Hello,

I'm resending this question again in the hope that someone can respond.

-----Original message-----
From: freeradius-users-bounces+saleh.abuzid=hist...@lists.freeradius.org 
[mailto:freeradius-users-bounces+saleh.abuzid=hist...@lists.freeradius.org] On 
behalf of freeradius-users-requ...@lists.freeradius.org
Sent: 20 July 2010 20:37
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 63, Issue 75

Send Freeradius-Users mailing list submissions to
        freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
        freeradius-users-requ...@lists.freeradius.org

You can reach the person managing the list at
        freeradius-users-ow...@lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. proxy everyone (marco perugini)
   2. Re: Redirection to the NAS of an external CoA request (newtownz)
   3. Re: proxy everyone (Alan DeKok)
   4. Re: Redirection to the NAS of an external CoA request (Alan DeKok)
   5. Re: Acct-Interim-Interval not working (Alan DeKok)
   6. AD groups in user file for dynamic Vlans (Saleh Abuzid)


----------------------------------------------------------------------

Message: 1
Date: Tue, 20 Jul 2010 19:12:45 +0200
From: marco perugini <m.perug...@4it.it>
Subject: proxy everyone
To: freeradius-users@lists.freeradius.org
Message-ID: <4c45d90d.2070...@4it.it>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

hi list!
I'm setting up my FreeRADIUS architecture with a single proxy and 
multiple servers;
here's my scenario:
freeradius server # 1 -> my own server [realm local.net]
freeradius server # 2 -> external server [realm ext.net]
freeradius proxy -> I know everything about the users I proxy towards my 
server [# 1], but I don't know anything about the users I proxy towards the 
external server [# 2]. I would proxy every_usern...@ext.net just to log 
requests.

So this is my question for you: can I use rlm_realm to proxy an entire 
realm without knowing the usernames, just to trace auth/acct requests? Or 
am I crazy?

I hope you'll understand my question... ;)

thanks,
duffy


------------------------------

Message: 2
Date: Tue, 20 Jul 2010 10:38:32 -0700 (PDT)
From: newtownz <jean...@sympatico.ca>
Subject: Re: Redirection to the NAS of an external CoA request
To: freeradius-users@lists.freeradius.org
Message-ID: <29216134.p...@talk.nabble.com>
Content-Type: text/plain; charset=us-ascii


Here are a few lines from my cfg files:

In radiusd.conf:

proxy_requests  = yes
$INCLUDE proxy.conf


In proxy.conf:

#(this is where I want to forward)
home_server aruba {
        type = coa
        ipaddr = xx.yy.110.148
        port = 1812
        src_ipaddr = xx.yy.110.128
        coa {
                # Initial retransmit interval: 1..5
                irt = 2

                # Maximum Retransmit Timeout: 1..30 (0 == no maximum)
                mrt = 16

                # Maximum Retransmit Count: 1..20 (0 == retransmit forever)
                mrc = 5

                # Maximum Retransmit Duration: 5..60
                mrd = 30
        }
        secret = testing123
}

home_server_pool to_aruba {
        home_server = aruba
}

###Not really sure about the validity of the last 3 lines...

And now I'm puzzled as to how to set the Home-server-pool
as stated in recv-coa section of coa:

 recv-coa {
                #  CoA && Disconnect packets can be proxied in the same
                #  way as authentication or accounting packets.
                #  Just set Proxy-To-Realm, or Home-Server-Pool, and the
                #  packets will be proxied.

I tried to find the way that it is done for authentication packets
and did not succeed.

Also I just want to know if my understanding about the whole
process of proxying the CoA is right:

The default server config file is of no use here, in the coa
I have to state somehow that I want the request to be forwarded
to the controller and in the proxy.conf file I have to create
this controller-server so that freeradius won't complain about
an unknown IP address.

Jean
                


Alan DeKok-2 wrote:
> 
> newtownz wrote:
>> I'm trying to figure out how to send a CoA from freeRadius
>> to the NAS.  The set-up I have involves two servers and an 
>> Aruba controller.  
> 
>   i.e. proxying CoA packets through FreeRADIUS to the NAS.
> 
>   While this should work, it's not a deeply tested scenario.
> 
>>  In this test set-up the client authenticates locally on the
>> freeRadius server.  The server listen on port 3799 for a CoA request
>> that is generated from another computer, the freeRadius accepts
>> the request and sends a ACK to the generator but it does not
>> send anything to the NAS, 
> 
>   Did you configure the server to proxy the CoA request?  Look for
> "proxy" in raddb/sites-available/coa in 2.1.9.
> 
>> I tried to supply in the request a
>> NAS-IP-Address attribute and also tried with Packet-Dst-IP-Address
>> with no success. Also tried different things in CoA and Originate-CoA
>> with the same results.
> 
>   Well.. the "coa" documents exactly what you need to do.  Trying random
> *undocumented* things won't make it work.
> 
>> The goal I'm trying to reach is to supply the user-name in the
>> CoA request that will force the client to silently reconnect and
>> in the meantime I will have changed the Access-List accessible to
>> the client.
> 
>   Use a Disconnect-Request packet to make the client disconnect.
> 
>> 1: Is it possible to send a CoA request to the freeRadius server
>> and then have it relay the request to the Aruba controller?
> 
>   Yes.  This is called "proxying"
> 
>> 2: If it is possible what do I have to put in the configs file
>> and where?
> 
>   This is documented.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 

-- 
View this message in context: 
http://old.nabble.com/Redirection-to-the-NAS-of-an-external-CoA-request-tp29206196p29216134.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



------------------------------

Message: 3
Date: Tue, 20 Jul 2010 20:01:29 +0200
From: Alan DeKok <al...@deployingradius.com>
Subject: Re: proxy everyone
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Message-ID: <4c45e479.8020...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

marco perugini wrote:
> so this is my question for you: can i use rlm_realm to proxy an entire
> realm without knowing the usernames just to trace auth/acct requests? 

  Yes.  That's what realms are for.  People have been doing this with
RADIUS since 1995 or so.

  Alan DeKok.
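For the scenario in Marco's question (a proxy that forwards local.net to one server and ext.net to another, logging what goes through), the following is an added example of the proxy's proxy.conf and the pre-proxy/post-proxy sections of sites-available/default. It is not config from the thread or from the FreeRADIUS project; the server names, addresses and secrets are placeholders, and the values for timeouts and status checks are illustrative.

```conf
# proxy.conf on the proxy (added example; names, addresses and secrets are placeholders)

proxy server {
        # Do not silently fall through to local handling when a home server is down.
        default_fallback = no
}

# Server #1: our own RADIUS server for realm local.net
home_server local_net_radius {
        type = auth+acct
        ipaddr = 192.0.2.10              # placeholder address
        port = 1812
        secret = REPLACE_WITH_LONG_RANDOM_SECRET
        response_window = 20
        zombie_period = 40
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
}

# Server #2: the external RADIUS server for realm ext.net
home_server ext_net_radius {
        type = auth+acct
        ipaddr = 198.51.100.20           # placeholder address
        port = 1812
        secret = REPLACE_WITH_A_DIFFERENT_LONG_RANDOM_SECRET
        response_window = 20
        zombie_period = 40
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
}

home_server_pool local_net_pool {
        type = fail-over
        home_server = local_net_radius
}

home_server_pool ext_net_pool {
        type = fail-over
        home_server = ext_net_radius
}

# Any user@local.net is forwarded to server #1.
realm local.net {
        auth_pool = local_net_pool
        acct_pool = local_net_pool
}

# Any user@ext.net is forwarded to server #2. The proxy never needs to know
# the usernames: the realm alone selects the pool. "nostrip" keeps the full
# User-Name so the external server sees the realm it is responsible for.
realm ext.net {
        auth_pool = ext_net_pool
        acct_pool = ext_net_pool
        nostrip
}

# sites-available/default on the proxy: log what is proxied. The attr_filter
# instance drops attributes that should not leave this server before forwarding;
# pre_proxy_log / post_proxy_log are the detail-module instances shipped in
# raddb/modules/detail.log and write one record per forwarded request/reply.
pre-proxy {
        attr_filter.pre-proxy
        pre_proxy_log
}

post-proxy {
        post_proxy_log
}
```

The realm module (`suffix` in the authorize section) splits `user@ext.net` into a stripped user name and a realm, sets Proxy-To-Realm, and the proxy then picks the pool defined above; the detail logs in the pre-proxy and post-proxy sections give the per-request trace Marco asked about without the proxy holding any credentials for ext.net users. Use a distinct, long shared secret per home server: the secret is what authenticates the proxy to each server and protects the User-Password in transit.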


------------------------------

Message: 4
Date: Tue, 20 Jul 2010 20:03:03 +0200
From: Alan DeKok <al...@deployingradius.com>
Subject: Re: Redirection to the NAS of an external CoA request
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Message-ID: <4c45e4d7.4010...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

newtownz wrote:
> And now I'm puzzled as to how to set the Home-server-pool
> as stated in recv-coa section of coa:

  recv-coa {
        ...
        update control {
                Home-Server-Pool := to_aruba
        }
        ...
  }

> I tried to find the way that it is done for authentication packet
> and did not succeed.

  raddb/proxy.conf documents proxying for Access-Request &&
Accounting-Request packets.

> Also I just want to know if my understanding about the whole
> process of proxying the CoA is right:
> 
> The default server config file is of no use here, in the coa
> I have to state somehow that I want the request to be forwarded
> to the controller and in the proxy.conf file I have to create
> this controller-server so that freeradius won't complain about
> an unknown IP address.

  Yes.  You have to define WHERE it will be proxied.  Since RADIUS uses
shared secrets, you have to define the shared secret, too.

  Alan DeKok.
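Putting Alan's answers to Jean together, the following is an added example of the three pieces a CoA proxy needs: a clients.conf entry for the host that originates the CoA, a proxy.conf home server of type coa with its pool, and the recv-coa section in sites-available/coa that selects that pool. This is not config from the thread or from the FreeRADIUS project; addresses, names and secrets are placeholders. It assumes the controller accepts dynamic authorization on UDP 3799 (the RFC 5176 port), which should be checked against the controller's own settings.

```conf
# --- clients.conf (added example): only a listed client, with the right secret,
# may hand this server a CoA-Request or Disconnect-Request to relay. The secret
# "testing123" from the shipped example config must not be used in production.
client coa_originator {
        ipaddr = 192.0.2.50                  # placeholder: host that generates the CoA
        secret = REPLACE_WITH_LONG_RANDOM_SECRET
        shortname = coa-origin
}

# --- proxy.conf (added example): where relayed CoA/Disconnect packets are sent
home_server aruba {
        type = coa
        ipaddr = 192.0.2.148                 # placeholder for the controller's address
        port = 3799                          # assumed RFC 5176 port; verify on the controller
        secret = REPLACE_WITH_CONTROLLER_SECRET
        coa {
                irt = 2                      # initial retransmit interval
                mrt = 16                     # maximum retransmit timeout
                mrc = 5                      # maximum retransmit count
                mrd = 30                     # maximum retransmit duration
        }
}

home_server_pool to_aruba {
        type = fail-over
        home_server = aruba
}

# --- sites-available/coa (added example; link it into sites-enabled)
listen {
        type = coa
        ipaddr = *
        port = 3799
        virtual_server = coa
}

server coa {
        recv-coa {
                # Tell the proxy code which pool to use; the packet is then
                # forwarded to the "aruba" home server instead of being answered locally.
                update control {
                        Home-Server-Pool := to_aruba
                }
                ok
        }

        send-coa {
                ok
        }
}
```

With this in place, `radiusd -X` shows the incoming CoA-Request from the originator, the `Home-Server-Pool` assignment in recv-coa, and the outgoing packet to the controller; if the originator is not in clients.conf or its secret is wrong, the request is dropped before recv-coa runs, which is the check that keeps arbitrary hosts from disconnecting or re-authorizing sessions through the proxy.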


------------------------------

Message: 5
Date: Tue, 20 Jul 2010 20:26:55 +0200
From: Alan DeKok <al...@deployingradius.com>
Subject: Re: Acct-Interim-Interval not working
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Message-ID: <4c45ea6f.2000...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Bishal wrote:
>  I am using freeradius 2.1.6 on FreeBSD 7.2 and using rp-pppoe server
> 3.10 on gentoo linux. During live session it is not updating
> acct-input/output-octets.

  Is the NAS sending packets with those fields?  What does debug mode say?

> Earlier with mpd pppoe server on freebsd it was
> working fine accounting input and output octets were updating every
> 5mins as configured in mpd server but now I have migrated my pppoe
> server to rp-pppoe and it's not updating account values.

  Well... this really sounds like an issue with rp-pppoe.

  Alan DeKok.


------------------------------

Message: 6
Date: Tue, 20 Jul 2010 20:37:09 +0200
From: "Saleh Abuzid" <saleh.abu...@hist.no>
Subject: AD groups in user file for dynamic Vlans
To: <freeradius-users@lists.freeradius.org>
Message-ID:
        <0a3ab621ffabe848bca6fb42db2e5a13045...@ex-vs01.ad.hist.no>
Content-Type: text/plain; charset="iso-8859-1"

Hello FreeRADIUS users,

I'm trying to get FreeRADIUS to send a VLAN ID to some group in AD (Win 2003), 
but it seems that RADIUS cannot pull out the info about the groups even though 
RADIUS is joined to AD. RADIUS ignores the group and goes back to the 
default or preferred VLAN. I'm running the latest version of FreeRADIUS; here is my 
config:


DEFAULT  Ldap-Group == XXXXXXXXX, NAS-IP-Address == "xxx.xxx.xxx.xxx"
      Service-Type = Login-User,
      Tunnel-Type = VLAN,
      Tunnel-Medium-Type = IEEE-802,
      Tunnel-Private-Group-Id = 210,
      Fall-Through = no

 

When I remove the Ldap-Group, then RADIUS can send a request to VLAN 210.

Just for info, I'm able to pull out info via wbinfo -g. I wonder if we have 
to do something in:


/etc/freeradius/modules/mschap, in the last lines:

        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=AD --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}


Any suggestions?


Best regards

Saleh Abuzid

Gunnerus gate 1
Høgskolen i Sør-Trøndelag (HiST)
SPO-IKT
Department engineer

tel: 73559672
E-mail: saleh.abu...@hist.no

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
<https://lists.freeradius.org/pipermail/freeradius-users/attachments/20100720/38cd0756/attachment.html>

------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 63, Issue 75
************************************************
