Re: Multiple attributes (Kostas Kalevras)

2003-09-27 Thread J. S. Townsley

I've figured this out.  For the sake of the list archives:

If you are sending your return attributes from LDAP you must prefix them
in LDAP with +=.

I don't know why it wasn't working before I sent the original email to the
list, but it's working now.

--JST

* J. S. Townsley [Fri, 26 Sep 2003]

> From: J. S. Townsley <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Multiple attributes (Kostas Kalevras)
>
>
> Kostas Kaleveras wrote an email on this list a few months ago to help
> someone with returning multiple attributes in an LDAP authenticated radius
> installation.
>
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg15855.html
>
> I am in this same spot, but do not understand where I should be changing to
> the += operator.  Can anyone help me understand where this change should
> be made?
>
> -JST
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
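The `+=` detail above comes down to how FreeRADIUS merges reply items: with `=` an attribute is only added when the reply does not already carry one of that name, so the second of two same-named LDAP values is silently dropped, while `+=` always appends. As an added example (not code from this thread or from FreeRADIUS), here is a small Python model of the `=`, `:=`, `+=` and `==` operators applied to `Attribute op value` strings of the kind rlm_ldap reads from a generic reply attribute; the LDAP values are constructed.

```python
import re

# Reply-item operators as documented for the FreeRADIUS "users" file:
#   =    add the attribute only if the reply has none of that name yet
#   :=   set the attribute, replacing any existing one of that name
#   +=   always append, so an attribute can carry several values
#   ==   a comparison (check item), never a reply item
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(\+=|:=|==|=)\s*"?(.*?)"?\s*$')


def parse_item(text):
    """Split an 'Attribute op value' string, as stored in a generic LDAP reply
    attribute, into (attribute, operator, value)."""
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError("not an 'Attribute op value' item: %r" % text)
    return m.group(1), m.group(2), m.group(3)


def apply_item(reply, attr, op, value):
    """Merge one item into `reply`, a list of (attribute, value) pairs."""
    same = [a for a, _ in reply if a.lower() == attr.lower()]
    if op == "=":
        if not same:
            reply.append((attr, value))
    elif op == ":=":
        reply[:] = [(a, v) for a, v in reply if a.lower() != attr.lower()]
        reply.append((attr, value))
    elif op == "+=":
        reply.append((attr, value))
    # "==" is a check item; it contributes nothing to the reply
    return reply


def build_reply(items):
    """Build the reply list from LDAP values in the order the server saw them."""
    reply = []
    for text in items:
        apply_item(reply, *parse_item(text))
    return reply


def values_of(reply, attr):
    return [v for a, v in reply if a.lower() == attr.lower()]


if __name__ == "__main__":
    # constructed radiusReplyItem values for one user, two filter lines each
    with_equals = ['Ascend-Data-Filter = "ip in forward tcp dstport = 25"',
                   'Ascend-Data-Filter = "ip in drop"']
    with_plus = [s.replace(" = ", " += ", 1) for s in with_equals]
    print(values_of(build_reply(with_equals), "Ascend-Data-Filter"))  # one value
    print(values_of(build_reply(with_plus), "Ascend-Data-Filter"))    # both values
```

Run stand-alone, the first list holds only the first filter line and the second holds both, which is the difference the fix above relies on.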


Re: Multiple attributes (Kostas Kalevras)

2003-09-26 Thread J. S. Townsley

Kostas Kaleveras wrote an email on this list a few months ago to help
someone with returning multiple attributes in an LDAP authenticated radius
installation.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg15855.html

I am in this same spot, but do not understand where I should be changing to
the += operator.  Can anyone help me understand where this change should
be made?

-JST





Re: Exec-Program-Wait anyone?

2003-02-13 Thread J. S. Townsley

It seems to not reject an auth even if the value is > 1.

Exec-Program: returned: 255
Login OK: [[EMAIL PROTECTED]] (from client localhost port 0)
Sending Access-Accept of id 2 to 127.0.0.1:4576


* Alan DeKok [Thu, 13 Feb 2003]

> Date: Thu, 13 Feb 2003 09:02:44 -0500
> From: Alan DeKok <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Exec-Program-Wait anyone?
>
> "J. S. Townsley" <[EMAIL PROTECTED]> wrote:
> > Just for my own learning experience... can you show me the fault(s) in the
> > code?  I reviewed everything and it looked good.
>
>   See src/main/auth.c.  It was checking for errors from
> Exec-Program-Wait, and rejecting if so.  But it wasn't rejecting if
> the program returned 1.
>
>   Alan DeKok.
>
>




Re: Exec-Program-Wait anyone?

2003-02-13 Thread J. S. Townsley

Just for my own learning experience... can you show me the fault(s) in the
code?  I reviewed everything and it looked good.

--JST

* Alan DeKok [Thu, 13 Feb 2003]

> Date: Thu, 13 Feb 2003 08:44:25 -0500
> From: Alan DeKok <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Exec-Program-Wait anyone?
>
> "J. S. Townsley" <[EMAIL PROTECTED]> wrote:
> > Exec-Program: returned: 1
> > Login OK: [[EMAIL PROTECTED]] (from client localhost port 0)
> > Sending Access-Accept of id 78 to 127.0.0.1:4644
> >
> > Is there something I am missing?  Documentation suggests that users will
> > not authenticate if Exec-Program-Wait exits non-zero.
>
>   You're using the latest CVS snapshot.  I'll commit a fix tonight, so
> check the snapshot tomorrow.
>
>   Alan DeKok.
>
>

___
J. S. Townsley  Senior Network and Systems Engineer
[EMAIL PROTECTED]  Integrity Online
  www.integrity.com




Exec-Program-Wait anyone?

2003-02-13 Thread J. S. Townsley

I don't mean to double post (well, I do...), but does nobody have any insight as to
why freeradius is misbehaving in the manner below?


I have a script that does some very simple if statements in the sh shell.
My script exits 0 or 1 for good auth/bad auth; but FR (current cvs)
authenticates my user regardless.

I have "files" in the authorize and preacct stanzas of radiusd.conf.

Here's a snippet of my radius in debug mode:

rlm_ldap: user [EMAIL PROTECTED] authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "LDAP2" returns ok
modcall: group redundant returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
users: Matched DEFAULT at 54
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
radius_xlat:  '/usr/local/bin/radchecksignup.sh'
Exec-Program: /usr/local/bin/radchecksignup.sh
Exec-Program output:
Exec-Program: returned: 1
Login OK: [[EMAIL PROTECTED]] (from client localhost port 0)
Sending Access-Accept of id 78 to 127.0.0.1:4644

Is there something I am missing?  Documentation suggests that users will
not authenticate if Exec-Program-Wait exits non-zero.

--JST





Called-Station-Id Revisited

2003-02-10 Thread J. S. Townsley

Greetings list-members.

I have a script that does some very simple if statements in the sh shell.
My script exits 0 or 1 for good auth/bad auth; but FR (current cvs)
authenticates my user regardless.

I have "files" in the authorize and preacct stanzas of radiusd.conf.

Here's a snippet of my radius in debug mode:

rlm_ldap: user [EMAIL PROTECTED] authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "LDAP2" returns ok
modcall: group redundant returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
users: Matched DEFAULT at 54
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
radius_xlat:  '/usr/local/bin/radchecksignup.sh'
Exec-Program: /usr/local/bin/radchecksignup.sh
Exec-Program output:
Exec-Program: returned: 1
Login OK: [[EMAIL PROTECTED]] (from client localhost port 0)
Sending Access-Accept of id 78 to 127.0.0.1:4644

Is there something I am missing?  Documentation suggests that users will
not authenticate if Exec-Program-Wait exits non-zero.

--JST
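In the debug output above (and in the identical "Exec-Program-Wait anyone?" post), "Exec-Program: returned: 1" is followed by "Login OK" and an Access-Accept: the external check failed but the user was still let in, which is the fail-open condition Alan DeKok describes fixing in src/main/auth.c. As an added example, not code from this thread or from FreeRADIUS, here is a Python function modelling the intended decision (exit 0 accepts, anything else rejects) and a scanner that walks `radiusd -X` style output looking for an Access-Accept that follows a non-zero exit; the log excerpt is constructed after the lines in the post.

```python
import re

RETURNED_RE = re.compile(r"^Exec-Program: returned: (\d+)\s*$")
ACCEPT_RE = re.compile(r"^Sending Access-Accept of id (\d+) to (\S+)")
REJECT_RE = re.compile(r"^Sending Access-Reject of id (\d+) to (\S+)")


def exec_wait_decision(exit_status):
    """Intended Exec-Program-Wait semantics: 0 accepts, any other status rejects."""
    return "accept" if exit_status == 0 else "reject"


def find_fail_open(lines):
    """Return (exit_status, packet_id) for every Access-Accept that followed a
    non-zero Exec-Program exit without an intervening reply. This models a
    single-threaded debug stream, where the reply after an exec belongs to the
    same request."""
    findings = []
    pending = None  # most recent rejecting exit status not yet answered
    for line in lines:
        m = RETURNED_RE.match(line)
        if m:
            status = int(m.group(1))
            pending = status if exec_wait_decision(status) == "reject" else None
            continue
        m = ACCEPT_RE.match(line)
        if m:
            if pending is not None:
                findings.append((pending, int(m.group(1))))
            pending = None
            continue
        if REJECT_RE.match(line):
            pending = None
    return findings


# Constructed debug excerpt patterned on the radiusd -X output in the post:
# request 78 shows the fail-open case, 79 a clean accept, 80 a correct reject.
SAMPLE_LOG = """\
radius_xlat:  '/usr/local/bin/radchecksignup.sh'
Exec-Program: /usr/local/bin/radchecksignup.sh
Exec-Program output:
Exec-Program: returned: 1
Login OK: [user@example.com] (from client localhost port 0)
Sending Access-Accept of id 78 to 127.0.0.1:4644
Exec-Program: returned: 0
Login OK: [other@example.com] (from client localhost port 0)
Sending Access-Accept of id 79 to 127.0.0.1:4644
Exec-Program: returned: 255
Sending Access-Reject of id 80 to 127.0.0.1:4644
""".splitlines()

if __name__ == "__main__":
    for status, pkt in find_fail_open(SAMPLE_LOG):
        print("request id %d accepted although the script exited %d" % (pkt, status))
```

Pointing the scanner at a real `radiusd -X` capture is a quick way to confirm whether a given build honours the script's exit status before relying on it as an authorization gate.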





Re: Huntgroup by calledstationid?

2003-02-05 Thread J. S. Townsley

Thank you Ossama.

I will look into what you've given me thus far.

Ideally I do not want to add a huntgroup to all of my users; I just want to
prevent 'everyone but' user bob, user bob2, etc.

Additionally, do you know if I can store the huntgroup in ldap?  I am
assuming I would set the huntgroup-name up as a check item, but not sure
preprocess is going to know about it.

--JST

* Ossama Suleiman [Wed, 5 Feb 2003]

> Date: Wed, 05 Feb 2003 10:33:51 +0200
> From: Ossama Suleiman <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Huntgroup by calledstationid?
>
>
>
> J. S. Townsley wrote:
>
> >Anyone on the list ever hacked something up to create hunt groups based on
> >calledstationid?
> >
> >I have a situation where I have a NAS with a couple different DID's on it.
> >I'd like an easy method to differentiate between users on these DID's.
> >
> >IE, user bob can dial the local XXX number, but not the 800 number on the
> >same NAS.
> >
> >
> create 2 huntgroups, list them in the file huntgroups:
> huntgroup1   Called-Station-Id == 123456
> huntgroup2   Called-Station-Id == 654321
>
> then add this entry "huntgroup" to the user you want:
>
> bob   password == "secret", Huntgroup-Name == "huntgroup1"
>
> hope that helps
> --Ossama
>
> >Thoughts anyone?
> >
> >--JST
> >
> >
> >
> >
> >
> >
>
>
>

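Ossama's suggestion rests on the preprocess module's `huntgroups` file: each line names a huntgroup and the conditions a request must meet, and a `Huntgroup-Name == "..."` check item in `users` passes only when the request matches that huntgroup's conditions. As an added example, not code from this thread or from FreeRADIUS, here is a Python model that parses huntgroups lines like the ones above, decides from Called-Station-Id which huntgroups a request belongs to, and walks a users file in order to pick the first matching entry. It goes one step past the reply by adding a `DEFAULT` entry with `Auth-Type := Reject` so that everyone except bob is refused on the huntgroup1 DID, which is the "everyone but" case asked about; the two files are constructed, Fall-Through is not modelled, and the password comparison is plain equality for the sake of the model.

```python
import re

# One check item: 'Attr == value' (compare against the request) or
# 'Attr := value' (set a control item such as Auth-Type). Values may be quoted.
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(==|:=)\s*"?([^",]*?)"?\s*$')

def parse_checks(text):
    items = []
    for part in text.split(","):
        m = ITEM_RE.match(part)
        if not m:
            raise ValueError("unsupported check item: %r" % part)
        items.append((m.group(1), m.group(2), m.group(3)))
    return items

def parse_huntgroups(text):
    """huntgroups file: '<name>  Attr == value[, Attr == value]' per line.
    Lines sharing a name are alternatives: matching any one of them is enough."""
    groups = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("bad huntgroups line: %r" % raw)
        groups.setdefault(parts[0], []).append(parse_checks(parts[1]))
    return groups

def in_huntgroup(groups, name, request):
    """The Huntgroup-Name == "name" check: does the request meet the
    conditions of some huntgroups line called `name`?"""
    return any(all(request.get(attr) == value for attr, _, value in conds)
               for conds in groups.get(name, []))

def parse_users(text):
    """users file: a line '<name>  check items', then indented reply lines
    (kept verbatim; this model does not interpret replies)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if not entries:
                raise ValueError("reply line before any entry: %r" % raw)
            entries[-1][2].append(raw.strip().rstrip(","))
            continue
        parts = raw.split(None, 1)
        checks = parse_checks(parts[1]) if len(parts) > 1 else []
        entries.append((parts[0], checks, []))
    return entries

def evaluate_checks(items, request, groups):
    """Control items the entry sets when every comparison passes, else None."""
    controls = {}
    for attr, op, value in items:
        if op == ":=":
            controls[attr] = value
        elif attr == "Huntgroup-Name":
            if not in_huntgroup(groups, value, request):
                return None
        elif request.get(attr) != value:
            return None
    return controls

def select_entry(entries, request, groups):
    """First entry named after the user (or DEFAULT) whose checks pass wins."""
    for name, items, reply in entries:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue
        controls = evaluate_checks(items, request, groups)
        if controls is not None:
            return name, controls, reply
    return None

# Constructed files patterned on the reply above: two DIDs on one NAS, and a
# DEFAULT entry that rejects everyone except bob on the huntgroup1 DID.
HUNTGROUPS = """\
huntgroup1   Called-Station-Id == 123456
huntgroup2   Called-Station-Id == 654321
"""
USERS = """\
bob        Password == "secret", Huntgroup-Name == "huntgroup1"
           Service-Type = Framed-User,
           Framed-Protocol = PPP
DEFAULT    Huntgroup-Name == "huntgroup1", Auth-Type := Reject
DEFAULT    Auth-Type := Local
           Service-Type = Framed-User
"""

if __name__ == "__main__":
    groups, entries = parse_huntgroups(HUNTGROUPS), parse_users(USERS)
    for user, did in (("bob", "123456"), ("alice", "123456"), ("bob", "654321")):
        req = {"User-Name": user, "Password": "secret", "Called-Station-Id": did}
        print(user, did, select_entry(entries, req, groups))
```

Entry order matters: bob's line must come before the rejecting `DEFAULT`, because the first entry whose checks pass ends the search.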



Huntgroup by calledstationid?

2003-02-04 Thread J. S. Townsley

Anyone on the list ever hacked something up to create hunt groups based on
calledstationid?

I have a situation where I have a NAS with a couple different DID's on it.
I'd like an easy method to differentiate between users on these DID's.

IE, user bob can dial the local XXX number, but not the 800 number on the
same NAS.

Thoughts anyone?

--JST





Re: ldap problem

2002-07-22 Thread J. S. Townsley


Do something like this:

Define your ldap blocks:

ldap FOO{
...
}
ldap FOO2{
...
}

Then do your authtype:
authtype LDAP {
FOO
FOO2
}

Actually, you may want to make that:

authtype LDAP {
redundant {
  FOO
  FOO2
}
}


--JST

On Mon, 22 Jul 2002, Brian Leung wrote:

> Date: Mon, 22 Jul 2002 17:30:27 +0800 (HKT)
> From: Brian Leung <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: ldap problem
>
> hi all,
>
> I tried to add these in the radiusd.conf
> authtype LDAP {
> ldap
> }
>
> authtype LDAP1 {
> ldap1
> }
>
> but when I start it, it prompts me
> radiusd.conf[650] Failed to link to module 'rlm_ldap1': file not found
>
> How should I fix it? Thank you
>
> Regards,
> Brian Leung
> System Engineer
> Pacific Supernet
>
>
>





Re: freeradius 0.5 complaining about UNKNOWN-NAS (that was previouslyworking)

2002-03-20 Thread J. S. Townsley


I noticed this started happening on my servers as well.  Started with one 
of the CVS versions between .4 and .5.  

I have never used NASLIST file though, I was under the impression that was 
login/ip information for concurrency features.

--JST

On Wed, 20 Mar 2002, Mike Cathey wrote:

> Date: Wed, 20 Mar 2002 11:05:02 -0500
> From: Mike Cathey <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: freeradius 0.5 complaining about UNKNOWN-NAS (that was
> previously working)
> 
> Vincent,
> 
> [EMAIL PROTECTED] wrote:
> > Note:  certain parts of this email have been munged for confidentiality
> > reasons.  (i.e. IP addresses, login names, and passwords have been
> > scrambled.)
> > 
> > I recently upgraded my primary RADIUS server from freeradius 0.3 to 0.5.
> > Now, however, I'm getting strange entries in my radius.log file:
> > 
> > Tue Mar 19 10:57:29 2002 : Auth: Login OK: [someguy] (from nas UNKNOWN-NAS
> > port 2 cli 144.74.x.y)
> > 
> 
> 
> What does raddb/naslist have in it?
> 
> Cheers,
> 
> Mike
> 
> 
> > I have at least four different NASes that are defined with shortnames in
> > clients.conf that now generate similar log lines in radius.log.  Devices
> > are from multiple manufacturers (primarily Cisco and Marconi).  None of the
> > configurations for any of these NASes have changed; only freeradius has
> > been upgraded from 0.3 to 0.5 .  (clients.conf was also not changed going
> > from 0.3 to 0.5.)
> > 
> > So I'm pretty stumped as to why freeradius is all of a sudden calling these
> > unknown nases, but still allowing them to authenticate.  I threw the server
> > into debug mode, and obtained the following (as an example)...  Maybe it
> > can help.  Anyone have any ideas here?
> > 
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 105 with timestamp 3c98a291
> > Nothing to do.  Sleeping until we see a request.
> > rad_recv: Access-Request packet from host 144.74.m.N:1645, id=106,
> > length=79
> > NAS-IP-Address = 144.74.m.N<---  144.74.m.N matches the IP
> > in above line, and also what's in clients.conf
> > NAS-Port = 2
> > NAS-Port-Type = Virtual
> > User-Name = "someguy"
> > Calling-Station-Id = "144.74.x.y"
> > Password = "(deleted)"
> > modcall: entering group authorize
> >   modcall[authorize]: module "preprocess" returns ok
> >   modcall[authorize]: module "suffix" returns ok
> > users: Matched DEFAULT at 71
> >   modcall[authorize]: module "files" returns ok
> > modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type System
> > auth: type "System"
> > modcall: entering group authenticate
> >   modcall[authenticate]: module "unix" returns ok
> > modcall: group authenticate returns ok
> > radius_xlat:  '[primary_radius_server] Hello, someguy'
> > Login OK: [someguy] (from nas UNKNOWN-NAS port 2 cli 144.74.x.y)
> > Sending Access-Accept of id 106 to 144.74.m.N:1645
> > Reply-Message = "[primary_radius_server] Hello, someguy"
> > Cisco-AVPair = "shell:priv-lvl=x"
> > Service-Type = Login-User
> > Finished request 1
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 6 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 1 ID 106 with timestamp 3c98a2ae
> > Nothing to do.  Sleeping until we see a request.
> > 
> > If there's anything else that would be handy in debugging, let me know and
> > I'll grab it!  :)
> > 
> > Vincent Giovannone
> > Network Infrastructure Group
> > Information Services Division
> > Rush - Presbyterian St. Luke's Medical Center
> > (312) 942-4242
> > 
> > "Monday" is the term used to signify the eighth day of my work week.
> > 
> > 
> > 
> > 
> > 
> 
> 
> 




Accurate Accounting?

2002-03-18 Thread J. S. Townsley


I'd just like to get a feel for how all of you are doing your accounting.  
I need an accurate accounting method so that I can watch my users sessions 
more closely when they are reaching peak usage on some of my networks.

I've always used SQL for this, but I have more and more sessions with zero 
accountstoptime and zero acctsessiontime.  I do realize some of this is 
just due to the nature of UDP but it still seems a bit excessive.

I've had this problem with multiple dialup wholesalers, and even my own 
legacy POP's.  My previous radius implementation with SBR had this same 
problem.

So, how do you guys handle it?  Still doing accounting with detail 
records?  I guess I could look and see if my detail records are in sync 
with my SQL accounting.

--JST



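The closing thought above, checking whether the detail records agree with the SQL accounting, can be done mechanically. As an added example, not code from this thread or from FreeRADIUS, here is Python that parses a `detail` file in the layout rlm_detail writes (a timestamp line, tab-indented `Attr = value` lines and a blank line per record, which is assumed here), pairs Start and Stop records by Acct-Session-Id, lists sessions that never got a Stop or whose Stop reports zero Acct-Session-Time, and compares the Stops against a constructed stand-in for the SQL table (a mapping of acctsessionid to acctstoptime). The records are constructed.

```python
import re

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_detail(text):
    """Yield one dict per detail record: a timestamp line, indented
    'Attr = value' lines, and a blank line closing the record."""
    record = None
    for line in text.splitlines():
        if not line.strip():
            if record is not None:
                yield record
            record = None
        elif not line[0].isspace():
            record = {"_timestamp": line.strip()}
        elif record is not None:
            m = ATTR_RE.match(line)
            if m:
                record[m.group(1)] = m.group(2)
    if record is not None:
        yield record


def index_detail(text):
    """Split the records into Start and Stop maps keyed by Acct-Session-Id."""
    starts, stops = {}, {}
    for rec in parse_detail(text):
        sid = rec.get("Acct-Session-Id")
        if not sid:
            continue
        if rec.get("Acct-Status-Type") == "Start":
            starts[sid] = rec
        elif rec.get("Acct-Status-Type") == "Stop":
            stops[sid] = rec
    return starts, stops


def reconcile(starts, stops):
    """Sessions with a Start but no Stop, and Stops reporting zero session time."""
    open_sessions = sorted(sid for sid in starts if sid not in stops)
    zero_length = sorted(sid for sid, rec in stops.items()
                         if int(rec.get("Acct-Session-Time", "0")) == 0)
    return open_sessions, zero_length


def stops_missing_in_sql(stops, sql_rows):
    """Stops present in the detail file whose SQL row is absent or still has
    no stop time; these are the rows the detail file could repair."""
    return sorted(sid for sid in stops if sql_rows.get(sid) is None)


# Constructed detail records: one complete session, one never stopped,
# and one Stop with zero session time (and no Start at all).
SAMPLE_DETAIL = """\
Mon Mar 18 08:00:01 2002
\tAcct-Session-Id = "3C95A1F1"
\tAcct-Status-Type = Start
\tUser-Name = "alice"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 1

Mon Mar 18 08:00:05 2002
\tAcct-Session-Id = "3C95A1F2"
\tAcct-Status-Type = Start
\tUser-Name = "bob"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 2

Mon Mar 18 08:40:09 2002
\tAcct-Session-Id = "3C95A1F1"
\tAcct-Status-Type = Stop
\tUser-Name = "alice"
\tAcct-Session-Time = 2408
\tAcct-Terminate-Cause = User-Request

Mon Mar 18 09:12:44 2002
\tAcct-Session-Id = "3C95A1F3"
\tAcct-Status-Type = Stop
\tUser-Name = "carol"
\tAcct-Session-Time = 0
"""

# Constructed stand-in for the SQL accounting table: acctsessionid -> acctstoptime.
SAMPLE_SQL = {"3C95A1F1": None, "3C95A1F2": None, "3C95A1F3": "2002-03-18 09:12:44"}

if __name__ == "__main__":
    starts, stops = index_detail(SAMPLE_DETAIL)
    print("open:", reconcile(starts, stops)[0], "zero-length:", reconcile(starts, stops)[1])
    print("stops the SQL table never recorded:", stops_missing_in_sql(stops, SAMPLE_SQL))
```

A Stop that reaches the detail file but not the SQL table points at the SQL side (a failed UPDATE, for instance), whereas a session with no Stop anywhere is the UDP-loss or NAS-side case the post mentions; separating the two narrows down where the zero acctstoptime rows come from.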



Re: maximum number of threads

2002-03-17 Thread J. S. Townsley


Hey David.

Grab FR version .5, this was fixed a month ago or so.

--JST


On Sun, 17 Mar 2002, David Birkbeck wrote:

> Date: Sun, 17 Mar 2002 22:01:31 -0700
> From: David Birkbeck <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: maximum number of threads
> 
> All,
> 
> I'm running into a problem with my server not being able to process
> authentication requests due to the following error "Info: The maximum number
> of threads (250) are active, cannot spawn new thread to handle request". I
> am running RedHat 7.0 with FreeRADIUS 0.4 on dual Pentium 4 733 processors. Any
> ideas?
> 
> Dave
> 
> 
> 
> 




lower_pass not working?

2002-02-27 Thread J. S. Townsley


lower_user is working.  

lower_pass is not.  

under recent cvs.

reproduced under .4 stable release.

lower_pass works with config value of 'before'.  I am using 'after'.

Anyone else seeing this problem?

--JST





Re: ldap default profile not working in recent cvs?

2002-02-20 Thread J. S. Townsley


Done.  But it still isn't replying with the attributes in LDAP, just:

Service-Type = Framed-User
Framed-Protocol = PPP

The only attributes NOT coming from LDAP :/

--JST

On Thu, 21 Feb 2002, Kostas Kalevras wrote:

> Date: Thu, 21 Feb 2002 02:01:21 +0200 (EET)
> From: Kostas Kalevras <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: ldap default profile not working in recent cvs?
> 
> On Wed, 20 Feb 2002, J. S. Townsley wrote:
> 
> >
> > I have three radius servers all with identical configuration files.
> >
> > I use Ascend-Data-Filter to send an access list back to my users, I do
> > this via the default_profile setting in the ldap {} block.
> >
> > This has been working in previous versions, and still works on one of my
> > servers:
> >
> > radiusd: FreeRADIUS Version 0.4, for host i686-pc-linux-gnu, built on Jan
> > 15 2002 at 10:21:11
> >
> > However, My two production servers are not working, they are:
> >
> > radiusd: FreeRADIUS Version 0.5, for host i686-pc-linux-gnu, built on Feb
> > 5 2002 at 07:03:51
> >
> > and:
> >
> > radiusd: FreeRADIUS Version 0.5, for host i686-pc-linux-gnu, built on Feb
> > 18 2002 at 13:36:58
> >
> > I will attach a radiusd -X.
> >
> > It looks like:
> > rlm_ldap: performing search in uid=radprofileascend, ou=radius,
> > dc=mydomain, dc=com, with filter (objectclass=radiusprofile)
> > ber_dump: buf=0x080cc9a0 ptr=0x080cc9a4 end=0x080c len=808
> 
> Could you try setting ldap_cache_timeout to zero? The openldap ldap caching is
> not quite what it should be.
> 
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED]National Technical University of Athens, Greece
> Work Phone:   +30 10 7721861
> 'Go back to the shadow'   Gandalf
> 
> >
> > is where the problem begins.  another note, it's not mapping the
> > attributes from ldap when I first start the server, like my older server
> > does.
> >
> > Any help is appreciated.
> >
> > --JST
> >
> 
> 
> 
> 
> 






ldap default profile not working in recent cvs?

2002-02-20 Thread J. S. Townsley


I have three radius servers all with identical configuration files.

I use Ascend-Data-Filter to send an access list back to my users, I do 
this via the default_profile setting in the ldap {} block.

This has been working in previous versions, and still works on one of my 
servers:

radiusd: FreeRADIUS Version 0.4, for host i686-pc-linux-gnu, built on Jan 
15 2002 at 10:21:11

However, my two production servers are not working; they are:

radiusd: FreeRADIUS Version 0.5, for host i686-pc-linux-gnu, built on Feb   
5 2002 at 07:03:51

and:

radiusd: FreeRADIUS Version 0.5, for host i686-pc-linux-gnu, built on Feb 
18 2002 at 13:36:58

I will attach a radiusd -X.

It looks like:
rlm_ldap: performing search in uid=radprofileascend, ou=radius, 
dc=mydomain, dc=com, with filter (objectclass=radiusprofile)
ber_dump: buf=0x080cc9a0 ptr=0x080cc9a4 end=0x080c len=808

is where the problem begins.  Another note: it's not mapping the 
attributes from ldap when I first start the server, like my older server 
does.

Any help is appreciated.

--JST


radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 5
 main: cleanup_delay = 3
 main: max_requests = 9000
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/var/run/radiusd.pid"
 main: user = "nobody"
 main: group = "nobody"
 main: usercollide = no
 main: lower_user = "yes"
 main: lower_pass = "yes"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = no
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded LDAP 
 ldap: server = "ldap1.mydomain.com"
 ldap: port = 389
 ldap: net_timeout = 2
 ldap: timeout = 8
 ldap: timelimit = 6
 ldap: ldap_cache_timeout = 120
 ldap: ldap_cache_size = 0
 ldap: identity = "cn=Manager, dc=mydomain, dc=com"
 ldap: start_tls = no
 ldap: password = "HEHEHEH"
 ldap: basedn = "ou=radius, dc=mydomain, dc=com"
 ldap: filter = "(uid=%u)"
 ldap: default_profile = "uid=radprofileascend, ou=radius, dc=mydomain, dc=com"
 ldap: profile_attribute = "(null)"
 ldap: access_group = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "userpassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

 ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 40
 ldap: ldap_connections_number = 5
 ldap: authtype = "(null)"
conns: (nil)
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP simultaneous-use mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP ascend-data-filter mapped to RADIUS Ascend-Data-Filter
rlm_ldap: LDAP cisco-avpair mapped to RADIUS Cisco-AVPair
rlm_ldap: LDAP service-type mapped to RADIUS Service-Type
rlm_ldap: LDAP framed-protocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP framed-ip-address mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP framed-ip-netmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP framed-route mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP session-timeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP idle-timeout mapped to RADIUS

CHAP and LDAP

2002-01-07 Thread J. S. Townsley


I've been reviewing the website and FAQ for CHAP and LDAP related 
discussion but can't find much.

Looks like there is no support for CHAP unless you have your passwords 
stored in cleartext on the server.

If I were to set up my accounts as cleartext in LDAP, is there current 
structure for authenticating those users via CHAP requests?

I've seen modules for other radius servers to handle these kinds of 
requests, but not finding much for FreeRadius.

Thanks much, in advance.

--JST
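The reason CHAP needs the cleartext password on the server side is visible in the arithmetic: the client sends MD5(Identifier || password || challenge) (RFC 1994), and the server can only verify it by recomputing the same digest, which a one-way hash of the password does not allow. In RADIUS the result travels as CHAP-Password (the identifier byte followed by the 16-byte response), with the challenge taken from CHAP-Challenge or, when that attribute is absent, from the Request Authenticator (RFC 2865). As an added example, not code from this thread or from FreeRADIUS, here is Python with hashlib showing both the client computation and the server-side check, compared in constant time; all values are constructed.

```python
import hashlib
import hmac
import os


def chap_response(ident, password, challenge):
    """CHAP (RFC 1994): MD5(Identifier || secret || challenge).
    `ident` is the one-byte CHAP identifier; the others are bytes."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident, password, challenge):
    """Client side: the RADIUS CHAP-Password value, identifier + 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password, cleartext_password, challenge):
    """Server side: recompute the digest from the stored cleartext password and
    compare it with the 16 bytes the client sent. Returns True on a match."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


def challenge_for(chap_challenge, request_authenticator):
    """RFC 2865: use CHAP-Challenge when the Access-Request carries it,
    otherwise the 16-byte Request Authenticator of the packet."""
    return chap_challenge if chap_challenge else request_authenticator


if __name__ == "__main__":
    # constructed values: a password, a random challenge, an arbitrary identifier
    secret = b"secret"
    challenge = os.urandom(16)
    attr = build_chap_password(0x2A, secret, challenge)
    print(verify_chap(attr, secret, challenge))      # True
    print(verify_chap(attr, b"wrong", challenge))    # False
    # a stored one-way hash of the password cannot stand in for the cleartext
    stored_hash = hashlib.sha1(secret).digest()
    print(verify_chap(attr, stored_hash, challenge))  # False
```

The last line is the point of the post: whatever digest the directory stores, the server has nothing to feed into MD5 alongside the identifier and challenge unless it can recover the original password.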



[OT?] Ascend not sending Acct-Session-Time?

2001-09-21 Thread J. S. Townsley


I'm working through my last couple bugs before deploying freeradius on my
networks.  I found this morning that Ascend NAS boxes are not reporting
Acct-Session-Time like my portmasters and cisco nas boxes do.

Has anyone seen this before?  I'm getting rlm_sql errors on trying to
update a record with zero session length, and I believe the prior issue I
mentioned is the cause.

--JST







Re: LDAP and Simultaneous-Use

2001-09-20 Thread J. S. Townsley


Ahh!  Please ignore this post.

I'm dumb, forgot to check the ldap attribute mappings file. =)


On Thu, 20 Sep 2001, J. S. Townsley wrote:

> Date: Thu, 20 Sep 2001 14:14:30 -0700 (PDT)
> From: J. S. Townsley <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: LDAP and Simultaneous-Use
>
>
> Are all attributes stored in LDAP treated as return type attributes?
>
> I would like to use simultaneous-use, but it seems to have to be a
> check-item, not reply-item.
>
> Anyone run into this particular problem?  Just trying to get my rad_check
> script called for checking concurrent sessions.
>
> --JST
>
>





LDAP and Simultaneous-Use

2001-09-20 Thread J. S. Townsley


Are all attributes stored in LDAP treated as return type attributes?

I would like to use simultaneous-use, but it seems to have to be a
check-item, not reply-item.

Anyone run into this particular problem?  Just trying to get my rad_check
script called for checking concurrent sessions.

--JST





Re: Configuration questions

2001-08-23 Thread J. S. Townsley


Didn't see this hit the list yesterday.  Sending again.

Thank you Chris, it's working perfectly.

A question regarding attributes and ldap.  I cannot put all my attributes
in LDAP because one of my vendors doesn't work when it receives cisco av
pair AND ascend data filter.   I noticed the following in documentation:

#   default: NULL - use only user specific attributes or attributes,
#   supplied by other modules.

What other module(s) would be appropriate?  I didn't see any other
documentation.  rlm_attr_filter doesn't look like what I need.

Again, any help is appreciated.

--JST  

On Wed, 22 Aug 2001, Chris Parker wrote:

> Date: Wed, 22 Aug 2001 09:52:12 -0500
> From: Chris Parker <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Configuration questions
> 
> At 12:15 AM 8/22/2001 -0700, you wrote:
> 
> >Greetings list members.
> >
> >I am testing free radius currently and have a couple questions.
> >
> >I use the LDAP module for authentication.  I have two realms, each on
> >separate DN's.  How can I have two separate ldap configurations?
> 
> You can declare them as two separate instances in the config file:
> 
> modules {
>  ...
>  ldap LDAPONE{
>  server = "server1.foobar.biz"
>  # identity = "cn=admin,o=My Org,c=UA"
>  # password = mypass
>  basedn = "o=My Org,c=UA"
>  filter = "(uid=%u)"
>  ...
>  }
>  ldap LDAPTWO{
>  server = "server2.foobar.biz"
>  # identity = "cn=admin,o=My Org,c=UA"
>  # password = mypass
>  basedn = "o=My Org,c=UA"
>  filter = "(uid=%u)"
>  ...
>  }
>  ...
> }
> 
> Then call the modules as LDAPONE and LDAPTWO in the auth sections.  See
> the SQL module examples on how to do multiple instances.
> 
> 
> >It would be neat to be able to specify ldap_realma { binddn= etc..} and
> >then ldap_realmb { binddn= etc..}, then do a fall through type of deal in
> >the authenticate block.   Is there current structure for this,
> >or do I need a second radius server/implementation to do this properly?
> 
> Read the docs, and look at the examples.  This is explained in intricate
> detail in 'doc/configurable_failover'.
> 
> >Secondly, do we have the ability to send attributes back to specific
> >radius clients?  I like to apply SMTP filters to NAS devices via
> >attributes such as 242, but this becomes difficult when you have some
> >ascend, cisco, portmaster, and cvx boxes on your network.
> >
> >I need to be able to do attributes X for client A (or maybe client group
> >A?) and attributes N for client B.
> 
> I have a similar need, as cisco's and pm's require slightly different
> syntax for 'Filter-ID' ( appending a .in to cisco's ).  For things other
> than that, you can send attributes from other vendors, and they should
> be ignored by other vendors.  However, not all vendors read the same
> RFC apparently, so this may not be the case, but that's another rant.  :)
> 
> For now, there isn't a way to do what you want, but there is a need for
> something similar, so have patience and it'll be there.
> 
> -Chris
> --
> \\\|||///  \  Chris Parker-Manager, Development Engineering
> \ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Without C we would have 'obol', 'basi', and 'pasal'
> 
> 
> 




Re: Configuration questions

2001-08-22 Thread J. S. Townsley


Thank you Chris, it's working perfectly.

A question regarding attributes and ldap.  I cannot put all my attributes
in LDAP because one of my vendors doesn't work when it receives cisco av
pair AND ascend data filter.   I noticed the following in documentation:

#   default: NULL - use only user specific attributes or attributes,
#   supplied by other modules.

What other module(s) would be appropriate?  I didn't see any other
documentation.  rlm_attr_filter doesn't look like what I need.

Again, any help is appreciated.

--JST  

On Wed, 22 Aug 2001, Chris Parker wrote:

> Date: Wed, 22 Aug 2001 09:52:12 -0500
> From: Chris Parker <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Configuration questions
> 
> At 12:15 AM 8/22/2001 -0700, you wrote:
> 
> >Greetings list members.
> >
> >I am testing free radius currently and have a couple questions.
> >
> >I use the LDAP module for authentication.  I have two realms, each on
> >separate DN's.  How can I have two separate ldap configurations?
> 
> You can declare them as two separate instances in the config file:
> 
> modules {
>  ...
>  ldap LDAPONE{
>  server = "server1.foobar.biz"
>  # identity = "cn=admin,o=My Org,c=UA"
>  # password = mypass
>  basedn = "o=My Org,c=UA"
>  filter = "(uid=%u)"
>  ...
>  }
>  ldap LDAPTWO{
>  server = "server2.foobar.biz"
>  # identity = "cn=admin,o=My Org,c=UA"
>  # password = mypass
>  basedn = "o=My Org,c=UA"
>  filter = "(uid=%u)"
>  ...
>  }
>  ...
> }
> 
> Then call the modules as LDAPONE and LDAPTWO in the auth sections.  See
> the SQL module examples on how to do multiple instances.
> 
> 
> >It would be neat to be able to specify ldap_realma { binddn= etc..} and
> >then ldap_realmb { binddn= etc..}, then do a fall through type of deal in
> >the authenticate block.   Is there current structure for this,
> >or do I need a second radius server/implementation to do this properly?
> 
> Read the docs, and look at the examples.  This is explained in intricate
> detail in 'doc/configurable_failover'.
> 
> >Secondly, do we have the ability to send attributes back to specific
> >radius clients?  I like to apply SMTP filters to NAS devices via
> >attributes such as 242, but this becomes difficult when you have some
> >ascend, cisco, portmaster, and cvx boxes on your network.
> >
> >I need to be able to do attributes X for client A (or maybe client group
> >A?) and attributes N for client B.
> 
> I have a similar need, as cisco's and pm's require slightly different
> syntax for 'Filter-ID' ( appending a .in to cisco's ).  For things other
> than that, you can send attributes from other vendors, and they should
> be ignored by other vendors.  However, not all vendors read the same
> RFC apparently, so this may not be the case, but that's another rant.  :)
> 
> For now, there isn't a way to do what you want, but there is a need for
> something similar, so have patience and it'll be there.
> 
> -Chris
> --
> \\\|||///  \  Chris Parker-Manager, Development Engineering
> \ ~   ~ /   \       WX *is* Wireless!\   [EMAIL PROTECTED]
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Without C we would have 'obol', 'basi', and 'pasal'
> 
> 
> 




Configuration questions

2001-08-22 Thread J. S. Townsley


Greetings list members.

I am testing free radius currently and have a couple questions.

I use the LDAP module for authentication.  I have two realms, each on
separate DN's.  How can I have two separate ldap configurations?

It would be neat to be able to specify ldap_realma { binddn= etc..} and
then ldap_realmb { binddn= etc..}, then do a fall through type of deal in
the authenticate block.   Is there current structure for this,
or do I need a second radius server/implementation to do this properly?

Secondly, do we have the ability to send attributes back to specific
radius clients?  I like to apply SMTP filters to NAS devices via
attributes such as 242, but this becomes difficult when you have some
ascend, cisco, portmaster, and cvx boxes on your network.

I need to be able to do attributes X for client A (or maybe client group
A?) and attributes N for client B.

If anyone has any insight, suggestions, or simply wants to point me to
some more documentation please reply.

Thanks much,
--JST



