beerchen authorized to use remote access
 [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  
Authentication may fail because of this.

++[pap] returns noop
[ntlm_auth] expand: --username=%{mschap:User-Name} -> 
--username=scit-beerchen

[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password 
(0xc06a)

Exec-Program: returned: 1
++[ntlm_auth] returns reject
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> scit-beerchen
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, 
length=139

Cleaning up request 0 ID 0 with timestamp +1034
   User-Name = scit-beerchen
   NAS-IP-Address = 10.48.244.28
   Called-Station-Id = 0016b64f44cc
   Calling-Station-Id = 002268c63ff2
   NAS-Identifier = 0016b64f44cc
   NAS-Port = 11
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x021201736369742d626565726368656e
   Message-Authenticator = 0x11c70e19e2f1150428f5cc12d535e57b
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = scit-beerchen, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = scit-beerchen, looking up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] 

Re: Using LDAP with EAP-TLS

2011-05-16 Thread Phil Mayers

On 16/05/11 13:32, Alexandros Gougousoudis wrote:

> Hi,
>
> I'm trying to make FR 2.1.10 on Squeeze work with my LDAP installation.
> What I want to do is:
>
> A host-based authentication for my workstations. All the names of the
> workstations are in LDAP, the authentication itself should be done
> with EAP-TLS. I would like to have a hint how to start EAP when the
> LDAP-Query was successful. The LDAP-Query works I think, FR says:
> [ldap] user scit-beerchen authorized to use remote access, but then it
> tries to make some kind of password authentication (I have no password
> for workstations in LDAP), and is not starting EAP-TLS. The asking host
> scit-beerchen is in the WLAN-User Group.
>
> What could I do?



The reason it's failing is nothing to do with LDAP. It's because you've 
added a module ntlm_auth to the authorize section.



> [ntlm_auth] expand: --username=%{mschap:User-Name} ->
> --username=scit-beerchen
> [ntlm_auth] expand: --password=%{User-Password} -> --password=
> Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
> Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password
> (0xc06a)
> Exec-Program: returned: 1
> ++[ntlm_auth] returns reject
> Using Post-Auth-Type Reject


You've broken the default configs by adding in modules you don't need 
and don't understand.


Go back to the default configs. Then *just* configure LDAP, and things 
will work.



Re: Using LDAP with EAP-TLS

2011-05-16 Thread Alan DeKok
Alexandros Gougousoudis wrote:
> A host-based authentication for my workstations. All the names of the
> workstations are in LDAP, the authentication itself should be done
> with EAP-TLS. I would like to have a hint how to start EAP when the
> LDAP-Query was successful.

  You don't.

  Instead, do reject the user if the LDAP query failed.

> The LDAP-Query works I think, FR says:
> [ldap] user scit-beerchen authorized to use remote access, but then it
> tries to make some kind of password authentication (I have no password
> for workstations in LDAP), and is not starting EAP-TLS. The asking host
> scit-beerchen is in the WLAN-User Group.
>
> What could I do?

  Read the debug log you posted to the list.

  You're forcing Auth-Type, and using ntlm_auth for EAP-TLS.  This is wrong.

  Don't force Auth-Type.

  Alan DeKok.


Re: multuple ldap freeradius ssid

2011-05-16 Thread Alexander Clouter
seb2020 girard@gmail.com wrote:

> I will do what you say! I will make one SSID and check the group of my
> user with the OU of the user.
>
> My user is for example: user.group.locality.tree
>
> How can I retrieve the number of letters in my login name?
> And this verification, do I need to make it in this file /site-avaible/inner-tunel
> with something like that? But how can I retrieve the length of the
> username with this code? Use a regex?
>
> modules/ldap:
>
> ldap {
>   basedn = ou=%{Tmp-String-0},o=XXX
>   ...
> }
>
> sites-available/...
>
> authorize {
>   if (username have 3 letters) {
>     update request {
>       Tmp-String-0 = ou=xx,ou=xx
>     }
>   }
>   elsif (username have 8 letters) {
>     update request {
>       Tmp-String-0 = ou=xx,ou=xx
>     }
>   }
> }
>
That's not going to work too great, it's also horrible :)

If you do not have the option to use 'Ldap-Group' (you should be able to 
use LDAP groups, otherwise, why are you using LDAP?) to test group 
membership, then you will need to use something like what's below.

> Finally, I want to put my students in the VLAN students, and the staff in
> the VLAN staff.
>
The 'RFC' way to do it is add something like the following to your 
post-auth{} section ('authorize'/'authenticate' will Reject invalid 
users):

# defaults
update reply {
  Tunnel-Type := VLAN
  Tunnel-Medium-Type := IEEE-802
  Tunnel-Private-Group-Id := unauthorised

  Termination-Action := RADIUS-Request
  Session-Timeout := 300

  Acct-Interim-Interval := 3600
}

if (request:User-Name =~ /^.{3}$/) {
  update reply {
    Tunnel-Private-Group-Id := staff
  }
}
elsif (request:User-Name =~ /^.{8}$/) {
  update reply {
    Tunnel-Private-Group-Id := student
  }
}

if (reply:Tunnel-Private-Group-Id != unauthorised) {
  update reply {
    # Cisco only support a max of 65535
    Session-Timeout := 64800
  }
}


Aruba might expect something different, so you should check with *them* 
(remember, this is a FreeRADIUS support mailing list, *not* an Aruba 
one).

Cheers

-- 
Alexander Clouter
.sigmonster says: A vivid and creative mind characterizes you.
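The post-auth{} section above hands the VLAN back as RFC 2868 tagged Tunnel-* attributes, and the switch or controller only applies it when those three attributes pair up. What follows is an added example of mine, not code from FreeRADIUS or from Alexander's post: it builds the attribute list that section would send for a given username, parses it with the length and tag checks a NAS has to apply, and reports which VLAN and Session-Timeout result. Attribute numbers and the VLAN/IEEE-802 values are the standard ones from RFCs 2865, 2866, 2868 and 3580; the usernames in the checks are constructed.

```python
import re
import struct

# Attribute numbers: RFC 2865 (Session-Timeout, Termination-Action),
# RFC 2866 (Acct-Interim-Interval), RFC 2868 (Tunnel-*).
SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCT_INTERIM_INTERVAL = 85
TUNNEL_TYPE_VLAN = 13            # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 2868
TERMINATION_RADIUS_REQUEST = 1   # RFC 2865
INT_ATTRS = {SESSION_TIMEOUT, TERMINATION_ACTION, ACCT_INTERIM_INTERVAL}
TAGGED_INT = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}


def encode_attr(attr, value, tag=0):
    """Type/Length/Value. Tunnel-Type and Tunnel-Medium-Type are a tag octet
    plus a 3-octet integer, Tunnel-Private-Group-Id a tag octet plus a string."""
    if attr in TAGGED_INT:
        body = bytes([tag]) + struct.pack("!I", value)[1:]
    elif attr == TUNNEL_PRIVATE_GROUP_ID:
        body = bytes([tag]) + value.encode()
    elif attr in INT_ATTRS:
        body = struct.pack("!I", value)
    else:
        body = value.encode()
    if len(body) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return bytes([attr, len(body) + 2]) + body


def build_reply(user_name):
    """The attribute list the quoted post-auth{} section would send:
    VLAN defaults, staff/student by username length, and the longer
    Session-Timeout only when a real VLAN was assigned."""
    vlan = "unauthorised"
    if re.fullmatch(r".{3}", user_name):
        vlan = "staff"
    elif re.fullmatch(r".{8}", user_name):
        vlan = "student"
    timeout = 300 if vlan == "unauthorised" else 64800
    return b"".join([
        encode_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
        encode_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802),
        encode_attr(TUNNEL_PRIVATE_GROUP_ID, vlan),
        encode_attr(TERMINATION_ACTION, TERMINATION_RADIUS_REQUEST),
        encode_attr(SESSION_TIMEOUT, timeout),
        encode_attr(ACCT_INTERIM_INTERVAL, 3600),
    ])


def decode_attrs(data):
    """Walk an attribute list as a NAS must, checking every length against
    the buffer before using it. Returns [(type, tag, value)]."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at %d" % i)
        attr, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad length %d at offset %d" % (length, i))
        body = data[i + 2:i + length]
        i += length
        if attr in TAGGED_INT:
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 octets")
            out.append((attr, body[0], int.from_bytes(body[1:], "big")))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 s.3.6: a first octet above 0x1F is not a tag but
            # the first character of the group name (treated as tag 0).
            if body and body[0] <= 0x1F:
                out.append((attr, body[0], body[1:].decode()))
            else:
                out.append((attr, 0, body.decode()))
        elif attr in INT_ATTRS:
            if len(body) != 4:
                raise ValueError("integer attribute must be 4 octets")
            out.append((attr, None, int.from_bytes(body, "big")))
        else:
            out.append((attr, None, body))
    return out


def assigned_vlan(data):
    """(vlan, session_timeout) a switch would apply: the three Tunnel-*
    attributes must share one tag and say VLAN over IEEE-802, otherwise
    no VLAN is assigned at all."""
    groups, timeout = {}, None
    for attr, tag, value in decode_attrs(data):
        if attr in TAGGED_INT or attr == TUNNEL_PRIVATE_GROUP_ID:
            groups.setdefault(tag, {})[attr] = value
        elif attr == SESSION_TIMEOUT:
            timeout = value
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID], timeout
    return None, timeout
```

A reply carrying only Tunnel-Private-Group-Id (or a wrong medium type) yields no VLAN here, which is the same silent fallback to the port's default VLAN you would see on the switch, so check all three attributes in radtest output, not just the group name.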



Re: Using LDAP with EAP-TLS

2011-05-16 Thread Alexandros Gougousoudis

Hi Phil,

Phil Mayers wrote:
> You've broken the default configs by adding in modules you don't need 
> and don't understand.
>
>
> Go back to the default configs. Then *just* configure LDAP, and things 
> will work.


That's what I did right now, EAP starts (Ubuntu 10.04, with working cert 
on FR 1.1) but the conversation is ended without Access-OK.


Phil, I also understand a lot of things and I can read, but the 
documentation of FR is not ideal. I've googled around, looked at examples 
and had more questions than before. Where are all these features 
documented, like the if-then things in the conf, all the keywords like 
ok=return and so on, what's the difference between Autz-Type and 
Auth-Type? The only place to get help is here on the list; on the net 
you find a lot of info on FR 1.1 and 2 (one is deployingradius and one the 
FR site), sites containing a little bit of information, not much more than 
the conf files coming with the FR archive. I'm not complaining, because 
it's an open source project, but you should note that it's sometimes not 
the lack of understanding but the lack of well documented features. And 
if I can't find the info I need in the docs, I start to try things out.


I've added ntlm_auth to authorize requests from NT4 users, didn't know 
that this is a no-go. :-)


Here's my debug:

rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, 
length=139

   User-Name = scit-beerchen
   NAS-IP-Address = 10.48.244.28
   Called-Station-Id = 0016b64f44cc
   Calling-Station-Id = 002268c63ff2
   NAS-Identifier = 0016b64f44cc
   NAS-Port = 11
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x021201736369742d626565726368656e
   Message-Authenticator = 0x651ac911817a87ba89a408f0d94ab4aa
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = scit-beerchen, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = scit-beerchen, looking up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> scit-beerchen
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(uid=scit-beerchen)
[ldap]  expand: dc=verwaltung,dc=kh-berlin,dc=de -> 
dc=verwaltung,dc=kh-berlin,dc=de

 [ldap] ldap_get_conn: Checking Id: 0
 [ldap] ldap_get_conn: Got Id: 0
 [ldap] attempting LDAP reconnection
 [ldap] (re)connect to physalis:389, authentication 0
 [ldap] bind as / to physalis:389
 [ldap] waiting for bind result ...
 [ldap] Bind was successful
 [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with 
filter (uid=scit-beerchen)

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that 
the user is configured correctly?

[ldap] user scit-beerchen authorized to use remote access
 [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  
Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.48.244.28 port 3079
   EAP-Message = 0x010100060d20
   Message-Authenticator = 0x
   State = 0xe9291e9ae928135b6c752006f18ad076
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, 
length=240

Cleaning up request 0 ID 0 with timestamp +22
WARNING: !!
WARNING: !! EAP session for state 0xe9291e9ae928135b did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!

   User-Name = scit-beerchen
   NAS-IP-Address = 10.48.244.28
   Called-Station-Id = 0016b64f44cc
   Calling-Station-Id = 002268c63ff2
   NAS-Identifier = 0016b64f44cc
   NAS-Port = 11
   Framed-MTU = 1400
   State = 

Failed to build FR 2.1.10 (64-bit) on Solaris 10 x86

2011-05-16 Thread Chris Howley
Alan,

I'm unable to build a 64-bit version of FreeRADIUS 2.1.10 on Solaris 10 9/10 
s10x_u9wos_14a X86 owing to the following
problem. I'm using the latest software from the 2.1.x git repository and gcc 
version 3.4.3.

I've noticed that the 'FNM_FILE_NAME' flag is not declared in the fnmatch.h 
file on my system if this helps.

Thanks in advance,

Chris



gcc -m64 -O -g -I/opt/local/include -I/opt/webstack/mysql/include/mysql -Wall 
-D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -g -Wshadow 
-Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes 
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W 
-Wredundant-decls -Wundef -I/export/home/ecl6ch/freeradius-server/src 
-I/export/home/ecl6ch/freeradius-server/libltdl -c rlm_detail.c  -fPIC -DPIC -o 
.libs/rlm_detail.o
rlm_detail.c: In function `do_detail':
rlm_detail.c:276: warning: comparison between pointer and integer
rlm_detail.c:278: error: `FNM_FILE_NAME' undeclared (first use in this function)
rlm_detail.c:278: error: (Each undeclared identifier is reported only once
rlm_detail.c:278: error: for each function it appears in.)
gmake[6]: *** [rlm_detail.lo] Error 1
gmake[6]: Leaving directory 
`/export/home/ecl6ch/freeradius-server/src/modules/rlm_detail'
gmake[5]: *** [rlm_detail] Error 2
gmake[5]: Leaving directory `/export/home/ecl6ch/freeradius-server/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/export/home/ecl6ch/freeradius-server/src/modules'
gmake[3]: *** [modules] Error 2
gmake[3]: Leaving directory `/export/home/ecl6ch/freeradius-server/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/export/home/ecl6ch/freeradius-server/src'
gmake[1]: *** [src] Error 2
gmake[1]: Leaving directory `/export/home/ecl6ch/freeradius-server'
gmake: *** [all] Error 2



attrs.pre-proxy in V2

2011-05-16 Thread Steve Brown
Hi chaps,

I'm slightly confused with the different V2 semantics. I'm trying to truncate
the Framed-IP-Address to the first three quads for a particular realm
(somerealm below) when a particular attribute contains particular text:

In pre V2, something like this would do the trick:

somerealm  Some-Attribute == Some,text
	Framed-IP-Address =~ ^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+,
	Framed-IP-Address := `%{1}`,
	Fall-Through = Yes


What would the equivalent rule for V2 be? The above doesn't appear to do what I
want.

Steve


Re: Using LDAP with EAP-TLS

2011-05-16 Thread Alexandros Gougousoudis

Hi Alan,

Alan DeKok wrote:

>   You're forcing Auth-Type, and using ntlm_auth for EAP-TLS.  This is wrong.
>
>   Don't force Auth-Type.
  
I didn't want that, now after kicking out ntlm_auth things work, even 
the cert has been accepted. I assume the problem I had was that the 
time of the radius machine was not synchronised with the network and the 
signal for WLAN was too low. After fixing both, the conversation worked 
and I got an Access-Accept.


Thanks to you and Phil for the help.

bye
Alex



unlang conditionals

2011-05-16 Thread d...@hotmail.com
Hello...

This is probably a very silly issue. I have the following on my default
file:

update control {
   Tmp-String-0 = "%{sql:select a from paq where CallingStationId='%{Calling-Station-Id}'}"
   Tmp-String-5 = "%{sql:select b from paq where CallingStationId='%{Calling-Station-Id}'}"
}

if (control:Tmp-String-0 > control:Tmp-String-5) {

}


On the radius logs I see the following:

expand: %{sql:select a from paq where 
CallingStationId='%{Calling-Station-Id}'} -> 693492
expand: %{sql:select b from paq where 
CallingStationId='%{Calling-Station-Id}'}' -> 174080
++[control] returns ok
++? if (control:Tmp-String-0 > control:Tmp-String-5)
? Evaluating (control:Tmp-String-0 > control:Tmp-String-5) -> FALSE
++? if (control:Tmp-String-0 > control:Tmp-String-5) -> FALSE


Why is the condition giving FALSE even though it is already met?






Re: Failed to build FR 2.1.10 (64-bit) on Solaris 10 x86

2011-05-16 Thread Alan DeKok
Chris Howley wrote:
> Alan,
>
> I'm unable to build a 64-bit version of FreeRADIUS 2.1.10 on Solaris 10 9/10 
> s10x_u9wos_14a X86 owing to the following
> problem. I'm using the latest software from the 2.1.x git repository and gcc 
> version 3.4.3.
>
> I've noticed that the 'FNM_FILE_NAME' flag is not declared in the fnmatch.h 
> file on my system if this helps.

  Edit src/include/autoconf.h, and delete the line saying HAVE_FNMATCH

  Then, re-build.  But don't do configure again.

  Alan DeKok.


Re: unlang conditionals

2011-05-16 Thread d...@hotmail.com
Hello... This is probably a very silly issue. I have the following on my
default file: 

update control {
   Tmp-String-0 = "%{sql:select a from paq where CallingStationId='%{Calling-Station-Id}'}"
   Tmp-String-5 = "%{sql:select b from paq where CallingStationId='%{Calling-Station-Id}'}"
}

if (control:Tmp-String-0 > control:Tmp-String-5) {

}

On the radius logs I see the following:

expand: %{sql:select a from paq where
CallingStationId='%{Calling-Station-Id}'} -> 693492
expand: %{sql:select b from paq where
CallingStationId='%{Calling-Station-Id}'}' -> 174080
++[control]  returns ok
++? if (control:Tmp-String-0 > control:Tmp-String-5)
? Evaluating (control:Tmp-String-0 > control:Tmp-String-5) -> FALSE
++? if (control:Tmp-String-0 > control:Tmp-String-5) -> FALSE


Why is the condition giving FALSE even though it is already met?



Re: attrs.pre-proxy in V2

2011-05-16 Thread Alan DeKok
Steve Brown wrote:
> Hi chaps,
>
> I'm slightly confused with the different V2 semantics. I'm trying to truncate
> the Framed-IP-Address to the first three quads for a particular realm
> (somerealm below) when a particular attribute contains particular text:

  You can't really do that.  IP addresses have 4 octets...

  My $0.02 is to put the truncated value into a separate attribute, then
add the final octet to that when you create the Framed-IP-Address.

> What would the equivalent rule for V2 be? The above doesn't appear to do what 
> I
> want.

  Probably because v2 is pickier: a 3-octet IP address is not valid.

  Alan DeKok.


LDAP: More than one searchfilter

2011-05-16 Thread Alexandros Gougousoudis

Hi,

just one other question, how is it possible to have (or control) more 
than one filter in the ldap module? I use our LDAP to have access via 
PEAP or EAP-TLS, this works, thanks to this list.


The problem now is that workstations are stored as WORKSTATIONNAME$ 
(with a $ at the end, thanks to Samba) and the user is stored with its 
username. Unfortunately, the workstations come in their RADIUS request 
without the $ sign, just the name. So if I want to look up a 
workstation name I have to add a $ sign to every request, or LDAP won't 
find it. Otherwise the $ shouldn't be added while looking for a username.


Is there an idea how to control the ldap filter for this?

TIA
Alex



documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-16 Thread John Dennis

On 05/16/2011 10:13 AM, Alexandros Gougousoudis wrote:

> Phil, I also understand a lot of things and I can read, but the
> documentation of FR is not ideal. I've googled around, looked at examples
> and had more questions than before. Where are all these features
> documented, like the if-then things in the conf, all the keywords like
> ok=return and so on, what's the difference between Autz-Type and
> Auth-Type? The only place to get help is here on the list; on the net
> you find a lot of info on FR 1.1 and 2 (one is deployingradius and one the
> FR site), sites containing a little bit of information, not much more than
> the conf files coming with the FR archive. I'm not complaining, because
> it's an open source project, but you should note that it's sometimes not
> the lack of understanding but the lack of well documented features. And
> if I can't find the info I need in the docs, I start to try things out.


+1

I have to agree, the lack of comprehensive documentation, including an 
overview of concepts and the flow of operations, is the greatest 
impediment to the success of FreeRADIUS as an open source project. The 
power and flexibility of FreeRADIUS is awesome; Alan and the other 
developers have done a wonderful job of providing the open source 
community with a fantastic piece of critical software. They have 
excelled at constant innovation and timely bug fixes. The response on 
the mailing list is exceptional.


But all these positive attributes are sometimes negated by the 
difficulty of understanding the system. Many justifiably feel 
configuring FreeRADIUS is a black art. It's often been pointed out that 
config files, doc directory and the wiki contains all you need to know. 
There is a modicum of truth in that. But the reality is it's very 
difficult to locate, extract, interpret and interpolate the missing 
pieces to form a functioning mental model in order to accomplish a 
specific deployment task.


I've worked with FreeRADIUS for a while now and I'm still confounded by 
things I don't know, incorrect expectations of behavior (e.g. != does 
not work for group testing). There are things which as far as I can tell 
are simply not documented. Just last week I had to help someone who was 
frustrated by the inability to add attributes to successfully proxied 
Auth-Accepts using a users file. By reading the source I found the 
postproxy_users_file config; as far as I could tell this is completely 
undocumented. When it comes to supporting users, "Use the source, Luke" 
isn't viable.


I'd like to suggest the next most important task item for the team is not 
the 3.0 release, it's not any change to the code base. Rather the single 
most important task is producing comprehensive documentation collected in a 
single location augmented with cookbook examples of how to solve common 
deployment problems.


I'll wager the time spent on this list answering questions will greatly 
diminish, thus providing free time for feature enhancements and bug 
fixes. I'm also concerned at the obvious frustration expressed countless 
times on this list where folks have spent days, weeks, or in some cases 
months beating their heads against the wall in frustration. There will 
be a tipping point at some point in the future where that frustration 
will doom the project as it gets replaced by an alternative or forked. 
I've been in open source long enough to have seen this scenario play out 
multiple times.


Just my 2 cents, worth what you paid for it :-) I'll now return you to 
your regular scheduled programming :-)


And in case you missed it above, Alan and everyone else have done a 
wonderful job and provided a fantastic service to the community. All I'm 
suggesting here is the task priorities need to be tweaked a bit.


P.S.:

One thing which has been lacking in the project is a public list of the 
project team. One might make the assumption Alan is the sole 
contributor; if so then that's truly amazing. But I'm going to guess 
others are involved. We would like to thank them as well and perhaps 
have some more insight into the project's organization. At best all I've 
been able to do is intuit, based on reading this list and the dev list 
over an extended period, that some list participants seem to have such an 
extensive knowledge it suggests to me they must be on the development 
team, either that or just like myself they've spent a lot of time 
reading the source code out of necessity. Questions like, what is the 
project's timeline, what is upcoming in new releases, what is the 
anticipated release schedule, how is the project organized, who are 
significant players and what are their roles, are information usually 
published by open source projects but have been missing (maybe just 
another example of missing documentation?).


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Renaming during Machine Authentication

2011-05-16 Thread Mark Jones
Thanks Phil. I am out of the office until Thursday but on my first message I 
posted the debug from bootup where it fails..is there more output I need to 
post later this week?

Mark

Sent from my Blackberry® wireless device
 
-Original Message-
From: Phil Mayers p.may...@imperial.ac.uk
To:  freeradius-users@lists.freeradius.org

Sent: 5/16/2011 3:01:35 AM
Subject: Re: Renaming during Machine Authentication

On 05/16/2011 01:03 AM, Mark Jones wrote:
 Hi Phil thanks for answering. I am trying to authenticate the
 machines on bootup. I have an edir backend and am following this cool
 solutions article which is fairly old:
 http://www.novell.com/coolsolutions/feature/17044.html  In it they
 talk about atrrib-rewrite but use it in the radiusd.conf file which
 in my limited knowledge of freeradius I think is an older way of
 doing it.


Yeah, don't do it that way. Aside from the config in the article being 
subtly wrong (regexp in the 2nd rewrite module isn't right), there are 
easier ways to accomplish mutating the username if you need to do that, 
which you don't because you can just use %{mschap:User-Name} and it'll 
do it for you (as well as being more obvious IMHO)


 Right now if i join a machine to the samba domain I have created, it
 automatically is imported into edirectory and named machinename$.
 The article is not complete so I am really not sure if the machine is

I'm not familiar with eDir so can't say.

Is it working for you now? If not, post a debug and someone can probably 
suggest what needs changing.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang conditionals

2011-05-16 Thread Phil Mayers

On 16/05/11 15:37, d...@hotmail.com wrote:

Hello... This is probably a very silly issue. I have the following on my
default file:

update control {
        Tmp-String-0 = "%{sql:select a from paq where CallingStationId='%{Calling-Station-Id}'}"
        Tmp-String-5 = "%{sql:select b from paq where CallingStationId='%{Calling-Station-Id}'}"
}
if (control:Tmp-String-0  control:Tmp-String-5) {  }

On the radius logs I see the following:

expand: %{sql:select a from paq where CallingStationId='%{Calling-Station-Id}'} -> 693492
expand: %{sql:select b from paq where CallingStationId='%{Calling-Station-Id}'}' -> 174080
++[control]  returns ok


Maybe you want Tmp-Integer-X?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: attrs.pre-proxy in V2

2011-05-16 Thread Steve Brown
Hi Alan,

Thanks for the details.

On 16/05/11 16:03, Alan DeKok wrote:

 the Framed-IP-Address to the first three quads for a particular realm

   You can't really do that.  IP addresses have 4 octets...

Yes I know, this is a proxy only and the home server has specifically requested
we do this...


   My $0.02 is to put the truncated value into a separate attribute, then
 add the final octet to that when you create the Framed-IP-Address.


Sure, but I actually _want_ to send only the first 3 octets... Is that even
possible?

Steve
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP: More than one searchfilter

2011-05-16 Thread Frank Ranner
How about (|(uid=%{user-name})(uid=%{user-name}$)) 

You may need to escape the $

On 16/05/2011, at 5:06 PM, Alexandros Gougousoudis 
gougousoudis-l...@servicecenter-khs.de wrote:

 Hi,
 
 just one other question, how is it possible to have (or control) more than
 one filter in the ldap module? I use our LDAP to have access via PEAP or
 EAP-TLS, this works, thanks to this list.
 
 The problem now is, that workstations are stored as WORKSTATIONNAME$ (with a
 $ at the end, thanks to Samba) and the user is stored with its username.
 Unfortunately, the workstations come in their Radius-Request without the $
 sign, just the name. So if I want to look up a workstation name I have to add a
 $ sign to every request, or LDAP won't find it. Otherwise the $ shouldn't
 be added while looking for a username.
 
 Is there an idea how to control the ldap filter for this?
 
 TIA
 Alex
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pam_auth_radius

2011-05-16 Thread acarwile
To help others (like us) who hit this issue...

R. Marc posted:
 Yeah, figured that; just trying to figure out why.
 and yes, it's sshd:
 
 # strings /usr/sbin/sshd | grep INC
 INCORRECT
 
As a suggestion, if there are 5-6 pieces of software involved in
  authentication, don't immediately jump to blaming the PAM radius module.
 
 Not blaming, just trying to solve a problem.

In our case, sshd_config had an AllowUsers blah directive to allow only
one specific user to login via SSH.  For a different username, that
directive causes the otherwise correct password to be changed to the value
INCORRECT.  That is then passed on to the PAM module and pam_auth_radius
sends that INCORRECT password to the RADIUS server, which appropriately
denies access.

Removing the AllowUsers line allowed ssh logins to succeed in the
appropriate cases.  If you make the same change, but wish to block some
users (e.g., root) from ssh login, be sure to verify that behavior.  In our
case no further changes were needed.

Alan Carwile


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/pam-auth-radius-tp3388722p4400923.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang conditionals

2011-05-16 Thread d...@hotmail.com
I found out after checking other posts that the correct syntax of the IF
should be as follows:

if (%{control:Tmp-String-0}   %{control:Tmp-String-5} ) {  } 


this is working now for me.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/unlang-conditionals-tp4400590p4401011.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
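An added illustration of why Phil pointed at Tmp-Integer-X rather than the Tmp-String version that the poster eventually got working (this is not code from the thread): two Tmp-String values compare as text, character by character, so a threshold check on numbers of different widths can give the wrong answer in either direction. Reading the two SQL columns as "used" and "limit" is an assumption made for the example; the first pair of values is the one in the thread's debug output, the other pairs are constructed.

```python
"""Text versus numeric comparison of two values pulled in with %{sql:...}.

Added example for the 'unlang conditionals' exchange above, not code from
the thread. The two functions model how a pair of Tmp-String attributes
and a pair of Tmp-Integer attributes compare. The 'used versus limit'
reading of the columns is an assumption; only the first value pair comes
from the thread's debug output, the rest are constructed.
"""


def exceeds_as_string(used: str, limit: str) -> bool:
    """What two Tmp-String values do: compare character by character."""
    return used > limit


def exceeds_as_integer(used: str, limit: str) -> bool:
    """What two Tmp-Integer values do: compare as numbers."""
    return int(used) > int(limit)


def divergent_cases(pairs):
    """Return (used, limit, outcome) for every pair where the two comparisons
    disagree. 'fail-open' means the number really is over the limit but the
    text comparison says it is not; 'fail-closed' is the reverse."""
    result = []
    for used, limit in pairs:
        as_text = exceeds_as_string(used, limit)
        as_number = exceeds_as_integer(used, limit)
        if as_text != as_number:
            outcome = "fail-open" if as_number and not as_text else "fail-closed"
            result.append((used, limit, outcome))
    return result


SAMPLE_PAIRS = [
    ("693492", "174080"),  # from the thread's debug output; equal width, both agree
    ("100", "99"),         # constructed: over the limit, but "1" sorts before "9"
    ("9", "10"),           # constructed: under the limit, but "9" sorts after "1"
]


if __name__ == "__main__":
    for used, limit, outcome in divergent_cases(SAMPLE_PAIRS):
        print(f"used={used} limit={limit}: text comparison would {outcome}")
```

The thread's own values happen to agree under both rules only because they have the same number of digits; an authorization check that must hold for any value should compare as integers.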


Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-16 Thread John Center

Hi John,

Just to chime in, I find all of the comments in radiusd.conf, etc.
distracting & overwhelming.  I strip out the comments from the files I'm
using - usually to find out how simple the configuration really is.
When I'm missing something, I refer back to the original files & look up
the relevant comment entry.  I would prefer all of the comments be
assembled into straightforward documentation, using examples for the
appropriate configuration sections.


My 2 cents, as we say...

-John


On 05/16/2011 11:20 AM, John Dennis wrote:

On 05/16/2011 10:13 AM, Alexandros Gougousoudis wrote:

Phil, I also understand a lot of things and I can read, but the
documentation of FR is not ideal. I've googled around, looked at examples
and had more questions than before. Where are all these features
documented, like the if-then things in the conf, all the keywords like
ok=return and so on, what's the difference between Autz-Type and
Auth-Type? The only thing to get help is here on the list; on the net
you find a lot of info on FR 1.1 and 2 (one is deployingradius and one the
FR site), sites containing a little bit of information, not much more than
the conf files coming with the FR archive. I'm not complaining, because
it's an open source project, but you should note that it's sometimes not
the lack of understanding but the lack of well documented features. And
if I can't find the info I need in the docs, I start to try things out.


+1

I have to agree, the lack of comprehensive documentation, including an
overview of concepts and the flow of operations is the greatest
impediment to the success of FreeRADIUS as an open source project. The
power and flexibility of FreeRADIUS is awesome, Alan and the other
developers have done a wonderful job of providing the open source
community with a fantastic piece of critical software. They have
excelled at constant innovation and timely bug fixes. The response on
the mailing is exceptional.

But all these positive attributes are sometimes negated by the
difficulty of understanding the system. Many justifiably feel
configuring FreeRADIUS is a black art. It's often been pointed out that
config files, doc directory and the wiki contains all you need to know.
There is a modicum of truth in that. But the reality is it's very
difficult to locate, extract, interpret and interpolate the missing
pieces to form a functioning mental model in order to accomplish a
specific deployment task.

I've worked with FreeRADIUS for a while now and I'm still confounded by
things I don't know, incorrect expectations of behavior (e.g. != does
not work for group testing). There are things which as far as I can tell
are simply not documented. Just last week I had to help someone who was
frustrated by the inability to add attributes to successfully proxied
Auth-Accept's using a users file. By reading the source I found the
postproxy_users_file config, as far as I could tell this is completely
undocumented. When it comes to supporting users "Use the source Luke"
isn't viable.

I'd like to suggest the next most important task item for the team is not
the 3.0 release, it's not any change to the code base. Rather the single
most important task is producing comprehensive documentation collected in a
single location augmented with cookbook examples of how to solve common
deployment problems.

I'll wager the time spent on this list answering questions will greatly
diminish thus providing free time for feature enhancements and bug
fixes. I'm also concerned at the obvious frustration expressed countless
times on this list where folks have spent days, weeks, or in some cases
months beating their heads against the wall in frustration. There will
be a tipping point at some point in the future where that frustration
will doom the project as it gets replaced by an alternative or forked.
I've been in open source long enough to have seen this scenario play out
multiple times.

Just my 2 cents, worth what you paid for it :-) I'll now return you to
your regular scheduled programming :-)

And in case you missed it above, Alan and everyone else have done a
wonderful job and provided a fantastic service to the community. All I'm
suggesting here is the task priorities need to be tweaked a bit.

P.S.:

One thing which has been lacking in the project is a public list of the
project team. One might make the assumption Alan is the sole
contributor, if so then that's truly amazing. But I'm going to guess
others are involved. We would like to thank them as well and perhaps
have some more insight into the project's organization. At best all I've
been able to do is intuit based on reading this list and the dev list
over an extended period that some list participants seem to have such an
extensive knowledge it suggests to me they must be on the development
team, either that or just like myself they've spent a lot of time
reading the source code out of necessity. Questions like, what is the
project's timeline, what is upcoming in new 

Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-16 Thread Arran Cudbard-Bell
John,

I believe Alan started a project to try and improve documentation in May last 
year. A few documents were converted RST format, but I don't think it was ever 
completed.

I'm going to suggest the same thing I did back then. Add RST support to the 
Wiki, setup a well defined documentation structure (as in these are the 
subjects and example configurations that should be covered), and then roll page 
exports from the wiki into the documentation that 'ships' with FreeRADIUS.

There's so much to document that it needs to be a collaborative effort.

-Arran


Arran Cudbard-Bell
RM-RF Limited - Security consultation and contracting
VoIP: +1 916-436-1352 Cell: +44 7854041841





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-16 Thread John Dennis

On 05/16/2011 02:20 PM, Arran Cudbard-Bell wrote:

John,

I believe Alan started a project to try and improve documentation in
May last year. A few documents were converted RST format, but I don't
think it was ever completed.

I'm going to suggest the same thing I did back then. Add RST support
to the Wiki, setup a well defined documentation structure (as in
these are the subjects and example configurations that should be
covered), and then roll page exports from the wiki into the
documentation that 'ships' with FreeRADIUS.

There's so much to document that it needs to be a collaborative
effort.


Sounds like a fine plan to me. I do recall the documentation effort from 
last year. But the various promises of documentation seem to wither on 
the vine, the effort you cite is a perfect example. Maybe Alan's book is 
the answer, but that's been promised for a long time too. My basic take 
this is the classic developer's dilemma, developers want to write code, 
not documentation. When time allocation occurs the choice is to write 
code and defer the doc. But doc must get done, it needs an owner who is 
going to own the task and get it done.


FWIW, I constantly get complaints about the difficulty of using 
FreeRADIUS and the lack of usable documentation. Only last week this 
reached all the way to my manager who had to intervene and assert this 
is an upstream project issue and not something Red Hat can fix. Sorry, 
just being the messenger, just trying to ultimately help by saying there 
is a pain point and not sweep it under the rug.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-16 Thread Gary Gatten
If I knew more about it I would take my time to write some ... examples, use 
cases, case studies, whatever.  But, I can barely get by - each time I think I 
understand something it turns out I really don't.  I don't want to spread bad 
info so I say nothing - usually :)

IMHO a good starting point would be a single point of all authorized
documentation: freeradius.org, Wiki, don't care - but it's frustrating when you
find doc that seems legit that conflicts with other doc that also seems legit.
The single source of info then needs to have whatever is there vetted by those
that actually KNOW what's what and kept current.

Unfortunately most people don't understand the details of PEAP, *CHAP, GTC,
certs, etc. so they simply follow instructions verbatim.  If those instructions
are wrong, skip some steps, or even have basic typos: it will lead to a lot
of frustration not only to the novice user, but the smart people on here that
constantly address the same simple issues.

I will step up to the plate and offer up a standard format for a Recipe.  I
will pick an easy deployment scenario - such as: "How do I configure FR to
authenticate VTY access to my Cisco gear using AD on the backend, and users
must be a member of GroupX"

I'm sure I will get some things wrong, but perhaps we can at least settle on 
a common template/format which will at least help moving forward.

-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of John Dennis
Sent: Monday, May 16, 2011 1:52 PM
To: FreeRadius users mailing list
Subject: Re: documentation and project organization (Was: Using LDAP with 
EAP-TLS)

On 05/16/2011 02:20 PM, Arran Cudbard-Bell wrote:
 John,

 I believe Alan started a project to try and improve documentation in
 May last year. A few documents were converted RST format, but I don't
 think it was ever completed.

 I'm going to suggest the same thing I did back then. Add RST support
 to the Wiki, setup a well defined documentation structure (as in
 these are the subjects and example configurations that should be
 covered), and then roll page exports from the wiki into the
 documentation that 'ships' with FreeRADIUS.

 There's so much to document that it needs to be a collaborative
 effort.

Sounds like a fine plan to me. I do recall the documentation effort from 
last year. But the various promises of documentation seem to wither on 
the vine, the effort you cite is a perfect example. Maybe Alan's book is 
the answer, but that's been promised for a long time too. My basic take 
this is the classic developer's dilemma, developers want to write code, 
not documentation. When time allocation occurs the choice is to write 
code and defer the doc. But doc must get done, it needs an owner who is 
going to own the task and get it done.

FWIW, I constantly get complaints about the difficulty of using 
FreeRADIUS and the lack of usable documentation. Only last week this 
reached all the way to my manager who had to intervene and assert this 
is an upstream project issue and not something Red Hat can fix. Sorry, 
just being the messenger, just trying to ultimately help by saying there 
is a pain point and not sweep it under the rug.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: attrs.pre-proxy in V2

2011-05-16 Thread Alan DeKok
Steve Brown wrote:
 Sure, but I actually _want_ to send only the first 3 octets... Is that even
 possible?

  No.  IP addresses have 4 octets.

  You can set the fourth octet to zero.  *Nothing* else is possible.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-16 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 I believe Alan started a project to try and improve documentation in May last 
 year. A few documents were converted RST format, but I don't think it was 
 ever completed.

  I received a number of patches from one person, a few from another one
or two, and nothing else.

  I've been saying for ~10 years that this is a community effort.  I'd
*like* additional documentation, but I don't get paid to write it.  I
get paid to write code.

  The community has spoken: documentation isn't important enough.

  I'd like to change that, but I'm busy.

 I'm going to suggest the same thing I did back then. Add RST support to the 
 Wiki, setup a well defined documentation structure (as in these are the 
 subjects and example configurations that should be covered), and then roll 
 page exports from the wiki into the documentation that 'ships' with 
 FreeRADIUS.

  My $0.02 is that we should use github.  They now support git-backed
Wikis, which use markdown.  It's close enough, and has a lot of benefits.

  But it requires converting the existing Wiki pages.  I'm not inclined
to do it, as I have too many other things to do.

 There's so much to document that it needs to be a collaborative effort.

  It's not hard.  Read the comments in the config files, and write a
document summarizing them.  Add one or two simple examples.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-16 Thread Alan DeKok
John Dennis wrote:
 Sounds like a fine plan to me. I do recall the documentation effort from
 last year. But the various promises of documentation seem to wither on
 the vine, the effort you cite is a perfect example. Maybe Alan's book is
 the answer, but that's been promised for a long time too.

  I had planned on finishing it this spring.  I got busy, in a "you
don't want to know" kind of way.

 FWIW, I constantly get complaints about the difficulty of using
 FreeRADIUS and the lack of usable documentation. Only last week this
 reached all the way to my manager who had to intervene and assert this
 is an upstream project issue and not something Red Hat can fix. Sorry,
 just being the messenger, just trying to ultimately help by saying there
 is a pain point and not sweep it under the rug.

  If the customers care, refer them to me.  If it's a priority for them,
someone can be found to do the work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-16 Thread Alan DeKok
Gary Gatten wrote:
 I will step up to the plate and offer up a standard format for a Recipe.  I 
 will pick an easy deployment scenario - such as: How do I configure FR to 
 authenticate VTY access to my Cisco gear using AD on the backend, and users 
 must be a member of GroupX

  That's configuring 4 things at once... people will find it useful, but
my worry is that it's too specific.

 I'm sure I will get some things wrong, but perhaps we can at least settle 
 on a common template/format which will at least help moving forward.

  A template recipe sounds like a wonderful idea.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-16 Thread Alan DeKok
John Center wrote:
 Just to chime in, I find all of the comments in radiusd.conf, etc.
 distracting & overwhelming.  I strip out the comments from the files I'm
 using - usually to find out how simple the configuration really is. When
 I'm missing something, I refer back to the original files & look up the
 relevant comment entry.  I would prefer all of the comments be assembled
 into straightforward documentation, using examples for the appropriate
 configuration sections.

  Sure.  Submit a patch.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-16 Thread Alan DeKok
John Dennis wrote:
 But all these positive attributes are sometimes negated by the
 difficulty of understanding the system. Many justifiably feel
 configuring FreeRADIUS is a black art. It's often been pointed out that
 config files, doc directory and the wiki contains all you need to know.
 There is a modicum of truth in that. But the reality is it's very
 difficult to locate, extract, interpret and interpolate the missing
 pieces to form a functioning mental model in order to accomplish a
 specific deployment task.

  Yup.

 I've worked with FreeRADIUS for a while now and I'm still confounded by
 things I don't know, incorrect expectations of behavior (e.g. != does
 not work for group testing). There are things which as far as I can tell
 are simply not documented.

  Oh yes, lots.

 Just last week I had to help someone who was
 frustrated by the inability to add attributes to successfully proxied
 Auth-Accept's using a users file. By reading the source I found the
 postproxy_users_file config, as far as I could tell this is completely
 undocumented. When it comes to supporting users "Use the source Luke"
 isn't viable.

  Yes, well... there isn't much to argue with there.

 I'd like to suggest the next most important task item for the team is not
 the 3.0 release, it's not any change to the code base. Rather the single
 most important task is producing comprehensive documentation collected in a
 single location augmented with cookbook examples of how to solve common
 deployment problems.

  Sure.  Except that 3.0 is pretty much ready now.

 I'll wager the time spent on this list answering questions will greatly
 diminish thus providing free time for feature enhancements and bug
 fixes.

  For me, time on the list is 30 seconds in between other work.  i.e.
wait for compile: answer post.  It's really quite minimal, despite the
volume of messages I send.

 I'm also concerned at the obvious frustration expressed countless
 times on this list where folks have spent days, weeks, or in some cases
 months beating their heads against the wall in frustration. There will
 be a tipping point at some point in the future where that frustration
 will doom the project as it gets replaced by an alternative or forked.
 I've been in open source long enough to have seen this scenario play out
 multiple times.

  The level of frustration has diminished significantly with 2.0, and
again with 2.1.  The default configurations just work, and the debug
messages have been improved to the point where mere mortals can
understand them.

 One thing which has been lacking in the project is a public list of the
 project team. One might make the assumption Alan is the sole
 contributor, if so then that's truly amazing.

  Look at github.  The only person other than me who's had meaningful
contributions in the last 2 years is Phil Mayers.  Many other authors
listed (e.g. Dante) are contractual obligations, implemented by me.

 But I'm going to guess
 others are involved. We would like to thank them as well and perhaps
 have some more insight into the project's organization. At best all I've
 been able to do is intuit based on reading this list and the dev list
 over an extended period that some list participants seem to have such an
 extensive knowledge it suggests to me they must be on the development
 team, either that or just like myself they've spent a lot of time
 reading the source code out of necessity.

  There are a number of people who run multiple RADIUS servers (machines
& products) for their living.  They're familiar with pretty much
everything.  We're all in their debt for answers, docs, bug reports, bug
fixes, etc.

 Questions like, what is the
 project's timeline, what is upcoming in new releases, what is the
 anticipated release schedule, how is the project organized, who are
 significant players and what are their roles are information usually
 published by open source projects but have been missing (maybe just
 another example of missing documentation?).

  Project timeline: whenever

  What's upcoming: see doc/ChangeLog in git.

  release schedule: usually every 3-4 months

  organization / people / roles:
code: Alan
mgmt: Alan
docs: Alan
web site: Alan
releases: Alan
bug fixes: Alan
Wiki: Peter Nixon

  Sense a theme?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AD Authentication + radius + foundryAP

2011-05-16 Thread Mark Pipkin
 = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = yes
  }
 Module: Instantiating ntdomain
  realm ntdomain {
format = prefix
delimiter = \
ignore_default = no
ignore_null = yes
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
usersfile = /etc/freeradius/users
acctusersfile = /etc/freeradius/acct_users
preproxy_usersfile = /etc/freeradius/preproxy_users
compat = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
filename = /var/log/freeradius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
attrsfile = /etc/freeradius/attrs.access_reject
key = %{User-Name}
  }
 } # modules
} # server
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pam
 Module: Instantiating pam
  pam {
pam_auth = radiusd
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating auth_log
  detail auth_log {
detailfile = 
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating detail
  detail {
detailfile = 
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = /var/log/freeradius/radwtmp
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
attrsfile = /etc/freeradius/attrs.accounting_response
key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 1812
}
listen {
type = acct
ipaddr = *
port = 1813
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.

rad_recv: Access-Request packet from host 192.168.103.10 port 32890, id=83, 
length=158
User-Name = ATL\\user
NAS-IP-Address = 192.168.103.10
NAS-Port = 6145
Called-Station-Id = 00-90-0B-0A-81-96:radtest
Calling-Station-Id = 00-26-C7-6F-FF-64
Framed-MTU = 900
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 802.11g
EAP-Message = 0x020100110141544c5c7069706b696e5f6d
Message-Authenticator = 0xf18704d104d0322078509df754b74003
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.103.10/auth-detail-20110516
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.103.10/auth-detail-20110516
[auth_log]  expand: %t -> Mon May 16 15:28:41 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm ATL for User-Name = ATL\user
[ntdomain] No such realm ATL
++[ntdomain] returns noop
[eap] EAP packet type response id 1 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap

RE: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-16 Thread Gary Gatten
Good point about configuring multiple things at once - but that is a recipe - 
right? Several ingredients that make a tasty cake?

I think it would be a pretty common deployment scenario: lots of people have 
Cisco and AD, and want to auth their Cisco admins / VTY access against AD.  We 
used this exact scenario as a basic starting point with FR (and I've noticed 
others on here do the same) before moving on to more complicated setups.

I probably should doc some stuff for internal use regardless, so even if no 
one else finds it useful it won't be a waste of time.

G
 

-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Monday, May 16, 2011 2:31 PM
To: FreeRadius users mailing list
Subject: Re: documentation and project organization (Was: Using LDAP with 
EAP-TLS)

Gary Gatten wrote:
 I will step up to the plate and offer up a standard format for a Recipe.  I 
 will pick an easy deployment scenario - such as: How do I configure FR to 
 authenticate VTY access to my Cisco gear using AD on the backend, and users 
 must be a member of GroupX

  That's configuring 4 things at once... people will find it useful, but
my worry is that it's too specific.

 I'm sure I will get some things wrong, but perhaps we can at least settle 
 on a common template/format which will at least help moving forward.

  A template recipe sounds like a wonderful idea.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-16 Thread John Dennis

On 05/16/2011 03:41 PM, Alan DeKok wrote:

   organization / people / roles:
code: Alan
mgmt: Alan
docs: Alan
web site: Alan
releases: Alan
bug fixes: Alan
Wiki: Peter Nixon

   Sense a theme?


I do see a theme but I also see a problem. FreeRADIUS has gotten big 
enough that 1 person, even one as amazing as you are, can't do it all. I 
humbly suggest you try to offload some of the work by running this as a 
project and having a team. You can delegate responsibilities, coordinate 
and still have a significant architectural and coding role. Plus you get 
the added benefit of being Benevolent Dictator for Life of FreeRADIUS 
(http://en.wikipedia.org/wiki/Benevolent_Dictator_For_Life)


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-16 Thread Alan DeKok
John Dennis wrote:
 I do see a theme but I also see a problem. FreeRADIUS has gotten big
 enough that 1 person, even one as amazing as you are, can't do it all. I
 humbly suggest you try to offload some of the work by running this as a
 project and having a team.

  Sure.  Volunteers?

  It was run as a team for a while.  The main team members gradually got
busy doing other things.

 You can delegate responsibilities, coordinate
 and still have a significant architectural and coding role.

  Sure.  Using git means that delegation is much less of an issue,
though.  Simply fork FreeRADIUS using github, write patches, and submit
them.  That's how all of the recent third-party patches have gone in.

  Again: look at the track record.  Pretty much any interesting new
feature, or patch or bugfix gets added.  But the volume of such
submissions is pretty low.

  There's no need to volunteer, or to take on a role.  Just do the work,
and the title will come automatically.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


variable string replace (i presume using UNLANG?)

2011-05-16 Thread Steve Staples
Hi all,

I am looking to replace a string, before sending the query off to sql...

right now, it is %{SQL-User-Name} (sql_user_name = %{User-Name}
), but the value is going to be like:
mppp%sstap...@domain.com 

and i want to remove the mppp% (which will always be prefixed, or not
exist) so that the variable only is
sstap...@domain.com

Is that easy to do?  I have searched the docs, but came up empty (sorry
if it has been discussed already... just didnt find it)

I could always write it in the query to replace the string:
SELECT REPLACE('mppp%sstap...@domain.com', 'mppp%', '');
but not sure if that is the most efficient way to do it?

Thanks in advance.

Steve.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
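An added example, not from the post above and not FreeRADIUS's own configuration, of doing the strip in unlang before the sql module runs rather than inside the query. It assumes FreeRADIUS 2.x unlang syntax and the stock sql.conf, whose default sql_user_name prefers Stripped-User-Name over User-Name, so setting Stripped-User-Name from a regex capture is enough for %{SQL-User-Name} to carry the name without the prefix; the "mppp%" prefix and the sample address are taken from the post. If sql_user_name has been changed locally, point it at %{Stripped-User-Name} explicitly.

```unlang
# Added example (assumes FreeRADIUS 2.x): put this in the authorize { ... }
# section of the virtual server, before the line that calls sql.
#
# If User-Name starts with the literal prefix "mppp%", keep only what follows
# it.  The "%" is written as a character class so that it cannot be taken as
# the start of an xlat expansion.  Names without the prefix do not match and
# are left untouched, which is what the post asks for.
if (User-Name =~ /^mppp[%](.+)$/) {
	update request {
		Stripped-User-Name := "%{1}"
	}
}
# With the default
#   sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
# the sql module now sees "sstap...@domain.com" for a prefixed login and the
# unchanged User-Name for everyone else.
```

Doing the normalisation here rather than in SQL keeps the query free of string surgery and also makes the stripped name available to any other module in the request, for example for logging or group lookups.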