UltraMonkey 3 and FreeRadius

2005-12-19 Thread Hugues Lepesant

Hi all,

I want to build a high availability RADIUS platform based on open source 
software.


To do so I've patched /usr/sbin/ldirectord with Matteo Bertato and Horms' 
patch found here:


http://lists.community.tummy.com/pipermail/linux-ha-dev/2005-September/011662.html

It works fine; I do the load balancing for both auth [1812] and 
accounting [1813].


But I have a strange behavior: when freeradius is started as a daemon, the 
servers are never enabled for auth by ipvsadm. I must start freeradius in 
debug mode (-X) on the radius server for it to be enabled by the 
load-balancers, even though I can make some successful radtest runs from 
the load-balancers and the log of ldirectord seems to be ok.


I'm not sure it's UltraMonkey's fault; I have tested with the latest 
freeradius version and it is the same :(


Does anyone have any idea where it can come from?

Best regards,
hugues

Distrib Debian sarge
Freeradius 1.0.2-4 and 1.0.5 from source
ultramonkey  3-1um.1
ipvsadm 1.24+1.21-1
Kernel 2.6.13.4




--
Hugues Lepesant
--
Operations Engineer, VeePee
Tel : +33 1 73 02 68 02
119 rue de Paris
92772 Boulogne Cedex
FRANCE

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Segmentation fault in 1.1.0-pre0

2005-12-19 Thread Norbert Wegener


freeradius-1.1.0-pre0 crashes when sending an Access-Accept:

Program received signal SIGSEGV, Segmentation fault.
0x4027ae77 in memset () from /lib/i686/libc.so.6
(gdb) bt
#0  0x4027ae77 in memset () from /lib/i686/libc.so.6
#1  0x0020 in ?? ()
#2  0x401f83eb in rad_vp2attr (packet=0x0, original=0x0, secret=0x0, 
vp=0x0, ptr=0x0) at radius.c:256

#3  0x in ?? ()
(gdb) 


The complete output of radiusd -AX  is available at:
http://www.wegener-net.de/fr/typescript

Norbert Wegener


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius cannot Authenticate to Windows AD

2005-12-19 Thread Norbert Wegener
A little modification of that patch seems to be necessary, as the patch 
applies, but compiling fails:


Compiling this patch gives:
rlm_ldap.c: In function `ldap_groupcmp':
rlm_ldap.c:879: warning: initialization discards qualifiers from pointer 
target type

rlm_ldap.c:1010: warning: comparison between signed and unsigned
rlm_ldap.c: In function `ldap_xlat':
rlm_ldap.c:1135: warning: comparison between signed and unsigned
rlm_ldap.c: In function `ldap_authenticate':
rlm_ldap.c:1625: warning: initialization discards qualifiers from 
pointer target type

rlm_ldap.c: In function `ldap_rebind':
rlm_ldap.c:1924: error: `dn' undeclared (first use in this function)
rlm_ldap.c:1924: error: (Each undeclared identifier is reported only once
rlm_ldap.c:1924: error: for each function it appears in.)
rlm_ldap.c:1924: error: `passwd' undeclared (first use in this function)
rlm_ldap.c: In function `ldap_connect':
rlm_ldap.c:2009: warning: implicit declaration of function 
`ldap_int_tls_config'

rlm_ldap.c: In function `ldap_rebind':
rlm_ldap.c:1920: warning: unused parameter `request'
rlm_ldap.c:1920: warning: unused parameter `msgid'
rlm_ldap.c:1920: warning: unused parameter `params'
rlm_ldap.c: In function `ldap_groupcmp':
rlm_ldap.c:870: warning: unused parameter `request'
rlm_ldap.c:871: warning: unused parameter `check_pairs'
rlm_ldap.c:871: warning: unused parameter `reply_pairs'
gmake[6]: *** [rlm_ldap.o] Error 1
gmake[6]: Leaving directory 
`/home/radius/freeradius-1.0.5/src/modules/rlm_ldap'

gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/home/radius/freeradius-1.0.5/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/home/radius/freeradius-1.0.5/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/home/radius/freeradius-1.0.5/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/home/radius/freeradius-1.0.5/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/home/radius/freeradius-1.0.5'
make: *** [all] Error 2

diff -Nru rlm_ldap.patch.org rlm_ldap.patch
--- rlm_ldap.patch.org  2005-12-19 13:45:03.0 +0100
+++ rlm_ldap.patch  2005-12-19 13:18:21.0 +0100
@@ -34,7 +34,7 @@
+{
+  if (DN != NULL  PASSWD != NULL){
+  DEBUG(rlm_ldap: rebind to URL: %s,url);
-+  return ldap_bind_s( ld, dn, passwd, LDAP_AUTH_SIMPLE);
++  return ldap_bind_s( ld, DN, PASSWD, LDAP_AUTH_SIMPLE);
+  }
+}
+
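Review bot: the rebind callback returns a value only on the path where both DN and PASSWD are non-NULL; when either is NULL, control runs off the end of a function that returns an int to libldap (the success path returns the result of ldap_bind_s), so the library receives an indeterminate status. Add an explicit `return LDAP_PARAM_ERROR;` (or another suitable LDAP error code) after the if block. Two lines of the hunk also need re-checking against the bug-tracker copy before applying: the condition `if (DN != NULL  PASSWD != NULL)` has lost its `&&`, and the DEBUG format string `rlm_ldap: rebind to URL: %s` has lost its quotes, both most likely in transit through the digest. Finally, replacing the undeclared dn/passwd (rlm_ldap.c:1924 in the compile output above) with the uppercase DN/PASSWD means the callback binds with names visible at file scope rather than with values belonging to this connection, which is consistent with Alan DeKok's later remark that the patch as-is isn't thread-safe.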

With the above changes rlm_ldap.c compiles and runs (at least for me).
Will the patch mentioned at 
http://bugs.freeradius.org/show_bug.cgi?id=183   become part of the next 
official release?


Norbert Wegener



Alan DeKok wrote:

  In addition to Dusty's comments:

Michael Calizo [EMAIL PROTECTED] wrote:
  

rlm_ldap: ldap_search() failed: Operations error



  http://bugs.freeradius.org/show_bug.cgi?id=183

  You're running into two issues:

  -  the OpenLDAP client libraries don't use the
authentication credentials they're given when following references.

  - Active Directory is following references because your domain
controller has two domains, and the user isn't found in one, so it's
being referred to the other domain.

  The patch might help, but your LDAP queries should be made more
specific.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Plain text password file

2005-12-19 Thread Alexander Lund
Can somebody explain how to use rlm_passwd and a textfile with this setup:
name:password:group
and so on
The order can be any way around; spaces can also be present.

Any pointers will be gladly accepted. A sweet tutorial will result in a free night out in Borås, Sweden.

/Alex
-- 
When there is no solution, there is no problem.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

DialupAdmin gives Blank Pages

2005-12-19 Thread Scott MacEachern A.Sc.T
I've been fighting with this problem for a couple of days. Searched 
everywhere I can think of on the net. According to the docs it should just 
work.


Anyway, I've installed the latest. MySQL seems to be working. FreeRadius: 
no errors with the -X option. Made a link from the dialupadmin htdocs to my 
web server directory.


When I click on:
Accounting, I get a blank screen.
Statistics, I get a green page, nothing on it.
User Stats, Blank
Find User seems to work, but I don't have any users entered to actually 
test this.

New User, Blank
Show Groups seems to work, but again I have no data in the database.
New Group, Blank

Check Server gives me this:
Monday, 19 December 2005, 10:13:04 EST
Server: 127.0.0.1:1812

(test user test)

Any help would be great. Thanks.
Scott



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authorization

2005-12-19 Thread Dusty Doris

Let's say I have 2 groups: students and faculty.
I want to authorize authenticated members of the LDAP group
cn=students,ou=Groups IFF their Access-Request Called-Station-ID =~
/:StudentWLAN$/
I want to authorize authenticated members of the LDAP group
cn=faculty,ou=Groups IFF their Access-Request Called-Station-ID =~
/:FacultyWLAN$/



You left out your ldap part?  Anyway it should look something like this.

groupname_attribute = cn
groupmembership_filter = (&(objectclass=GroupOfNames)(member=%{Ldap-UserDN}))

Of course you'll have to change that to fit with how your directory is 
structured.  Once you've got that part down, then in the users file you 
could do something like this.


DEFAULT Called-Station-ID =~ /:StudentWLAN$/, Ldap-Group == students

DEFAULT Called-Station-ID =~ /:FacultyWLAN$/, Ldap-Group == faculty

DEFAULT Auth-Type := Reject

That would look to see if Called-Station-ID matches that regex.  If so, it 
would look to see if they are in the Ldap-Group of students.  Your 
groupmembership filter and groupname_attribute should look for a group 
named cn=students and then see if the DN of the user is in it.


If not, it would fall through to the Reject statement.  Now, there are 
other things going on outside of ldap that I don't really know about, so a 
copy/paste of what I wrote might not work.  But, it should help lead you 
in the right direction.


I'd give it a shot running in debug mode (radiusd -X) and then you can see 
the exact queries that are taking place and what is happening.  You can 
then go back and modify those ldap group statements and the users file to 
fit what you need.


Once you've got it started if you need more help, please post debug output 
and what you would expect vs what you got and we can probably help sort it 
out.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: (no subject)

2005-12-19 Thread maruna
yes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of debik
Sent: Wednesday, December 14, 2005 1:15 AM
To: FreeRadius users mailing list
Subject: (no subject)

Is it possible to authenticate users on a LAN with freeradius, without any Access

Point?

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authorization

2005-12-19 Thread Alan DeKok
Stefan Adams [EMAIL PROTECTED] wrote:
 I have read all the man pages and /docs and am having a difficult time
 understanding the authorization.  I keep wanting to write
 if...elseif...else stuff but I'm pretty sure that doesn't apply to
 FreeRADIUS config files.

  Unfortunately, yes.

 How would I configure the checkval module?  Is it even necessary to use the
 checkval module?  How would I configure the users file?  Is the users file
 even necessary?

  I wouldn't configure the checkval module.  Just the users module,
something like:

DEFAULT  LDAP-Group == faculty, Called-Station-Id != faculty, Auth-Type := 
Reject

DEFAULT  LDAP-Group == students, Called-Station-Id != students, Auth-Type := 
Reject

 P.S.  I don't know who to direct compliments to, but the FreeRADIUS code is
 probably the most beautifully structured source code I have ever read.  It
 is SO easy to read and extremely consistent!  It's phenomenal!

  You can thank everyone who contributed so far. :)

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Segmentation fault in 1.1.0-pre0

2005-12-19 Thread Alan DeKok
Norbert Wegener [EMAIL PROTECTED] wrote:
 freeradius-1.1.0-pre0 crashes when sending an Access-Accept:
 
 Program received signal SIGSEGV, Segmentation fault.
 0x4027ae77 in memset () from /lib/i686/libc.so.6
 (gdb) bt
 #0  0x4027ae77 in memset () from /lib/i686/libc.so.6
 #1  0x0020 in ?? ()
 #2  0x401f83eb in rad_vp2attr (packet=0x0, original=0x0, secret=0x0, 
 vp=0x0, ptr=0x0) at radius.c:256

  I can't *believe* it's the same dumb bug you reported before, but in
different code.  The passwd array should be (AUTH_STRING_LEN + 3)
bytes long.

  I'll commit a fix to CVS in a bit.  Dang, we really need a test suite.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: (no subject)

2005-12-19 Thread Bohannan, Chad W
Yes (using 802.1x or some other protocol)

Chad 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
debik
Sent: Tuesday, December 13, 2005 6:15 PM
To: FreeRadius users mailing list
Subject: (no subject)

Is it possible to authenticate users on a LAN with freeradius, without any
Access 
Point?

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Plain text password file

2005-12-19 Thread Alexander Lund
On 19/12/05, Phil Mayers [EMAIL PROTECTED] wrote:
 Alexander Lund wrote:
  Can somebody explain how to use rlm_passwd and a textfile with this setup:
  name:password:group
  and so on
  the order can be any way around, spaces can also be present.

 Wait: Are you saying that the file you *supply* freeradius may have
 spaces in it? That won't work, fix the file (it's not hard). Assuming
 that's not what you mean, and a format of:

 username:unixCryptPassword:ASingleGroupName

 ...then this should suffice:

 modules {
     passwd user_pass_group {
         filename = /path/to/file
         format = *User-Name:~Crypt-Password:~Group
     }
     pap {
         encryption_scheme = crypt
     }
 }
 authorize {
     preprocess
     user_pass_group
 }
 authenticate {
     Auth-Type PAP {
         pap
     }
 }

 ...it's so trivial I assume you need more than this. Are you having a
 specific problem? If you want to use other schemes such as chap, you may
 need the plaintext password, for example:

 for username:plaintextPassword:ASingleGroup

 modules {
     passwd u_g_p {
         filename = /path/to/file
         format = *User-Name:~User-Password:~Group
     }
     pap {
         encryption_scheme = clear
     }
     chap {
     }
 }
 authorize {
     preprocess
     u_g_p
     chap
     pap
 }
 authenticate {
     Auth-Type PAP {
         pap
     }
     Auth-Type CHAP {
         chap
     }
 }
No, the file I supply could have spaces if you needed it to solve my problem.



This is just the thing I need:

username:plaintextPassword:ASingleGroup



It's perfect, but I'd like to know exactly what I'm doing, so here's another question:

The password file: if I'm not thinking completely wrong, it shouldn't have any headers or a file extension.



And do I have to use CHAP? Or can I use PAP with plain text passwords?



Thanks for the help. If you come to Sweden I will buy you enough beers to make you regret coming here ;)
-- 
When there is no solution, there is no problem.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Client-IP-Address in detail files

2005-12-19 Thread [EMAIL PROTECTED]


hello,

I have recently upgraded from the CVS version as of 2005-02-19 to the one 
from 2005-12-17, and I no longer get the Client-IP-Address attribute in 
the files produced by the detail module.


On the other hand, the Client-IP-Address attribute is expanded 
correctly in SQL queries.


Is there something different? How can I add the Client-IP-Address 
attribute back to the detail files?


And something else: where can I find the syntax of the listen 
directive? (To remove the bind_address and port directives.)


thanks,
Razvan Radu


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius-Users Digest, Vol 8, Issue 82

2005-12-19 Thread Stefan Adams
Hey, guys!  Thanks for the great replies!!  I like what you suggested
better than what I've come up with in the meantime.  I think what I
came up with will work, it just seems messy/wrong/inefficient.  What
do you think?

modules {
ldap {
:
filter =
(&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=%{Called-Station-ID}))
:
}
attr_rewrite getssid {
attribute = Called-Station-Id
searchin = packet
searchfor = .:
replacewith = 
ignore_case = yes
new_attribute = no
}
}

authorize {
# for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
preprocess
eap
getssid
ldap
}

This cuts off the first 17 bytes and then a colon of the
Called-Station-ID (My AP transmits a dash separated MAC followed by a
colon and then the SSID).  Then it uses this rewritten
Called-Station-ID and uses that as a filter in the LDAP search. 
Therefore, if the SSID a user tries to connect to is not listed as an
attribute of the user's LDAP object, the user is denied.

Does that make sense?

But I am definitely going to try implementing the suggestions from
Dusty and Alan (below).

Thanks, guys!!

Stefan

 Date: Mon, 19 Dec 2005 11:02:33 -0500 (EST)
 From: Dusty Doris [EMAIL PROTECTED]
 Subject: Re: Authorization
 To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

  Let's say I have 2 groups: students and faculty.
  I want to authorize authenticated members of the LDAP group
  cn=students,ou=Groups IFF their Access-Request Called-Station-ID =~
  /:StudentWLAN$/
  I want to authorize authenticated members of the LDAP group
  cn=faculty,ou=Groups IFF their Access-Request Called-Station-ID =~
  /:FacultyWLAN$/


 You left out your ldap part?  Anyway it should look something like this.

 groupname_attribute = cn
 groupmembership_filter = 
 (&(objectclass=GroupOfNames)(member=%{Ldap-UserDN}))

 Of course you'll have to change that to fit with how your directory is
 structured.  Once you've got that part down, then in the users file you
 could do something like this.

 DEFAULT Called-Station-ID =~ /:StudentWLAN$/, Ldap-Group == students

 DEFAULT Called-Station-ID =~ /:FacultyWLAN$/, Ldap-Group == faculty

 DEFAULT Auth-Type := Reject

 That would look to see if Called-Station-ID matches that regex.  If so, it
 would look to see if they are in the Ldap-Group of students.  Your
 groupmembership filter and groupname_attribute should look for a group
 named cn=students and then see if the DN of the user is in it.

 If not, it would fall through to the Reject statement.  Now, there are
 other things going on outside of ldap that I don't really know about, so a
 copy/paste of what I wrote might not work.  But, it should help lead you
 in the right direction.

 I'd give it a shot running in debug mode (radiusd -X) and then you can see
 the exact queries that are taking place and what is happening.  You can
 then go back and modify those ldap group statements and the users file to
 fit what you need.

 Once you've got it started if you need more help, please post debug output
 and what you would expect vs what you got and we can probably help sort it
 out.

 --

 Message: 6
 Date: Mon, 19 Dec 2005 11:47:24 -0500
 From: Alan DeKok [EMAIL PROTECTED]
 Subject: Re: Authorization
 To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]

 Stefan Adams [EMAIL PROTECTED] wrote:
  I have read all the man pages and /docs and am having a difficult time
  understanding the authorization.  I keep wanting to write
  if...elseif...else stuff but I'm pretty sure that doesn't apply to
  FreeRADIUS config files.

   Unfortunately, yes.

  How would I configure the checkval module?  Is it even necessary to use the
  checkval module?  How would I configure the users file?  Is the users file
  even necessary?

   I wouldn't configure the checkval module.  Just the users module,
 something like:

 DEFAULT  LDAP-Group == faculty, Called-Station-Id != faculty, Auth-Type := 
 Reject

 DEFAULT  LDAP-Group == students, Called-Station-Id != students, Auth-Type 
 := Reject

  P.S.  I don't know who to direct compliments to, but the FreeRADIUS code is
  probably the most beautifully structured source code I have ever read.  It
  is SO easy to read and extremely consistent!  It's phenomenal!

   You can thank everyone who contributed so far. :)

   Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Auth All but only for those in my clients.conf

2005-12-19 Thread Mojo Jojo
sorry. why don't you post a debug output of the client attempt so we all 
have something to look at?


OK, here we go.. I changed my IPs and realm names to text similar to this: 
##MyRealmWasHere##


Again, I did want to mention that only CHAP requests fail; others go through 
fine with an Accept.



#

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host ##MyIPwasHere##:3457, id=0, 
length=57

   User-Name = [EMAIL PROTECTED]
   CHAP-Password = 0x7e842a573cd6363e06fe53a93a7b8d9e94
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: 
'/var/log/radius/radacct/##ClientIPwasHere##/auth-detail-20051219'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/##ClientIPwasHere##/auth-detail-20051219

 modcall[authorize]: module auth_log returns ok for request 0
 rlm_chap: Setting 'Auth-Type := CHAP'
 modcall[authorize]: module chap returns ok for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: Looking up realm ##MyDomainWasHere##/ for User-Name = 
[EMAIL PROTECTED]/.com

   rlm_realm: No such realm ##MyDomainWasHere##/.com
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
   users: Matched entry DEFAULT at line 156
 modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
 rlm_chap: login attempt by [EMAIL PROTECTED] with CHAP 
password
 rlm_chap: Could not find clear text password for user 
[EMAIL PROTECTED]

 modcall[authenticate]: module chap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): 
[EMAIL PROTECTED]/CHAP-Password] (from client ToddHome port 0)

Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to ##ClientIPwasHere##:3457
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 43a70341
Nothing to do.  Sleeping until we see a request.

### 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Auth All but only for those in my clients.conf

2005-12-19 Thread Mojo Jojo
You want to allow any client that matches what is in the clients.conf file 
in, correct?


Well, sort of.. I want to allow any authentication request which comes in 
from a client which is contained in the clients.conf file.



The secret in your clients.conf file is used to encrypt and sign packets 
between the clients and the server.  It is not used for authentication.


Based on what you mention here and what someone else on the list mentioned 
earlier, I think the reason the secret is ignored is because it is used to 
encrypt the auth info, which is basically nonexistent in an Auth All 
situation.


Am I getting this correct now?



Have you tried adding the IPs to some type of backend?

For example, if you used the users file and huntgroups file.

In huntgroups.

allow Client-IP-Address == 1.1.1.1
allow Client-IP-Address == 1.1.1.2
allow Client-IP-Address == 1.1.1.3

Then in users file

DEFAULT Huntgroup-Name == allow, Auth-Type := Accept

DEFAULT Auth-Type := Reject


Well, I don't understand the huntgroups and all just yet; I am new to 
FreeRadius (not to Radius in general, just FreeRadius). So, will this fix my 
issue where only CHAP requests are rejected? I am only having trouble with 
CHAP requests at this time; all other requests from allowed clients in the 
clients.conf file are getting an Accept back just as I want.


Since we use Qwest dialup as one of our wholesale solutions, they send CHAP 
and these are getting rejected still; all other vendors are working fine.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Client-IP-Address in detail files

2005-12-19 Thread Mojo Jojo
and something else. where can I find the syntax of the listen directive 
? (to remove bind_address and port directives)


It's in radiusd.conf..

Or maybe you are asking for an explanation of the syntax? If so, sorry I 
can't help with that.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Segmentation fault in 1.1.0-pre0

2005-12-19 Thread Alan DeKok
Norbert Wegener [EMAIL PROTECTED] wrote:
 freeradius-1.1.0-pre0 crashes when sending an Access-Accept:

  The branch_1_1 cvs should be fixed now.  I pulled the fix from the
CVS head.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius cannot Authenticate to Windows AD

2005-12-19 Thread Alan DeKok
Norbert Wegener [EMAIL PROTECTED] wrote:
 With the above changes rlm_ldap.c compiles and runs (at least for me).
 Will the patch mentioned at 
 http://bugs.freeradius.org/show_bug.cgi?id=183   become part of the next 
 official release?

  Something like it, perhaps.  The patch as-is isn't thread-safe.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Client-IP-Address in detail files

2005-12-19 Thread Alan DeKok
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Is there something different? How can I add the Client-IP-Address 
 attribute back to the detail files?

  For now, source code patches.

 And something else: where can I find the syntax of the listen 
 directive? (To remove the bind_address and port directives.)

  Huh?  What do you mean by that?

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius-Users Digest, Vol 8, Issue 82

2005-12-19 Thread Dusty Doris

On Mon, 19 Dec 2005, Stefan Adams wrote:


Hey, guys!  Thanks for the great replies!!  I like what you suggested
better than what I've come up with in the meantime.  I think what I
came up with will work, it just seems messy/wrong/inefficient.  What
do you think?

modules {
   ldap {
   :
   filter =

(&(uid=%{Stripped-User-Name:-%{User-Name}})
(radiusGroupName=%{Called-Station-ID}))
   :
   }
   attr_rewrite getssid {
   attribute = Called-Station-Id
   searchin = packet
   searchfor = .:
   replacewith = 
   ignore_case = yes
   new_attribute = no
   }
}

authorize {
   # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
   preprocess
   eap
   getssid
   ldap
}

This cuts off the first 17 bytes and then a colon of the
Called-Station-ID (My AP transmits a dash separated MAC followed by a
colon and then the SSID).  Then it uses this rewritten
Called-Station-ID and uses that as a filter in the LDAP search.
Therefore, if the SSID a user tries to connect to is not listed as an
attribute of the user's LDAP object, the user is denied.

Does that make sense?


That's a pretty neat idea.  The benefit of that is if you had multiple 
ldap instances and wanted to implement fail-over within freeradius.  To do 
it the traditional way, you would need this for fail-over with ldap-group 
checks if say you had two ldap instances.


DEFAULT	Called-Station-Id =~ /studentregex/, ldap1-Ldap-Group == 
students


DEFAULT Called-Station-Id =~ /studentregex/, ldap2-Ldap-Group == 
students


That is so it will check with ldap1 instance first.  If that fails, then 
check ldap2.


By doing it your way, you won't need to do that anymore.  Instead a 
redundant block in authorize would get you what you need already since the 
radiusGroupname inside your search filter takes care of the Ldap-Group 
check.


I wonder if you could use regex matches of Called-Station-ID in the 
huntgroups file.  You'll have to test this out, I doubt it would work, but 
it's another interesting idea.  I don't know if huntgroups accepts regex 
and if it can use things like Called-Station-Id.


in huntgroups

students    Called-Station-Id =~ /studentregex/
faculty     Called-Station-Id =~ /facultyregex/

Then in users file.

DEFAULT Ldap-Group == %{Huntgroup-Name}

Or your way.

(&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=%{Huntgroup-Name}))

See doc/configurable_failover and doc/rlm_ldap to see what I'm talking 
about with the failover.  If you have a load balancer in front of that 
ldap server, you won't need to worry about it.  But if you don't and you 
want to add redundancy, then its something you'll need to think about some 
day.  Freeradius can do the redundancy for you w/out a load balancer or 
shared IP using configurable failover.  Actually in the upcoming 1.1 
release it will also do load balancing for you in addition to failover 
inside your ldap blocks.


Hope I'm not too confusing.  My point is I like your idea and if it's 
working for you, it doesn't sound like a bad one to me.  You might want to 
try hitting it hard to see if the rewrite slows anything down, but I would 
bet it doesn't.


I'd also make sure to add an eq index to radiusgroupname, since you'll be 
using that as part of your search filter.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
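As an added worked example (not FreeRADIUS code, and not Stefan Adams' or Dusty Doris' configuration), the following Python reproduces the two authorization approaches discussed in this thread so they can be run side by side: Dusty's users-file entries, where a Called-Station-Id regex and an Ldap-Group check are tried in order and everything else falls through to Auth-Type := Reject, and Stefan's approach of stripping the AP MAC and colon from Called-Station-Id and requiring the remaining SSID to appear among the user's radiusGroupName values. The user names, group memberships, SSIDs and requests are constructed for the example; the Called-Station-Id layout (dash-separated MAC, colon, SSID) is the one Stefan describes. The last sample request is an input on which the two approaches differ: a Called-Station-Id whose SSID itself contains a colon.

```python
"""SSID-based authorisation from Called-Station-Id (added example)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for Ldap-Group membership (what the groupmembership_filter
# search would answer for each user).
LDAP_GROUPS: Dict[str, Set[str]] = {
    "stefan": {"faculty"},
    "sam": {"students"},
    "pat": {"students", "faculty"},
}
# Constructed stand-in for the radiusGroupName values on each user's LDAP object.
RADIUS_GROUP_NAME: Dict[str, Set[str]] = {
    "stefan": {"FacultyWLAN"},
    "sam": {"StudentWLAN"},
    "pat": {"StudentWLAN", "FacultyWLAN"},
}

# Dash-separated MAC (17 characters), a colon, then the SSID: Stefan's AP format.
MAC_SSID = re.compile(r"^([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}):(.*)$", re.S)


def split_called_station_id(csid: str) -> Tuple[str, str]:
    """'00-11-22-33-44-55:StudentWLAN' -> ('00-11-22-33-44-55', 'StudentWLAN').

    Splits only on the colon that follows the MAC, so an SSID containing a
    colon survives intact; anything not in MAC:SSID form is an error.
    """
    m = MAC_SSID.match(csid)
    if not m:
        raise ValueError(f"Called-Station-Id not in MAC:SSID form: {csid!r}")
    return m.group(1), m.group(2)


# Dusty's users-file entries as (check items, Auth-Type); None = no Auth-Type set.
CheckItem = Tuple[str, str, str]
USERS_FILE: List[Tuple[List[CheckItem], Optional[str]]] = [
    ([("Called-Station-Id", "=~", r":StudentWLAN$"), ("Ldap-Group", "==", "students")], None),
    ([("Called-Station-Id", "=~", r":FacultyWLAN$"), ("Ldap-Group", "==", "faculty")], None),
    ([], "Reject"),
]


def check_item_matches(item: CheckItem, request: Dict[str, str]) -> bool:
    attr, op, value = item
    if attr == "Ldap-Group":
        # Answered by the ldap module's group lookup, not by a request attribute.
        return value in LDAP_GROUPS.get(request["User-Name"], set())
    actual = request.get(attr)
    if actual is None:
        return False
    if op == "=~":
        return re.search(value, actual) is not None
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    raise ValueError(f"unsupported operator {op!r}")


def users_file_decision(request: Dict[str, str]) -> str:
    """First entry whose check items all match is taken (no Fall-Through).

    'Reject' comes from the catch-all entry; 'Continue' means a matching entry
    set no Auth-Type, so the request goes on to authentication and the user
    still has to prove the password.
    """
    for check_items, auth_type in USERS_FILE:
        if all(check_item_matches(item, request) for item in check_items):
            return auth_type or "Continue"
    return "Continue"


def rewrite_decision(request: Dict[str, str]) -> str:
    """Stefan's approach: the SSID left after the rewrite must be one of the
    user's radiusGroupName values, i.e. the search
    (&(uid=<user>)(radiusGroupName=<ssid>)) returns the object."""
    _mac, ssid = split_called_station_id(request["Called-Station-Id"])
    if ssid in RADIUS_GROUP_NAME.get(request["User-Name"], set()):
        return "Continue"
    return "Reject"


def decide(user: str, csid: str) -> Tuple[str, str]:
    """(users-file decision, rewrite decision) for one constructed request."""
    request = {"User-Name": user, "Called-Station-Id": csid}
    return users_file_decision(request), rewrite_decision(request)


if __name__ == "__main__":
    for user, csid in [("sam", "00-11-22-33-44-55:StudentWLAN"),
                       ("sam", "00-11-22-33-44-55:FacultyWLAN"),
                       ("pat", "00-11-22-33-44-55:FacultyWLAN"),
                       ("sam", "00-11-22-33-44-55:Guest:StudentWLAN")]:
        print(user, csid, decide(user, csid))
```

Because the regex in the users-file entries is anchored only at the end, `:StudentWLAN$` also matches a Called-Station-Id such as `00-11-22-33-44-55:Guest:StudentWLAN`, while the rewrite approach sees the SSID `Guest:StudentWLAN` and rejects. Anchoring the regex to the MAC prefix (for example `^[0-9A-Fa-f-]{17}:StudentWLAN$`) makes the two agree. The Ldap-Group check here is a dictionary lookup standing in for the ldap module's group search.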


Re: Auth All but only for those in my clients.conf

2005-12-19 Thread Dusty Doris
The secret in your clients.conf file is used to encrypt and sign packets 
between the clients and the server.  It is not used for authentication.


Based on what you mention here and what someone else on the list mentioned 
earlier, I think the reason the secret is ignored is because it is used to 
encrypt the auth info, which is basically nonexistent in an Auth All 
situation.


Am I getting this correct now?


Yep


Well, I don't understand the huntgroups and all just yet; I am new to 
FreeRadius (not to Radius in general, just FreeRadius). So, will this fix my 
issue where only CHAP requests are rejected? I am only having trouble with 
CHAP requests at this time; all other requests from allowed clients in the 
clients.conf file are getting an Accept back just as I want.




The huntgroups file is pretty easy to understand.  Just read the comments 
in it.


But, now that you mention it.  Your Auth-Type := Accept is still working 
with chap.  Perhaps what I told you won't make a difference.  Do you have 
anything in your authorize and authenticate section?  Perhaps you ought to 
just try this.


Comment out everything in authorize except for preprocess and files, so it 
would look like this w/out the comments.


authorize {
 preprocess
 files
}

authenticate {
}

That way the only thing that is touched is the users file.  I'd be willing 
to bet that you have chap listed in authorize right now and it's before 
the files section.


So, its hitting the chap section of authorize and doesn't see a chap 
passwd and fails which causes a reject before it even gets to the files 
section.


Just a guess?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Auth All but only for those in my clients.conf

2005-12-19 Thread Dusty Doris
Again, I did want to mention that only CHAP requests fail; others go through 
fine with an Accept.



#

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host ##MyIPwasHere##:3457, id=0, 
length=57

  User-Name = [EMAIL PROTECTED]
  CHAP-Password = 0x7e842a573cd6363e06fe53a93a7b8d9e94
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: 
'/var/log/radius/radacct/##ClientIPwasHere##/auth-detail-20051219'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/##ClientIPwasHere##/auth-detail-20051219

modcall[authorize]: module auth_log returns ok for request 0


I think this is the problem.  Try commenting out chap in the authorize 
section.



rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
  rlm_realm: Looking up realm ##MyDomainWasHere##/ for User-Name = 
[EMAIL PROTECTED]/.com

  rlm_realm: No such realm ##MyDomainWasHere##/.com
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
  users: Matched entry DEFAULT at line 156


I'd have to assume this matched line (156) is your Auth-Type := 
Accept.  However, for some reason it's not overriding the Auth-Type := 
CHAP that was set earlier by the chap section of authorize.



modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_chap: login attempt by [EMAIL PROTECTED] with CHAP password
rlm_chap: Could not find clear text password for user 
[EMAIL PROTECTED]

modcall[authenticate]: module chap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): 
[EMAIL PROTECTED]/CHAP-Password] (from client ToddHome port 0)

Delaying request 0 for 1 seconds
Finished request 0


Try commenting out chap in authorize and authenticate and see what 
happens.


Re: Client-IP-Address in detail files

2005-12-19 Thread [EMAIL PROTECTED]


see in line comments please.

Alan DeKok wrote:


[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 

is there something different ? how can I add Client-IP-Address 
attribute back to the detail files ?
   



 For now, source code patches.
 



I am interested to know if this is the intended functionality, or if it 
will revert to the way it was in the past. I have an application that 
processes these files and depends on the Client-IP-Address attribute. I 
want to prepare for the 1.1.0 release.


 

and something else. where can I find the syntax of the listen 
directive ? (to remove bind_address and port directives)
   



 Huh?  What do you mean by that?
 

I am searching for a doc or example, currently I have bind_address = * 
and port = 0 and I do not know how to convert them to listen :)


thanks,
Razvan Radu




Re: UltaMonkey 3 and FreeRadius

2005-12-19 Thread Lewis Bergman

Hugues Lepesant wrote:

Hi all,

I want to build a high availability radius platform based on OpenSource 
software.


To do so I've patched /usr/sbin/ldirectord with Matteo Bertato & Horms' 
patch found here


http://lists.community.tummy.com/pipermail/linux-ha-dev/2005-September/011662.html 



It works fine, I make the load balancing for both auth [1812] and 
accounting [1813].


But I've a strange behavior when freeradius is started as a daemon: the servers
are never enabled for auth by ipvsadm. I must start freeradius in debug 
mode (-X) on the radius server to be enabled by the load-balancers. Even 
if I can make some successful radtest from the load-balancers, and the 
log of ldirectord seems to be ok.


I'm not sure it's UltraMonkey's fault, I have tested with the last 
freeradius version and it's the same :(


Does anyone have any idea where it can come from ?


I have a redundant setup with no patches using
freeradius 1.0.5
mysql cluster 4.1.14max
no patches required.
--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax  325-695-6841


pam_radius_auth

2005-12-19 Thread John Kelly
The pam_radius_auth README says "It allows ... password change
requests."  But the USAGE file says "Password changing is not
implemented."

That sounds contradictory.




Re: Auth All but only for those in my clients.conf

2005-12-19 Thread Mojo Jojo
Comment out everything in authorize except for preprocess and files, so it 
would look like this w/out the comments.


authorize {
 preprocess
 files
}

authenticate {
}



Cool, it worked! I didn't do exactly what you said but close.

I found this section:

###
   #
   #  The chap module will set 'Auth-Type := CHAP' if we are
   #  handling a CHAP request and Auth-Type has not already been set
   #chap
##

I just commented out the chap line and that did the trick!

Thanks a ton for your help and thanks to the others that offered advice.

--Todd 





Re: Authorization

2005-12-19 Thread Stefan Adams
Dusty,

Thanks for your fine input and the reminder on the index (I completely
forgot about that).  I'll give the ldap module filter a go with the
attr_rewrite.  I like keeping attributes with the user object, rather
than spreading usernames around to various other objects.  With this
implementation, to me, the extra benefit is that I can just add a
radiusGroupName attribute = X to each user object.

BTW, on the attr_rewrite, can I use more advanced regex than just
: ?  It works and always will work, but it would be
more clear in the config file if I could say
([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2}):
or something to that effect...  I couldn't get ANY regex to work
except the .  Does that seem right?

Stefan

 Message: 4
 Date: Mon, 19 Dec 2005 14:52:10 -0500 (EST)
 From: Dusty Doris [EMAIL PROTECTED]
 Subject: Re: Freeradius-Users Digest, Vol 8, Issue 82
 To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

 On Mon, 19 Dec 2005, Stefan Adams wrote:

  Hey, guys!  Thanks for the great replies!!  I like what you suggested
  better than what I've come up with in the meantime.  I think what I
  came up with will work, it just seems messy/wrong/inefficient.  What
  do you think?
 
  modules {
 ldap {
 :
 filter =
 
 (&(uid=%{Stripped-User-Name:-%{User-Name}})
 (radiusGroupName=%{Called-Station-ID}))
 :
 }
 attr_rewrite getssid {
 attribute = Called-Station-Id
 searchin = packet
 searchfor = .:
 replacewith = 
 ignore_case = yes
 new_attribute = no
 }
  }
 
  authorize {
 # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
 preprocess
 eap
 getssid
 ldap
  }
 
  This cuts off the first 17 bytes and then a colon of the
  Called-Station-ID (My AP transmits a dash separated MAC followed by a
  colon and then the SSID).  Then it uses this rewritten
  Called-Station-ID and uses that as a filter in the LDAP search.
  Therefore, if the SSID a user tries to connect to is not listed as an
  attribute of the user's LDAP object, the user is denied.
 
  Does that make sense?

 That's a pretty neat idea.  The benefit of that is if you had multiple
 ldap instances and wanted to implement fail-over within freeradius.  To do
 it the traditional way, you would need this for fail-over with ldap-group
 checks if say you had two ldap instances.

 DEFAULT Called-Station-Id =~ /studentregex/, ldap1-Ldap-Group ==
 students

 DEFAULT Called-Station-Id =~ /studentregex/, ldap2-Ldap-Group ==
 students

 That is so it will check with ldap1 instance first.  If that fails, then
 check ldap2.

 By doing it your way, you won't need to do that anymore.  Instead a
 redundant block in authorize would get you what you need already since the
 radiusGroupname inside your search filter takes care of the Ldap-Group
 check.

 I wonder if you could use regex matches of Called-Station-ID in the
 huntgroups file.  You'll have to test this out, I doubt it would work, but
 it's another interesting idea.  I don't know if huntgroups accepts regex
 and if it can use things like Called-Station-Id

 in huntgroups

 studentsCalled-Station-Id =~ /studentregex/
 faculty Called-Station-Id =~ /facultyregex/

 Then in users file.

 DEFAULT Ldap-Group == %{Huntgroup-Name}

 Or your way.

 (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=%{Huntgroup-Name}))

 See doc/configurable_failover and doc/rlm_ldap to see what I'm talking
 about with the failover.  If you have a load balancer in front of that
 ldap server, you won't need to worry about it.  But if you don't and you
 want to add redundancy, then it's something you'll need to think about some
 day.  Freeradius can do the redundancy for you w/out a load balancer or
 shared IP using configurable failover.  Actually in the upcoming 1.1
 release it will also do load balancing for you in addition to failover
 inside your ldap blocks.

 Hope I'm not too confusing.  My point is I like your idea and if it's
 working for you, it doesn't sound like a bad one to me.  You might want to
 try hitting it hard to see if the rewrite slows anything down, but I would
 bet it doesn't.

 I'd also make sure to add an eq index to radiusgroupname, since you'll be
 using that as part of your search filter.



Re: Plain text password file

2005-12-19 Thread Phil Mayers

Alexander Lund wrote:
No, the file I supply could have spaces if you needed it to solve my 
problem.


Ok that's fine then



This is just the thing I need:
username:plaintextPassword:ASingleGroup

It's perfect, but I'd like to know exactly what I'm doing, so here's another 
question.
The password file: if I'm not thinking completely wrong, it shouldn't have 
any headers or a file extension


It definitely shouldn't have any headers. The actual name of the file is 
irrelevant, including extension - FreeRadius doesn't care.




And do I have to use Chap? or can I use PAP with plain text passwords.


No, PAP is easy to do - the first example can be trivially modified to:

modules {
   passwd user_pass_group {
 filename = /path/to/file
 format = *User-Name:~User-Password:~Group
   }
   pap {
 encryption_scheme = clear
   }
}

authorize {
   preprocess
   user_pass_group
}
authenticate {
   Auth-Type PAP {
 pap
   }
}

...the only difference is you put User-Password in the file format, 
telling it the cleartext password is there, and tell PAP not to bother 
re-encrypting (encryption_scheme = clear)


One final thing to note - FreeRadius does NOT see changes to the file 
after it has started up. You will need to HUP the server for the file to 
be reloaded into memory.


Hope that helps.
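
The two checks behind this thread and the earlier "Auth All" thread (where rlm_chap logged "Could not find clear text password"), as an added Python example that is not code from the list or from FreeRADIUS: it reads a file in the passwd-module layout Phil shows above and verifies a PAP password and a CHAP response against it. The sample file contents, user names and passwords are constructed. The CHAP computation follows RFC 1994 (MD5 over identifier, secret and challenge), which is exactly why CHAP can only be checked when the server holds the cleartext password, while PAP only needs a comparison.

```python
"""Added example, not from the list posts: reader for the
'username:plaintextPassword:group' file discussed in the thread plus the
PAP and CHAP checks FreeRADIUS's pap and chap modules need from it."""
import hashlib
import hmac
import os

# Constructed sample in the '*User-Name:~User-Password:~Group' layout:
# one user per line, no header line, no particular file extension.
SAMPLE_PASSWD_FILE = """alice:s3cretPass:staff
bob:hunter2:students
"""


def load_passwd_file(text):
    """Parse 'username:plaintextPassword:group' lines into a dict.
    Blank and '#' lines are ignored, lines without exactly three fields
    are skipped, and the first occurrence of a user name wins."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            continue
        name, password, group = parts
        users.setdefault(name, {"password": password, "group": group})
    return users


def pap_check(users, name, offered):
    """PAP: the request carries the password itself (hidden on the wire
    with the shared secret), so the check is a constant-time comparison."""
    entry = users.get(name)
    if entry is None:
        return False
    return hmac.compare_digest(entry["password"].encode(), offered.encode())


def chap_response(ident, password, challenge):
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_check(users, name, chap_password, challenge):
    """CHAP: CHAP-Password is 1 byte of identifier plus the 16-byte MD5
    response.  Recomputing it needs the cleartext password, which is why
    a users entry without one makes rlm_chap return 'invalid'."""
    entry = users.get(name)
    if entry is None or len(chap_password) != 17:
        return False
    ident, given = chap_password[0], chap_password[1:]
    expected = chap_response(ident, entry["password"], challenge)
    return hmac.compare_digest(expected, given)


def demo():
    """Run both checks against the constructed file and return the outcomes."""
    users = load_passwd_file(SAMPLE_PASSWD_FILE)
    challenge = os.urandom(16)  # normally sent by the NAS as CHAP-Challenge
    chap_pw = bytes([7]) + chap_response(7, "s3cretPass", challenge)
    return {
        "pap_ok": pap_check(users, "alice", "s3cretPass"),
        "pap_bad": pap_check(users, "alice", "wrong"),
        "chap_ok": chap_check(users, "alice", chap_pw, challenge),
        "chap_bad": chap_check(users, "bob", chap_pw, challenge),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off the thread implies: CHAP only works when the server stores the cleartext password, so the file needs the same protection as any credential store (restrictive permissions, and the HUP Phil mentions so that edits are actually picked up).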


Re: Authorization

2005-12-19 Thread Dusty Doris


Thanks for your fine input and the reminder on the index (I completely
forgot about that).  I'll give the ldap module filter a go with the
attr_rewrite.  I like keeping attributes with the user object, rather
than spreading usernames around to various other objects.  With this
implementation, to me, the extra benefit is that I can just add a
radiusGroupName attribute = X to each user object.


You can also use the ldap-group variable that I showed you before on the 
user level by defining the groupmembership_attribute.  By default it's 
radiusGroupname, so that should already work for you.  So either way 
should work for you; personally, I like having it in the filter as your 
example showed.  I am doing that now in a little different way.  I'll 
write it up someday.



BTW, on the attr_rewrite, can I use more advanced regex than just
: ?  It works and always will work, but it would be
more clear in the config file if I could say
([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2}):
or something to that effect...  I couldn't get ANY regex to work
except the .  Does that seem right?

Stefan


Unfortunately, I don't know too much about attr_rewrite, but I'm sure some 
others on this list could help with that one.  It looks about right to me.


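
The filter approach Stefan describes and Dusty endorses in this thread, as an added Python example that is neither code from the list nor from rlm_ldap: it pulls the SSID out of a Called-Station-Id in the "dash-separated MAC, colon, SSID" format the post describes, builds the thread's LDAP filter with the expanded values escaped as RFC 4515 requires, and evaluates it against a constructed in-memory directory. The directory entries, user names and SSIDs are made up; whether a particular rlm_ldap version escapes xlat-expanded values for you is something to confirm against its documentation, which the thread does not cover.

```python
"""Added example, not from the list posts: SSID extraction, LDAP filter
construction with RFC 4515 escaping, and a tiny evaluator for the
'(&(uid=...)(radiusGroupName=...))' filter shape used in the thread."""
import re

# The thread's filter, with the '&' conjunction written out.
FILTER_TEMPLATE = "(&(uid={uid})(radiusGroupName={ssid}))"

# 17-character dash-separated MAC, a colon, then the SSID (which may
# itself contain a colon, so only the first one is the separator).
CALLED_STATION_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(?P<ssid>.+)$")


def ssid_from_called_station_id(value):
    """Return the SSID, or None for an unexpected format (fail closed)."""
    m = CALLED_STATION_RE.match(value)
    return m.group("ssid") if m else None


def ldap_escape(value):
    """RFC 4515 escaping for a value interpolated into a search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldap_unescape(value):
    """Inverse of ldap_escape, used by the evaluator below."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_filter(user_name, called_station_id):
    """Expand the template the way the thread's config would, escaped."""
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid is None:
        return None
    return FILTER_TEMPLATE.format(uid=ldap_escape(user_name),
                                  ssid=ldap_escape(ssid))


# Constructed directory: uid -> multi-valued radiusGroupName attribute.
DIRECTORY = {
    "alice": ["staff-wifi", "guest"],
    "bob": ["students"],
}

# Only the template's exact shape is understood; escaped values contain
# no literal parentheses, so the two assertion values parse unambiguously.
FILTER_SHAPE = re.compile(
    r"^\(&\(uid=([^()]*)\)\(radiusGroupName=([^()]*)\)\)$")


def search(flt):
    """Return the uids matching the filter against DIRECTORY."""
    m = FILTER_SHAPE.match(flt)
    if not m:
        return []
    uid, ssid = (ldap_unescape(v) for v in m.groups())
    return [u for u, groups in DIRECTORY.items()
            if u == uid and ssid in groups]


def authorize(user_name, called_station_id):
    """Accept only when exactly one user object carries the SSID."""
    flt = build_filter(user_name, called_station_id)
    return flt is not None and len(search(flt)) == 1
```

The two decisions worth noting: a Called-Station-Id that does not match the expected layout yields no filter at all rather than an empty SSID, and the user name is escaped before interpolation so that a value containing `*`, `(` or `)` is compared literally instead of changing the filter's structure.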


Propel - unknown-vendor 14895, size 6 =

2005-12-19 Thread Mojo Jojo

I have an issue I want to ask for a little help with.



We need our secondary to authenticate Propel users and I have made sure this 
is in my dictionary.propel file:




###

VENDOR      Propel  14895

BEGIN-VENDOR    Propel

ATTRIBUTE   Propel-Accelerate               1   integer
ATTRIBUTE   Propel-Dialed-Digits            2   string
ATTRIBUTE   Propel-Client-IP-Address        3   ipaddr
ATTRIBUTE   Propel-Client-NAS-IP-Address    4   ipaddr
ATTRIBUTE   Propel-Client-Source-ID         5   integer
ATTRIBUTE   Propel-Content-Filter-ID        6   integer

END-VENDOR  Propel

###





Also, the dictionary.propel is included correctly in the main dictionary 
file.




I have added this line to my default user setup in the users file:



###

Propel-Accelerate  = 1,

###



For some reason instead of getting this back when testing with my test 
client:




#

Propel-Accelerate  = 1

#





I get this:





unknown-vendor 14895, size 6 = 







Any idea why?




Re: Propel - unknown-vendor 14895, size 6 =

2005-12-19 Thread Mojo Jojo
Just wanted to add to this that I find it strange that when I look at this 
at the debug console, it shows that it's sending the info correctly. The 
error appears only when testing from a remote client test utility called NT 
radping.


#Debug output##

Sending Access-Accept of id 0 to ##MyClientIPhere##:4117
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Session-Timeout = 86400
   Idle-Timeout = 1200
   Port-Limit = 2
   Ascend-Data-Filter += ip in forward tcp est
   Ascend-Data-Filter += ip in forward dstip ##MyMailIPrangeHere## 0
   Ascend-Data-Filter += ip in forward dstip ##MyMailIPrangeHere## 0
   Ascend-Data-Filter += ip in drop tcp dstport = 25
   Ascend-Data-Filter += ip in drop tcp srcport = 80
   Ascend-Data-Filter += ip in forward 0
   Propel-Accelerate = 1
Finished request 0
Going to the next request


- Original Message - 
From: Mojo Jojo [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, December 19, 2005 8:53 PM
Subject: Propel - unknown-vendor 14895, size 6 = 



I have an issue I want to ask for a little help with.



We need our secondary to authenticate Propel users and I have made sure 
this is in my dictionary.propel file:




###

VENDOR      Propel  14895

BEGIN-VENDOR    Propel

ATTRIBUTE   Propel-Accelerate               1   integer
ATTRIBUTE   Propel-Dialed-Digits            2   string
ATTRIBUTE   Propel-Client-IP-Address        3   ipaddr
ATTRIBUTE   Propel-Client-NAS-IP-Address    4   ipaddr
ATTRIBUTE   Propel-Client-Source-ID         5   integer
ATTRIBUTE   Propel-Content-Filter-ID        6   integer

END-VENDOR  Propel

###





Also, the dictionary.propel is included correctly in the main dictionary 
file.




I have added this line to my default user setup in the users file:



###

Propel-Accelerate  = 1,

###



For some reason instead of getting this back when testing with my test 
client:




#

Propel-Accelerate  = 1

#





I get this:





unknown-vendor 14895, size 6 = 







Any idea why?







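
What the "unknown-vendor 14895, size 6" output in these two Propel posts corresponds to on the wire, as an added Python example that is not code from the posts, from FreeRADIUS or from the radping tool: it encodes Propel-Accelerate = 1 as an RFC 2865 Vendor-Specific attribute and decodes it once with the post's dictionary and once without. The vendor id and attribute numbers are the ones in the posted dictionary.propel; the encoder and decoder are a minimal illustration of the VSA layout, not a RADIUS library, and the byte values are constructed.

```python
"""Added example, not from the list posts: RFC 2865 Vendor-Specific
attribute encoding for the posted Propel dictionary, and what a decoder
can report with and without that dictionary."""
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type for VSAs
PROPEL_VENDOR_ID = 14895    # VENDOR line in the posted dictionary.propel

# dictionary.propel from the post, as vendor type -> (name, data type).
PROPEL_DICT = {
    1: ("Propel-Accelerate", "integer"),
    2: ("Propel-Dialed-Digits", "string"),
    3: ("Propel-Client-IP-Address", "ipaddr"),
    4: ("Propel-Client-NAS-IP-Address", "ipaddr"),
    5: ("Propel-Client-Source-ID", "integer"),
    6: ("Propel-Content-Filter-ID", "integer"),
}


def encode_vsa(vendor_id, vendor_type, payload):
    """Build one Vendor-Specific AVP: type 26, length, 4-byte vendor id,
    then the vendor's own TLV (vendor type, vendor length, value)."""
    vendor_tlv = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    header = struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vendor_tlv), vendor_id)
    return header + vendor_tlv


def decode_vsa(avp, dictionaries):
    """Decode a single VSA.  Without a dictionary for the vendor the only
    facts available are the vendor id and the size of the vendor TLV, which
    is what a message like 'unknown-vendor 14895, size 6' is reporting."""
    if len(avp) < 8:
        raise ValueError("Vendor-Specific attribute too short")
    attr_type, length, vendor_id = struct.unpack("!BBI", avp[:6])
    if attr_type != VENDOR_SPECIFIC or length != len(avp):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_tlv = avp[6:]
    vdict = dictionaries.get(vendor_id)
    if vdict is None:
        return "unknown-vendor %d, size %d" % (vendor_id, len(vendor_tlv))
    vtype, vlen = vendor_tlv[0], vendor_tlv[1]
    value = vendor_tlv[2:vlen]
    name, kind = vdict.get(vtype, ("unknown-attr-%d" % vtype, "octets"))
    if kind == "integer" and len(value) == 4:
        shown = str(struct.unpack("!I", value)[0])
    elif kind == "ipaddr" and len(value) == 4:
        shown = ".".join(str(b) for b in value)
    elif kind == "string":
        shown = value.decode("utf-8", "replace")
    else:
        shown = "0x" + value.hex()
    return "%s = %s" % (name, shown)


def propel_accelerate_avp(flag=1):
    """The reply attribute from the post, Propel-Accelerate = <flag>."""
    return encode_vsa(PROPEL_VENDOR_ID, 1, struct.pack("!I", flag))


if __name__ == "__main__":
    avp = propel_accelerate_avp(1)
    print(avp.hex())
    print(decode_vsa(avp, {}))
    print(decode_vsa(avp, {PROPEL_VENDOR_ID: PROPEL_DICT}))
```

The 6 in "size 6" is the vendor TLV for an integer attribute: one byte of vendor type, one byte of vendor length and a 4-byte value. Any receiver that lacks the vendor's dictionary can only print that much, regardless of what the sending server's debug output shows.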


Authorize a group by multivalued Service-Type (in MySql)

2005-12-19 Thread Hamzeh Motahari
Hello,

We have a problem using mysql. We have defined a group (e.g. admin) in mysql and wanted to assign it a multivalued attribute (e.g. Service-Type) in order to have different services, but it does not work properly. It only accepts requests with the smaller id (i.e. 12) and rejects the other one (i.e. 13).

+----+-----------+--------------+----+-------------+
| id | GroupName | Attribute    | op | Value       |
+----+-----------+--------------+----+-------------+
|  5 | user      | Auth-Type    | := | Local       |
|  4 | admin     | Auth-Type    | := | Local       |
| 12 | admin     | Service-Type | == | Login-User  |
| 13 | admin     | Service-Type | == | Framed-User |
+----+-----------+--------------+----+-------------+

Is there any solution? (We have already inserted "Fall-Through" in the radgroupreply table and radgroupcheck table and turned it to "Yes" - in XOR manner - but it does not work).

Thanks in advance,
Amin and Hamzeh