[Success] Group-Name : rlm_unix and rlm_passwd conflict
Hi,

I wanted to assign a Group-Name using rlm_passwd, but every try failed. In fact the unix module (that does nothing in my conf but was loaded) seems to conflict with the passwd module. The Group-Name set by rlm_passwd was like "destroyed" by the unix module. Suppressing the unix module from the conf makes things work.

BR,
--
Eric Leblond <[EMAIL PROTECTED]>
Alphalink

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re[6]: rlm_passwd and Group-Name
On Fri, 2003-08-22 at 15:16, 3APA3A wrote:
> Dear Eric Leblond,
>
> Try
>
> DEFAULT Group-Name == "ADSLParis"
>
> before 'test' definition.

It did not change with test after group definition.

BR,
--
Eric Leblond <[EMAIL PROTECTED]>
Alphalink
Re: Re[4]: rlm_passwd and Group-Name
Hi,

thanks, but I did not manage to get it; the check seems not to be done.

Here's the log :

rad_recv: Access-Request packet from host 212.30.97.74:1085, id=60, length=167
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "test"
        NAS-Identifier = "9massy1-1-SMS-10k"
        NAS-IP-Address = 172.20.1.218
        Calling-Station-Id = "#9massy1-1-SMS-10k#L2TP pseudo port#1145"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 3841983609
        Acct-Session-Id = "E5000479-3F462237"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm "alphl.telco.ipadsl" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "alphl.telco.ipadsl"
rlm_realm: Adding Stripped-User-Name = "test"
rlm_realm: Proxying request from user test to realm alphl.telco.ipadsl
rlm_realm: Adding Realm = "alphl.telco.ipadsl"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop
rlm_passwd: Added Group-Name: 'ADSLParis' to request_items
modcall[authorize]: module "file_groups" returns ok
users: Matched test at 1
huntgroups: Matched ADSL at 10
modcall[authorize]: module "files" returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 60 to 212.30.97.74:1085
        Framed-IP-Address = 217.15.82.127
Finished request 0

On Fri 22/08/2003 at 13:15, 3APA3A wrote:
> Dear Eric Leblond,
>
> format = "*Stripped-User-Name:Group-Name"
>
> adds Group-Name to configure_items list
>
> DEFAULT Huntgroup-Name == "ADSL", Group-Name == "ADSLParis"
>
> checks Group-Name to be in request. So you're looking for item in
> different list. rlm_passwd can add items to request_list. To achieve it
> you can use format
>
> format = "*Stripped-User-Name:~Group-Name"
>
>
> --Friday, August 22, 2003, 2:57:23 PM, you wrote to [EMAIL PROTECTED]:
>
> EL> On Fri, 2003-08-22 at 12:43, 3APA3A wrote:
> >> Dear Eric Leblond,
> >>
> >> Nothing can be said more without seeing your configuration and logs.
>
> EL> here it is :
>
> EL> radiusd.conf :
>
> EL> passwd file_groups {
> EL>     filename = /etc/raddb/groups
> EL>     format = "*Stripped-User-Name:Group-Name"
> EL>     hashsize = 100
> EL>     delimiter = ":"
> EL>     ignorenislike = no
> EL>     allowmultiplekeys = no
> EL> }
>
>
> EL> authorize {
> EL>     suffix
> EL>     file_groups
> EL>     files
> EL> }
>
> EL> Users :
>
> EL> test Auth-Type :=Local, User-Password == "test"
>
> EL>     Framed-IP-Address = 217.15.82.127,
>
> EL>     Fall-Through = Yes
>
> EL> DEFAULT Huntgroup-Name == "ADSL", Group-Name == "ADSLParis"
> EL>     Service-Type = Framed-User,
> EL>     Framed-Protocol = PPP,
> EL>     Tunnel-Type = L2TP,
> EL>     Tunnel-Medium-Type = IP,
> EL>     RB-Tunnel-Local-Name = LACLD,
> EL>     Tunnel-Client-Auth-Id = LNSAlphalink,
> EL>     Tunnel-Server-Auth-Id = LNSAlphalink,
> EL>     Tunnel-Server-Endpoint = 217.15.80.33,
> EL>     Tunnel-Assignment-Id = 217.15.80.33
>
> EL> logs (radiusd -X) :
>
> EL> rad_recv: Access-Request packet from host 212.30.97.74:1085, id=21, length=167
> EL>     User-Name = "[EMAIL PROTECTED]"
> EL>     User-Password = "test"
> EL>     NAS-Identifier = "9massy1-1-SMS-10k"
> EL>     NAS-IP-Address = 172.20.1.218
> EL>     Calling-Station-Id = "#9massy1-1-SMS-10k#L2TP pseudo port#1165"
> EL>     Service-Type = Framed-User
> EL>     Framed-Protocol = PPP
> EL>     NAS-Port = 3841983629
> EL>     Acct-Session-Id = "E500048D-3F461183"
> EL> modcall: entering group authorize
> EL> modcall[authorize]: module "preprocess&quo
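The list placement 3APA3A describes above, as an added Python sketch that is not part of the original posts and is not FreeRADIUS code: a simplified model in which a `==` check item in the users file is compared against the request list only. The groups-file line and all function names are constructed for illustration, and other modules (such as unix, which the first post on this page reports as interfering) are not modelled.

```python
# Simplified model of the two lists named in the thread (not FreeRADIUS code).
GROUPS_FILE = ["test:ADSLParis"]               # constructed sample line
DEFAULT_CHECK = [("Group-Name", "ADSLParis")]  # DEFAULT Group-Name == "ADSLParis"


def parse_format(fmt, delimiter=":"):
    """Return (attribute, is_key, target_list) for each field of a format string."""
    fields = []
    for raw in fmt.split(delimiter):
        is_key = raw.startswith("*")           # "*" marks the lookup key field
        name = raw.lstrip("*")
        # Per the thread: no prefix -> configure items, "~" -> request items.
        target = "request" if name.startswith("~") else "config"
        fields.append((name.lstrip("~"), is_key, target))
    return fields


def apply_passwd(fmt, file_lines, request, config, delimiter=":"):
    """Look up the key attribute in the file and add the other fields to a list."""
    fields = parse_format(fmt, delimiter)
    key_idx = next(i for i, f in enumerate(fields) if f[1])
    key_attr = fields[key_idx][0]
    for line in file_lines:
        values = line.strip().split(delimiter)
        if len(values) != len(fields) or values[key_idx] != request.get(key_attr):
            continue
        for (attr, is_key, target), value in zip(fields, values):
            if not is_key:
                (request if target == "request" else config)[attr] = value
        return True
    return False


def users_entry_matches(check_items, request):
    """Model assumption: '==' check items are looked up in the request list only."""
    return all(request.get(attr) == value for attr, value in check_items)


def run(fmt):
    """Process one request for user 'test'; return (matched, request, config)."""
    request = {"Stripped-User-Name": "test"}
    config = {}
    apply_passwd(fmt, GROUPS_FILE, request, config)
    return users_entry_matches(DEFAULT_CHECK, request), request, config


if __name__ == "__main__":
    for fmt in ("*Stripped-User-Name:Group-Name", "*Stripped-User-Name:~Group-Name"):
        matched, request, config = run(fmt)
        print(fmt, "-> DEFAULT matched:", matched, "| request:", request, "| config:", config)
```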
Re: Re[2]: rlm_passwd and Group-Name
On Fri, 2003-08-22 at 12:43, 3APA3A wrote:
> Dear Eric Leblond,
>
> Nothing can be said more without seeing your configuration and logs.

here it is :

radiusd.conf :

passwd file_groups {
    filename = /etc/raddb/groups
    format = "*Stripped-User-Name:Group-Name"
    hashsize = 100
    delimiter = ":"
    ignorenislike = no
    allowmultiplekeys = no
}

authorize {
    suffix
    file_groups
    files
}

Users :

test Auth-Type :=Local, User-Password == "test"
    Framed-IP-Address = 217.15.82.127,
    Fall-Through = Yes

DEFAULT Huntgroup-Name == "ADSL", Group-Name == "ADSLParis"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Tunnel-Type = L2TP,
    Tunnel-Medium-Type = IP,
    RB-Tunnel-Local-Name = LACLD,
    Tunnel-Client-Auth-Id = LNSAlphalink,
    Tunnel-Server-Auth-Id = LNSAlphalink,
    Tunnel-Server-Endpoint = 217.15.80.33,
    Tunnel-Assignment-Id = 217.15.80.33

logs (radiusd -X) :

rad_recv: Access-Request packet from host 212.30.97.74:1085, id=21, length=167
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "test"
        NAS-Identifier = "9massy1-1-SMS-10k"
        NAS-IP-Address = 172.20.1.218
        Calling-Station-Id = "#9massy1-1-SMS-10k#L2TP pseudo port#1165"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 3841983629
        Acct-Session-Id = "E500048D-3F461183"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm "alphl.telco.ipadsl" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "alphl.telco.ipadsl"
rlm_realm: Adding Stripped-User-Name = "test"
rlm_realm: Proxying request from user test to realm alphl.telco.ipadsl
rlm_realm: Adding Realm = "alphl.telco.ipadsl"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop
rlm_passwd: Added Group-Name: 'ADSLParis' to config_items
modcall[authorize]: module "file_groups" returns ok
users: Matched test at 1
huntgroups: Matched ADSL at 10
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 21 to 212.30.97.74:1085
        Framed-IP-Address = 217.15.82.127

So Group-Name is set but the test seems not to work.

BR,

> --Friday, August 22, 2003, 12:48:42 AM, you wrote to [EMAIL PROTECTED]:
>
> EL> On Thu 21/08/2003 at 21:05, 3APA3A wrote:
> >> Dear Eric Leblond,
> >>
> >> Probably you call passwd after file module. Make sure passwd is called
> >> prior to file module to assume you can use results of rlm_passwd in
> >> users file.
>
> EL> I did not miss that point (at least this one) I've put passwd file
> EL> before users in radiusd.conf. Logs show that the var is defined.
>
> EL> BR,

--
Eric Leblond <[EMAIL PROTECTED]>
Alphalink
Re: rlm_passwd and Group-Name
On Thu 21/08/2003 at 21:05, 3APA3A wrote:
> Dear Eric Leblond,
>
> Probably you call passwd after file module. Make sure passwd is called
> prior to file module to assume you can use results of rlm_passwd in
> users file.

I did not miss that point (at least this one): I've put passwd file before users in radiusd.conf. Logs show that the var is defined.

BR,
--
Eric Leblond <[EMAIL PROTECTED]>
Init-Sys
rlm_passwd and Group-Name
Hi,

I use rlm_passwd to create a Group-Name for each user. But I'm not able to do any test with it (FreeRADIUS Version 0.8.1).

I've added at the end of users :

DEFAULT Group-Name == "ADSL", Huntgroup-Name == "ADSL"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Tunnel-Type = L2TP,
    Tunnel-Medium-Type = IP,
    RB-Tunnel-Local-Name = LACLD,

It does nothing, even if I see that Group-Name ADSL has been added before.

What needs to be done to have this test working?

Thanks in advance,
--
Eric Leblond <[EMAIL PROTECTED]>
Alphalink
Re: testing acl with radius
On Tue, 2003-08-19 at 17:10, Oliver Graf wrote:
> On Tue, Aug 19, 2003 at 05:04:54PM +0200, Eric Leblond wrote:
> > On Tue, 2003-08-19 at 16:58, Oliver Graf wrote:
> > > On Tue, Aug 19, 2003 at 04:56:17PM +0200, Eric Leblond wrote:
> > > >
> > > > Can your firewall software speak to a radius server?
> >
> > I'm coding it ;-) (http://www.gnufw.org)
> > I just wanna know if a test of the kind :
> > IP in good range
> > port in good range
> > ...
> > is admissible on a radius server like freeradius.
>
> I would try it the other way around... the radius returns some rules
> in the attributes and your software does the matching.
>
> Other solution: just program a freeradius module which does the
> address checking magic. This is not really hard.

good idea

> On the other hand: should every ip packet result in a radius request
> than your server is dead meat.

True, but not if you only test packets with state NEW (beginning of connection in netfilter); that's only a small number you have to test.

> So the best solution is to just load the firewall config from the
> server, but does this make sense?

really no for me.

--
Eric Leblond <[EMAIL PROTECTED]>
Alphalink
Re: testing acl with radius
On Tue, 2003-08-19 at 16:58, Oliver Graf wrote:
> On Tue, Aug 19, 2003 at 04:56:17PM +0200, Eric Leblond wrote:
>
> Can your firewall software speak to a radius server?

I'm coding it ;-) (http://www.gnufw.org)

I just wanna know if a test of the kind :
    IP in good range
    port in good range
    ...
is admissible on a radius server like freeradius.

BR,
--
Eric Leblond <[EMAIL PROTECTED]>
Alphalink
Re: testing acl with radius
On Tue, 2003-08-19 at 16:51, Oliver Graf wrote:
> On Tue, Aug 19, 2003 at 04:01:18PM +0200, Eric Leblond wrote:
> > I like to know if it is possible to test Acl with freeradius (classic IP
> > filtering)
>
> block the radius ports and see if your nas gets to your freeradius. is
> this the test you have in mind? but perhaps a packet generator would
> be more fitting for this task...

Oops, I meant: is it possible to have a firewall check packets against permission given by a radius server?

--
Eric Leblond <[EMAIL PROTECTED]>
Alphalink
testing acl with radius
Hi,

I like to know if it is possible to test Acl with freeradius (classic IP filtering)

Thanks in advance,
--
Eric Leblond <[EMAIL PROTECTED]>
Alphalink
Re: Group membership in "users" file
On Wed, 2003-07-30 at 22:38, Navid Sheikhol Eslami wrote:
> I guess my approach was just wrong then :)
>
> Any suggestion to do the same thing, but with a different Check
> attribute? :)

Same question ! I did not manage to find how to group users using only the users file.

Thanks in advance,
--
Eric Leblond <[EMAIL PROTECTED]>
Alphalink
Create group in users ?
Hi,

I'd like to create a group without using an external password file. I tried something like this but it does not work :

DEFAULT Group=="titi"
    jhJHJ = fezf

user.cool Group := "titi",
    fferfr = fezfef,
    Fall-Trough = yes

How can I achieve this ?

Thanks in advance
Re: multi linking...
On Wed, 2003-07-16 at 15:01, Chris Knipe wrote:
> Lo everyone,
>
> Very basic, can a PPTP VPN tunnel be multi-linked?

I've done that with linux :
    create 10 gre tunnels
    use eql to aggregate the tunnels
    create a PPTP VPN on the eql.

Hope this helps.

BR,
--
Eric Leblond <[EMAIL PROTECTED]>
Alphalink