Tacacs+ Support?

2005-07-25 Thread K. Suresh
Hi,

How to implement Tacacs+ with freeRadius? The details available in the
list look older.

Suresh

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error getting data from database

2005-07-25 Thread Nirmal
Thanks Oliver,

there was a problem in my database.. I am able to connect my user in new radius now.

thanks :)

Nirmal

Oliver Graf [EMAIL PROTECTED] wrote:
On Fri, Jul 22, 2005 at 04:32:56AM -0700, Nirmal wrote:
 Thanks for your help  which file I should look into in order to remove this space ?

It's in your SQL database.

Oliver.

Re: edir + cert problem

2005-07-25 Thread garry crothers

Sayantan Bhowmick wrote:

Hi,
  Make sure that the server name you specify in the LDAP
module section matches the CN in the certificate used
by the eDirectory LDAP server. E.g. if your LDAP server is
using SSL CERT DNS, write the hostname as the server name.
If you are using SSL CERT IP, write the IP address of the
server in the LDAP section.

Hope this helps.

Regards,
-Sayantan.


[EMAIL PROTECTED] 07/18/05 4:36 PM



freeradius 1.0.4 compiled with -edir support on Solaris 9.

After configuring and running freeradius, I issue a query from the
command line


radtest VALID-USER VALID-USER-PASSOWRD localhost 389 testing123

I seem to be getting an error

rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTFILE option to 
/opt/sfw/etc/raddb/certs/barney.b64



I have checked that I have correctly exported the certificate from the
novell server in question and tried setting the permissions to 777.
I have done a search of the online docs but can't find anything
appropriate, anyone got any ideas...




Here is the debug message from radiusd -X -f


bash-2.05# clear
You have new mail in /var/mail/root
bash-2.05# radiusd -X -f
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = nds02.XXX.COM
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = cn=admin
ldap: tls_mode = no
ldap: start_tls = yes
ldap: tls_cacertfile = /opt/sfw/etc/raddb/certs/barney.b64
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = demand
ldap: password = 
ldap: basedn = o=XXX,ou=Staff 
ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = nspmPassword
ldap: access_attr = uid
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: edir_account_policy_check = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
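Sayantan's point above (the configured server name has to be the DNS name, or the IP address, that the eDirectory certificate was actually issued for) is easy to get backwards. The following is an added illustration, not code from FreeRADIUS or from this thread: it applies the usual name-matching rules to two constructed certificates in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The host name `nds02.example.com` and address `192.0.2.10` are made-up sample values, and an IP address is only ever matched against an IP subjectAltName, never against the CN, which is why "write the IP address" only works when the certificate carries one.

```python
import ipaddress

# Constructed certificates in the shape returned by ssl.getpeercert().
# Names and addresses are sample values, not taken from the thread.
CERT_CN_ONLY = {
    "subject": ((("commonName", "nds02.example.com"),),),
}
CERT_WITH_SANS = {
    "subject": ((("commonName", "nds02.example.com"),),),
    "subjectAltName": (("DNS", "nds02.example.com"), ("IP Address", "192.0.2.10")),
}


def _dns_name_matches(pattern, hostname):
    """Case-insensitive exact match, plus a single leftmost-label wildcard."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p.startswith("*."):
        head, _, tail = h.partition(".")
        return bool(head) and tail == p[2:]
    return p == h


def server_name_matches(cert, configured_server):
    """Return (ok, reason) for the name the ldap module is configured with."""
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(configured_server)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # An IP address is only matched against iPAddress SAN entries,
        # never against the CN (RFC 5280 / RFC 6125 semantics).
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True, "matched subjectAltName IP Address"
        return False, ("configured an IP address but the certificate carries no "
                       "matching IP SAN; configure the DNS name it was issued for")

    dns_sans = [value for kind, value in sans if kind == "DNS"]
    if dns_sans:
        if any(_dns_name_matches(p, configured_server) for p in dns_sans):
            return True, "matched subjectAltName DNS"
        return False, "no subjectAltName DNS entry matches"

    # No DNS SAN at all: legacy fallback to the subject commonName.
    common_names = [value for rdn in cert.get("subject", ())
                    for kind, value in rdn if kind == "commonName"]
    if any(_dns_name_matches(cn, configured_server) for cn in common_names):
        return True, "matched subject commonName"
    return False, "subject commonName does not match"


if __name__ == "__main__":
    for label, cert in (("CN-only", CERT_CN_ONLY), ("with SANs", CERT_WITH_SANS)):
        for server in ("nds02.example.com", "192.0.2.10"):
            print(label, server, server_name_matches(cert, server))
```

With `tls_require_cert = demand`, a name mismatch is a hard failure, so the value of `server` in the ldap module should be chosen by looking at what the certificate contains rather than at what is convenient to type.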

Defining whole networks for huntgroups matching!

2005-07-25 Thread Erling Paulsen
Hello.

I'm using huntgroups to group our NAS boxes, and I'm wondering if it is
possible to designate whole networks a la A.B.C.D/24 instead of listing
all boxes with multiple NAS-IP-Address statements?

We have an awful lot of dot1x NASes (Cisco switches), and they're all
members of a segmented internal infrastructure net. It would save me a
lot of work to define a whole net in huntgroups instead of single
IP addresses.

- Erling

-- 
|sig|---
[EMAIL PROTECTED]
Nettseksjonen, ITavd UiT


Re: Defining whole networks for huntgroups matching!

2005-07-25 Thread Oliver Graf
On Mon, Jul 25, 2005 at 01:36:19PM +0200, Erling Paulsen wrote:
 I'm using huntgroups to group our NAS boxes, and I'm wondering if it is
 possible to designate whole networks a la A.B.C.D/24 instead of listing
 all boxes with multiple NAS-IP-Address statements?

If you can write the network as regex, it should be possible to match
all your NASes in one check.

Oliver.



Re: Defining whole networks for huntgroups matching!

2005-07-25 Thread Michael Mitchell

Or you can just go:

myhuntgroup NAS-IP-Address == A.B.C.*

works just fine :)

Mike


Oliver Graf wrote:

On Mon, Jul 25, 2005 at 01:36:19PM +0200, Erling Paulsen wrote:


I'm using huntgroups to group our NAS boxes, and I'm wondering if it is
possible to designate whole networks a la A.B.C.D/24 instead of listing
all boxes with multiple NAS-IP-Address statements?



If you can write the network as regex, it should be possible to match
all your NASes in one check.

Oliver.

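A caveat worth checking before relying on a wildcard or regex like `A.B.C.*` for a huntgroup: matched as a regular expression against the dotted-quad string, an unescaped `.` matches any character and `.*` matches any suffix, so the pattern also accepts addresses outside the /24 it was meant to describe. If a huntgroup is later used to decide who gets access, an over-matching pattern quietly widens the set of NASes it covers. The block below is an added example, not part of this thread or of FreeRADIUS: it compares the loose pattern, an anchored dot-escaped regex (the form to use with the server's `=~` regex operator), and a proper CIDR membership test over a constructed list of NAS addresses, and `regex_for_cidr` generates the anchored regex from an octet-aligned CIDR block.

```python
import ipaddress
import re

# Constructed sample NAS addresses (not from the thread). Only the first two
# actually belong to 10.1.2.0/24.
SAMPLE_NAS = ["10.1.2.7", "10.1.2.254", "10.1.22.5", "10.1.25.1", "110.1.2.7", "10.1.3.4"]


def regex_huntgroup_match(pattern, nas_ip):
    """Unanchored regex match on the dotted-quad string, which is how a
    regex comparison against NAS-IP-Address behaves."""
    return re.search(pattern, nas_ip) is not None


def cidr_huntgroup_match(network, nas_ip):
    """Exact membership test against a CIDR block."""
    return ipaddress.ip_address(nas_ip) in ipaddress.ip_network(network, strict=False)


def regex_for_cidr(network):
    """Build an anchored, dot-escaped regex equivalent to an octet-aligned
    IPv4 CIDR block, suitable for the huntgroups =~ operator."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 prefixes map to a simple regex")
    fixed_octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    free_octets = 4 - len(fixed_octets)
    parts = [re.escape(o) for o in fixed_octets] + [r"[0-9]{1,3}"] * free_octets
    return "^" + r"\.".join(parts) + "$"


def members(network, nas_ips):
    """NAS addresses that really are inside the block."""
    return [ip for ip in nas_ips if cidr_huntgroup_match(network, ip)]


def compare(network, loose_pattern, nas_ips):
    """Side-by-side view: loose regex vs anchored regex vs CIDR for each NAS."""
    strict_pattern = regex_for_cidr(network)
    return {ip: {"loose": regex_huntgroup_match(loose_pattern, ip),
                 "strict": regex_huntgroup_match(strict_pattern, ip),
                 "cidr": cidr_huntgroup_match(network, ip)} for ip in nas_ips}


if __name__ == "__main__":
    print("huntgroups regex for 10.1.2.0/24:", regex_for_cidr("10.1.2.0/24"))
    for ip, r in compare("10.1.2.0/24", r"10.1.2.*", SAMPLE_NAS).items():
        print(f"{ip:12} loose={r['loose']!s:5} strict={r['strict']!s:5} cidr={r['cidr']}")
```

Running it shows `10.1.22.5`, `10.1.25.1` and `110.1.2.7` all matching the loose pattern while only `10.1.2.7` and `10.1.2.254` pass the anchored regex and the CIDR test.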


Re: about adding new attributes

2005-07-25 Thread Ranjitsinh Wable

Dear Alan,

Thanks for the details.
I am a bit new to this field so if I am asking very preliminary questions then 
excuse me.
If I understood the concept, the addition of the new attribute will have the 
following steps.

Correct me if I am wrong.

1) Include the vendor specific file in the main dictionary file.
2) Define the Vendor Name with code (How to get this code?)
(Do we need to add this vendor code in user config file when we want that 
attribute to be added in reply?)

3) Define the Attributes that you require
4) Define the possible values for the attribute (Does it check for a 
wrong value set in the configuration file?)


If this is done then we can add the field in the request and response 
message respectively.


Now my question goes like this. Let's take an example.

I want to send the username in the request. When the AAA server wants to 
reply, it will form a packet with the attributes mentioned in the 'user' 
configuration file.


But say we want to add an attribute in the reply message whose value is 
based on an already defined attribute? Does the user need to take care of adding that 
attribute or do we need to modify the code to add such intelligence to the code? 
If yes then which file may need to change?



Thanks in advance.

Best Regards,

Wable R. U.

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, July 21, 2005 10:51 PM
Subject: Re: about adding new attributes



Ranjitsinh Wable [EMAIL PROTECTED] wrote:

I wanted to add one private attribute to the  Free Radius server.
So Let me know how should I will be going to do this.


 Read the dictionary file, and man dictionary


1) How to add the new attribute in the Dictionary


 Read the dictionary file, and man dictionary


2) Where I need to handle the parsing for it. (File name)


 Once it's in the dictionary, it's just another attribute.  Read the
documentation and examples.


3) Where shall I handle the processing of attribute?


 I have no idea what you mean by that.


Is there any standard mechanism to do it? Or
guidelines to do so?


 The documentation?

 Alan DeKok.
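The four steps listed in the message above (include the vendor file, VENDOR line, ATTRIBUTE lines, VALUE lines) describe the FreeRADIUS 1.x dictionary layout, where each vendor attribute names its vendor in the last column and the vendor code is the vendor's IANA Private Enterprise Number. The block below is an added example, not FreeRADIUS code: a small parser for a constructed dictionary fragment (`Example-Corp`, `Example-Service` and `Example-Note` are invented, and `99999` is a placeholder standing in for a real enterprise number) followed by the RFC 2865 Vendor-Specific encoding of one reply item. It also answers question 4: a named value that is not in the dictionary is rejected instead of being silently sent.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed dictionary fragment in the FreeRADIUS 1.x layout. The vendor,
# its attributes and the number 99999 are placeholders, not a real vendor.
SAMPLE_DICTIONARY = """
# $INCLUDE dictionary.example-corp   (how the main dictionary would pull this in)
VENDOR      Example-Corp        99999

ATTRIBUTE   Example-Service     1   integer Example-Corp
ATTRIBUTE   Example-Note        2   string  Example-Corp

VALUE       Example-Service     Gold    1
VALUE       Example-Service     Silver  2
"""


@dataclass
class Attribute:
    name: str
    number: int
    type: str
    vendor: Optional[str]
    values: Dict[str, int] = field(default_factory=dict)


def parse_dictionary(text):
    """Return (vendors, attributes); references to undefined names are errors."""
    vendors, attributes = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].upper()
        if keyword == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif keyword == "ATTRIBUTE":
            name, number, attr_type = parts[1], int(parts[2]), parts[3]
            vendor = parts[4] if len(parts) > 4 else None
            if vendor is not None and vendor not in vendors:
                raise ValueError(f"ATTRIBUTE {name}: vendor {vendor} not defined")
            attributes[name] = Attribute(name, number, attr_type, vendor)
        elif keyword == "VALUE":
            attr_name, value_name, value = parts[1], parts[2], int(parts[3])
            if attr_name not in attributes:
                raise ValueError(f"VALUE for unknown attribute {attr_name}")
            attributes[attr_name].values[value_name] = value
        elif keyword == "$INCLUDE":
            continue  # file inclusion is outside this illustration
        else:
            raise ValueError(f"unknown dictionary keyword {keyword}")
    return vendors, attributes


def resolve_value(attributes, attr_name, value):
    """Turn 'Example-Service = Gold' into its integer. A named value that is
    not defined in the dictionary is rejected rather than silently sent."""
    attr = attributes[attr_name]
    if attr.type == "integer":
        if isinstance(value, int):
            return value
        if value in attr.values:
            return attr.values[value]
        if value.isdigit():
            return int(value)
        raise ValueError(f"{attr_name}: '{value}' is not a defined VALUE")
    if attr.type == "string":
        return str(value).encode()
    raise ValueError(f"unsupported type {attr.type}")


def encode_vsa(vendors, attributes, attr_name, value):
    """RFC 2865 Vendor-Specific (type 26) wire encoding of one vendor attribute:
    Type, Length, Vendor-Id, then Vendor-Type, Vendor-Length, value."""
    attr = attributes[attr_name]
    resolved = resolve_value(attributes, attr_name, value)
    payload = struct.pack(">I", resolved) if attr.type == "integer" else resolved
    inner = bytes([attr.number, 2 + len(payload)]) + payload
    body = struct.pack(">I", vendors[attr.vendor]) + inner
    return bytes([26, 2 + len(body)]) + body


if __name__ == "__main__":
    vendors, attrs = parse_dictionary(SAMPLE_DICTIONARY)
    print(encode_vsa(vendors, attrs, "Example-Service", "Gold").hex())
```

Once the attribute is in the dictionary it is, as Alan says, just another attribute: a reply item in the `users` file is resolved by name through the same tables this parser builds.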


Re: Defining whole networks for huntgroups matching!

2005-07-25 Thread Erling Paulsen
On Mon, Jul 25, 2005 at 10:39:19PM +1000,Michael Mitchell, The Induhvidual, 
scrabbled:
 Or you can just go:
 
 myhuntgroup   NAS-IP-Address == A.B.C.*
 
 works just fine :)
 
 Mike

Just what I needed. Thank you.

- Erling

-- 
|sig|---
[EMAIL PROTECTED]
Nettseksjonen, ITavd UiT


Re: Setting up freeradius to work with cisco aironet accesspoints in a custom environment

2005-07-25 Thread Mario Lipinski
Hello,

thank you for your response.

Alan DeKok schrieb:

 Mario Lipinski [EMAIL PROTECTED] wrote:
 And how to use it in the SQL template or configuration?

  The sample SQL configuration in sql.conf?

I will have a closer look at this now. Maybe you could give me a hint how
to configure Freeradius to look for MAC Addresses and EAP authentication
in different tables?

 Another table contains user information like Domain, Username and
 Password and much of other information. The passwords are encrypted
 (unix password crypt).

  Then you can't do LEAP.

What else could I do? Is there a solution which works with unix crypt and
without an SSL certificate infrastructure?
Can I do LEAP with Samba passwords (which are also stored in the db)? I
think this should work in general but not with the MSChapv2 implementation
in FreeRadius. Is there any way?

 Any help is appreciated. Would be also nice if you could point out
 some interesting and not too long documentation on these special
 topics.

  The server contains general information on what the configuration
 options are, and what they mean.  The server does NOT contain detailed
 information on how to set up your site configuration, because every
 site is different.

OK. That's all that my writing is about. I don't know how to really get
away from the sample layout. For example how to distinguish between
MAC-Address and EAP authentication requests.

I think the problem I atm have is that I don't understand much about
radius and so cannot point out where my problem exactly is... I will try
to get deeper into it now.

Mario



Tunnel-Password fails proxy: tunnel password is too long for the attribute

2005-07-25 Thread Tariq Rashid

when a backend radius server sends back the following tunnel attributes, the
freeradius 1.0.2 fails the request with tunnel password is too long for the
attribute (discovered by radiusd -X).

Tunnel-Server-Endpoint = 1:82.111.96.178
Tunnel-Type = 1:L2TP
Tunnel-Medium-Type = 1:IP
Tunnel-Password = 1:lab
Framed-Protocol = PPP

if I comment out the Tunnel-Password, the proxied reply returns fine.

I guess this is a problem with the tagged setting for the password, part of
which is encrypted perhaps? the backend is Radiator 3.8.

directly querying the backend, without freeradius proxying, works fine.

tariq




Re: Tacacs+ Support?

2005-07-25 Thread Alan DeKok
K. Suresh [EMAIL PROTECTED] wrote:
 How to implement Tacacs+ with freeRadius? The details available in the
 list look older.

  Wait two weeks.  I've been hearing rumors.

  Alan DeKok.


Re: about adding new attributes

2005-07-25 Thread Alan DeKok
Ranjitsinh Wable [EMAIL PROTECTED] wrote:
 I am a bit new to this field so if I am asking very preliminary questions then 
 excuse me.

  Your questions are answered in the existing documentation.

  Alan DeKok.


Re: Setting up freeradius to work with cisco aironet accesspoints in a custom environment

2005-07-25 Thread Alan DeKok
Mario Lipinski [EMAIL PROTECTED] wrote:
 I will have a closer look at this now. Maybe you could give me a hint how
 to configure Freeradius to look for MAC Addresses and EAP authentication
 in different tables?

  The sql documentation included with FreeRADIUS should say how to
configure it in general.  Follow those examples for your situation.

 Can i do LEAP with Samba-Passwords (which are also stored in the db)?

  Yes.

 I think this should work in general but not with the MSChapv2
 implementation in FreeRadius. Is there any way?

  It works.

 OK. That's all that my writing is about. I don't know how to really get
 away from the sample layout. For example how to distinguish between
 MAC-Address and EAP authentication requests.

  Read the debug log.  You have the information in front of you.  I
don't have access to your system, so it would be inappropriate of me
to guess.

  Alan DeKok.


bug in translating Tunnel-Type inusers file?

2005-07-25 Thread Tariq Rashid

for the following profile .. the tunnel type is sent as value 1 not 3... 

[EMAIL PROTECTED]  Password == 888, NAS-IP-Address == 1.2.3.4
Tunnel-Server-Endpoint := 1:3.4.5.6,
Tunnel-Type := 1:L2TP,
Tunnel-Medium-Type := 1:IP,
Tunnel-Password := 1:***,
User-Service := Framed-User,
Framed-Protocol := PPP

received ..

Attributes:
Tunnel-Server-Endpoint = 49::82.111.96.178
Tunnel-Type = 1:PPTP
Tunnel-Medium-Type = 0:IP
Tunnel-Password =
013518217510b15321116222143219220227'186196
231
Framed-Protocol = PPP

even if I remove the quotes in the users file on freeradius 1.0.2 the result
is the same.

tariq


Re: bug in translating Tunnel-Type inusers file?

2005-07-25 Thread Alan DeKok
Tariq Rashid [EMAIL PROTECTED] wrote:
 for the following profile .. the tunnel type is sent as value 1 not 3... 
 
 [EMAIL PROTECTED]  Password == 888, NAS-IP-Address == 1.2.3.4
 Tunnel-Server-Endpoint := 1:3.4.5.6,
 Tunnel-Type := 1:L2TP,

  The permitted tag formats are:

  Tunnel-Type:1 = L2TP

  Tunnel-Type = :1:L2TP

  See src/lib/valuepair.c, function pairmake(), look for merit

  Alan DeKok.


Re: Tunnel-Password fails proxy: tunnel password is too long for the attribute

2005-07-25 Thread Alan DeKok
Tariq Rashid [EMAIL PROTECTED] wrote:
 when a backend radius server sends back the following tunnel attributes, the
 freeradius 1.0.2 fails the request with tunnel password is too long for the
 attribute (discovered by radiusd -X).

  Ok...

 Tunnel-Password = 1:lab

  That's not the correct format for tags.

 if I comment out the Tunnel-Password, the proxied reply returns fine.

  I though you said that the backend server sent the attribute?  How
do you comment it out?

 I guess this is a problem with the tagged setting for the password, part of
 which is encrypted perhaps? the backend is Radiator 3.8.

  See src/lib/radius.c.  A byte in the attribute says how long it is.
If en/decrypted wrong, the byte will be garbage.

  Alan DeKok.
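The length byte Alan refers to is part of the RFC 2868 (section 3.5) Tunnel-Password encoding: the attribute value is a one-byte Tag, a two-byte Salt, and then the password prefixed with its length, zero-padded to 16-byte blocks and XORed with an MD5 keystream derived from the shared secret, the Request Authenticator and the salt. A proxy that relays such a reply has to decode it with the home server's secret and the Request Authenticator of the request it sent, then re-encode it for the NAS; with the wrong secret or authenticator the first thing recovered is a random length byte, which is exactly the "too long for the attribute" failure. The block below is an added illustration of that encoding, not FreeRADIUS code; the secret, Request Authenticator and salt are constructed sample values.

```python
import hashlib
import os

# Constructed sample inputs (not real credentials from the thread).
SAMPLE_SECRET = b"testing123"
SAMPLE_AUTHENTICATOR = bytes(range(16))   # stands in for a Request Authenticator
SAMPLE_SALT = b"\x80\x01"                 # first salt byte must have the high bit set


def tunnel_password_encrypt(password, secret, authenticator, tag=1, salt=None):
    """Return Tag || Salt || ciphertext, the value carried in the attribute."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if salt is None:
        salt = bytes([0x80 | os.urandom(1)[0]]) + os.urandom(1)
    # Plaintext is a one-byte length, then the password, zero padded to a
    # multiple of 16 so that it lines up with the MD5 keystream blocks.
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray()
    prev = authenticator + salt          # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], keystream))
        out += block
        prev = block                     # b(i) = MD5(S + c(i-1))
    return bytes([tag]) + salt + bytes(out)


def tunnel_password_decrypt(value, secret, authenticator):
    """Return (tag, password). Raises when the recovered length byte does not
    fit in the attribute, the "tunnel password is too long" condition."""
    if len(value) < 3 + 16 or (len(value) - 3) % 16:
        raise ValueError("malformed Tunnel-Password value")
    tag, salt, cipher = value[0], value[1:3], value[3:]
    plain = bytearray()
    prev = authenticator + salt
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError(f"tunnel password is too long for the attribute "
                         f"({length} > {len(plain) - 1})")
    return tag, bytes(plain[1:1 + length])


def decode_outcome(value, secret, authenticator):
    """('ok', password) or ('error', message): what a receiver sees for a
    given secret/authenticator pair."""
    try:
        return "ok", tunnel_password_decrypt(value, secret, authenticator)[1]
    except ValueError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    value = tunnel_password_encrypt(b"lab", SAMPLE_SECRET, SAMPLE_AUTHENTICATOR,
                                    tag=1, salt=SAMPLE_SALT)
    print("wire value:", value.hex())
    print("right secret:", decode_outcome(value, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR))
    print("wrong secret:", decode_outcome(value, b"wrong-secret", SAMPLE_AUTHENTICATOR))
```

Decoding with the wrong pair either trips the length check or yields a wrong password that never matches; neither outcome leaks the original, which is why the debug output only ever shows the symptom and not the cause.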


Re: filter id stored in LDAP

2005-07-25 Thread chubbymidget
Do you know if FreeRADIUS support this?

Sorry, I just noticed that gmail has me replying to you rather than the list.

On 7/21/05, Dusty Doris [EMAIL PROTECTED] wrote:
 On Wed, 20 Jul 2005, sean wagoner wrote:
 
  Can the actual Filter ID be store in and retreived by the radius
  server. By this I mean not just the name of the filter but it's actual
  contents?  If so how?
 
 
 Sure.  The file ldap.attrmap maps radius attributes to ldap attributes.
 By default there is one that is for filter-id.
 
 replyItem   Filter-ID   radiusFilterID
 
 To use, it just put radiusFilterID in your ldap directory under either the
 user, or the default profile user.
 
 For example.
 
 dn: cn=someuser,ou=radius,dc=yourdomain
 objectclass: radiusprofile
 objectclass: person
 cn: someuser
 sn: someuser
 userpassword: password
 radiusFilterID: Somefilterid
 
 This would pull radiusFilterID from ldap and make it a Filter-ID reply
 item, such as
 
 Filter-ID = Somefilterid
 
 




Re: Multiple Appearing of the same Attribute variables

2005-07-25 Thread Alan DeKok
Metz, Frederic [EMAIL PROTECTED] wrote:
 now I tried the actual CVS nightly snapshot of today, because of
 shared lib errors I disabled the rlm_eap module in Make.inc, I need
 the radius server in the first step only for accounting.

  It's fixed in the CVS head.

  Alan DeKok.