Re: preproxy for calledstationid to realm
On Sat, 7 Feb 2004, Chris Parker wrote:
> At 09:55 PM 2/6/2004, Jim wrote:
> [snip]
> preproxy_users file:
> DEFAULT Called-Station-ID =~ *1234, Proxy-To-Realm := realmname
> You should be able to do this in the plain 'users' file as well.
> Yes, it will work that way.

Thanks, I was pretty sure it would. It was the syntax and whitespace I was wondering about.

> Anybody do this with MySQL?
> You should be able to put the same DEFAULT entry in your SQL DB.

That's the tricky part, but I think we'll figure that out after we get the other approach working.

thanks,
Jim

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Replicate-To-Realm doesn't work in today's CVS
Sergey Holod [EMAIL PROTECTED] wrote:
> It seems that support for Replicate-To-Realm := some.realm doesn't work now.

Support for Replicate-To-Realm has been removed. Use radrelay.

Alan DeKok.
Re: preproxy for calledstationid to realm
On Sat, 7 Feb 2004, Jim wrote:
> Thanks, I was pretty sure it would. It was the syntax and whitespace I was wondering about.

This is what I had:

DEFAULT Called-Station-Id =~ *1234,
        Proxy-To-Realm := realm

Using debug:

[/etc/raddb/preproxy_users]:14 WARNING! Check item Proxy-To-Realm found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items

So I changed the entry to:

DEFAULT Called-Station-Id =~ *1234, Proxy-To-Realm := realm

which loaded but didn't do anything. So I changed it to:

DEFAULT Called-Station-Id =~ 9876541234, Proxy-To-Realm := realm

which didn't do anything either. 'blahblah' is the unknown realm that should have the Proxy-To-Realm 'realm' added as a suffix (debug output with irrelevance snipped):

rad_recv: Access-Request packet from host 12.12.12.12:3065, id=46, length=220
        User-Name = [EMAIL PROTECTED]
        Called-Station-Id = 9876541234
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: Looking up realm blahblah for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm blahblah
modcall[authorize]: module suffix returns noop
modcall[authorize]: module sql returns notfound
users: Matched DEFAULT at 1
users: Matched DEFAULT at 10
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/password] (from client o1-7 port 25217)

So, freeradius doesn't add the 'realm' realm and it's trying to auth locally (which is not what we want) instead of proxying the request.

The users file, btw, is only used to add certain attributes, which is why the DEFAULT was being matched:

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1500,
        Service-Type = Framed-User,
        Session-Timeout = 21600,
        Idle-Timeout = 900,
        Fall-Through = Yes
#
#
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

Any idea what I'm missing?

thanks,
Jim
Re: Unknown module rcode 'DEFAULT' in attrs
Hello,

Still having trouble getting the attrs file included and working. Have looked at the docs recommended and tried all kinds of changes to radiusd.conf and the attrs file. Still don't understand, pardon me for asking basically the same question again.

It seems the appropriate section of radiusd.conf where this all starts should be:

authorize {
        preprocess
        attr_filter
#       auth_log
        chap
        attr_filter {
                attrsfile = /usr/local/etc/raddb/attrs
        }
        eap
#       realmslash
        suffix
        #
        # Read the 'users' file
        files
#       etc_smbpasswd
        mschap
}

When so written it ends this way running radiusd -X:

Module: Instantiated preprocess (preprocess)
Module: Loaded attr_filter
 attr_filter: attrsfile = /usr/local/etc/raddb/attrs
Module: Instantiated attr_filter (attr_filter)
radiusd.conf[1391] Unknown module rcode 'attrsfile'.

What could make it return Unknown rcode 'attrsfile'? It also fails exactly the same if the line is written as:

attrsfile = ${confdir}/attrs

Is writing that section with this change legal? It seems to then go to the attrs file.

attr_filter {
        $INCLUDE /usr/local/etc/raddb/attrs
}

Then running radiusd -X results this way:

Module: Loaded attr_filter
 attr_filter: attrsfile = /usr/local/etc/raddb/attrs
Module: Instantiated attr_filter (attr_filter)
radiusd.conf[78] Unknown module rcode 'DEFAULT'.

It seems to be looking at the attrs file this way but fails on line 78, which is the DEFAULT line. This is the attrs file (skipped lines):

#
# The rest of this file contains the DEFAULT entry.
# DEFAULT matches with all realm names.
#
DEFAULT
        Service-Type == Framed-User,
        Service-Type == Login-User,
        Login-Service == Telnet,
        Login-Service == Rlogin,
        Login-Service == TCP-Clear,
        Login-TCP-Port <= 65536,
        Framed-IP-Address == 255.255.255.254,
        Framed-IP-Netmask == 255.255.255.255,
        Framed-Protocol == PPP,
        Framed-Protocol == SLIP,
        Framed-Compression == Van-Jacobson-TCP-IP,
        Framed-MTU >= 576,
        Framed-Filter-ID =* ANY,
        Reply-Message =* ANY,
        Proxy-State =* ANY,
        Session-Timeout <= 28800,
        Idle-Timeout <= 600,
        Port-Limit <= 2,
        Ascend-Data-Filter := "ip in forward tcp est",
        Ascend-Data-Filter += "ip in forward dstip 204.248.85.116/32",
        Ascend-Data-Filter += "ip in drop tcp dstport = 25",
        Ascend-Data-Filter += "ip in forward",
        Fall-Through = no

Is this an all-or-nothing type situation, where if anything is wrong in the DEFAULT section of the attrs file it fails on the first line? Is the problem here in this file or back in radiusd.conf because of the failure concerning 'attrsfile'?

Thanks much,
John Ensley
Re: preproxy for calledstationid to realm
Jim [EMAIL PROTECTED] wrote:
> preproxy_users file:
> DEFAULT Called-Station-ID =~ *1234, Proxy-To-Realm := realmname

What do you expect this to do? The purpose of the preproxy_users file is to massage a request AFTER you have decided to proxy it, and BEFORE it is sent to the proxy.

If you're trying to set Proxy-to-Realm in that file, and expecting the request to be proxied, it won't work. You have to decide to proxy requests during the authorize stage, which means the users file.

Alan DeKok.
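As an added example (not code from this thread or from FreeRADIUS itself), a small Python linter for users-file entries that catches the two mistakes discussed above: Proxy-To-Realm placed on a reply line instead of the first line, and a `=~` value that is not a valid regex; it also warns when Proxy-To-Realm is set in preproxy_users, where it cannot trigger proxying. The parser is a simplified approximation of the users-file syntax, and the sample entries are constructed for the example.

```python
import re

# Constructed sample in FreeRADIUS users-file syntax: the entry from the
# thread (unquoted regex, Proxy-To-Realm on the reply line), followed by a
# corrected entry that keeps both check items on the first line.
SAMPLE_USERS = """\
DEFAULT Called-Station-Id =~ *1234,
        Proxy-To-Realm := realm

DEFAULT Called-Station-Id =~ "1234$", Proxy-To-Realm := "realm"
        Fall-Through = Yes
"""

# attribute, operator, value; a double-quoted value may contain spaces or commas
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=~|!~|=\*|!\*|<=|>=|\+=|=)\s*("[^"]*"|[^,\s]+)')

def parse_items(s):
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(s)]

def parse_entries(text):
    """Split users-file text into entries: the unindented first line carries the
    name and the check items, indented continuation lines carry reply items."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] not in ' \t':
            parts = line.split(None, 1)
            cur = {'name': parts[0], 'check': parse_items(parts[1] if len(parts) > 1 else ''), 'reply': []}
            entries.append(cur)
        elif cur is not None:
            cur['reply'] += parse_items(line)
    return entries

def lint(entries, filename='users'):
    """Return (entry number, message) pairs for the mistakes seen in the thread."""
    problems = []
    for n, e in enumerate(entries, 1):
        if filename.endswith('preproxy_users') and any(a == 'Proxy-To-Realm' for a, _, _ in e['check'] + e['reply']):
            problems.append((n, 'Proxy-To-Realm here does not trigger proxying; decide in the authorize stage (users file)'))
        for a, _, _ in e['reply']:
            if a == 'Proxy-To-Realm':
                problems.append((n, 'Proxy-To-Realm is a check item and must be on the first line'))
        for a, op, v in e['check']:
            if op in ('=~', '!~'):
                try:
                    re.compile(v)  # Python re stands in for the C-library regex FreeRADIUS uses
                except re.error as err:
                    problems.append((n, f'{a} regex {v!r} does not compile: {err}'))
    return problems

if __name__ == '__main__':
    for n, msg in lint(parse_entries(SAMPLE_USERS)):
        print(f'entry {n}: {msg}')
```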
Re: Proxied server not sending VSA's back
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> However, I do not get back the necessary vendor specific reply item that is required. If the ISP on the other end uses radtest on his radius server and makes a request using localhost, he DOES get the necessary reply item.

As always, run the server in debugging mode. You will see then what attributes are sent to FreeRADIUS in the reply from the home server, and you will see what reply is sent by FreeRADIUS. You will also see which modules are used to process one reply into the other. One of those modules is doing the filtering.

Alan DeKok.
Re: Problems Proxying through FreeRADIUS to ICRadius
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> We have verified that our secrets match, my radius is set up as a client and in the other ISP's nas list.

Ok...

> My radius server and NAS are behind a firewall, on a private 10.1.x.x subnet and then get nat'ed.

So is your RADIUS server set up as a client, or is your firewall listed? RADIUS and firewalls don't play well together. I would strongly suggest that you NOT put the server behind a NAT gateway.

> One suggestion was to force my radius server to send my external IP address as the NAS-IP-Address for that realm. Is that possible? If so how?

It won't make any difference.

Alan DeKok.
Re: PEAP with Ldap
Jean-Paul Chapalain [EMAIL PROTECTED] wrote:
> Now, I want to use EAP/PEAP with user/password checked in my LDAP backend. Is this config possible?

No. You can get a clear-text password from LDAP, and then use that to do PEAP authentication.

> For PEAP, there isn't an Auth-Type in the users file!

No. The server figures it out on its own.

> For PEAP with LDAP check, what's the config for the user (Auth-Type := LDAP)?

Absolutely not.

Alan DeKok.
Re: is ttls with eap md5 ms-chap supported?
raghavendra [EMAIL PROTECTED] wrote:
> I could bring up the free-radius server for the TTLS setup only with the PAP and CHAP protocols, and could not bring it up for the EAP-MD5 and MS-CHAP v2 protocols.

If you ran the server in debugging mode, you would see why. I've used EAP-MD5 and MS-CHAP with TTLS.

Alan DeKok.
Proxy and Realms
I'm using a freeradius server to identify proxies to about 3 other RADIUS servers. One of them happens to be a freeradius server. When it puts the acct information in the DB (on both the proxied and proxying), it just puts in DEFAULT as the realm, though it got proxied via realm theisp.com. Where, and on which server, can I set it so that theisp.com gets put into realm in both accounting DBs?

Anson