defining redundant accounts

2002-07-17 Thread Pierre Strazza



Hi,


I set up a freeradius 0.5 server to handle authentication between a NAS and
an LDAP database.
Things are working quite well, but I now have to configure some "redundant"
accounts, so that if the LDAP database is down, authentication can still
happen.

The account names should be the same as the ones defined in the LDAP uid
entries.

When I try to do this, it does not seem to work :

users file:

Account1        Auth-Type := Local, Password == mypass
                Fall-Through = Yes

...

DEFAULT         Auth-Type := LDAP
                Fall-Through = Yes


Any idea about what does not work ?

Thxs,

Pierre.





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
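Why the entries above leave Account1 with Auth-Type LDAP: Fall-Through = Yes on the Account1 entry lets the DEFAULT entry run afterwards, and its 'Auth-Type := LDAP' overrides the 'Local' set a moment earlier. The Python model below is an added example, not code from the post or from FreeRADIUS; it walks the entries the way the users file is processed (first match, '==' compares, ':=' overrides, Fall-Through continues) and contrasts the posted order with the same entries minus that Fall-Through:

```python
"""Model of how FreeRADIUS walks the users file: entries in order, an entry
applies when all its '==' check items match the request, ':=' overrides a
control item, '=' sets it only if unset, and Fall-Through = Yes continues
to later entries.  Added example, not code from the post; simplified."""
from typing import Dict, List, Tuple

# (entry name, [(attribute, operator, value), ...]) as written in the users file
Entry = Tuple[str, List[Tuple[str, str, str]]]

def process_users(entries: List[Entry], request: Dict[str, str]) -> Dict[str, str]:
    """Return the control items (e.g. Auth-Type) left after walking the entries."""
    control: Dict[str, str] = {}
    for name, items in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        # an entry only applies if every '==' check item matches the request
        if any(request.get(a) != v for a, op, v in items if op == "=="):
            continue
        fall_through = False
        for attr, op, value in items:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            elif op == ":=":          # set, overriding anything set earlier
                control[attr] = value
            elif op == "=":           # set only if no earlier entry set it
                control.setdefault(attr, value)
        if not fall_through:
            break                     # first applicable entry wins
    return control

# The two entries from the post: Account1 falls through to DEFAULT, whose
# 'Auth-Type := LDAP' overrides the 'Local' set a moment earlier.
POSTED: List[Entry] = [
    ("Account1", [("Auth-Type", ":=", "Local"), ("Password", "==", "mypass"),
                  ("Fall-Through", "=", "Yes")]),
    ("DEFAULT", [("Auth-Type", ":=", "LDAP"), ("Fall-Through", "=", "Yes")]),
]

# Same entries without Fall-Through on Account1: processing stops there.
FIXED: List[Entry] = [
    ("Account1", [("Auth-Type", ":=", "Local"), ("Password", "==", "mypass")]),
    ("DEFAULT", [("Auth-Type", ":=", "LDAP"), ("Fall-Through", "=", "Yes")]),
]

def auth_type_for(entries: List[Entry], user: str, password: str) -> str:
    """Auth-Type a request with this User-Name and Password ends up with."""
    return process_users(entries, {"User-Name": user, "Password": password}).get("Auth-Type", "")
```

Note that with a wrong password the Account1 entry does not match at all, so the request still falls to the DEFAULT entry and is sent to LDAP.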



Help for radius groups against LDAP attribute

2002-06-10 Thread Pierre Strazza


Hi folks,

I'm trying to define radius default groups, based on an LDAP directory.
The group information used to determine the profile of the user should be
checked against an LDAP attribute, called "profilad".
But things are always more complicated than they seem :-))) So any help will
be highly appreciated :-)))

Here is the main LDAP organisation :

O=Myorg
|_ OU=region
   |_ CN=User Name
      |_ cn=userid (attribute used for authentication)
      |_ ...
      |_ profilad=value (attribute that should be used for group identification)



Here is the radiusd.conf extract :

ldap {
        server = "my_ldap"
        basedn = "o=myorg"
        filter = "(&(cn=%u)(droitad=Oui))"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        groupname_attribute = profilad
        groupmembership_filter = "(&(cn=%u)(droitad=Oui)(profilad=%GroupName))"
        timeout = 30
        timelimit = 30
        net_timeout = 1
}


and the users extract :

DEFAULT Group = "Profil04", Login-Time := "Mo-Fr0815-1930"
        Framed-Compression := Stac-LZS,
        Fall-Through = yes

DEFAULT Group = "Profil01", Login-Time := "Mo-Su0815-1930"
        Framed-Compression := Stac-LZS,
        Fall-Through = yes

[...]



Regs,
Pierre.






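How the groupmembership_filter above pairs with the Group check items in the users extract, as an added example (not code from the post or from rlm_ldap): %u and %GroupName are substituted with RFC 4515 escaping, so a User-Name carrying filter metacharacters cannot change the filter's structure, and the expanded filter is evaluated against a constructed directory entry to pick the first matching profile. The entry, the user name and the exact-match evaluator are assumptions of this model:

```python
"""Added example, not from the post: expand rlm_ldap's groupmembership_filter
from the radiusd.conf extract above for each users-file Group, escaping the
substituted values as RFC 4515 requires, and evaluate it against a
constructed LDAP entry to find the first matching profile.  This models the
lookup; it is not the rlm_ldap source."""
import re
from typing import Dict, List, Optional

GROUPMEMBERSHIP_FILTER = "(&(cn=%u)(droitad=Oui)(profilad=%GroupName))"

def ldap_escape(value: str) -> str:
    """Escape the characters RFC 4515 gives special meaning inside filter values."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand_filter(template: str, user_name: str, group: str) -> str:
    """Substitute %u and %GroupName in one pass so substituted text is never rescanned."""
    subst = {"%u": ldap_escape(user_name), "%GroupName": ldap_escape(group)}
    return re.sub(r"%GroupName|%u", lambda m: subst[m.group(0)], template)

# one equality leaf: (attr=value) where value may contain \xx escapes
LEAF = re.compile(r"\((\w+)=((?:\\[0-9a-fA-F]{2}|[^()\\])*)\)")

def unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def and_filter_matches(filt: str, entry: Dict[str, str]) -> bool:
    """Evaluate a filter of the form (&(a=v)(b=w)...) with exact-match leaves only."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("only conjunctive equality filters are modelled")
    body = filt[2:-1]
    leaves = LEAF.findall(body)
    if "".join("(%s=%s)" % leaf for leaf in leaves) != body:
        raise ValueError("unsupported filter syntax: " + filt)
    return all(entry.get(attr) == unescape(val) for attr, val in leaves)

def select_profile(user_name: str, entry: Dict[str, str], groups: List[str]) -> Optional[str]:
    """Walk the users-file DEFAULT entries in order; the first Group whose filter matches wins."""
    for group in groups:
        if and_filter_matches(expand_filter(GROUPMEMBERSHIP_FILTER, user_name, group), entry):
            return group
    return None

# Constructed user entry following the directory layout in the post, and the
# Group values from the users extract, in file order.
USER_ENTRY = {"cn": "pstrazza", "droitad": "Oui", "profilad": "Profil01"}
USERS_FILE_GROUPS = ["Profil04", "Profil01"]
```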



RE: Re[2]: PIX v6.1 accounting problem

2002-03-20 Thread Pierre Strazza
[sniffed packet excerpt, garbled in the archive; the only readable fragment is "Destination-Port=80"]

-----Original Message-----
From: 3APA3A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 20 March 2002 09:44
To: Pierre Strazza
Subject: Re[2]: PIX v6.1 accounting problem


Dear Pierre Strazza,

It means Cisco has a Vendor-Specific packet structure different from the one
recommended in the RFC (or sends a buggy packet). Can you sniff the packet?

--Wednesday, March 20, 2002, 3:45:27 AM, you wrote to
[EMAIL PROTECTED]:


PS> Here is the radius.log extract :
PS> Wed Mar 20 01:41:30 2002 : Error: WARNING: Malformed RADIUS packet from host
PS> x.x.x.x: Vendor specific attributes do not exactly fill Vendor-Specific

PS> Same error is reported while running in debug mode.

PS> No further accounting information is logged.

PS> The cisco box is a PIX firewall v6.1, authenticating users through the
PS> freeradius server for VPN access.

PS> Pierre.

PS> -----Original Message-----
PS> From: Chris Parker [mailto:[EMAIL PROTECTED]]
PS> Sent: Tuesday, 19 March 2002 19:13
PS> To: [EMAIL PROTECTED]
PS> Subject: RE: PIX v6.1 accounting problem


PS> At 05:19 PM 3/19/2002 +0100, Pierre Strazza wrote:
>>The request is not logged since an error message is reported in the
>>radius.log file, indicating some non-conforming attributes, not processed.
>>
>>the dictionary.cisco seems to be already included in the dictionary file by
>>default ..
>>
>>Any idea ?

PS> It would really really really help if you could provide the error message
PS> printed by the server, as well as any printed when you run it in debug
PS> mode.

PS> -Chris

PS> --
PS> Chris Parker, Director, Engineering
PS> StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
PS> Wholesale Internet Services - http://www.megapop.net





-- 
~/ZARAZA
But Harry... I definitely prefer him, for his high nutritional value and a
particularly tender meat. (Twain)


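The 'do not exactly fill Vendor-Specific' warning quoted in this thread is a length-consistency check on attribute 26. The parser below is an added example, not code from the thread or from FreeRADIUS; it applies that check to a constructed Cisco VSA and to a copy whose sub-attribute length overruns the attribute, so a rejected packet can be told apart from one that merely carries an unknown attribute:

```python
"""Added example, not code from the thread or from FreeRADIUS: a parser for the
RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26) applying the
consistency check behind the "Vendor specific attributes do not exactly fill
Vendor-Specific" warning quoted above.  The sample attributes are constructed."""
import struct
from typing import List, Tuple

VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # IANA enterprise number used by dictionary.cisco

class MalformedVSA(ValueError):
    pass

def parse_vsa(attr: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Return (vendor_id, [(vendor_type, value), ...]) or raise MalformedVSA."""
    if len(attr) < 7 or attr[0] != VENDOR_SPECIFIC:
        raise MalformedVSA("not a Vendor-Specific attribute")
    if attr[1] != len(attr):
        raise MalformedVSA("attribute length %d != %d bytes present" % (attr[1], len(attr)))
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    body, pos, subs = attr[6:], 0, []
    while pos < len(body):
        if len(body) - pos < 2:
            raise MalformedVSA("trailing byte cannot hold a sub-attribute header")
        vtype, vlen = body[pos], body[pos + 1]
        # vendor-length includes its own 2-byte header and must not overrun the VSA
        if vlen < 2 or pos + vlen > len(body):
            raise MalformedVSA("sub-attributes do not exactly fill Vendor-Specific")
        subs.append((vtype, body[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs

def check_vsa(attr: bytes) -> str:
    """'ok' for a well-formed VSA, otherwise the reason the server would reject it."""
    try:
        parse_vsa(attr)
        return "ok"
    except MalformedVSA as exc:
        return str(exc)

def build_vsa(vendor_id: int, subs: List[Tuple[int, bytes]]) -> bytes:
    """Encode a VSA; used here only to construct the samples below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in subs)
    return bytes([VENDOR_SPECIFIC, 6 + len(body)]) + struct.pack("!I", vendor_id) + body

# Sample 1: a well-formed Cisco-AVPair (vendor type 1) carrying a constructed value.
GOOD = build_vsa(CISCO_VENDOR_ID, [(1, b"ip:inacl#1=permit ip any any")])
# Sample 2: same bytes, but the sub-attribute's vendor-length claims 3 bytes too many.
_bad = bytearray(GOOD)
_bad[7] += 3
BAD = bytes(_bad)
```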



RE: Defining Radius groups with specific abilitations against LDAP attribute

2002-03-19 Thread Pierre Strazza


I'm trying to pass specific configuration parameters for users listed in an
LDAP directory. The selection has to be made against an attribute value.

The main problem is that the LDAP structure (Domino server .. urgl)
cannot be changed, and is not homogeneous :)
but anyway, the directory is ordered like this :

O=Org
|_ some CN (not to be considered)
|_ some OU
   |_ some CN="User Name"
      |_ attributes
      |_ cn=userid (used for authentication, rlm_ldap basedn="O=Org", filter="(cn=%u)")
      |_ user_profile_attribute=groupname (this is the attribute I need to use to specify config parms)

I need to do something like :

DEFAULT Auth-Type := Ldap, Group-Name == "groupname_1"
        Specific_config_group_1

DEFAULT Auth-Type := Ldap, Group-Name == "groupname_2"
        Specific_config_group_2
...


I solved the problem with something neither really clean nor fast, but
working, like this :

rlm_ldap:

basedn="O=Org"
filter="(cn=%uid)"
...
group is searched against attribute "user_profile_attribute"
group_filter is, again, (cn=%u)

users:

DEFAULT Auth-Type := Ldap, Group-Name == "groupname_1" (value for attribute
user_profile_attribute)
        Specific_config_group_1

DEFAULT Auth-Type := Ldap, Group-Name == "groupname_2"
        Specific_config_group_2


This is working fine right now, but I'm sure this is not the best way to do it.

Any experience ?
Thxs,

Pierre.

-----Original Message-----
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 19 March 2002 21:24
To: [EMAIL PROTECTED]
Subject: RE: Defining Radius groups with specific abilitations against
LDAP attribute


On Tue, 19 Mar 2002, Pierre Strazza wrote:

>
> OK for the principle, but can you explain more about the functionality ? I do
> not really understand how I can implement this to define more than 1
> group against an attribute parameter.
>
> Thxs again,
> Pierre.
>

Could you please give me an example of what you are trying to do?

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





RE: PIX v6.1 accounting problem

2002-03-19 Thread Pierre Strazza


Here is the radius.log extract :
Wed Mar 20 01:41:30 2002 : Error: WARNING: Malformed RADIUS packet from host x.x.x.x: Vendor specific attributes do not exactly fill Vendor-Specific

Same error is reported while running in debug mode.

No further accounting information is logged.

The cisco box is a PIX firewall v6.1, authenticating users through the
freeradius server for VPN access.

Pierre.

-----Original Message-----
From: Chris Parker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 19 March 2002 19:13
To: [EMAIL PROTECTED]
Subject: RE: PIX v6.1 accounting problem


At 05:19 PM 3/19/2002 +0100, Pierre Strazza wrote:
>The request is not logged since an error message is reported in the
>radius.log file, indicating some non-conforming attributes, not processed.
>
>the dictionary.cisco seems to be already included in the dictionary file by
>default ..
>
>Any idea ?

It would really really really help if you could provide the error message
printed by the server, as well as any printed when you run it in debug
mode.

-Chris

--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net






RE: PIX v6.1 accounting problem

2002-03-19 Thread Pierre Strazza

The request is not logged since an error message is reported in the
radius.log file, indicating some non-conforming attributes, not processed.

The dictionary.cisco seems to be already included in the dictionary file by
default ..

Any idea ?

Pierre.

-----Original Message-----
From: Chris Parker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 19 March 2002 16:09
To: [EMAIL PROTECTED]
Subject: Re: PIX v6.1 accounting problem


At 02:55 PM 3/19/2002 +0100, Pierre Strazza wrote:

>Hi again,
>
>I need to account accesses made on a PIX firewall v6.1 on the Radius server.
>Debugging of the radiusd process shows that requests are correctly sent to
>the radius accounting port, but are not handled, because of some
>non-conforming VSA ...

Won't stop it from logging the request.  May stop it from logging
human readable formats.  Can you elaborate on 'not handled'?

>Any dictionary for PIX v6.1 ? :-)

PIX is cisco.  Are you enabling the use of 'dictionary.cisco'?

-Chris

--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net






RE: Defining Radius groups with specific abilitations against LDAP attribute

2002-03-19 Thread Pierre Strazza


OK for the principle, but can you explain more about the functionality ? I do
not really understand how I can implement this to define more than 1
group against an attribute parameter.

Thxs again,
Pierre.


-----Original Message-----
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 19 March 2002 16:39
To: [EMAIL PROTECTED]
Subject: Re: Defining Radius groups with specific abilitations against
LDAP attribute


On Tue, 19 Mar 2002, Pierre Strazza wrote:

> Hi There,
>
>
> I'm trying to define radius groups, so that I can manage specific
> permissions for users against LDAP entries. Groups of users must be handled
> on Radius against the value of an LDAP attribute.
> I tried some configurations, but it still does not work.
>
> Any idea about that ?
> Thxs in advance.
>
> Pierre.

You can do one of the following:

o Use default/regular profiles. Just add the DN of the profile entry in the
  corresponding user entries using the profile_attribute defined in the ldap
  module configuration.
  Something like:

  dn: uid=group1-dialup,ou=people,dc=company,dc=com
  objectclass: radiusprofile
  radiusPortLimit: 1

  dn: uid=user1,ou=people,dc=company,dc=com
  objectclass: radiusprofile
  dialupregularprofile: uid=group1-dialup,ou=people,dc=company,dc=com

o Create ldap groups containing all the users for which you want to pass
  specific information. Then you can do something like this:

  dn: cn=group1,ou=groups,dc=company,dc=com
  objectclass: groupofuniquenames
  uniquemember: uid=user1,ou=people,dc=company,dc=com
  [...]

  users file:

  DEFAULT Group == "group1"
  Port-Limit = 1


In general take a look at doc/rlm_ldap. It is quite helpful.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





PIX v6.1 accounting problem

2002-03-19 Thread Pierre Strazza


Hi again,

I need to account accesses made on a PIX firewall v6.1 on the Radius server.
Debugging of the radiusd process shows that requests are correctly sent to
the radius accounting port, but are not handled, because of some
non-conforming VSA ...
Any dictionary for PIX v6.1 ? :-)

Regards,
Pierre.








Defining Radius groups with specific abilitations against LDAP attribute

2002-03-19 Thread Pierre Strazza

Hi There,


I'm trying to define radius groups, so that I can manage specific
permissions for users against LDAP entries. Groups of users must be handled
on Radius against the value of an LDAP attribute.
I tried some configurations, but it still does not work.

Any idea about that ?
Thxs in advance.

Pierre.









RE: Help needed for defining radius groups

2002-03-06 Thread Pierre Strazza

Thxs for your answer ... things will not be tricky as I'm not an LDAP expert
:)

I also have another question ...
I need to define connection times, so that the user can connect from 8h00 am
to 17h00 and not after ... Any experience with this functionality
implemented on freeradius ?


-----Original Message-----
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 5 March 2002 21:01
To: [EMAIL PROTECTED]
Subject: Re: Help needed for defining radius groups


On Tue, 5 Mar 2002, Pierre Strazza wrote:

> Hi there !!
>
> I'm desperately trying to define groups of users in radius according to
> groups referenced in an LDAP directory.
> What I plan is to pass specific information to the NAS according to the
> group the user belongs to. So I need to define groups of users, instead of
> users themselves in the radius users config file.
>
> Can anyone help ?
> Thxs in advance,
>
> Pierre.

You can do one of the following:

o Use default/regular profiles. Just add the DN of the profile entry in the
  corresponding user entries using the profile_attribute defined in the ldap
  module configuration.
  Something like:

  dn: uid=group1-dialup,ou=people,dc=company,dc=com
  objectclass: radiusprofile
  radiusPortLimit: 1

  dn: uid=user1,ou=people,dc=company,dc=com
  objectclass: radiusprofile
  dialupregularprofile: uid=group1-dialup,ou=people,dc=company,dc=com

o Create ldap groups containing all the users for which you want to pass
  specific information. Then you can do something like this:

  dn: cn=group1,ou=groups,dc=company,dc=com
  objectclass: groupofuniquenames
  uniquemember: uid=user1,ou=people,dc=company,dc=com
  [...]

  users file:

  DEFAULT Group == "group1"
  Port-Limit = 1


In general take a look at doc/rlm_ldap. It is quite helpful.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf



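On the connection-time question above: the Login-Time check item (values like Mo-Fr0815-1930 in the users extract earlier on this page) is what expresses such a window. The parser below is an added example, not the thread's or FreeRADIUS's code; it handles day lists, day ranges including ones that wrap the week, Wk/Al, and multiple elements, and reports the seconds left in the current window:

```python
"""Added example, not from the thread: a parser for the FreeRADIUS Login-Time
check item in the "Mo-Fr0815-1930" form used in the users file extract earlier
on this page.  It decides whether a login at a given weekday and time falls in
an allowed window and how many seconds remain in it (the value a server would
hand back as Session-Timeout).  Windows crossing midnight are not modelled."""
import re
from typing import List, Optional, Set, Tuple

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]      # index 0 = Monday
ELEMENT = re.compile(r"^(Al|Wk|(?:[A-Z][a-z](?:-[A-Z][a-z])?)+)?(\d{4})-(\d{4})$")

def _to_minutes(hhmm: str) -> int:
    return int(hhmm[:2]) * 60 + int(hhmm[2:])

def _day_set(text: Optional[str]) -> Set[int]:
    """Weekdays named by the day prefix; no prefix or 'Al' means every day."""
    if text in (None, "Al"):
        return set(range(7))
    if text == "Wk":
        return set(range(5))
    days: Set[int] = set()
    for tok in re.findall(r"[A-Z][a-z](?:-[A-Z][a-z])?", text):
        lo, _, hi = tok.partition("-")
        hi = hi or lo
        if lo not in DAYS or hi not in DAYS:
            raise ValueError("unknown day in Login-Time: " + tok)
        a, b = DAYS.index(lo), DAYS.index(hi)
        # a range like Sa-Mo wraps around the end of the week
        days.update(range(a, b + 1) if a <= b else set(range(a, 7)) | set(range(0, b + 1)))
    return days

def parse_login_time(spec: str) -> List[Tuple[Set[int], int, int]]:
    """Return [(weekdays, start_minute, end_minute), ...]; elements separated by ',' or '|'."""
    windows = []
    for part in re.split(r"[,|]", spec.strip()):
        m = ELEMENT.match(part.strip())
        if not m:
            raise ValueError("bad Login-Time element: %r" % part)
        day_text, start, end = m.groups()
        windows.append((_day_set(day_text), _to_minutes(start), _to_minutes(end)))
    return windows

def seconds_left(spec: str, weekday: int, minute_of_day: int) -> Optional[int]:
    """Seconds until the matching window closes, or None if login is not allowed now."""
    for days, start, end in parse_login_time(spec):
        if weekday in days and start <= minute_of_day < end:
            return (end - minute_of_day) * 60
    return None
```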



Help needed for defining radius groups

2002-03-05 Thread Pierre Strazza

Hi there !!

I'm desperately trying to define groups of users in radius according to
groups referenced in an LDAP directory.
What I plan is to pass specific information to the NAS according to the
group the user belongs to. So I need to define groups of users, instead of
users themselves in the radius users config file.

Can anyone help ?
Thxs in advance,

Pierre.








updating DNS tables with DDNS request

2002-02-27 Thread Pierre Strazza

Hi there,

Any idea about how to implement dynamic DNS update (DDNS) with FreeRadius
v0.4, based upon IP addresses dynamically assigned by a Cisco PIX after
authentication on the Radius server ?

Comments / samples appreciated.

Best regards,
Pierre.








Passing access-list number from Radius server to Cisco PIX firewall - FreeRadius v0.4

2002-02-21 Thread Pierre Strazza


Hello there,


I'm trying to set up a configuration with a PIX firewall as an authentication
gateway, relying on a freeradius server, which picks up users in an LDAP
directory.
I'd like to be able to :
- pass access-list numbers according to radius groups (based on LDAP groups)
to the PIX,
- assign a dynamic IP address (to be passed to the PIX ??) chosen from an
address pool, defined against groups (Radius or LDAP groups),
- and finally, be able to pass to the final client through the PIX
information such as WINS and DNS servers ...

Big task, ain't it ? :)

So, as this has to be completed as soon as possible, any help, suggestions,
comments, or, best of all, config samples are really appreciated.

Thx to all of you,
Pierre.







