Re: How to send reply for some client ip groups
kevin J <[EMAIL PROTECTED]> wrote:
> I want to send some reply attributes based on client's ip and its nas type.
> For example, I want to add some filters to the reply packet which will
> be sent to usr nas.
> I also want to add some special attributes to the reply packet for
> level3's ip-addresses.
> How can I configure it?

Read the "users" file, and follow the examples there.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: to use different basedn and filter for one user
Set up 3 ldap module instances, then see the doc/configurable-failover file for information on how to set this up.

--Mike

On Fri, 2004-08-13 at 17:48, kevin J wrote:
> I want to use ldap for authentication.
>
> What I want to do is
> first
> do ldapsearch with (basedn: ou=part1,ou=users,o=mycom) (filter: 'uid=%{User-Name})
> if this fails then
> do ldapsearch with (basedn: ou=part2,ou=users,o=mycom) (filter: 'uid=%{Stripped-User-Name:-%{User-Name})
> if this fails then
> do ldapsearch with (basedn: ou=part3,ou=users,o=mycom) (filter: 'uid=%{User-Name})
>
> Is there a way to configure this?
>
> Kevin
to use different basedn and filter for one user
I want to use ldap for authentication.

What I want to do is
first
do ldapsearch with (basedn: ou=part1,ou=users,o=mycom) (filter: 'uid=%{User-Name})
if this fails then
do ldapsearch with (basedn: ou=part2,ou=users,o=mycom) (filter: 'uid=%{Stripped-User-Name:-%{User-Name})
if this fails then
do ldapsearch with (basedn: ou=part3,ou=users,o=mycom) (filter: 'uid=%{User-Name})

Is there a way to configure this?

Kevin
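Mike's suggestion above, written out as an added example (it is not from the list postings or from the stock radiusd.conf): three rlm_ldap instances, one per base DN, tried in order by a redundant block using the return-code override syntax from doc/configurable-failover. The base DNs and filters are Kevin's; the server name, instance names, bind DN and CA file path are placeholders.

```text
modules {
        ldap ldap_part1 {
                server = "ldap.mycom.example"
                # StartTLS so the bind password and the users' passwords
                # never cross the wire in the clear; the CA file pins the
                # directory server's certificate.
                start_tls = yes
                tls_cacertfile = ${raddbdir}/certs/ldap-ca.pem
                tls_require_cert = "demand"
                # Read-only service account used only for searching.
                identity = "cn=radius,ou=services,o=mycom"
                password = "<bind password>"
                basedn = "ou=part1,ou=users,o=mycom"
                filter = "(uid=%{User-Name})"
                # Fetch the password during authorize so pap/eap can check
                # it; no second bind as the user is then needed.
                password_attribute = userPassword
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
        ldap ldap_part2 {
                server = "ldap.mycom.example"
                start_tls = yes
                tls_cacertfile = ${raddbdir}/certs/ldap-ca.pem
                tls_require_cert = "demand"
                identity = "cn=radius,ou=services,o=mycom"
                password = "<bind password>"
                basedn = "ou=part2,ou=users,o=mycom"
                # %{Stripped-User-Name:-%{User-Name}} expands to the name
                # left after realm stripping, falling back to User-Name.
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                password_attribute = userPassword
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
        ldap ldap_part3 {
                server = "ldap.mycom.example"
                start_tls = yes
                tls_cacertfile = ${raddbdir}/certs/ldap-ca.pem
                tls_require_cert = "demand"
                identity = "cn=radius,ou=services,o=mycom"
                password = "<bind password>"
                basedn = "ou=part3,ou=users,o=mycom"
                filter = "(uid=%{User-Name})"
                password_attribute = userPassword
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
}

authorize {
        preprocess
        suffix
        redundant {
                # A redundant block only moves on when a module returns
                # "fail".  An empty search makes rlm_ldap return "notfound",
                # so that code is remapped to a number (= keep going with
                # that priority); "return" would stop the block instead.
                ldap_part1 {
                        notfound = 1
                }
                ldap_part2 {
                        notfound = 1
                }
                ldap_part3
        }
        files
        pap
}
```

Run radiusd -X while testing with radtest: the debug output shows which instance found the user, and a User-Name containing characters such as ")" or "*" should appear escaped in the logged filter rather than altering it.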
How to send reply for some client ip groups
Hi all,

I want to send some reply attributes based on client's ip and its nas type.
For example, I want to add some filters to the reply packet which will be sent to usr nas.
I also want to add some special attributes to the reply packet for level3's ip-addresses.
How can I configure it?

Kevin
Re: [OT] Router with Radius Auth on the users site???
On Sat, 14 Aug 2004, Chan Min Wai (System Administrator) wrote:
> Greeting,
>
> I'm thinking of something, Everyone is talking on AAA and radius right
> now and there might be a time where ISP will require users to auth with
> Radius instead of PPPoE or PPTP or anything...

I suggest you go back and review how RADIUS works. RADIUS never talks to the end-user directly. The RADIUS client is the Network Access Server. It's a matter of configuration what your Frame Protocol is, if you even have one. PPPoE is still using PPP frames. That's the point -- Ethernet doesn't provide the frames for handling AAA info itself, but PPP does.
RE: freeRADIUS and Microsoft Active Directory
Hello Chris,

We use users in different ou's and it works fine. You have to use a basedn at the top of your ad.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kellogg, Chris
Sent: Friday, 13 August 2004 18:03
To: [EMAIL PROTECTED]
Subject: RE: freeRADIUS and Microsoft Active Directory

This is great information, thanks!

By the way, I found that 'UserPrincipalName' did not work; I used 'sAMAccountName' with success.

It leads to a couple new questions, however. What about people who have users broken into multiple OUs in their Active Directory? The BaseDN option in radiusd.conf appears to focus the username search to the particular OU container indicated; nothing underneath that OU will be checked. It's also apparently not possible to just give the top container and have it search.

I'm not an AD expert, so I might be missing a simple solution.

I am also trying to verify membership in a specific group; LDAP can't find it, and I'm wondering if anyone has encountered this before. I verified the Group was in the same OU as indicated by basedn, and the user is a member of that group.

What have other people done in these situations?

Chris.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 4:30 PM
To: [EMAIL PROTECTED]
Subject: RE: freeRADIUS and Microsoft Active Directory

Hello Hugo,

there is no problem to use FR with AD.

here is an example:

ldap {
        server = your.ad.server.org
        identity = "(some user; you don't need a special one, I created one only for asking AD. I have chosen the user principal name)"
        password = (the password)
        basedn = "dc=your,dc=company,dc=org"
        # here you have to choose the filter, I use the UserPrincipalName but you can choose something else too
        filter = "(UserPrincipalName=%u)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5
        # if you want to check if the user is in a special group you can use this
        groupmembership_filter = "(member=%{Ldap-UserDn})"
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

in the authorize and the authentication section you have to uncomment the ldap entry.

Your usersfile should look like this:

DEFAULT Ldap-Group == (groupname to check for), Auth-Type := LDAP
        Fall-Through = no

Good Luck

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hugo Sousa
Sent: Thursday, 12 August 2004 10:44
To: [EMAIL PROTECTED]
Subject: freeRADIUS and Microsoft Active Directory

Hi all,
Has any of you guys already configured a freeRADIUS with Microsoft Active Directory?
I know that is possible to configure "FR" with LDAP, so, I think that it's also possible to do it with AD.
If you could reply me with some example of the .conf files to this particular situation, that would be just great! :-) Thanks.

Best regards,

Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal
Radius log format issues
In a nutshell I would like to flatten the log file entries to a single comma delimited line. ie:

FROM:
Fri Aug 13 11:37:28 2004
        User-Name = "[EMAIL PROTECTED]"
        NAS-IP-Address = 192.168.243.244
        Client-IP-Address = 192.168.243.244
        Timestamp = 1092422248

TO:
datestamp,[EMAIL PROTECTED],192.168.243.244,192.168.243.244,1092422248

Is this possible in the config file someplace, or must I change the source? And does anyone know where in the source ;-)

much thanks!

--
Patrick Luke
"Composition must have its own inevitability about it" --- HCB, 1952 - 2004
Re: Segmentation Fault (freeradius-1.0.0-pre3)
"Hugo Sousa" <[EMAIL PROTECTED]> wrote:
> After I enable TLS on eap.conf there is a segmentation fault when I try to
> initiate the radius daemon.

You have two copies of OpenSSL installed. See messages earlier today to this list. See also scripts/rc.radiusd. Look for "openssl", and follow the instructions.

Alan DeKok.
Segmentation Fault (freeradius-1.0.0-pre3)
Hi.

After I enable TLS on eap.conf there is a segmentation fault when I try to initiate the radius daemon.

Here is my eap.conf:

eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        gtc {
                auth_type = PAP
        }
        leap {
        }
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
        mschap {
                authtype = MS-CHAP
        }
}

Regards.

Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal
Re: Freeradius 1.0 PRE3 and PAM
deborah malka <[EMAIL PROTECTED]> wrote:
> Is there a way, with the Pam-radius module to use another password
> encryption than PAP?

Source code modifications.

> Is it possible not to have to store the shared secret in clear on
> the pam client? It can be a lack of security!

You MUST store the shared secret in the clear. You have no other choice.

Alan DeKok.
RE: freeRADIUS and Microsoft Active Directory
Hi.

You only need the "Ldap-Group == " portion if you want to restrict authentication to those who are a member of "". Otherwise, you just leave that option out.

Chris.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hugo Sousa
> Sent: Friday, August 13, 2004 12:01 PM
> To: [EMAIL PROTECTED]
> Subject: RE: freeRADIUS and Microsoft Active Directory
>
> In the users file, what should I place so that all users
> trying to auth go to my ldap (active directory)?
>
> DEFAULT Ldap-Group == (??), Auth-Type := LDAP
>         Fall-Through = no
>
> I'm trying to make my final project in my university.
>
> The thing is:
>
> I want to allow/deny wireless users (using windows XP) using
> an Access Point, passing to Radius and querying the active directory.
>
> What should I do?
>
> Do I have to use certificates?
>
> Thanks and regards,
>
> Hugo Sousa
> SysAdmin / NetworkAdmin
> http://www.netsystems.pt
> Portugal
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kellogg, Chris
> Sent: Friday, 13 August 2004 17:03
> To: [EMAIL PROTECTED]
> Subject: RE: freeRADIUS and Microsoft Active Directory
>
> This is great information, thanks!
>
> By the way, I found that 'UserPrincipalName' did not work; I
> used 'sAMAccountName' with success.
>
> It leads to a couple new questions, however. What about
> people who have users broken into multiple OUs in their
> Active Directory? The BaseDN option in radiusd.conf appears
> to focus the username search to the particular OU container
> indicated; nothing underneath that OU will be checked. It's
> also apparently not possible to just give the top container
> and have it search.
>
> I'm not an AD expert, so I might be missing a simple solution.
>
> I am also trying to verify membership in a specific group;
> LDAP can't find it, and I'm wondering if anyone has
> encountered this before. I verified the Group was in the same
> OU as indicated by basedn, and the user is a member of that group.
>
> What have other people done in these situations?
>
> Chris.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, August 12, 2004 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: RE: freeRADIUS and Microsoft Active Directory
>
> Hello Hugo,
>
> there is no problem to use FR with AD.
>
> here is an example:
>
> ldap {
>         server = your.ad.server.org
>         identity = "(some user; you don't need a special one, I created one only for asking AD. I have chosen the user principal name)"
>         password = (the password)
>         basedn = "dc=your,dc=company,dc=org"
>         # here you have to choose the filter, I use the UserPrincipalName but you can choose something else too
>         filter = "(UserPrincipalName=%u)"
>
>         # set this to 'yes' to use TLS encrypted connections
>         # to the LDAP database by using the StartTLS extended
>         # operation.
>         # The StartTLS operation is supposed to be used with normal
>         # ldap connections instead of using ldaps (port 689) connections
>         start_tls = no
>
>         # Mapping of RADIUS dictionary attributes to LDAP
>         # directory attributes.
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>         ldap_connections_number = 5
>         # if you want to check if the user is in a special group you can use this
>         groupmembership_filter = "(member=%{Ldap-UserDn})"
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
> }
>
> in the authorize and the authentication section you have to
> uncomment the ldap entry.
>
> Your usersfile should look like this:
>
> DEFAULT Ldap-Group == (groupname to check for), Auth-Type := LDAP
>         Fall-Through = no
>
> Good Luck
>
> Markus
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hugo Sousa
> Sent: Thursday, 12 August 2004 10:44
> To: [EMAIL PROTECTED]
> Subject: freeRADIUS and Microsoft Active Directory
>
> Hi all,
> Has any of you guys already configured a freeRADIUS with
> Microsoft Active Directory?
> I know that is possible to configure "FR" with LDAP, so, I
> think that it's also possible to do it with AD.
> If you could reply me with some example of the .conf files to
> this particular situation, that would be just great! :-) Thanks.
>
> Best regards,
>
> Hugo Sousa
> SysAdmin / NetworkAdmin
> http://www.netsystems.pt
> Portugal
Re: EAP + LDAP...
"Chan Min Wai (System Administrator)" <[EMAIL PROTECTED]> wrote:
> > Please READ the comments in "eap.conf".
> >
> > Do NOT set "Auth-Type := LDAP" for EAP requests.
>
> I have no idea how to get ldap + Eap work in this way.

What part of my message was unclear?

> But just something in my mind... Should I put the ldap configuration inside:
>
> md5 {
> }

No.

> Sorry for asking something like this but I've no idea how the two
> (LDAP + EAP) work together.

You configure the LDAP module to get clear-text passwords from the LDAP database. That's it. The server comes configured to work properly by default.

Please go back and READ what I wrote. READ the comments in "eap.conf" that I told you to read. FOLLOW my instructions.

If you're not going to believe anything I say on this list, then there's no point in asking questions.

Alan DeKok.
Re: [OT] Router with Radius Auth on the users site???
have you heard of router to router authentication using cisco routers? AS53xx can do that.

//milver

- Original Message -
From: "Chan Min Wai (System Administrator)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 13, 2004 6:50 PM
Subject: [OT] Router with Radius Auth on the users site???

Greeting,

I'm thinking of something, Everyone is talking on AAA and radius right now and there might be a time where ISP will require users to auth with Radius instead of PPPoE or PPTP or anything...

Well that is not a problem for the client if he is running an OS. But what happens when he is running a router / Gateway router... There seems to be no broadband router that has radius Auth capability.

Anyone have any thoughts about that?

Thank you
Chan Min Wai
Re: EAP + LDAP...
Alan DeKok wrote:
> "Chan Min Wai (System Administrator)" <[EMAIL PROTECTED]> wrote:
>
>> Ok I've done this, putting clear-text password to the server, although I
>> think that this is not a good way. But for the time being let follow
>> your instruction ;)
>
> If you don't store clear-text passwords, then EAP WILL NOT WORK.

Ok That is fine :)

>> rad_recv: Access-Request packet from host 192.168.0.16:8021, id=11,
>> length=182
>
> ...
>
>> EAP-Message = 0x0202000b0165656c6f636b
>
> Ok, you are doing EAP.
>
>> rlm_ldap: Adding radiusAuthType as Auth-Type, value ldap & op=21
>
> That's your problem.
>
>> modcall: entering group Auth-Type for request 2
>> rlm_ldap: - authenticate
>> rlm_ldap: Attribute "User-Password" is required for authentication.
>>   modcall[authenticate]: module "ldap" returns invalid for request 2
>
> LDAP doesn't know how to do EAP.
>
> Please READ the comments in "eap.conf".
>
> Do NOT set "Auth-Type := LDAP" for EAP requests.
>
> Alan DeKok.

I have no idea how to get ldap + Eap work in this way.

But just something in my mind... Should I put the ldap configuration inside:

md5 {
}

So when they know it is eap and md5 mode it will refer back to the ldap to check the password? Am I correct or wrong.

Sorry for asking something like this but I've no idea how the two (LDAP + EAP) work together.

Thank you
Chan Min Wai
[OT] Router with Radius Auth on the users site???
Greeting,

I'm thinking of something, Everyone is talking on AAA and radius right now and there might be a time where ISP will require users to auth with Radius instead of PPPoE or PPTP or anything...

Well that is not a problem for the client if he is running an OS. But what happens when he is running a router / Gateway router... There seems to be no broadband router that has radius Auth capability.

Anyone have any thoughts about that?

Thank you
Chan Min Wai
RE: freeRADIUS and Microsoft Active Directory
In the users file, what should I place so that all users trying to auth go to my ldap (active directory)?

DEFAULT Ldap-Group == (??), Auth-Type := LDAP
        Fall-Through = no

I'm trying to make my final project in my university.

The thing is:

I want to allow/deny wireless users (using windows XP) using an Access Point, passing to Radius and querying the active directory.

What should I do?

Do I have to use certificates?

Thanks and regards,

Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kellogg, Chris
Sent: Friday, 13 August 2004 17:03
To: [EMAIL PROTECTED]
Subject: RE: freeRADIUS and Microsoft Active Directory

This is great information, thanks!

By the way, I found that 'UserPrincipalName' did not work; I used 'sAMAccountName' with success.

It leads to a couple new questions, however. What about people who have users broken into multiple OUs in their Active Directory? The BaseDN option in radiusd.conf appears to focus the username search to the particular OU container indicated; nothing underneath that OU will be checked. It's also apparently not possible to just give the top container and have it search.

I'm not an AD expert, so I might be missing a simple solution.

I am also trying to verify membership in a specific group; LDAP can't find it, and I'm wondering if anyone has encountered this before. I verified the Group was in the same OU as indicated by basedn, and the user is a member of that group.

What have other people done in these situations?

Chris.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 4:30 PM
To: [EMAIL PROTECTED]
Subject: RE: freeRADIUS and Microsoft Active Directory

Hello Hugo,

there is no problem to use FR with AD.

here is an example:

ldap {
        server = your.ad.server.org
        identity = "(some user; you don't need a special one, I created one only for asking AD. I have chosen the user principal name)"
        password = (the password)
        basedn = "dc=your,dc=company,dc=org"
        # here you have to choose the filter, I use the UserPrincipalName but you can choose something else too
        filter = "(UserPrincipalName=%u)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5
        # if you want to check if the user is in a special group you can use this
        groupmembership_filter = "(member=%{Ldap-UserDn})"
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

in the authorize and the authentication section you have to uncomment the ldap entry.

Your usersfile should look like this:

DEFAULT Ldap-Group == (groupname to check for), Auth-Type := LDAP
        Fall-Through = no

Good Luck

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hugo Sousa
Sent: Thursday, 12 August 2004 10:44
To: [EMAIL PROTECTED]
Subject: freeRADIUS and Microsoft Active Directory

Hi all,
Has any of you guys already configured a freeRADIUS with Microsoft Active Directory?
I know that is possible to configure "FR" with LDAP, so, I think that it's also possible to do it with AD.
If you could reply me with some example of the .conf files to this particular situation, that would be just great! :-) Thanks.

Best regards,

Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal
RE: RE: Conditional statement
Can you post what you found, or a link to where you found the answer? I'm interested in what you've found...

Thanks!

Chris.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MINODIER David RD-RESA-LAN
> Sent: Friday, August 13, 2004 4:35 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Conditional statement
>
> I found the solution.
> Sorry for bothering.
> Yours,
> David.
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MINODIER David RD-RESA
> > Sent: Friday, 13 August 2004 11:02
> > To: [EMAIL PROTECTED]
> > Subject: Conditional statement
> >
> > Hi,
> > I would like to authorize a given user to some services
> > depending on the NAS he is connected to. Basically I would
> > like to have something like that:
> >
> > user    Auth-Type := EAP
> >         if
> >             NAS-IP-Addr == 10.10.10.10
> >         then
> >             AUTHORIZATION_AVP1 = x1,
> >             AUTHORIZATION_AVP2 = y1
> >         else
> >             AUTHORIZATION_AVP1 = x2,
> >             AUTHORIZATION_AVP2 = y2
> >         endif
> >
> > I tried the following syntax:
> >
> > user    Auth-Type := EAP
> >         NAS-IP-Addr == 10.10.10.10, Tunnel-Type = VLAN,
> >         Tunnel-Medium-Type = dot1q, Tunnel-Private-Group-ID = MyVlan
> >         Fall-Through = 1
> >         NAS-IP-Addr != 10.10.10.10, Tunnel-Type = VLAN,
> >         Tunnel-Medium-Type = dot1q, Tunnel-Private-Group-ID = MyOtherVlan
> >
> > I get the error: Parse error (reply) for entry user:
> > expecting '=' at the first line where I have DEFAULT
> > NAS-IP-Addr == 10.10.10.10 .
> >
> > Please, can you help?
> >
> > In a more general case, is there a doc on the various
> > operators (==, =, :=, +=, etc) we can use in the "users"
> > file? any *complex* examples somewhere?
> >
> > Many thanks
> > David.
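An added example, not from David's or Kevin's messages nor from the stock FreeRADIUS files, of what the "users" file does instead of if/then/else: reply attributes chosen by NAS, for David's per-NAS VLAN above and for Kevin's reply-by-client-IP-group question in the first thread on this page. The check attribute is NAS-IP-Address (not NAS-IP-Addr), Tunnel-Medium-Type's value for 802 media is IEEE-802, and Fall-Through takes Yes/No. The 10.10.10.10 address and VLAN names are David's; the 192.0.2.x addresses, the huntgroup name "usr_nas" and the filter name are placeholders.

```text
# /etc/raddb/huntgroups -- one name for a set of NAS addresses, so the
# users file does not have to repeat them.  Huntgroups match on the
# NAS-IP-Address the NAS itself puts in the packet; it is clients.conf
# that checks the packet's real source address and shared secret, so the
# two files have to be kept in step.
usr_nas         NAS-IP-Address == 192.0.2.10
usr_nas         NAS-IP-Address == 192.0.2.11

# /etc/raddb/users -- check items stay on the first line; reply items go
# on the indented continuation lines, separated by commas.  Entries are
# tried top to bottom and the first match wins unless it sets
# Fall-Through = Yes, so the "else" branch is simply the next entry.
# No Auth-Type := EAP is set here: the eap module sets Auth-Type itself
# during authorize for EAP requests.

# NAS 10.10.10.10: put the user on MyVlan.
DEFAULT NAS-IP-Address == 10.10.10.10
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "MyVlan",
        Fall-Through = No

# Any NAS in the "usr_nas" huntgroup: hand back the name of a filter
# for the NAS to apply to the session.
DEFAULT Huntgroup-Name == "usr_nas"
        Filter-Id = "usr-dialup",
        Fall-Through = No

# Everything else: MyOtherVlan.
DEFAULT NAS-IP-Address != 10.10.10.10
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "MyOtherVlan"
```

With radiusd -X, the debug output of a radtest request shows which "users" entry matched and the reply pairs it produced, which is the quickest way to confirm the ordering does what you expect.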
RE: freeRADIUS and Microsoft Active Directory
This is great information, thanks!

By the way, I found that 'UserPrincipalName' did not work; I used 'sAMAccountName' with success.

It leads to a couple new questions, however. What about people who have users broken into multiple OUs in their Active Directory? The BaseDN option in radiusd.conf appears to focus the username search to the particular OU container indicated; nothing underneath that OU will be checked. It's also apparently not possible to just give the top container and have it search.

I'm not an AD expert, so I might be missing a simple solution.

I am also trying to verify membership in a specific group; LDAP can't find it, and I'm wondering if anyone has encountered this before. I verified the Group was in the same OU as indicated by basedn, and the user is a member of that group.

What have other people done in these situations?

Chris.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 4:30 PM
To: [EMAIL PROTECTED]
Subject: RE: freeRADIUS and Microsoft Active Directory

Hello Hugo,

there is no problem to use FR with AD.

here is an example:

ldap {
        server = your.ad.server.org
        identity = "(some user; you don't need a special one, I created one only for asking AD. I have chosen the user principal name)"
        password = (the password)
        basedn = "dc=your,dc=company,dc=org"
        # here you have to choose the filter, I use the UserPrincipalName but you can choose something else too
        filter = "(UserPrincipalName=%u)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5
        # if you want to check if the user is in a special group you can use this
        groupmembership_filter = "(member=%{Ldap-UserDn})"
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

in the authorize and the authentication section you have to uncomment the ldap entry.

Your usersfile should look like this:

DEFAULT Ldap-Group == (groupname to check for), Auth-Type := LDAP
        Fall-Through = no

Good Luck

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hugo Sousa
Sent: Thursday, 12 August 2004 10:44
To: [EMAIL PROTECTED]
Subject: freeRADIUS and Microsoft Active Directory

Hi all,
Has any of you guys already configured a freeRADIUS with Microsoft Active Directory?
I know that is possible to configure "FR" with LDAP, so, I think that it's also possible to do it with AD.
If you could reply me with some example of the .conf files to this particular situation, that would be just great! :-) Thanks.

Best regards,

Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal
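As an added example (not Markus's, Chris's or the stock radiusd.conf), the same ldap section reworked for AD with the weak settings replaced: start_tls = no becomes StartTLS with a pinned CA, basedn sits at the top of the domain so users in any OU are found, the filter uses sAMAccountName, and the group filter uses AD's own objectClass. The host name, service account DN, CA file path and group name "wireless-users" are placeholders.

```text
ldap {
        server = "dc1.your.company.org"
        port = 389
        # With start_tls = no the bind password and every user password
        # cross the network in clear text.  StartTLS on 389 (or ldaps on
        # 636) fixes that, and tls_require_cert = "demand" together with
        # the CA file makes the server prove it is the real domain
        # controller before any credential is sent.
        start_tls = yes
        tls_cacertfile = ${raddbdir}/certs/ad-ca.pem
        tls_require_cert = "demand"

        # A dedicated read-only account: it only ever searches, so give it
        # no other rights.  AD accepts a DN or a UPN here.
        identity = "cn=radius-ldap,ou=Service Accounts,dc=your,dc=company,dc=org"
        password = "<bind password>"

        # Top of the domain.  rlm_ldap searches the whole subtree below
        # basedn, so users in any OU under it are found; naming one OU as
        # basedn is exactly what limits the search to that container.
        basedn = "dc=your,dc=company,dc=org"

        # sAMAccountName is the attribute that worked for Chris.
        # Stripped-User-Name keeps a "user@realm" login matching once the
        # realm has been stripped, falling back to the full User-Name.
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

        # AD groups are objectClass=group and list member DNs in "member".
        # Ldap-Group == "name" compares "name" against groupname_attribute
        # in a search below basedn, so the group must also sit under
        # basedn.  Nested group membership is not resolved by this filter.
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"

        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

# users: only members of the AD group "wireless-users" are let in; anyone
# else reaches the Reject entry.  Auth-Type := LDAP makes the server bind
# to AD with the user's password, which only works for PAP requests; for
# EAP requests it has to be left out, as Alan says elsewhere in this digest.
DEFAULT Ldap-Group == "wireless-users", Auth-Type := LDAP
        Fall-Through = No

DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of wireless-users"
```

AD does not hand out password hashes over LDAP, so an LDAP bind can only verify PAP; the PEAP/MSCHAPv2 wireless setup Hugo asks about needs rlm_mschap's ntlm_auth option (Samba winbind) for the password check, with rlm_ldap kept for the group test.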
Re: Install challenge on RH 7.3
Alan -

Thank you for taking the time to respond and for all you do for FreeRadius!

Bob Dehn

> Message: 3
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Install challenge on RH 7.3
> Date: Thu, 12 Aug 2004 19:46:14 -0400
> Reply-To: [EMAIL PROTECTED]
>
> [EMAIL PROTECTED] wrote:
> > I am trying to install FreeRadius 1.0.0 on a RH 7.3 system and noticed
> > that rc.radiusd-redhat, radiusd-logrotate, and radiusd-pam do not get
> > installed.
>
> You have to install those by hand.
>
> Alan DeKok.
Re: PEAP LDAP
How to configure? I've already configured the users' passwords in LDAP. I stored my password in clear-text but it is not enough!!

What can I do?

Thanks for your help

Alexandre.

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 09, 2004 11:06 PM
Subject: Re: PEAP LDAP

> "Alexandre Durand" <[EMAIL PROTECTED]> wrote:
> > I want to make an authentication PEAP between Win XP, openldap, and
> > freeradius. I've a problem between mschapv2 and openldap. Indeed, I make a
> > test with PEAP without openldap and it works. But if I want to use openldap
> > + freeradius with peap I get an error in eap-mschap module of freeradius.
> >
> > error is:
> >
> > rlm_mschap: No User-Password configured. Cannot create LM-Password.
>
> So... configure a password.
>
> > So, In my Openldap I precised a clear password for my users.
>
> I'm not sure what you mean by that.
>
> In any case, stop trying to use PEAP. Instead, test your existing
> configuration with PAP requests, sent in via "radtest". If you can
> get clear-text passwords from OpenLDAP && do PAP, you can do PEAP.
>
> Alan DeKok.
Re: VoIP Implementation
Run your server in debug mode

radiusd -X

This way you will see all the details

Kafui Amedzekor.

--- "Motovilov A.V." <[EMAIL PROTECTED]> wrote:
> Hello freeradius-users-request,
>
> How can I know in Accounting Request Packet if user logins like DialUP
> or VoIP customer if NAS-IPAddress and Called-Station-ID is the same in
> any case?
>
> --
> Best regards,
> Motovilov mailto:[EMAIL PROTECTED] ICQ# 136392666
Freeradius 1.0 PRE3 and PAM
Hello,

Is there a way, with the Pam-radius module, to use another password encryption than PAP?

Is it possible not to have to store the shared secret in clear on the pam client? It can be a lack of security!

Am I on the right mailing list? If not, please tell me where I can ask these questions.

Sorry if it's not clear,

Thank you in advance,

Déborah Malka
Re: Problem with NAS Client and clients.conf
Hi,

yes, your clients.conf must know all NASes (you can use a netmask). NAS-IP-Address is not used in clients.conf.

regards
thomas

Alejandro Galue wrote:
> Hello All,
>
> I have a NAS with multiple IP Addresses, all RADIUS requests use the
> same value for NAS-IP-Address attribute; but physically auth
> requests use one IP Address and acct requests use another IP address;
> BUT all use the same value for NAS-IP-Address.
>
> For auth requests the physical IP address is the same as the
> NAS-IP-Address attribute, and the request is processed perfectly because
> this address is defined in the clients.conf file.
>
> But accounting requests use a physical IP address different from
> NAS-IP-Address, and freeradius rejects these requests because this
> physical address is not in clients.conf
>
> My question is: must clients.conf contain ALL physical IP addresses
> for every NAS or the value for NAS-IP-Address??
>
> Thanks, Alejandro.
Re: Problem with NAS Client and clients.conf
"Alejandro Galue" <[EMAIL PROTECTED]> wrote:
> My question is: clients.conf must contain ALL physical IP address for every
> NAS

Yes.

Alan DeKok.
Re: Building FreeRADIUS on solaris 9
Geoffroy Arnoud <[EMAIL PROTECTED]> wrote:
> I currently use FreeRADIUS on Solaris 8/32 bits, and
> we plan to upgrade to Solaris 9 / 64 bits.
> I wonder if FreeRADIUS sources are safe for 64 bits
> compilation?

Yes.

> Does anyone run FreeRADIUS on a 64 bits environment?

Yes.

Alan DeKok.
Problem with NAS Client and clients.conf
Hello All,

I have a NAS with multiple IP Addresses, all RADIUS requests use the same value for NAS-IP-Address attribute; but physically auth requests use one IP Address and acct requests use another IP address; BUT all use the same value for NAS-IP-Address.

For auth requests the physical IP address is the same as the NAS-IP-Address attribute, and the request is processed perfectly because this address is defined in the clients.conf file.

But accounting requests use a physical IP address different from NAS-IP-Address, and freeradius rejects these requests because this physical address is not in clients.conf

My question is: must clients.conf contain ALL physical IP addresses for every NAS or the value for NAS-IP-Address??

Thanks, Alejandro.
Re: Help
"iferial1 (Corinna Atzmueller)" <[EMAIL PROTECTED]> wrote: > The situation is very difficult. The computer sends an EAPOL-Start = > before registration. Afterwards the communication between the switch and = > the servers grows very quick. I think they are sending EAP-Requests and = > EAP-Responds all the time. You think? Why not try running it in debugging mode, to see what it's really doing. This is suggested in so many places that everyone SHOULD be doing it. > The problem is that it doesn't work! See the FAQ about asking useless questions like "it doesn't work". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius, PAM and RH Enterprise Linux 3
"Mike Bickham" <[EMAIL PROTECTED]> wrote: > I have installed pam_radius_auth (version 1.3.16) on RHEL3 and > authentication doesn't work. I have run radtest from RHEL3 and this > works fine (Accept packet received). I then put the Radius Server and > secret into the /etc/raddb/server file and now the login screen just > hangs. I get no output in any logs at all. I type the user name at the > prompt and the name just disappears. I suggest putting debug "fprintf" statements into pam_radius_auth, to see when/where it hangs. > The results of radtest show that freeRadius is working, the issue > appears to be with pam_radius_auth. Am I on the right list? Yes. It's one of the pieces of software supported by FreeRADIUS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple data information in attribute Class
"Lopez, A." <[EMAIL PROTECTED]> wrote: > Does anybody know if it is possible to send multiple 'sub-attributes' > inside the Class attribute?? The Class attribute has whatever format you want. It's just a string/ > I cannot find the way to separate those attributes when the request > arrives. Regular expressions. See 'doc/variables.txt' in the 1.0.0 release. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP + LDAP...
"Chan Min Wai (System Administrator)" <[EMAIL PROTECTED]> wrote: > Ok I've done this, putting clear-text password to the server, although I > think that this is not a good way. But for the time being let follow > your instruction ;) If you don't store clear-text passwords, then EAP WILL NOT WORK. > rad_recv: Access-Request packet from host 192.168.0.16:8021, id=11, > length=182 ... > EAP-Message = 0x0202000b0165656c6f636b Ok, you are doing EAP. > rlm_ldap: Adding radiusAuthType as Auth-Type, value ldap & op=21 That's your problem. > modcall: entering group Auth-Type for request 2 > rlm_ldap: - authenticate > rlm_ldap: Attribute "User-Password" is required for authentication. > modcall[authenticate]: module "ldap" returns invalid for request 2 LDAP doesn't know how to do EAP. Please READ the comments in "eap.conf". Do NOT set "Auth-Type := LDAP" for EAP requests. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MySql Database
When you extract the tarball, preferably matching the version you have (I haven't compared across versions, and I doubt they are different, but it's usually safer that way), there should be a doc/README-SQL.schema that points you to which file included with the tarball you can dump into MySQL to create your tables.

For instance, I'm looking at the source for freeradius-1.0.0-pre3. In doc/README-SQL.schema it points me to src/modules/rlm_sql_drivers/rlm_sql_mysql/db_mysql.sql as the structure file I can use to create my tables.

-Greg

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donald Layson
Sent: Thursday, August 12, 2004 19:03
To: [EMAIL PROTECTED]
Subject: MySql Database

Hi everybody,

Would someone help me restore the structure of my radius table and all other related tables? I accidentally dropped all the databases related to the Freeradius. Can somebody show me how to restore it from the installer, or could you send me the structure so that I can reconstruct it manually?

Thanks,
Don
Building FreeRADIUS on solaris 9
Hello,

I currently use FreeRADIUS on Solaris 8/32 bits, and we plan to upgrade to Solaris 9 / 64 bits.
I wonder if FreeRADIUS sources are safe for 64 bits compilation?
Does anyone run FreeRADIUS on a 64 bits environment?

Thanks for your answers.

Best Regards,
Geoffroy
VoIP Implementation
Hello freeradius-users-request,

How can I know in an Accounting-Request packet whether a user logs in as a DialUP or VoIP customer, if NAS-IP-Address and Called-Station-ID are the same in either case?

--
Best regards,
Motovilov mailto:[EMAIL PROTECTED]
ICQ# 136392666
Help
Dear Freeradius Users!

I have a problem with my network. The assignment is to integrate Freeradius, because of Port-Security. The plan is to wire the Freeradius-Server 093-103 with a Cisco Catalyst 2950 Switch, and then go through the ports to each computer. When a computer wants to have access to the network, it must first authenticate (802.1x) to get it. When it is allowed to, it comes into its LAN; when not, it comes into its own Guest-LAN!

The situation is very difficult. The computer sends an EAPOL-Start before registration. Afterwards the communication between the switch and the servers grows very quick. I think they are sending EAP-Requests and EAP-Responds all the time. The problem is that it doesn't work!

Could it be that the Freeradius-Server has a problem? Or is any other fact the reason? What shall we do?

It will be very nice if you could help us! Thanks a lot!

Corinna Atzmüller
[EMAIL PROTECTED]
KEBA AG Linz
RE : Conditional statement
I found the solution. Sorry for bothering.

Yours,
David.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf
> of MINODIER David RD-RESA
> Sent: Friday 13 August 2004 11:02
> To: [EMAIL PROTECTED]
> Subject: Conditional statement
>
> Hi,
> I would like to authorize a given user to some services
> depending on the NAS he is connected to. Basically I would
> like to have something like that:
>
> user  Auth-Type := EAP
>       if
>         NAS-IP-Addr == 10.10.10.10
>       then
>         AUTHORIZATION_AVP1 = x1,
>         AUTHORIZATION_AVP2 = y1
>       else
>         AUTHORIZATION_AVP1 = x2,
>         AUTHORIZATION_AVP2 = y2
>       endif
>
> I tried the following syntax:
>
> user  Auth-Type := EAP
>       NAS-IP-Addr == 10.10.10.10, Tunnel-Type = VLAN,
>       Tunnel-Medium-Type = dot1q, Tunnel-Private-Group-ID = MyVlan
>       Fall-Through = 1
>       NAS-IP-Addr != 10.10.10.10, Tunnel-Type = VLAN,
>       Tunnel-Medium-Type = dot1q, Tunnel-Private-Group-ID = MyOtherVlan
>
> I get the error: Parse error (reply) for entry user:
> expecting '=' at the first line where I have DEFAULT
> NAS-IP-Addr == 10.10.10.10.
>
> Please, can you help?
>
> In a more general case, is there a doc on the various
> operators (==, =, :=, +=, etc) we can use in the "users"
> file? Any *complex* examples somewhere?
>
> Many thanks
> David.
FreeRadius, PAM and RH Enterprise Linux 3
Hi,

Newbie to the list (and linux) so bear with me.

I have FreeRadius 0.9.3 Release 1 running on RedHat 7.2. I am using pam_radius_auth to authenticate from other RH7.2 boxes with the Radius Server. The problems have arisen when I put Red Hat Enterprise Linux 3 on the network.

I have installed pam_radius_auth (version 1.3.16) on RHEL3 and authentication doesn't work. I have run radtest from RHEL3 and this works fine (Accept packet received). I then put the Radius Server and secret into the /etc/raddb/server file and now the login screen just hangs. I get no output in any logs at all. I type the user name at the prompt and the name just disappears.

The results of radtest show that freeRadius is working, the issue appears to be with pam_radius_auth. Am I on the right list? Can anyone help as this is causing some major headaches :(

Best Regards,
Mike Bickham

This E-mail message, including any attachments, is intended only for the person or entity to which it is addressed, and may contain confidential information. If you are not the intended recipient, any review, retransmission, disclosure, copying, modification or other use of this E-mail message or attachments is strictly forbidden. If you have received this E-mail message in error, please contact the author and delete the message and any attachments from your computer. You are also advised that the views and opinions expressed in this E-mail message and any attachments are the author's own, and may not reflect the views and opinions of Digital Interactive Television Group.
No Acctsessiontime on radacct table
hello,

I am using freeradius-1.0.0 and mysql. It is able to send an authentication request and get back the reply using mysql.

I am trying to use the rlm_sqlcounter module so as to allow the user a time limit of some 10 hours. So I am trying to use the noreset counter. I have followed all the steps involved in the /usr/local/freeradius-1.0.0/doc/rlm_sqlcounter file.

Now if I send an accounting request initially with Acct-Status-Type=1 and after some time with Acct-Status-Type=2, the RADIUS server sends back the reply for both without any error. The Acctstarttime and Acctstoptime are stored in the radacct table, but Acctsessiontime is stored as zero in the radacct table.

Here are the steps that I followed

1) configured freeradius with
   make clean
   ./configure --with-experimental-modules
   make
   make install

2) Created a text file called sqlcounter.conf under raddb and included the following

   sqlcounter noresetcounter {
       counter-name = Max-All-Session-Time
       check-name = Max-All-Session
       sqlmod-inst = sql
       key = User-Name
       reset = never
       query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
   }

   sqlcounter dailycounter {
       driver = "rlm_sqlcounter"
       counter-name = Daily-Session-Time
       check-name = Max-Daily-Session
       sqlmod-inst = sqlcca3
       key = User-Name
       reset = daily
       query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
   }

   sqlcounter monthlycounter {
       counter-name = Monthly-Session-Time
       check-name = Max-Monthly-Session
       sqlmod-inst = sqlcca3
       key = User-Name
       reset = monthly
       query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
   }

3) In radiusd.conf
   modules {
       $INCLUDE ${confdir}/sql.conf
       $INCLUDE ${confdir}/sqlcounter.conf
   }

4) In radiusd.conf
   authorize {
       ...some entries here...
       ...some entries here...
       ...some entries here...
       ...some entries here...
       noresetcounter
       dailycounter
       monthlycounter
   }

5) In mysql
   INSERT into radcheck VALUES ('2','test0002','Max-All-Session','10800',':=');

Now can anyone tell me how to get this Acctsessiontime into the radacct table? And please highlight where I have gone wrong in my configuration?

Thanks in advance
regards,
manjunath
Conditional statement
Hi,

I would like to authorize a given user to some services depending on the NAS he is connected to. Basically I would like to have something like that:

user  Auth-Type := EAP
      if
        NAS-IP-Addr == 10.10.10.10
      then
        AUTHORIZATION_AVP1 = x1,
        AUTHORIZATION_AVP2 = y1
      else
        AUTHORIZATION_AVP1 = x2,
        AUTHORIZATION_AVP2 = y2
      endif

I tried the following syntax:

user  Auth-Type := EAP
      NAS-IP-Addr == 10.10.10.10, Tunnel-Type = VLAN,
      Tunnel-Medium-Type = dot1q, Tunnel-Private-Group-ID = MyVlan
      Fall-Through = 1
      NAS-IP-Addr != 10.10.10.10, Tunnel-Type = VLAN,
      Tunnel-Medium-Type = dot1q, Tunnel-Private-Group-ID = MyOtherVlan

I get the error: Parse error (reply) for entry user: expecting '=' at the first line where I have DEFAULT NAS-IP-Addr == 10.10.10.10.

Please, can you help?

In a more general case, is there a doc on the various operators (==, =, :=, +=, etc) we can use in the "users" file? Any *complex* examples somewhere?

Many thanks
David.
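The parse error is what the users file produces when a check item such as `NAS-IP-Addr == ...` is placed on a reply line: an entry's first line carries the name and the check items, and the indented lines below carry reply items only. An added example entry for the VLAN assignment above, not the poster's own solution: it uses the dictionary names (NAS-IP-Address and the IEEE-802 medium value, since NAS-IP-Addr and dot1q are not dictionary names), keeps the poster's placeholder user name, leaves Auth-Type to the eap module, and needs no Fall-Through because at most one of the two entries can match.

```text
# users file: check items on the first line, reply items indented below
user    NAS-IP-Address == 10.10.10.10
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "MyVlan"

user    NAS-IP-Address != 10.10.10.10
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "MyOtherVlan"
```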
Re: OpenSSL library linking question...
Larry LeBlanc wrote:
> Hello,
>
> I've installed OpenSSL 0.9.7d in /usr/local/ssl/ on my
> system and have configured freeRADIUS 1.0.0pre3 with:
> --with-openssl-include=/usr/local/ssl/include
> --with-openssl-libraries=/usr/local/ssl/libraries
>
> However after building I end up with radiusd having a
> dependency on /lib/libssl.so.2 which just happens to
> point to the original OpenSSL 0.9.6b library

LIBS="-L/usr/local/ssl -lssl -lcrypto" ./configure, additionally using your above --with-openssl-something flags, might be more successful.

HTH,
Stefan
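Whatever configure flags end up working, the build should be checked afterwards, because a radiusd that silently resolves to the old system libssl (as in the post) is exactly the failure mode to catch before the server goes live. An added example, not from the thread, that parses `ldd` output in the GNU "name => path" layout (an assumption) and fails if any OpenSSL library resolves outside the expected prefix:

```shell
#!/bin/sh
# Added example: verify which libssl/libcrypto a binary actually links.
# Expected ldd line format (assumed): "libssl.so.2 => /lib/libssl.so.2 (0x...)"

# Print "name path" for every OpenSSL library found in ldd output on stdin.
ssl_deps_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# Read "name path" lines on stdin; return 0 only if at least one OpenSSL
# library is present and every one of them lives under the given prefix.
ssl_deps_under() {
    prefix="$1"
    found=0
    ok=0
    while read -r name path; do
        found=1
        case "$path" in
            "$prefix"/*) ;;
            *) echo "$name resolves to $path, not under $prefix" >&2; ok=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "no OpenSSL library linked at all" >&2
        return 1
    fi
    return $ok
}

# Usage: check_radiusd_ssl /usr/local/sbin/radiusd /usr/local/ssl
# (both paths are assumptions; adjust to the install in question)
check_radiusd_ssl() {
    ldd "$1" | ssl_deps_from_ldd | ssl_deps_under "$2"
}
```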
Re: freeradius 1.0.0. pre3 - CRL howto - DIY
On Fri, 2004-08-06 at 17:15, Zdenek Pizl wrote:
> Hallo all,
>
> does there exist any howto about CRL configuration? The two line notice in
> eap.conf is indeed insufficient for me ...
>
> - what name does the CRL have to have?
> - in what directory does it have to be located? In the same as the certificates are?
> - how will freeradius know what file is the CRL, and will it use it?

OK, for everybody who needs it - and everybody really has to have CRL checking enabled.

- get the CRL file
- it must be in PEM format, so if it is in DER, just convert it by
  openssl crl -inform DER -in crl.der -outform PEM -out crl.pem
- copy the crl.pem into the directory with the rest of the certificates freeradius uses
- run c_rehash in that directory. If you do not have this program installed, it could be in the openssl or openssl-perl package according to the kind of distribution

KEYWORDS: freeradius radius CRL howto

Regards
z.p.

--
Zdenek Pizl
Systinet Corporation
Vinohradska 190
130 00 Praha 3
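The steps above as a script, added here and not part of the post: it detects whether the CRL is PEM or DER, converts it if needed, drops it next to the CA certificates, runs c_rehash, and then checks that the issuer-hash link (`<hash>.r0`) OpenSSL looks up at verification time actually exists. The certificate directory and the file name crl.pem are assumptions.

```shell
#!/bin/sh
# Added example: install a CRL for FreeRADIUS EAP-TLS the way the post
# describes, with a check that c_rehash really produced the lookup link.

# Detect the CRL encoding from the PEM armour line. Prints PEM or DER.
crl_format() {
    if head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN X509 CRL-----'; then
        echo PEM
    else
        echo DER
    fi
}

# Write the CRL "$1" to "$2" in PEM form, converting from DER when needed.
crl_to_pem() {
    case "$(crl_format "$1")" in
        PEM) cp "$1" "$2" ;;
        DER) openssl crl -inform DER -in "$1" -outform PEM -out "$2" ;;
    esac
}

# Install the CRL into the certificate directory (assumed path, passed as
# "$2") and rebuild the hash links. Returns non-zero if the CRL cannot be
# reached through its <issuer-hash>.r0 link, which is what OpenSSL opens
# when it checks a client certificate against the CRL.
install_crl() {
    crl="$1"
    certdir="$2"
    crl_to_pem "$crl" "$certdir/crl.pem" || return 1
    c_rehash "$certdir" >/dev/null 2>&1 || return 1
    h=$(openssl crl -in "$certdir/crl.pem" -noout -hash) || return 1
    [ -e "$certdir/$h.r0" ]
}
```

The file is only consulted once the tls section of eap.conf has check_crl = yes, which is the "two line notice" the question refers to.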
Multiple data information in attribute Class
Hello all,

Does anybody know if it is possible to send multiple 'sub-attributes' inside the Class attribute?? Something like:

Class = "title=Reservoir Dogs, event=pause, service=video on demand"

And split them afterwards using FreeRADIUS before storing in MySQL?? I cannot find the way to separate those attributes when the request arrives.

Any help would be really appreciated!

Thanks,
Alex
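For this question and Alan's "regular expressions" answer to it earlier on the page, an added example (not from the list) of the split done as a script, for instance on the Class values already in radacct: it assumes the ", " separator shown in the question and that no value itself contains a comma, and it also rejects a Class longer than a RADIUS string attribute can carry.

```shell
#!/bin/sh
# Added example: split a Class value like
#   "title=Reservoir Dogs, event=pause, service=video on demand"
# into its key=value sub-attributes. Separator ", " is an assumption.

# Print every "key=value" sub-attribute on its own line.
class_split() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Print the value of one sub-attribute, or nothing if it is absent.
# Matching "^key=" after the split avoids picking up a "key=" that
# happens to occur inside another value (e.g. a title containing "event=").
class_field() {
    class_split "$1" | sed -n "s/^$2=//p" | head -n 1
}

# The data part of one RADIUS attribute is at most 253 bytes (the length
# octet counts type and length too), so anything longer cannot have come
# from a single valid Class attribute.
class_check_length() {
    [ "$(printf '%s' "$1" | wc -c | tr -d ' ')" -le 253 ]
}
```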