[Success] Group-Name : rlm_unix and rlm_passwd conflict

2003-08-26 Thread Eric Leblond
Hi,

I wanted to assign a Group-Name using rlm_passwd.
But every try failed.
In fact the unix modules (that do nothing in my conf but were loaded)
seem to conflict with the passwd modules. The Group-Name set by rlm_passwd
was like "destroyed" by the unix modules. Suppressing the unix modules from
the conf makes it possible to have something working.

BR,
-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re[6]: rlm_passwd and Group-Name

2003-08-22 Thread Eric Leblond
On Fri, 2003-08-22 at 15:16, 3APA3A wrote:
> Dear Eric Leblond,
> 
> Try
> 
> DEFAULT Group-Name == "ADSLParis"
> 
> before 'test' definition.

It did not change with test after group definition.

BR,
-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink




Re: Re[4]: rlm_passwd and Group-Name

2003-08-22 Thread Eric Leblond
Hi thanks,

but I did not manage to get it: the check seems not to be done.

Here's the log  :

rad_recv: Access-Request packet from host 212.30.97.74:1085, id=60, length=167
User-Name = "[EMAIL PROTECTED]"
User-Password = "test"
NAS-Identifier = "9massy1-1-SMS-10k"
NAS-IP-Address = 172.20.1.218
Calling-Station-Id = "#9massy1-1-SMS-10k#L2TP pseudo port#1145"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 3841983609
Acct-Session-Id = "E5000479-3F462237"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm "alphl.telco.ipadsl" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "alphl.telco.ipadsl"
rlm_realm: Adding Stripped-User-Name = "test"
rlm_realm: Proxying request from user test to realm alphl.telco.ipadsl
rlm_realm: Adding Realm = "alphl.telco.ipadsl"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop
rlm_passwd: Added Group-Name: 'ADSLParis' to request_items
  modcall[authorize]: module "file_groups" returns ok
users: Matched test at 1
  huntgroups: Matched ADSL at 10
  modcall[authorize]: module "files" returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local   
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 60 to 212.30.97.74:1085
Framed-IP-Address = 217.15.82.127
Finished request 0 



On Fri 22/08/2003 at 13:15, 3APA3A wrote:
> Dear Eric Leblond,
> 
> format = "*Stripped-User-Name:Group-Name"
> 
> adds Group-Name to configure_items list
> 
> DEFAULT Huntgroup-Name == "ADSL", Group-Name == "ADSLParis"
> 
> checks Group-Name to be in request. So you're looking for item in
> different list. rlm_passwd can add items to request_list. To achieve it
> you can use format
> 
> format = "*Stripped-User-Name:~Group-Name"
> 
> 
> --Friday, August 22, 2003, 2:57:23 PM, you wrote to [EMAIL PROTECTED]:
> 
> EL> On Fri, 2003-08-22 at 12:43, 3APA3A wrote:
> >> Dear Eric Leblond,
> >> 
> >> Nothing can be said more without seeing your configuration and logs.
> 
> EL> here it is :
> 
> EL> radiusd.conf :
> 
> EL> passwd file_groups {
> EL>    filename = /etc/raddb/groups
> EL>    format = "*Stripped-User-Name:Group-Name"
> EL>    hashsize = 100
> EL>    delimiter = ":"
> EL>    ignorenislike = no
> EL>    allowmultiplekeys = no
> EL> }
> 
> 
> EL> authorize {
> EL> suffix
> EL> file_groups
> EL> files
> EL> }
> 
> EL> Users :
> 
> EL> test Auth-Type := Local, User-Password == "test"
> EL>         Framed-IP-Address = 217.15.82.127,
> EL>         Fall-Through = Yes
> 
> EL> DEFAULT Huntgroup-Name == "ADSL", Group-Name == "ADSLParis"
> EL>         Service-Type = Framed-User,
> EL>         Framed-Protocol = PPP,
> EL>         Tunnel-Type = L2TP,
> EL>         Tunnel-Medium-Type = IP,
> EL>         RB-Tunnel-Local-Name = LACLD,
> EL>         Tunnel-Client-Auth-Id = LNSAlphalink,
> EL>         Tunnel-Server-Auth-Id = LNSAlphalink,
> EL>         Tunnel-Server-Endpoint = 217.15.80.33,
> EL>         Tunnel-Assignment-Id = 217.15.80.33
>  
> EL> logs (radiusd -X) :
> 
> EL> rad_recv: Access-Request packet from host 212.30.97.74:1085, id=21, length=167
> EL> User-Name = "[EMAIL PROTECTED]"
> EL> User-Password = "test"
> EL> NAS-Identifier = "9massy1-1-SMS-10k"
> EL> NAS-IP-Address = 172.20.1.218
> EL> Calling-Station-Id = "#9massy1-1-SMS-10k#L2TP pseudo port#1165"
> EL> Service-Type = Framed-User
> EL> Framed-Protocol = PPP
> EL> NAS-Port = 3841983629
> EL> Acct-Session-Id = "E500048D-3F461183"
> EL> modcall: entering group authorize
> EL>   modcall[authorize]: module "preprocess&quo

Re: Re[2]: rlm_passwd and Group-Name

2003-08-22 Thread Eric Leblond
On Fri, 2003-08-22 at 12:43, 3APA3A wrote:
> Dear Eric Leblond,
> 
> Nothing can be said more without seeing your configuration and logs.

here it is :

radiusd.conf :

passwd file_groups {
   filename = /etc/raddb/groups
   format = "*Stripped-User-Name:Group-Name"
   hashsize = 100
   delimiter = ":"
   ignorenislike = no
   allowmultiplekeys = no
}


authorize {
suffix
file_groups
files
}

Users :

test Auth-Type := Local, User-Password == "test"
        Framed-IP-Address = 217.15.82.127,
        Fall-Through = Yes

DEFAULT Huntgroup-Name == "ADSL", Group-Name == "ADSLParis"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        RB-Tunnel-Local-Name = LACLD,
        Tunnel-Client-Auth-Id = LNSAlphalink,
        Tunnel-Server-Auth-Id = LNSAlphalink,
        Tunnel-Server-Endpoint = 217.15.80.33,
        Tunnel-Assignment-Id = 217.15.80.33
 
logs (radiusd -X) :

rad_recv: Access-Request packet from host 212.30.97.74:1085, id=21, length=167
User-Name = "[EMAIL PROTECTED]"
User-Password = "test"
NAS-Identifier = "9massy1-1-SMS-10k"
NAS-IP-Address = 172.20.1.218
Calling-Station-Id = "#9massy1-1-SMS-10k#L2TP pseudo port#1165"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 3841983629
Acct-Session-Id = "E500048D-3F461183"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm "alphl.telco.ipadsl" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "alphl.telco.ipadsl"
rlm_realm: Adding Stripped-User-Name = "test"
rlm_realm: Proxying request from user test to realm alphl.telco.ipadsl
rlm_realm: Adding Realm = "alphl.telco.ipadsl"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop
rlm_passwd: Added Group-Name: 'ADSLParis' to config_items
  modcall[authorize]: module "file_groups" returns ok
users: Matched test at 1
  huntgroups: Matched ADSL at 10
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 21 to 212.30.97.74:1085
Framed-IP-Address = 217.15.82.127

So Group-Name is set but the test seems not to work 

BR,

> --Friday, August 22, 2003, 12:48:42 AM, you wrote to [EMAIL PROTECTED]:
> 
> EL> On Thu 21/08/2003 at 21:05, 3APA3A wrote:
> >> Dear Eric Leblond,
> >> 
> >> Probably you call passwd after file module. Make sure passwd is called
> >> prior to file module to assume you can use results of rlm_passwd in
> >> users file.
> 
> EL> I did not miss that point (at least this one) I've put passwd file
> EL> before users in radiusd.conf. Logs show that the var is defined.
> 
> EL> BR,
-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink
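
An added example, not part of the original posts: a small Python helper that reads `radiusd -X` output like the traces quoted in this thread and reports, per request, whether rlm_passwd set Group-Name, in which list, and whether a DEFAULT entry of the users file matched. The function names and result labels are assumptions made for this example, and the sample traces are constructed by abridging the logs above.

```python
import re

# Constructed sample: abridged from the radiusd -X trace quoted in this thread.
TRACE_CONFIG = """\
rad_recv: Access-Request packet from host 212.30.97.74:1085, id=21, length=167
modcall: entering group authorize
rlm_passwd: Added Group-Name: 'ADSLParis' to config_items
  modcall[authorize]: module "file_groups" returns ok
users: Matched test at 1
  modcall[authorize]: module "files" returns ok
Sending Access-Accept of id 21 to 212.30.97.74:1085
"""
# Same request after switching the format to "~Group-Name" (constructed).
TRACE_REQUEST = TRACE_CONFIG.replace("config_items", "request_items")

RECV = re.compile(r"rad_recv: \S+ packet from host \S+, id=(\d+)")
ADDED = re.compile(r"rlm_passwd: Added ([\w-]+): '([^']*)' to (\w+)")
MATCHED = re.compile(r"users: Matched (\S+) at (\d+)")

def parse_requests(trace):
    """Split a debug trace into one record per received packet."""
    requests, cur = [], None
    for line in trace.splitlines():
        if m := RECV.search(line):
            cur = {"id": int(m.group(1)), "added": [], "matched": []}
            requests.append(cur)
        elif cur is not None:
            if m := ADDED.search(line):
                cur["added"].append(m.groups())    # (attribute, value, list)
            elif m := MATCHED.search(line):
                cur["matched"].append(m.group(1))  # users-file entry name
    return requests

def diagnose(req, attr="Group-Name"):
    """Label (hypothetical names) for how far the group check got."""
    lists = [lst for name, _, lst in req["added"] if name == attr]
    if not lists:
        return "not-set"            # rlm_passwd never added the attribute
    if "DEFAULT" in req["matched"]:
        return "ok"                 # the DEFAULT check items matched
    if "request_items" not in lists:
        return "wrong-list"         # only in config_items: add "~" to format
    return "set-but-unmatched"      # in request list, DEFAULT still skipped

if __name__ == "__main__":
    for trace in (TRACE_CONFIG, TRACE_REQUEST):
        for req in parse_requests(trace):
            print(req["id"], diagnose(req))
```

In this thread the `set-but-unmatched` state was the one that went away once the unix module was removed from the configuration.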




Re: rlm_passwd and Group-Name

2003-08-21 Thread Eric Leblond
On Thu 21/08/2003 at 21:05, 3APA3A wrote:
> Dear Eric Leblond,
> 
> Probably you call passwd after file module. Make sure passwd is called
> prior to file module to assume you can use results of rlm_passwd in
> users file.

I did not miss that point (at least this one) I've put passwd file
before users in radiusd.conf. Logs show that the var is defined.

BR,
-- 
Eric Leblond <[EMAIL PROTECTED]>
Init-Sys



rlm_passwd and Group-Name

2003-08-21 Thread Eric Leblond
Hi,

I use rlm_passwd to create a Group-Name for each user.
But I'm not able to do any test with it (FreeRADIUS Version 0.8.1).

I've added at the end of users :

DEFAULT Group-Name == "ADSL", Huntgroup-Name == "ADSL"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        RB-Tunnel-Local-Name = LACLD,

It does nothing, even if I see that Group-Name ADSL has been added
before.

What needs to be done to have this test working?

Thanks in advance,
-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink




Re: testing acl with radius

2003-08-19 Thread Eric Leblond
On Tue, 2003-08-19 at 17:10, Oliver Graf wrote:
> On Tue, Aug 19, 2003 at 05:04:54PM +0200, Eric Leblond wrote:
> > On Tue, 2003-08-19 at 16:58, Oliver Graf wrote:
> > > On Tue, Aug 19, 2003 at 04:56:17PM +0200, Eric Leblond wrote:
> > 
> > > 
> > > Can your firewall software speak to a radius server?
> > 
> > I'm coding it ;-) (http://www.gnufw.org)
> > I just wanna know if a test of the kind :
> > IP in good range
> > port in good range
> > ...
> >  is admissible on a radius server like freeradius.
> 
> I would try it the other way around... the radius returns some rules
> in the attributes and your software does the matching.
> 
> Other solution: just program a freeradius module which does the
> address checking magic. This is not really hard.

good idea

> On the other hand: should every ip packet result in a radius request
> then your server is dead meat.

True, but not if you only test packet with state NEW (beginning of
connection in netfilter) that's only a few number you have to test.

> So the best solution is to just load the firewall config from the
> server, but does this make sense?

really no for me.

-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink




Re: testing acl with radius

2003-08-19 Thread Eric Leblond
On Tue, 2003-08-19 at 16:58, Oliver Graf wrote:
> On Tue, Aug 19, 2003 at 04:56:17PM +0200, Eric Leblond wrote:

> 
> Can your firewall software speak to a radius server?

I'm coding it ;-) (http://www.gnufw.org)
I just wanna know if a test of the kind :
IP in good range
port in good range
...
 is admissible on a radius server like freeradius.

BR,
-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink




Re: testing acl with radius

2003-08-19 Thread Eric Leblond
On Tue, 2003-08-19 at 16:51, Oliver Graf wrote:
> On Tue, Aug 19, 2003 at 04:01:18PM +0200, Eric Leblond wrote:
> > I like to know if it is possible to test Acl with freeradius (classic IP
> > filtering)
> 
> block the radius ports and see if your nas gets to your freeradius. is
> this the test you have in mind? but perhaps a packet generator would
> be more fitting for this task...

Oops, I was meaning : Is it possible to have a firewall check packet
against permission given by a radius server ?

-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink




testing acl with radius

2003-08-19 Thread Eric Leblond
Hi,

I like to know if it is possible to test Acl with freeradius (classic IP
filtering)

Thanks in advance,
-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink




Re: Group membership in "users" file

2003-08-04 Thread Eric Leblond
On Wed, 2003-07-30 at 22:38, Navid Sheikhol Eslami wrote:
> I guess my approach was just wrong then :)
> 
> Any suggestion to do the same thing, but with a different Check
> attribute? :)

Same question !
I did not manage to find how to group users using only the users file.

Thanks in advance,
-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink




Create group in users ?

2003-08-01 Thread Eric Leblond
Hi,

I like to create group without using an external password file.
I try something like that but it does not work :
DEFAULT Group=="titi"
   jhJHJ = fezf
user.cool Group := "titi",  
   fferfr = fezfef,
   Fall-Trough = yes
How can I achieve this ?

Thanks in advance



Re: multi linking...

2003-07-16 Thread Eric Leblond
On Wed, 2003-07-16 at 15:01, Chris Knipe wrote:
> Lo everyone,
> 
> Very basic, can a PPTP VPN tunnel be multi-linked?

I've done that with linux :
create 10 gre tunnels
use eql to aggregate the tunnels
create a PPTP VPN on the eql.

Hope this helps

BR,
-- 
Eric Leblond <[EMAIL PROTECTED]>
Alphalink

