DNS non reachable

2006-01-04 Thread Santiago Balaguer García
Hi people,
 
  I noticed a possible error in freeradius 1.0.5 running in a Debian Server. I use clients.conf file to list my NAS clients. What happens if one DNS entry in clients.conf is not reachable by the RADIUS server? My experience is when you re-launch the radiusd process, this process cannot continue if you don't erase this wrong entry.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: DNS non reachable

2006-01-04 Thread Bjørn Mork
Santiago Balaguer García <[EMAIL PROTECTED]> writes:

>   I noticed a possible error in freeradius 1.0.5 running in a Debian
> Server. I use clients.conf file to list my NAS clients. What happens
> if one DNS entry in clients.conf is not reachable by the RADIUS
> server? My experience is when you re-launch the radiusd process,
> this process can not continue if you don't erase this wrong entry.

Use IP addresses in clients.conf if you can't guarantee that DNS never
will fail.  

I.e. always use IP addresses in clients.conf.


Bjørn
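
The advice in this thread, turned into a pre-flight check. This is an added example, not code from the list or from FreeRADIUS: it lists every `client` entry in a clients.conf that is a hostname rather than an IP address or network, and flags the ones that do not resolve. The sample file, host names and function names are constructed for illustration.

```python
import ipaddress
import re
import socket

# Constructed sample in clients.conf syntax; addresses and names are
# documentation/reserved values, not taken from the original posts.
SAMPLE_CLIENTS_CONF = """\
client 192.0.2.10 {
    secret    = testing123
    shortname = nas-by-ip
}
client 192.0.2.0/24 {
    secret    = testing123
    shortname = nas-by-network
}
client nas1.example.org {      # depends on DNS at startup
    secret    = testing123
    shortname = nas-by-name
}
client gone.example.invalid {  # stale DNS entry
    secret    = testing123
    shortname = nas-stale
}
"""

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{")


def system_resolver(name):
    """Addresses the local resolver returns for name, [] if lookup fails."""
    try:
        infos = socket.getaddrinfo(name, None)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})


def classify(identifier, resolver=system_resolver):
    """Return (status, addresses) for one client identifier.

    status is "literal" for an IP address or network (no DNS involved),
    "resolves" for a hostname with at least one address, and
    "unresolvable" for a hostname the resolver cannot look up.
    """
    try:
        ipaddress.ip_network(identifier, strict=False)
        return "literal", []
    except ValueError:
        pass
    addresses = resolver(identifier)
    return ("resolves" if addresses else "unresolvable"), addresses


def audit_clients(conf_text, resolver=system_resolver):
    """Scan clients.conf text and classify every 'client <id> {' stanza."""
    report = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        code = line.split("#", 1)[0]          # ignore trailing comments
        match = CLIENT_RE.match(code)
        if not match:
            continue
        status, addresses = classify(match.group(1), resolver)
        report.append({"line": lineno, "client": match.group(1),
                       "status": status, "addresses": addresses})
    return report


def unresolvable(report):
    """Client names that cannot be resolved right now."""
    return [e["client"] for e in report if e["status"] == "unresolvable"]


if __name__ == "__main__":
    for entry in audit_clients(SAMPLE_CLIENTS_CONF):
        print("line %(line)d: %(client)s -> %(status)s %(addresses)s" % entry)
```

Entries reported as "resolves" still depend on DNS at every restart; only "literal" entries are independent of it.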



Re: CiscoAP->Freeradius->AD->ISA(ntlm authentication)

2006-01-04 Thread Konne




hi

yes i know they have to authenticate two times. but in my case its not
so easy. we have more than 400 pc connected to the domain (wired), so
they will be authenticated transparently through the ISA. then a lot
they arent in the domain (also wired). they are only authenticating
against the ISA because they need only to surf the internet.
now we need accesspoints. what would be the best way. we need also some
filtering service (websense) which is installed on the ISA. so the new
clients (wireless) have to surf through the ISA. so it isnt possible to
omit the ISA authentication. i would omit the chilli authentication.

whats the best and secure way to authenticate my wirelessclients. they
will be MacOS, *nix, Windows2000/XP
EAP-TTLS/mschapv2 ???

if it's too difficult i would leave out the ISA, so they would
authenticate only against the AD.

thx



Alan DeKok wrote:

> Konne <[EMAIL PROTECTED]> wrote:
>
> > Freeradius looks in the ActiveDirectory if the
> > user exists and has the rights to connect to the internet. if the
> > authentication is ok,  the user must surf over a ISA because there is
> > installed websense.
>
>   That's not helpful.  You're saying that even though you know only
> authenticated users access your net, you still make them authenticate
> again?
>
> > is it possible to have a transparent authentication
> > through the isa-server. i mean if the client is in the condition that he
> > can send the ntlm authentication, that he doesn't have to authenticate
> > twice times. one time on the chillispot and the second on the isa
> > server. is there any possibility?
>
>   The only way to do that is if the RADIUS server can tell the isa
> that the user is OK, and they don't have to be authenticated.  See the
> isa docs for if this is possible, and if possible, how.  Then write a
> script on FreeRADIUS to send the information isa needs.
>
>   In general, what you want to do is difficult, because most people
> don't do it.  And most people don't do it because authenticating
> people twice is pointless.
>
>   Alan DeKok.


Re: Doc's?

2006-01-04 Thread A . L . M . Buxey
Hi,

> I am wanting to replace radiator radius with freeradius, but I can not find
> any documentation on how to setup and configure freeradius. I have visited
> the wiki page but do not see any howto's or anything. Can someone send me a
> link to the documentation on how to setup and configure freeradius and
> dialup_admin?

either download the archive and read the docs in the docs directory, download
the archive and buy the O'Reilly book, or download the archive and read the docs
at http://www.freeradius.org/usage.html (linked as 'installation guide' from
the download page)

alan


Roaming with WPA-Enterprise/Radius

2006-01-04 Thread DI PAOLA ., VIERI




Hello,

I have freeRadius version 1.0.5 on gentoo Linux (r3).
I am using three Linksys WAP54G access points.
I've managed to roam seamlessly both with Broadcom and Intel wireless
laptops. However, this is true for open APs or with WEP encryption. If I
use WPA-Enterprise with a Radius server, there's a long delay when
switching between APs (10 seconds).

The test environment is as follows:
freeRadius.org Gentoo Linux server --- 3 Linksys WAP54G APs configured
with WPA-Enterprise w/Radius --- 1 roaming laptop

The delay seems to be due to re-authentication with the freeRadius server
and that seems to be "expensive".
Is there a way of "caching" or "pre-authenticating" or "propagating
authentication between APs"?
Has anyone found a solution to this roaming problem in case one uses
WPA-Enterprise/Radius?
Regards,
Vieri

Re: Roaming with WPA-Enterprise/Radius

2006-01-04 Thread Zoltan Ori
On Wednesday 04 January 2006 07:07, DI PAOLA ., VIERI wrote:
>
> Is there a way of "caching" or "pre-authenticating" or "propagating
> authentication between APs"?
>
> Has anyone found a solution to this roaming problem in case one uses
> WPA-Enterprise/Radius?
>

IAPP - IEEE 802.11F


Zoltan Ori



Re: Roaming with WPA-Enterprise/Radius

2006-01-04 Thread Artur Hecker

hmmm, seriously though:

- does anyone know of any APs on the market which support 802.11f?
- has anyone ever seen a reasonable non-proprietary definition of the  
container content for the context transfer?
- has anyone ever thought of implementing the support for 802.11f  
into freeradius? (i know alan hates its double-nested attributes :-) )

- what about the preauthentication definitions in 802.11i?


ciao
artur


On 4 Jan 2006, at 14:07, Zoltan Ori wrote:

> On Wednesday 04 January 2006 07:07, DI PAOLA ., VIERI wrote:
>
>> Is there a way of "caching" or "pre-authenticating" or "propagating
>> authentication between APs"?
>>
>> Has anyone found a solution to this roaming problem in case one uses
>> WPA-Enterprise/Radius?
>
> IAPP - IEEE 802.11F
>
>
> Zoltan Ori



802.1x, WinXP and LDAP

2006-01-04 Thread Gary Algier

Hello:

I am trying to get an HP Procurve 2650 Ethernet switch to use Freeradius
1.0.5 for 802.1x auth.  The backend is Sun's directory server with all
the necessary SambaNTPassword attributes, etc. to make Samba work.

The client is a WinXP system.  I am using the builtin
supplicant.  I can get it to work with the "Automatically use my
Windows login..." box _unchecked_, but not with it checked.  I would
like to use the checked mode as then the user does not need to
"click here to select a certificate or credentials for
connection to the network".

When the box is not checked, I get to type any value I want for the
user ID and password.  I can then get authenticated and the switch
connects me to the proper VLAN.

When the box is checked, I cannot get authenticated and the switch
puts me on the "guest" VLAN. I should be able to authenticate,
but the ID comes across as something like "MALACHITE\gaa".  The
first part is the netbios hostname and the second is the real ID.

I have setup the hints, users and radiusd.conf files with:
--
hints:
...
DEFAULT NAS-IP-Address == 172.25.16.9, User-Name =~ "^(.*)(.*)"
Hint = "8021XUSER",
Stripped-User-Name = `${2}`
...
users:
...
DEFAULT Hint == "8021XUSER"
Fall-Through = 1
...
radiusd.conf:
...
ldap {
server = "ldap.ulticom.com"
basedn = "dc=ulticom,dc=com"
filter = "(&(objectclass=person)(uid=%{Stripped-User-Name:-%{User-Name}}))"
do_xlat = yes
base_filter = "(objectclass=*)"
start_tls = no
access_attr = "uid"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
...
--

The problem seems to be that the hostname is not always stripped.  If I
compare the output of "radiusd -X" between the two scenarios I see that
the "unchecked" configuration does a lot of ldap lookups like:
--
rad_recv: Access-Request packet from host 172.25.16.9:1025, id=208, length=193
Framed-MTU = 1480
NAS-IP-Address = 172.25.16.9
NAS-Identifier = "hp-50-9"
User-Name = "gaa"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-85-40-71-ff"
Calling-Station-Id = "00-14-22-dc-9b-16"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x0201000801676161
Message-Authenticator = 0x29393306cb95a1c78586d546cf5eb462
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gaa
radius_xlat:  '(&(objectclass=person)(uid=gaa))'
radius_xlat:  'dc=ulticom,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.ulticom.com:389, authentication 0
rlm_ldap: bind as / to ldap.ulticom.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=gaa))
rlm_ldap: checking if remote access for gaa is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [U & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value ABABABABABABABABABABABABABABABAB & op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value CDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCD & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gaa authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  rlm_eap: EAP packet type response id 1 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 176
users: Matched entry DEFAULT at line 188
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for reques
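
Added example, not part of the original post: a Python model of how the user name in this message turns into the LDAP filter. It applies the hints pattern exactly as it appears on this page and, for comparison, a pattern that splits at a literal backslash (an assumption about the intent), then builds the filter with RFC 4515 escaping. Assumptions: Python's `re` stands in for the server's regex engine, the `:-` fallback is modelled as "use User-Name when the stripped value is empty", and all function names are illustrative.

```python
import re

# Pattern exactly as it appears in the hints entry on this page.
PAGE_PATTERN = r"^(.*)(.*)"
# Assumed intent: NetBIOS prefix, one literal backslash, then the user ID.
BACKSLASH_PATTERN = r"^([^\\]+)\\(.+)$"


def stripped_user_name(user_name, pattern):
    """Model of Stripped-User-Name = `${2}`: the second capture group.

    Returns "" when the pattern does not match or the group is empty.
    """
    match = re.match(pattern, user_name)
    return match.group(2) if match else ""


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))   # e.g. backslash -> \5c
        else:
            out.append(ch)
    return "".join(out)


def build_filter(user_name, pattern):
    """Model of (uid=%{Stripped-User-Name:-%{User-Name}}) from the ldap section."""
    uid = stripped_user_name(user_name, pattern) or user_name
    return "(&(objectclass=person)(uid=%s))" % ldap_escape(uid)


if __name__ == "__main__":
    for name in ("gaa", "MALACHITE\\gaa"):
        for label, pattern in (("page", PAGE_PATTERN),
                               ("backslash", BACKSLASH_PATTERN)):
            print("%-15s %-9s %s" % (name, label, build_filter(name, pattern)))
```

With the pattern as shown, the first group is greedy and the second is always empty, so the filter is built from the full User-Name; a prefixed name then produces a `uid` value that no directory entry carries.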

TLS Authentication before Domain Logon XP

2006-01-04 Thread Armin Krämer








Hi, I searched the whole archive about this problem but cannot find a
real answer to my problem.

I want Windows XP to authenticate to Freeradius before the user logs on
to the domain; otherwise he would have no network connection to reach the
PDC and the logon fails.

It should be possible with the XP client and no other additional software.

I tried out the registry patch AuthMode with a value of 2, which causes
Windows to authenticate with the machine certificate only. Then I
generated a client certificate with openssl with the special OID
1.3.6.1.4.1.311.17.2 which was posted in the mailing list some time ago.
But with this certificate authentication fails.

Is there anybody who successfully managed that problem and can describe
to me how he solved this problem step by step? I think the problem is the
machine certificate.

 

Greetings Armin







Re: Roaming with WPA-Enterprise/Radius

2006-01-04 Thread David Mitton

802.11f is different than most IEEE 802 standards, in that it's a "Recommended 
Practice" not a standard. 
I'm not aware of any implementations, but I'd like to hear of them.

Anyways, the IEEE 802 SA has withdrawn 802.11F as an RP as of 12/08/2005.

Dave.

- Original Message -
From: "Artur Hecker" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], "FreeRadius users mailing list" 

Subject: Re: Roaming with WPA-Enterprise/Radius
Date: Wed, 4 Jan 2006 14:16:08 +0100

> 
> hmmm, seriously though:
> 
> - does anyone know of any APs on the market which support 802.11f?
> - has anyone ever seen a reasonable non-proprietary definition of the  
> container content for the context transfer?
> - has anyone ever thought of implementing the support for 802.11f  into 
> freeradius? (i know alan hates its double-nested attributes :-) )
> - what about the preauthentication definitions in 802.11i?
> 
> 
> ciao
> artur
> 
> 
> On 4 Jan 2006, at 14:07, Zoltan Ori wrote:
> 
> > On Wednesday 04 January 2006 07:07, DI PAOLA ., VIERI wrote:
> >>
> >> Is there a way of "caching" or "pre-authenticating" or "propagating
> >> authentication between APs"?
> >>
> >> Has anyone found a solution to this roaming problem in case one uses
> >> WPA-Enterprise/Radius?
> >>
> >
> > IAPP - IEEE 802.11F
> >
> >
> > Zoltan Ori
> >


RE: wireless - freeradius - MS ldap

2006-01-04 Thread Dickson, John
Here is the output of my RADIUS server. I verified the account on the
LDAP server as a domain admin

rad_recv: Access-Request packet from host 10.1.1.27:32773, id=254,
length=59
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
User-Name = "radtest"
User-Password = "Passw0rd"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "radtest", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for radtest
radius_xlat:  '(uid=radtest)'
radius_xlat:  'ou=Local Users,dc=name,dc=serverdm,dc=domain,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to name.serverdm.domain.edu:389, authentication 0
rlm_ldap: bind as powerful/userspass to name.serverdm.domain.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap
section of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 0
modcall: group authorize returns fail for request 0
There was no response configured: rejecting request 0
Server rejecting request 0.
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 10.1.1.27:32773, id=254,
length=59
Sending Access-Reject of id 254 to 10.1.1.27:32773
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 254 with timestamp 43bbea42
Nothing to do.  Sleeping until we see a request. 




huntgroups

2006-01-04 Thread joao reis - cyberweb
Hi,

I have a dial-up authentication and a ADSL authentication in my
freeradius.

the configuration is something like that:

/etc/raddb/clients.conf

# for the dial-up authentication:

client xxx.xxx.xx.x {
secret  = secret
shortname   = server0.example.com
nastype = other
}

client xxx.xxx.xx.x {
secret  = secret
shortname   = server1.example.com
nastype = other
}

# for the adsl authentication:


client yyy.yyy.yy.y {
secret  = secret
shortname   = server00.example.com
nastype = other
}

client yyy.yyy.yy.y {
secret  = secret
shortname   = server01.example.com
nastype = other
}

client yyy.yyy.yy.y {
secret  = secret
shortname   = server02.example.com
nastype = other
}

client yyy.yyy.yy.y {
secret  = secret
shortname   = server03.example.com
nastype = other
}


I also have 2 groups, the dialup group and the adsl group. I would like
to make adsl user to connect in both services and dial-up groups to
connect only in dialup.

I've tried some things in /etc/raddb/huntgroups:

dialup NAS-IP-Address == xxx.xxx.xx.x
   Group = dialup
adsl   NAS-IP-Address == xxx.xxx.xx.x
   Group = adsl
adsl   NAS-IP-Address == yyy.yyy.yy.y
   Group = adsl


but it seems not to work. Any idea?

TIA, 

Joao Reis.





RE: wireless - freeradius - MS ldap

2006-01-04 Thread Alhagie Puye
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dickson, John
> >Sent: January 4, 2006 9:27 AM
> >To: FreeRadius users mailing list
> >Subject: RE: wireless - freeradius - MS ldap
> >
> >Here is the output of my RADIUS server. I verfied the 
> >account on the LDAP server as a domain admin
> >
> >rad_recv: Access-Request packet from host 10.1.1.27:32773, id=254,
> >length=59
> >--- Walking the entire request list ---
> >Waking up in 31 seconds...
> >Threads: total/active/spare threads = 5/0/5 Thread 1 got 
> >semaphore Thread 1 handling request 0, (1 handled so far)
> >User-Name = "radtest"
> >User-Password = "Passw0rd"
> >NAS-IP-Address = 255.255.255.255
> >NAS-Port = 0
> >  Processing the authorize section of radiusd.conf
> >modcall: entering group authorize for request 0
> >  modcall[authorize]: module "preprocess" returns ok for request 0
> >  modcall[authorize]: module "chap" returns noop for request 0
> >  modcall[authorize]: module "mschap" returns noop for request 0
> >rlm_realm: No '@' in User-Name = "radtest", looking up realm NULL
> >rlm_realm: No such realm "NULL"
> >  modcall[authorize]: module "suffix" returns noop for request 0
> >  rlm_eap: No EAP-Message, not doing EAP
> >  modcall[authorize]: module "eap" returns noop for request 0
> >users: Matched entry DEFAULT at line 152
> >  modcall[authorize]: module "files" returns ok for request 0
> >rlm_ldap: - authorize
> >rlm_ldap: performing user authorization for radtest
> >radius_xlat:  '(uid=radtest)'
> >radius_xlat:  'ou=Local Users,dc=name,dc=serverdm,dc=domain,dc=edu'
> >rlm_ldap: ldap_get_conn: Checking Id: 0
> >rlm_ldap: ldap_get_conn: Got Id: 0
> >rlm_ldap: attempting LDAP reconnection
> >rlm_ldap: (re)connect to name.serverdm.domain.edu:389, 
Can you resolve name.serverdm.domain.edu successfully? Please verify
that too.

> >authentication 0
> >rlm_ldap: bind as powerful/userspass to name.serverdm.domain.edu:389
> >rlm_ldap: waiting for bind result ...
> >rlm_ldap: LDAP login failed: check identity, password 

Verify first that you can in fact query Active Directory with this
username/password combination.

There is a utility called ldapsearch. I believe it comes with OpenLDAP.
Use that to directly query AD for verification.

Here is an example:

ldapsearch -LLL -h name.serverdm.domain.edu -x -b 'dc=domain,dc=com' '(samaccountname=powerful)' -D powerful -w userspass

What does your "ldap" section in radiusd.conf look like? Can you please
provide copy?


This will make sure that the credentials are correct or not.
> >settings in ldap section of radiusd.conf
> >rlm_ldap: (re)connection attempt failed
> >rlm_ldap: search failed
> >rlm_ldap: ldap_release_conn: Release Id: 0
> >  modcall[authorize]: module "ldap" returns fail for request 0
> >modcall: group authorize returns fail for request 0 There 
> >was no response configured: rejecting request 0 Server 
> >rejecting request 0.
> >Finished request 0
> >Going to the next request
> >Thread 1 waiting to be assigned a request
> >rad_recv: Access-Request packet from host 10.1.1.27:32773, id=254,
> >length=59
> >Sending Access-Reject of id 254 to 10.1.1.27:32773
> >--- Walking the entire request list ---
> >Waking up in 3 seconds...
> >--- Walking the entire request list ---
> >Cleaning up request 0 ID 254 with timestamp 43bbea42 Nothing 
> >to do.  Sleeping until we see a request. 
> >
> >
> >-
> >List info/subscribe/unsubscribe? See 
> >http://www.freeradius.org/list/users.html
> >




Re: huntgroups

2006-01-04 Thread Richard Marriner II
Is your FreeRADIUS using an SQL backend?  If so you will need to change 
the Group == "adsl" to SQL-Group == "adsl" in the huntgroup file.



joao reis - cyberweb wrote:

> Hi,
>
> I have a dial-up authentication and a ADSL authentication in my
> freeradius.
>
> the configuration is something like that:
>
> /etc/raddb/clients.conf
>
> # for the dial-up authentication:
>
> client xxx.xxx.xx.x {
>    secret  = secret
>    shortname   = server0.example.com
>    nastype = other
> }
>
> client xxx.xxx.xx.x {
>    secret  = secret
>    shortname   = server1.example.com
>    nastype = other
> }
>
> # for the adsl authentication:
>
> client yyy.yyy.yy.y {
>    secret  = secret
>    shortname   = server00.example.com
>    nastype = other
> }
>
> client yyy.yyy.yy.y {
>    secret  = secret
>    shortname   = server01.example.com
>    nastype = other
> }
>
> client yyy.yyy.yy.y {
>    secret  = secret
>    shortname   = server02.example.com
>    nastype = other
> }
>
> client yyy.yyy.yy.y {
>    secret  = secret
>    shortname   = server03.example.com
>    nastype = other
> }
>
> I also have 2 groups, the dialup group and the adsl group. I would like
> to make adsl user to connect in both services and dial-up groups to
> connect only in dialup.
>
> I've tryed somethings in /etc/raddb/huntgroups:
>
> dialup NAS-IP-Address == xxx.xxx.xx.x
>   Group = dialup
> adsl   NAS-IP-Address == xxx.xxx.xx.x
>   Group = adsl
> adsl   NAS-IP-Address == yyy.yyy.yy.y
>   Group = adsl
>
> but it seems not to work. Any ideia?
>
> TIA,
>
> Joao Reis.
 




--
Richard Marriner II     Maingear.Net
Sr. Network Consultant  I.T. Consulting
[EMAIL PROTECTED]       www.maingear.net



Dialupadmin and FreeRADIUS communication issues

2006-01-04 Thread radius




Hello,

I've installed Ubuntu Linux 5.10 on a machine.  I compiled the latest
version of OpenSSL and FreeRADIUS and installed Apache on the machine via
the XAMPP package (which has PHP5, MySQL).  Everything seemed to be going
good but whenever I configured Dialupadmin to begin inputting users into
FreeRADIUS, Dialupadmin complains about not being able to find the table
'radius.userinfo'.  I've tried installing the schema found in the
FreeRADIUS package and tried the one in the Dialupadmin package and
neither seem to work.  Is this a Dialupadmin error or FreeRADIUS error?

I've tried looking on the net concerning this error but have not seen
anything regarding it.  I'm not very proficient in MySQL but I've been
using phpmyadmin to view the radius table.  If anyone has any solutions
to this problem, it would be greatly appreciated.

I'm looking to setup a Free WISP in my area and this would have me ready
to go.  Should I use a different setup?  Should I try and use source for
everything?  I had bad luck installing the needed software from the
packages provided by the Ubuntu repositories.

RE: wireless - freeradius - MS ldap

2006-01-04 Thread Dickson, John
 Here is my ldap section:

ldap {
    server = "10.1.1.29"
    identity = dmadmin1
    password = [EMAIL PROTECTED]
    basedn = "dc=ssotest,dc=mccsso,dc=mccneb,dc=edu"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    # base_filter = "(objectclass=radiusprofile)"

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    # The StartTLS operation is supposed to be used with normal
    # ldap connections instead of using ldaps (port 689) connections
    start_tls = no

    # tls_cacertfile= /path/to/cacert.pem
    # tls_cacertdir = /path/to/ca/dir/
    # tls_certfile  = /path/to/radius.crt
    # tls_keyfile   = /path/to/radius.key
    # tls_randfile  = /path/to/rnd
    # tls_require_cert  = "demand"

    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    access_attr = "dialupAccess"

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    ldap_connections_number = 5

    #
    # NOTICE: The password_header directive is NOT case insensitive
    #
    # password_header = "{clear}"
    #
    # Set:
    #   password_attribute = nspmPassword
    #
    # to get the user's password from a Novell eDirectory
    # backend. This will work *only if* freeRADIUS is
    # configured to build with --with-edir option.
    #
    #
    #  The server can usually figure this out on its own, and pull
    #  the correct User-Password or NT-Password from the database.
    #
    #  Note that NT-Passwords MUST be stored as a 32-digit hex
    #  string, and MUST start off with "0x", such as:
    #
    #   0x000102030405060708090a0b0c0d0e0f
    #
    #  Without the leading "0x", NT-Passwords will not work.
    #  This goes for NT-Passwords stored in SQL, too.
    #
    # password_attribute = userPassword
    #
    # Un-comment the following to disable Novell eDirectory account
    # policy check and intruder detection. This will work *only if*
    # FreeRADIUS is configured to build with --with-edir option.
    #
    # edir_account_policy_check=no
    #
    # groupname_attribute = cn
    # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    # groupmembership_attribute = radiusGroupName
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # do_xlat = yes
    # access_attr_used_for_allow = yes
}


> Verify first that you can in fact query Active Directory with this
> username/password combination.
>
> There is a utility called ldapsearch. I believe it comes with OpenLDAP.
> Use that to directly query AD for verification.
>
> Here is an example:
>
> ldapsearch -LLL -h name.serverdm.domain.edu -x -b 'dc=domain,dc=com' '(samaccountname=powerful)' -D powerful -w userspass

This seems to work:

[EMAIL PROTECTED] ~]$ ldapsearch -LLL -h name.serverdm.domain.edu -x -b
'ou=Users,dc=name,dc=serverdm,dc=domain,dc=edu'  -D
[EMAIL PROTECTED] -w Passw0rd
No such object (32)
Matched DN: DC=serverdm,DC=domain,DC=edu
Additional information: 208D: NameErr: DSID-031001CD, problem 2001
(NO_OBJECT), data 0, best match of:
'DC=serverdm,DC=domain,DC=edu'


> What does your "ldap" section in radiusd.conf look like? Can you please
> provide copy?
>
> This will make sure that the credentials are correct or not.




Re: huntgroups

2006-01-04 Thread joao reis - cyberweb
Hi,

It "kinda" works.

NAS-IP-Address == xxx.xxx.xx.x -> where xxx.xxx.xx.x is a client ip,
right?

people in dialup group still can log in the adsl service, did I miss
something?


my groups are:

dialup Auth-Type := Accept
adsl   Auth-Type := Local

the new rules in huntgroups are:

dialup   NAS-IP-Address == xxx.xxx.xx.x
 SQL-Group == dialup,
 SQL-Group == adsl
dialup   NAS-IP-Address == xxx.xxx.xx.y
 SQL-Group == dialup,
 SQL-Group == adsl

adsl NAS-IP-Address == yyy.yyy.yy.y
 SQL-Group == adsl
adsl NAS-IP-Address == yyy.yyy.yy.x
 SQL-Group == adsl
adsl NAS-IP-Address == xyx.yyy.yy.y
 SQL-Group == adsl
adsl NAS-IP-Address == xyx.yyy.yy.x
 SQL-Group == adsl
adsl NAS-IP-Address == xxx.yyy.yy.y
 SQL-Group == adsl
adsl NAS-IP-Address == xxx.yyy.yy.x
 SQL-Group == adsl

TIA,

Joao Reis.



On Wed, 2006-01-04 at 10:10 -0800, Richard Marriner II wrote:
> Is your FreeRADIUS using an SQL backend?  If so you will need to change 
> the Group == "adsl" to SQL-Group == "adsl" in the huntgroup file.
> 
> 
> joao reis - cyberweb wrote:
> 
> >Hi,
> >
> >I have a dial-up authentication and a ADSL authentication in my
> >freeradius.
> >
> >the configuration is something like that:
> >
> >/etc/raddb/clients.conf
> >
> ># for the dial-up authentication:
> >
> >client xxx.xxx.xx.x {
> >secret  = secret
> >shortname   = server0.example.com
> >nastype = other
> >}
> >
> >client xxx.xxx.xx.x {
> >secret  = secret
> >shortname   = server1.example.com
> >nastype = other
> >}
> >
> ># for the adsl authentication:
> >
> >
> >client yyy.yyy.yy.y {
> >secret  = secret
> >shortname   = server00.example.com
> >nastype = other
> >}
> >
> >client yyy.yyy.yy.y {
> >secret  = secret
> >shortname   = server01.example.com
> >nastype = other
> >}
> >
> >client yyy.yyy.yy.y {
> >secret  = secret
> >shortname   = server02.example.com
> >nastype = other
> >}
> >
> >client yyy.yyy.yy.y {
> >secret  = secret
> >shortname   = server03.example.com
> >nastype = other
> >}
> >
> >
> >I also have 2 groups, the dialup group and the adsl group. I would like
> >to make adsl user to connect in both services and dial-up groups to
> >connect only in dialup.
> >
> >I've tryed somethings in /etc/raddb/huntgroups:
> >
> >dialup NAS-IP-Address == xxx.xxx.xx.x
> >   Group = dialup
> >adsl   NAS-IP-Address == xxx.xxx.xx.x
> >   Group = adsl
> >adsl   NAS-IP-Address == yyy.yyy.yy.y
> >   Group = adsl
> >
> >
> >but it seems not to work. Any ideia?
> >
> >TIA, 
> >
> >Joao Reis.
> >
> >
> >
> >  
> >
> 
> 



Re: Dialupadmin and FreeRADIUS communication issues

2006-01-04 Thread Marco Huggenberger
Hi

2006/1/4, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> version of OpenSSL and FreeRADIUS and installed Apache on the machine via

What Apache Version? AFAIK DialAdmin works only with Apache 1.3.x and
not with 2.0.x but don't maybe I'm wrong.

Cheers

Marco



RE: wireless - freeradius - MS ldap

2006-01-04 Thread Alhagie Puye
  

> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dickson, John
> >Sent: January 4, 2006 11:32 AM
> >To: FreeRadius users mailing list
> >Subject: RE: wireless - freeradius - MS ldap
> >
> > Here is my ldap section:
> >
> >ldap {
> > server = "10.1.1.29"
> > identity = dmadmin1
> > password = [EMAIL PROTECTED]
> > basedn = "dc=ssotest,dc=mccsso,dc=mccneb,dc=edu"
> > filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> > # base_filter = "(objectclass=radiusprofile)"
> >
> > # set this to 'yes' to use TLS encrypted connections
> > # to the LDAP database by using the StartTLS extended
> > # operation.
> > # The StartTLS operation is supposed to be used with normal
> > # ldap connections instead of using ldaps (port 689) connections
> > start_tls = no
> >
> > # tls_cacertfile= /path/to/cacert.pem
> > # tls_cacertdir = /path/to/ca/dir/
> > # tls_certfile  = /path/to/radius.crt
> > # tls_keyfile   = /path/to/radius.key
> > # tls_randfile  = /path/to/rnd
> > # tls_require_cert  = "demand"
> >
> > # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> > # profile_attribute = "radiusProfileDn"
> > access_attr = "dialupAccess"
> >
> > # Mapping of RADIUS dictionary attributes to LDAP
> > # directory attributes.
> > dictionary_mapping = ${raddbdir}/ldap.attrmap
> >
> > ldap_connections_number = 5
> >
> > #
> > # NOTICE: The password_header directive is NOT case insensitive
> > #
> > # password_header = "{clear}"
> > #
> > # Set:
> > #   password_attribute = nspmPassword
> > #
> > # to get the user's password from a Novell eDirectory
> > # backend. This will work *only if* freeRADIUS is
> > # configured to build with --with-edir option.
> > #
> > #
> > #  The server can usually figure this out on its own, and pull
> > #  the correct User-Password or NT-Password from the database.
> > #
> > #  Note that NT-Passwords MUST be stored as a 32-digit hex
> > #  string, and MUST start off with "0x", such as:
> > #
> > #   0x000102030405060708090a0b0c0d0e0f
> > #
> > #  Without the leading "0x", NT-Passwords will not work.
> > #  This goes for NT-Passwords stored in SQL, too.
> > #
> > # password_attribute = userPassword
> > #
> > # Un-comment the following to disable Novell eDirectory account
> > # policy check and intruder detection. This will work *only if*
> > # FreeRADIUS is configured to build with --with-edir option.
> > #
> > # edir_account_policy_check=no
> > #
> > # groupname_attribute = cn
> > # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> > # groupmembership_attribute = radiusGroupName
> > timeout = 4
> > timelimit = 3
> > net_timeout = 1
> > # compare_check_items = yes
> > # do_xlat = yes
> > # access_attr_used_for_allow = yes
> > }
> >
> >
> >Verify first that you can in fact query Active Directory with this
> >username/password combination.
> >
> >There is a utility called ldapsearch. I believe it comes 
> >with OpenLDAP.
> >Use that to directly query AD for verification.
> >
> >Here is an example:
> >
> >ldapsearch -LLL -h name.serverdm.domain.edu -x -b
> >'dc=domain,dc=com' '(samaccountname=powerful)' -D powerful  
> >-w userspass
> >
> >This seems to work:
> >
> >[EMAIL PROTECTED] ~]$ ldapsearch -LLL -h name.serverdm.domain.edu -x -b
> >'ou=Users,dc=name,dc=serverdm,dc=domain,dc=edu'  -D
> >[EMAIL PROTECTED] -w Passw0rd
> >No such object (32)
> >Matched DN: DC=serverdm,DC=domain,DC=edu
> >Additional information: 208D: NameErr: DSID-031001CD, 
> >problem 2001
> >(NO_OBJECT), data 0, best match of:
> >'DC=serverdm,DC=domain,DC=edu'

Nope. That didn't work.

Please read up on ldapsearch "man ldapsearch". Until you CAN verify
that the username/password is correct, it won't do you any good messing
with FreeRADIUS.
> >
> >
> >What does your "ldap" section in radiusd.conf look like? Can 
> >you please
> >provide copy?
> >
> >
> >This will make sure that the credentials are correct or not.
> >
> >

Re: Dialupadmin and FreeRADIUS communication issues

2006-01-04 Thread Rich Marriner
Dialup_admin requires additional tables in the mysql database that 
FreeRADIUS alone does not require.  This is stated in the HOWTO under 
./dialup_admin/doc


HOWTO EXCERPT

At dialup_admin/sql there are four files containing the SQL command to create
the required tables. This is done as follows:

shell> mysql -h mysql.host.com -u username -p radius < badusers.sql
shell> mysql -h mysql.host.com -u username -p radius < mtotacct.sql
shell> mysql -h mysql.host.com -u username -p radius < totacct.sql
shell> mysql -h mysql.host.com -u username -p radius < userinfo.sql

END HOWTO EXCERPT

The error you are receiving is stating that it cannot find the 
"userinfo" table in the database "radius".  By changing directories to 
./dialup_admin/sql and running the four lines above you should be able 
to cure this problem and get it working.


Good Luck!
Richard


[EMAIL PROTECTED] wrote:

Hello,

I've installed Ubuntu Linux 5.10 on a machine.  I compiled the latest 
version of OpenSSL and FreeRADIUS and installed Apache on the machine 
via the XAMPP package (which has PHP5, MySQL).  Everything seemed to be 
going good but whenever I configured Dialupadmin to begin inputting 
users into FreeRADIUS, Dialupadmin complains about not being able to 
find the table 'radius.userinfo'.  I've tried installing the schema 
found in the FreeRADIUS package and tried the one in the Dialupadmin 
package and neither seem to work.  Is this a Dialupadmin error or 
FreeRADIUS error?  I've tried looking on the net concerning this error 
but have not seen anything regarding it.  I'm not very proficient in 
MySQL but I've been using phpmyadmin to view the radius table. 

If anyone has any solutions to this problem, it would be greatly 
appreciated.  I'm looking to setup a Free WISP in my area and this would 
have me ready to go.  Should I use a different setup?  Should I try and 
use source for everything?  I had bad luck installing the needed 
software from the packages provided by the Ubuntu repositories. 








--
Richard Marriner II     Maingear.Net
Sr. Network Consultant  I.T. Consulting
[EMAIL PROTECTED]       www.maingear.net


Re: wireless - freeradius - MS ldap

2006-01-04 Thread Alan DeKok
"Dickson, John" <[EMAIL PROTECTED]> wrote:
>  Here is my ldap section:
> 
> ldap {
>   server = "10.1.1.29"
>   identity = dmadmin1
>   password = [EMAIL PROTECTED]
 ...

> This seems to work:
> 
> [EMAIL PROTECTED] ~]$ ldapsearch -LLL -h name.serverdm.domain.edu -x -b
> 'ou=Users,dc=name,dc=serverdm,dc=domain,dc=edu'  -D
> [EMAIL PROTECTED] -w Passw0rd

  Hmm... did you use the same user/password information as the ldap
config to do the ldapsearch?

  Nope.

  Are you surprised that the results are different from what
FreeRADIUS sees?  If so, why?

  Alan DeKok.
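
The reply above turns on testing with the same bind identity that FreeRADIUS is configured with. As an added example (not from the thread or the FreeRADIUS project), this script reads `server`, `identity`, `basedn` and `filter` from the `ldap{}` section and prints the matching ldapsearch command; the sample config values, the function names, and the use of `-H`/`-W` in place of the thread's `-h`/`-w` are assumptions.

```shell
#!/bin/sh
# Constructed sample ldap{} section; every value is a placeholder, not from the thread.
SAMPLE_CONF='modules {
    ldap {
        server = "ldap.example.org"
        # identity = "cn=old-bind,dc=example,dc=org"
        identity = "cn=radius-bind,ou=Service,dc=example,dc=org"
        password = "placeholder"
        basedn = "dc=example,dc=org"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }
}'

# ldap_setting KEY: read a radiusd.conf on stdin, print the value of KEY from ldap{}.
ldap_setting() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                       # ignore commented-out settings
        /^[ \t]*ldap[ \t]*\{/ { inside = 1; next }
        inside && /^[ \t]*\}/ { inside = 0 }
        inside {
            line = $0; sub(/^[ \t]*/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*=/) next           # a longer key that merely starts with KEY
            sub(/^[ \t]*=[ \t]*/, "", rest); sub(/[ \t]*$/, "", rest)
            gsub(/^"|"$/, "", rest)
            print rest; exit
        }'
}

# bind_test_command USER: read radiusd.conf on stdin and print the ldapsearch that
# binds as the configured identity and applies the configured filter to USER.
bind_test_command() {
    case $1 in ''|*[!A-Za-z0-9._-]*) echo "refusing user name: $1" >&2; return 1 ;; esac
    conf=$(cat)
    server=$(printf '%s\n' "$conf" | ldap_setting server)
    identity=$(printf '%s\n' "$conf" | ldap_setting identity)
    basedn=$(printf '%s\n' "$conf" | ldap_setting basedn)
    filter=$(printf '%s\n' "$conf" | ldap_setting filter)
    if [ -z "$server" ] || [ -z "$identity" ] || [ -z "$basedn" ] || [ -z "$filter" ]; then
        echo "ldap{} section lacks server, identity, basedn or filter" >&2; return 1
    fi
    # Only the stock user-name expansion is substituted; other %{...} are left alone.
    filter=$(awk -v f="$filter" -v u="$1" 'BEGIN {
        pat = "%{Stripped-User-Name:-%{User-Name}}"; i = index(f, pat)
        if (i) f = substr(f, 1, i - 1) u substr(f, i + length(pat))
        print f }')
    # -W prompts for the bind password, keeping it out of argv and shell history.
    printf "ldapsearch -LLL -x -H 'ldap://%s' -D '%s' -W -b '%s' '%s'\n" \
        "$server" "$identity" "$basedn" "$filter"
}

printf '%s\n' "$SAMPLE_CONF" | bind_test_command alice
```

If the printed command fails to bind or returns no entry, the same identity, base DN or filter will fail inside FreeRADIUS too.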



Re: huntgroups

2006-01-04 Thread Rich Marriner
Hmm.. this looks like it should work.  I am comparing it with my 
configuration and it looks similar.  I am checking for a 
Called-Station-ID instead of NAS-IP-Address, but it should have similar 
functionality.  Try running radiusd -X  and posting the results after 
you try to login as a dialup user.  This might sound pretty common sense 
but you do have users with the proper group in the "usergroup" table 
right?


>
> dialup Auth-Type := Accept
> adsl   Auth-Type := Local
>
Try changing dialup to := Local ???

Here is my configuration that IS working properly for us;
huntgroups;
---
dialbb  Called-Station-ID =~ ".*0804"
SQL-Group == DBB

radcheck table;
---
id  UserName   Attribute  op  Value
1   testuser   Password   ==  passwd123
2   nodbbuser  Password   ==  passwd321

usergroup table;

id  UserName   GroupName
1   testuser   DBB
2   nodbbuser  DIAL

Maybe if somebody else sees something I am missing they can point it 
out.  I am not an expert so it is likely "I am" missing something.


Good Luck!



my groups are:

dialup Auth-Type := Accept
adsl   Auth-Type := Local

the new rules in huntgroups are:

dialup   NAS-IP-Address == xxx.xxx.xx.x
 SQL-Group == dialup,
 SQL-Group == adsl
dialup   NAS-IP-Address == xxx.xxx.xx.y
 SQL-Group == dialup,
 SQL-Group == adsl

adsl NAS-IP-Address == yyy.yyy.yy.y
 SQL-Group == adsl
adsl NAS-IP-Address == yyy.yyy.yy.x
 SQL-Group == adsl
adsl NAS-IP-Address == xyx.yyy.yy.y
 SQL-Group == adsl
adsl NAS-IP-Address == xyx.yyy.yy.x
 SQL-Group == adsl
adsl NAS-IP-Address == xxx.yyy.yy.y
 SQL-Group == adsl
adsl NAS-IP-Address == xxx.yyy.yy.x
 SQL-Group == adsl

TIA,

Joao Reis.



On Wed, 2006-01-04 at 10:10 -0800, Richard Marriner II wrote:

Is your FreeRADIUS using an SQL backend?  If so you will need to change 
the Group == "adsl" to SQL-Group == "adsl" in the huntgroup file.




RE: wireless - freeradius - MS ldap

2006-01-04 Thread Dickson, John
Sorry, it was a failed attempt at not sending the REAL data. I have
verified that the ldapsearch credentials are the credentials used in the
radiusd.conf. The user has been verified.

I did have to add the details after the @ sign (using ldap search).
Applying the same details in the radiusd.conf file and I still do not
pass auth to the Windowz ldap. My thoughts are that it has something to
do with "realm" section.

John

Using the credentials under the ldap settings for the radiusd.conf and
cli with ldapsearch, ldapsearch produces results 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Alan DeKok
Sent: Wednesday, January 04, 2006 3:36 PM
To: FreeRadius users mailing list
Subject: Re: wireless - freeradius - MS ldap 

"Dickson, John" <[EMAIL PROTECTED]> wrote:
>  Here is my ldap section:
> 
> ldap {
>   server = "10.1.1.29"
>   identity = dmadmin1
>   password = [EMAIL PROTECTED]
 ...

> This seems to work:
> 
> [EMAIL PROTECTED] ~]$ ldapsearch -LLL -h name.serverdm.domain.edu -x -b 
> 'ou=Users,dc=name,dc=serverdm,dc=domain,dc=edu'  -D 
> [EMAIL PROTECTED] -w Passw0rd

  Hmm... did you use the same user/password information as the ldap
config to do the ldapsearch?

  Nope.

  Are you surprised that the results are different from what FreeRADIUS
sees?  If so, why?

  Alan DeKok.



RE: wireless - freeradius - MS ldap

2006-01-04 Thread Alhagie Puye
Can you send the results of your successful login using ldapsearch?

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817  

> >-Original Message-
> >From: 
> >[EMAIL PROTECTED]
> >org 
> >[mailto:[EMAIL PROTECTED]
> >eradius.org] On Behalf Of Dickson, John
> >Sent: January 4, 2006 2:20 PM
> >To: FreeRadius users mailing list
> >Subject: RE: wireless - freeradius - MS ldap 
> >
> >Sorry, it was a failed attempt at not sending the REAL data. 
> >I have verified that the ldapsearch credentials are the 
> >credentials used in the radiusd.conf. The user has been verified.
> >
> >I did have to add the details after the @ sign (using ldap search).
> >Applying the same details in the radiusd.conf file and I 
> >still do not pass auth to the Windowz ldap. My thoughts are 
> >that it has something to do with "realm" section.
> >
> >John
> >
> >Using the credentials under the ldap settings for the 
> >radiusd.conf and cli with ldapsearch, ldapsearch produces results 
> >
> >-Original Message-
> >From: 
> >[EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED]
> >reeradius.o
> >rg] On Behalf Of Alan DeKok
> >Sent: Wednesday, January 04, 2006 3:36 PM
> >To: FreeRadius users mailing list
> >Subject: Re: wireless - freeradius - MS ldap 
> >
> >"Dickson, John" <[EMAIL PROTECTED]> wrote:
> >>  Here is my ldap section:
> >> 
> >> ldap {
> >>server = "10.1.1.29"
> >>identity = dmadmin1
> >>password = [EMAIL PROTECTED]
> > ...
> >
> >> This seems to work:
> >> 
> >> [EMAIL PROTECTED] ~]$ ldapsearch -LLL -h 
> >name.serverdm.domain.edu -x -b 
> >> 'ou=Users,dc=name,dc=serverdm,dc=domain,dc=edu'  -D 
> >> [EMAIL PROTECTED] -w Passw0rd
> >
> >  Hmm... did you use the same user/password information as 
> >the ldap config to do the ldapsearch?
> >
> >  Nope.
> >
> >  Are you surprised that the results are different from what 
> >FreeRADIUS sees?  If so, why?
> >
> >  Alan DeKok.
> >


Failed to link to module 'rlm_exec': /usr/local/lib/rlm_exec.a: invalid ELF header

2006-01-04 Thread Mathieu Clément

Good morning,

Look at this:

---
# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
radiusd.conf[1383] Failed to link to module 'rlm_exec': 
/usr/local/lib/rlm_exec.a: invalid ELF header



Running mandrake with mysql.

Second question: How to add users in the mysql table ?
I see "UserName, value, etc." but where to put the password, and which 
format (md5 ? sha1 ? cleared-text ?)


Thank you in advance,
Have a good day.

Mathieu

