Cisco ASA with fall through auth for LDAP and Active Directory

2010-02-01 Thread Harry Hoffman
Hi all, I'm trying to setup freeradius-2.x to provide authentication for a Cisco ASA VPN. When the packet comes in I'd like to first check the LDAP database to see if the user/pass combination work and if it not then check against Active Directory (using ntlm_auth). Both LDAP and AD (via n

RE: Config. Help please - ldap and Active Directory

2009-03-12 Thread Leighton Man
> And many requests later you ask about it: > > >++? if (control:Tmp-String-0 == "ldap-student") > >(Attribute control:Tmp-String-0 was not found) > > .. and it's not there. Of course it's not, since it wasn't > set during processing of that Access-Request but much earlier > in the exchange

RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread tnt
>Here's the complete debug (excluding the server start-up messages). There's >rather a lot of it which is why I tried to post the bits relevant to what I'm >trying (rather unsuccessfully :-) ) to understand. > >rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36, >length=14

RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread Leighton Man
> Can you post the whole debug, not just snippets. Are these > from the same or from different requests in the exchange? > Perhaps you need use_tunneled_reply rather than this. > Here's the complete debug (excluding the server start-up messages). There's rather a lot of it which is why I tried to

RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread tnt
>And I get: > > ++[eap] returns ok >+- entering group post-auth {...} >++[exec] returns noop >++? if (control:Tmp-String-0 == "ldap-student") >(Attribute control:Tmp-String-0 was not found) >Sending Access-Accept of id 129 to 10.127.240.217 port 1645 > >Towards the beginning of the debug output

RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread Leighton Man
> > Update a server-side attribute when you use the module: > > update control { > Tmp-String-0 = "ldap-student" > } > > then in post-auth: > > if (control:Tm-String-0 == "ldap-student") { > ... > > } > I'm really grateful for all your help but it still doesn't work

Re: Config. Help please - ldap and Active Directory

2009-03-10 Thread Alan DeKok
Leighton Man wrote: > Logic now working correctly - Many thanks > Final problem is to return reply attributes in the access accept message. As > a test I added Reply-Message := "User is staff" in the update reply section > and the server duly added it to the next access challenge message. I assum

RE: Config. Help please - ldap and Active Directory

2009-03-10 Thread Leighton Man
> > see "man unlang". The syntax and examples are documented. > Read it many times. The problem is not the documentation, which is great, but my understanding which isn't! I'm working on it but finding it heavy going. > >... >ldap_staff >if (ok) { > update reply { >.

Re: Config. Help please - ldap and Active Directory

2009-03-10 Thread Alan DeKok
Leighton Man wrote: > I've upgraded to 2.1.3 but, sorry, I'm really struggling with the concepts. > I can't do "if Ldap-Group" because there is no container in Active Directory > above staff and student to query. > > What I think I need is: > > if ldap_staff returns "ok" { > update reply{

RE: Config. Help please - ldap and Active Directory

2009-03-10 Thread Leighton Man
> Now I'm trying to return different reply attributes > depending on Active Directory group membership and restrict > which groups can authenticate. Ldap lookups against the > active directory root fail with operation error. > Reconfiguring Active Directory is not a viable option so I > have t

RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
Hmm... would it be possible to have to give *more* output? i.e. start from a fresh directory: $ tar -zxf freeradius-server-2.1.3.tar.gz $ cd freeradius-server-2.1.3 $ ./configure $ gmake And show the errors (not the dozens of lines saying "building foo", or the last dozen lines saying "er

RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread tnt
> >Is there any way to do what I want without upgrading? > You can try users file: DEFAULT Ldap-Group == staff some reply DEFAULT Ldap-Group == student some other reply DEFAULT Auth-Type := Reject That should be at the end of the users file (ie. anything

Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread Alan DeKok
Leighton Man wrote: > Tried "gmake" from the top directory and "gcc -g -O2 -D_REENTRANT > -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS > -I/export/home/cmsxljm/freeradius-server-2.1.3/src -c dict.c -fPIC -DPIC -o > .libs/dict.o" (copy and paste from the gmake output) fro

RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
Huh? It compiles on 3-4 different Solaris boxes that I have access to. Did you run "make" from the TOP directory, or by cd'ing to src/lib? Alan DeKok. Tried "gmake" from the top directory and "gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS

Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread Alan DeKok
Leighton Man wrote: > Many thanks for this. I'm using 1.1.7 because it's available as a pre-built > package on solaris for both sparc and x86 architectures. The idea is to get > freeradius configured and working as fast as possible so it can be demo'd to > management (I'm trying to retire Cisco

RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
>I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) >so please have patience. >I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to >authenticate against Active Directory using ntlm-auth. >All working OK. >Now I'm trying to return different reply att

Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread tnt
>I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) >so please have patience. >I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to >authenticate against Active Directory using ntlm-auth. >All working OK. >Now I'm trying to return different reply attri

Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread Nicolas Goutte
On 06.03.2009 at 12:20, Leighton Man wrote: Hi, I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience. I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth. All working

Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
Hi, I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience. I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth. All working OK. Now I'm trying to return different reply attribu

Re[2]: LDAP and Active Directory

2004-07-04 Thread Alexander Lunyov
Hello Marc, Sunday, July 4, 2004, 2:32:45 PM, you wrote: MJ> Just a last question : MJ> I need OpenLDAP when I compile FreeRadius, but once FreeRadius is compiled, MJ> can I remove OpenLDAP or must I keep it running ? I guess you should keep OpenLDAP installation because of freeradius de

Re: LDAP and Active Directory

2004-07-04 Thread Marc Jaeger
Sent: Friday, July 02, 2004 17:12 Subject: Re: LDAP and Active Directory > Hi, > > This may look like a recurring question, but I've checked the > whole mailing list and many other websites but this isn't > clear to me. > > >

Re: LDAP and Active Directory

2004-07-02 Thread Dustin Doris
> Hi, > > This may look like a recurring question, but I've checked the > whole mailing list and many other websites but this isn't > clear to me. > > > I'm currently working on a gateway using a very poor but > strong configuration of free radius. > This gateway has installed the minimal configur

LDAP and Active Directory

2004-07-02 Thread marc.jaeger
Hi, This may look like a recurring question, but I've checked the whole mailing list and many other websites but this isn't clear to me. I'm currently working on a gateway using a very poor but strong configuration of free radius. This gateway has installed the minimal configuration to made it a