RE: Different user attributes based on NAS-IP-Address? Also Suffix wildcards available?

2006-03-31 Thread John Mylchreest
Using the standard schema, no it doesn't. However adding an nshortname field on 
*check/*reply allows us to define either a shortname from the nas table, or a 
null to achieve this.

I was however hoping there was a nicer way.
Regardless, I appreciate the time :)

Cheers,
John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 31 March 2006 04:03
To: FreeRadius users mailing list
Subject: Re: Different user attributes based on NAS-IP-Address? Also Suffix wildcards available?

John Mylchreest [EMAIL PROTECTED] wrote:
 This is a single username, but the return being selective based on NAS.
 
 For example:
 
 Radreply will reply with an IP of 1.2.0.1 if NAS=1 else it will respond with 
 IP of 1.1.0.1 if NAS=2, else it will respond with an IP of 1.3.0.1

  I'm not sure that the SQL module supports this.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




frontend for freeradius???

2006-03-31 Thread Olaf Schäfer
@Guy Fraser

Hi,
I read that you've been working 'on some PHP functions to manage
FreeRadius'. I'm going to make some efforts in the same direction:
extending dialup admin with managing abilities for ip-pools,
simultaneous-use, rlm_counter etc.
Especially I'm interested in your functions to acquire information from
configuration files.

best regards,
Olaf



Re: dialup admin ippool administration

2006-03-31 Thread Olaf Schäfer
  
  But the configuration information like range-start etc. is still
  stored in the radiusd.conf. My idea was to put these configuration
  information for each ippool into the mysql-db.
 
   That may be harder to do.  But if you can create a patch, it will be
 welcome.

I'm afraid this exceeds my abilities :(

Thus I have resigned myself to the fact and have started to parse the
radiusd.conf via PHP.

Olaf Schaefer



Separate query for authentication and authorization

2006-03-31 Thread vignesh
Hello
I want to have multiple queries in RADIUS (e.g. one for prepaid and one
for postpaid users). Can I do this in Free Radius? If yes, how do I
specify that Free Radius should execute a particular query?

Also, the authentication and authorization seem to call the same query.
Can I have a different query for authentication and authorization?

Thanks 
Vignesh



Re: Two times authorization and/or both proxying and serving

2006-03-31 Thread Mark Supersonik


First of all, thanks for your help!!! We appreciate it so much!!
Let me explain that the misunderstanding of the sentence is probably very much
a problem of my poor academic English semantics.

Well, I will explain the scenario again, trying to do it as finely as
possible:

 We have a proxy Radius that must proxy or reject the request depending on
whether the authserver's WISP has quota on our system.
 Inside the proxy, we must forward the incoming request from a roaming user to
a domain authserv ONLY AND ONLY IF we can verify the WISP-domain has a prepaid
quota in the proxy's database.
 So we want to program the pre-proxy block in order to determine if the
request must be proxied to the final authserv or must be rejected by the
proxy.

How can we implement this functionality from a technical point of view? Can
we use a module in the pre-proxy state? Or is the only solution to
program JRadius to handle the incoming request to the proxy? Or maybe the
logical solution is to use the exec module?

We need a little more help... sorry, and thanks a lot from all the staff
here!!!


Nets Research Group (Pompeu Fabra University of Barcelona)



From: Alan DeKok [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Two times authorization and/or both proxying and serving
Date: Thu, 30 Mar 2006 13:19:30 -0500


Mark Supersonik [EMAIL PROTECTED] wrote:
 My doubt is: can a freeradius server do first an authorization of a
 request through a DB (i.e MySQL) and proxy then if so or reject it
 (if all isn't in rule)?

  Yes.

 We want only to accept access if each one of the two
 servers process  the authentication successfully.

  MySQL doesn't do authentication.  Your statement is incorrect.

  Alan DeKok.


multiple attribute instances and radius variables (xlat)

2006-03-31 Thread Andriy Gapon
 Andriy Gapon avg at icyb.net.ua wrote:
 Is it possible to add something like %{Attr-Name[*]} that would expand
 to all values of an attribute and something like %{Attr-Name[#]} that
 would expand to number of attribute instances ?
 
   This works in the CVS head.  I'm not sure why it isn't in 1.1.1.

Alan,

thanks a lot for the information, I've pulled the latest version of
xlat.c from CVS.
It seems that the current version of xlat.c in HEAD is 1.107 2006/03/16,
but 1.1.1 release has xlat.c 1.72.2.7.2.1 2005/12/08.

BTW, I'd really love to see the delimiter for [*] and %Z be
configurable, but I am not sure how hard to implement it (especially
provide an interface) and if anybody besides me would use it.

-- 
Andriy Gapon


Re: Freeradius log

2006-03-31 Thread fvt3
Not sure which table to add == to the op field ??

--- Alan DeKok [EMAIL PROTECTED] wrote:

 fvt3 [EMAIL PROTECTED] wrote:
  Anyone know what it is and how to resolve it ? 
 
   Add a value in the op field, like the error
 messages suggest?
 
   Alan DeKok.


Re: Problem with FreeRadius EAP/TLS and 3com OfficeConnect WirelessAP

2006-03-31 Thread Eugenio Pasquariello

we've solved the problem,
thank you for support

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, March 30, 2006 4:55 PM
Subject: Re: Problem with FreeRadius EAP/TLS and 3com OfficeConnect WirelessAP




Eugenio Pasquariello [EMAIL PROTECTED] wrote:

The client starts the EAP transaction, starts TLS and receives the server
certificate. We have used WinXP as client, and then Windows asks the user for
the client certificate. After the choice of the certificate, the client
remains blocked.


 You do not have the extended key usage attributes in the server
certificate.  See the scripts/CA.certs script for examples, and the
xpextensions file.

 Alan DeKok.


Re: openssl/des.h error

2006-03-31 Thread Alan DeKok
Christoforos Ntantogian [EMAIL PROTECTED] wrote:
 However, i have to install the older version.

  Why?

  Alan DeKok.


Re: Freeradius log

2006-03-31 Thread Alan DeKok
fvt3 [EMAIL PROTECTED] wrote:
 Not sure which table to add == to the op field ??

  The one that's being queried?  The one that's referenced in the
example schema?  The one that's referenced in the examples saying
what to insert in the tables?

  Alan DeKok.



Re: Separate query for authentication and authorization

2006-03-31 Thread Alan DeKok
vignesh [EMAIL PROTECTED] wrote:
 I want to have multiple queries in RADIUS (e.g. one for prepaid and one
 for postpaid users). can I do this in Free Radius, if yes how do I
 specify free radius to execute particular query.

  Not really.

 Also the authentication and authorization seems to call the same query.

  There is no authentication query.

  Alan DeKok.


Re: We need help

2006-03-31 Thread Alan DeKok
Sam Sein Muan Tie [EMAIL PROTECTED] wrote:
 Got it to work before, then copied the config to a different server; it
 doesn't work anymore.

  The debug log you posted shows that no one tried to authenticate.

  Alan DeKok.



Re: Version 1.1.1 stops responding

2006-03-31 Thread Alan DeKok
Stefan Winter [EMAIL PROTECTED] wrote:
 When I did it in -X mode, it segfaulted. The end of the -X output is:
...

  Could you do the same, but with core dumps enabled (ulimit -c
unlimited) and symbols?

  That would help a lot in tracking down the problem.

  Also, what OS you're running on, etc.

  Alan DeKok.


Radrelay and detail file permissions

2006-03-31 Thread Ben Plimpton
I have set up radius to log detail files for radrelay to use.  I think
that I followed the documentation exactly except for the name of the
detail file.

detail detail-combined {
        detailfile = ${radacctdir}/detail-combined
        detailperm = 0600
        dirperm = 0755
        locking = yes
}

accounting {
        detail
        detail-combined
}

FreeRadius logs to this file properly if I don't startup radrelay and
the permissions remain as I would expect they should:

-rw-------  1 radiusd radiusd 1166 Mar 31 12:02 detail-combined

But when I start radrelay the permissions change:

[EMAIL PROTECTED] radacct]# radrelay -a /var/log/radius/radacct \
-d /etc/raddb -n ns2-new detail-combined

[EMAIL PROTECTED] radacct]# ls -la
total 44
drwx------  9 radiusd radiusd 4096 Mar 31 12:08 .
drwx------  3 radiusd radiusd 4096 Mar 31 12:02 ..
drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 11:42 127.0.0.1
drwxr-xr-x  2 radiusd radiusd 4096 Mar 17 16:17 216.17.128.39
drwxr-xr-x  2 radiusd radiusd 4096 Feb  7 00:30 216.237.65.2
drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 00:00 216.237.67.198
drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 09:34 216.237.67.217
drwxr-xr-x  2 radiusd radiusd 4096 Feb 14 09:49 216.237.72.66
drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 10:39 216.237.77.3
-rw-------  1 root    root       0 Mar 31 12:08 detail-combined
[EMAIL PROTECTED] radacct]#

I start getting errors like this in my radius.log, which I would expect
with the file permissions the way they are and radiusd cannot log to the
detail file properly and as a result, radrelay cannot send the
accounting request to the remote server:

Fri Mar 31 12:11:13 2006 : Error: rlm_detail: Couldn't open
file /var/log/radius/radacct/detail-combined: Permission denied

Am I missing something with the way I am starting up radrelay?  Or are
there permissions that I need to check somewhere else?  

Should radrelay be run as user radiusd?  If so, how would I do that?

Also.  My system is running Fedora Core 4 - FreeRadius Ver 1.0.4

Any help is greatly appreciated. Thanks


-- 
Microsoft is not the answer, it's the question.  NO is the answer.

Ben Plimpton
Network Engineer
[EMAIL PROTECTED]
970-963-SURF(7873) ext 5174
www.sopris.com


Re: Radrelay and detail file permissions

2006-03-31 Thread Zoltan Ori
On Friday 31 March 2006 14:17, Ben Plimpton wrote:

 But when I start radrelay the permissions change:

 [EMAIL PROTECTED] radacct]# radrelay -a /var/log/radius/radacct \
 -d /etc/raddb -n ns2-new detail-combined

 [EMAIL PROTECTED] radacct]# ls -la
 total 44
 drwx------  9 radiusd radiusd 4096 Mar 31 12:08 .
 drwx------  3 radiusd radiusd 4096 Mar 31 12:02 ..
 drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 11:42 127.0.0.1
 drwxr-xr-x  2 radiusd radiusd 4096 Mar 17 16:17 216.17.128.39
 drwxr-xr-x  2 radiusd radiusd 4096 Feb  7 00:30 216.237.65.2
 drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 00:00 216.237.67.198
 drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 09:34 216.237.67.217
 drwxr-xr-x  2 radiusd radiusd 4096 Feb 14 09:49 216.237.72.66
 drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 10:39 216.237.77.3
 -rw-------  1 root    root       0 Mar 31 12:08 detail-combined
 [EMAIL PROTECTED] radacct]#


 Am I missing something with the way I am starting up radrelay?  Or are
 there permissions that I need to check somewhere else?  

Don't start radrelay as root. Start it as the same user you use to start 
RADIUS. In this case, radiusd.

Zoltan Ori
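
The advice above as an added shell sketch; it is not part of either post and not FreeRADIUS code. The function names, the RADIUS_USER variable and the use of `su -s` are assumptions, while the paths and radrelay arguments are the ones Ben posted.

```shell
#!/bin/sh
# Added example. radrelay started as root creates detail-combined as
# root:root 0600, which radiusd can no longer open; this wrapper starts it
# under the account that owns the detail directory instead.

RADACCT=/var/log/radius/radacct
RADIUS_USER=radiusd     # assumption: daemon account, as in the posted ls output

# owner_uid PATH: numeric uid that owns PATH (third field of `ls -ldn`).
owner_uid() { ls -ldn -- "$1" | awk '{ print $3 }'; }

# launch_plan CURRENT_UID OWNER_UID
#   direct - already running as the directory owner
#   drop   - running as root: switch to the owner before starting
#   refuse - any other account could not share the detail file anyway
launch_plan() {
    if [ "$1" = "$2" ]; then echo direct
    elif [ "$1" = 0 ]; then echo drop
    else echo refuse
    fi
}

start_radrelay() {
    owner=$(owner_uid "$RADACCT") || return 1
    case $(launch_plan "$(id -u)" "$owner") in
        direct)
            radrelay -a "$RADACCT" -d /etc/raddb -n ns2-new detail-combined ;;
        drop)
            # Assumption: su supports -s to pick the shell (Linux su does).
            su -s /bin/sh "$RADIUS_USER" -c \
                "radrelay -a $RADACCT -d /etc/raddb -n ns2-new detail-combined" ;;
        *)
            echo "refusing: uid $(id -u) does not own $RADACCT" >&2
            return 1 ;;
    esac
}

# Dry run: report the plan for the current account without starting anything.
if [ -d "$RADACCT" ]; then
    echo "plan: $(launch_plan "$(id -u)" "$(owner_uid "$RADACCT")")"
fi
```

Call `start_radrelay` from the init script in place of the bare radrelay command.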



sql_postauth does not exec on failed logins

2006-03-31 Thread Duane Cox
List, Hello:

I've got the sql postauth working for Valid Logins, but rlm_sql does not
even call sql_postauth if the login fails.

Is this by design, or do I have a configuration error?


PROCESSES SQL_POSTAUTH:
Login OK: [intermapper] (from client intermapper port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 14
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'intermapper'
rlm_sql (sql): sql_set_user escaped user -- 'intermapper'
radius_xlat:  'insert into radauth (UserName, Password, RadReply,
NASIPAddress, NASIdentifier, NASPort, CalledStationId, CallingStationId)
values ('intermapper', 'password', 'Access-Accept', '10.15.1.15', '', '',
'', '')'
rlm_sql (sql) in sql_postauth: query is insert into radauth (UserName,
Password, RadReply, NASIPAddress, NASIdentifier, NASPort, CalledStationId,
CallingStationId) values ('intermapper', 'password', 'Access-Accept',
'10.15.1.15', '', '', '', '')
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4


DOESNT PROCESS SQL_POSTAUTH:
rlm_sql (sql): sql_set_user escaped user -- '00111AE0D100'
radius_xlat:  'select id, username, attribute, value, op from radcheck where
username = '00111AE0D100' order by id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): User 00111AE0D100 not found in radcheck
radius_xlat:  ''
radius_xlat:  'select radgroupreply.id, radgroupreply.groupname,
radgroupreply.attribute, radgroupreply.value, radgroupreply.op from
radgroupreply, usergroup where usergroup.username = '00111AE0D100' and
usergroup.groupname = radgroupreply.groupname order by radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module sql returns ok for request 6
  modcall[authorize]: module files returns notfound for request 6
modcall: leaving group authorize (returns ok) for request 6
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [00111AE0D100/12810341630068900201] (from client ubr7223
port 6)
Sending Access-Reject of id 222 to 63.252.228.2 port 21745
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...



Re: sql_postauth does not exec on failed logins

2006-03-31 Thread Alan DeKok
Duane Cox [EMAIL PROTECTED] wrote:
 I've got the sql postauth working for Valid Logins, but rlm_sql does not
 even call sql_postauth if the login fails.

  You must list sql in the reject subsection of postauth.  See the
default configs.

  Alan DeKok.
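
An added example, not from the thread or the FreeRADIUS distribution: a shell check that a radiusd.conf-style file lists `sql` in the reject subsection, so that failed logins are written to the database as well as accepted ones. Both config samples are constructed, the function names are hypothetical, and the subsection name `Post-Auth-Type REJECT` is the one used in the stock 1.x radiusd.conf.

```shell
#!/bin/sh
# Added example; the two config samples below are constructed.

# rejects_logged [FILE]: succeed if module "sql" is listed inside
#   post-auth { Post-Auth-Type REJECT { ... } }
# Assumes one "{" or "}" per line, as in the stock radiusd.conf layout.
rejects_logged() {
    awk '
        { sub(/#.*/, "") }                       # ignore comments
        depth == 0 && /^[ \t]*post-auth[ \t]*[{][ \t]*$/ { pa = 1; depth = 1; next }
        pa && depth == 1 && /^[ \t]*Post-Auth-Type[ \t]+REJECT[ \t]*[{][ \t]*$/ {
            rej = 1; depth = 2; next
        }
        /[{][ \t]*$/ { depth++; next }           # any other section opens
        /^[ \t]*[}][ \t]*$/ {                    # a section closes
            depth--
            if (depth < 2) rej = 0
            if (depth < 1) pa = 0
            next
        }
        rej && $1 == "sql" { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

# Before: sql runs for accepted logins only; the REJECT block is commented out.
conf_before() {
    cat <<'EOF'
post-auth {
    sql
#   Post-Auth-Type REJECT {
#       sql
#   }
}
EOF
}

# After: sql is also listed in the reject subsection.
conf_after() {
    cat <<'EOF'
post-auth {
    sql
    Post-Auth-Type REJECT {
        sql
    }
}
EOF
}

for c in conf_before conf_after; do
    if $c | rejects_logged; then echo "$c: failed logins reach sql"
    else echo "$c: failed logins are not logged"; fi
done
```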



Re: special characters in passwords + FR + ldap

2006-03-31 Thread Natalia Escalera
Hi,

Thank you for the support, we will try it out in that way. 

Natalia
On 3/30/06, Alan DeKok [EMAIL PROTECTED] wrote:
Natalia Escalera [EMAIL PROTECTED] wrote:
 Command: /usr/local/bin/radtest username test$2006 x.x.x.x 1 test123
 Output: Sending Access-Request of id 215 to x.x.x.x port 1812
 User-Name = username
 User-Password = test006#- No dollar sign, no number 2

$2 is a Unix shell variable. This has nothing to do with FreeRADIUS.

/usr/local/bin/radtest username 'test$2006' x.x.x.x 1 test123

will work. Note SINGLE quotes, not DOUBLE quotes.

Alan DeKok.
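
The quoting behaviour described in this thread, as an added shell example that is not part of any post: it shows what a program receives for the three ways of writing the password from the post, and adds a helper for scripts that have to build such a command line from an arbitrary password. All function names are hypothetical.

```shell
#!/bin/sh
# Added example. The password value is the one from the post.

# as_received ARG: print the argument exactly as a program such as radtest
# would receive it, after the shell has finished its expansions.
as_received() { printf '%s' "$1"; }

# Inside each function $2 is unset, as it is at an interactive prompt, and
# $2006 is read as $2 followed by the literal text 006.
unquoted()      { as_received test$2006; }      # $2 expands to nothing
double_quoted() { as_received "test$2006"; }    # double quotes still expand $2
single_quoted() { as_received 'test$2006'; }    # single quotes keep it literal

# sh_quote STRING: wrap STRING in single quotes so it can be placed in a
# generated command line; an embedded ' is written as '\''.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# roundtrip STRING: quote STRING, let the shell parse the result again, and
# return what the called program ends up with.
roundtrip() { eval "as_received $(sh_quote "$1")"; }

for f in unquoted double_quoted single_quoted; do
    printf '%-14s -> %s\n' "$f" "$($f)"
done
printf '%-14s -> %s\n' roundtrip "$(roundtrip "it's \$2006")"
```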