On 1 Sep 2011, at 15:40, 2394263740 wrote:

> Phil,
>
> Thanks a lot for your great help.
>
> I understand the scripts you wrote. But I don't know where I should put it in.
>
> Can you please kindly advise which file I should edit?
>
> /usr/local/etc/raddb/sites-available/default?

Yes in the authorize section, that's why the script is encapsulated within an authorize {} stanza :)

-Arran

> ------------------ Original ------------------
> From: "freeradius-users"<freeradius-users-requ...@lists.freeradius.org>;
> Date: Thu, Sep 1, 2011 02:51 AM
> To: "freeradius-users"<freeradius-users@lists.freeradius.org>;
> Subject: Freeradius-Users Digest, Vol 76, Issue 108
>
> Today's Topics:
>
> 1. Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS server (Phil Mayers)
> 2. Re: Special WIFI Router MAC check for the user's first connection. (Phil Mayers)
> 3. Using rlm_passwd as a substitute for hunt groups (jan.we...@t-systems.com)
> 4. problem with LDAP backend (Frank Bonnet)
> 5. Re: problem with chillispot (Alan DeKok)
> 6. Re: problem with LDAP backend (Alan DeKok)
> 7. Rating usage (Shreya Shah)
> 8. Re: problem with chillispot (Goke M Aruna)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 31 Aug 2011 14:48:00 +0100
> From: Phil Mayers <p.may...@imperial.ac.uk>
> Subject: Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS server
> To: freeradius-users@lists.freeradius.org
> Message-ID: <4e5e3b90.2020...@imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 30/08/11 21:12, Glenn Machin wrote:
> > Phil - thanks for the feedback.
> >
> > I just ended up proxying out to the IAS server usernames starting with
> > "DOMAIN\".
>
> Ok. Obviously that will fail if someone enters their wireless credentials
> without a domain.
>
> >
> > I configured the freeradius server to not support mschapv2 but will
> > support PEAP/GTC EAP/TLS.
> >
> > It seems to be working fine with the Macs, iPads and Linux systems while
> > the windows systems are happy to talk to the IAS server.
> >
> > It still bugs that ntlm_auth would not authenticate to the domain
> > controllers the challenge and nt-response.
>
> I repeat: if you send debug info, people may be able to help.
>
> >
> > I assume no one else is having any issues using ntlm_auth to W2008
> > servers? It may be some Windows GPO at our site for all I know.
>
> Exactly which version of windows (2008 or 2008R2?) and at which
> functional level is your domain?
>
> Did you try increasing the debug level for winbind using "smbcontrol"
> and then examining the debug logs after a failed auth?
>
> For what it's worth, we have no problems with Windows 2008R2 domain
> controllers and the "samba3x" package available under RHEL5 (samba
> version 3.5.4-0.70.el5). We did have problems with earlier (Samba 3.3)
> versions after we'd upgraded to 2008R2 and upgraded functional level.
>
> ------------------------------
>
> Message: 2
> Date: Wed, 31 Aug 2011 14:55:35 +0100
> From: Phil Mayers <p.may...@imperial.ac.uk>
> Subject: Re: Special WIFI Router MAC check for the user's first connection.
> To: freeradius-users@lists.freeradius.org
> Message-ID: <4e5e3d57.2000...@imperial.ac.uk>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 31/08/11 12:38, 2394263740 wrote:
>
> > For example, WIFI AP 26, has the MAC address MAC26. I need ensure one
> > WIFI user, say user 58, must connect to WIFI AP 26 for the first time.
> > After the first connection, user 58 can connect to any WIFI AP in the
> > network.
> > Can someone give some advice on how to do it?
>
> 1. Create a whitelist of users who can authenticate to any AP using
> files, rlm_passwd or ideally SQL - see the FreeRADIUS wiki
>
> 2. If they are *not* found in the whitelist, check the
> "Called-Station-Id" attribute, which usually contains the MAC address of
> the AP. If your equipment uses a different attribute, check that.
>
> 3. If the AP MAC is the correct one, add the user to the whitelist,
> else reject
>
> For example:
>
> authorize {
>
>   ...
>   update control {
>     Tmp-String-0 := "%{sql:select 1 from whitelist where username='%{User-Name}'}"
>   }
>   if (control:Tmp-String-0 == 1) {
>     # user is in whitelist
>   }
>   elsif (Called-Station-Id == "aa-bb-cc-dd-ee-ff") {
>     # user is connecting to the "whitelist" AP
>     update control {
>       Tmp-String-0 = "%{sql:insert into whitelist (username) values ('%{User-Name}')}"
>     }
>   }
>   else {
>     reject
>   }
>   ...
>
> }
>
> ------------------------------
>
> Message: 3
> Date: Wed, 31 Aug 2011 16:11:48 +0200
> From: jan.we...@t-systems.com
> Subject: Using rlm_passwd as a substitute for hunt groups
> To: <freeradius-users@lists.freeradius.org>
> Message-ID: <3dd77603d0726248a46541d5119607ce27dfc71...@he111524.emea1.cds.t-internal.com>
> Content-Type: text/plain; charset="us-ascii"
>
> >Did you remember to actually define 'My-Device-Group' as an attribute?
> >
> >-Arran
> >
> >Arran Cudbard-Bell
> >a.cudba...@freeradius.org
> >
> >RADIUS - Half the complexity of Diameter
>
> Dictionary:
> ATTRIBUTE My-Device-Group 3000 string
>
> ------------------------------
>
> Message: 4
> Date: Wed, 31 Aug 2011 17:02:32 +0200
> From: Frank Bonnet <f.bon...@esiee.fr>
> Subject: problem with LDAP backend
> To: freeradius-users@lists.freeradius.org
> Message-ID: <4e5e4d08.5060...@esiee.fr>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hello
>
> Still trying to use freeradius with chillispot I still have problems
>
> I'm trying to use mixed authentication
>
> MAC addresses for some video devices in the "users" file
> as follows :
>
> 00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx"
>         Framed-IP-Address = 192.168.182.213,
>         Fall-Through = Yes
>
> LDAP backend for "real" users at the end of the "users" file I have this
> statement
>
> DEFAULT Auth-Type = LDAP
>         Fall-Through = 1
>
> This configuration was working well on a very old debian machine which
> died suddenly
>
> When I try to access the chilli portal it asks radius for authentication
> but it does not work. See below the debug trace of radius daemon.
> Help greatly appreciated, thank you.
>
> Wed Aug 31 16:52:39 2011 : Debug: Processing the authorize section of radiusd.conf
> Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authorize for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "preprocess" returns ok for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_eap: No EAP-Message, not doing EAP
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "eap" returns noop for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling files (rlm_files) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: users: Matched entry DEFAULT at line 398
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "files" returns ok for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authorize
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing user authorization for xxxxxxxx
> Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: '(uid=xxx)'
> Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: 'ou=Users,dc=esiee,dc=fr'
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing search in ou=Users,dc=esiee,dc=fr, with filter (uid=hrazdira)
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: checking if remote access for xxxxxxxx is allowed by uid
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for check items in directory...
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for reply items in directory...
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: user xxxxxxxx authorized to use remote access
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "ldap" returns ok for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "pap" returns noop for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authorize (returns ok) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rad_check_password: Found Auth-Type LDAP
> Wed Aug 31 16:52:39 2011 : Debug: auth: type "LDAP"
> Wed Aug 31 16:52:39 2011 : Debug: Processing the authenticate section of radiusd.conf
> Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authenticate for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: calling ldap (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authenticate
> Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall[authenticate]: module "ldap" returns invalid for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authenticate (returns invalid) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: auth: Failed to validate the user.
> Wed Aug 31 16:52:39 2011 : Debug: Delaying request 15 for 1 seconds
> Wed Aug 31 16:52:39 2011 : Debug: Finished request 15
> Wed Aug 31 16:52:39 2011 : Debug: Going to the next request
> Wed Aug 31 16:52:39 2011 : Debug: --- Walking the entire request list ---
>
> ------------------------------
>
> Message: 5
> Date: Wed, 31 Aug 2011 12:27:36 -0400
> From: Alan DeKok <al...@deployingradius.com>
> Subject: Re: problem with chillispot
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <4e5e60f8.8070...@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Goke M Aruna wrote:
> > Is it bug on freeradius v2?
>
> No.
>
> > I got the chillispot working with freeradius 1.7 then and still tested
> > same recently but v2 of radius give same error while v1 work
> > seamlessly. I compiled this on centos 5.6.
>
> You mistyped the shared secret.
>
> Alan DeKok.
>
> ------------------------------
>
> Message: 6
> Date: Wed, 31 Aug 2011 12:30:45 -0400
> From: Alan DeKok <al...@deployingradius.com>
> Subject: Re: problem with LDAP backend
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <4e5e61b5.2000...@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Frank Bonnet wrote:
> > MAC addresses for some video devices in the "users" file
> > as follows :
> >
> > 00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx"
>
> That's wrong. See the debug output for reasons why. See the FAQ for
> correct examples.
>
> > LDAP backend for "real" users at the end of the "users" file I have this
> > statement
> >
> > DEFAULT Auth-Type = LDAP
> >         Fall-Through = 1
>
> That's not needed.
>
> > Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
>
> That's pretty clear. The NAS is sending a CHAP request. You can't do
> that with "Auth-Type LDAP"
>
> Instead, list "ldap" in the "authorize" section.
>
> Don't set Auth-Type. It's almost always wrong.
>
> Alan DeKok.
>
> ------------------------------
>
> Message: 7
> Date: Wed, 31 Aug 2011 13:23:20 -0400
> From: Shreya Shah <shreya.ns...@gmail.com>
> Subject: Rating usage
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <CANN_Z9KOKD0HfM+s_wVmZTyobN=8qclxbfdqbbrx+kbpubo...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Is it possible to rate users based on their data usage and reject
> authentication to those users exceeding the limit ?
>
> I think I can achieve rating using counter.conf and reading the usage from
> radacct but not sure how to reject this user from authenticating when he
> exceeds this usage limit ?
>
> Thanks,
> Shreya.
>
> ------------------------------
>
> Message: 8
> Date: Wed, 31 Aug 2011 19:51:20 +0100
> From: Goke M Aruna <gok...@gmail.com>
> Subject: Re: problem with chillispot
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <CAE=ditpqorojhxqa7u+btcuxheh0_1v-tahmuw1ntgio9_e...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Allan,
> Mistyped shared-secret? How can I confirm that?
>
> Thank you.
>
> On 8/31/11, Alan DeKok <al...@deployingradius.com> wrote:
> > Goke M Aruna wrote:
> >> Is it bug on freeradius v2?
> >
> > No.
> >
> >> I got the chillispot working with freeradius 1.7 then and still tested
> >> same recently but v2 of radius give same error while v1 work
> >> seamlessly. I compiled this on centos 5.6.
> >
> > You mistyped the shared secret.
> >
> > Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> --
> Sent from my mobile device
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 76, Issue 108

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
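
The three-step first-connection policy from Phil Mayers's message, modelled in Python as an added example (not code from the thread or from FreeRADIUS). It goes beyond the quoted snippet in two assumed ways: Called-Station-Id is normalised because RFC 3580 allows an upper-case MAC with an appended ":SSID", and the whitelist row is written only after the password check succeeds. The SQLite store, function names and reply strings are illustrative; the MAC is the placeholder used in the snippet.

```python
import re
import sqlite3

ENROLL_AP = "AA-BB-CC-DD-EE-FF"  # placeholder MAC, as in the quoted snippet

_MAC = re.compile(r"^((?:[0-9a-f]{2}[-:.]?){5}[0-9a-f]{2})(?::.*)?$", re.I)

def ap_mac(called_station_id):
    """Normalise Called-Station-Id to AA-BB-CC-DD-EE-FF, dropping any ':SSID'."""
    m = _MAC.match((called_station_id or "").strip())
    if not m:
        return None
    digits = re.sub(r"[-:.]", "", m.group(1)).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def new_db():
    """In-memory stand-in for the SQL whitelist table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE whitelist (username TEXT PRIMARY KEY)")
    return db

def authorize(db, user, called_station_id):
    """Steps 1-3 of the quoted procedure, decided before the password check."""
    # Bound parameter: the username is never spliced into the SQL text.
    row = db.execute("SELECT 1 FROM whitelist WHERE username = ?", (user,)).fetchone()
    if row:
        return "allow"          # already whitelisted: any AP is acceptable
    if ap_mac(called_station_id) == ENROLL_AP:
        return "allow-enroll"   # first connection at the designated AP
    return "reject"             # unknown user at any other AP

def handle(db, user, called_station_id, password_ok):
    """Return the RADIUS reply; enrol only once authentication has succeeded."""
    decision = authorize(db, user, called_station_id)
    if decision == "reject" or not password_ok:
        return "Access-Reject"
    if decision == "allow-enroll":
        db.execute("INSERT OR IGNORE INTO whitelist (username) VALUES (?)", (user,))
        db.commit()
    return "Access-Accept"
```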
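
Why the quoted trace ends in 'Cannot use "CHAP-Password"', as an added Python model (not code from the thread or from FreeRADIUS): CHAP sends only MD5(ident | password | challenge), so an LDAP bind has nothing to bind with, while a lookup in authorize that returns a cleartext password lets the server recompute the digest. The directory contents, function names and return strings are constructed for illustration.

```python
import hashlib
import hmac

# Constructed directory: user -> (password the directory verifies on bind,
#                                 whether a cleartext copy can be read back).
DIRECTORY = {
    "alice": (b"correct horse", True),
    "bob": (b"battery staple", False),  # stored only as a salted hash
}
CHALLENGE = bytes(range(16))  # constructed 16-byte CHAP challenge

def chap_password(ident, password, challenge):
    """CHAP-Password value: ident octet + MD5(ident | password | challenge)."""
    head = bytes([ident])
    return head + hashlib.md5(head + password + challenge).digest()

def chap_request(user, password, ident=7):
    """What the NAS sends: the digest only, never the password itself."""
    return {"User-Name": user, "CHAP-Challenge": CHALLENGE,
            "CHAP-Password": chap_password(ident, password, CHALLENGE)}

def auth_type_ldap(req):
    """Model of Auth-Type LDAP: authenticate by binding with User-Password."""
    if "User-Password" not in req:
        return "invalid"  # same outcome as the trace: nothing to bind with
    secret, _ = DIRECTORY.get(req["User-Name"], (None, False))
    ok = secret is not None and hmac.compare_digest(secret, req["User-Password"])
    return "ok" if ok else "reject"

def ldap_authorize_then_chap(req):
    """Model of 'ldap' in authorize: fetch a known-good password, then check CHAP."""
    secret, readable = DIRECTORY.get(req["User-Name"], (None, False))
    attr = req["CHAP-Password"]
    if secret is None or not readable or len(attr) != 17:
        return "reject"  # a hashed password cannot reproduce the MD5 digest
    expected = chap_password(attr[0], secret, req["CHAP-Challenge"])
    return "ok" if hmac.compare_digest(expected, attr) else "reject"
```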