Cisco-AVPair SQL accounting (attr. not duplicated)
G'day,

Sorry if this has been covered already, as I imagine it's a common issue, but I haven't been able to rustle any working answers up after a long time googling and grepping $FR/src.

I've got an AS5300 that sends a few attributes, with accounting stop, encapsulated in Cisco-AVPair, e.g.:

    Cisco-AVPair = "nas-tx-speed=53300"

and the VSA hack doesn't appear to let me refer to that value in my SQL statements with either the %{nas-tx-speed} or %{Cisco-AVPair[index]} syntaxes I've seen suggested for Cisco VSAs in various places. rlm_sql complains of an unknown xlat function or non-existent attribute.

Has anyone managed to do this? If so, what is the correct syntax to use these in SQL accounting statements?

Cheers,
--
James Wakefield
Systems Administrator
+61 03 5227 6888
We have now moved head office to 8-12 Pakington Street, Geelong West.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Flexible clients' addresses?
Hi Martin,

> > reply from "Mitchell, Michael J" <[EMAIL PROTECTED]>:
> > I've actually been looking at this over the weekend. Have written some
> > code, but haven't tested it yet. I'm hoping to get to that today
> > sometime. I based it largely on what was done in the sql module, so it
> > may need a bit of refinement.
> >
> > I believe Kostas has it on his todo list also. I'm happy to submit a
> > "draft patch" for review and comment if it helps get this completed.
>
> Has there been any progress on that? A quick look at
> src/main/client.c has revealed nothing so far.

I don't think I ever submitted a formal patch. I think I gave Kostas a patch of what I had done though. The patch is to the ldap module itself though, and is similar to the way the sql module reads the clients.

I still haven't run this code in a production type environment to date, so I'm not sure how reliable or stable it is.

I may be able to easily produce a diff against the latest code - I'm not sure how much the LDAP module has changed since version 1.0.1.

regards,
Mike
Forwarding Accounting Requests
Hi,

I am looking to have FreeRadius forward accounting stop/start packets to a third party device. I understand this can be done by configuring proxy.conf.

The problem has to do with how the accounting requests are forwarded. In other versions of Radius it is possible to forward accounting packets with an attribute setting that ensures the forwarding server doesn't listen for a response. I would like to set this same configuration in FreeRadius but it doesn't appear to have this functionality.

Is there a way to forward accounting request packets (start/stop) without requiring the forwarding server to listen for responses?

Thanks in advance.
Re: help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Hi,

I removed "@domain", but still the same error. I also ran AEGIS v.2.0.5 (a very old version though) with the same supplicant configuration, which also gave me the same error. It seems to me there might be something wrong at the server side, but I don't know where. My freeradius version is 1.0.1.

Thanks for your suggestion though.

Jie

On 12/14/05, Phil Mayers <[EMAIL PROTECTED]> wrote:
> Jie Yang wrote:
> > Hi, All,
> > When I tried to develop PEAP at client side, I found I am always rejected by
> > the server. The following is the log. What might be wrong?
>
> You almost certainly need to strip the "@domain" off the username before
> mschap sees it - the username is used in calculating the challenge response.
>
> See the "realms" module, specifically you'll want the "suffix" instance
> in authorize, "spirentcom.com" as a LOCAL realm in proxy.conf and
> proxying turned on.
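The dependency on the username mentioned in the quoted reply above can be seen in the MS-CHAPv2 challenge hash defined in RFC 2759. The following is an added example, not code from the thread or from FreeRADIUS; the challenges, the user name "jie" and the helper names strip_realm and matching_forms are constructed for illustration.

```python
import hashlib

# Constructed sample values; nothing here is taken from the poster's log.
PEER_CHALLENGE = bytes(range(16))          # 16 octets chosen by the supplicant
AUTH_CHALLENGE = bytes(range(16, 32))      # 16 octets chosen by the server
RECEIVED_USER_NAME = "jie@spirentcom.com"  # hypothetical User-Name on the wire


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 ChallengeHash(): the first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    The NT-Response is computed over this 8-octet value."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def strip_realm(user_name, delimiter="@"):
    """Hypothetical helper: drop a trailing '@realm' from the name."""
    name, sep, _realm = user_name.rpartition(delimiter)
    return name if sep else user_name


def matching_forms(name_hashed_by_supplicant, received_user_name):
    """Return which server-side forms of the name reproduce the 8-octet
    challenge the supplicant used. Any other form leads the server to a
    different expected NT-Response, so the response is judged incorrect."""
    wanted = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                            name_hashed_by_supplicant)
    candidates = [
        ("as received", received_user_name),
        ("realm stripped", strip_realm(received_user_name)),
    ]
    return [
        label
        for label, name in candidates
        if challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name) == wanted
    ]


if __name__ == "__main__":
    for hashed_name in ("jie", "jie@spirentcom.com"):
        forms = matching_forms(hashed_name, RECEIVED_USER_NAME)
        print(f"supplicant hashed {hashed_name!r}: server must use {forms}")
```
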
Multiple Home Servers
Hello,

I have a 0.9.2 server working as a proxy to three ISPs. Since they've just decided to work together, they still have some dial-up users. Their new users will be generated with a proper prefix, but all of the old users (with no prefix/suffix) will go through the NULL realm.

I can have multiple NULL realms, but if one server replies with reject, it will not go through the other realms (it will fail over if there is no answer).

How can I tell freeradius to go to the next server if the username was not found in the previous home server? It is possible with modules, as mentioned in configurable_failover, by changing "action on results". How about in proxy?

Thanks.
Re: Freeradius and LDAP : to be continued
<[EMAIL PROTECTED]> wrote:
> rlm_ldap: Adding userPassword as User-Password, value { & op=11

That's better.

> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type LDAP

Yuck. My quick answer is to edit rlm_ldap.c to have it *never* set Auth-Type to LDAP. That would solve a lot of problems.

Alan DeKok.
Re: LDAP: Variables in "identity" setting
Derrick Woo wrote:
> Hello Phil,
>
> I've removed "ldap" from the authorize section now, but now it's not even
> connecting to the ldap server. Am I overlooking something?

Weee... I must be honest, I've never actually used it myself (ducks :o) but that's certainly what the source and docs imply.

(goes off to try)

Ah, the users file *actually* needs to be:

    DEFAULT Auth-Type := LDAP, Ldap-UserDN := `uid=%{User-Name},RESTOFDN`

...because the authenticate section has ldap as a conditional module:

    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }

With the final above fix, this definitely works for me.

However, you should be aware of the implications of setting (forcing) Auth-Type in the users file - by forcing it to LDAP unconditionally you will prevent e.g. mschap, eap, etc. working at a later date (this is why it's generally not recommended, but for specific and limited circumstances where you're sure this is what you want, I guess it's ok).

You could put the "files" module last in the authorize section, and use:

    DEFAULT Auth-Type = LDAP, Ldap-...

...which will only set the Auth-Type if it's not already set - then if e.g. mschap or eap match first, ldap won't attempt to seize the request.

[Perhaps someone else could chip in with info about the implications of putting the "ldap" module as a non-conditional in "authenticate" - I was under the impression that all the modules in authenticate should be conditional because only one was ever called, but e.g. digest, pam, unix, eap don't seem to be?]
Re: Freeradius and LDAP : to be continued
> Christophe Gravier <[EMAIL PROTECTED]> wrote:
>> Removing the ldap entry, radtest no longer works of course.
>
> Did you put "ldap" in the "authorize" section? That would allow
> radtest to work, as I said.

Yes, I did like we said:
- did put ldap (it was already indeed) in authorize section.
- did remove ldap from authenticate (since ldap will only be a "password storage").

>
>> rlm_ldap: looking for check items in directory...
>
> Can you say which LDAP server you're using?

ist-guizay:/root# /usr/sbin/slapd -V
@(#) $OpenLDAP: slapd 2.2.26 (Oct 31 2005 09:10:53) $

This is the slapd package in the current debian testing tree. This is a v3 openldap server, if I am right.

If I make slapd log things and then observe, I get this on a freeradius request:

Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 fd=10 ACCEPT from IP=161.3.50.125:1490 (IP=0.0.0.0:389)
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=0 BIND dn="" method=128
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=0 RESULT tag=97 err=0 text=
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=1 SRCH base="ou=person,o=istase,c=fr" scope=2 deref=0 filter="(uid=gravier.christophe)"
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=1 SRCH attr=radiusExpiration acctFlags ntPassword lmPassword radiusCallingStationId radiusCalledStationId radiusSimultaneousUse eap userPassword radiusCheckItem radiusLoginLATPort radiusPortLimit radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode radiusLoginLATService radiusTerminationAction radiusIdleTimeout radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId radiusCallbackNumber radiusLoginTCPPort radiusLoginService radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol radiusServiceType radiusReplyItem userPassword
Dec 14 21:50:47 ist-guizay slapd[31741]: <= bdb_equality_candidates: (uid) index_param failed (18)
Dec 14 21:50:47 ist-guizay slapd[31741]: conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

Whaou .. person doesn't have all those attributes in my schema. (Note that this search got a result: nentries = 1 !)

I edited /etc/freeradius/ldap.attr, so that now the trace is a little more correct:

Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH base="ou=person,o=istase,c=fr" scope=2 deref=0 filter="(uid=gravier.christophe)"
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH attr=userPassword
Dec 14 21:55:27 ist-guizay slapd[31741]: <= bdb_equality_candidates: (uid) index_param failed (18)
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

(please ignore the bdb_equality_candidates).

I thought this had to do with the policy regarding access to the userPassword field, so I gave full rights for a test via slapd.access.con: still not good. (That sounds ok, since if it was a read/write/search/auth problem, I would have seen it in the slapd logging.)

I think it is OK with ldap because "nentries = 1" for the search (it finds me). The problem should be for freeradius to use that password to match it against the one given by the user.

For authorize and authenticate I have:

    authorize {
        preprocess
        chap
        mschap
        suffix
        files
        ldap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        unix
        eap
    }

As I said, I think this is freeradius related since openldap logs that it finds the userPassword for the given user and scope. But I can't set freeradius in a more verbose mode to understand the problem. I still receive:

(...)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gravier.christophe
radius_xlat: '(uid=gravier.christophe)'
radius_xlat: 'ou=person,o=istase,c=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding userPassword as User-Password, value { & op=11
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.

When running /usr/sbin/freeradius -X -f

>
> It is NOT returning the User-Password attribute. My previous
> message said that the goal was for the ldap module to return the
> password in the "authorize" section.
>
> Make that work. rad
Re: bandwidth per user (pppoe)
Julius Igugu wrote:
> http://underlinux.com.br/modules.php?name=News&file=article&sid=4447

oh, that looks great! I don't speak Brazilian, but this doc is almost self-explanatory... :) thx a lot!!

TM
Re: bandwidth per user (pppoe)
Seferovic Edvin wrote:
> Do you talk about current bandwidth like 1 MBit/sec or are you referring to
> traffic limitations, i.e. 20 GB per month?

I mean the current bandwidth, no more and no less than e.g. 1 MBit/sec.

TM
Re: bandwidth per user (pppoe)
http://underlinux.com.br/modules.php?name=News&file=article&sid=4447

--- TwoMan <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I have successfully set up freeradius with mysql backend, rp-pppoe
> concentrator, and pppd. Bandwidth control also working, but every pppd
> connection has the same bandwidth, because I cannot determine which
> user has been connected. I use the ppp/ip-up script to control the
> bandwidth. The desired bandwidth is in the mysql database too, for each
> user.
> Could you help me find a way to use a different bandwidth for each user?
>
> thx in advance
>
> TM

Julius Igugu
SouthWork Co. Ltd.
Re: Freeradius and LDAP : to be continued
Christophe Gravier <[EMAIL PROTECTED]> wrote:
> Removing the ldap entry, radtest no longer works of course.

Did you put "ldap" in the "authorize" section? That would allow radtest to work, as I said.

> rlm_ldap: looking for check items in directory...

Can you say which LDAP server you're using?

It is NOT returning the User-Password attribute. My previous message said that the goal was for the ldap module to return the password in the "authorize" section.

Make that work. radtest will work, and then everything else will work.

Alan DeKok.
RE: bandwidth per user (pppoe)
Do you talk about current bandwidth like 1 MBit/sec or are you referring to traffic limitations, i.e. 20 GB per month?

Regards,
Edvin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TwoMan
Sent: Wednesday, 14 December 2005 18:43
To: freeradius-users@lists.freeradius.org
Subject: bandwidth per user (pppoe)

Hi All,

I have successfully set up freeradius with mysql backend, rp-pppoe concentrator, and pppd. Bandwidth control also working, but every pppd connection has the same bandwidth, because I cannot determine which user has been connected. I use the ppp/ip-up script to control the bandwidth. The desired bandwidth is in the mysql database too, for each user.

Could you help me find a way to use a different bandwidth for each user?

thx in advance

TM
Re: Freeradius and LDAP : to be continued
Alan DeKok wrote:
> Christophe Gravier <[EMAIL PROTECTED]> wrote:
> > auth: type "LDAP"
> > Processing the authenticate section of radiusd.conf
> > modcall: entering group Auth-Type for request 0
> > rlm_ldap: - authenticate
> > rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
>
> You're using LDAP as an authentication server. Don't do that. Use LDAP to store passwords.
>
> i.e. remove the "ldap" entry from the "authenticate" section.
>
> Get radtest to work. Once that works, Chillispot will work, too.
>
> Alan DeKok.

That makes sense indeed. Removing the ldap entry, radtest no longer works of course.

But as you already said there:
http://lists.cistron.nl/pipermail/freeradius-users/2004-October/037625.html
and there:
http://lists.cistron.nl/pipermail/freeradius-users/2004-September/036629.html :

    List "ldap" in the "authorize" section. It's already there, just un-comment it. And DON'T set "Aut-Type := LDAP".

So I did

    # The ldap module will set Auth-Type to LDAP if it has not
    # already been set
    ldap

and comment set "Aut-Type := LDAP"

But it's just not working! The interesting part of the trace:

[...]
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "gravier.christophe", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 157
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gravier.christophe
radius_xlat: '(uid=gravier.christophe)'
radius_xlat: 'ou=person,o=istase,c=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
[...]

--
Christophe Gravier
Laboratoire DIOM, SATIn group - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel: 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
bandwidth per user (pppoe)
Hi All,

I have successfully set up freeradius with mysql backend, rp-pppoe concentrator, and pppd. Bandwidth control also working, but every pppd connection has the same bandwidth, because I cannot determine which user has been connected. I use the ppp/ip-up script to control the bandwidth. The desired bandwidth is in the mysql database too, for each user.

Could you help me find a way to use a different bandwidth for each user?

thx in advance

TM
Re: LDAP: Variables in "identity" setting
Hello Phil,

I've removed "ldap" from the authorize section now, but now it's not even connecting to the ldap server. Am I overlooking something?

Thank you for your help. It's greatly appreciated.

Derrick

On 12/13/05, Phil Mayers <[EMAIL PROTECTED]> wrote:
> Derrick Woo wrote:
> > Hello Phil,
> >
> > Thanks for your response. However as I had mentioned in my post, this
> > particular LDAP server uses a person's username and password for
> > binding. There is no service account and anonymous binds are not
> > allowed. Commenting out identity and password did not work.
> >
> > Am I out of luck here?
>
> Ah, you don't want to search *at all*. Remove "ldap" from the authorize
> section, leave it in the "authenticate" section, and set:
>
>     DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`
>
> ...in the users file. (Adding the Ldap-UserDN is basically what the ldap
> module *does* in the authorize section).
>
> This is documented in doc/rlm_ldap
Re: Freeradius and LDAP : to be continued
Christophe Gravier <[EMAIL PROTECTED]> wrote:
> auth: type "LDAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
> Cannot use "CHAP-Password".

You're using LDAP as an authentication server. Don't do that. Use LDAP to store passwords.

i.e. remove the "ldap" entry from the "authenticate" section.

Get radtest to work. Once that works, Chillispot will work, too.

Alan DeKok.
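Why a CHAP-Password cannot be checked against a hashed directory entry, while a User-Password (PAP) can, follows from how the two are verified. The following is an added example, not code from the thread or from FreeRADIUS; the password, challenge, CHAP identifier and all function names are constructed, and the stored forms are assumed to be either cleartext or the LDAP {SHA} scheme.

```python
import base64
import hashlib
import hmac

# Constructed sample values for illustration only.
CLEARTEXT = "example-password"
CHAP_ID = 7
CHALLENGE = bytes(range(16))


def ldap_sha(password):
    """userPassword value in the {SHA} scheme: base64 of the SHA-1 digest."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def chap_response(chap_id, secret, challenge):
    """RFC 1994 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def chap_password_attr(chap_id, password, challenge):
    """CHAP-Password attribute value: 1 octet identifier + 16 octet response."""
    return bytes([chap_id]) + chap_response(chap_id, password.encode(), challenge)


def check_pap(user_password, stored):
    """The server holds the cleartext from the request, so it can re-hash it
    and compare with whatever form the directory stores."""
    if stored.startswith("{SHA}"):
        candidate = ldap_sha(user_password)
    elif stored.startswith("{"):
        return "unusable"          # scheme not handled in this example
    else:
        candidate = user_password
    ok = hmac.compare_digest(candidate.encode(), stored.encode())
    return "accept" if ok else "reject"


def check_chap(chap_password, challenge, stored):
    """The server must recompute MD5 over the cleartext secret; a one-way
    hash in the directory gives it nothing to recompute from."""
    if len(chap_password) != 17:
        return "reject"
    if stored.startswith("{"):
        return "unusable"
    expected = chap_response(chap_password[0], stored.encode(), challenge)
    ok = hmac.compare_digest(expected, chap_password[1:])
    return "accept" if ok else "reject"


def outcomes():
    """Run both request types against both storage forms."""
    chap_attr = chap_password_attr(CHAP_ID, CLEARTEXT, CHALLENGE)
    hashed = ldap_sha(CLEARTEXT)
    return {
        "pap/cleartext": check_pap(CLEARTEXT, CLEARTEXT),
        "pap/{SHA}": check_pap(CLEARTEXT, hashed),
        "chap/cleartext": check_chap(chap_attr, CHALLENGE, CLEARTEXT),
        "chap/{SHA}": check_chap(chap_attr, CHALLENGE, hashed),
    }


if __name__ == "__main__":
    for case, result in outcomes().items():
        print(f"{case}: {result}")
```
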
Freeradius and LDAP : to be continued
Hello,

From the last things settled today about ldap support for freeradius on the list, I succeeded in configuring the ldap backend for freeradius. At least, radtest provides me an Accept response!

Nevertheless, with the chillispot front end, I can't log in; freeradius tells:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.

That's pretty strange since it does work with radtest (but I see a plain text password being sent to openldap :s).

Anyway, the problem comes from:

rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".

But I DO have:

    password_attribute = "userPassword"

for my ldap server in /etc/freeradius/radiusd.conf

I mean, there's no configuration in chillispot except the radius server IP to match users against. What's the difference between a radtest and an authentication via chillispot?

Apart from this chilli-freeradius problem (compared to radtest), how can I make freeradius send a hash as password? (My userPassword is hashed using SHA.) There is a proposal here: http://lists.cistron.nl/pipermail/freeradius-users/2002-October/012169.html, but I don't want to use CHAP since my userPassword is SHA encrypted. I tried to comment out the chap and mschap parts in the authorize section (I'll never use them). (Same error.)

(I must say I followed the http://www.linuxhomenetworking.com/linux-adv/ldap.htm#_Toc92561284 howto for configuring ldap for freeradius.)

Please, feel free to point me to some directions to search.

Best regards,
Christophe.
Re: allowed characters in User-Password?
Nils-Henner Krueger <[EMAIL PROTECTED]> wrote:
> I miss something obvious, but although I printed out variables.txt
> and read it several times I still don't get the point.

'%' is a special character.

> From variables.txt I understand that variables are referred to
> by %{name}.

Or, % followed by one character.

> Do I get it right, I put "34fgT\%45" instead of "34fgT%45"
> in the users file?

Yes.

> Which other special chars need to be treated this way?

None.

Alan DeKok.
Help me configure freeradius
This is what I want to do:

I have a wireless AP and a linux server connected with a cat5 cable. I then have a number of different wireless users that should be able to talk to the linux server, but they should not be able to listen in on each other. They should not need a password or certificates.

So what I was thinking about was to get freeradius to just allow all users to connect without checking for passwords and such.

Any tips on how to do this?
Re: Freeradius-Users Digest, Vol 8, Issue 57
Hi,

I have written a howto that explains how to set up FreeRadius and Chillispot here: http://swarmhotspots.com/faq.html. If you need any help you will find contact details on the site.

Regards,
Sean Bracken
Proxying based on substring in username
I am currently knee deep in an Active Directory domain collapse and need to figure out how to get FreeRADIUS to authenticate users as they are moved between domains. During the AD migration process user accounts are disabled in the source domain (where FreeRADIUS currently points) and enabled in the target domain.

What I need to do is figure out a way to determine if a user has been moved and, if they have, proxy the requests to the new domain. I see two possible ways to do this:

1 - If the user is in AD group "X", proxy the request
2 - If the username has string "m_", then remove the "m_" string and proxy the request

My questions are these: which is the easiest to implement and how do I implement each? I have looked at rlm_attr_rewrite a bit and think this may be the module for the second situation. I have googled and searched the lists, unable to find anything of much help.
RE: Authenticate users for a hotel through webpage?
mfred wrote:
> maybe someone can point me to the right direction as it seems I use
> wrong keywords for my search in the list and on google.
> I am trying to use freeradius with wlan to authenticate hotel guests
> that need i-net access.
>
> They would prefer that the customer could visit a webpage entering the
> username / password combination they got at hotel-reception. Would
> this be an authentication method which freeradius can handle or do I
> have to use other authentication modules for such a purpose?
>
> The most important thing is: Easy to use for the hotel staff at
> registering / deleting guests and easy to use for the guests at login.
>
> TIA and br,
>
> mfred

Hi,

we build a complete solution for Internet access for hotel guests, marinas etc. using FreeRadius. With a web-based control panel, different staff permission levels, custom defined access packages etc. No server at the hotel required, we operate them centrally on the Internet ...

www.pointHotspot.com

Individual hotel login page pops up when guest/user goes to any website, they type in username and password and can then use the Internet as long as they are allowed.

Gunther
Re: Authenticate users for a hotel through webpage?
Christophe Gravier wrote:
> Hello mfred,
>
> It is just the same thing I want to achieve here in my university. This is
> a captive portal (hope this is a good translation). For that, I had to use
> chillispot, apache2, freeradius and ldap. I think, please correct me if
> freeradius alone is able to do the whole thing ..., Freeradius is just a
> piece of the puzzle.
>
> - apache2 hosts the webpage for authentication (a cgi script) (using ssl)
> - chillispot uses vtun in order to take control of the network interface
>   plugged into your wireless area (and thus redirects you to the apache page
>   for authentication if you're not authenticated!)
> - freeradius handles the authentication and accounting using our
>   pre-existing ldap directory listing all the users (teachers, students ...).
>
> I have written a complete howto that I'll post this afternoon or tomorrow
> (needs typo correction) to the chillispot forum. I can send you the draft if
> you need. (I hope freeradius can't do the stuff so that I'm not making ads
> for another system :D).

Don't forget the wiki.freeradius.org site.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
Re: rlm_ldap.so not found, Freeradius 1.0.5
Nicolas Baradakis wrote:
> Christophe Gravier wrote:
> > I installed freeradius on a fresh debian etch (testing) machine.
> > ( FreeRADIUS Version 1.0.5 as it is packaged in the debian etch tree ).
> >
> > I want my radius to be able to authenticate users against an external
> > LDAP source.
>
> apt-get install freeradius-ldap

I have no excuse, I apologize. (Writing this reply from deep under my desk.)

Thank you for pointing it out to me!

--
Christophe Gravier
Laboratoire DIOM, SATIn group - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel: 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
Re: rlm_ldap.so not found, Freeradius 1.0.5
Christophe Gravier wrote:
> I installed freeradius on a fresh debian etch (testing) machine.
> ( FreeRADIUS Version 1.0.5 as it is packaged in the debian etch tree ).
>
> I want my radius to be able to authenticate users against an external
> LDAP source.

apt-get install freeradius-ldap

--
Nicolas Baradakis
Re: Authenticate users for a hotel through webpage?
> how do you do accounting in this case? Does the user have to go to the same web
> site again and say good-bye? Or don't you do time-based accounting? What
> else? Accounting flat per room number, per traffic? I think there are better
> solutions than that.

AFAIK they only sell it in daily units but sure, the accounting would be a nice thing. Open to any better suggestions (as long as they stay simple for the guests).

br & greetings to Germany

mfred
Re: Authenticate users for a hotel through webpage?
Hello mfred,

It is just the same thing I want to achieve here in my university. This is a captive portal (hope this is a good translation). For that, I had to use chillispot, apache2, freeradius and ldap. I think, please correct me if freeradius alone is able to do the whole thing ..., Freeradius is just a piece of the puzzle.

- apache2 hosts the webpage for authentication (a cgi script) (using ssl)
- chillispot uses vtun in order to take control of the network interface plugged into your wireless area (and thus redirects you to the apache page for authentication if you're not authenticated!)
- freeradius handles the authentication and accounting using our pre-existing ldap directory listing all the users (teachers, students ...).

I have written a complete howto that I'll post this afternoon or tomorrow (needs typo correction) to the chillispot forum. I can send you the draft if you need. (I hope freeradius can't do the stuff so that I'm not making ads for another system :D).

HTH,
Regards,
Christophe.

mfred wrote:
> Hi,
>
> maybe someone can point me to the right direction as it seems I use wrong
> keywords for my search in the list and on google.
> I am trying to use freeradius with wlan to authenticate hotel guests that
> need i-net access.
>
> They would prefer that the customer could visit a webpage entering the
> username / password combination they got at hotel-reception. Would this be
> an authentication method which freeradius can handle or do I have to use
> other authentication modules for such a purpose?
>
> The most important thing is: Easy to use for the hotel staff at registering
> / deleting guests and easy to use for the guests at login.
>
> TIA and br,
>
> mfred

--
Christophe Gravier
Laboratoire DIOM, SATIn group - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel: 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
Re: Authenticate users for a hotel through webpage?
On Wednesday, 14 December 2005 12:30, mfred wrote:
> Hi,
>
> maybe someone can point me to the right direction as it seems I use wrong
> keywords for my search in the list and on google.
> I am trying to use freeradius with wlan to authenticate hotel guests that
> need i-net access.
>
> They would prefer that the customer could visit a webpage entering the
> username / password combination they got at hotel-reception. Would this be
> an authentication method which freeradius can handle or do I have to use
> other authentication modules for such a purpose?
>
> The most important thing is: Easy to use for the hotel staff at registering
> / deleting guests and easy to use for the guests at login.
>
> TIA and br,
>
> mfred

hi,

how do you do accounting in this case? Does the user have to go to the same web site again and to say good-bye? Or don't you do time-based accounting? What else? Accounting flat per room number, per traffic? I think there are better solutions than that.

Greetings,

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
rlm_ldap.so not found, Freeradius 1.0.5
First, Hello to the mailing list! ;-)

I installed freeradius on a fresh debian etch (testing) machine (FreeRADIUS Version 1.0.5 as it is packaged in the debian etch tree). I want my radius to be able to authenticate users against an external LDAP source. So I think I've made the right changes (in particular, I modified /etc/freeradius/radiusd.conf), but when I launch the freeradius server, I receive:

Wed Dec 14 14:23:36 2005 : Info: Using deprecated naslist file. Support for this will go away soon.
Wed Dec 14 14:23:36 2005 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Dec 14 14:23:36 2005 : Error: radiusd.conf[724] Failed to link to module 'rlm_ldap': rlm_ldap.so: cannot open shared object file: No such file or directory

Hummm, I don't think it'll work as it is :)

I have searched for rlm_ldap.so, I have no such library in my /usr/lib/freeradius/ directory (there I've got stuff for mysql and so on). I have tried the mailing list archive and googling, but there are just questions and so few answers.

Could anyone eventually point me to a clue please? Or a link to the howto they followed for freeradius using ldap?

Best regards,

--
Christophe Gravier
Laboratoire DIOM, SATIn group - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel: 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
Re: Authenticate users for a hotel through webpage?
Hi!

> it seems I use wrong keywords for my search in the list and on google.

Have you tried the keyword "Captive Portal" yet? It leads for example to a very nice Wikipedia entry:

http://en.wikipedia.org/wiki/Captive_portal

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research & Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
Authenticate users for a hotel through webpage?
Hi,

maybe someone can point me to the right direction as it seems I use wrong keywords for my search in the list and on google. I am trying to use freeradius with wlan to authenticate hotel guests that need i-net access.

They would prefer that the customer could visit a webpage entering the username / password combination they got at hotel-reception. Would this be an authentication method which freeradius can handle or do I have to use other authentication modules for such a purpose?

The most important thing is: Easy to use for the hotel staff at registering / deleting guests and easy to use for the guests at login.

TIA and br,

mfred
Re: help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Jie Yang wrote:
> Hi, All,
>
> When I tried to develop PEAP at client side, I found I am always rejected by the server. The following is the log. What might be wrong?

You almost certainly need to strip the "@domain" off the username before mschap sees it - the username is used in calculating the challenge response.

See the "realms" module, specifically you'll want the "suffix" instance in authorize, "spirentcom.com" as a LOCAL realm in proxy.conf and proxying turned on.
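Why the realm matters, as an added example that is not part of the original reply: RFC 2759 derives the 8-byte MS-CHAPv2 challenge from SHA-1 over both 16-byte challenges and the user name, so a peer that hashed the bare name and a server that hashes name@realm can never agree on the response. The challenge bytes, the user name "jyang" and the helper names are constructed for illustration, and the sketch assumes the supplicant hashed the bare name.

```python
import hashlib

# Constructed values for illustration (not taken from the poster's log).
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))
LOCAL_REALMS = {"spirentcom.com"}          # realm named in the reply above
RADIUS_USER_NAME = "jyang@spirentcom.com"  # hypothetical User-Name attribute


def challenge_hash(peer: bytes, auth: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || auth || username)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("both challenges must be 16 bytes")
    return hashlib.sha1(peer + auth + username.encode("ascii")).digest()[:8]


def strip_local_realm(user_name: str, local_realms=LOCAL_REALMS) -> str:
    """Suffix-style split on the last '@'; strip only realms handled locally."""
    name, sep, realm = user_name.rpartition("@")
    if sep and name and realm.lower() in local_realms:
        return name
    return user_name


def challenges_agree(client_name: str, server_name: str) -> bool:
    """True when both sides derive the same 8-byte challenge for the NT-Response."""
    return (challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, client_name)
            == challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, server_name))


if __name__ == "__main__":
    bare = "jyang"
    # The server hashes the raw User-Name: the challenges differ, so the
    # NT-Response check fails even with the right password.
    print("raw User-Name      :", challenges_agree(bare, RADIUS_USER_NAME))
    # The server strips the local realm first: both sides hash the same name.
    print("realm stripped     :", challenges_agree(bare, strip_local_realm(RADIUS_USER_NAME)))
    # A realm that is not local is left alone (it would be proxied instead).
    print("non-local untouched:", strip_local_realm("bob@other.example"))
```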
Flexible clients' addresses?
Hi,

I have some 150 new radius clients waiting at my doorstep. Unfortunately their IP addresses are _not_ within a single subnet. Most of them are, however, grouped into a bunch of 25 pseudo-subnets of the following kind:

client 192.168.n.240/28 {
    secret = somesecret
    shortname = somename
}

with n between 0 and 254. Rather than putting 25+ entries of this kind into clients.conf, I am looking for a more flexible way of client specification. I have two ways in mind to approach the problem:

Approach 1: Specify a subnet mask with a "hole":

client 192.168.0.240/255.255.0.28 {
    secret = somesecret
    shortname = somename
}

describes what I need when interpreted with bitwise netmask semantics. This is currently not supported, but for what reason -- considered insane or simply not desired by anyone yet?

Approach 2 (more general): Store the property of being a radius client in my LDAP database. I found some older postings related to this:

On Jan 30, 2005, Alan walters wrote:
> > We have free radius working with ldap I have been looking for a way
> > to add our clients files o our ldap has anyone had any success with this

reply from "Mitchell, Michael J" <[EMAIL PROTECTED]>:
> I've actually been looking at this over the weekend. Have written some
> code, but haven't tested it yet. I'm hoping to get to that today
> sometime. I based it largely on what was done in the sql module, so it
> may need a bit of refinement.
>
> I believe Kostas has it on his todo list also. I'm happy to submit a
> "draft patch" for review and comment if it helps get this completed.

Has there been any progress on that? A quick look at src/main/client.c has revealed nothing so far.

Thanks, Martin

--
Dr. Martin Pauly     Fax: 49-6421-28-26994
HRZ Univ. Marburg    Phone: 49-6421-28-23527
Hans-Meerwein-Str.   E-Mail: [EMAIL PROTECTED]
D-35032 Marburg
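What bitwise netmask semantics (approach 1) would accept, as an added example that is not part of the original post: a mask with a hole in the third octet trusts every /28 that matches, not only the 25 networks actually in use, and all of them share one secret. The sketch assumes the holed mask is written 255.255.0.240 (the /28 mask with the third octet cleared); the list of owned third octets and the function names are constructed for illustration.

```python
import ipaddress

NET, MASK = "192.168.0.240", "255.255.0.240"  # assumed holed mask, see lead-in
OWNED_N = (0, 5, 17)                           # constructed: third octets really in use


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def holed_match(addr, net=NET, mask=MASK):
    """Bitwise netmask semantics: only bits set in the mask are compared."""
    m = _int(mask)
    return (_int(addr) & m) == (_int(net) & m)


def covered_blocks(net=NET, mask=MASK, prefix=28):
    """Every contiguous /prefix network that the non-contiguous mask accepts."""
    m, host_bits = _int(mask), 32 - prefix
    if m & ((1 << host_bits) - 1):
        raise ValueError("mask sets bits inside the host part of the prefix")
    holes = [b for b in range(host_bits, 32) if not (m >> b) & 1]
    base = _int(net) & m
    blocks = []
    for combo in range(1 << len(holes)):
        value = base
        for i, bit in enumerate(holes):
            if (combo >> i) & 1:
                value |= 1 << bit
        blocks.append(ipaddress.IPv4Network((value, prefix)))
    return blocks


def owned_blocks():
    return [ipaddress.IPv4Network(f"192.168.{n}.240/28") for n in OWNED_N]


def unintended_blocks():
    """Networks the holed entry would trust that nobody listed as a client."""
    owned = set(owned_blocks())
    return [b for b in covered_blocks() if b not in owned]


def clients_conf(blocks, secret="somesecret", shortname="somename"):
    """Explicit stanzas, one per owned network, in the post's clients.conf form."""
    stanza = "client {net} {{\n\tsecret = {secret}\n\tshortname = {name}\n}}"
    return "\n".join(stanza.format(net=b, secret=secret, name=shortname) for b in blocks)


if __name__ == "__main__":
    print(len(covered_blocks()), "networks accepted;", len(unintended_blocks()), "not owned")
    print(clients_conf(owned_blocks()))
```

Generating the explicit stanzas from the list of owned networks keeps the trusted set equal to what is deployed, at the cost of a longer clients.conf.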
Re: allowed characters in User-Password?
Alan DeKok wrote:
> Nils-Henner Krueger <[EMAIL PROTECTED]> wrote:
>
>>At first sight everything worked fine but after following the
>>log for a while it turns out that (too) many users were rejected.
>>
>>All the rejected accounts have a "%" sign in the User-Password.
>
> See doc/variables.txt

I don't do freeradius administration on a regular basis, so maybe I miss something obvious, but although I printed out variables.txt and read it several times I still don't get the point.

From variables.txt I understand that variables are referred to by %{name}. But what I think I observe are accounts like this

[EMAIL PROTECTED] Password = "34fgT%45"

which seem to be rejected because of the "%" being part of the password value.

>>How can I get around this problem? There are a few thousand
>>dialin accounts, out of them about 300 have a "%" in the password
>>so I can't simply call them and solve that directly, not speaking
>>about other chars that might make trouble, too.
>
> Escape the % via \%.

Do I get it right, I put "34fgT\%45" instead of "34fgT%45" in the users file? Which other special chars need to be treated this way?

Thanks for your help!

nils-henner
RE: Two routers using the same Radius server?
Client IP address in combination with huntgroups if you work with a mysql db and usergroups

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Mark Tunnell
Sent: Wednesday, 14 December 2005 1:59
To: FreeRadius users mailing list
Subject: Re: Two routers using the same Radius server?

Nice! That gets me almost all the way there. I'm able to authenticate using Auth-Type := Local. Now I just need to figure out how to authenticate that type of user name ([EMAIL PROTECTED]) using Auth-Type := System. Any ideas how to go about that?

Thanks,
Mark

Lewis Bergman wrote:
> Mark Tunnell wrote:
>
>> Suppose I have two Cisco routers both configured to authenticate to
>> the same radius server. How do I allow a particular user access to
>> one router but not the other? Is there a place in the clients.conf or
>> users file to configure this?
>>
> Oh yea, Alan gave me a trick with the hints file that adds a realm to a
> client if one is not present that could also help.
> DEFAULT User-Name !~ ".*@", NAS-IP-Address == "ip of client"
> User-Name := "[EMAIL PROTECTED]"
>
Re: anybody installed freeradius-1.0.5 on Solaris 8 successfully?
Yes, yesterday, and it works fine...

- Original Message -
From: Qin Zhen
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, December 14, 2005 7:57 AM
Subject: anybody installed freeradius-1.0.5 on Solaris 8 successfully?

Hello All,

seems solaris 8 and freeradius-1.0.5 don't like each other.. after I installed it, it gave segmentation fault when I tried to run it. anybody has installed and run it successfully on solaris 8?

cheers,
QZ
Re: segmentation fault on solaris,unable to call modules
"Qin Zhen" <[EMAIL PROTECTED]> wrote:
> installing freeradius on Solaris is already a big headache, afterwards i
> encountered Segmentation fault as well. i am using Freeradius-1.0.5

Please read doc/bugs, and follow its instructions.

Alan DeKok.
anybody installed freeradius-1.0.5 on Solaris 8 successfully?
Hello All,

seems solaris 8 and freeradius-1.0.5 don't like each other.. after I installed it, it gave segmentation fault when I tried to run it. anybody has installed and run it successfully on solaris 8?

cheers,
QZ