Re: Freeradius VLANID Question
On Wednesday, 17 August 2005 19:46, Armin Krämer wrote:
> Hi, at the moment I'm planning to build a Network based out of 20 VLAN over
> 8 Nortel switches. Depending on the given Layout of the Network I need to
> add some PCs to more than one Port based VLAN. Is it possible to give the
> VLAN ID over the Radius Server, and is it possible to send more than one
> VLAN ID for one Client to the Switch? Does this work?
>
> Armin

Hi,

It does work. I tried it with switches from HP and Cisco and I see no reason why it should not work with Nortel. I wrote an article in the German Linux Magazin 12/2004 with the details. Please mail me directly if you are interested in further details. There are also a lot of good HOWTOs, especially one from Vladimir Vuksan under:

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
about authentication with PAP
Hi all,

I wanna use PAP to authenticate the users. But I don't know how to change the radiusd.conf. Can anyone help me?

Bobby from Beijing.
mod_auth_radius values
Hello all,

I am developing a web system that authenticates users to a web site through free radius using the mod_auth_radius module for apache. It all works fine, but I would like to get the username of the user that has authenticated for use on pages once they have authenticated.

I am not sure how to go about this. I guess that the values are set in a cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I could retrieve the values, either through HTML or PHP?

Thanks,
Gareth.

- - - - - - - - - - - - - - - -
Gareth Ayres
Wireless Network Officer
Library & Information Services
University of Wales Swansea, Singleton Park, Wales, UK SA2 8PP
e-mail: [EMAIL PROTECTED]
Re: RadZap Still given (negative Port)
I compiled the cvs update and still get

[EMAIL PROTECTED] root]# radiusd -v
radiusd: FreeRADIUS Version 1.0.4, for host , built on Aug 17 2005 at 23:01:39
Copyright (C) 2000-2003 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

[EMAIL PROTECTED] root]# radwho -r
1291,1291,shell,S2148532295,Thu 09:27,192.116.123.117,10.10.11.250

[EMAIL PROTECTED] root]# radwho -RZ -u 1291
User-Name = "1291"
Acct-Session-Id = "80100047"
Acct-Status-Type = Stop
NAS-IP-Address = 192.116.123.117
NAS-Port = -2146435001
Service-type = Login-User
Framed-IP-Address = 10.10.11.250
Acct-Session-Time = 21400
Calling-Station-Id = "00:11:5B:38:1F:"

Thanks
Sarky

Alan DeKok wrote:
> "Sarkis Gabriel" <[EMAIL PROTECTED]> wrote:
> > After installing the CVS although not the latest one as of today but it
> > was suppose to have the fix for the Negative port.
>
> cvs update
>
> Alan DeKok.
Dial-up admin
Hi All,

I have freeradius operational on a new X86 dell server platform running LINUX ES. I am having issues with Dialup-admin and PHP. Has anyone installed this interface successfully on LINUX ES. Is there any docs on this. I have read the docs that comes with Dialup-admin. Any help is appreciated in advance.

Best Regards,
Allan Borman.
Re: mod_auth_radius values
"Ayres G.J." <[EMAIL PROTECTED]> wrote:
> I am developing a web system that authenticates users to a web site
> through free radius using the mod_auth_radius module for apache. It all
> works fine, but I would like to get the username of the user that has
> authenticated for use on pages once they have authenticated.

It's in the HTTP headers. The username & password are sent in every request.

> I am not sure how to go about this. I guess that the values are set in a
> cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I
> could retrieve the values, either through HTML or PHP?

Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the module source code for where the headers are, and the PHP docs for how to get at them.

Alan DeKok.
Re: General Question..
FreeRadius users mailing list on August 17, 2005 at 15:47 -0800 wrote:
>Can we use Radius/LDAP to do this.
>What I was hope we can do is as follow:
>everyone will get one user-id/password But for every service we will create
>a boolean attribute. All services, dialup/wireless/vpn/etc will use one
>radius server for both Auth(authenticate/authorize).
>The question is can FreeRadius(or any radius) be configured to as the LDAP
>for the correct service attribute and give access both base on the
>user-id/password and what the value of the services?

Sort of. The best bet is to use the LDAP "posixgroup" objectclass -- then you can force certain radius clients to require a specific group membership.

Let me know when you get closer to implementation and I can help you with some config files.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
Re: Issues authenticating vs 2003 AD
Ok using these settings it seems to authenticate with radtest

> Radius.conf
> ldap {
> server = "domcon.company.org"
> basedn = "dc=company,dc=org"
> filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
> password_attribute = "userPassword"
> identity = "cn=administrator,cn=Users,dc=company,dc=org"
> password = password

[EMAIL PROTECTED] ~]# radtest user userpass localhost:1812 1 radiussecret
Sending Access-Request of id 201 to 127.0.0.1:1812
        User-Name = "user"
        User-Password = "userpass"
        NAS-IP-Address = redguard.company.net
        NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=201, length=20

And the output of radius -X -A shows

rlm_ldap: - authorize
rlm_ldap: performing user authorization for tporritt
radius_xlat: '(sAMAccountName=tporritt)'
radius_xlat: 'dc=gtdsolutions,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=gtdsolutions,dc=org, with filter (sAMAccountName=tporritt)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tporritt authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "tporritt" with password "pantera"
rlm_ldap: user DN: CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org
rlm_ldap: (re)connect to gtds-domcon.gtdsolutions.org:389, authentication 1
rlm_ldap: bind as CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to gtds-domcon.gtdsolutions.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user tporritt authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 201 to 127.0.0.1:32770
Finished request 1

These two look to me like they authenticated the user successfully.

I have l2tp handling authentication which puts it to pppd. In /etc/ppp/options.l2tpd I have

# added for radius auth with radius
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
lcp-echo-failure 30
lcp-echo-interval 5
plugin radius.so

Is it possible that this will work? I tried using ntlm_auth with no luck from pppd as it gave me

Aug 18 10:13:56 redguard pppd[2260]: WINBIND plugin initialized.
Aug 18 10:13:56 redguard pppd[2260]: In file /etc/ppp/options.l2tpd: unrecognized option '--helper-protocol=ntlm-server-1'

The line I had was

# winbind auth
plugin winbind.so
ntlm_auth-helper /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1

Just looking for a way (and preferably an example) of the authentication vs AD since I don't seem to understand how to do it. I have looked in radius.conf and enabled the ntlm authentication but it seems to insist upon using chap and not mschap-v2, is there a difference? It still complains about the "no cleartext password"

An example would be greatly appreciated!

Thanks
Tim
Re: Issues authenticating vs 2003 AD
Tim P <[EMAIL PROTECTED]> wrote:
> Ok using these settings it seems to authenticate with radtest
...
> [EMAIL PROTECTED] ~]# radtest user userpass localhost:1812 1 radiussecret

i.e. clear-text password.

> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...

i.e. NO PASSWORD WAS RETURNED BY AD.

> rlm_ldap: bind as CN=Tim
> Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to
> gtds-domcon.gtdsolutions.org:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user tporritt authenticated succesfully

i.e. You're binding to AD as the user.

You are using AD as an "authentication oracle". You hand it bits of information, and it returns yes/no. You are NOT using AD as a database.

> These two look to me like they authenticated the user successfully.

Yes. Now try MSCHAP.

> In /etc/ppp/options.l2tpd I have
..
> Is it possible that this will work?

Yes. But you're not getting the password from AD.

As I said: AD will not supply the password. Nothing in what you've posted contradicts that.

> Just looking for a way (and preferably and example) of the
> authentication vs AD since I don't seem to understand how to do it. I
> have looked in radius.conf and enabled the ntlm authentication but it
> seems to insist upon using chap and not mschap-v2, is there a
> difference?

The client asks for CHAP, so that's what the RADIUS server sees. The RADIUS server DOES NOT, and CAN NOT change the authentication method the client uses.

> It still complains about the "no cleartext password"

Because, as I've said repeatedly, AD doesn't supply the password to you.

Alan DeKok.
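Added illustration, not part of the original post or of FreeRADIUS: a small Python model of the "authentication oracle" point above, showing why a bind-only backend can check PAP but leaves the server with "no cleartext password" for CHAP. The class and function names and the sample account are constructed for this example; the CHAP formula is the one from RFC 1994, and MS-CHAP has the same shape with a different hash.

```python
import hashlib
import hmac


class BindOracle:
    """Constructed stand-in for a directory that only answers bind attempts.

    The password stays inside the oracle; callers get yes/no, never the value.
    """

    def __init__(self, accounts):
        self._accounts = dict(accounts)

    def bind(self, user, password):
        stored = self._accounts.get(user)
        return stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_pap(oracle, user, password):
    # PAP: the server holds the password the client typed, so it can simply
    # hand it to the oracle and relay the yes/no answer.
    return oracle.bind(user, password)


def verify_chap(user, ident, challenge, response, known_password=None):
    # CHAP: the server holds only a hash of the password mixed with a
    # challenge. Checking it means recomputing that hash, which needs the
    # password itself. A bind-only backend never supplies it.
    if known_password is None:
        raise LookupError("no cleartext password for %s" % user)
    expected = chap_response(ident, known_password, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    oracle = BindOracle({"alice": "constructed-pass"})  # constructed account
    challenge = bytes(range(16))                        # constructed challenge
    response = chap_response(7, "constructed-pass", challenge)
    out = {"pap": verify_pap(oracle, "alice", "constructed-pass")}
    try:
        out["chap_with_oracle_only"] = verify_chap("alice", 7, challenge, response)
    except LookupError as exc:
        out["chap_with_oracle_only"] = str(exc)
    out["chap_with_password"] = verify_chap(
        "alice", 7, challenge, response, known_password="constructed-pass")
    return out


if __name__ == "__main__":
    print(demo())
```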
Re: mod_auth_radius values
Try the environment variable REMOTE_USER

#!/usr/bin/perl
# Dump every CGI environment variable, one per line; the authenticated
# username is in REMOTE_USER.
print "Content-type: text/html\n\n";
foreach $key (keys %ENV) {
    print "$key --> $ENV{$key}<br>\n";
}

Ken

Alan DeKok wrote:
> "Ayres G.J." <[EMAIL PROTECTED]> wrote:
> > I am developing a web system that authenticates users to a web site
> > through free radius using the mod_auth_radius module for apache. It all
> > works fine, but I would like to get the username of the user that has
> > authenticated for use on pages once they have authenticated.
>
> It's in the HTTP headers. The username & password are sent in every
> request.
>
> > I am not sure how to go about this. I guess that the values are set in a
> > cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I
> > could retrieve the values, either through HTML or PHP?
>
> Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the
> module source code for where the headers are, and the PHP docs for how
> to get at them.
>
> Alan DeKok.
Re: mod_auth_radius values
or even easier, if apache is setup for SSI, you can just plunk this into your web page where you want the authenticated username:

Ken

Alan DeKok wrote:
> "Ayres G.J." <[EMAIL PROTECTED]> wrote:
> > I am developing a web system that authenticates users to a web site
> > through free radius using the mod_auth_radius module for apache. It all
> > works fine, but I would like to get the username of the user that has
> > authenticated for use on pages once they have authenticated.
>
> It's in the HTTP headers. The username & password are sent in every
> request.
>
> > I am not sure how to go about this. I guess that the values are set in a
> > cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I
> > could retrieve the values, either through HTML or PHP?
>
> Not HTML. Maybe PHP, if it allows you to get HTTP headers. See the
> module source code for where the headers are, and the PHP docs for how
> to get at them.
>
> Alan DeKok.
Re: Issues authenticating vs 2003 AD
Sorry to keep asking but can you post an example (using mschap) to authenticate from freeradius to AD using the ntlm_auth method?

On 8/18/05, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Tim P <[EMAIL PROTECTED]> wrote:
> > Ok using these settings it seems to authenticate with radtest
> ...
> > [EMAIL PROTECTED] ~]# radtest user userpass localhost:1812 1 radiussecret
>
> i.e. clear-text password.
>
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
>
> i.e. NO PASSWORD WAS RETURNED BY AD.
>
> > rlm_ldap: bind as CN=Tim
> > Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to
> > gtds-domcon.gtdsolutions.org:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: user tporritt authenticated succesfully
>
> i.e. You're binding to AD as the user.
>
> You are using AD as an "authentication oracle". You hand it bits of
> information, and it returns yes/no. You are NOT using AD as a database.
>
> > These two look to me like they authenticated the user successfully.
>
> Yes. Now try MSCHAP.
>
> > In /etc/ppp/options.l2tpd I have
> ..
> > Is it possible that this will work?
>
> Yes. But you're not getting the password from AD.
>
> As I said: AD will not supply the password. Nothing in what you've
> posted contradicts that.
>
> > Just looking for a way (and preferably and example) of the
> > authentication vs AD since I don't seem to understand how to do it. I
> > have looked in radius.conf and enabled the ntlm authentication but it
> > seems to insist upon using chap and not mschap-v2, is there a
> > difference?
>
> The client asks for CHAP, so that's what the RADIUS server sees.
> The RADIUS server DOES NOT, and CAN NOT change the authentication
> method the client uses.
>
> > It still complains about the "no cleartext password"
>
> Because, as I've said repeatedly, AD doesn't supply the password to
> you.
>
> Alan DeKok.
Re: Issues authenticating vs 2003 AD
Tim P <[EMAIL PROTECTED]> wrote:
> Sorry to keep asking but can you post an example (using mschap) to
> authenticate from freeradius to AD using the ntlm_auth method?

What's wrong with reading radiusd.conf?

Alan DeKok.
FR suddenly doesn't respond any more and eats all cpu
Hello everyone,

I've configured here a FreeRADIUS 1.0.4 and I'm running it now to handle test requests. First, everything looked ok. FR responded to all requests correctly. But suddenly it didn't respond any more to RADIUS requests and I saw it used 1 of my 2 cpus completely. Before it took between 1-2 percent of the cpu. FreeRADIUS could not even be killed by a normal kill, I needed kill -9 to terminate it. It's very strange to me that this happened after half an hour of normal behavior.

Then I started FreeRADIUS in debugging mode (-X) but then the error didn't occur until I stopped it 1 day later. Just now I ran it again in not-debugging mode and again after about half an hour the same strange error: processor load about 99% and no responses to any requests. And at the moment there are really few RADIUS requests.

As I wrote, I don't have any debugging output before the error occurred. The error doesn't occur when running in debugging mode. It doesn't want to be caught ;-)

Nevertheless, has anyone yet seen such a behavior or has an idea where to look or a guess for the reason?

Thanks a lot,
Benedikt

--
Benedikt Panzer
Abteilung Ausbildung
Rechenzentrum Universität Stuttgart
Allmandring 30
70550 Stuttgart
www.rus.uni-stuttgart.de
MPPE/PEAP support not in anything but CVS snapshots?
I have a quick question, I ran across a note in a document about 0.97 stating that MPPE support was only in the nightly snapshots and not in the normal releases.

(http://www.alphacore.net/contrib/nantes-wireless/eap-tls-HOWTO.html)

If this changed since 2002, could someone let me know when? Otherwise I'm chasing my tail using a RHEL ES RPM which starts, runs but won't start the EAP piece, but a freshly compiled version works fine.

I have a client who's a stickler for using the "vendor"-blessed versions and I've been trying to figure out why this has been more difficult to set up than most of my out-of-the-box configs.

Thanks a bunch!
Re: MPPE/PEAP support not in anything but CVS snapshots?
"Bill Carr" <[EMAIL PROTECTED]> wrote:
> I have a quick question, I ran across a note in a document about
> 0.97 stating that MPPE support was only in the nightly snapshots and
> not in the normal releases.
>
> (http://www.alphacore.net/contrib/nantes-wireless/eap-tls-HOWTO.html)
>
> If this changed since 2002, could someone let me know when?

When 1.0.0 was released.

> Otherwise I'm chasing my tail using a RHEL ES RPM which starts, runs
> but won't start the EAP piece, but a freshly compiled version works
> fine.

Since you won't say what (if any) error message is produced, it's a little difficult to help you.

> I have a client who's a stickler for using the "vendor"-blessed
> versions and I've been trying to figure out why this has been more
> difficult to set up than most of my out-of-the-box configs.

You're also not saying which version you're trying to install. Try giving information which will help people understand what you're doing.

And if you're installing 0.9.x, the official answer is "don't".

Alan DeKok.