Hi Kalik,

Thanks for your help... Now I can send two QoS profiles and it's working fine.
Thanks,
Gayathri

On Wed, Jul 8, 2009 at 3:30 PM, <freeradius-users-requ...@lists.freeradius.org> wrote:

> Send Freeradius-Users mailing list submissions to
>         freeradius-users@lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>         freeradius-users-requ...@lists.freeradius.org
>
> You can reach the person managing the list at
>         freeradius-users-ow...@lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. Re: freeradius active directory integration fails with "no such realm" (Andrei-Florian Staicu)
>    2. Re: want to authorise but not authenticate (Arran Cudbard-Bell)
>    3. Re: want to authorise but not authenticate (Ivan Kalik)
>    4. Re: How to configure 2 wimax qos profiles for the user in users file (Ivan Kalik)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 08 Jul 2009 12:31:21 +0300
> From: Andrei-Florian Staicu <andrei.sta...@gmail.com>
> Subject: Re: freeradius active directory integration fails with "no such realm"
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <4a546769.8020...@googlemail.com>
> Content-Type: text/plain; charset=ISO-8859-2; format=flowed
>
> Alan DeKok wrote:
> > Andrei-Florian Staicu wrote:
> >
> >> Hello again. I've reached the output from here:
> >> http://pastebin.com/d19f28a24 , and I still don't understand why it
> >> doesn't call the ntlm_auth line
> >>
> >
> > It looks like you are adding a "Proxy-To-Realm := LOCAL".
> >
> > ...
> >
> >> PEAP: Sending tunneled request
> >>     EAP-Message = 0x02060018014950534f305c616e647265692e737461696375
> >>     FreeRADIUS-Proxied-To = 127.0.0.1
> >>     User-Name = "IPSO0\\andrei.staicu"
> >> server inner-tunnel {
> >> +- entering group authorize
> >>     rlm_realm: Looking up realm "IPSO0" for User-Name = "IPSO0\andrei.staicu"
> >>     rlm_realm: Found realm "IPSO0"
> >>     rlm_realm: Adding Stripped-User-Name = "andrei.staicu"
> >>     rlm_realm: Adding Realm = "IPSO0"
> >>     rlm_realm: Authentication realm is LOCAL.
> >> ++[ntdomain] returns noop
> >> ++[mschap] returns noop
> >> ++[control] returns noop
> >>
> >
> > Why is that "update control" section there? What is in it?
> >
> >
> >
> >> rlm_eap: Request is supposed to be proxied to Realm LOCAL. Not doing EAP.
> >>
> >
> > It's being proxied to realm LOCAL. You have added a LOCAL realm.
> > Don't do that.
> >
> >
> >> ++[eap] returns noop
> >> WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
> >> exist! Cancelling invalid proxy request.
> >>
> >
> > Even more proof. The IPSO0 realm above is added because it exists.
> > The server does NOT add a "Proxy-To-Realm := LOCAL". You have done
> > that. Delete it from your configuration.
> >
> > Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
> It works now. Thank you very much for clearing things up for me.
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 08 Jul 2009 10:33:22 +0100
> From: Arran Cudbard-Bell <a.cudbard-b...@sussex.ac.uk>
> Subject: Re: want to authorise but not authenticate
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <4a5467e2.5040...@sussex.ac.uk>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 8/7/09 10:19, a.l.m.bu...@lboro.ac.uk wrote:
> > hi,
> >
> > here's one for a wednesday morning.
> >
> >
> > we have a system that we've been done plain authorizations
> > via FreeRADIUS - the device sends the following RADIUS request
> >
> > username: userid
> > password: userid
> >
> > (ie the system sends the username and makes the password the same)
> >
> > okay. fair enough....a bit of unlang and a check that if the username = password
> > then set the Auth-Type to something false et voila. all okay.
> >
> >
> > it has now been decided to also do authentication via RADIUS
> > and this is where things get messy.
> >
> >
> > by removing the Auth-Type kludge, we can successfully authenticate
> > a real user with their real password.... however, the authorization
> > now fails because the device still sends username/password with
> > the password the same as the username - this now hits the
> > FreeRADIUS server which cannot find a valid Auth-Type for the user
> > and thus fails authentication and therefore sends back a 'blurgh'
> > to the box requesting authorization.
>
> authorize {
>    if((User-Name == User-Password) && %{ldap:etc...}){
>       update control {
>          Auth-Type := 'NULL'
>       }
>    }
>    else {
>       // Authentication modules
>    }
> }
>
>
> Auth-Type NULL {
>    ok
> }
>
> >
> > this is to be expected because there is nothing in the request to
> > distinguish between an authorization request and an authentication
> > request.
> >
> > so the question is, how do we handle this so that the system can
> > send a username=password for authorization AND a proper authentication
> > can happen WITHOUT (here's a gotcha) the user doing something cute
> > like putting their username in as their password! ;-)
>
> Slightly confused as to what you want... Try again without the caffeine ?
>
> Arran
>
> --
> Arran Cudbard-Bell <a.cudbard-b...@sussex.ac.uk>,
> Systems Administrator (AAA),
> Infrastructure Services (IT Services),
> E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
> DDI+FAX: +44 1273 873900 | INT: 3900
> GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 8 Jul 2009 10:35:04 +0100 (BST)
> From: "Ivan Kalik" <t...@kalik.net>
> Subject: Re: want to authorise but not authenticate
> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
> Message-ID: <10825.194.176.105.43.1247045704.squir...@webmail.kalik.net>
> Content-Type: text/plain;charset=utf-8
>
> > we have a system that we've been done plain authorizations
> > via FreeRADIUS - the device sends the following RADIUS request
> >
> > username: userid
> > password: userid
> >
> > (ie the system sends the username and makes the password the same)
> >
> > okay. fair enough....a bit of unlang and a check that if the username =
> > password
> > then set the Auth-Type to something false et voila. all okay.
> >
> >
> > it has now been decided to also do authentication via RADIUS
> > and this is where things get messy.
> >
> >
> > by removing the Auth-Type kludge, we can successfully authenticate
> > a real user with their real password.... however, the authorization
> > now fails because the device still sends username/password with
> > the password the same as the username - this now hits the
> > FreeRADIUS server which cannot find a valid Auth-Type for the user
> > and thus fails authentication and therefore sends back a 'blurgh'
> > to the box requesting authorization.
> >
> > this is to be expected because there is nothing in the request to
> > distinguish between an authorization request and an authentication
> > request.
> >
> > so the question is, how do we handle this so that the system can
> > send a username=password for authorization AND a proper authentication
> > can happen WITHOUT (here's a gotcha) the user doing something cute
> > like putting their username in as their password! ;-)
>
> Send Service-Type = Authorize-Only in authorization request. Then you can
> distinguish between the requests. Or do authorization at the same time as
> authentication.
>
> Without opening a major security hole. You can set Auth-Type to Accept if
> User-Name = User-Password in the request but that would enable anyone to
> log in knowing just username.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 8 Jul 2009 10:39:48 +0100 (BST)
> From: "Ivan Kalik" <t...@kalik.net>
> Subject: Re: How to configure 2 wimax qos profiles for the user in users file
> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
> Message-ID: <59554.194.176.105.43.1247045988.squir...@webmail.kalik.net>
> Content-Type: text/plain;charset=utf-8
>
> > I am trying to configure the two wimax qos profiles for the single user as
> > one for uplink and another for downlink.
> > If I configure the same attributes two times, in the Access-Accept message
> > the first configured wimax attribute value only is sending but it's not
> > sending the same attribute again which has different value. is there any way
> > to do this and make it work?
>
> http://wiki.freeradius.org/Operators
>
> +=
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 51, Issue 30
> ************************************************
>
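
The `+=` fix from the quoted digest, shown as an added example (not part of the original thread and not FreeRADIUS code): a small model of the documented users-file reply operators that reproduces why only the first of two same-named reply attributes was sent. The attribute name `Example-QoS-Profile`, the user `testuser` and the one-item-per-line parser are assumptions made for the illustration.

```python
import re

# Reply-item operators of the FreeRADIUS "users" file, as documented:
#   =   add the attribute only if none of that name is in the reply yet
#   :=  replace any attribute of that name (add it if absent)
#   +=  always append, so the attribute may appear several times
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(\+=|:=|=)\s*"?([^",]*)"?\s*,?\s*$')

# Constructed entries. "Example-QoS-Profile" is a placeholder attribute
# name (an assumption), standing in for the WiMAX QoS attribute.
SAME_ATTR_TWICE = '''testuser Cleartext-Password := "constructed-secret"
    Example-QoS-Profile = "uplink-profile",
    Example-QoS-Profile = "downlink-profile"
'''
WITH_APPEND = SAME_ATTR_TWICE.replace(
    'Example-QoS-Profile = "downlink', 'Example-QoS-Profile += "downlink')


def parse_reply_items(entry):
    """Return (attr, op, value) for each reply line of one users-file entry."""
    items = []
    for line in entry.splitlines()[1:]:   # line 0 holds the user and check items
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ITEM_RE.match(line)
        if m is None:
            raise ValueError("cannot parse reply item: %r" % line)
        attr, op, value = m.groups()
        items.append((attr, op, value.strip()))
    return items


def build_reply(entry):
    """Apply the operators in file order; return the reply as (attr, value) pairs."""
    reply = []
    for attr, op, value in parse_reply_items(entry):
        if op == "=" and any(a == attr for a, _ in reply):
            continue                      # dropped: only the first value is sent
        if op == ":=":
            reply = [(a, v) for a, v in reply if a != attr]
        reply.append((attr, value))
    return reply


if __name__ == "__main__":
    for name, entry in (("= twice", SAME_ATTR_TWICE), ("= then +=", WITH_APPEND)):
        print(name, "->", build_reply(entry))
```
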