Tuning freeRadius

2002-11-14 Thread Michael Fuller
Hello all,

I have implemented freeRadius 0.71 with LDAP authentication and
authorization. The system has been working fine for the past two months. Now I
want to implement per-day time quotas for users. How can I do this? I saw
some references to Max-Daily-Session in radiusd.conf, but how can I implement
this with LDAP?

The radius log contains entries with username/password along with caller-id
numbers. However, the accounting logs do not contain caller-id information.
How can I enable this?

Is it now possible to authenticate / authorize users based on LDAP groups?

The NAS fails over to the secondary radius server when the primary fails.
How do I ensure that it reverts to the primary when the primary comes back up?

Some time ago, there was a query on how to stop radius from replying if the
LDAP server dies. Kostas Kalevras gave a reply on this. Can I get the
answer again, please?

Regards,
Michael Fuller


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Caller ID in accounting file

2002-10-07 Thread Michael Fuller / Railnet

Hello all,

I am using freeRadius v0.7 with a Cisco 3640 NAS client. I have enabled
accounting and, while a lot of detail is available, the calling station ID is
not available in the accounting logs. How do I get this information?

My Cisco config pertaining to AAA is attached to this message.

Thanks in advance for the help,
Michael S Fuller,
Network Administrator,
Southern Railway,
India


aaa new-model
aaa authentication login default group radius local
aaa authentication ppp default group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius


(no subject)

2002-10-07 Thread Michael Fuller / Railnet







test

2002-10-07 Thread Michael Fuller / Railnet







subscribe

2002-10-07 Thread Michael Fuller / Railnet

subscribe





RADIUS authorization based on group Membership

2002-06-21 Thread Michael Fuller

Hi all,

It's me again with the same question :-). I want to know whether freeRadius
can authorize users based on a group or OU attribute. When I posted this
question earlier, I was told that it is not possible. I am using the
radiusprofileDn attribute to authorize users. However, this approach has its
drawbacks.

1. Since authorization is based on a user attribute, all users have to have
the radiusprofile object class, which increases overhead in direct
proportion to the number of users.

2. It is not possible to grant or deny a particular service to a group of
users to reflect changing requirements. The changes have to be made for
every user, giving scope for errors and security holes.

3. It is not possible to know exactly how many users can access a particular
service. If it was based on group or OU membership, a look at the
dial-up group/OU would tell me just how many people can dial into the
network. I could also find out who can dial up by looking at the group
membership.

But in the current implementation, I have to check the attributes of each
user to collect the necessary info.

Has anybody done an implementation with authorisation based on group
membership?

If so, please help.

Regards,
Michael Fuller




Re: Authorisation based on LDAP Group membership

2002-06-13 Thread Michael Fuller

It is not working. Where am I going wrong?
Regards,
Michael Fuller

- Original Message -
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 13, 2002 1:04 PM
Subject: Re: Authorisation based on LDAP Group membership


> On Thu, 13 Jun 2002, Michael Fuller wrote:
>
> > Hi all,
> >
> > Thanks to Kostas Kalevras for the clarification. Will my requirement work on
> > an OU basis ? I can add the attributes to the administrators on a per user
> > basis, as there will be only two or three of them.
>
> You don't add the attributes on a per user basis, you just add a pointer to the
> profile dn and nothing else.
>
> >
> > My dial up users are a different story. I have around 500 users in my
> > database.
> >
> > About 50 of them will not have any restrictions on connect
> >  - A profile without any session limit restrictions
> > About 300 of them will be allowed to connect only for a limited time per
> > day - A profile with restrictions on session limit.
> > The rest of the users will not have any dial up
> >   - A profile that does not permit dial up access.
> >
> > I do not think it is practically possible to assign these rights on a per
> > user basis. How do I assign these three profiles to these three types of
> > users ?
>
> You just add a radiusprofiledn in the ldap entries of all your users pointing to
> the correct profile dn. For your particular configuration you will only need to
> do the following:
>
> default profile:
>
> Normal check/reply items
>
> 50 users: No user profile, the default profile will be sufficient
>
> 300 users: A user profile pointed by radiusprofiledn that will limit their
> online time
>
> the rest of the users: The rest will not have a dialupaccess attribute in their
> ldap entry so they will not be allowed dialup access.
>
> >
> > Please help
> >
> > Thanks and regards,
> > Michael Fuller
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>



Attachments: radius-profile.ldif, radius-user.ldif


Re: Authorisation based on LDAP Group membership

2002-06-12 Thread Michael Fuller

Hi all,

Thanks to Kostas Kalevras for the clarification. Will my requirement work on
an OU basis? I can add the attributes to the administrators on a per-user
basis, as there will be only two or three of them.

My dial-up users are a different story. I have around 500 users in my
database.

About 50 of them will not have any restrictions on connecting
 - A profile without any session limit restrictions
About 300 of them will be allowed to connect only for a limited time per
day - A profile with restrictions on session limit.
The rest of the users will not have any dial-up access
 - A profile that does not permit dial-up access.

I do not think it is practically possible to assign these rights on a per-user
basis. How do I assign these three profiles to these three types of
users?

Please help

Thanks and regards,
Michael Fuller

- Original Message -
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 12, 2002 7:22 PM
Subject: Re: Authorisation based on LDAP Group membership


> On Wed, 12 Jun 2002, Michael Fuller wrote:
>
> > Hi all,
> >
> > I have installed openldap and freeradius on a Red Hat v7.3 box. I want to
> > use ldap for radius authentication and authorisation.
> >
> > I want to control authorisation on a per group basis, and added the
> > radiusprofile object class to a group. The radiusServiceType was then set to
> > Administrative-User. However, members of this group are not able to telnet
> > to any of our cisco routers. The arrangement works fine if I follow the
> > same procedure on a per user basis.
> >
> > Is there any change that I have to make to radiusd.conf ? Where am I going
> > wrong ?
> >
> > Please help.
> >
> > Regards,
> > Michael Fuller
>
> The profiles don't work on a group basis. What you can do is to add a
> profile_attribute (the name can be configured through the profile_attribute
> configuration directive) in the ldap entries of all the users belonging in the
> administrator group. That attribute will point to the DN of an entry containing
> the radiusServiceType attribute. In other words:
>
> dn: uid=admin,ou=people,dc=your,dc=company,dc=com
> cn: Administrator
> radiusprofiledn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
> [...]
>
> dn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
> cn: Administrator Dialup Profile
> radiusServiceType: Administrative-User
>
> That should work just fine.
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>




Authorisation based on LDAP Group membership

2002-06-12 Thread Michael Fuller

Hi all,

I have installed OpenLDAP and freeradius on a Red Hat v7.3 box. I want to
use LDAP for radius authentication and authorisation.

I want to control authorisation on a per-group basis, and added the
radiusprofile object class to a group. The radiusServiceType was then set to
Administrative-User. However, members of this group are not able to telnet
to any of our Cisco routers. The arrangement works fine if I follow the
same procedure on a per-user basis.

Is there any change that I have to make to radiusd.conf? Where am I going
wrong?

Please help.

Regards,
Michael Fuller




Linux Newbie - Help with Radius Profiles

2002-06-11 Thread Michael Fuller

Hi All,

I am using freeradius and the version of OpenLDAP that is included with Red
Hat v7.3. I need to assign different radius attributes to different users.
I have created a radius profile with servicetype=Administrative in OpenLDAP
through an ldif file. How do I link this profile to the users who need it?

PLEASE HELP.

Regards,
Michael Fuller




Re: Authorization via LDAP & Authentication via PAM

2002-05-28 Thread Michael Fuller

Hi all,

I am trying to get both authentication and authorisation through LDAP. While
authentication works, authorisation still evades me. Ideas, anybody?

Regards,
Michael Fuller

- Original Message -
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 28, 2002 5:14 PM
Subject: Re: Authorization via LDAP & Authentication via PAM


> On Tue, 28 May 2002, Allister Maguire wrote:
>
> > Hello,
> >
> > I have got this working by setting:
> >
> > DEFAULT Auth-Type := pam
> > Fall-Through = 1
> >
> > In the users file.
> >
> > I also want to restrict dialin access to certain ldap users, so I
> > changed the ldap filter:
> >
> > filter = "(&(uid=%u)(msNPAllowDialin=TRUE))"
> >
> > In the ldap {} module.
> >
> > Only problem is if I set msNPAllowDialin=FALSE, they still get an
> > Access-Accept because the files, pam module return ok (I think).
>
> You could also use the access_attr configuration directive. Then the module will
> return reject (well actually userlock) instead of notfound.
>
> >
> >   modcall[authorize]: module "ldap" returns notfound
> > modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type pam
> > auth: type "Pam"
> > modcall: entering group authenticate
> > pam_pass: using pamauth string  for pam.conf lookup
> > pam_pass: authentication succeeded for 
> >   modcall[authenticate]: module "pam" returns ok
> > modcall: group authenticate returns ok
> > Sending Access-Accept of id 1 to 127.0.0.1:32826
> > Finished request 1
> > Going to the next request
> > Thread 2 waiting to be assigned a request
> >
> > How many need to fail, for the Access-Request to fail?
>
> Check out the doc/configurable_failover. You could do something like this in
> your authorize section:
>
> authorize {
>         ldap {
>                 notfound = return
>         }
>         [...]
> }
>
> Hope it helps
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>

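The fail-open sequence Allister describes above (ldap returns notfound, files still sets Auth-Type := pam, pam accepts) and the two fixes Kostas mentions, modelled as an added example that is not code from the thread or from FreeRADIUS itself; the directory entries and the module return-code rules are constructed assumptions, reduced to what this scenario needs.

```python
# Added example, not code from the thread or from FreeRADIUS: a simplified
# model of how a FreeRADIUS 0.x "authorize" section chains module return
# codes. It reproduces the fail-open case in the quoted exchange (ldap says
# "notfound", files still sets Auth-Type := pam, pam accepts) and the two
# fixes Kostas Kalevras mentions: access_attr and "ldap { notfound = return }".
# Directory entries are constructed; return-code handling is reduced to what
# this scenario exercises (assumption).

DIRECTORY = {                              # constructed: uid -> attributes
    "alice": {"msNPAllowDialin": "TRUE"},
    "bob":   {"msNPAllowDialin": "FALSE"},
    "carol": {},                           # attribute absent entirely
}
FATAL = {"reject", "fail", "userlock", "invalid"}   # reject the request at once


def rlm_ldap(request, access_attr=None):
    """Model of rlm_ldap's authorize step for one request."""
    entry = DIRECTORY.get(request["User-Name"])
    if entry is None:
        return "notfound"
    if access_attr:
        # access_attr = "msNPAllowDialin": attribute missing or FALSE -> userlock
        allowed = entry.get(access_attr, "FALSE").upper() != "FALSE"
        return "ok" if allowed else "userlock"
    # filter = "(&(uid=%u)(msNPAllowDialin=TRUE))": a non-matching entry looks
    # exactly like a missing user, so the module can only report "notfound".
    return "ok" if entry.get("msNPAllowDialin") == "TRUE" else "notfound"


def rlm_files(request):
    """users file: 'DEFAULT Auth-Type := pam' with Fall-Through matches everyone."""
    request["Auth-Type"] = "pam"
    return "ok"


def handle(user, access_attr=None, ldap_notfound="continue"):
    """Run authorize { ldap, files } and return the reply type.

    ldap_notfound="return" models the 'ldap { notfound = return }' override.
    """
    request = {"User-Name": user}
    for name, module in (("ldap", lambda r: rlm_ldap(r, access_attr)),
                         ("files", rlm_files)):
        code = module(request)
        if code in FATAL:
            return "Access-Reject"
        if name == "ldap" and code == "notfound" and ldap_notfound == "return":
            break                  # leave the section; files never sets Auth-Type
    if "Auth-Type" not in request:
        return "Access-Reject"     # nothing to authenticate with
    return "Access-Accept"         # pam accepts the (assumed correct) password
```

Note that access_attr alone still lets a user absent from LDAP fall through to files and pam; combining it with notfound = return closes both paths in this model.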



Re: No Idea

2002-05-28 Thread Michael Fuller

Hi All,

Same problem here too. Any help will be appreciated please.

Another issue: how can I give different permissions to LDAP users, so that
when they telnet to a device and are authenticated by LDAP they get
different permissions, like administrator or normal user? Can I control this?
What do you think?

If it comes to radius only, you can define under /raddb/user the user name to
be authenticated and something called service-type=administrative-user.

But how do I do that with LDAP users now, please?


Regards,
Michael Fuller


- Original Message -
From: Mazen R. Kassem
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, May 28, 2002 4:36 PM
Subject: No Idea


Hi guys,
After integrating LDAP and Radius I checked the radius functionality; it went
OK, "radtest" returns Accept, which is perfect, so my
Radius clients are being authenticated by LDAP. But ldapsearch is not working;
it always returns object not found. Any idea how that comes about?
Another issue: how can I give different permissions to LDAP users, so that
when they telnet to a device and are authenticated by LDAP they get
different permissions, like administrator or normal user? Can I control this?
What do you think?
If it comes to radius only, you can define under /raddb/user the user name to
be authenticated and something called service-type=administrative-user.
But how do I do that with LDAP users now, please?





Integrated Networks Co.
Tel:  2734474 x 148
Fax: 2734117 x 148
Mob: 054170626
Email: [EMAIL PROTECTED]




Help on freeRadius

2002-05-18 Thread Michael Fuller

Hi All,

I have configured Radius authentication for our Cisco routers using
freeRadius and OpenLDAP. I used the aaa authentication ... command on the
Cisco router to do this. The system is working fine, and I am able to
authenticate users against the freeradius server with OpenLDAP.

Now, I want to configure aaa authorisation for the Cisco routers. How do I
configure freeRadius and OpenLDAP to permit telnet access only to a few
users, and deny telnet to the rest?

Many thanks for the help

Michael Fuller.





Re: Free Radius and Open Ldap

2002-05-16 Thread Michael Fuller

Hi all,

I have successfully integrated OpenLDAP and Free Radius for authentication.
Now I want to configure the authorisation part. With Windows 2000 Internet
Authentication Service (IAS), I used Windows groups and profile properties
for authorisation. Can I use Linux groups and assign profiles to them before
putting users in them?

Could you please point me to a step-by-step How-To? I have been searching
in vain since yesterday.

Thanks in advance for all the help

Michael S Fuller

- Original Message -
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 15, 2002 8:21 PM
Subject: Re: Free Radius and Open Ldap


> On Wed, 15 May 2002, Michael Fuller wrote:
>
> > Hi all,
> >
> > This is from a Linux Newbie.
> >
> > I am using Free Radius with Open Ldap authentication. The config is straight
> > forward, with no special add ons. How do I control user attributes ? I need
> > one set of users to have administrative access, and the other only framed
> > PPP access.
> >
> > Any help will be greatly appreciated.
> >
> > Thanks and regards,
> > Michael S Fuller
>
> Read doc/rlm_ldap. You should use the Default and Regular profiles.
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>





Free Radius and Open Ldap

2002-05-15 Thread Michael Fuller

Hi all,

This is from a Linux Newbie.

I am using Free Radius with Open Ldap authentication. The config is
straightforward, with no special add-ons. How do I control user attributes? I need
one set of users to have administrative access, and the other only framed
PPP access.

Any help will be greatly appreciated.

Thanks and regards,
Michael S Fuller


