Re: Freeradius-Users digest, Vol 1 #3181 - 11 msgs

2004-05-05 Thread deborha malka
Alan,
I have compiled the PAM-Radius module 1.3.16 using gcc 3.3.2 on Solaris 8.
It seems to have compiled OK, no errors reported.
I have copied pam_radius_auth.so to /lib/security.
I have set up pam_radius_auth.conf in /etc/raddb/server with my Radius
server address and shared secret.
I have configured /etc/pam.conf with the required entries, including
the debug option.

When I try a telnet session to the machine I am not seeing any Radius
packets going out on the wire.  I am using Ethereal to monitor the IP
traffic.  Nor does the Radius server indicate that it is seeing any
packets arrive.

I am also not seeing any messages in the /var/adm/messages file either.

It appears that the PAM module is not being executed but I don't know
what else to look at to verify if it is functioning.  The file
permissions and ownership for pam_radius_auth.so are the same as the
other PAM modules.

Do you have any suggestions on the best way to determine if the module
is even running?

I appreciate your assistance.
Steve VanWambeck - SMTT TDG Platform Development

I have 2 solutions:
 1. Do you have a pam.d directory? If that is the case,
you have to configure /etc/pam.d/application
instead of pam.conf.
 2. In the /etc/raddb/server file, did you leave the line
with 127.0.0.1 ...? I had the same problem, and I
just uncommented this line and it works now!!

Tell me if it resolves your problem (I hope!)
 



Déborah Malka







- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: help

2004-05-05 Thread Milver S. Nisay


 help
 
most of the time, helpful answers come with correct questions.






Default Overwriting

2004-05-05 Thread jesk
Hi,

I have a simple question about profiling a default configuration. I'm
using freeradius-0.9.3_1 on freebsd 5.2 with a mysql backend and want to
create a default configuration that matches all users that don't
exist. This default configuration has other attributes than the normal
single user settings, for example no avpair and no ip address
assignment. Now I want that if a user is found but the password is
wrong, the default settings go into effect. The problem here is that
the attributes and values from the found user with the wrong password
are forced and not the settings from the default configuration.

Is there a way to make an overwriting possible so that we can accept
users with wrong passwords and give them other values than if they
authenticate correctly?

thanks in advance,
christian



eap/tls

2004-05-05 Thread BLANCA FERRERO RODRIGUEZ
I'm trying to configure EAP/TLS and my freeradius version is 0.9.3. Does this version
support this authentication method? If someone has used certificates, can you confirm
that openssl is a good option to create them? Thanks a lot

Bfr




RE: EAP-Message attribute.

2004-05-05 Thread martin.p.bradley
Alan,


The problem I was having is fixed in the latest CVS snapshot.  The old
version of eap.c was printing out the EAP code as the identity.

   Nothing.  Use the latest CVS snapshot.  0.9.0 is *very* old.

DEBUG2("  rlm_eap: EAP packet type %s id %d length %d",
       eap_types[eap_msg->strvalue[0]],   /* byte 0 is the EAP code, not the type */
       eap_msg->strvalue[1],
       (eap_msg->strvalue[2] << 8) |
       eap_msg->strvalue[3]);


The new (correct) version uses

DEBUG2("  rlm_eap: EAP packet type %s id %d length %d",
       eap_codes[eap_msg->strvalue[0]],   /* EAP code looked up in the code table */
       eap_msg->strvalue[1],
       eap_msg->length);

That is where my confusion came from.


Thanks very much.

Martin.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Alan DeKok
 Sent: 04 May 2004 20:58
 To: [EMAIL PROTECTED]
 Subject: Re: EAP-Message attribute. 
 
 [EMAIL PROTECTED] wrote:
  Question 1.  RFC 3579 states that EAP-Start is indicated 
 by sending 
  an EAP-Message attribute with a length of 2 (no data).  I interpret 
  this to be the following two bytes '0x49 0x02'.
 
   Hmm... I think that's a typo, or, at least, it's not the 
 way most clients work.
 
But when I send a packet
  containing such an attribute to freeradius it does not see it as an 
  EAP start.
  Below is the packet that was sent to free radius
 ...
  rad_recv: Access-Request packet from host 
 10.230.199.211:33118, id=1,
  length=92
  User-Name = DNIS:123456789
  NAS-IP-Address = 1.2.3.4
  Service-Type = Call-Check
  Called-Station-Id = 0123456789
  Calling-Station-Id = 0123456789
  EAP-Message = 0x
 
   Which is an empty EAP message.  It appears to satisfy the 
 RFC's, but I don't think any client behaves that way.
 
   Most EAP clients use a two-byte EAP packet, which means a 
 RADIUS EAP-Message of length 4.
 
  To get around this I send the EAP-Message 0x4f 0x0c 0x01 0xff
  
rlm_eap: EAP packet type identity id 255 length 0
rlm_eap: Got EAP_START message
modcall[authorize]: module eap returns handled
  
  Am I reading the RFC wrong?
 
   I don't think so, but in ~2 years of using the EAP module, 
 this has never come up before.
 
  I send the following EAP-Message
  Radius-Attribute = 0x 4f 0c 02 ff 00 0a 01 68 65 6c 6c 6f This is an
  EAP-Message with code=Response and Type = Identity, however the
  debug states that the type is notification.  What am I
 doing wrong?
 
   Nothing.  Use the latest CVS snapshot.  0.9.0 is *very* old.
 
   Alan DeKok.
 
 

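As an added illustration (not code from the thread or from FreeRADIUS), here is a Python decoder for the EAP-Message attribute bytes quoted above. The EAP code and type tables are abbreviated, and the three sample attributes are constructed from the values in the messages: the decoder shows why looking the EAP code up in the type table turned a Response/Identity packet into "notification", and it treats both the empty and the two-byte attribute as EAP-Start.

```python
import struct

# Abbreviated EAP code and type tables (RFC 3748).  They are indexed by
# different header bytes, which is the mix-up in the old rlm_eap debug line.
EAP_CODES = {1: "request", 2: "response", 3: "success", 4: "failure"}
EAP_TYPES = {1: "identity", 2: "notification", 3: "nak", 4: "md5", 13: "tls"}

EAP_MESSAGE = 79  # RADIUS attribute type 0x4f


def split_attribute(raw):
    """Take one RADIUS Type/Length/Value attribute off the front of raw.

    Returns (type, value, remaining_bytes).  The length byte covers the
    two-byte header, so a length of 2 means an empty value.
    """
    if len(raw) < 2:
        raise ValueError("attribute header truncated")
    attr_type, attr_len = raw[0], raw[1]
    if attr_len < 2 or attr_len > len(raw):
        raise ValueError("attribute length %d does not fit the data" % attr_len)
    return attr_type, bytes(raw[2:attr_len]), bytes(raw[attr_len:])


def describe_eap(value):
    """Decode the EAP packet carried in one EAP-Message attribute value.

    An empty value (attribute length 2, the RFC 3579 form) and a bare
    code/id pair (attribute length 4, what most clients send) are both
    reported as EAP-Start, since neither carries a full EAP header.
    """
    if len(value) == 0:
        return {"start": True, "reason": "empty EAP-Message"}
    if len(value) < 4:
        return {"start": True, "reason": "no full EAP header",
                "code": EAP_CODES.get(value[0], "unknown"), "id": value[1]}
    code, ident, length = struct.unpack("!BBH", value[:4])
    # The EAP length field must not claim more than the attribute carries.
    if length < 4 or length > len(value):
        raise ValueError("EAP length %d inconsistent with %d payload bytes"
                         % (length, len(value)))
    info = {"start": False, "code": EAP_CODES.get(code, "unknown"),
            "id": ident, "length": length}
    # Only Request/Response packets carry a Type byte after the header.
    if code in (1, 2) and length >= 5:
        eap_type = value[4]
        info["type"] = EAP_TYPES.get(eap_type, "unknown")
        if eap_type == 1:  # Identity: the rest of the packet is the name
            info["identity"] = value[5:length].decode("utf-8", "replace")
    # What the old debug line printed: the *code* looked up in the type table.
    info["old_debug_type"] = EAP_TYPES.get(code, "unknown")
    return info


def decode_eap_message_attribute(raw):
    """Check the attribute type, reject trailing bytes, then decode the EAP."""
    attr_type, value, rest = split_attribute(raw)
    if attr_type != EAP_MESSAGE:
        raise ValueError("attribute type %d is not EAP-Message" % attr_type)
    if rest:
        raise ValueError("%d trailing bytes after the attribute" % len(rest))
    return describe_eap(value)


# Constructed samples built from the values quoted in the messages above.
IDENTITY_RESPONSE = bytes.fromhex("4f0c02ff000a0168656c6c6f")  # Response/Identity "hello"
SHORT_START = bytes.fromhex("4f0401ff")                         # two-byte EAP packet
EMPTY_START = bytes.fromhex("4f02")                             # RFC 3579 form, no data

if __name__ == "__main__":
    for sample in (IDENTITY_RESPONSE, SHORT_START, EMPTY_START):
        print(sample.hex(), "->", decode_eap_message_attribute(sample))
```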


Re: eap/tls

2004-05-05 Thread Andrei Mikhailovsky
Yes, there is support for eap/tls. I am using it to authenticate
wireless clients. Works fine. Certs were done with openssl.
- --
Andrei Mikhailovsky
Arhont Ltd - Information Security
Web: http://www.arhont.com
~ http://www.wi-foo.com
Tel: +44 (0)870 4431337
Fax: +44 (0)117 9690141
PGP: Key ID - 0xFF67A4F4
PGP: Server - keyserver.pgp.com
BLANCA FERRERO RODRIGUEZ wrote:
| I'm trying to configure EAP/TLS and my freeradius version is 0.9.3.
Does this version support this authentication method? If someone has
used certificates, can you confirm that openssl is a good option to create
them? Thanks a lot
|
| Bfr
|
|


Re: Confused by doc/variables.txt

2004-05-05 Thread Kostas Kalevras
On Tue, 4 May 2004, Craig Huckabee wrote:


 Where can the regular expressions discussed in 'doc/variables.txt' be
 used ?  I'd like to modify the User-Name attribute as passed in for use
 as a filter for rlm_ldap.

 For example, during an EAP-TLS, I get an EAP packet like this:

 NAS-IP-Address = ...
 NAS-Port-Type = Async
 User-Name = host/g21476.fo.bar
 Service-Type = Framed-User
 Framed-MTU = 1500
 Calling-Station-Id = ...
 State = ...
 EAP-Message = ...
 Message-Authenticator = ...


 I'd like to strip off the 'host/' from User-Name and use that as a
 filter in rlm_ldap for the authorize step, like:

 ldap {
   ...
   User-Name =~ ^([^/]+)/(.*)
   filter = (cn=`%{2}`)
  ...
}
 That fails horribly (cn='') so I'm not sure where those types of regex
 statements can be used in radiusd.conf.

The above won't work. You can't just add the User-Name line in the rlm_ldap
configuration and expect it to work.

You can either use rlm_attr_rewrite to strip the 'host/' part, or probably add
a Hint variable in the users file and use that as the filter:

--users--
DEFAULT User-Name =~ ^([^/]+)/(.*), Hint := `%{2}`

--radiusd.conf--
ldap {
filter = (cn=%{check:Hint})
...
}


 Is that possible or am I completely misunderstanding variables.txt ?
 I'm running FreeRADIUS built from CVS as of 4/21/04.

 Thanks,
 Craig

 PS Forgive the wandering nature of this e-mail, 12+ hours at work...





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: How to config to get group attributes

2004-05-05 Thread Alan DeKok
John Duino [EMAIL PROTECTED] wrote:
 Users authenticate fine, but I am not getting any group information back
 to the Aventail. tcpdump confirms no info being passed. The group info
 is primarily in NIS, but I have even tried putting some in the local
 /etc/group for testing without success.

  There are no standard RADIUS attributes to send group information in
a RADIUS packet.

  As of recently in the CVS snapshots, there is a dictionary.unix
file, with Unix group related attributes.  However... if the NAS
documentation doesn't say it understands those attributes, then it
won't use them.

 I'm using Unix authentication (system uses NIS) and I'm attempting
 to access this from an Aventail EX1500.

  Uh, no.  The Aventail is authenticating via RADIUS.  FreeRADIUS can
be configured to do authentication against /etc/passwd, but the
Aventail NAS doesn't know that this is happening.

 I do not totally (obviously) grasp the intricacies of the radiusd.conf
 file, multiple authentication schemes, etc.

  It has nothing to do with radiusd.conf.

  Why are you trying to send Unix group information to the NAS?

  Alan Dekok.



Re: eap/tls

2004-05-05 Thread Alan DeKok
BLANCA FERRERO RODRIGUEZ [EMAIL PROTECTED] wrote:
 I'm trying to configure EAP/TLS and my freeradius version is 0.9.3,
 does this version support this authentication method?

  Yes.

 if someone has used certificates can confirm me that openssl is a
 good option to create them? thanks a lot

  Yes.

  Alan DeKok.



Re: Default Overwriting

2004-05-05 Thread Alan DeKok
jesk [EMAIL PROTECTED] wrote:
 now i want that if a user is found but the password is
 wrong that the default setting go into effect.

  Please read doc/aaa.txt.

  The authorize section is processed BEFORE the user is
authenticated.  And the only time you can re-write the response is
after the user has been authenticated.  Therefore, you can't do it in
the authorize section.

  As of the latest CVS head, you can use the post-auth section, with a
reject block, to re-write the response.  You'll probably have to
write your own module to do this, though, as it's very specific to
your system.

  Alan DeKok.



RE: Freeradius-Users digest, Vol 1 #3181 - 11 msgs

2004-05-05 Thread VanWambeck, Steve
The system that I am using does not have the /etc/pam.d directory.
I also have the 127.0.0.1 local loopback IP uncommented.

   =SvW=

   
 




openssl

2004-05-05 Thread BLANCA FERRERO RODRIGUEZ
I'm using this HOWTO 

http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

to configure eap/tls over freeradius. I'm trying to install openssl as it's explained
there but when I have to verify the sym link between some files I'm not very sure
about how to do this. Should the linked files be in the lib directory where I've
installed openssl (/usr/local/...)? If that is the case they're not there,
or should I check the Makefile to see that there is a line with the link?

thanks a lot, I'm not a LINUX administrator so I'm a bit lost with these issues.


bfr




Re: Confused by doc/variables.txt

2004-05-05 Thread Craig Huckabee


Kostas Kalevras wrote:

The above won't work. You can't just add the User-Name line in the rlm_ldap
configuration and expect it to work.
I didn't expect it to just work, but I wanted to at least try something 
before posting a question.  The documentation isn't as clear as your 
answer so I was grasping at straws.


You can either use rlm_attr_rewrite to strip the 'host/' part, or probably add
a Hint variable in the users file and use that as the filter:
--users--
DEFAULT User-Name =~ ^([^/]+)/(.*), Hint := `%{2}`
--radiusd.conf--
ldap {
filter = (cn=%{check:Hint})
...
}

I tried adding the expression to the users file as you suggest - that 
doesn't appear to work either.  I still end up with a cn='' filter.  Any 
other ideas are greatly appreciated.

Thanks,
Craig


Re: How to config to get group attributes

2004-05-05 Thread John Duino
On Wed, 2004-05-05 at 07:22, Alan DeKok wrote:
 John Duino [EMAIL PROTECTED] wrote:
  Users authenticate fine, but I am not getting any group information back
  to the Aventail. tcpdump confirms no info being passed. The group info
  is primarily in NIS, but I have even tried putting some in the local
  /etc/group for testing without success.
 
   There are no standard RADIUS attributes to send group information in
 a RADIUS packet.

I do not know if it is standard (eg, RFC defined) but it is possible.
See discussion below.
 
   As of recently in the CVS snapshots, there is a dictionary.unix
 file, with Unix group related attributes.  However... if the NAS
 documentation doesn't say it understands those attributes, then it
 won't use them.
The NAS understands the Attribute value pairs information, in this
case either Class(25) or FilterId(11) labeling, with the returned value
being the group name(s). See discussion below.
 
  I'm using Unix authentication (system uses NIS) and I'm attempting
  to access this from an Aventail EX1500.
 
   Uh, no.  The Aventail is authenticating via RADIUS.  FreeRADIUS can
 be configured to do authentication against /etc/passwd, but the
 Aventail NAS doesn't know that this is happening.

Merely a grammatical slip. I know the Aventail is using Radius.
FreeRadius is using the system's Unix-based authentication, which in
this case is NIS-based.
 
  I do not totally (obviously) grasp the intricacies of the radiusd.conf
  file, multiple authentication schemes, etc.
 
   It has nothing to do with radiusd.conf.
 
   Why are you trying to send Unix group information to the NAS?

Why does it not have to do with radiusd.conf? The section I posted
previously labeled passwd etc_group, and is directly FROM the default
radiusd.conf, is described as doing exactly what I expect/hope. The
radius server, upon positive authentication, should also then parse the
group directory (/etc/group, in this case, including its NIS extension)
and return in the Authenticator additional information labeled as
Attribute value pairs that would, in this case, be the groups the user
belongs to.

I am trying to get this for it allows me to use 'predefined' groupings
of people (in this case, people within certain unix-based groups) as
another criteria in my ACLs on the Aventail.
-- 
John Duino [EMAIL PROTECTED]
National Engineering Technology




Re: Freeradius GUI admin headaches

2004-05-05 Thread Robert Haskins
Can you point me to, or do you have an example MySQL query I could use 
for gathering unique user/month count data from the totacct/mtotacct 
tables? There doesn't seem to be anything in the stock dialupadmin 
program that does anything with these tables, though I know next to 
nothing about MySQL or PHP for that matter.

Thanks for any help you can provide.

Kostas Kalevras wrote:

Regarding my additional functionality requirement, I need a report that
shows the number of unique users who had sessions during the month. So
if I had 347 individual accounts (User-Name attribute) access the system
for the input time period, the system would report 347. This is
independent of/in addition to the count of sessions, time or MB downloaded.


You can easily use the totacct/mtotacct tables.




Re: How to config to get group attributes

2004-05-05 Thread Alan DeKok
John Duino [EMAIL PROTECTED] wrote:
 The NAS understands the Attribute value pairs information, in this
 case either Class(25) or FilterId(11) labeling, with the returned value
 being the group name(s). See discussion below.

  It would have helped if you said this at the start.  Talking about
why your solution doesn't do what you expect is often a waste of
time.

  Instead, talk about what you want to do.  In this case, it's:

  - send a Class or Filter-Id attribute to the NAS, with the content
being the names of the Unix groups to which the user belongs.

 Why does it not have to do with radiusd.conf?

  The issue is that your problem was poorly defined.  No amount of
editing radiusd.conf will cause your problem to become well-defined.

 The section I posted
 previously labeled passwd etc_group, and is directly FROM the default
 radiusd.conf, is described as doing exactly what I expect/hope.

  No, it's not.  It adds a Group-Name attribute, not a Class or
Filter-Id.

  If you edit it to add Class, or Filter-Id, it will be a little
better.

  The radius server, upon positive authentication, should also then
 parse the group directory (/etc/group, in this case, including its
 NIS extension)

  The passwd module doesn't read directories.  It reads files.  It's
documented as reading files.  It's not documented as interacting with
NIS.

  So the passwd module won't read directories, with NIS
extensions.  You've got to point it to each and every group file
you want it to read.  To do this, you probably need multiple instances
of the module, one for each file you want it to read.

 and return in the Authenticator additional information labeled as
 Attribute value pairs that would, in this case, be the groups the user
 belongs to.

  If you return them in the correct attributes.

  Alan DeKok.



Re: openssl

2004-05-05 Thread Frédéric EVRARD
 I'm using this HOWTO

 http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

 to configure eap/tls over freeradius. I'm trying to install openssl as
 it's explained there but when I have to verify the sym link between some
 files I'm not very sure about how to do this. Should the linked files be
 in the lib directory where I've installed openssl (/usr/local/...)?if that
 is the case they're not there,
 or should I check the Makefile to see that there is a line with the link?

I'm a newbie too and I use Mdk9.2 and freeradius snapshot 22-004-2004, then
I use the slocate command to find the files I need. I install all the software needed
from /usr/local/ and I add /usr/local/bin and /usr/local/sbin to my $PATH,
then it works... maybe it can help you

Fred.

 thanks a lot, I'm not LINUX administrator so I'm a bit lost with these
 issues.


 bfr




Re: How to config to get group attributes

2004-05-05 Thread John Duino
On Wed, 2004-05-05 at 09:21, Alan DeKok wrote:
 John Duino [EMAIL PROTECTED] wrote:
  The NAS understands the Attribute value pairs information, in this
  case either Class(25) or FilterId(11) labeling, with the returned value
  being the group name(s). See discussion below.
 
   It would have helped if you said this at the start.  Talking about
 why your solution doesn't do what you expect is often a waste of
 time.

Well, as I stated, I am a newbie at Radius and FreeRadius, and thus, do
not know all the 'proper' terms. And if I knew how to completely phrase
my question I would probably know how to solve it!
 
   Instead, talk about what you want to do.  In this case, it's:
 
   - send a Class or Filter-Id attribute to the NAS, with the content
 being the names of the Unix groups to which the user belongs.
 

  The section I posted
  previously labeled passwd etc_group, and is directly FROM the default
  radiusd.conf, is described as doing exactly what I expect/hope.
 
   No, it's not.  It adds a Group-Name attribute, not a Class or
 Filter-Id.
 
   If you edit it to add Class, or Filter-Id, it will be a little
 better.

Well, again, if I knew exactly of which I speak, I would not be asking
for help. 
 

   The passwd module doesn't read directories.  It reads files.  It's
 documented as reading files.  It's not documented as interacting with
 NIS.

I'm a bit confused then: if it doesn't read directories (as in a
directory server, eg NIS) how is it currently authenticating me via NIS?
 
   So the passwed module won't read directories, with NIS
 extensions.  You've got to point it to each and every group file
 you want it to read.  To do this, you probably need multiple instances
 of the module, one for each file you want it to read.


Okay, but at this point for me that's like saying, To get to the moon
you simply have to build a rocket. I am asking for help in configuring
freeradius; what do I need to do? Is module example passwd etc_group
the correct place to start? If so, and since I thought I already did
that and it did not work for me, what am I doing wrong?
-- 
John Duino [EMAIL PROTECTED]
National Engineering Technology




Re: Covad Telesurfer Resale

2004-05-05 Thread Walter Schulze
 From: Alan DeKok [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Covad Telesurfer Resale
 Date: Tue, 04 May 2004 09:57:30 -0400
 Reply-To: [EMAIL PROTECTED]

 Walter Schulze [EMAIL PROTECTED] wrote:
 ...

   Please follow list etiquette and edit your quotes.

okay. sorry.

  the problem I am having is there is not someone in the Covad NOC who can
  explain the configuration in the FreeRADIUS file they are trying to test
  for.  They ask me for user/pw & shared secret.  With that and my server
  address, they run authentication tests from their POP sites.  Each
attempt
  has failed because I do not know exactly what they are looking for to
  successfully complete their tests.

   Let me ask another question, first: Are you at all familiar with RADIUS?

My familiarity with RADIUS and FreeRADIUS comes from reading. (web-site,
comments in files, O'Reilly book).  I have no professional experience to
draw on.  I do have both an undergraduate degree and graduate degree in IT
and about nine years of industry experience to draw on.


I assume something along the lines of
  the below, but I am not sure.  Does it look right?
 
  client 64.105.202.137 {
secret = donttellanyone
shortname  = Covad_POP-1
vendor = I do not know what to put here

   There is no vendor field.  I don't know where you got the idea
 that there was one.

The above is from page 102 of the O'Reilly book.


type   = tc
login  = !root
password   = changeme

   Those three fields are for controlling simultaneous login access.
 You probably don't need them.

  Also, I am not clear on the difference between using a client
 entry and
  using a nas entry.

   I have no idea where you got the idea that there was a nas entry.

...page 103 of the O'Reilly book.


   I think at least part of the problem is that you're confusing
 yourself by inventing configurations the server doesn't understand.

   If you're at all familiar with RADIUS, the clients.conf file
 should be easily understood.

   If you're not familiar with RADIUS, I suggest buying & reading the
 O'Reilly book, and also reading the clients.conf file.  It contains
 a wealth of documentation describing what fields exist, what they
 mean, and what they're used for.

   Alan DeKok.

I have read the book and files.  Still have not passed the Covad NOC test.
Getting errors on the radiusd -X screen like the below when the test is run.
Thx for any help anyone can provide.

rad_recv: Access-Request packet from host 64.105.179.137:55324, id=82,
length=99
User-Name = [EMAIL PROTECTED]
User-Password = test
NAS-IP-Address = 192.168.7.6
NAS-Port = 99
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = sfldmidn-rb1
modcall: entering group authorize for request 14
  modcall[authorize]: module preprocess returns ok for request 14
  modcall[authorize]: module chap returns noop for request 14
  modcall[authorize]: module eap returns noop for request 14
rlm_realm: Looking up realm national-tel.com for User-Name =
[EMAIL PROTECTED]
rlm_realm: No such realm national-tel.com
  modcall[authorize]: module suffix returns noop for request 14
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
  modcall[authorize]: module files returns ok for request 14
  modcall[authorize]: module mschap returns noop for request 14
modcall: group authorize returns ok for request 14
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate for request 14
  modcall[authenticate]: module unix returns notfound for request 14
modcall: group authenticate returns notfound for request 14
auth: Failed to validate the user.
Delaying request 14 for 1 seconds
Finished request 14
Going to the next request




RE: Covad Telesurfer Resale

2004-05-05 Thread Mike Ockenga

 rad_recv: Access-Request packet from host 64.105.179.137:55324, id=82,
 length=99
 User-Name = [EMAIL PROTECTED]
 User-Password = test

So it looks like the username that the Covad NOC sends you includes an @domain 
portion, which is interpreted as a realm by FreeRADIUS.

 rlm_realm: Looking up realm national-tel.com for User-Name =
 [EMAIL PROTECTED]
 rlm_realm: No such realm national-tel.com

But there's no realm configuration.  You'll need to deal with this.  Depending on your 
situation, you can configure it to strip the realm before trying to authenticate the 
user, or do something else...

 modcall: group authorize returns ok for request 14
   rad_check_password:  Found Auth-Type System
 auth: type System
 modcall: entering group authenticate for request 14
   modcall[authenticate]: module unix returns notfound for request 14
 modcall: group authenticate returns notfound for request 14
 auth: Failed to validate the user.

If you have added a user test to your passwd file, it doesn't match [EMAIL
PROTECTED] because they're not the same.  And that would explain the notfound
message.

-- 
__ 
Mike Ockenga, CCNP  [EMAIL PROTECTED] 



Re: Confused by doc/variables.txt

2004-05-05 Thread Kostas Kalevras
On Wed, 5 May 2004, Craig Huckabee wrote:



 Kostas Kalevras wrote:

 
  The above won't work. You can't just add the User-Name line in the rlm_ldap
  configuration and expect it to work.

 I didn't expect it to just work, but I wanted to at least try something
 before posting a question.  The documentation isn't as clear as your
 answer so I was grasping at straws.


 
  You can either use rlm_attr_rewrite to strip the 'host/' part, or probably add
  a Hint variable in the users file and use that as the filter:
 
  --users--
  DEFAULT User-Name =~ ^([^/]+)/(.*), Hint := `%{2}`
 
  --radiusd.conf--
  ldap {
  filter = (cn=%{check:Hint})
  ...
  }
 
 

 I tried adding the expression to the users file as you suggest - that
 doesn't appear to work either.  I still end up with a cn='' filter.  Any
 other ideas are greatly appreciated.

The other idea is to use attr_rewrite as already suggested. In any case, make
sure that the files module comes before ldap in the authorize section for the
above to work.


 Thanks,
 Craig




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



bind clients with users

2004-05-05 Thread traix
Hi,
I am using freeradius with postgres sql and my question is:
I want to bind clients with users, is this possible and how should I do
this?

history:
we have some cafes and restaurants with their own wlan stations and
the customers get a voucher for this cafe.. and we don't want that the
customer can use this voucher at another cafe or restaurant.

Our freeradius is running and customers with their vouchers can login

Best regards and many thanks for help

traix





Re: bind clients with users

2004-05-05 Thread Kostas Kalevras
On Wed, 5 May 2004 [EMAIL PROTECTED] wrote:

 Hi,
 I am using freeradius with postgres sql and my question is:
 I want to bind clients with users, is this possible and how should I do
 this?

 history:
 we have some cafes and restaurants with their own wlan stations and
 the customers get a voucher for this cafe.. and we don't want that the
 customer can use this voucher at another cafe or restaurant.

 Our freeradius is running and customers with their vouchers can login

 Best regards and many thanks for help

Check the checkval module. Basically, you add a NAS-IP-Address check item in
each user entry (radcheck table) containing the NAS-IP-Address of the cafe the
user is about to connect and then you use checkval to reject the corresponding
user if he connects through a different cafe.


 traix





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: How to config to get group attributes

2004-05-05 Thread John Duino

On Wed, 2004-05-05 at 13:13, Alan DeKok wrote:

  Now one more question: is there any way to get FreeRadius to look at the
  NIS information, directly or indirectly?
 
   NIS supplies a lot of information.  Are you looking to have it read
 group information from NIS?  If so, there's no built-in way to do it.
 
   You can, however, run an external shell script to do it.  See the
 groups command.  Run the groups command from a shell script(see
 scripts/exec-program-wait), and turn the output into a list of Class
 += group attributes.  The server will do the rest.

Brilliant, now we're talkin'!
I added the following Exec-Program-Wait to the raddb/users file:
DEFAULT Auth-Type = System
        Exec-Program-Wait = "/usr/local/System/bin/nis-group-list.sh",
        Fall-Through = 1

And the nis-group-list.sh script is:

#!/bin/bash
# $USER_NAME is exported by Exec-Program-Wait with the value still wrapped in
# double quotes, so strip them before handing the name to groups(1).
export UN=`echo $USER_NAME | tr -d '"'`
# groups prints "user : grp1 grp2 ..."; emit one Class reply item per group
for FF in `/usr/bin/groups $UN | cut -d: -f2`
do
  echo "Class += \"$FF\","
done
echo "Framed-IP-Address = 255.255.255.255"
exit 0

One strange side-effect was encountered that the export line is used to
overcome. The environment variable $USER_NAME includes quotes around the
name (e.g., if the username is 'joe' the string translates literally as
"joe" including the quotes). 'groups' takes the quotes literally and
errors (cuz the user "joe" doesn't exist, only joe does). So I strip the
quotes. No biggie.

Thanks again for the help! I wouldn't have found the script example
without you as it appears RedHat/Fedora doesn't include them in the
install, only with the source.
-- 
John Duino [EMAIL PROTECTED]
National Engineering Technology




RE: Covad Telesurfer Resale

2004-05-05 Thread Mike Ockenga




 do you know the trick of stripping the realm before trying to 
 authenticate?

read /raddb/proxy.conf 

-- 
__ 
Mike Ockenga, CCNP  [EMAIL PROTECTED] 



freeradius-mysql schema

2004-05-05 Thread Jared Jones
The tables in the FreeRadius MySQL schema are quite confusing.
How are (clients/NAS) implemented in this schema?
Is there any tutorial available or some sort of data dictionary to help
explain the table's functionality as well as the fields?
Any help is appreciated.

Thanks,
Jared Jones



P.S. For those of you that helped me with the 'failed to open stream' post
Thank you, it was a permissions thing.



