FreeRADIUS and MySQL+SSL

2005-03-16 Thread Wolfram Schlich
Hey guys,

we would like to implement the following setup:
- FreeRADIUS radiusd on machine A
- MySQL mysqld on machine B

FreeRADIUS should use the MySQL database on machine A over an SSL
secured connection. Does FreeRADIUS support SSL for MySQL connections?
-- 
Wolfram Schlich




Using Freeradius +Dhcp +ippool

2005-03-16 Thread Chan Min Wai
Greeting,

I know that many of you are thinking of using the great feature of
ippool in FreeRADIUS to provide the IP address to the users. However,
when your NAS doesn't support that, you can forget about it and use a
dhcpd server to do the job.

Here is the script to still use the FreeRADIUS ippool function, but
with the help of a dhcpd server.

In the dhcpd server you have to open the omshell port, define the subnet
and the range, and deny unknown clients. (Security is still another issue; I don't
know much about dhcpd keys and blah blah blah.)
Then this script will work as a bridge to communicate with the dhcpd server.

I'm not sure if this is a good idea, but it seems to be what I'm looking for.

Please feel free to modify them. Best of all, send me a copy
back.

P.S. When I wrote this, I didn't think of multiple instances; if so,
please add a random number generator and append it to the file name.

This is a Hack not a solution...

Regards
Chan Min Wai


dhcpctrl.tar.gz
Description: Unix tar archive


Re: FreeRADIUS for VLAN-assignment auth. via WinNT-PDC

2005-03-16 Thread Michael Schwartzkopff

On Tuesday, 15 March 2005 23:02, Mark Wasmer wrote:
> Hello FreeRADIUS-users,
>
> I have to set up a FreeRADIUS-server to authenticate notebooks and PCs
> (Win2000, WinXP, Linux) via the existing Windows-NT PDC (will be
> replaced with Server2003 sometimes) and add them to their matching VLAN
> (using HP 2524-switches).
> Can someone give me a few hints what might be the best way to do this ?
> Through the lack of consistent documentation I can't see how to move on.
>
> The urgent questions in detail :
>
> 1. The Windows-NT server is not allowed to deliver plaintext-passwords,
> so which authentication protocol should be used ? EAP-MD5 would be fine,
> but does it work without plaintext-passwords ?

EAP/MD5 is the only way for WinNT as far as I know. MD5 hash is transferred 
over the net, so no plaintext passwords on the line.


> 2. How to get the passwords from the PDC at all ? I've read about
> rlm_smb (but is not included in the used Debian-Sarge-packet),
> ntlm_auth, winbindd, PAM_winbind and the SMB-Method described in the
> experimental.conf *puh* ???

SMB experimental yes.


> 3. If the things above work, how to define which user belongs to which
> VLAN and get RADIUS to tell this to the authenticator ?

Well, I could not imagine how WinNT could deliver VLANs since this
information is not stored in WinNT user profiles. Perhaps you have to use
realms to link user groups to VLANs. Only the username part is forwarded to
WinNT. The username could look like [EMAIL PROTECTED]

> 4. And finally - how to set up a centralized/convenient administration
> method for the whole thing which makes it easy to add/delete users ?

No chance since dialupadmin does not work with SMB. You always have to set up
two admin systems: one for WinNT, one for Radius.

The better way would be to use the AD from Win2003 directly. It should be
possible to store VLAN information in AD with a schema extension. Freeradius
can operate together with AD. Management from AD.

(private)
I can also be reached directly at the address given below!

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

misch at multinet punkt de

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


not executing the external program

2005-03-16 Thread Khushal Singh
hi all,

I have installed freeradius-1.0.1 on CentOS-4.0. I want to execute a
program after a user gets authenticated. I had gone through the
documentation but radius is not executing the program.
I want to execute the external program when a user connects and disconnects.
Please guide me.
Can anybody tell me the configuration parameters?
Thanks in advance
-- 
Khushal Singh Narooka
+919828020909




Re[2]: aqua gatekeeper sql

2005-03-16 Thread Dmitriy Milashenko
Hi, Apu.

Apu wrote on 15 March 2005, 20:15:56:

> you want to place the columns frequently changes on
> your index if you are creating 'Unique' index. The
> existing indexing scheme will work just fine, since
> you have a multiple column index. The likelihood of
> being all those similar is close to none. So, do not
> change it.
>
> -apu

It seems like I MUST change this index, because a unique index works
like a constraint and the NAS server can send stop records for caller and
callee with the same h323setuptime, NASIpaddress, and callid. But one
of them is answer and the other is originate. If the index looks like
create UNIQUE index stopvoipcombo on stopvoip(h323SetupTime, nasipaddress, CallID);
it is impossible to insert the second Accounting-Stop row. And it
seems to me the developers should change the index by adding the h323callorign
field to the index, or the other way is to make this index not unique and
add a constraint for the fields h323SetupTime, nasipaddress, CallID,
h323callorign to make duplicate records in the database impossible in
case of duplicate Accounting packets sent by the NAS server (which is
the ordinary case in the radius protocol).




RE: user list, update and get user info

2005-03-16 Thread A Bera
Hi,
Please let me know, if it is possible or not.
Thanks,

From: A Bera [EMAIL PROTECTED]
Reply-To: freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: user list, update and get user info
Date: Sat, 12 Mar 2005 04:30:56 +0530
Hi,
I have configured the freeRADIUS server on a box B. and I have configured 
pam on another box A, so that all logins to the box A will be authenticated 
by the radius server (running on box B).

1) I want to get the list of all users configured in a radius server, maybe
using pam or some other scripts running on B. Is it possible? If so, how
do I do that?

2) Can I add/delete/modify a radius user from my module running on A?
3) I am running an application on box A, which needs authentication and
authorization (which will be sent to the radius server running on B). Now for a
particular user, my module on A sends a request to the radius server running on
B. The radius server on B should authenticate the user and send back the
credentials (information like whether the user has admin privilege or not, etc.)
to my module on A. Is it possible? If so, how can I do that?

Thanks in advance,


Re: Undefined symbol with eaptls / freeradius 1.0.1 (debian)

2005-03-16 Thread Joe Maimon
Paul,
While checking out why my patch to add a function to rlm_preprocess
causes freeradius to bomb with undefined symbol I came across this post.

Just wanted to ask that you incorporate dpatch support even if you don't
migrate your patches to that. It's how I make my private deb builds.

It was incredibly easy to do yet... I simply added an include line in
debian/rules and added the patch/unpatch targets.

But I am sure you know how to use dpatch... Anyways, if you do it it's one
less thing for me to worry about building private debs!

Thanks,
Joe
Paul Hampson wrote:
On Wed, Feb 23, 2005 at 10:24:45AM +1100, Tom wrote:
> Thanks very much for your reply I appreciate your help and I've just
> got a couple of followup questions.
>
> > Just upgrading libtool won't work, as libtool 1.5 requires a more recent
> > version of autoconf than is used in FreeRADIUS 1.0.1.
> >
> > As the above post suggests, try 1.1.0 (eg. CVS head) which builds with
>
> By 1.1.0 does that mean I should download the radiusd module using
> CVS? (Not sure if you're referring to that or 1.1.0 of something
> else?).

Yeah. 'eg' should have been 'ie'

> > libtool 1.5 and autoconf 2.57 and where PEAP and TTLS _should_ work.
> > (Although I've not tested them myself)
>
> So the hypothesis is download the CVS head, re-package+compile it
> and try again?
>
> Sorry about the relatively simple questions but I didn't know there
> was a version of freeradius higher than 1.0.1 - I guess looking at the
> CVS tree there are a number of files updated there but I'm not sure if
> that constitutes v1.1.0 so I'm a bit lost as to what I'm looking for.

Sorry. Yes, FreeRADIUS 1.1.0 doesn't exist per se, I meant the head
branch of CVS.
You should be able to just grab it from CVS or a snapshot, and
dpkg-buildpackage -us -uc -rfakeroot -b
and get a whole bunch of packages out. I'm considering going to
dpatch in the CVS version, to make it easier to support in Debian,
but I've not got the time to convert yet, and have to upload 1.0.2
to Debian first.


configurating freeRADIUS

2005-03-16 Thread vicky
Hi,

I have recently downloaded and installed the latest version
(freeradius-1.0.2) from freeRADIUS.org.
I have configured the server as I want it to be but I fail to check the
configuration (for example with check-radiusd-config). I get an error
that says:

15654:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:632:Expecting: CERTIFICATE
15654:error:0200100E:system library:fopen:Bad
address:bss_file.c:259:fopen('','r')
15654:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
15654:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system
lib:ssl_rsa.c:513:
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.

The system is running on a LINUX machine, fedora 3.0

I appreciate any tips and ideas about how the error can be solved.

Thanks in advance!

Vicky




Re: configurating freeRADIUS

2005-03-16 Thread Stefan Winter
Hello,

> 15654:error:0200100E:system library:fopen:Bad
> address:bss_file.c:259:fopen('','r')

The system call is supposed to open a file, but no filename was given. That
is not going to work.

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]   tel.:   +352 424409-33
http://www.restena.lu   fax:   +352 422473



Variables defined from radiusd.conf used in included files from CVS head

2005-03-16 Thread Joe Maimon
Produced an error on startup.
Specifically ${logdir} in sql.conf
Thanks,
Joe


Undefined symbol in rlm_preprocess

2005-03-16 Thread Joe Maimon
Hello All,
I am trying to rebuild a deb package on sarge for 1.0.2 - 1.1.0pre0 that
includes a patch that adds a function to rlm_preprocess.c

(This patch, available to any who wish it, adds the attribute
Client-Short-Name with the value as defined in the clients.conf file.
It is used to match stanzas to all clients that share a common portion
of the Client-Short-Name so that requests from similar NASs may be
dealt with in a similar fashion. I prefer this approach to working off
the IP address.)

static int add_client_attr(REQUEST *request);
Which is used in the same manner as add_nas_attr() and in the same places.
Running the build gives me Undefined symbol when freeradius hits that 
point of execution during authentication requests and it exits.

grepping for add_nas_attr shows no extra work done in the source than 
that I had done for add_client_attr.

Is there something I am missing?
Thanks for any help,
Joe


Compiling freeradius 1.0.2 with mssql support

2005-03-16 Thread Achim Schmidt
Hello,

I'm still trying to compile freeradius-1.0.2 with mssql support and without
mysql. Freetds is installed and working.

What I've done:

./configure --with-freetds-include-dir=/usr/local/include 
--with-freetds-lib-dir=/usr/local/lib --without-rlm_sql_mysql 
--with-rlm_sql_freetds
make

works fine so far.
But make is not building the module:

rlm_sql_freetds.so

and I still get the following message at start:

Wed Mar 16 12:24:58 2005 : Error: rlm_sql (sql): Could not link driver rlm_sql_freetds: rlm_sql_freetds.so: cannot open shared object file: No such file or directory
Wed Mar 16 12:24:58 2005 : Error: rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.

I can't find that the lib is built in the make run. Also I'm missing another
file. If I look into the source tree of freeradius, in the subdir

src/modules/rlm_sql/drivers/rlm_sql_freetds

I saw only a Makefile. In this there is a reference to a file called

sql_freetds.c

But I can't find that file at all. It is also not included in the tgz file of the
latest freeradius.

And: yes - I downloaded the file from ftp.freeradius.org today ... so it should
be the original dist.

could anybody help me to get this running ?


thx  rgds

As


-- 
Achim Schmidt [EMAIL PROTECTED]



how to configure radiusd.conf , clients.conf and sql.conf

2005-03-16 Thread shenwei

My NAS and freeradius will run on one machine.

How do I configure these .conf files?

Is there a guide?

Thanks.

shenwei 



Re: configurating freeRADIUS

2005-03-16 Thread Stefan Winter
Hello,

> That is not my code. Didn't touch that file. Do you have any ideas about
> how to go around it?

Not mine either :-) I'd suggest to first look into eap.conf in the tls {}
stanza. It should contain file links to certificate files like

certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem

Make sure these entries exist and that they point to an existing file.

Greetings,

Stefan


-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]   tel.:   +352 424409-33
http://www.restena.lu   fax:   +352 422473
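Both of Stefan's replies come down to the same check: every *_file entry in the tls {} stanza must expand to a path that exists, and an empty value is exactly what produces the fopen('','r') error Vicky quoted earlier in the thread. The following Python script is an added example, not part of the list posts or of FreeRADIUS itself. It parses a constructed eap.conf-style tls {} stanza, expands ${raddbdir} the way the server's config does, and reports each certificate-related entry that is blank or points at a file that does not exist. The stanza text, the key list, the temporary raddbdir and the placeholder certificate contents are all constructed for the example.

```python
import os
import re
import tempfile

# Constructed tls {} stanza in eap.conf style (not the page's own file):
# two entries resolve to an existing file, CA_file points at a missing file,
# and dh_file is left empty, the case that makes OpenSSL call fopen('','r').
SAMPLE_TLS_STANZA = """
tls {
    private_key_file = ${raddbdir}/certs/cert-srv.pem
    certificate_file = ${raddbdir}/certs/cert-srv.pem
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem
    dh_file =
    fragment_size = 1024
}
"""

# Keys whose value the TLS module opens as a file (assumed list for the example).
FILE_KEYS = ("private_key_file", "certificate_file", "CA_file", "dh_file", "random_file")
VAR_RE = re.compile(r"\$\{(\w+)\}")


def parse_stanza(text):
    """Return {key: raw_value} for every 'key = value' line in the stanza.
    Comments are dropped; an empty right-hand side maps to ''."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def expand(value, variables):
    """Expand ${name} references from the variables dict. Unknown names are
    left as written so they remain visible in the report."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)


def check_tls_files(text, variables):
    """Return {key: problem} for each file entry that would make fopen() fail:
    'empty' for a blank value, 'missing' for a path that is not a regular file.
    Entries that point at an existing file are omitted."""
    problems = {}
    for key, raw in parse_stanza(text).items():
        if key not in FILE_KEYS:
            continue
        path = expand(raw, variables)
        if path == "":
            problems[key] = "empty"
        elif not os.path.isfile(path):
            problems[key] = "missing"
    return problems


def demo():
    """Run the check against SAMPLE_TLS_STANZA with a temporary raddbdir that
    contains only certs/cert-srv.pem (placeholder contents, constructed)."""
    with tempfile.TemporaryDirectory() as raddb:
        os.makedirs(os.path.join(raddb, "certs"))
        with open(os.path.join(raddb, "certs", "cert-srv.pem"), "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
        return check_tls_files(SAMPLE_TLS_STANZA, {"raddbdir": raddb})


if __name__ == "__main__":
    for key, problem in sorted(demo().items()):
        print("%s: %s" % (key, problem))
```

Run against the constructed stanza, the report names CA_file as missing and dh_file as empty, while the two entries that resolve to cert-srv.pem pass. Pointing the script at a real eap.conf requires only supplying the actual raddbdir value for the variables dict.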



Re: Compiling freeradius 1.0.2 with mssql support

2005-03-16 Thread Paul Hampson
On Wed, Mar 16, 2005 at 01:46:09PM +0100, Achim Schmidt wrote:
> Hello,
>
> I'm still trying to compile freeradius-1.0.2 with mssql support and without
> mysql. Freetds is installed and working.
>
> I cant find that the lib is builded in the make run. Also i'm missing an
> other file. If I look into the source-tree of the freeradius, in subdir:
>
> src/modules/rlm_sql/drivers/rlm_sql_freetds
>
> I saw a only a Makefile. In this there is a reference to a file called
>
> sql_freetds.c

You'd have to pull it from the CVS Attic, it's been removed for over
two years for causing problems. FreeTDS was (according to upstream
advice at the time) an internal API and it was a moving target, so
it got dropped.

http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/drivers/rlm_sql_freetds/

-- 
Paul TBBle Hampson, on an alternate email client.



Re: Using IP Pools

2005-03-16 Thread Jason Frisvold
On Sat, 12 Mar 2005 15:15:58 +0200 (EET), Kostas Kalevras
[EMAIL PROTECTED] wrote:
> --users--
>
> DEFAULT NAS-IP-Address == $RAS-IP
>         Framed-IP-Address = 255.255.255.254
>
> DEFAULT NAS-IP-Address == $OTHER-NAS-IP, Pool-Name := pool1
>
> DEFAULT NAS-IP-Address == $OTHER-NAS-IP2, Pool-Name := pool2

I haven't found a way to represent this in the mysql database.  Am I
correct in that these must be in the users file and cannot be placed
in the database?  If not, how do I represent this in the database?


> --
> Kostas Kalevras       Network Operations Center
> [EMAIL PROTECTED]     National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf


Thanks!

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



HELP:

2005-03-16 Thread Matthew Crocker

I need to configure FreeRADIUS to authenticate/authorize off LDAP (I 
have this working).  And if that fails (incorrect password, user 
unknown) to send an Accept packet back to the NAS.  In other words, I 
want to allow everyone into the NAS but if they are in LDAP use their 
specific LDAP information for the connection.

-Matt


Re: HELP:

2005-03-16 Thread Joe Maimon
Perhaps you would put the files section after ldap and have a DEFAULT 
for allow in the users file?

Matthew Crocker wrote:

> I need to configure FreeRADIUS to authenticate/authorize off LDAP (I
> have this working).  And if that fails (incorrect password, user
> unknown) to send an Accept packet back to the NAS.  In other words, I
> want to allow everyone into the NAS but if they are in LDAP use their
> specific LDAP information for the connection.
>
> -Matt




Re: Re[2]: aqua gatekeeper sql

2005-03-16 Thread Apu islam
the callid should not be the same even if the other
ones are. The chances are very very low. You can
change it (add another column to index), there is no
harm but you will increase your index size and
therefore increasing insert/delete/update operation
time on that database.

-apu

--- Dmitriy Milashenko [EMAIL PROTECTED] wrote:
> Hi, Apu.
>
> Apu wrote 15 March 2005, 20:15:56:
>
> > you want to place the columns frequently changes on
> > your index if you are creating 'Unique' index. The
> > existing indexing scheme will work just fine, since
> > you have a multiple column index. The likelihood of
> > being all those similar is close to none. So, do not
> > change it.
> >
> > -apu
>
> It seems like I MUST to change this index, because unique index works
> like constraint and NAS server can send stop records for caller and
> callee with the same h323setuptime, NASIpaddress, and callid. But one
> of them is answer and other is originate. If index looks like
> create UNIQUE index stopvoipcombo on stopvoip(h323SetupTime, nasipaddress, CallID);
> it is impossible to insert the second Accounting-Stop row. And it
> seem to me developers should change index by adding h323callorign
> field to index or the other way is to make this index not unique and
> add constraint for fields h323SetupTime, nasipaddress, CallID,
> h323callorign to make impossible duplicate records in database in
> case of duplicate sending Accounting packets by NASServer (that is
> the ordinar case in radius protocol)
>

---
Before God we are all equally wise - and equally foolish.
-Albert Einstein
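Dmitriy's post and Apu's reply above turn on what a UNIQUE index over (h323SetupTime, nasipaddress, CallID) does when a NAS sends two Accounting-Stop records for the two legs of one call, and whether widening the index still protects against retransmitted accounting packets. The following Python/sqlite3 script is an added example, not from the list posts or from the aqua gatekeeper schema. It builds a constructed stopvoip table, loads one Stop record per call leg plus one retransmitted duplicate, and counts inserts and rejections first with the three-column index from the post and then with the call-origin column added. The column name h323callorigin, the AcctSessionTime column, the table layout and all sample values are assumptions made for the example.

```python
import sqlite3

# Constructed Accounting-Stop records for a single H.323 call (not from the list post).
# The NAS emits one Stop for the originating leg and one for the answering leg; they
# share h323SetupTime, nasipaddress and CallID and differ only in the call origin.
STOP_RECORDS = [
    ("15:30:00.000 UTC Tue Mar 15 2005", "192.0.2.10",
     "8F2E1A00 0001 0001 0001 0A0000C8", "originate", 61),
    ("15:30:00.000 UTC Tue Mar 15 2005", "192.0.2.10",
     "8F2E1A00 0001 0001 0001 0A0000C8", "answer", 61),
]

# A retransmitted Stop packet: an exact duplicate of the first record. The index
# is supposed to reject this one regardless of how many columns it covers.
DUPLICATE_STOP = STOP_RECORDS[0]


def load_stops(index_columns):
    """Create an in-memory stopvoip table with a UNIQUE index over index_columns,
    insert the two call legs plus the retransmitted duplicate, and return
    (rows_inserted, rows_rejected_as_duplicate)."""
    conn = sqlite3.connect(":memory:")
    # Assumed table layout for the example; column names follow the post's spelling
    # except h323callorigin, which is normalised here.
    conn.execute("""CREATE TABLE stopvoip (
        h323SetupTime TEXT, nasipaddress TEXT, CallID TEXT,
        h323callorigin TEXT, AcctSessionTime INTEGER)""")
    conn.execute("CREATE UNIQUE INDEX stopvoipcombo ON stopvoip(%s)"
                 % ", ".join(index_columns))
    inserted = rejected = 0
    for rec in STOP_RECORDS + [DUPLICATE_STOP]:
        try:
            conn.execute("INSERT INTO stopvoip VALUES (?, ?, ?, ?, ?)", rec)
            inserted += 1
        except sqlite3.IntegrityError:
            # UNIQUE constraint violation: the row is dropped, as the post describes.
            rejected += 1
    conn.close()
    return inserted, rejected


def compare_indexes():
    """Run the same load with the post's three-column index and with the
    call-origin column appended, returning both (inserted, rejected) pairs."""
    return {
        "original": load_stops(["h323SetupTime", "nasipaddress", "CallID"]),
        "extended": load_stops(["h323SetupTime", "nasipaddress", "CallID", "h323callorigin"]),
    }


if __name__ == "__main__":
    for name, (ok, dropped) in compare_indexes().items():
        print("%-8s index: %d rows inserted, %d rejected" % (name, ok, dropped))
```

With the three-column index the answering leg is rejected along with the retransmission (1 inserted, 2 rejected), so half of the call's accounting is lost. With the call-origin column added both legs are stored and only the retransmitted packet is dropped (2 inserted, 1 rejected), which is the behaviour Dmitriy asks for and shows that the wider index still deduplicates repeated accounting packets.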





PEAP and proxying

2005-03-16 Thread Mark
Hi

My XP client is using PEAP to authenticate. It connects to a
Freeradius server that I want to proxy the requests to another
Freeradius server with a list of username/passwords to authenticate
against.

I've configured a realm in proxy.conf and it all works fine.

The problem is that I need access to the real username in the PEAP
tunnel on the proxy server. So I would like to establish the tunnel
using the local server and only once the tunnel has been created (and
I have access to the username in it) do the requests get sent to the
remote server so that I can authenticate against the user data on the
remote server.

I have seen the comment in the proxy.conf file about adding a DEFAULT
EAP-Type == PEAP, Proxy-To-Realm := LOCAL. If I added this line no PEAP
requests were forwarded to the remote server. But the authentication
failed before the TLS tunnel was set up on the proxy server.

I have attached the radius logs and config files.

Thanks in advance,
Mark


radius_logs.tgz
Description: GNU Zip compressed data


rlm_sql_mysql core dumped in FreeBSD

2005-03-16 Thread Richard Cotrina
I am getting a segmentation fault when I try to run freeradius with mysql
support (rlm_sql_mysql) in FreeBSD 4.11. I built freeradius from ports and
outside of ports too, and the result is always the same.

I've searched the list for similar reports, and the only workaround I found
for this problem is building freeradius statically. I'll try and see if it
works in this case.

Any other suggestions to solve this ?

The debug output is listed below :

# gdb /usr/local/sbin/radiusd
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as i386-unknown-freebsd...
(no debugging symbols found)...

(gdb) set args -X

(gdb) run

Starting program: /usr/local/sbin/radiusd -X
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
(no debugging symbols found)...(no debugging symbols found)...
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
(no debugging symbols found)...(no debugging symbols found)...
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
(no debugging symbols found)...(no debugging symbols found)...
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
(no debugging symbols found)...(no debugging symbols found)...
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
(no debugging symbols found)...(no debugging symbols found)...
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port = 
 sql: login = radius
 sql: password = 
 sql: radius_db = radius
 sql: acct_table = radacct
 sql: acct_table2 = radacct
 sql: authcheck_table = radcheck
 sql: authreply_table = radreply
 sql: groupcheck_table = radgroupcheck
 sql: groupreply_table = radgroupreply
 sql: usergroup_table = usergroup
 sql: nas_table = nas
 sql: dict_table = dictionary
 sql: sqltrace = no
 sql: sqltracefile = 

Re: FreeRADIUS for VLAN-assignment auth. via WinNT-PDC

2005-03-16 Thread Mark Wasmer
| EAP/MD5 is the only way for WinNT as far as I know. MD5 hash is
| transferred over the net, so no plaintext passwords on the line.
Seems I misunderstood the method - so EAP-MD5 will work fine for me :-)
| SMB experimental yes.
I'll give it a try.
| Well, I could not imagine how WinNT could deliver VLANs since these
| information is not stored in WinNT user profiles. Perhaps you have to use
| realms to link user groups to VLANs. Only the username part is
| forwarded to WinNT. The username could look like [EMAIL PROTECTED]
Wouldn't this be insecure? The users would be able to define themselves
which VLAN they join - if I understand you correctly. This is not
intended. Even so, how do I tell FreeRADIUS to strip the
@vlan-group part of the username and use it as VLAN identifier?
Greetings
~ Mark Wasmer


vlan and ldap

2005-03-16 Thread bmathieu
Hi,
I have two freeradius servers, the first of which proxies requests to the
second.
I have a user in the second server's users file and all works fine and it
takes the VLAN that is indicated in the second server's users file.
I have a DEFAULT entry in the second server's users file and users can
authenticate, but they get the VLAN of the first server's DEFAULT entry in the
users file and not of the second server's DEFAULT entry.
Is it because the second server searches for the VLAN attribute in LDAP, doesn't find
it and takes the VLAN attribute of the first server?
Thanks for help and explanation,
basile

-- 
bmathieu [EMAIL PROTECTED]




Re: EAP-TLS: limiting client certs to a select group

2005-03-16 Thread Jon Franklin
On Wed, 16 Mar 2005 00:27:03 -0600, Jon Franklin [EMAIL PROTECTED] wrote:
> On Wed, 16 Mar 2005 00:09:09 -0600, David Duchscher [EMAIL PROTECTED] wrote:
> > I am a little behind you at the moment so really hoping this helps you.
> >
> > Have you set CA_path in the configuration file to point somewhere else?
> > From the code, it looks like CA_path is set to default if you don't
> > set it in the configuration file.
>
> I haven't.  I may have misunderstood the comments in the eap.conf
> file, but my take on it was that CA_path is used for crl checking.  So
> the only time I had that variable set to something meaningful was when
> I also set check_crl = yes.  And that caused all client certificate
> validation to die horribly.
>
> I'll definitely check it out tomorrow, though, and post here with the results.

Looks like this was exactly what I needed.  I set CA_path to the
directory where my CA cert is, and only certificates issued by my
local CA are accepted.  Here's that portion of the eap.conf:

    tls {
        private_key_password = dont-you-wish
        private_key_file = ${raddbdir}/certs/radiusSrvprivkey.pem
        certificate_file = ${raddbdir}/certs/radiusSrvprivkey.pem
        CA_file = ${raddbdir}/certs/demoCA/radiusRootcert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        CA_path = ${raddbdir}/certs/demoCA
        #check_crl = no
        check_cert_cn = %{User-Name}
    }

Thank you so much for the tip!
-- 
Jon Franklin
[EMAIL PROTECTED]



Stripped-User-Name

2005-03-16 Thread Kevin Jeoung
Can Stripped-User-Name be used for ldap authorization and pap 
authentication?
What I want to do is something like

filter = ([EMAIL PROTECTED]).
But, I got @aliasdomain only.  It really stripped the full username.
Thanks in advance.
Kevin


Re: Auth-Type == EAP-MD5

2005-03-16 Thread Alan DeKok
Chan Min Wai [EMAIL PROTECTED] wrote:
> I'm forcing Auth-Type == EAP-MD5 in my LDAP default profiles attribute
> otherwise the switch auth will not pass.

  There is no Auth-Type EAP-MD5.

> What should I provided so that the auth-type will be automated?

  To do what?

  Alan DeKok.



Re: Variables defined from radiusd.conf used in included files from CVS head

2005-03-16 Thread Alan DeKok
Joe Maimon [EMAIL PROTECTED] wrote:
> Produced an error on startup.
>
> Specificaly ${logdir} in sql.conf

  Can you say what the error is, or should we guess?

  Alan DeKok.



Can I use the value of Class as the realm ?

2005-03-16 Thread Gabriel Somlo
My NAS allows for multiple groups, whose name is sent as the value
of the Class attribute.

I would like to rewrite the username from 'user' to
'user@value of Class attribute'
before the realm and/or proxy modules get ahold of the request.
This is so I can proxy to various other auth servers based on the
value of Class I received from the NAS, without having to make
users start typing in '[EMAIL PROTECTED]' as their user name.

Can I do that with FreeRadius ?

Thanks,
Gabriel



Re: PEAP and proxying

2005-03-16 Thread Alan DeKok
Mark [EMAIL PROTECTED] wrote:
> The problem is that I need access to the real username in the PEAP
> tunnel on the proxy server. So I would like to establish the tunnel
> using the local server and only once the tunnel has been created (and
> I have access to the username in it) do the requests get sent to the
> remote server so that I can authenticate against the user data on the
> remote server.

  That should work.

> I have seen the comment in the proxy.conf file about adding a DEFAULT
> EAP-Type == PEAP, Proxy-To-Realm := LOCAL.

  Under certain circumstances.

> If I added this line no PEAP requests were forwarded to the remote
> server.

  Did you tell FreeRADIUS to proxy *anything* to the remote server?

  I think you're not clear on what you want.

  a) establishing the tunnel on the local server means that
 the remote server NEVER sees PEAP

  b) establishing the tunnel on the local server means that
 you have to tell the local server to NOT proxy the PEAP session

  c) having the home server perform the authentication means that
 you have to configure the local server to proxy the tunneled
 portion of the PEAP session.


  Alan DeKok.



Re: Stripped-User-Name

2005-03-16 Thread Kenneth Grady
You didn't get a Stripped-User-Name. You need in the radiusd.conf
authorize {
...
suffix
files
...



On Wed, 2005-03-16 at 11:02, Kevin Jeoung wrote:
 Can Stripped-User-Name be used for ldap authorization and pap 
 authentication?
 What I want to do is something like
 
 filter = ([EMAIL PROTECTED]).
 
 But, I got @aliasdomain only.  It really stripped the full username.
 
 Thanks in advance.
 Kevin
 




Re: Stripped-User-Name

2005-03-16 Thread Kevin Jeoung
 Can Stripped-User-Name be used for ldap authorization and pap
 authentication?
  If it exists, yes.
When does it exist?  I used suffix in radiusd.conf but 
[EMAIL PROTECTED] became @myds.com.

 filter = ([EMAIL PROTECTED]).

 But, I got @aliasdomain only.  It really stripped the full username.
  If there's no Stripped-User-Name attribute, no, it didn't strip the
full username.
Again, when does this attribute exist?  I set suffix and dictionary 
correctly.

Kevin
  Alan DeKok.


Re: Stripped-User-Name

2005-03-16 Thread Kevin Jeoung
You didn't get a Stripped-User-Name. You need in the radiusd.conf
authorize {
...
suffix
files
...
I already did so.
Kevin

On Wed, 2005-03-16 at 11:02, Kevin Jeoung wrote:
 Can Stripped-User-Name be used for ldap authorization and pap
 authentication?
 What I want to do is something like

 filter = ([EMAIL PROTECTED]).

 But, I got @aliasdomain only.  It really stripped the full username.

 Thanks in advance.
 Kevin



Re: Stripped-User-Name

2005-03-16 Thread Michael Griego
Stripped-User-Name is created either by using realms or in the hints 
file used by the preprocess module.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Kevin Jeoung wrote:
You didn't get a Stripped-User-Name. You need in the radiusd.conf
authorize {
...
suffix
files
...
I already did so.
Kevin

On Wed, 2005-03-16 at 11:02, Kevin Jeoung wrote:
 Can Stripped-User-Name be used for ldap authorization and pap
 authentication?
 What I want to do is something like

 filter = ([EMAIL PROTECTED]).

 But, I got @aliasdomain only.  It really stripped the full username.

 Thanks in advance.
 Kevin



Re: HELP: LDAP Platypus configurable_failover

2005-03-16 Thread Matthew Crocker
I'm trying to merge two user databases with overlapping usernames.  One 
database is stored in OpenLDAP with Freeradius doing the auth.  The 
other is stored in MS-SQL/Platypus with Radiator.  Ideally I would like 
to run everything through a single FreeRADIUS server which would hit my 
LDAP server first then fail over to MS-SQL.   Right now I can't get the 
MS-SQL stuff to work properly and I'm hitting a time crunch.  The 
numbers will be ported next week which means the userbase/modem pool 
will collide next week.  As a short term measure I would like to 
configure something like

authentication {
  ldap {
 fail = 1
}
accept-everyone
}
I would then like to work on something like:
 ldap {
   fail = 1
}
 proxy   (to the radiator RADIUS server which hits MS-SQL)
Ultimately I would like:
 ldap {
  fail=1
}
mssql {
fail = 1
}
I need to figure out the correct auth_sql_query stuff to work with 
Platypus.  I already have FreeRADIUS configured to using unixODBC - 
FreeTDS - MS-SQL.  I can run queries against the MS-SQL database, just 
don't have the correct query.

At this stage in the game I don't have time to figure out the ultimate 
(read correct) solution and I just want to hit LDAP and fail over to 
accept everyone.


On Mar 16, 2005, at 10:35 AM, Joe Maimon wrote:
Perhaps you would put the files section after ldap and have a DEFAULT 
for allow in the users file?

Matthew Crocker wrote:
I need to configure FreeRADIUS to authenticate/authorize off LDAP (I 
have this working).  And if that fails (incorrect password, user 
unknown) to send an Accept packet back to the NAS.  In other words, I 
want to allow everyone into the NAS but if they are in LDAP use their 
specific LDAP information for the connection.
-Matt


Re: Stripped-User-Name

2005-03-16 Thread Alan DeKok
Kevin Jeoung [EMAIL PROTECTED] wrote:
 When does it exist?  I used suffix in radiusd.conf but 
 [EMAIL PROTECTED] became @myds.com.

  The Stripped-User-Name is added by the realms module, and it says
this in debug mode.

 Again, when does this attribute exist?  I set suffix and dictionary 
 correctly.

  As always, run the server in debugging mode and read the output.  If
you see Stripped-User-Name, then your question is answered.  If not,
then the server isn't configured to create Stripped-User-Name.

  Alan DeKok.




Re: Stripped-User-Name

2005-03-16 Thread Kenneth Grady
radiusd.conf
...
group {
redundant {
...

fail = 1
}
suffix
...
notfound = return
}
files




radiusd -X
...
Exec-Program-Wait: plaintext: Reply-Message = Remove (@lanl.gov) from
username ([EMAIL PROTECTED])
Exec-Program: returned: 0
  modcall[authorize]: module ip_check returns ok for request 6
rlm_realm: Looking up realm lanl.gov for User-Name =
[EMAIL PROTECTED]
rlm_realm: Found realm lanl.gov
rlm_realm: Adding Stripped-User-Name = klg
rlm_realm: Proxying request from user klg to realm lanl.gov
rlm_realm: Adding Realm = lanl.gov
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 6
modcall: entering group redundant for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for klg
radius_xlat: '(&(objectClass=posixAccount)(description=remote)(uid=klg))'
radius_xlat:  'dc=lanl,dc=gov'
...


with radiusd.conf
...
#suffix
...

Exec-Program-Wait: plaintext: Reply-Message = Remove (@lanl.gov) from
username ([EMAIL PROTECTED])
Exec-Program: returned: 0
  modcall[authorize]: module ip_check returns ok for request 6
modcall: entering group redundant for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat: '(&(objectClass=posixAccount)(description=remote)([EMAIL PROTECTED]))'
radius_xlat:  'dc=lanl,dc=gov'
rlm_ldap: ldap_get_conn: Checking Id: 0
...



On Wed, 2005-03-16 at 11:48, Kevin Jeoung wrote:
   Can Stripped-User-Name be used for ldap authorization and pap
   authentication?
 
If it exists, yes.
 
 When does it exist?  I used suffix in radiusd.conf but 
 [EMAIL PROTECTED] became @myds.com.
 
   filter = ([EMAIL PROTECTED]).
  
   But, I got @aliasdomain only.  It really stripped the full username.
 
If there's no Stripped-User-Name attribute, no, it didn't strip the
 full username.
 
 Again, when does this attribute exist?  I set suffix and dictionary 
 correctly.
 
 Kevin
Alan DeKok.
 
 




Re: HELP: LDAP Platypus configurable_failover

2005-03-16 Thread Alan DeKok
Matthew Crocker [EMAIL PROTECTED] wrote:
 As a short term measure I would like to 
 configure something like
 
 
 authentication {
 
ldap {
fail = 1
 }
 
 accept-everyone
 }

  See the always module.  You want to use always OK

  e.g.

authenticate {
 Auth-Type foo {
   ldap {
fail = 1
   }
   ok
 }
}

  Alan DeKok.



Re: Variables defined from radiusd.conf used in included files from CVS head

2005-03-16 Thread Joe Maimon

Alan DeKok wrote:
Joe Maimon [EMAIL PROTECTED] wrote:
Produced an error on startup.
Specifically ${logdir} in sql.conf

  Can you say what the error is, or should we guess?
  Alan DeKok.
IIRC it was an error about the variable being undefined or something to 
that effect while I was testing debian CVS head packages. I was trying 
out other items and I hadn't made a note of it. Sorry. Anyways, I can't 
seem to reproduce it now. Never mind. Sorry for the interruption.



Is it possible to select the auth module by NAS or huntgroup?

2005-03-16 Thread Omniflux
Is it possible to use different SQL authorize check queries based on the 
NAS the request is coming from?

If so, can someone point me to some documentation or an example?
Thanks!
--
Omniflux


POPTOP + RADIUS + LDAP

2005-03-16 Thread Anderson Alves de Albuquerque


 I am trying to install this:

PPTP Client (Linux/Win XP/Win 2k)  RADIUS --- LDAP

 I have a problem with user authentication with RADIUS and LDAP. Could 
someone help me?

 My RADIUS already can do user authentication by GNUGK (VOIP/H.323).


  Help me please.







Re: POPTOP + RADIUS + LDAP

2005-03-16 Thread Luis Daniel Lucio Quiroz
This topic has already been on list, 

remember, if you try to do CHAP it won't work because of crypted passwords.

On Wednesday 16 March 2005 14:50, Anderson Alves de Albuquerque wrote:
  I am trying to install this:

 PPTP Client (Linux/Win XP/Win 2k)  RADIUS --- LDAP

  I have a problem with user authentication with RADIUS and LDAP. Could
 someone help me?

  My RADIUS already can do user authentication by GNUGK (VOIP/H.323).


   Help me please.







Re: POPTOP + RADIUS + LDAP

2005-03-16 Thread guest01
Hi

What's your problem? Can you specify your problem?
All you need is the ppp-radius plugin, an installed RADIUS client
and a RADIUS server with LDAP as backend.

I had to install an identical configuration recently and after
a lot of different problems it finally works, yeah! :-)

If you specify your problem, maybe I can help you!

regards
peda




Re: HELP: LDAP Platypus configurable_failover

2005-03-16 Thread Matthew Crocker
  See the always module.  You want to use always OK
  e.g.
authenticate {
 Auth-Type foo {
   ldap {
fail = 1
   }
   ok
 }
}
Will that work on the authorization section as well?
-Matt


Cisco ACS export

2005-03-16 Thread Michael Markstaller
Sorry for a bit OT..

While (still, grumble..) doing the migration from Cisco ACS 3.1 to FreeRADIUS, 
I encountered one small problem:
it seems to be somewhat impossible to export the user passwords from this piece 
of crap.
Googling for 1 hour now I found nothing, except other users asking, and that 
commercial RADIUS vendors offer import as a service after buying their RADIUS...
The dump looks to be hex encoded but only converting to ASCII chars obviously isn't 
enough;
anybody any hint on how to get the cleartext-password out of this box ?

I expect it's quite simple with knowing how to read, the dump looks like this: 
--- cut ---
Password  : 0x0020 01 1a b1 e8 4a 13 71 ad d5 f7 af bf b2 ad 4e 85 76 39 51 
e6 53 20 43 e1 fa 39 16 ce 7c bf 45 ee 
Chap password : 0x0020 d7 09 e9 29 3a 7d a6 fc 72 46 51 de 93 bb de dc 8e 32 e1 
d1 49 38 f6 48 4f aa e0 60 22 84 f8 b3 
--- cut ---
it's: a4327rv2


TIA, 

Michael




RE: Is it possible to select the auth module by NAS or huntgroup?

2005-03-16 Thread Mitchell, Michael J

 Is it possible to use different SQL authorize check queries 
based on the NAS the request is coming from?

Yep, sure is.

What you need to do is define multiple sql module instances in the
modules section of radiusd.conf (eg include multiple sql.conf files):

sql sql1 {
blah = ...
}

sql sql2 {
blah = ...
}


In the authorize section of radiusd.conf you need to specify the
Autz-Type to use to call each of the sqlx modules, eg:


preprocess
files

...

Autz-Type SQL1 {
sql1
}

Autz-Type SQL2 {
sql2
}



Finally, in the users file define the conditions that will cause each of
the Autz-Types to be set, eg:

DEFAULT Client-IP-Address == 123.123.123.123, Autz-Type := sql1
DEFAULT Huntgroup == dsl, Autz-Type := sql2

etc...

The authorize section is possibly parsed twice, once with Autz-Type not
set, and the second time with Autz-Type set (if required I think)

Hope that helps,
Mike



ldap edirectory mschap config help

2005-03-16 Thread James Kelly
Hello

Using ver 1.01.

Upon ldap lookup we see requests like the following..

rad_recv: Access-Request packet from host 10.1.5.102:6001 id=202 length=168
User-Name = COMPUTERA\\MYUSER

We are trying to strip the COMPUTERA so that only the username is passed. We don't have a domain so the computer names are based on unique asset ids.

I have searched for a couple of hours and tried different things; nothing so far has worked.

Any suggestions on how to strip everything before the \ ?




Re: Stripped-User-Name

2005-03-16 Thread Alan DeKok
Kenneth Grady [EMAIL PROTECTED] wrote:
 rlm_ldap: performing user authorization for klg
 radius_xlat: '(&(objectClass=posixAccount)(description=remote)(uid=klg))'

  This appears to be OK.

  Earlier, you said:

filter = ([EMAIL PROTECTED]).
   
But, I got @aliasdomain only.  It really stripped the full username.

  Can you explain the discrepancy?

  Alan DeKok.



Re: HELP: LDAP Platypus configurable_failover

2005-03-16 Thread Alan DeKok
Matthew Crocker [EMAIL PROTECTED] wrote:
 Will that work on the authorization section as well?

  Read doc/configurable_failover

  Alan DeKok.



Re: ldap edirectory mschap config help

2005-03-16 Thread Alan DeKok
James Kelly [EMAIL PROTECTED] wrote:
 rad_recv: Access-Request packet from host 10.1.5.102:6001, id=202,
 length=168 
 User-Name = COMPUTERA\\MYUSER 
  
 We are trying to strip the COMPUTERA so that only the username is
 passed.  We don't have domain so the computer names are based on unique
 asset id's. 

  Create realms which are named for the computers.  Make them LOCAL.

  Alan DeKok.



Re: FreeRADIUS and MySQL+SSL

2005-03-16 Thread Wolfram Schlich
* Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
 Hey guys,
 
 we would like to implement the following setup:
 - FreeRADIUS radiusd on machine A
 - MySQL mysqld on machine B
 
 FreeRADIUS should use the MySQL database on machine A over an SSL
 secured connection. Does FreeRADIUS support SSL for MySQL connections?

I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
as the mysql sources (/usr/include/mysql/mysql.h).

It looks like you need to call mysql_ssl_set() with the needed
parameters (mysql socket connection, ssl key file, ssl cert file, ssl
ca file, ssl ca path and ssl cipher) right after the mysql_init()
call, which is located in line 76 of the sql_mysql.c file (at least in
the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
src/modules/rlm_sql/drivers/rlm_sql_mysql).

Any volunteers for coding a test implementation? :)
-- 
Wolfram Schlich




Re: ldap edirectory mschap config help

2005-03-16 Thread James Kelly
Thanks for the reply Alan

I did some searching and that was one of the conclusions I came to. However with approx 3000 workstations it is going to be a nightmare maintaining these realms. Can a forced default realm be used and then strip that name out?


[EMAIL PROTECTED] 03/17 11:47 am 
James Kelly [EMAIL PROTECTED] wrote:
 rad_recv: Access-Request packet from host 10.1.5.102:6001 id=202
 length=168
 User-Name = COMPUTERA\\MYUSER

 We are trying to strip the COMPUTERA so that only the username is
 passed. We don't have a domain so the computer names are based on unique
 asset ids.

Create realms which are named for the computers. Make them LOCAL.

Alan DeKok.




Re: ldap edirectory mschap config help

2005-03-16 Thread Alan DeKok
James Kelly [EMAIL PROTECTED] wrote:
 I did some searching and that was one of the conclusions I came to. 
 However with approx 3000 workstatations it is going to be a nightmare
 maintaining these realms.  Can a forced default realm be used and then
 strip that name out? 

  You can use regular expressions.

  Alan DeKok.

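The stripping that rlm_realm does in the "Stripped-User-Name" thread above and the "COMPUTERA\MYUSER" case in this thread, modelled in Python as an added example (this is not FreeRADIUS code; the split behaviour, the catch-all regular expression and the sample names are assumptions made for illustration). It also escapes the stripped name before it is placed into an LDAP filter like the one in Kenneth's debug output, and refuses an empty name, which is what the "@myds.com" lookup earlier in the thread would otherwise turn into a filter.

```python
import re
from typing import Optional, Tuple

# Constructed User-Name samples in the two shapes seen on the list:
# "user@realm" (the suffix instance of rlm_realm) and "HOST\user"
# (the shape from the eDirectory/MSCHAP post). Realms and hosts are made up.
SAMPLE_NAMES = ["klg@lanl.gov", "COMPUTERA\\MYUSER", "jdoe", "@myds.com"]


def split_realm(user_name: str, style: str) -> Tuple[Optional[str], Optional[str]]:
    """Model of what rlm_realm does for one delimiter style.

    Returns (Stripped-User-Name, Realm), or (None, None) when the delimiter
    is absent, in which case no Stripped-User-Name is added to the request
    (the situation Alan describes in the thread). Assumption: the suffix
    form splits on the last '@', the ntdomain form on the first '\\'.
    """
    if style == "suffix":
        if "@" not in user_name:
            return None, None
        stripped, realm = user_name.rsplit("@", 1)
        return stripped, realm
    if style == "ntdomain":
        if "\\" not in user_name:
            return None, None
        realm, stripped = user_name.split("\\", 1)
        return stripped, realm
    raise ValueError(f"unknown realm style: {style!r}")


# One regular expression instead of 3000 realm definitions: any "HOST\user"
# prefix is stripped and the host reported as the realm, which a config could
# then treat as LOCAL. Hostnames and usernames may not contain '\' or '@'
# here; adjust the classes if your asset ids do.
HOST_PREFIX = re.compile(r"^(?P<realm>[^\\@]+)\\(?P<user>[^\\]+)$")


def strip_any_host_prefix(user_name: str) -> Tuple[str, Optional[str]]:
    m = HOST_PREFIX.match(user_name)
    if m is None:
        return user_name, None
    return m.group("user"), m.group("realm")


# RFC 4515 escaping for values inserted into an LDAP search filter; without
# it a User-Name of "*" becomes (uid=*) and matches every entry.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(stripped_user_name: Optional[str]) -> str:
    """Build a (uid=...) filter like the one in the debug output, refusing the
    empty or missing names that produced the "@myds.com" lookup."""
    if not stripped_user_name:
        raise ValueError("no usable Stripped-User-Name; refusing to build a filter")
    return "(&(objectClass=posixAccount)(uid=%s))" % ldap_filter_escape(stripped_user_name)


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(name, split_realm(name, "suffix"), split_realm(name, "ntdomain"),
              strip_any_host_prefix(name))
```

Running it shows why "@myds.com" is a symptom rather than a stripped name: the suffix split yields an empty user part, and building a filter from it is refused instead of sending `(uid=)` to the directory.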


Re: Is it possible to select the auth module by NAS or huntgroup?

2005-03-16 Thread Omniflux
This works great, thanks!
And here's a note for anyone searching the archives...
Add localhost with different ports to the huntgroups used to select 
Autz-Types, and you have testing made easy!

dialup  NAS-IP-Address == 127.0.0.1, NAS-Port == 0
dsl NAS-IP-Address == 127.0.0.1, NAS-Port == 1
--
Omniflux
Mitchell, Michael J wrote:
Is it possible to use different SQL authorize check queries 
based on the NAS the request is coming from?

Yep, sure is.
What you need to do is define multiple sql module instances in the
modules section of radiusd.conf (eg include multiple sql.conf files):
sql sql1 {
blah = ...
}
sql sql2 {
blah = ...
}
In the authorize section of radiusd.conf you need to specify the
Autz-Type to use to call each of the sqlx modules, eg:
preprocess
files
...
Autz-Type SQL1 {
sql1
}
Autz-Type SQL2 {
sql2
}

Finally, in the users file define the conditions that will cause each of
the Autz-Types to be set, eg:
DEFAULT Client-IP-Address == 123.123.123.123, Autz-Type := sql1
DEFAULT Huntgroup == dsl, Autz-Type := sql2
etc...
The authorize section is possibly parsed twice, once with Autz-Type not
set, and the second time with Autz-Type set (if required I think)
Hope that helps,
Mike



Re: radutmp doesnt show any users.....

2005-03-16 Thread Rad Adm
Thanks for your reply for the Simultaneous-Use issue, but I am still
having some problems.


The radcheck table in mysql has the following entries for a certain user.

 2496 | [EMAIL PROTECTED] | Auth-Type| := | Local |
 2497 | [EMAIL PROTECTED] | Simultaneous-Use | := | 1 |
 2498 | [EMAIL PROTECTED] | User-Password| == | seesa |

I have Simultaneous-Use enabled in my radius configuration and still I
don't see it working. It accepts multiple logins at the same time.

Basically the NAS doesn't keep any record of logins and I (have to)
only rely on radius accounting.

On radius accounting, I do see two sessions started.

I am at a situation where radius accounting is able to log two
sessions but radius is not limiting logins based on the
Simultaneous-Use restrictions.

Note:
I read the documentation on Simultaneous-Use (in the installation
documentation) and it explains the concept making the assumption that
the NAS should have the list of logged-in users against which radius can
verify its list of logged-in users.

Is it possible to just implement Sim-Use based on what radius has
without worrying about what the NAS has? (If so, please guide me in the
right direction.)

Thanks






On Mon, 14 Mar 2005 09:20:53 -0500 (EST), Dustin Doris
[EMAIL PROTECTED] wrote:
 You can use sql.  Notice in the radiusd.conf file under the session
 section it lists radutmp and sql, with a note that says See Simultaneous
 Use Checking Querie in sql.conf.  It even says that the rlm_sql module is
 *much* faster at it.
 
 
 On Sat, 12 Mar 2005, Rad Adm wrote:
 
  Thanks for the reply.
 
  The problem is that the NAS ( can not ) send NAS-Port Attribute and
  that is not changeable at the moment . So that eliminates the options
  of using  radutmp.
 
  Basically i am trying to implement concurrency and while trying to do
  that i wanted to get radutmp going so that radius can figure out the
  list of users who have active sessions in radius.
 
  Now knowing that radutmp can not work .. do you have any suggestion as
  to how i am implement User Concurrency.
 
  Here some info as to what info is available from the NAS.
 
  Each time a user connects to my NAS , it send a Accounting Start
  packet and on user disconnect a Accounting Stop packet.
 
  In my Radius 's mysql database the table radacct  gets a data record
  based on each user as he/she logs in.
 
  The record on start of the session looks as follow. ( The end time of
  the record gets modified in the same record. )
 
 
  | 1129 | 481 | d5612d46b9cb2657 | [EMAIL PROTECTED] | | 10.45.0.45 | 0 | | 2005-03-12 00:51:45 | 0000-00-00 00:00:00 | 0 | ... (remaining columns empty or 0)
 
 
  and At the end of the session the record gets modified to
 
  | 1129 | 481 | d5612d46b9cb2657 | [EMAIL PROTECTED] | | 10.45.0.45 | 0 | | 2005-03-12 00:51:45 | 2005-03-12 01:04:59 | 0 | ... (remaining columns empty or 0)
 
 
  Given this information what would you suggest is the best way to go about 
  and
  implement user concurrency .
 
 
 
  Table description of radacct:

  +--------------------+-------------+------+-----+---------------------+----------------+
  | Field              | Type        | Null | Key | Default             | Extra          |
  +--------------------+-------------+------+-----+---------------------+----------------+
  | RadAcctId          | bigint(21)  |      | PRI | NULL                | auto_increment |
  | AcctSessionId      | varchar(32) |      | MUL |                     |                |
  | AcctUniqueId       | varchar(32) |      | MUL |                     |                |
  | UserName           | varchar(64) |      | MUL |                     |                |
  | Realm              | varchar(64) | YES  |     |                     |                |
  | NASIPAddress       | varchar(15) |      | MUL |                     |                |
  | NASPortId          | int(12)     | YES  |     | NULL                |                |
  | NASPortType        | varchar(32) | YES  |     | NULL                |                |
  | AcctStartTime      | datetime    |      | MUL | 0000-00-00 00:00:00 |                |
  | AcctStopTime       | datetime    |      | MUL | 0000-00-00 00:00:00 |                |
  | AcctSessionTime    | int(12)     | YES  |     | NULL                |                |
  | AcctAuthentic      | varchar(32) | YES  |     | NULL                |                |
  | ConnectInfo_start  | varchar(32) | YES  |     | NULL                |                |
  | ConnectInfo_stop   | varchar(32) | YES  |     | NULL                |                |
  | AcctInputOctets    | bigint(12)  | YES  |     | NULL                |                |
  | AcctOutputOctets   | bigint(12)  | YES  |

radwho

2005-03-16 Thread Jacques VUVANT
Hi all

I'm using EAP with freeradius, which works well, but when EAP customers are
authenticated, the radwho command doesn't show any.

Any idea ?

Thanks

Jacques






Re: Auth-Type == EAP

2005-03-16 Thread Chan Min Wai
Alan DeKok wrote:
 Chan Min Wai [EMAIL PROTECTED] wrote:
 
I'm forcing Auth-Type == EAP-MD5 in my LDAP default profiles attribute
otherwise the switch auth will not pass.
There is no Auth-Type EAP-MD5.
Sorry Auth-Type = EAP

What should I provided so that the auth-type will be automated?
   To do what?
   Alan DeKok.

To switch to EAP or normal... auth method.


Regards,

Thank You
Chan Min Wai



Re: radutmp doesnt show any users.....

2005-03-16 Thread Ery Atmodjo
Hi

Have you edited sql.conf? Uncomment Simultaneous-Checking.

Regards

Ery

On Wed, 16 Mar 2005 21:08:25 -0800, Rad Adm [EMAIL PROTECTED] wrote:
 Thanks for your reply for the Simultaneous-Use issue, but I am still
 having some problems.
 
 The radcheck table in mysql has the following entries for a certain user.
 
 2496 | [EMAIL PROTECTED] | Auth-Type| := | Local |
 2497 | [EMAIL PROTECTED] | Simultaneous-Use | := | 1 |
 2498 | [EMAIL PROTECTED] | User-Password| == | seesa |
 
 I have Simultaneous-Use enabled in my radius configuration and still I
 don't see it working. It accepts multiple logins at the same time.
 
 Basically the NAS doesn't keep any record of logins and I (have to)
 only rely on radius accounting.
 
 On radius accounting, I do see two sessions started.
 
 I am at a situation where radius accounting is able to log two
 sessions but radius is not limiting logins based on the
 Simultaneous-Use restrictions.


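The accounting-only Simultaneous-Use check that the question and Ery's answer above are about, as an added Python example run against an in-memory SQLite copy of a trimmed radacct table (this is not FreeRADIUS's own code or its sql.conf query; the rows, user names and the stale-session timeout are constructed for illustration). It counts a user's sessions that have a Start but no Stop, which is the idea behind the simultaneous-use query in sql.conf, and shows the failure mode a practitioner hits when relying on accounting alone: a lost Accounting-Stop leaves a phantom session open and the user stays locked out until it is cleared.

```python
import sqlite3
from datetime import datetime

# Trimmed radacct schema (the full column list is in the thread). An open
# session has a NULL AcctStopTime; MySQL shows that as the zero date
# 0000-00-00 00:00:00 in the dump above.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId     INTEGER PRIMARY KEY,
    AcctSessionId TEXT NOT NULL,
    AcctUniqueId  TEXT NOT NULL,
    UserName      TEXT NOT NULL,
    NASIPAddress  TEXT NOT NULL,
    NASPortId     INTEGER,
    AcctStartTime TEXT NOT NULL,
    AcctStopTime  TEXT
);
"""

# Constructed rows: two open sessions for alice (the double login from the
# thread) and one closed session for bob. Names and ids are made up.
SAMPLE_ROWS = [
    (1129, "481", "d5612d46b9cb2657", "alice@example.net", "10.45.0.45", 0,
     "2005-03-12 00:51:45", None),
    (1130, "482", "6b1f0c9d2e3a4b5c", "alice@example.net", "10.45.0.45", 0,
     "2005-03-12 00:53:10", None),
    (1131, "483", "9e8d7c6b5a493827", "bob@example.net", "10.45.0.45", 0,
     "2005-03-12 00:40:00", "2005-03-12 00:45:00"),
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def count_open_sessions(conn: sqlite3.Connection, user_name: str) -> int:
    """The accounting-only check: sessions with a Start but no Stop."""
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime IS NULL",
        (user_name,),
    ).fetchone()
    return n


def simultaneous_use_ok(conn: sqlite3.Connection, user_name: str, limit: int) -> bool:
    """Accept only while open sessions are below the user's Simultaneous-Use."""
    return count_open_sessions(conn, user_name) < limit


def close_stale_sessions(conn: sqlite3.Connection, now: str, max_age_seconds: int) -> int:
    """Stamp a Stop time on open sessions older than max_age_seconds.

    With no NAS to ask, a lost Accounting-Stop leaves a phantom open session
    that blocks the user forever; periodically closing old ones is the usual
    workaround. Returns the number of rows closed.
    """
    now_dt = datetime.strptime(now, TIME_FMT)
    stale_ids = []
    for acct_id, started in conn.execute(
        "SELECT RadAcctId, AcctStartTime FROM radacct WHERE AcctStopTime IS NULL"
    ):
        age = (now_dt - datetime.strptime(started, TIME_FMT)).total_seconds()
        if age > max_age_seconds:
            stale_ids.append(acct_id)
    conn.executemany(
        "UPDATE radacct SET AcctStopTime = ? WHERE RadAcctId = ?",
        [(now, acct_id) for acct_id in stale_ids],
    )
    conn.commit()
    return len(stale_ids)


if __name__ == "__main__":
    db = open_db()
    print("alice open sessions:", count_open_sessions(db, "alice@example.net"))
    print("alice allowed (limit 1):", simultaneous_use_ok(db, "alice@example.net", 1))
    print("closed stale:", close_stale_sessions(db, "2005-03-13 00:00:00", 3600))
    print("alice allowed now:", simultaneous_use_ok(db, "alice@example.net", 1))
```

The check is only as good as the accounting stream: the second login in the thread was accepted because the limit was never consulted against radacct, and once it is, a NAS that drops a Stop packet turns the same query into a lockout, so choose the stale timeout with the NAS's interim-update or session behaviour in mind.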


AW: Locking user accounts

2005-03-16 Thread Fiederling, Daniel
Hi Alan,

thanks for your answer. I'm using the following setup in the users file for my 
needs:

DEFAULT Auth-Type := Accept
Exec-Program-Wait = /path/to/chkauth config %{User-Name} 
%{User-Password}

DEFAULT Proxy-To-Realm := TokenServer


The first entry runs my own application (chkauth) that checks authentication, 
counts login tries and locks accounts if needed. It returns a Filter-Id on 
successful authentication. If a valid account but a wrong password is detected 
it returns Fall-Through = No and if no valid account was found Fall-Through 
= Yes is given back. 
I need to proxy requests for user accounts that are not in the database that 
chkauth uses. But it seems as if the radiusd does not honor that returned 
pseudo attribute Fall-Through. Is that correct? What can I do to achieve this 
configuration?

I have not followed your suggestion to use the exec module because I use an 
older version of freeradius that my distribution offers (0.8.1 - really old I 
know) and I haven't found that module. I'm just in development of my 
application, in the production version I think about using a newer version of 
freeradius for security reasons.

Greets 
Daniel


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, 14 March 2005 16:44
To: freeradius-users@lists.freeradius.org
Subject: Re: Locking user accounts 


Fiederling, Daniel [EMAIL PROTECTED] wrote:
 One more general question: how can I extend freeradius with shell
 scripts etc.? 

  See radiusd.conf, look for the 'exec' module.

 What config directives do I have to set to run an scripta after a
 failed auth?

  Run the 'exec' module in the 'Reject' subsection of 'postauth'.
This may only work in the CVS snapshot, I don't recall if it's in
1.0.2.

  Alan DeKok.


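The try-counting and account-locking that chkauth is described as doing above, as an added Python model (this is not Daniel's chkauth and not a FreeRADIUS module; the thresholds, the sliding window, the lock duration and the class names are assumptions). The clock is a parameter so the behaviour can be exercised offline; the point it shows is the ordering: the lock must be consulted before the password is checked, otherwise a locked account still answers differently to right and wrong passwords.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 5          # failures inside the window that trigger a lock
    window_seconds: float = 300.0  # failures older than this are forgotten
    lock_seconds: float = 900.0    # how long the account stays locked


@dataclass
class _AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LockoutTracker:
    """Counts failed logins per account and locks the account after too many.

    State lives in memory here for illustration; a checker that radiusd
    execs per request (as chkauth is) would keep it in the database it
    already reads, since each invocation is a fresh process.
    """

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self._clock = clock
        self._accounts: Dict[str, _AccountState] = {}

    def _now(self, now: Optional[float]) -> float:
        return self._clock() if now is None else now

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        return self._state(user).locked_until > self._now(now)

    def record_failure(self, user: str, now: Optional[float] = None) -> bool:
        """Record one failed attempt; returns True if this attempt locked the account."""
        t = self._now(now)
        st = self._state(user)
        cutoff = t - self.policy.window_seconds
        st.failures = [f for f in st.failures if f > cutoff]  # drop expired failures
        st.failures.append(t)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = t + self.policy.lock_seconds
            st.failures.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        """A good login clears the failure history."""
        self._accounts.pop(user, None)

    def decide(self, user: str, password_ok: bool, now: Optional[float] = None) -> str:
        """Return "locked", "accept" or "reject". The lock is checked first, so a
        locked account is refused even when the password is right."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.record_success(user)
            return "accept"
        self.record_failure(user, now)
        return "reject"


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(max_failures=3, window_seconds=60, lock_seconds=600))
    for t in (0, 1, 2):
        print("alice failure at", t, "->", tracker.decide("alice", False, now=t))
    print("alice right password at 10 ->", tracker.decide("alice", True, now=10))
    print("alice right password at 700 ->", tracker.decide("alice", True, now=700))
```

Because the state is keyed on the username alone, anyone who knows a username can lock its owner out by sending wrong passwords; in practice the lock duration is kept short and the counter is paired with per-NAS or per-client throttling.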