reject some users from radius - ldap ?

2005-09-07 Thread Frank Bonnet

Hello

I use freeradius with ldap to manage wi-fi users ( thru chillispot )
everything works well but I would like to know if it is possible
to exclude some users with radius ?

My purpose is to forbid wi-fi access BUT still allow wired LAN access
for the users concerned.

Thanks a lot.
--
Cordialement/Regards
Frank Bonnet
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


difference between Acct-Session-Id and Acct-Unique-Session-Id

2005-09-07 Thread marc racal
what is the difference between Acct-Session-Id and Acct-Unique-Session-Id?

thanks in advance.

regards,
marc
-- 
Get Firefox! http://tinyurl.com/cocg2
The browser you can trust.



can not link to oracle DB

2005-09-07 Thread Lee Bobby

system:RH9
DB:oracle9i
freeradius0.9.3

I have compiled freeradius on RH9 and have set up the DB. But it failed
to connect to oracle9i.


The error codes are below:
..
rlm_sql (/tmp/bobby//var/log/radius/sqltrace.sql): Ignoring unconnected handle 0..
rlm_sql (/tmp/bobby//var/log/radius/sqltrace.sql): There are no DB handles to use! skipped 1, tried to connect 0

modcall[authorize]: module "sql" returns fail for request 0
modcall: group authorize returns fail for request 0
..

I have confirmed that the radius.conf and oraclesql.conf are right: the right
DB user and password, the right DB server address.


I am really confused. Can anyone help me?




Re: Freeradius-Users Digest, Vol 5, Issue 17

2005-09-07 Thread David Barker - 4D Internet Ltd
Please note that as of the 1st August 2005 my email address changed to [EMAIL 
PROTECTED]

Your email has been forwarded onto my new address but please update your 
address book for future use.

Thank you.

David Barker
4D Internet Limited
http://www.4dtechnologygroup.com


Re: reject some users from radius - ldap ?

2005-09-07 Thread Nicolas Baradakis
Frank Bonnet wrote:

> I use freeradius with ldap to manage wi-fi users ( thru chillispot )
> everything works well but I would like to know if it is possible
> to exclude some users with radius ?
>
> My purpose is to forbid wi-fi access BUT still allow wired LAN access
> for the users concerned.

I'm doing this with MySQL on my site, but perhaps the following
approach may work with LDAP:

1. Define huntgroups "wifi" and "wired" in raddb/huntgroups.

2. In LDAP, provision the attribute "radiusHuntgroupName" with the
   values "wifi" or "wired" (or both) in all the "radiusprofile"
   entries.

3. In the section ldap{} of raddb/radiusd.conf, modify the filter
   like that:

filter = (&(uid=%{User-Name})(radiusHuntgroupName=%{Huntgroup-Name}))

-- 
Nicolas Baradakis
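
Added example, not part of the original post or of FreeRADIUS itself: a small Python model of the three steps above, showing which user/NAS combinations produce an LDAP match. The NAS addresses, directory entries and the escaping helper are constructed for illustration, and it assumes %{Huntgroup-Name} expands to the huntgroup of the requesting NAS.

```python
import re

# Constructed raddb/huntgroups content (step 1); NAS addresses are made up.
HUNTGROUPS = """
wifi   NAS-IP-Address == 192.0.2.10
wired  NAS-IP-Address == 192.0.2.20
"""

# Constructed directory entries; radiusHuntgroupName is multi-valued (step 2).
DIRECTORY = [
    {"uid": ["alice"], "radiusHuntgroupName": ["wifi", "wired"]},
    {"uid": ["bob"], "radiusHuntgroupName": ["wired"]},
    {"uid": ["carol"]},  # attribute never provisioned
]

# Filter from step 3 of the message above.
FILTER = "(&(uid=%{User-Name})(radiusHuntgroupName=%{Huntgroup-Name}))"


def huntgroup_for(nas_ip):
    """Return the first huntgroup listing this NAS address, or '' if none."""
    for line in HUNTGROUPS.splitlines():
        m = re.match(r"(\S+)\s+NAS-IP-Address\s*==\s*(\S+)", line.strip())
        if m and m.group(2) == nas_ip:
            return m.group(1)
    return ""


def ldap_escape(value):
    """RFC 4515 escaping, so a User-Name such as '*' stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def expand_filter(user, nas_ip):
    """Substitute the request attributes into the filter template."""
    attrs = {"User-Name": user, "Huntgroup-Name": huntgroup_for(nas_ip)}
    return re.sub(r"%\{([^}]+)\}", lambda m: ldap_escape(attrs[m.group(1)]), FILTER)


def profile_found(user, nas_ip):
    """Evaluate the expanded (&(a=v)(b=v)) equality filter on DIRECTORY."""
    terms = re.findall(r"\(([^()=&]+)=([^()]*)\)", expand_filter(user, nas_ip))
    unesc = lambda v: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), v)
    return any(all(unesc(v) in e.get(a, []) for a, v in terms) for e in DIRECTORY)
```

With this data, bob's profile is found from the wired NAS but not from the wi-fi one, and a NAS that belongs to no huntgroup matches nobody.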



Encrypted passwords in the users file

2005-09-07 Thread Miguel Angel Quiles
Hi,

  I've got a SUSE 9.3 with FreeRadius 1.0.2, and at the moment I have
my user registered in the users file such as:

username        Auth-Type := Local, User-Password == "password"
  Service-Type = "Callback Framed",
  ...

 I would like to know how to encrypt the passwords. I would like to
know if I need to install any package.

 Also, I would like to know how I can create these encrypted passwords.

 I hope somebody can help me.

 Thanks.



huntgroups and bad_logins

2005-09-07 Thread Jonathan De Graeve

Hello, I bought the radius book from O’Reilly
and it's a good book except when you want to use freeradius mainly with an SQL
backend. (default users profiles in SQL)

Also the principle of huntgroups isn’t very
well explained.

What I want to do is the following:

NAS1: 10.1.1.1
NAS2: 10.1.1.2

SQL usergroups: patients, it

IT may connect to NAS1&2, patients only to NAS2.
I’ve been looking on the internet how to do this but didn’t find
it.

I also have problems with the bad_login perlscript.
When I run this script, it doesn't do anything (just hangs with no given output)

Kind Regards


Re: reject some users from radius - ldap ?

2005-09-07 Thread Frank Bonnet

Nicolas Baradakis wrote:

> I'm doing this with MySQL on my site, but perhaps the following
> approach may work with LDAP:
>
> 1. Define huntgroups "wifi" and "wired" in raddb/huntgroups.
>
> 2. In LDAP, provision the attribute "radiusHuntgroupName" with the
>    values "wifi" or "wired" (or both) in all the "radiusprofile"
>    entries.
>
> 3. In the section ldap{} of raddb/radiusd.conf, modify the filter
>    like that:
>
> filter = (&(uid=%{User-Name})(radiusHuntgroupName=%{Huntgroup-Name}))

Thanks a lot Nicolas, I'm going to try this way.

--
Cordialement/Regards
Frank Bonnet


LEAP Protocol

2005-09-07 Thread Juan Daniel Moreno
Hi everyone, it's me again!!

I have a question about freeradius 1.0.4. With LEAP protocol, the last
packet sent by the server has a "leap-session-key". Does anybody know
how this key is generated? Thank you very much!!!

Juan Daniel MORENO

Re: LEAP Protocol

2005-09-07 Thread Alan DeKok
Juan Daniel Moreno <[EMAIL PROTECTED]> wrote:
> I have a question about freeradius 1.0.4. With LEAP protocol, the last
> packet sent by the server has a "leap-session-key". Does anybody know how
> this key is generated? Thank you very much!!!

  doc/rfc/leap.txt

  Or, the source code.

  Alan DeKok.


Mixed-mode authentication environment

2005-09-07 Thread Daniel Corbe
Hello,

I have a FreeRADIUS server authenticating against an LDAP back-end. 
Some of my applications (such as my SIP proxy server) currently
require DIGEST-MD5 authentication and others (such as my E-Mail
server, and my Cisco routers) do not.

Ideally I'd like everything to work harmoniously.

Since the SIP server requires DIGEST authentication, the Auth-Type
attribute is present and it is set to DIGEST which forces FreeRADIUS
to attempt a digest authentication.  Once this fails an Access-Reject
packet is sent back to the RADIUS client.

Is there a way to configure FreeRADIUS so it first attempts a DIGEST
authentication, and when that fails, we go ahead and attempt normal
authentication?

Thanks.

-Daniel



Re: Mixed-mode authentication environment

2005-09-07 Thread Alan DeKok
Daniel Corbe <[EMAIL PROTECTED]> wrote:
> Since the SIP server requires DIGEST authentication, the Auth-Type
> attribute is present and it is set to DIGEST which forces FreeRADIUS
> to attempt a digest authentication.  Once this fails an Access-Reject
> packet is sent back to the RADIUS client

  You don't say who's setting Auth-Type.  In the example config, the
"digest" module sets it.  If you're setting it yourself, there's a
high likelihood that something will go wrong.

> Is there a way to configure FreeRADIUS so it first attempts a DIGEST
> authentication, and when that fails, we go ahead and attempt normal
> authentication?

  No.  That doesn't make sense.

  There IS a way to configure the server to try digest authentication
only when the RADIUS packet contains digest attributes.  Uncomment the
lines referring to "digest" in radiusd.conf.

  Alan DeKok.



different EAP type

2005-09-07 Thread FeLiX

Hi all,

I want to control my WLAN with authorization based on LDAP and
authentication based on EAP-TLS.
But on the same WLAN there is a VLAN for the voip. The mobile phones
don't support TLS but only LEAP.


Is it possible to insert this in the users file?



DEFAULT Auth-Type := EAP
   Fall-Through = 1

"phone" EAP-Type := LEAP, User-Password == "123456"
Fall-Through = 1

With this I have:

Unexpected trailing comma in check item list for entry phone.

Is the attribute eap-type wrong, or is it impossible to do?

Thanks,
Felice


Re: can not link to oracle DB

2005-09-07 Thread Peter Nixon
On Wednesday 07 September 2005 12:39, Lee Bobby wrote:
> system:RH9
> DB:oracle9i
> freeradius0.9.3
>
> I have compiled freeradius on RH9 and have set up the DB. But it
> failed to connect to oracle9i
>
> the error codes are below:
> ..
> rlm_sql (/tmp/bobby//var/log/radius/sqltrace.sql): Ignoring unconnected
> handle 0..
> rlm_sql (/tmp/bobby//var/log/radius/sqltrace.sql): There are no DB
> handles to use! skipped 1, tried to connect 0
>   modcall[authorize]: module "sql" returns fail for request 0
> modcall: group authorize returns fail for request 0
> ..
>
> I have confirmed that the radius.conf and oraclesql.conf are right: the
> right DB user and password, the right DB server address.
>
> I am really confused. Can anyone help me?

Please post the output of running radiusd -X

My guess is that FreeRADIUS cannot find your Oracle libraries..

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: Mixed-mode authentication environment

2005-09-07 Thread Daniel Corbe
I'm manually setting Auth-Type to DIGEST on the LDAP Server.

This is all radiusd.conf has to say about digest:

#
#  The 'digest' module currently has no configuration.
#
#  "Digest" authentication against a Cisco SIP server.
#  See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
#  on performing digest authentication for Cisco SIP servers.
#
digest {
}

and

#
#  If you have a Cisco SIP server authenticating against
#  FreeRADIUS, uncomment the following line, and the 'digest'
#  line in the 'authenticate' section.
digest

Which does not help me much.  Both entries aren't commented.

-Daniel


On 9/7/05, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Daniel Corbe <[EMAIL PROTECTED]> wrote:
> > Since the SIP server requires DIGEST authentication, the Auth-Type
> > attribute is present and it is set to DIGEST which forces FreeRADIUS
> > to attempt a digest authentication.  Once this fails an Access-Reject
> > packet is sent back to the RADIUS client
> 
>   You don't say who's setting Auth-Type.  In the example config, the
> "digest" module sets it.  If you're setting it yourself, there's a
> high likelihood that something will go wrong.
> 
> > Is there a way to configure FreeRADIUS so it first attempts a DIGEST
> > authentication, and when that fails, we go ahead and attempt normal
> > authentication?
> 
>   No.  That doesn't make sense.
> 
>   There IS a way to configure the server to try digest authentication
> only when the RADIUS packet contains digest attributes.  Uncomment the
> lines referring to "digest" in radiusd.conf.
> 
>   Alan DeKok.



Re: Mixed-mode authentication environment

2005-09-07 Thread Alan DeKok
Daniel Corbe <[EMAIL PROTECTED]> wrote:
> I'm manually setting Auth-Type to DIGEST on the LDAP Server.

  As I said, DON'T.

> This is all radiusd.conf has to say about digest:
...

  No.  You missed one "digest" entry, in the "authenticate" section.
The text you quoted tells you this:

> #  If you have a Cisco SIP server authenticating against
> #  FreeRADIUS, uncomment the following line, and the 'digest'
> #  line in the 'authenticate' section.

  Follow those instructions.

  Alan DeKok.
