usercollide in failover

2004-04-14 Thread 俊宏



Hi
 
I am trying to configure radius.conf and the users files to handle user
collision.

PEAP works fine, and it is OK if there is no user collision.

radius.conf suggests using the fail-over module to solve usercollide.

But it is always just the first user that can be checked; the second one can't.
(If the client keys in "testuser" and "22".)
 
log
-
modcall: entering group authorize for request 8
  rlm_eap: EAP packet type response id 18 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 8
    users: Matched testuser at 2
  modcall[authorize]: module "files1" returns ok for request 8
    users: Matched testuser at 2
  modcall[authorize]: module "files2" returns ok for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
 
 

 
 
radius.conf :

    files files1 {
        usersfile = ${confdir}/users1
        acctusersfile = ${confdir}/acct_users
        compat = no
    }

    files files2 {
        usersfile = ${confdir}/users2
        acctusersfile = ${confdir}/acct_users
        compat = no
    }

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    eap
}

authorize {
    eap
    files1
    files2
}
 

 
 
files1 :
---
testuser    User-Password == "11"
---
 
files2 :
---
testuser    User-Password == "22"
---
 
 
Can anyone help?
 
 
 
 
 


RE: unknown eap types

2004-04-14 Thread Htin Hlaing
Hi,

I am still struggling to understand this.  Here is what I have:

1) I configured radiusd.conf without mschapv2 in the eap section.  And I put
yes for ignore_unknown_eap_types.
2) PEAP with mschapv2 is started and things work as they are supposed
to.  Meaning, I see "rlm_eap: Ignoring NAK with request for unknown EAP
type" and finally, the request got rejected.
3) So, what I want to do is if rlm_eap sees an unknown EAP type (either
from outside the tunnel or inside the tunnel), I want the EAP request to
go to the remote server defined.
4) I played around with the "Proxy-To-Realm" in the user file and I am
not getting what I want.  Part of it could be that I don't know exactly
where to put it.  If I put at the top with DEFAULT and use fall through
set, EVERYTHING goes to the remote.  I just want the EAP ones that the
server does not understand...

How do I get 3 above?

Thanks in advance,
Htin

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Wednesday, April 14, 2004 12:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: unknown eap types
> 
> "Htin Hlaing" <[EMAIL PROTECTED]> wrote:
> > It says another module MUST then be configured to proxy the request.
> > How do we configure this another module?
> 
>   In the "users" file, set "Proxy-To-Realm" to a realm where the
> request will be proxied.
> 
>   Alan DeKok.
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Restricting User to a NAS/Colubris network

2004-04-14 Thread carlos collart
Hi,
I love Freeradius-MySQL-Dialupadmin ... It fixed my problem in a very
inexpensive way.
I have a SuSE 8.2 box running Freeradius 0.9.3, MySQL 3.23.55-Max, Apache2 and I
want:

-validate a Username only with the NAS-IP-Address
For example the username "hotel" can only access hotspot1 (NAS-IP)
with/without any password.
(I need the Username/NAS-IP for accounting purposes)

-miscellaneous question with the Colubris Networks CN3000 Wireless Access
Controller
I don't understand the "AVPair"-->MySQL...
I have to put the attribute value "Colubris-AVPair" in the radreply (or
radgroupreply) table

INSERT INTO `radgroupreply` 
(`id`, `GroupName`, `Attribute`, `op`, `Value`, `prio`) VALUES 
(112, 'colubris', 'Colubris-AVPair', ':=',
'default-user-smtp-redirect=smtp.hn', 0),
(113, 'colubris', 'Colubris-AVPair', ':=',
'access-list=all,ACCEPT,tcp,216.236.210.205,80', 0);

Or this way 
INSERT INTO `radgroupreply` 
(`id`, `GroupName`, `Attribute`, `op`, `Value`, `prio`) VALUES 
(112, 'colubris', 'default-user-smtp-redirect', ':=', 'smtp.hn', 0),
(113, 'colubris', 'access-list', ':=', 'all,ACCEPT,tcp,216.236.210.205,80',
0);


Atte.
CC




Re: Need a way to limit users to X number of hours per month.

2004-04-14 Thread Michael Griego
Take a look at the rlm_counter and rlm_sqlcounter modules.

If you have installed the server, you can do a "man rlm_counter" and get
an idea of how to use this module for what you need.

On Wed, 2004-04-14 at 14:57, William Ragsdale wrote:
> Greetings,
>   I need a way to limit a user to X hours per month (I can convert to
> seconds if needed).  I currently have Freeradius 0.8.
>   Could someone help, or point me to a step by step guide on how to do
> this.  These resources would need to be on the web, or via email, I
> don't have the free resources to purchase the radius book (as soon as I
> do I will!).
-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Need a way to limit users to X number of hours per month.

2004-04-14 Thread William Ragsdale
Greetings,
  I need a way to limit a user to X hours per month (I can convert to
seconds if needed).  I currently have Freeradius 0.8.
  Could someone help, or point me to a step by step guide on how to do
this.  These resources would need to be on the web, or via email, I
don't have the free resources to purchase the radius book (as soon as I
do I will!).


-- 
·William





different pools for user with and without traffic

2004-04-14 Thread Alexander Lunyov
Hello freeradius-users,

   I want freeradius to assign different IP addresses (from different
   networks) according to the traffic balance of users. It means that if
   a user has no traffic left for this month, freeradius will give him an
   IP address from 192.168.222.0/24, and if the user still has traffic
   on his account he will receive one from 192.168.111.0/24. The algorithm
   is simple, but I'm stuck with check/reply items. Now I have this in the
   'users' file:

DEFAULT Service-Type == Framed-User
        Traffic-Limit := `%{expr: %{reply:Rad-Traffic-limit} - %{sql:SELECT sum(AcctInputOctets)+sum(AcctOutputOctets) FROM radacct WHERE UserName = '%u' AND Month(AcctStopTime) = Month(NOW()) AND Year(AcctStopTime) = Year(NOW())}}`,
        Fall-Through = 1

The reply item Rad-Traffic-Limit is coming from LDAP. And if I
understand the documentation right, I need something like this:

DEFAULT Traffic-Limit > 0, Pool-Name := "legal_pool"
   Fall-Through = 1

DEFAULT Traffic-Limit <= 0, Pool-Name := "illegal_pool"
   Fall-Through = 1

   But, of course, radiusd blames me for this - '>' and '<=' are not
   applicable to reply items. So I think I need to put the value of the reply
   attribute Traffic-Limit into some check attribute and then compare it
   and assign the pool name, am I right? And if I am, then - how can I do
   it? I tried many ways, but have had no success.

   For now those users who have <= 0 traffic left are just being rejected
   and that's all, but I need to let them in with harder restrictions.
   Main idea: they will work with different IP addresses, and I
   will configure my firewall in such a manner that they can only
   use corporate mail, the corporate site, everything corporate and no
   outside internet.

   So if freeradius can assign addresses from different pools - can it
   assign them according to traffic limits?


p.s.: always forgetting to say "sorry for my bad English".

-- 
Best regards,
 Alexandermailto:[EMAIL PROTECTED]




Re: unknown eap types

2004-04-14 Thread Alan DeKok
"Htin Hlaing" <[EMAIL PROTECTED]> wrote:
> It says another module MUST then be configured to proxy the request.
> How do we configure this another module? 

  In the "users" file, set "Proxy-To-Realm" to a realm where the
request will be proxied.

  Alan DeKok.



unknown eap types

2004-04-14 Thread Htin Hlaing
Hi,

In the radiusd.conf file, we can let the FreeRadius proxy the unknown
eap types to another Radius server.  But, it's not quite clear from the
description on how to do it.

#   By setting this
#  configuration to "yes", you can tell the server to
#  instead keep processing the request.  Another module
#  MUST then be configured to proxy the request to
#  another RADIUS server which supports that EAP type.
#
#  If another module is NOT configured to handle the
#  request, then the request will still end up being
#  rejected.
ignore_unknown_eap_types = no


It says another module MUST then be configured to proxy the request.
How do we configure this another module?  Is there an existing rlm
module to use or we need to write a new one to do something like
this...?

Thanks,
Htin




Re: PAP and CHAP on same system

2004-04-14 Thread Bob Ross
Of course not. Never meant to imply that you did.

I had no idea what it was and was just letting you know I never used it, or
what ever it was. I had no idea if it was a program or other.

Bob

- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 14, 2004 11:19 AM
Subject: Re: PAP and CHAP on same system


> "Bob Ross" <[EMAIL PROTECTED]> wrote:
> > CVS?, never used it.
>
>   Did I tell you to use CVS?
>
>   See the web page for details on what the CVS snapshot is, and where
> to get it.
>
>   Alan DeKok.
>
>
>
>




Re: PAP and CHAP on same system

2004-04-14 Thread Alan DeKok
"Bob Ross" <[EMAIL PROTECTED]> wrote:
> CVS?, never used it.

  Did I tell you to use CVS?

  See the web page for details on what the CVS snapshot is, and where
to get it.

  Alan DeKok.




Re: PAP and CHAP on same system

2004-04-14 Thread Bob Ross
This turns out to be a bit of trouble to maintain the list when users have
to be locked because of no payment or other things.

>   FreeRADIUS doesn't care.  If you have a clear-text password in a
> local database, it will do PAP/CHAP, or whatever else is in the
> request.
>




Re: PAP and CHAP on same system

2004-04-14 Thread Bob Ross
CVS?, never used it.

- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 14, 2004 10:57 AM
Subject: Re: PAP and CHAP on same system


> "Bob Ross" <[EMAIL PROTECTED]> wrote:
> > After 9 years we started to expand services using realms for wholesale
> > dialup out of our area. They require us to use CHAP. We have been PAP. They
> > first told us it was PAP but after we went to set up it's CHAP.
>
>   FreeRADIUS doesn't care.  If you have a clear-text password in a
> local database, it will do PAP/CHAP, or whatever else is in the
> request.
>
> > We have mysql loaded on the server but doesn't run correct, and have never
> > used it, and I don't have time to learn how to set it up. The money has been
> > paid and we need to get this going some how with as much ease as possible.
> >
> > We are looking migrate over to FreeRadius if this can be done.
>
>   Yes.
>
> > If I was to install two radius servers, one using port 1645/1646 for CHAP
> > and one using 1812/1813 for PAP
>
>   If you use the latest CVS snapshot, you only need one server.
>
> > Is it possible for the CHAP server to send the request to the PAP server for
> > authentication on the system files?
>
>   If you mean /etc/passwd, no.  See the FAQ.
>
> > This would eliminate the need for passwords in plain text because all would
> > be read in the end from the system files.
>
>   No.  See the FAQ.
>
>   Alan DeKok.




Re: PAP and CHAP on same system

2004-04-14 Thread Alan DeKok
"Bob Ross" <[EMAIL PROTECTED]> wrote:
> After 9 years we started to expand services using realms for wholesale
> dialup out of our area. They require us to use CHAP. We have been PAP. They
> first told us it was PAP but after we went to set up it's CHAP.

  FreeRADIUS doesn't care.  If you have a clear-text password in a
local database, it will do PAP/CHAP, or whatever else is in the
request.

> We have mysql loaded on the server but doesn't run correct, and have never
> used it, and I don't have time to learn how to set it up. The money has been
> paid and we need to get this going some how with as much ease as possible.
> 
> We are looking migrate over to FreeRadius if this can be done.

  Yes.

> If I was to install two radius servers, one using port 1645/1646 for CHAP
> and one using 1812/1813 for PAP

  If you use the latest CVS snapshot, you only need one server.

> Is it possible for the CHAP server to send the request to the PAP server for
> authentication on the system files?

  If you mean /etc/passwd, no.  See the FAQ.

> This would eliminate the need for passwords in plain text because all would
> be read in the end from the system files.

  No.  See the FAQ.

  Alan DeKok.



Re: PAP and CHAP on same system

2004-04-14 Thread Alexander Lunyov
Hello Bob,

Wednesday, April 14, 2004, 8:56:43 PM, you wrote:

BR> Is it possible for the CHAP server to send the request to the PAP server for
BR> authentication on the system files?

It is not possible by design of CHAP.
CHAP stands for this (simplified) scheme:

1. the client sends a request for authentication (often sending a
username) to the server
2. the server answers this request with a challenge, which is
similar to a random string
3. the client hashes the password with this string in a one-way-hashing
manner, typically MD5, so no one can decrypt the password from this
hash, even having the challenge string, and then sends the result to the server.
4. the server hashes the _cleartext_ password with the same challenge
string that was passed to the client and then compares both resulting
strings, and if they match the client receives Accept, otherwise
Reject.

So, as you can see, if the server does not have a cleartext password
it cannot produce the same result as the client did.

BR> This would eliminate the need for passwords in plain text because all would
BR> be read in the end from the system files.

You have a choice -

1. PAP - passwords can be sniffed from the network, but on the
server they are secure.
2. CHAP - passwords cannot be sniffed or decrypted from the
line, but on the server they aren't secure.

I think you have to use CHAP and take some time to secure your
server, because in practice there are many sniffers and few
hackers. Of course, then you will have to watch out for
security bulletins on the software you run on the server and all of
that anti-hacker stuff.

-- 
Best regards,
 Alexandermailto:[EMAIL PROTECTED]

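The four steps above, carried out as a RADIUS server would see them, as an added example (not FreeRADIUS code and not part of the thread): the RFC 1994 MD5 response travels in the RADIUS CHAP-Password attribute, and a store of cleartext passwords can check both PAP and CHAP while a store of one-way hashes (the system-file style Bob asked about) can only check PAP. Every user name, password and challenge here is constructed.

```python
"""CHAP check as a RADIUS server performs it: the RFC 1994 response carried
in the RADIUS CHAP-Password attribute (RFC 2865), next to a PAP check.
Added illustration, not FreeRADIUS code; all values are constructed."""

import hashlib
import hmac
import os


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge).
    (The sketch above leaves out the 1-byte Identifier.)"""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def client_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the NAS sends in CHAP-Password: 1-byte Identifier + 16-byte
    response.  The cleartext password never crosses the line."""
    return bytes([ident]) + chap_response(ident, password, challenge)


class CleartextStore:
    """User database holding cleartext passwords: can verify PAP and CHAP."""

    def __init__(self, users: dict):
        self.users = dict(users)                  # name -> cleartext bytes

    def verify_pap(self, user: str, password: bytes) -> bool:
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

    def verify_chap(self, user: str, chap_password: bytes, challenge: bytes) -> bool:
        stored = self.users.get(user)
        if stored is None or len(chap_password) != 17:
            return False
        ident, response = chap_password[0], chap_password[1:]
        # The server redoes the client's computation from the cleartext it
        # holds and compares in constant time.
        expected = chap_response(ident, stored, challenge)
        return hmac.compare_digest(expected, response)


class HashedStore:
    """User database holding only salted one-way hashes (the /etc/passwd
    style store): PAP can be verified, CHAP cannot."""

    def __init__(self, users: dict):
        self.users = {}                           # name -> (salt, sha256)
        for name, password in users.items():
            salt = os.urandom(16)
            self.users[name] = (salt, hashlib.sha256(salt + password).digest())

    def verify_pap(self, user: str, password: bytes) -> bool:
        if user not in self.users:
            return False
        salt, digest = self.users[user]
        return hmac.compare_digest(hashlib.sha256(salt + password).digest(), digest)

    def verify_chap(self, user: str, chap_password: bytes, challenge: bytes) -> bool:
        # MD5(Identifier || password || Challenge) needs the password bytes
        # as input; a one-way hash of the password cannot be turned back
        # into them, so there is nothing to compare the response against.
        raise NotImplementedError("CHAP needs the cleartext password")


if __name__ == "__main__":
    challenge = os.urandom(16)                    # the server's random challenge
    chap_pw = client_chap_password(0x2A, b"s3cret", challenge)
    clear = CleartextStore({"bob": b"s3cret"})
    hashed = HashedStore({"bob": b"s3cret"})
    print("cleartext store, CHAP:", clear.verify_chap("bob", chap_pw, challenge))
    print("hashed store, PAP:    ", hashed.verify_pap("bob", b"s3cret"))
    try:
        hashed.verify_chap("bob", chap_pw, challenge)
    except NotImplementedError as exc:
        print("hashed store, CHAP:   ", exc)
```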



PAP and CHAP on same system

2004-04-14 Thread Bob Ross
I hope this can be done.

After 9 years we started to expand services using realms for wholesale
dialup out of our area. They require us to use CHAP. We have been PAP. They
first told us it was PAP but after we went to set up it's CHAP.

We have mysql loaded on the server but it doesn't run correctly, and we have never
used it, and I don't have time to learn how to set it up. The money has been
paid and we need to get this going somehow with as much ease as possible.

We are looking to migrate over to FreeRadius if this can be done.

If I was to install two radius servers, one using port 1645/1646 for CHAP
and one using 1812/1813 for PAP

Is it possible for the CHAP server to send the request to the PAP server for
authentication on the system files?

This would eliminate the need for passwords in plain text because all would
be read in the end from the system files.

If this is possible, a page with directions would be great!

Thanks
Bob Ross




Re: Proxying PEAP/MSCHAP

2004-04-14 Thread Bob McCormick
Woohoo!!!  I think I finally got it to work!

I put the following in the eap.conf file:

peap {
    #  The tunneled EAP session needs a default
    #  EAP type which is separate from the one for
    #  the non-tunneled EAP module.  Inside of the
    #  PEAP tunnel, we recommend using MS-CHAPv2,
    #  as that is the default type supported by
    #  Windows clients.
    default_eap_type = mschapv2
    proxy_tunneled_request_as_eap = no
    copy_request_to_tunnel = yes
}
And put this in the top of the users file:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "adt.com"

I'm gonna do some more testing, but it looks like this works.  I can 
proxy the inner MSCHAP authentication either to my other freeradius 
test server, or to my Microsoft IAS server (which was the real point).

Now I'm gonna try and add LEAP and TTLS.

Thanks for all your help man!  You rock!



On Apr 14, 2004, at 9:46 AM, Alan DeKok wrote:

> Bob McCormick <[EMAIL PROTECTED]> wrote:
> > If I include both of these lines:
> >
> > DEFAULT  FreeRADIUS-Proxied-To =* 127.0.0.1, Proxy-To-Realm := LOCAL
>
>   Hmm... I think that should have been "!*" instead of "=*".
>
> > Then the "myrealm" radius server does receive a request from the
> > proxy, but issues the following complaint in it's output logs:
> >
> > auth: type Local
> > auth: No User-Password or CHAP-Password attribute in the request
> > auth: Failed to validate the user.
>
>   So... configure the "myrealm" radius server to handle whatever
> authentication is in the tunneled session.
>
>   Alan DeKok.



Re: problems with ldap + ssl + eap-ttls

2004-04-14 Thread Michael Griego
On Wed, 2004-04-14 at 10:41, Alan DeKok wrote:
>   The alternative is to define OpenSSL locking functions, which
> OpenSSL will call when it needs thread safety.  The examples in
> OpenSSL can be used as a start.

Yeah, that's what I was really trying to say...

s/callbacks/locking callbacks/ on my previous email :)  I've been been
doing some looking into this in the OpenSSL book.  It looks pretty
straightforward.

-- 

--Mike
 
--
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas




Re: Proxying PEAP/MSCHAP

2004-04-14 Thread Alan DeKok
Bob McCormick <[EMAIL PROTECTED]> wrote:
> If I include both of these lines:
> 
> DEFAULTFreeRADIUS-Proxied-To =* 127.0.0.1, Proxy-To-Realm := LOCAL

  Hmm... I think that should have been "!*" instead of "=*".

> Then the "myrealm" radius server does receive a request from the proxy, 
> but issues the following complaint in it's output logs:
> 
> auth: type Local
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.

  So... configure the "myrealm" radius server to handle whatever
authentication is in the tunneled session.

  Alan DeKok.

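Why the "=*" line silenced the "myrealm" server and "!*" fixes it, as an added illustration (a small model of users-file check items, not FreeRADIUS code): "=*" matches whenever the attribute is present, "!*" whenever it is absent, and the first matching DEFAULT entry without Fall-Through ends the search. The two requests are constructed; everything else the server does (realm module, Auth-Type) is left out.

```python
"""Model of how the FreeRADIUS 'users' file picks a Proxy-To-Realm for the
two lines discussed in this thread.  Added illustration, not FreeRADIUS
code; only the operators the thread uses are modelled: '==', '=*'
(attribute present in the request) and '!*' (attribute absent), plus the
Fall-Through reply item."""

CHECK_OPS = ("==", "=*", "!*")


def parse_entry(line):
    """Parse a one-line users entry such as
    'DEFAULT  FreeRADIUS-Proxied-To =* 127.0.0.1, Proxy-To-Realm := LOCAL'
    into (name, checks, replies, fall_through)."""
    name, rest = line.strip().split(None, 1)
    checks, replies, fall_through = [], {}, False
    for item in rest.split(","):
        attr, op, value = item.split(None, 2)
        value = value.strip().strip('"')
        if op in CHECK_OPS:
            checks.append((attr, op, value))
        elif attr == "Fall-Through":
            fall_through = value.lower() in ("1", "yes")
        else:                              # reply item such as ':='
            replies[attr] = value
    return name, checks, replies, fall_through


def check_matches(request, attr, op, value):
    present = attr in request
    if op == "=*":                         # matches whenever the attribute exists
        return present
    if op == "!*":                         # matches whenever it does not
        return not present
    return present and request[attr] == value   # '=='


def realm_for(users_text, request):
    """Walk the entries in file order; the first matching entry wins unless
    it sets Fall-Through.  Returns the Proxy-To-Realm value, or None when
    no entry set one (the server then handles the request itself)."""
    reply = {}
    for line in users_text.strip().splitlines():
        name, checks, replies, fall_through = parse_entry(line)
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if all(check_matches(request, *c) for c in checks):
            reply.update(replies)
            if not fall_through:
                break
    return reply.get("Proxy-To-Realm")


# The two lines as posted, with '=*' on the first one ...
AS_POSTED = """
DEFAULT  FreeRADIUS-Proxied-To =* 127.0.0.1, Proxy-To-Realm := LOCAL
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "myrealm"
"""
# ... and with the correction to '!*':
CORRECTED = AS_POSTED.replace("=*", "!*")

# Requests inside the PEAP tunnel carry FreeRADIUS-Proxied-To = 127.0.0.1;
# the outer requests do not.  Both requests are constructed here.
OUTER_REQUEST = {"User-Name": "bob"}
INNER_REQUEST = {"User-Name": "bob", "FreeRADIUS-Proxied-To": "127.0.0.1"}


def summary():
    """(outer realm, inner realm) for each variant of the users file."""
    return {
        "as_posted": (realm_for(AS_POSTED, OUTER_REQUEST),
                      realm_for(AS_POSTED, INNER_REQUEST)),
        "corrected": (realm_for(CORRECTED, OUTER_REQUEST),
                      realm_for(CORRECTED, INNER_REQUEST)),
    }


if __name__ == "__main__":
    for variant, (outer, inner) in summary().items():
        print(f"{variant}: outer -> {outer}, inner -> {inner}")
```

With "=*" the tunneled request matches the first line, is forced LOCAL and never reaches the second line, which is exactly the "never sees any requests" symptom; with "!*" the outer request stays local and the tunneled one is proxied to "myrealm".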



Re: problems with ldap + ssl + eap-ttls

2004-04-14 Thread Alan DeKok
Michael Griego <[EMAIL PROTECTED]> wrote:
> Has switching to OpenSSL thread-safe callbacks as opposed to protecting
> OpenSSL calls with a mutex ever been explored?

  The issue is not thread-safe callbacks, but that the OpenSSL
functions called by FreeRADIUS are not thread-safe.

  Protecting the calls with a mutex helps a little, if only one module
is using OpenSSL.

  The alternative is to define OpenSSL locking functions, which
OpenSSL will call when it needs thread safety.  The examples in
OpenSSL can be used as a start.

  Alan Dekok.



Re: Proxying PEAP/MSCHAP

2004-04-14 Thread Bob McCormick
Sorry to bother you some more,  but I'm back!  :-)

If I include both of these lines:

DEFAULT  FreeRADIUS-Proxied-To =* 127.0.0.1, Proxy-To-Realm := LOCAL
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "myrealm"

In the config on my proxy radius server, the log on the "myrealm" 
radius server never sees any requests.

On the other hand, if I *only* include this line:

DEFAULT	FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "myrealm"

Then the "myrealm" radius server does receive a request from the proxy, 
but issues the following complaint in it's output logs:

auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.

I'm stumped again.   Any suggestions?

On Apr 13, 2004, at 2:28 PM, Alan DeKok wrote:

> Bob McCormick <[EMAIL PROTECTED]> wrote:
> > Sorry, I guess my description was a little vague.   I want to handle
> > on EAP types on the proxy radius server, but send the inner MS-CHAP
> > request to another radius server.
>
>   OK..
>
> > PEAP is the only one listed in my config right now just because it's
> > the only one I've been testing with (I'm trying to follow your advice
> > actually
>
>   Don't listen to *everything* I say...
>
> > and keep the config as simple as I can).
>
>   That's a good idea, though.
>
>   So the issues are:
>
>   a) somehow tell tunneled sessions from non-tunneled sessions
>   b) proxy tunneled sessions
>   c) don't proxy non-tunneled sessions
>
>   Requests inside of the tunnel have "FreeRADIUS-Proxied-To =
> 127.0.0.1" set.  Requests outside of the tunnel don't have that
> attribute at all.
>
>   So you should be able to do:
>
> #---
> DEFAULT  FreeRADIUS-Proxied-To =* 127.0.0.1, Proxy-To-Realm := LOCAL
> #---
>
>   i.e. for requests outside of the tunnel, force them to be handled
> locally.
>
> #---
> DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "foo.com"
> #---
>
>   i.e. for requests inside of the tunnel, force them to be proxied to
> "foo.com".
>
>   Alan DeKok.



Re: problems with ldap + ssl + eap-ttls

2004-04-14 Thread Michael Griego
On Wed, 2004-04-14 at 10:16, Alan DeKok wrote:
>   I think this will require a few more patches to the server, as
> OpenSSL isn't thread-safe (I don't know why...)

Has switching to OpenSSL thread-safe callbacks as opposed to protecting
OpenSSL calls with a mutex ever been explored?

-- 

--Mike
 
--
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas




Re: Session/User Limits Per Profile

2004-04-14 Thread Alan DeKok
"David Barker - 4d Hosting" <[EMAIL PROTECTED]> wrote:
> It is possible to limit the maximum number of users (or sessions) allowed
> online in each profile?

  Perhaps.

> For example, we have Profile 1 with a user limit of 10 and Profile 2 with a
> user limit of 5 - So that when there are 10 users online (or 10 sessions
> open) for Profile 1 it'll just reject the users login attempts until one of
> those 10 has disconnected.

  The easiest way to do this is to write a script which keeps track of
this.

  See scripts/exec-program-wait for an example script.

  Alan DeKok.




Re: problems with ldap + ssl + eap-ttls

2004-04-14 Thread Alan DeKok
David Hart <[EMAIL PROTECTED]> wrote:
> I remain where I was originally. If I use openssl from the RedHat
> distribution as the default and mangle the Makefiles for eap-tls and
> eap-ttls to use the newer libraries, eap and ldap authentication work
> happily together, but I can't secure the ldap connection.

  I think this will require a few more patches to the server, as
OpenSSL isn't thread-safe (I don't know why...)

  Alan DeKok.



Re: No TLS?

2004-04-14 Thread Alan DeKok
"Robert Baron" <[EMAIL PROTECTED]> wrote:
> The aim is: Support consultants from other companies with a network access via
> 802.11x.
> The plan is to create accounts (Radiusaccounts) and give them to the
> consultants. They can type in the username and password to their WinXP
> Machines. Doing this in the right way (with matching username and password)
> the machine can access to the network.
...
> Sending Access-Challenge of id 128 to 192.168.100.55:3600
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 192.168.100.50
> Framed-IP-Netmask = 255.255.255.0

  This won't work.  The challenge isn't supposed to assign IP addresses.

  And don't use Framed-IP-Netmask.  See the FAQ.

  And you can't assign IP address when the client is performing EAP
authentication.

> This starts then every 6 seconds, because I don't get assigned the
> IP-Address.

  Ensure that the authentication works, and that there is a final
Access-Accept.

  Once that happens, the wireless client will do DHCP to obtain an IP
address.

  Alan DeKok.



Re: Problem with username and passowrd

2004-04-14 Thread Alan DeKok
"Markus Ebel" <[EMAIL PROTECTED]> wrote:
> >   Look at the responses which don't get a LAN Security Error, and
> > compare them to the responses which do get a LAN Security Error.  Make
> > the bad ones similar to the good ones, and it should work.
> 
> Sorry, but I don't understand how to do that.

  You've configured the server to send both responses.  So configure
  the server to make the responses more similar.

> The Ascend-Log only tells me that there is a LAN Security Error when
> someone is trying to connect with a Username/Password-Configuration.
> With a CLID-Configuration everything works fine.

  Have you tried looking in the Ascend documentation for why this is
happening?

> We are working with the same configuration on a cistron-Radiusserver
> and it works. But the machine is rather old and we want to use
> freeradius instead.

  Then run Cistron in debug mode, and see what is in the Access-Accept
packets.  Make FreeRADIUS send the same attributes in the Access-Accept.

  This shouldn't be difficult.  If you've configured the server to
send attributes in the Access-Accept, you already know what to do.

  Alan DeKok.



Re: LDAPS and non-standard ports - patch

2004-04-14 Thread Kostas Kalevras
On Fri, 2 Apr 2004, Tarun Bhushan wrote:

> Hi Kostas
>
> I wanted to submit a patch to rlm_ldap (see below). The patch is very simple
> - the addition of one line, and change of an existing line, to rlm_ldap.c.
>

Added, thanks

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: User with 2 profiles but different simultaneous-use in each

2004-04-14 Thread Kostas Kalevras
On Wed, 7 Apr 2004, Kostas Zorbadelos wrote:

> At Tue, 6 Apr 2004 12:14:59 +0300 (EEST),
> Kostas Kalevras wrote:
> >
> Dear Kostas
> first of all thanks for your answer.
> I don't have this module compiled in the binary versions I compiled. I
> saw its source code however inside src/modules. Is it an experimental
> module that needs to be 'activated' in the configure step?
> What is its function exactly? (I know that you are the most relevant
> person to ask and I didn't see any documentation for it apart from the
> source code)
> Using this module can I achieve the locking scenario I want? That is,
> when the user is logged in on an ISDN line (has Simultaneous-Use=2)
> can I reject him if he tries to log in as an ADSL user at the same time?

Well now that I think of it, the module can't really help you on that subject.
But in any case you can check the comments in the latest radiusd.conf, it's now
part of the stable modules list.

As for your problem, you can just always set Simultaneous-Use = 1. For ISDN you
just need to also set Port-Limit = 2 for the user to be able to use 2 channels.
So everything should work just fine with just that. Just make sure that
Port-Limit is only returned on ISDN connections, else a user can get 2 DSL
connections from the PTT and do multilink PPP (just guessing i am not that
familiar with how ADSL works, i think it just transmits PPP frames so it's
possible). Since you are using LDAP something like this:

--users--

DEFAULT NAS-Port-Type == ISDN, Ldap-Group == "adsl-users"
Port-Limit := 2


>
> Looking forward to your answer to also learn the role of your module.
>
> Kostas
>
> > On Mon, 5 Apr 2004, Kostas Zorbadelos wrote:
> >
> > >
> > >
> > > Hello to everyone.
> > > I have the following problem where I work. We have a user, let's say
> > > kzorba, that is an ADSL user and has a specific profile (check and
> > > reply attributes). We want to limit the Simultaneous-Use of
> > > the user for this service to 1. We also want the same user to be
> > > able to use an ISDN 128 backup connection in case his ADSL line has a
> > > problem. In this case our user has a different profile and
> > > Simultaneous-Use 2 (in order to be able to login twice for the 2 isdn
> > > channels). So the question is: how can I lock the user in a way that
> > > when he uses his ADSL connection, not to be able to connect with ISDN
> > > at all (that's easy since Simultaneous-Use is 1 in this case and won't
> > > be allowed to login for anything else) and the opposite (when in as an
> > > ISDN not to be able to use the ADSL).
> > > Any suggestions are highly appreciated.
> >
> > Since you keep different profiles for each connection (ADSL or ISDN) then you
> > can add a check item for the NAS-Port-Type (Virtual or ISDN) in each one and use
> > rlm_checkval to only allow the corresponding port-type for each profile.
> >
> > >
> > > Thanks in advance
> > >
> > > Kostas
> > >
> > > PS: By the way we have our user database in LDAP but I think that's
> > > irrelevant.
> > >
> > >
> >
> > --
> > Kostas Kalevras Network Operations Center
> > [EMAIL PROTECTED]   National Technical University of Athens, Greece
> > Work Phone: +30 210 7721861
> > 'Go back to the shadow' Gandalf
> >
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: client.conf and proxy.conf

2004-04-14 Thread Htin Hlaing


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Tuesday, April 13, 2004 7:17 PM
> > Another question is; does current functionality of rlm_sql (specifically
> > mysql) all the config info of client.conf and proxy.conf in
> > database..?
> 
>   I'm not sure I can parse that sentence.  I think the answer is "No.".
> 
>   Alan DeKok.
> 

Argh... sorry... I don't know where my 'ow' disappeared from 'allow'.  I
guess the answer is still no to whether we can drive the config info of
client.conf and proxy.conf from the database..

Htin



Re: Problem with username and passowrd

2004-04-14 Thread Markus Ebel
Hi Alan

>   If RADIUS is sending an Access-Accept, then the NAS is rejecting
>   them.
> 
>   Look at the responses which don't get a LAN Security Error, and
> compare them to the responses which do get a LAN Security Error.  Make
> the bad ones similar to the good ones, and it should work.

Sorry, but I don't understand how to do that.

The Ascend-Log only tells me that there is a LAN Security Error when 
someone is trying to connect with a Username/Password-Configuration.
With a CLID-Configuration everything works fine.

We are working with the same configuration on a cistron-Radiusserver 
and it works. But the machine is rather old and we want to use
freeradius instead.

please help

thanx
cu
 Markus


