multiple ldap freeradius ssid
Hi, I have a question. I have already read how to do this, but I'm not sure whether it works! So, what do I want? I have 2 SSIDs: students, and another one, staff. I want to have two LDAP instances for authenticating my users. In /modules/ldap I have set ldap students { some stuff } and ldap staff { some stuff }. But now, what do I need to do? My access point is Aruba. I can use the value Aruba-Essid-Name to choose which instance I need to use. In /sites-available/inner-tunnel, what do I need to do? Something like this?

    if (Aruba-Essid-Name == students) {
        students
    }
    else {
        staff
    }

Thanks for your reply, and sorry for my English, I'm French ;)

--
View this message in context: http://freeradius.1045715.n5.nabble.com/multuple-ldap-freeradius-ssid-tp4399529p4399529.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Renaming during Machine Authentication
On 05/16/2011 01:03 AM, Mark Jones wrote:
> Hi Phil, thanks for answering. I am trying to authenticate the machines on bootup. I have an eDir backend and am following this Cool Solutions article, which is fairly old: http://www.novell.com/coolsolutions/feature/17044.html In it they talk about attr_rewrite but use it in the radiusd.conf file, which in my limited knowledge of FreeRADIUS I think is an older way of doing it.

Yeah, don't do it that way. Aside from the config in the article being subtly wrong (the regexp in the 2nd rewrite module isn't right), there are easier ways to accomplish mutating the username if you need to do that, which you don't, because you can just use %{mschap:User-Name} and it'll do it for you (as well as being more obvious IMHO).

> Right now if I join a machine to the Samba domain I have created, it automatically is imported into eDirectory and named machinename$. The article is not complete so I am really not sure if the machine is

I'm not familiar with eDir so can't say. Is it working for you now? If not, post a debug and someone can probably suggest what needs changing.
Re: multiple ldap freeradius ssid
seb2020 <girard@gmail.com> wrote:
> I have a question. I have already read how to do this, but I'm not sure whether it works! So, what do I want? I have 2 SSIDs: students, and another one, staff. I want to have two LDAP instances for authenticating my users.

You really do *not* want to do this. Have both the staff and students connect to the same SSID (for example 'eduroam') and use your RADIUS server to use an LDAP group check (or username style) to find out how to treat them. For example, place them into a different VLAN.

> In /modules/ldap I have set ldap students { some stuff } and ldap staff { some stuff }. But now, what do I need to do? My access point is Aruba. I can use the value Aruba-Essid-Name to choose which instance I need to use. In /sites-available/inner-tunnel, what do I need to do? Something like this?

FreeRADIUS is (was?) a bit picky about how the if/else layout is, so you need:

    if (Aruba-Essid-Name == students) {
        ...students...
    }
    else {
        ...staff...
    }

I *strongly* recommend you go with the single SSID and use RADIUS in the background; getting everyone at a later date to move to a different SSID is a real pain.

> Thanks for your reply, and sorry for my English, I'm French ;)

We forgive you... ;)

Cheers

--
Alexander Clouter
.sigmonster says: A modem is a baudy house.
Re: multiple ldap freeradius ssid
Thanks for your reply! I will do what you tell me! I will make one SSID and check the group of my user via the OU of the user. My user is, for example: user.group.locality.tree. How can I retrieve the group of my user? And this check, do I need to put it in the file /sites-available/inner-tunnel?

- From Switzerland
Re: multiple ldap freeradius ssid
Thanks for your reply! I will do what you tell me! I will make one SSID and check the group of my user via the OU of the user. My user is, for example: user.group.locality.tree. How can I retrieve the number of letters in my login name? And this check, do I need to put it in the file /sites-available/inner-tunnel? With something like this? But how can I retrieve the length of the username with this code? Use a regex?

modules/ldap:

    ldap {
        basedn = "ou=%{Tmp-String-0},o=XXX"
        ...
    }

sites-available/...:

    authorize {
        if (username has 3 letters) {
            update request {
                Tmp-String-0 = "ou=xx,ou=xx"
            }
        }
        elsif (username has 8 letters) {
            update request {
                Tmp-String-0 = "ou=xx,ou=xx"
            }
        }
    }

Finally, I want to put my students in the VLAN students, and the staff in the VLAN staff.

- From Switzerland
Using LDAP with EAP-TLS
Hi,

I'm trying to make FR 2.1.10 on Squeeze work with my LDAP installation. What I want to do is host-based authentication for my workstations. All the names of the workstations are in LDAP; the authentication itself should be done with EAP-TLS. I would like a hint on how to start EAP when the LDAP query has succeeded.

The LDAP query works, I think. FR says "[ldap] user scit-beerchen authorized to use remote access", but then it tries to do some kind of password authentication (I have no password for workstations in LDAP) and does not start EAP-TLS. The asking host scit-beerchen is in the WLAN-User group. What could I do? Please have a look at my debug output:

rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139
	User-Name = scit-beerchen
	NAS-IP-Address = 10.48.244.28
	Called-Station-Id = 0016b64f44cc
	Calling-Station-Id = 002268c63ff2
	NAS-Identifier = 0016b64f44cc
	NAS-Port = 11
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x021201736369742d626565726368656e
	Message-Authenticator = 0x12969f7ffa42f57be53a54474c1274be
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = scit-beerchen, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = scit-beerchen, looking up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap] 	expand: %{Stripped-User-Name} ->
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> scit-beerchen
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen)
[ldap] 	expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to physalis:389, authentication 0
[ldap] bind as / to physalis:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user scit-beerchen authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
[ntlm_auth] 	expand: --username=%{mschap:User-Name} -> --username=scit-beerchen
[ntlm_auth] 	expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> scit-beerchen
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139
Cleaning up request 0 ID 0 with timestamp +1034
	User-Name = scit-beerchen
	NAS-IP-Address = 10.48.244.28
	Called-Station-Id = 0016b64f44cc
	Calling-Station-Id = 002268c63ff2
	NAS-Identifier = 0016b64f44cc
	NAS-Port = 11
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x021201736369742d626565726368656e
	Message-Authenticator = 0x11c70e19e2f1150428f5cc12d535e57b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = scit-beerchen, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = scit-beerchen, looking up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files]
Re: Using LDAP with EAP-TLS
On 16/05/11 13:32, Alexandros Gougousoudis wrote:
> Hi, I'm trying to make FR 2.1.10 on Squeeze work with my LDAP installation. What I want to do is host-based authentication for my workstations. All the names of the workstations are in LDAP; the authentication itself should be done with EAP-TLS. I would like a hint on how to start EAP when the LDAP query has succeeded. The LDAP query works, I think. FR says "[ldap] user scit-beerchen authorized to use remote access", but then it tries to do some kind of password authentication (I have no password for workstations in LDAP) and does not start EAP-TLS. The asking host scit-beerchen is in the WLAN-User group. What could I do?

The reason it's failing is nothing to do with LDAP. It's because you've added a module "ntlm_auth" to the authorize section:

    [ntlm_auth] 	expand: --username=%{mschap:User-Name} -> --username=scit-beerchen
    [ntlm_auth] 	expand: --password=%{User-Password} -> --password=
    Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
    Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
    Exec-Program: returned: 1
    ++[ntlm_auth] returns reject
    Using Post-Auth-Type Reject

You've broken the default configs by adding in modules you don't need and don't understand. Go back to the default configs. Then *just* configure LDAP, and things will work.
Re: Using LDAP with EAP-TLS
Alexandros Gougousoudis wrote:
> A host-based authentication for my workstations. All the names of the workstations are in LDAP; the authentication itself should be done with EAP-TLS. I would like a hint on how to start EAP when the LDAP query has succeeded.

You don't. Instead, do reject the user if the LDAP query failed.

> The LDAP query works, I think. FR says "[ldap] user scit-beerchen authorized to use remote access", but then it tries to do some kind of password authentication (I have no password for workstations in LDAP) and does not start EAP-TLS. The asking host scit-beerchen is in the WLAN-User group. What could I do?

Read the debug log you posted to the list. You're forcing Auth-Type, and using ntlm_auth for EAP-TLS. This is wrong. Don't force Auth-Type.

Alan DeKok.
Re: multiple ldap freeradius ssid
seb2020 <girard@gmail.com> wrote:
> I will do what you tell me! I will make one SSID and check the group of my user via the OU of the user. My user is, for example: user.group.locality.tree. How can I retrieve the number of letters in my login name? And this check, do I need to put it in the file /sites-available/inner-tunnel? With something like this? But how can I retrieve the length of the username with this code? Use a regex?
>
> modules/ldap:
>
>     ldap {
>         basedn = "ou=%{Tmp-String-0},o=XXX"
>         ...
>     }
>
> sites-available/...:
>
>     authorize {
>         if (username has 3 letters) {
>             update request {
>                 Tmp-String-0 = "ou=xx,ou=xx"
>             }
>         }
>         elsif (username has 8 letters) {
>             update request {
>                 Tmp-String-0 = "ou=xx,ou=xx"
>             }
>         }
>     }

That's not going to work too great; it's also horrible :)

If you do not have the option to use 'Ldap-Group' (you should be able to use LDAP groups; otherwise, why are you using LDAP?) to test group membership, then you will need to use something like what's below.

> Finally, I want to put my students in the VLAN students, and the staff in the VLAN staff.

The 'RFC' way to do it is to add something like the following to your post-auth{} section ('authorize'/'authenticate' will Reject invalid users):

    # defaults
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := unauthorised
        Termination-Action := RADIUS-Request
        Session-Timeout := 300
        Acct-Interim-Interval := 3600
    }

    if (request:User-Name =~ /^.{3}$/) {
        update reply {
            Tunnel-Private-Group-Id := staff
        }
    }
    elsif (request:User-Name =~ /^.{8}$/) {
        update reply {
            Tunnel-Private-Group-Id := student
        }
    }

    if (reply:Tunnel-Private-Group-Id != unauthorised) {
        update reply {
            # Cisco only support a max of 65535
            Session-Timeout := 64800
        }
    }

Aruba might expect something different, so you should check with *them* (remember, this is a FreeRADIUS support mailing list, *not* an Aruba one).

Cheers

--
Alexander Clouter
.sigmonster says: A vivid and creative mind characterizes you.
Re: Using LDAP with EAP-TLS
Hi Phil,

Phil Mayers schrieb:
> You've broken the default configs by adding in modules you don't need and don't understand. Go back to the default configs. Then *just* configure LDAP, and things will work.

That's what I did just now. EAP starts (Ubuntu 10.04, with a cert that works on FR 1.1), but the conversation ends without an Access-OK.

Phil, I also understand a lot of things and I can read, but the documentation of FR is not ideal. I've googled around, looked at examples and had more questions than before. Where are all these features documented, like the if-then things in the conf, all the keywords like ok=return and so on; what's the difference between Autz-Type and Auth-Type? The only place to get help is here on the list; on the net you find a lot of info on FR 1.1 and 2 (one is deployingradius and one the FR site), sites containing a little bit of information, not much more than the conf files coming with the FR archive. I'm not complaining, because it's an open source project, but you should note that it's sometimes not the lack of understanding but the lack of well-documented features. And if I can't find the info I need in the docs, I start to try things out. I added ntlm_auth to authorize requests from NT4 users; I didn't know that this is a no-go. :-)

Here's my debug:

rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139
	User-Name = scit-beerchen
	NAS-IP-Address = 10.48.244.28
	Called-Station-Id = 0016b64f44cc
	Calling-Station-Id = 002268c63ff2
	NAS-Identifier = 0016b64f44cc
	NAS-Port = 11
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x021201736369742d626565726368656e
	Message-Authenticator = 0x651ac911817a87ba89a408f0d94ab4aa
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = scit-beerchen, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = scit-beerchen, looking up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap] 	expand: %{Stripped-User-Name} ->
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> scit-beerchen
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen)
[ldap] 	expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to physalis:389, authentication 0
[ldap] bind as / to physalis:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user scit-beerchen authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.48.244.28 port 3079
	EAP-Message = 0x010100060d20
	Message-Authenticator = 0x
	State = 0xe9291e9ae928135b6c752006f18ad076
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=240
Cleaning up request 0 ID 0 with timestamp +22
WARNING: !!
WARNING: !! EAP session for state 0xe9291e9ae928135b did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
	User-Name = scit-beerchen
	NAS-IP-Address = 10.48.244.28
	Called-Station-Id = 0016b64f44cc
	Calling-Station-Id = 002268c63ff2
	NAS-Identifier = 0016b64f44cc
	NAS-Port = 11
	Framed-MTU = 1400
	State =
Failed to build FR 2.1.10 (64-bit) on Solaris 10 x86
Alan,

I'm unable to build a 64-bit version of FreeRADIUS 2.1.10 on Solaris 10 9/10 s10x_u9wos_14a X86 owing to the following problem. I'm using the latest software from the 2.1.x git repository and gcc version 3.4.3. I've noticed that the 'FNM_FILE_NAME' flag is not declared in the fnmatch.h file on my system, if this helps.

Thanks in advance,
Chris

gcc -m64 -O -g -I/opt/local/include -I/opt/webstack/mysql/include/mysql -Wall -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/export/home/ecl6ch/freeradius-server/src -I/export/home/ecl6ch/freeradius-server/libltdl -c rlm_detail.c -fPIC -DPIC -o .libs/rlm_detail.o
rlm_detail.c: In function `do_detail':
rlm_detail.c:276: warning: comparison between pointer and integer
rlm_detail.c:278: error: `FNM_FILE_NAME' undeclared (first use in this function)
rlm_detail.c:278: error: (Each undeclared identifier is reported only once
rlm_detail.c:278: error: for each function it appears in.)
gmake[6]: *** [rlm_detail.lo] Error 1
gmake[6]: Leaving directory `/export/home/ecl6ch/freeradius-server/src/modules/rlm_detail'
gmake[5]: *** [rlm_detail] Error 2
gmake[5]: Leaving directory `/export/home/ecl6ch/freeradius-server/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/export/home/ecl6ch/freeradius-server/src/modules'
gmake[3]: *** [modules] Error 2
gmake[3]: Leaving directory `/export/home/ecl6ch/freeradius-server/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/export/home/ecl6ch/freeradius-server/src'
gmake[1]: *** [src] Error 2
gmake[1]: Leaving directory `/export/home/ecl6ch/freeradius-server'
gmake: *** [all] Error 2
attrs.pre-proxy in V2
Hi chaps,

I'm slightly confused with the different V2 semantics. I'm trying to truncate the Framed-IP-Address to the first three quads for a particular realm (somerealm below) when a particular attribute contains particular text. In pre-V2, something like this would do the trick:

    somerealm  Some-Attribute == Some,text
               Framed-IP-Address =~ ^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+,
               Framed-IP-Address := `%{1}`,
               Fall-Through = Yes

What would the equivalent rule for V2 be? The above doesn't appear to do what I want.

Steve
Re: Using LDAP with EAP-TLS
Hi Alan,

Alan DeKok schrieb:
> You're forcing Auth-Type, and using ntlm_auth for EAP-TLS. This is wrong. Don't force Auth-Type.

I didn't want that. Now, after kicking out ntlm_auth, things work; even the cert has been accepted. I assume the problem I had was that the time on the RADIUS machine was not synchronised with the network and the WLAN signal was too low. After fixing both, the conversation worked and I got an Access-Accept.

Thanks to you and Phil for the help.

bye
Alex
unlang conditionals
Hello...

This is probably a very silly issue. I have the following in my default file:

    update control {
        Tmp-String-0 = "%{sql:select a from paq where CallingStationId='%{Calling-Station-Id}'}"
        Tmp-String-5 = "%{sql:select b from paq where CallingStationId='%{Calling-Station-Id}'}"
    }

    if (control:Tmp-String-0 control:Tmp-String-5) {
    }

In the radius logs I see the following:

    	expand: %{sql:select a from paq where CallingStationId='%{Calling-Station-Id}'} -> 693492
    	expand: %{sql:select b from paq where CallingStationId='%{Calling-Station-Id}'} -> 174080
    ++[control] returns ok
    ++? if (control:Tmp-String-0 control:Tmp-String-5)
    ? Evaluating (control:Tmp-String-0 control:Tmp-String-5) -> FALSE
    ++? if (control:Tmp-String-0 control:Tmp-String-5) -> FALSE

Why is the condition giving FALSE even though it is already met?

--
View this message in context: http://freeradius.1045715.n5.nabble.com/unlang-conditionals-tp4400590p4400590.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Failed to build FR 2.1.10 (64-bit) on Solaris 10 x86
Chris Howley wrote:
> Alan, I'm unable to build a 64-bit version of FreeRADIUS 2.1.10 on Solaris 10 9/10 s10x_u9wos_14a X86 owing to the following problem. I'm using the latest software from the 2.1.x git repository and gcc version 3.4.3. I've noticed that the 'FNM_FILE_NAME' flag is not declared in the fnmatch.h file on my system, if this helps.

Edit src/include/autoconf.h, and delete the line saying HAVE_FNMATCH.

Then, re-build. But don't do configure again.

Alan DeKok.
Re: attrs.pre-proxy in V2
Steve Brown wrote:
> Hi chaps, I'm slightly confused with the different V2 semantics. I'm trying to truncate the Framed-IP-Address to the first three quads for a particular realm (somerealm below) when a particular attribute contains particular text:

You can't really do that. IP addresses have 4 octets...

My $0.02 is to put the truncated value into a separate attribute, then add the final octet to that when you create the Framed-IP-Address.

> What would the equivalent rule for V2 be? The above doesn't appear to do what I want.

Probably because v2 is pickier: a 3-octet IP address is not valid.

Alan DeKok.
LDAP: More than one searchfilter
Hi,

Just one other question: how is it possible to have (or control) more than one filter in the ldap module? I use our LDAP to grant access via PEAP or EAP-TLS; this works, thanks to this list. The problem now is that workstations are stored as WORKSTATIONNAME$ (with a $ at the end, thanks to Samba) and the user is stored with its username. Unfortunately, the workstations come in their RADIUS request without the $ sign, just the name. So if I want to look up a workstation name I have to add a $ sign to every request, or LDAP won't find it. Otherwise the $ shouldn't be added while looking for a username. Is there an idea how to control the ldap filter for this?

TIA
Alex
documentation and project organization (Was: Using LDAP with EAP-TLS)
On 05/16/2011 10:13 AM, Alexandros Gougousoudis wrote:
> Phil, I also understand a lot of things and I can read, but the documentation of FR is not ideal. I've googled around, looked at examples and had more questions than before. Where are all these features documented, like the if-then things in the conf, all the keywords like ok=return and so on; what's the difference between Autz-Type and Auth-Type? The only place to get help is here on the list; on the net you find a lot of info on FR 1.1 and 2 (one is deployingradius and one the FR site), sites containing a little bit of information, not much more than the conf files coming with the FR archive. I'm not complaining, because it's an open source project, but you should note that it's sometimes not the lack of understanding but the lack of well-documented features. And if I can't find the info I need in the docs, I start to try things out.

+1

I have to agree: the lack of comprehensive documentation, including an overview of concepts and the flow of operations, is the greatest impediment to the success of FreeRADIUS as an open source project.

The power and flexibility of FreeRADIUS is awesome. Alan and the other developers have done a wonderful job of providing the open source community with a fantastic piece of critical software. They have excelled at constant innovation and timely bug fixes. The response on the mailing list is exceptional. But all these positive attributes are sometimes negated by the difficulty of understanding the system. Many justifiably feel configuring FreeRADIUS is a black art.

It's often been pointed out that the config files, the doc directory and the wiki contain all you need to know. There is a modicum of truth in that. But the reality is that it's very difficult to locate, extract, interpret and interpolate the missing pieces to form a functioning mental model in order to accomplish a specific deployment task.

I've worked with FreeRADIUS for a while now and I'm still confounded by things I don't know and incorrect expectations of behavior (e.g. != does not work for group testing). There are things which, as far as I can tell, are simply not documented. Just last week I had to help someone who was frustrated by the inability to add attributes to successfully proxied Access-Accepts using a users file. By reading the source I found the postproxy_users_file config; as far as I could tell this is completely undocumented. When it comes to supporting users, "Use the source, Luke" isn't viable.

I'd like to suggest the next most important task item for the team is not the 3.0 release, and it's not any change to the code base. Rather, the single most important task is producing comprehensive documentation collected in a single location, augmented with cookbook examples of how to solve common deployment problems. I'll wager the time spent on this list answering questions will greatly diminish, thus providing free time for feature enhancements and bug fixes.

I'm also concerned at the obvious frustration expressed countless times on this list, where folks have spent days, weeks, or in some cases months beating their heads against the wall in frustration. There will be a tipping point at some point in the future where that frustration will doom the project as it gets replaced by an alternative or forked. I've been in open source long enough to have seen this scenario play out multiple times.

Just my 2 cents, worth what you paid for it :-)

I'll now return you to your regularly scheduled programming :-)

And in case you missed it above, Alan and everyone else have done a wonderful job and provided a fantastic service to the community. All I'm suggesting here is that the task priorities need to be tweaked a bit.

P.S.: One thing which has been lacking in the project is a public list of the project team. One might make the assumption Alan is the sole contributor; if so, then that's truly amazing. But I'm going to guess others are involved. We would like to thank them as well and perhaps have some more insight into the project's organization. At best, all I've been able to do is intuit, based on reading this list and the dev list over an extended period, that some list participants seem to have such an extensive knowledge that it suggests to me they must be on the development team; either that, or, just like myself, they've spent a lot of time reading the source code out of necessity. Questions like: what is the project's timeline, what is upcoming in new releases, what is the anticipated release schedule, how is the project organized, who are the significant players and what are their roles? This is information usually published by open source projects but it has been missing (maybe just another example of missing documentation?).

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Renaming during Machine Authentication
Thanks Phil. I am out of the office until Thursday, but in my first message I posted the debug from bootup where it fails. Is there more output I need to post later this week?

Mark

Sent from my Blackberry® wireless device

-----Original Message-----
From: Phil Mayers <p.may...@imperial.ac.uk>
To: freeradius-users@lists.freeradius.org
Sent: 5/16/2011 3:01:35 AM
Subject: Re: Renaming during Machine Authentication

> On 05/16/2011 01:03 AM, Mark Jones wrote:
> > Hi Phil, thanks for answering. I am trying to authenticate the machines on bootup. I have an eDir backend and am following this Cool Solutions article, which is fairly old: http://www.novell.com/coolsolutions/feature/17044.html In it they talk about attr_rewrite but use it in the radiusd.conf file, which in my limited knowledge of FreeRADIUS I think is an older way of doing it.
>
> Yeah, don't do it that way. Aside from the config in the article being subtly wrong (the regexp in the 2nd rewrite module isn't right), there are easier ways to accomplish mutating the username if you need to do that, which you don't, because you can just use %{mschap:User-Name} and it'll do it for you (as well as being more obvious IMHO).
>
> > Right now if I join a machine to the Samba domain I have created, it automatically is imported into eDirectory and named machinename$. The article is not complete so I am really not sure if the machine is
>
> I'm not familiar with eDir so can't say. Is it working for you now? If not, post a debug and someone can probably suggest what needs changing.

This communication is intended for the use of the recipient to which it is addressed and may contain confidential, personal and/or privileged information. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
Re: unlang conditionals
On 16/05/11 15:37, d...@hotmail.com wrote:
> Hello... This is probably a very silly issue. I have the following in my default file:
>
>     update control {
>         Tmp-String-0 = "%{sql:select a from paq where CallingStationId='%{Calling-Station-Id}'}"
>         Tmp-String-5 = "%{sql:select b from paq where CallingStationId='%{Calling-Station-Id}'}"
>     }
>     if (control:Tmp-String-0 control:Tmp-String-5) {
>     }
>
> In the radius logs I see the following:
>
>     expand: %{sql:select a from paq where CallingStationId='%{Calling-Station-Id}'} -> 693492
>     expand: %{sql:select b from paq where CallingStationId='%{Calling-Station-Id}'}' -> 174080
>     ++[control] returns ok

Maybe you want Tmp-Integer-X?
Re: attrs.pre-proxy in V2
Hi Alan,

Thanks for the details.

On 16/05/11 16:03, Alan DeKok wrote:
>> the Framed-IP-Address to the first three quads for a particular realm
>
> You can't really do that. IP addresses have 4 octets...

Yes, I know; this is a proxy only and the home server has specifically requested we do this...

> My $0.02 is to put the truncated value into a separate attribute, then add the final octet to that when you create the Framed-IP-Address.

Sure, but I actually _want_ to send only the first 3 octets... Is that even possible?

Steve
Re: LDAP: More than one searchfilter
How about

    (|(uid=%{user-name})(uid=%{user-name}$))

You may need to escape the $.

On 16/05/2011, at 5:06 PM, Alexandros Gougousoudis gougousoudis-l...@servicecenter-khs.de wrote:
> Hi,
>
> just one other question: how is it possible to have (or control) more than one filter in the ldap module? I use our LDAP to have access via PEAP or EAP-TLS; this works, thanks to this list. The problem now is that workstations are stored as WORKSTATIONNAME$ (with a $ at the end, thanks to Samba) and the user is stored with its username. Unfortunately, the workstations come in their RADIUS request without the $ sign, just the name. So if I want to look up a workstation name I have to add a $ sign to every request, or LDAP won't find it. Otherwise the $ shouldn't be added while looking for a username. Is there an idea how to control the ldap filter for this?
>
> TIA
> Alex
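The filter above interpolates `%{user-name}` twice. FreeRADIUS's ldap module escapes values it expands into the filter, but anyone who builds the same filter in their own code has to do that escaping themselves, or an attacker-chosen User-Name such as `*)(uid=*` turns the two-term OR into a match-anything filter. The following is an added example (the editor's Python, not code from the thread or from FreeRADIUS) that builds the `(|(uid=NAME)(uid=NAME$))` filter with RFC 4515 escaping next to the unescaped form and counts the resulting `uid=` terms to show the difference. In the LDAP filter grammar only `*`, `(`, `)`, `\` and NUL need escaping; the trailing `$` is an ordinary character there, so if it needs attention at all it is in the FreeRADIUS config string, which is the reply's point. The `count_uid_terms` check and the sample user names are constructed for this example.

```python
# RFC 4515 section 3: characters that must be escaped inside an assertion
# value, each replaced by a backslash and the two-digit hex code.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value):
    """Escape a string so it can only ever be an assertion value in a filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_name):
    """Match a person (uid=NAME) or a Samba machine account (uid=NAME$), as the
    list reply suggests, with the RADIUS User-Name escaped first. The trailing
    $ is an ordinary character in an LDAP filter and needs no escaping."""
    safe = ldap_escape(user_name)
    return f"(|(uid={safe})(uid={safe}$))"


def build_user_filter_unsafe(user_name):
    """The same filter with the raw value pasted in: the injectable form."""
    return f"(|(uid={user_name})(uid={user_name}$))"


def count_uid_terms(filt):
    """Constructed check for this example: a filter built above has exactly
    two uid= terms. More means the User-Name injected terms of its own."""
    return filt.count("(uid=")


if __name__ == "__main__":
    for name in ("pc01", "*)(uid=*"):          # constructed sample names
        print(build_user_filter_unsafe(name), count_uid_terms(build_user_filter_unsafe(name)))
        print(build_user_filter(name), count_uid_terms(build_user_filter(name)))
```

For `*)(uid=*` the unescaped builder yields four `uid=` terms, two of them `uid=*`, so every entry with a uid matches; the escaped builder keeps exactly two terms whose values are the literal string the client sent.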
Re: pam_auth_radius
To help others (like us) who hit this issue...

R. Marc posted:
> Yeah, figured that; just trying to figure out why. And yes, it's sshd:
>
>     # strings /usr/sbin/sshd | grep INC
>     INCORRECT
>
> As a suggestion, if there are 5-6 pieces of software involved in authentication, don't immediately jump to blaming the PAM radius module.
>
> Not blaming, just trying to solve a problem.

In our case, sshd_config had an "AllowUsers blah" directive to allow only one specific user to log in via SSH. For a different username, that directive causes the otherwise correct password to be changed to the value INCORRECT. That is then passed on to the PAM module, and pam_auth_radius sends that INCORRECT password to the RADIUS server, which appropriately denies access. Removing the AllowUsers line allowed ssh logins to succeed in the appropriate cases. If you make the same change but wish to block some users (e.g., root) from ssh login, be sure to verify that behavior. In our case no further changes were needed.

Alan Carwile

-- View this message in context: http://freeradius.1045715.n5.nabble.com/pam-auth-radius-tp3388722p4400923.html
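The behaviour described in the post is sshd's, not the PAM module's: for a user that sshd has already rejected (for example one not matched by AllowUsers), it hands PAM a placeholder password instead of the real one, which is why the RADIUS server sees a bogus credential and rejects it, and why the failure shows up in the RADIUS logs rather than in sshd's. To tell in advance which RADIUS requests will carry that placeholder, the following added example (the editor's Python, not code from the thread, from OpenSSH or from pam_radius_auth) parses the AllowUsers/DenyUsers lines of an sshd_config and applies sshd's evaluation order, DenyUsers before AllowUsers, with the `user@host` form and the `*`/`?` wildcards. It is deliberately partial: Match blocks, AllowGroups/DenyGroups and CIDR host patterns are ignored, the sample config is constructed, and the placeholder's leading bytes are from the editor's reading of OpenSSH's auth-pam.c; only its INCORRECT suffix, the string the `strings` check in the post finds, is relied on.

```python
import re

# OpenSSH substitutes this for the password of a user it has already rejected
# (not in AllowUsers, in DenyUsers, unknown account, ...). The `strings sshd |
# grep INC` check in the post finds its tail; the leading control bytes are
# the editor's recollection of auth-pam.c, not something the post shows.
SSHD_BAD_PASSWORD = "\b\n\r\x7fINCORRECT"

# Constructed sample sshd_config for this example, not from any real host.
SAMPLE_SSHD_CONFIG = """\
# one admin, plus the ops accounts when they come from the management subnet
UsePAM yes
AllowUsers alice ops-*@10.0.0.*
DenyUsers root
"""


def parse_sshd_config(text):
    """Collect AllowUsers/DenyUsers patterns. Comments are dropped and
    everything after the first Match line is ignored (out of scope here)."""
    rules = {"AllowUsers": [], "DenyUsers": []}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *patterns = line.split()
        if key.lower() == "match":
            in_match = True
            continue
        if in_match:
            continue
        for name in rules:                     # keywords are case-insensitive
            if key.lower() == name.lower():
                rules[name].extend(patterns)
    return rules


def _glob(pattern):
    """sshd pattern: only * and ? are special; everything else is literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile("^" + body + "$")


def _matches(pattern, user, host):
    """user or user@host; both parts are case-sensitive, as in sshd."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return bool(_glob(upat).match(user)) and bool(_glob(hpat).match(host))
    return bool(_glob(pattern).match(user))


def user_is_allowed(rules, user, host=""):
    """sshd_config(5) order: DenyUsers first, then AllowUsers if any are set.
    With no AllowUsers line at all, every user not denied is allowed."""
    if any(_matches(p, user, host) for p in rules["DenyUsers"]):
        return False
    allow = rules["AllowUsers"]
    if allow and not any(_matches(p, user, host) for p in allow):
        return False
    return True


def password_seen_by_pam(rules, user, password, host=""):
    """What pam_radius_auth, and therefore the RADIUS server, will be given."""
    return password if user_is_allowed(rules, user, host) else SSHD_BAD_PASSWORD


if __name__ == "__main__":
    rules = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for user, host in (("alice", "10.0.0.7"), ("bob", "10.0.0.7"),
                       ("ops-deploy", "10.0.0.7"), ("ops-deploy", "192.168.1.7")):
        print(user, host, repr(password_seen_by_pam(rules, user, "s3cret", host)))
```

Running it against the sample config shows `bob`, and `ops-deploy` from outside 10.0.0.0/24, reaching the RADIUS server with the placeholder rather than `s3cret`, which matches the symptom in the post: the RADIUS reject is correct, the cause is the sshd policy.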
Re: unlang conditionals
I found out after checking other posts that the correct syntax of the IF should be as follows:

    if (%{control:Tmp-String-0} %{control:Tmp-String-5}) {
    }

This is working now for me.

-- View this message in context: http://freeradius.1045715.n5.nabble.com/unlang-conditionals-tp4400590p4401011.html
Re: documentation and project organization (Was: Using LDAP with EAP-TLS)
Hi John,

Just to chime in, I find all of the comments in radiusd.conf, etc. distracting and overwhelming. I strip out the comments from the files I'm using, usually to find out how simple the configuration really is. When I'm missing something, I refer back to the original files and look up the relevant comment entry. I would prefer all of the comments be assembled into straightforward documentation, using examples for the appropriate configuration sections.

My 2 cents, as we say...

-John

On 05/16/2011 11:20 AM, John Dennis wrote:
> On 05/16/2011 10:13 AM, Alexandros Gougousoudis wrote:
>> Phil, I also understand a lot of things and I can read, but the documentation of FR is not ideal. I've googled around, looked at examples and had more questions than before. Where are all these features documented, like the if/then things in the conf, all the keywords like ok=return and so on, what's the difference between Autz-Type and Auth-Type? The only thing to get help is here on the list; on the net you find a lot of info on FR 1.1 and 2 (one is deployingradius and one the FR site), sites containing a little bit of information, not much more than the conf files coming with the FR archive. I'm not complaining, because it's an open source project, but you should note that it's sometimes not the lack of understanding but the lack of well documented features. And if I can't find the info I need in the docs, I start to try things out.
>
> +1
>
> I have to agree: the lack of comprehensive documentation, including an overview of concepts and the flow of operations, is the greatest impediment to the success of FreeRADIUS as an open source project. The power and flexibility of FreeRADIUS is awesome; Alan and the other developers have done a wonderful job of providing the open source community with a fantastic piece of critical software. They have excelled at constant innovation and timely bug fixes. The response on the mailing list is exceptional.
>
> But all these positive attributes are sometimes negated by the difficulty of understanding the system. Many justifiably feel configuring FreeRADIUS is a black art. It's often been pointed out that the config files, doc directory and the wiki contain all you need to know. There is a modicum of truth in that. But the reality is it's very difficult to locate, extract, interpret and interpolate the missing pieces to form a functioning mental model in order to accomplish a specific deployment task. I've worked with FreeRADIUS for a while now and I'm still confounded by things I don't know, incorrect expectations of behavior (e.g. != does not work for group testing). There are things which as far as I can tell are simply not documented. Just last week I had to help someone who was frustrated by the inability to add attributes to successfully proxied Auth-Accepts using a users file. By reading the source I found the postproxy_users_file config; as far as I could tell this is completely undocumented. When it comes to supporting users, "Use the source, Luke" isn't viable.
>
> I'd like to suggest the next most important task item for the team is not the 3.0 release, it's not any change to the code base. Rather the single most important task is producing comprehensive documentation collected in a single location, augmented with cookbook examples of how to solve common deployment problems. I'll wager the time spent on this list answering questions will greatly diminish, thus providing free time for feature enhancements and bug fixes.
>
> I'm also concerned at the obvious frustration expressed countless times on this list where folks have spent days, weeks, or in some cases months beating their heads against the wall in frustration. There will be a tipping point at some point in the future where that frustration will doom the project as it gets replaced by an alternative or forked. I've been in open source long enough to have seen this scenario play out multiple times.
>
> Just my 2 cents, worth what you paid for it :-) I'll now return you to your regularly scheduled programming :-) And in case you missed it above, Alan and everyone else have done a wonderful job and provided a fantastic service to the community. All I'm suggesting here is the task priorities need to be tweaked a bit.
>
> P.S.: One thing which has been lacking in the project is a public list of the project team. One might make the assumption Alan is the sole contributor; if so then that's truly amazing. But I'm going to guess others are involved. We would like to thank them as well and perhaps have some more insight into the project's organization. At best all I've been able to do is intuit, based on reading this list and the dev list over an extended period, that some list participants seem to have such an extensive knowledge it suggests to me they must be on the development team, either that or, just like myself, they've spent a lot of time reading the source code out of necessity. Questions like, what is the project's timeline, what is upcoming in new
Re: documentation and project organization (Was: Using LDAP with EAP-TLS)
John,

I believe Alan started a project to try and improve documentation in May last year. A few documents were converted to RST format, but I don't think it was ever completed.

I'm going to suggest the same thing I did back then. Add RST support to the Wiki, set up a well defined documentation structure (as in: these are the subjects and example configurations that should be covered), and then roll page exports from the wiki into the documentation that 'ships' with FreeRADIUS. There's so much to document that it needs to be a collaborative effort.

-Arran

Arran Cudbard-Bell
RM-RF Limited - Security consultation and contracting
VoIP: +1 916-436-1352
Cell: +44 7854041841
Re: documentation and project organization (Was: Using LDAP with EAP-TLS)
On 05/16/2011 02:20 PM, Arran Cudbard-Bell wrote:
> John,
>
> I believe Alan started a project to try and improve documentation in May last year. A few documents were converted to RST format, but I don't think it was ever completed.
>
> I'm going to suggest the same thing I did back then. Add RST support to the Wiki, set up a well defined documentation structure (as in: these are the subjects and example configurations that should be covered), and then roll page exports from the wiki into the documentation that 'ships' with FreeRADIUS. There's so much to document that it needs to be a collaborative effort.

Sounds like a fine plan to me. I do recall the documentation effort from last year. But the various promises of documentation seem to wither on the vine; the effort you cite is a perfect example. Maybe Alan's book is the answer, but that's been promised for a long time too.

My basic take is this is the classic developer's dilemma: developers want to write code, not documentation. When time allocation occurs the choice is to write code and defer the doc. But doc must get done; it needs an owner who is going to own the task and get it done.

FWIW, I constantly get complaints about the difficulty of using FreeRADIUS and the lack of usable documentation. Only last week this reached all the way to my manager, who had to intervene and assert this is an upstream project issue and not something Red Hat can fix. Sorry, just being the messenger; just trying to ultimately help by saying there is a pain point and not sweep it under the rug.

-- John Dennis jden...@redhat.com
RE: documentation and project organization (Was: Using LDAP with EAP-TLS)
If I knew more about it I would take my time to write some... examples, use cases, case studies, whatever. But I can barely get by: each time I think I understand something it turns out I really don't. I don't want to spread bad info, so I say nothing, usually :)

IMHO a good starting point would be a single point of all authorized documentation: freeradius.org, Wiki, don't care, but it's frustrating when you find doc that seems legit that conflicts with other doc that also seems legit. The single source of info then needs to have whatever is there vetted by those that actually KNOW what's what, and kept current.

Unfortunately most people don't understand the details of PEAP, *CHAP, GTC, certs, etc., so they simply follow instructions verbatim. If those instructions are wrong, skip some steps, or even have basic typos, it will lead to a lot of frustration not only for the novice user, but for the smart people on here that constantly address the same simple issues.

I will step up to the plate and offer up a standard format for a Recipe. I will pick an easy deployment scenario, such as: How do I configure FR to authenticate VTY access to my Cisco gear using AD on the backend, and users must be a member of GroupX? I'm sure I will get some things wrong, but perhaps we can at least settle on a common template/format which will at least help moving forward.

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of John Dennis
Sent: Monday, May 16, 2011 1:52 PM
To: FreeRadius users mailing list
Subject: Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

> On 05/16/2011 02:20 PM, Arran Cudbard-Bell wrote:
>> John,
>>
>> I believe Alan started a project to try and improve documentation in May last year. A few documents were converted to RST format, but I don't think it was ever completed.
>>
>> I'm going to suggest the same thing I did back then. Add RST support to the Wiki, set up a well defined documentation structure (as in: these are the subjects and example configurations that should be covered), and then roll page exports from the wiki into the documentation that 'ships' with FreeRADIUS. There's so much to document that it needs to be a collaborative effort.
>
> Sounds like a fine plan to me. I do recall the documentation effort from last year. But the various promises of documentation seem to wither on the vine; the effort you cite is a perfect example. Maybe Alan's book is the answer, but that's been promised for a long time too.
>
> My basic take is this is the classic developer's dilemma: developers want to write code, not documentation. When time allocation occurs the choice is to write code and defer the doc. But doc must get done; it needs an owner who is going to own the task and get it done.
>
> FWIW, I constantly get complaints about the difficulty of using FreeRADIUS and the lack of usable documentation. Only last week this reached all the way to my manager, who had to intervene and assert this is an upstream project issue and not something Red Hat can fix. Sorry, just being the messenger; just trying to ultimately help by saying there is a pain point and not sweep it under the rug.
>
> -- John Dennis jden...@redhat.com
Re: attrs.pre-proxy in V2
Steve Brown wrote:
> Sure, but I actually _want_ to send only the first 3 octets... Is that even possible?

No. IP addresses have 4 octets. You can set the fourth octet to zero. *Nothing* else is possible.

Alan DeKok.
Re: documentation and project organization (Was: Using LDAP with EAP-TLS)
Arran Cudbard-Bell wrote:
> I believe Alan started a project to try and improve documentation in May last year. A few documents were converted to RST format, but I don't think it was ever completed.

I received a number of patches from one person, a few from another one or two, and nothing else.

I've been saying for ~10 years that this is a community effort. I'd *like* additional documentation, but I don't get paid to write it. I get paid to write code. The community has spoken: documentation isn't important enough. I'd like to change that, but I'm busy.

> I'm going to suggest the same thing I did back then. Add RST support to the Wiki, set up a well defined documentation structure (as in: these are the subjects and example configurations that should be covered), and then roll page exports from the wiki into the documentation that 'ships' with FreeRADIUS.

My $0.02 is that we should use github. They now support git-backed Wikis, which use markdown. It's close enough, and has a lot of benefits. But it requires converting the existing Wiki pages. I'm not inclined to do it, as I have too many other things to do.

> There's so much to document that it needs to be a collaborative effort.

It's not hard. Read the comments in the config files, and write a document summarizing them. Add one or two simple examples.

Alan DeKok.
Re: documentation and project organization (Was: Using LDAP with EAP-TLS)
John Dennis wrote:
> Sounds like a fine plan to me. I do recall the documentation effort from last year. But the various promises of documentation seem to wither on the vine; the effort you cite is a perfect example. Maybe Alan's book is the answer, but that's been promised for a long time too.

I had planned on finishing it this spring. I got busy, in a "you don't want to know" kind of way.

> FWIW, I constantly get complaints about the difficulty of using FreeRADIUS and the lack of usable documentation. Only last week this reached all the way to my manager, who had to intervene and assert this is an upstream project issue and not something Red Hat can fix. Sorry, just being the messenger; just trying to ultimately help by saying there is a pain point and not sweep it under the rug.

If the customers care, refer them to me. If it's a priority for them, someone can be found to do the work.

Alan DeKok.
Re: documentation and project organization (Was: Using LDAP with EAP-TLS)
Gary Gatten wrote:
> I will step up to the plate and offer up a standard format for a Recipe. I will pick an easy deployment scenario, such as: How do I configure FR to authenticate VTY access to my Cisco gear using AD on the backend, and users must be a member of GroupX?

That's configuring 4 things at once... people will find it useful, but my worry is that it's too specific.

> I'm sure I will get some things wrong, but perhaps we can at least settle on a common template/format which will at least help moving forward.

A template recipe sounds like a wonderful idea.

Alan DeKok.
Re: documentation and project organization (Was: Using LDAP with EAP-TLS)
John Center wrote:
> Just to chime in, I find all of the comments in radiusd.conf, etc. distracting and overwhelming. I strip out the comments from the files I'm using, usually to find out how simple the configuration really is. When I'm missing something, I refer back to the original files and look up the relevant comment entry. I would prefer all of the comments be assembled into straightforward documentation, using examples for the appropriate configuration sections.

Sure. Submit a patch.

Alan DeKok.
Re: documentation and project organization (Was: Using LDAP with EAP-TLS)
John Dennis wrote:
> But all these positive attributes are sometimes negated by the difficulty of understanding the system. Many justifiably feel configuring FreeRADIUS is a black art. It's often been pointed out that the config files, doc directory and the wiki contain all you need to know. There is a modicum of truth in that. But the reality is it's very difficult to locate, extract, interpret and interpolate the missing pieces to form a functioning mental model in order to accomplish a specific deployment task.

Yup.

> I've worked with FreeRADIUS for a while now and I'm still confounded by things I don't know, incorrect expectations of behavior (e.g. != does not work for group testing). There are things which as far as I can tell are simply not documented.

Oh yes, lots.

> Just last week I had to help someone who was frustrated by the inability to add attributes to successfully proxied Auth-Accepts using a users file. By reading the source I found the postproxy_users_file config; as far as I could tell this is completely undocumented. When it comes to supporting users, "Use the source, Luke" isn't viable.

Yes, well... there isn't much to argue with there.

> I'd like to suggest the next most important task item for the team is not the 3.0 release, it's not any change to the code base. Rather the single most important task is producing comprehensive documentation collected in a single location, augmented with cookbook examples of how to solve common deployment problems.

Sure. Except that 3.0 is pretty much ready now.

> I'll wager the time spent on this list answering questions will greatly diminish, thus providing free time for feature enhancements and bug fixes.

For me, time on the list is 30 seconds in between other work, i.e. wait for compile: answer post. It's really quite minimal, despite the volume of messages I send.

> I'm also concerned at the obvious frustration expressed countless times on this list where folks have spent days, weeks, or in some cases months beating their heads against the wall in frustration. There will be a tipping point at some point in the future where that frustration will doom the project as it gets replaced by an alternative or forked. I've been in open source long enough to have seen this scenario play out multiple times.

The level of frustration has diminished significantly with 2.0, and again with 2.1. The default configurations just work, and the debug messages have been improved to the point where mere mortals can understand them.

> One thing which has been lacking in the project is a public list of the project team. One might make the assumption Alan is the sole contributor; if so then that's truly amazing.

Look at github. The only person other than me who's had meaningful contributions in the last 2 years is Phil Mayers. Many other authors listed (e.g. Dante) are contractual obligations, implemented by me.

> But I'm going to guess others are involved. We would like to thank them as well and perhaps have some more insight into the project's organization. At best all I've been able to do is intuit, based on reading this list and the dev list over an extended period, that some list participants seem to have such an extensive knowledge it suggests to me they must be on the development team, either that or, just like myself, they've spent a lot of time reading the source code out of necessity.

There are a number of people who run multiple RADIUS servers (machines and products) for their living. They're familiar with pretty much everything. We're all in their debt for answers, docs, bug reports, bug fixes, etc.

> Questions like: what is the project's timeline, what is upcoming in new releases, what is the anticipated release schedule, how is the project organized, who are significant players and what are their roles are information usually published by open source projects but have been missing (maybe just another example of missing documentation?).

Project timeline: whenever
What's upcoming: see doc/ChangeLog in git.
Release schedule: usually every 3-4 months
Organization / people / roles:
    code: Alan
    mgmt: Alan
    docs: Alan
    web site: Alan
    releases: Alan
    bug fixes: Alan
    Wiki: Peter Nixon

Sense a theme?

Alan DeKok.
AD Authentication + radius + foundryAP
= no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = suffix delimiter = @ ignore_default = no ignore_null = yes } Module: Instantiating ntdomain realm ntdomain { format = prefix delimiter = \ ignore_default = no ignore_null = yes } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = /etc/freeradius/users acctusersfile = /etc/freeradius/acct_users preproxy_usersfile = /etc/freeradius/preproxy_users compat = no } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = /var/log/freeradius/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = /etc/freeradius/attrs.access_reject key = %{User-Name} } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pam Module: Instantiating pam pam { pam_auth = radiusd } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating auth_log detail auth_log { detailfile = /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port } Module: Checking accounting {...} for more modules to load Module: 
Instantiating detail detail { detailfile = /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = /var/log/freeradius/radwtmp } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = /etc/freeradius/attrs.accounting_response key = %{User-Name} } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: Opening IP addresses and Ports listen { type = auth ipaddr = * port = 1812 } listen { type = acct ipaddr = * port = 1813 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.103.10 port 32890, id=83, length=158 User-Name = ATL\\user NAS-IP-Address = 192.168.103.10 NAS-Port = 6145 Called-Station-Id = 00-90-0B-0A-81-96:radtest Calling-Station-Id = 00-26-C7-6F-FF-64 Framed-MTU = 900 NAS-Port-Type = Wireless-802.11 Connect-Info = CONNECT 802.11g EAP-Message = 0x020100110141544c5c7069706b696e5f6d Message-Authenticator = 0xf18704d104d0322078509df754b74003 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/freeradius/radacct/192.168.103.10/auth-detail-20110516 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.103.10/auth-detail-20110516 [auth_log] expand: %t - Mon May 16 15:28:41 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [ntdomain] Looking up realm ATL for User-Name = ATL\user [ntdomain] No such realm ATL ++[ntdomain] returns noop [eap] EAP 
packet type response id 1 length 17 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap
RE: documentation and project organization (Was: Using LDAP with EAP-TLS)
Good point about configuring multiple things at once, but that is a recipe, right? Several ingredients that make a tasty cake?

I think it would be a pretty common deployment scenario: lots of people have Cisco and AD, and want to auth their Cisco admins / VTY access against AD. We used this exact scenario as a basic starting point with FR (and I've noticed others on here do the same) before moving on to more complicated setups.

I probably should doc some stuff for internal use regardless, so even if no one else finds it useful it won't be a waste of time.

G

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, May 16, 2011 2:31 PM
To: FreeRadius users mailing list
Subject: Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

> Gary Gatten wrote:
>> I will step up to the plate and offer up a standard format for a Recipe. I will pick an easy deployment scenario, such as: How do I configure FR to authenticate VTY access to my Cisco gear using AD on the backend, and users must be a member of GroupX?
>
> That's configuring 4 things at once... people will find it useful, but my worry is that it's too specific.
>
>> I'm sure I will get some things wrong, but perhaps we can at least settle on a common template/format which will at least help moving forward.
>
> A template recipe sounds like a wonderful idea.
>
> Alan DeKok.
Re: documentation and project organization (Was: Using LDAP with EAP-TLS)
On 05/16/2011 03:41 PM, Alan DeKok wrote:
> Organization / people / roles:
>     code: Alan
>     mgmt: Alan
>     docs: Alan
>     web site: Alan
>     releases: Alan
>     bug fixes: Alan
>     Wiki: Peter Nixon
>
> Sense a theme?

I do see a theme, but I also see a problem. FreeRADIUS has gotten big enough that 1 person, even one as amazing as you are, can't do it all. I humbly suggest you try to offload some of the work by running this as a project and having a team. You can delegate responsibilities, coordinate and still have a significant architectural and coding role. Plus you get the added benefit of being Benevolent Dictator for Life of FreeRADIUS (http://en.wikipedia.org/wiki/Benevolent_Dictator_For_Life).

-- John Dennis jden...@redhat.com
Re: documentation and project organization (Was: Using LDAP with EAP-TLS)
John Dennis wrote:
> I do see a theme, but I also see a problem. FreeRADIUS has gotten big enough that 1 person, even one as amazing as you are, can't do it all. I humbly suggest you try to offload some of the work by running this as a project and having a team.

Sure. Volunteers?

It was run as a team for a while. The main team members gradually got busy doing other things.

> You can delegate responsibilities, coordinate and still have a significant architectural and coding role.

Sure. Using git means that delegation is much less of an issue, though. Simply fork FreeRADIUS using github, write patches, and submit them. That's how all of the recent third-party patches have gone in.

Again: look at the track record. Pretty much any interesting new feature, or patch or bugfix, gets added. But the volume of such submissions is pretty low.

There's no need to volunteer, or to take on a role. Just do the work, and the title will come automatically.

Alan DeKok.
variable string replace (i presume using UNLANG?)
Hi all,

I am looking to replace a string before sending the query off to SQL... Right now it is %{SQL-User-Name} (sql_user_name = "%{User-Name}"), but the value is going to be like:

    mppp%sstap...@domain.com

and I want to remove the mppp% (which will always be prefixed, or not exist) so that the variable is only sstap...@domain.com. Is that easy to do? I have searched the docs but came up empty (sorry if it has been discussed already... I just didn't find it).

I could always write it in the query to replace the string:

    SELECT REPLACE('mppp%sstap...@domain.com', 'mppp%', '');

but I'm not sure if that is the most efficient way to do it?

Thanks in advance.

Steve.
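Two details matter here that a one-line REPLACE() hides. The prefix should be removed once and only at the start of the string (the "always prefixed, or not exist" rule above), whereas REPLACE() removes every occurrence wherever it sits. And whatever form the rewrite takes, the resulting value must reach the query as a bound parameter or through the sql module's escaping, never by pasting it into the SQL text the way the quoted literal in the message does. The following added example (the editor's Python against an in-memory SQLite table, not code from the thread or from FreeRADIUS's sql module) does the anchored strip, looks the user up with a parameterised query, and runs the REPLACE() variant on the same input to show where the two differ. The table, the user names and the second account's odd name are constructed for the example.

```python
import sqlite3

PREFIX = "mppp%"


def strip_prefix(user_name):
    """Drop one leading PREFIX if present; leave anything else untouched,
    including a second PREFIX or one in the middle of the name."""
    if user_name.startswith(PREFIX):
        return user_name[len(PREFIX):]
    return user_name


def make_db():
    """Constructed radcheck-style table with two accounts; the second name
    contains the prefix string in the middle on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT UNIQUE)"
    )
    conn.executemany(
        "INSERT INTO radcheck (username) VALUES (?)",
        [("alice@example.com",), ("x.mppp%y@example.com",)],
    )
    return conn


def lookup_user(conn, user_name):
    """Strip in the application, then query with a bound parameter so the
    stripped value (which may contain %, quotes or anything else) is never
    part of the SQL text. Returns the row id or None."""
    row = conn.execute(
        "SELECT id FROM radcheck WHERE username = ?",
        (strip_prefix(user_name),),
    ).fetchone()
    return row[0] if row else None


def sql_replace_variant(conn, user_name):
    """The REPLACE() approach from the question, with the value bound rather
    than quoted inline. It removes every occurrence, not only a leading one."""
    return conn.execute(
        "SELECT REPLACE(?, ?, '')", (user_name, PREFIX)
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    for name in ("mppp%alice@example.com", "alice@example.com", "x.mppp%y@example.com"):
        print(name, "->", strip_prefix(name), "| REPLACE:", sql_replace_variant(db, name),
              "| id:", lookup_user(db, name))
```

For `x.mppp%y@example.com` the anchored strip leaves the name alone and the lookup finds the account, while REPLACE() turns it into `x.y@example.com`, a different (here non-existent) user; if the sql module's query did the stripping, that is the difference to keep in mind.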