Re: preproxy for calledstationid to realm

2004-02-07 Thread Jim


On Sat, 7 Feb 2004, Chris Parker wrote:

> At 09:55 PM 2/6/2004, Jim wrote:
>
> > [snip]
> > preproxy_users file:
> >
> > DEFAULT
> >	Called-Station-ID =~ *1234, Proxy-To-Realm := realmname
>
> You should be able to do this in the plain 'users' file as well.  Yes,
> it will work that way.

Thanks, I was pretty sure it would. It was the syntax and whitespace I was
wondering about. 

> > Anybody do this with MySQL?
>
> You should be able to put the same DEFAULT entry in your SQL DB.

That's the tricky part, but I think we'll figure that out after we get
the other approach working. 

thanks,
Jim


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Replicate-To-Realm don't works in today's CVS

2004-02-07 Thread Alan DeKok
Sergey Holod [EMAIL PROTECTED] wrote:
> It seems that support for Replicate-To-Realm := some.realm doesn't
> work now.

  Support for Replicate-To-Realm has been removed.  Use radrelay.

  Alan DeKok.



Re: preproxy for calledstationid to realm

2004-02-07 Thread Jim


On Sat, 7 Feb 2004, Jim wrote:

> Thanks, I was pretty sure it would. It was the syntax and whitespace I was
> wondering about.

This is what I had:

DEFAULT
	Called-Station-Id =~ *1234, Proxy-To-Realm := realm

Using debug:

[/etc/raddb/preproxy_users]:14 WARNING! Check item Proxy-To-Realm found
in reply item list for user DEFAULT. This attribute MUST go on
the first line with the other check items

So I changed the entry to:

DEFAULT Called-Station-Id =~ *1234, Proxy-To-Realm := realm

which loaded but didn't do anything. So I changed it to:

DEFAULT Called-Station-Id =~ 9876541234, Proxy-To-Realm := realm

which didn't do anything either. 'blahblah' is the unknown realm that
should have the Proxy-To-Realm 'realm' added as a suffix (debug output
with irrelevant lines snipped):

rad_recv: Access-Request packet from host 12.12.12.12:3065, id=46, length=220
User-Name = [EMAIL PROTECTED]
Called-Station-Id = 9876541234
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: Looking up realm blahblah for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm blahblah
  modcall[authorize]: module suffix returns noop
  modcall[authorize]: module sql returns notfound
users: Matched DEFAULT at 1
users: Matched DEFAULT at 10
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/password] (from client o1-7 port 25217)

So, freeradius doesn't add the 'realm' realm and it's trying to auth
locally (which is not what we want) instead of proxying the request.

The users file, btw, is only used to add certain attributes, which is why 
the DEFAULT was being matched:

DEFAULT	Service-Type == Framed-User
	Framed-IP-Address = 255.255.255.254,
	Framed-MTU = 1500,
	Service-Type = Framed-User,
	Session-Timeout = 21600,
	Idle-Timeout = 900,
	Fall-Through = Yes
#
#
DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

Any idea what I'm missing?

thanks,
Jim






Re: Unknown module rcode 'DEFAULT' in attrs

2004-02-07 Thread John Ensley
Hello,
Still having trouble getting attrs file included and working. Have
looked at docs recommended and tried all kinds of changes to
radiusd.conf and attrs file.  Still don't understand, pardon me for
asking basically the same question again.

It seems the appropriate section of radiusd.conf where this all starts
should be:

authorize {
	preprocess
	attr_filter
#	auth_log
	chap
	attr_filter {
		attrsfile = /usr/local/etc/raddb/attrs
	}
	eap
#	realmslash
	suffix
	#
	#  Read the 'users' file
	files
#	etc_smbpasswd
	mschap
}

When written this way, running radiusd -X ends like this:

Module: Instantiated preprocess (preprocess)
Module: Loaded attr_filter
attr_filter: attrsfile = /usr/local/etc/raddb/attrs
Module: Instantiated attr_filter (attr_filter)
radiusd.conf[1391] Unknown module rcode 'attrsfile'.

What could make it return Unknown rcode 'attrsfile'?  
It also fails exactly the same if the line is written as:
attrsfile = ${confdir}/attrs

Is writing that section with this change legal?  It seems to then go to
the attrs file.

attr_filter {
	$INCLUDE /usr/local/etc/raddb/attrs
}

Then running radiusd -X results this way:
Module: Loaded attr_filter
attr_filter: attrsfile = /usr/local/etc/raddb/attrs
Module: Instantiated attr_filter (attr_filter)
radiusd.conf[78] Unknown module rcode 'DEFAULT'.

It seems to be looking at the attrs file this way but fails on line 78
which is the DEFAULT line.

This is the attrs file:

[lines skipped]
# The rest of this file contains the DEFAULT entry.
# DEFAULT matches with all realm names.
#
DEFAULT
	Service-Type == Framed-User,
	Service-Type == Login-User,
	Login-Service == Telnet,
	Login-Service == Rlogin,
	Login-Service == TCP-Clear,
	Login-TCP-Port = 65536,
	Framed-IP-Address == 255.255.255.254,
	Framed-IP-Netmask == 255.255.255.255,
	Framed-Protocol == PPP,
	Framed-Protocol == SLIP,
	Framed-Compression == Van-Jacobson-TCP-IP,
	Framed-MTU = 576,
	Framed-Filter-ID =* ANY,
	Reply-Message =* ANY,
	Proxy-State =* ANY,
	Session-Timeout = 28800,
	Idle-Timeout = 600,
	Port-Limit = 2,
	Ascend-Data-Filter := ip in forward tcp est,
	Ascend-Data-Filter += ip in forward dstip 204.248.85.116/32,
	Ascend-Data-Filter += ip in drop tcp dstport = 25,
	Ascend-Data-Filter += ip in forward,
	Fall-Through = no

Is this an all-or-nothing type situation, where if anything is wrong in
the DEFAULT section of attrs file it fails on the first line?  Is the
problem here in this file or back in radiusd.conf because of the failure
concerning 'attrsfile'? 

Thanks much,
John Ensley
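An added example, not from the thread, of the radiusd.conf layout the two error messages point at. Inside `authorize { }` a `{ }` block after a module name is read as a list of return-code overrides (`ok`, `fail`, `reject`, ...), so both `attrsfile` and the `DEFAULT` pulled in by `$INCLUDE` are rejected as unknown module rcodes; the module's own settings belong in its block under `modules { }`. The path follows the post's `/usr/local/etc/raddb` install, and, as in the 1.x default configuration, attr_filter is called from `post-proxy` to filter home-server replies against the attrs file:

```conf
# radiusd.conf: a module's settings go in its own block under modules { }.
modules {
	attr_filter {
		attrsfile = ${confdir}/attrs
	}
	# preprocess, chap, eap, suffix, files, mschap ... are configured here too
}

# Processing sections only name the modules to run, in order.  A "{ }"
# after a module name here is a list of rcode overrides, so no "key = value"
# settings and no $INCLUDE of the attrs file belong inside authorize.
authorize {
	preprocess
	chap
	eap
	suffix
	files
	mschap
}

# attr_filter filters the reply coming back from a home server, so it is
# called from post-proxy; the DEFAULT entry in attrs lists what may pass.
post-proxy {
	attr_filter
}
```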








Re: preproxy for calledstationid to realm

2004-02-07 Thread Alan DeKok
Jim [EMAIL PROTECTED] wrote:
> preproxy_users file:
>
> DEFAULT
>	Called-Station-ID =~ *1234, Proxy-To-Realm := realmname
>

  What do you expect this to do?

  The purpose of the preproxy_users file is to massage a request
AFTER you have decided to proxy it, and BEFORE it is sent to the
proxy.

  If you're trying to set Proxy-to-Realm in that file, and expecting
the request to be proxied, it won't work.  You have to decide to proxy
requests during the authorize stage, which means the users file.

  Alan DeKok.
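Putting Alan's point into a users-file entry, as an added example that is not from any post in the thread: the proxy decision is made in `users` during authorize, and the check items, Proxy-To-Realm included, stay on the DEFAULT line. It assumes a realm named `realm` is defined in proxy.conf and that the intent is to match Called-Station-Id values ending in 1234, so the pattern is written as the anchored regex `1234$`:

```conf
# /etc/raddb/users (read by the 'files' module in authorize), not preproxy_users.
#
# First line: check items, comma-separated.  Proxy-To-Realm is a check item
# and must be here; its value must name a realm that exists in proxy.conf.
# Following lines: reply items.  Fall-Through = Yes lets the later DEFAULT
# entries (Framed-*, Session-Timeout, ...) still be matched as before.
DEFAULT	Called-Station-Id =~ "1234$", Proxy-To-Realm := "realm"
	Fall-Through = Yes

# The existing entries stay below, unchanged:
DEFAULT	Service-Type == Framed-User
	Framed-IP-Address = 255.255.255.254,
	Framed-MTU = 1500,
	Service-Type = Framed-User,
	Session-Timeout = 21600,
	Idle-Timeout = 900,
	Fall-Through = Yes
```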



Re: Proxied server not sending VSA's back

2004-02-07 Thread Alan DeKok
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> However, I do not get back the necessary vendor specific
> reply item that is required.  If the ISP on the other end
> uses radtest on his radius server and makes a request
> using localhost, he DOES get the necessary reply item.

  As always, run the server in debugging mode.  You will see then what
attributes are sent to FreeRADIUS in the reply from the home server,
and you will see what reply is sent by FreeRADIUS.  You will also see
which modules are used to process one reply into the other.

  One of those modules is doing the filtering.

  Alan DeKok.



Re: Problems Proxying through FreeRADIUS to ICRadius

2004-02-07 Thread Alan DeKok
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> We have verified that our secrets match, my radius is set up as
> client and in the other ISP's nas list.

  Ok...

> My radius server and NAS is behind a firewall, on a private 10.1.x.x subnet
> and then gets nat'ed.

  So is your RADIUS server set up as a client, or is your firewall listed?

  RADIUS & firewalls don't play well together.  I would strongly
suggest that you NOT put the server behind a NAT gateway.

> One suggestion was to force my radius server to send my external IP address
> as the NAS-IP-Address for that realm.  Is that possible?  If so how?

  It won't make any difference.

  Alan DeKok.



Re: PEAP with Ldap

2004-02-07 Thread Alan DeKok
Jean-Paul Chapalain [EMAIL PROTECTED] wrote:
> Now, I want to use EAP/PEAP with user/password checked in my Ldap Backend.
>
> Is this config possible?

  No.

  You can get a clear-text password from LDAP, and then use that to do
PEAP authentication.

> For PEAP, there isn't an Auth-Type in the users file!

  No.  The server figures it out on its own.

> For PEAP with Ldap check, what's the config for the user (Auth-Type :=
> LDAP)?

  Absolutely not.

  Alan DeKok.



Re: is ttls with eap md5 ms-chap is supported?

2004-02-07 Thread Alan DeKok
raghavendra [EMAIL PROTECTED] wrote:
> I could bring up the free-radius server for a TTLS setup only with the PAP & CHAP protocols,
> and could not bring it up for the EAP-MD5, MS-CHAP v2 protocols.

  If you ran the server in debugging mode, you would see why.

  I've used EAP-MD5 and Ms-CHAP with TTLS.

  Alan DeKok.



Proxy and Realms

2004-02-07 Thread Anson Rinesmith
I'm using a freeradius server to identify proxies to about 3 other RADIUS
servers.
One of them happens to be a freeradius server. When it puts the acct
information in the DB (on both the proxied and the proxying), it just puts in
DEFAULT as the realm, though it got proxied via realm theisp.com.
Where, and on which server, can I set it so that theisp.com gets put into
realm in both accounting DBs?

Anson

