- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Create and Send attributes
Hello! I want to send several attributes from my RADIUS server to the client, and I've been looking at the documentation. I can do that if my attribute ID is between 1 and 100 (I guess; maybe it is 256), but the documentation also says that a new attribute has to have an ID greater than 3000. So, are the attributes between 100 (256) and 3000 not sent to the RADIUS client? (I guess they could be used for local management.) If not, how can I create an attribute with an ID greater than 3000 and send it to the RADIUS client?

Thanks in advance.
Use of Service type attribute
Hi,

I am developing a RADIUS client for our embedded product. I would like the RADIUS client implementation to support the association of a privilege level with individual accounts, e.g. the account "normal_user" has a privilege that allows read-only access while the account "admin_user" has a privilege that allows read-write access (can change our system configuration). Is it possible to use the "Service-Type" attribute for this purpose, with the "Login" value for normal_user and "Administrative" for admin_user? Please clarify.

Thanks,
Chandra
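Added example, not from either post above and not FreeRADIUS code: the wire encoding behind both questions. RFC 2865 gives the attribute Type field a single octet, so only numbers 1 to 255 can ever be sent; a dictionary number in the 3000 range the first post mentions stays inside the server, and site-specific data goes out as Vendor-Specific (type 26) sub-attributes instead. The same encoder carries Service-Type for the second post (Login-User = 1, Administrative-User = 6 are the RFC 2865 values), and the client-side helper maps a missing or non-administrative Service-Type to read-only, so an embedded client fails to least privilege rather than to admin. The Vendor-Id 9 / "shell:priv-lvl=15" pair is a constructed illustration of a vendor attribute; all sample bytes are constructed.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 section 5.26
SERVICE_TYPE = 6            # RFC 2865 section 5.6
SERVICE_TYPE_VALUES = {"Login-User": 1, "Framed-User": 2,
                       "Administrative-User": 6, "NAS-Prompt-User": 7}


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute. Type is one octet, so only
    1..255 exist on the wire; a dictionary number such as 3000 is internal to
    the server and can never be placed in a packet."""
    if not 1 <= attr_type <= 255:
        raise ValueError(f"attribute number {attr_type} is not sendable: Type is one octet")
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes((attr_type, len(value) + 2)) + value


def encode_integer(attr_type: int, number: int) -> bytes:
    """RADIUS integers are 32-bit big-endian."""
    return encode_attribute(attr_type, struct.pack("!I", number))


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (type 26): 4-octet Vendor-Id followed by a vendor TLV.
    This is how a site sends its own attributes without a number above 255."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor type must fit in one octet")
    if len(value) > 247:  # 253 minus Vendor-Id (4) minus vendor type/length (2)
        raise ValueError("vendor value exceeds 247 octets")
    vendor_tlv = bytes((vendor_type, len(value) + 2)) + value
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + vendor_tlv)


def decode_attributes(blob: bytes) -> list:
    """Parse attributes into (vendor_id, type, value) tuples, vendor_id 0 for
    standard attributes. Every length is checked against the remaining buffer
    before it is trusted, so a truncated or oversized length raises instead of
    reading past the end of the packet."""
    out, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        value = blob[pos + 2:pos + length]
        pos += length
        if attr_type != VENDOR_SPECIFIC:
            out.append((0, attr_type, value))
            continue
        if len(value) < 6:
            raise ValueError("Vendor-Specific too short for Vendor-Id and a vendor TLV")
        vendor_id = struct.unpack("!I", value[:4])[0]
        vpos = 4
        while vpos < len(value):   # one VSA may carry several vendor TLVs
            if len(value) - vpos < 2:
                raise ValueError("truncated vendor TLV header")
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError(f"bad vendor TLV length {vlen}")
            out.append((vendor_id, vtype, value[vpos + 2:vpos + vlen]))
            vpos += vlen
    return out


def build_admin_reply() -> bytes:
    """Constructed reply body: Service-Type = Administrative-User plus a vendor
    attribute (Vendor-Id 9, vendor type 1, a 'shell:priv-lvl=15' string, the
    shape many NAS vendors use to carry a privilege level)."""
    return (encode_integer(SERVICE_TYPE, SERVICE_TYPE_VALUES["Administrative-User"])
            + encode_vsa(9, 1, b"shell:priv-lvl=15"))


def privilege_from_reply(blob: bytes) -> str:
    """What an embedded client can derive from Service-Type. Only an explicit
    Administrative-User grants read-write; a reply that omits the attribute or
    carries any other value gets the least privilege, not the most."""
    for vendor_id, attr_type, value in decode_attributes(blob):
        if vendor_id == 0 and attr_type == SERVICE_TYPE and len(value) == 4:
            if struct.unpack("!I", value)[0] == SERVICE_TYPE_VALUES["Administrative-User"]:
                return "read-write"
    return "read-only"
```

The length checks in decode_attributes are the part worth copying into a real client: a NAS that trusts the Length octet is the classic RADIUS parser bug, and the privilege mapping is only as safe as the parser feeding it.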
Re: Realm question..
On Tuesday 25 April 2006 01:43, TS wrote:
> > What does debugging mode say?
>
> Exactly what you'd expect it to say if the realm isn't in proxy.conf:
>
> rad_recv: Access-Request packet from host 127.0.0.1:33499, id=115, length=68
>         User-Name = "[EMAIL PROTECTED]"
>         User-Password = "acc355"
> ...
>
> The user doesn't exist as the entry in users just has the username as
> "user1" and the request is sending [EMAIL PROTECTED]

The original users example you posted had the username of "[EMAIL PROTECTED]" with a password of "secret". Here you say the users file has just "user1". Which is correct?

> I want radius to first check to see if the request needs to be proxied.

It will do this if you have a realm module listed in the authorize section. The suffix realm module is listed in the default config.

> If not then authenticate it locally no matter what the realm is but before
> authenticating it strip off the realm and just use everything before the @
> sign as the username.

Alan's hint to use LOCAL is still correct. If you know the realms people will be using, you can list them in the proxy.conf file. If you want to catch any realm not already defined and send that to local auth, that is pretty easy to accomplish. Please read doc/proxy for a better understanding of how realms work with proxying, and also how the 2 special realms work. If you're still stumped, post back with your questions.

Kevin Bonner
Re: freeradius & ldap with two trees
> Try this in your radiusd.conf:
>
> basedn = "ou=%{Huntgroup-Name},ou=radius,dc=mtaonline,dc=net"
>
> You will need to either rename your "dial" huntgroup to "people" to
> match your ldap structure or you can change the profile OU to be dial.
> Either way, this setup is working for me.
>
> Ben

this works! thanks Ben

t-
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
Re: freeradius & ldap with two trees
Try this in your radiusd.conf:

basedn = "ou=%{Huntgroup-Name},ou=radius,dc=mtaonline,dc=net"

You will need to either rename your "dial" huntgroup to "people" to match your ldap structure or you can change the profile OU to be dial. Either way, this setup is working for me.

Ben

On Tue, 2006-04-25 at 11:30 -0800, Terry J Fike Jr wrote:
> Okay, i want radius to look at two trees in ldap, one tree for dial-up
> one tree for dsl (so a user with a static ip in dsl gets a dynamic ip in
> dial-up).
>
> my huntgroup is like this:
>
> dial    ip1
> dial    ip2
> dial    ip on local box for testing
>
> dsl     ip3
> dsl     ip4
> dsl     ip on local box for testing
>
> with the ip on local box commented out on the one i'm not testing.
>
> my users file is like so (at least, the two lines i'm testing with):
>
> DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=people,dc=mtaonline,dc=net`
>         Fall-Through = no
>
> DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl8m, User-Profile := "uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=dsl,dc=mtaonline,dc=net`
>         Fall-Through = no
>
> DEFAULT Auth-Type := Reject
>         Reply-Message = "Please call the help desk."
>
> my ldap config in the radiusd.conf is as follows:
>
> ldap {
>         server = "private ip"
>         identity = "cn=Manager,dc=mtaonline,dc=net"
>         password = somepassword
>         basedn = "ou=people,dc=mtaonline,dc=net"
>         #basedn = "dc=mtaonline,dc=net"
>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         base_filter = "(objectclass=radiusprofile)"
>         start_tls = no
>         tls_mode = no
>         # this maps ldap attributetypes to radius attributes
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>         ldap_cache_timeout = 120
>         ldap_cache_size = 0
>         ldap_connections_number = 10
>         #password_header = {clear}
>         password_attribute = userPassword
>         groupname_attribute = radiusGroupName
>         groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
>         groupmembership_attribute = radiusGroupName
>         timeout = 3
>         timelimit = 5
>         net_timeout = 1
>         compare_check_items = no
> }
>
> if i test with a user on the tree listed in basedn, it works. if i try
> to test with a user in a different tree, it fails. if i try a basedn
> one level up (so i can try to go down both trees) both users receive an
> Auth-Reject please call the help desk. in radiusd -X the reason is
> because ldap is finding multiple entries for the user (in two plus trees).
>
> i've gone through the documentation multiple times (and feel like i'm
> missing something). what am i doing wrong? or is there no way to do
> what i'm trying to do?
>
> i suppose it comes down to; is there a way to re-define the basedn in
> either huntgroups, or on a default line in the users file so the search
> comes up with a single user.
>
> thanks for your help
> t-
freeradius & ldap with two trees
Okay, i want radius to look at two trees in ldap, one tree for dial-up one tree for dsl (so a user with a static ip in dsl gets a dynamic ip in dial-up).

my huntgroup is like this:

dial    ip1
dial    ip2
dial    ip on local box for testing

dsl     ip3
dsl     ip4
dsl     ip on local box for testing

with the ip on local box commented out on the one i'm not testing.

my users file is like so (at least, the two lines i'm testing with):

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=people,dc=mtaonline,dc=net`
        Fall-Through = no

DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl8m, User-Profile := "uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=dsl,dc=mtaonline,dc=net`
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the help desk."

my ldap config in the radiusd.conf is as follows:

ldap {
        server = "private ip"
        identity = "cn=Manager,dc=mtaonline,dc=net"
        password = somepassword
        basedn = "ou=people,dc=mtaonline,dc=net"
        #basedn = "dc=mtaonline,dc=net"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        start_tls = no
        tls_mode = no
        # this maps ldap attributetypes to radius attributes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_cache_timeout = 120
        ldap_cache_size = 0
        ldap_connections_number = 10
        #password_header = {clear}
        password_attribute = userPassword
        groupname_attribute = radiusGroupName
        groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
        groupmembership_attribute = radiusGroupName
        timeout = 3
        timelimit = 5
        net_timeout = 1
        compare_check_items = no
}

if i test with a user on the tree listed in basedn, it works. if i try to test with a user in a different tree, it fails. if i try a basedn one level up (so i can try to go down both trees) both users receive an Auth-Reject please call the help desk. in radiusd -X the reason is because ldap is finding multiple entries for the user (in two plus trees).

i've gone through the documentation multiple times (and feel like i'm missing something). what am i doing wrong? or is there no way to do what i'm trying to do?

i suppose it comes down to; is there a way to re-define the basedn in either huntgroups, or on a default line in the users file so the search comes up with a single user.

thanks for your help
t-
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
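Added illustration, not from this thread and not rlm_ldap code: what selecting the search base per huntgroup buys, and what escaping the %{User-Name} that lands in the filter has to do. The directory, the BASE_BY_HUNTGROUP table and the ldap_lookup helper are constructed for this example (it keeps the poster's two subtrees rather than the ou=%{Huntgroup-Name} layout Ben suggests). rlm_ldap escapes the values it expands into the filter itself; this is a model of the check, not a report of a problem. The "multiple entries" reject the poster saw in radiusd -X is the fail-closed branch below.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so (uid=...) matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Hypothetical huntgroup -> search base table for this example: the poster's
# two subtrees, selected by the NAS the request came from.
BASE_BY_HUNTGROUP = {
    "dial": "ou=people,dc=mtaonline,dc=net",
    "dsl": "ou=dsl,dc=mtaonline,dc=net",
}

# Constructed directory: one uid present in both subtrees, one only in dsl.
DIRECTORY = {
    "uid=terry,ou=people,dc=mtaonline,dc=net": {"uid": "terry"},
    "uid=terry,ou=dsl,dc=mtaonline,dc=net": {"uid": "terry"},
    "uid=alice,ou=dsl,dc=mtaonline,dc=net": {"uid": "alice"},
}


def _unescape(token: str) -> str:
    """Turn \\XX sequences back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), token)


def _uid_matcher(filter_value: str):
    """Compile the value part of (uid=<filter_value>): an unescaped '*' is an
    LDAP wildcard, escaped sequences become literal characters."""
    parts = [re.escape(_unescape(p)) for p in filter_value.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def search_uid(base: str, filter_value: str) -> list:
    """Emulate a subtree search for (uid=<filter_value>) below base. DN
    containment is approximated with a suffix check, enough for this layout."""
    rx = _uid_matcher(filter_value)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and rx.match(attrs["uid"])]


def ldap_lookup(huntgroup: str, user_name: str, stripped_user_name=None):
    """Pick the base DN from the huntgroup, escape the name the way
    '(uid=%{Stripped-User-Name:-%{User-Name}})' needs it, and fail closed
    unless exactly one entry matches. Returns the DN or None."""
    base = BASE_BY_HUNTGROUP.get(huntgroup)
    if base is None:
        return None                      # NAS in no known huntgroup: reject
    name = stripped_user_name or user_name
    matches = search_uid(base, escape_filter_value(name))
    if len(matches) != 1:
        return None                      # zero or ambiguous matches: reject
    return matches[0]
```

Searching from dc=mtaonline,dc=net returns both terry entries, which is exactly the ambiguity the server rejected; scoping the base by huntgroup makes the result unique, and escaping keeps a name such as "*" from matching every entry under that base.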
Re: Making WinXP + WPA + Freeradius +LDAP work easily?
"Mark D. Montgomery II" <[EMAIL PROTECTED]> wrote:
> Basically, we want ANYONE to be able to hit connect on the access point
> and get a WPA connection (with minimal tweaking to windows settings to
> make it work and without them having to enter their username and pass).

They still need a username & password for PEAP to work.

> Is there a way to have freeradius take any incoming wireless auth
> request and change the username and password to the wireless user on
> the ldap server?

I don't see why you would do that. Why not just allow anyone? But you can't do that, because PEAP requires the server to know the user's password.

> Is there a way to have it strip the computername\\username that
> windows sends down to just the username?

Yes. See the "realms" module, and "ndomain". Or, write a regex in the "hints" file that re-writes the name.

Alan DeKok.
Re: eap.conf - eap-tls CA_file =
These aren't lists to my knowledge. Each takes a single filename. If you need multiple CA certificates, you can concatenate each of the PEM files into a single file and use that as your CA_file.

--Mike

Sochacki, Kevin wrote:
> Hi All,
>
> In eap.conf under the tls section the comments for 'CA_file =' say it's a list. Can someone tell me what the separator is? I'm assuming it's a space; I have looked around but have not found any reference. Also, are the 'private_key_file' and 'certificate_file' parameters lists too?
>
> Thanks,
> Kevin Sochacki
Making WinXP + WPA + Freeradius +LDAP work easily?
We are trying to set up a hotspot-type system on campus for easy wireless access since we are planning to go all laptops in the near future. Right now, we are trying to get a braindead WPA setup working (couple hundred students + wep key or passkey + 2 IT people = pain).

Basically, we want ANYONE to be able to hit connect on the access point and get a WPA connection (with minimal tweaking to windows settings to make it work and without them having to enter their username and pass). We will be using other methods to then authenticate valid system users so they can actually do stuff.

Is there a way to have freeradius take any incoming wireless auth request and change the username and password to the wireless user on the ldap server? We tried setting up a hints file and such, but it only used the user and pass for the authentication authorization request and not for the actual authentication request.

OR

Is there a way to have it strip the computername\\username that windows sends down to just the username? (This is our less preferred method, as it still requires us to have all users set up their systems with their network username and pass for login.)

Thanks.

Mark II
Re: Allowed and forbidden users in a NAS.
Santiago Balaguer García wrote:
> I have a freeradius 1.1.0 and a DB with all my users. I have two kinds
> of users:
> * users who can connect to all hotspots
> * users who can only connect to one or some hotspots.
> Actually I can use a script in the Exec-Program-Wait property to
> differentiate, but it doesn't seem a very clean method.
> However, I don't know another method for differentiating users. Any idea?

Huntgroups should work:

huntgroup file:
hotspot1    Client-IP-Address ==    SQL-Group == hotspot1
hotspot2    Client-IP-Address ==    SQL-Group == hotspot2

SQL - radcheck:
1  user1  User-Password  :=  password1
2  user2  User-Password  :=  password2

SQL - usergroup:
1  user1  hotspot1
2  user1  hotspot2
3  user2  hotspot2

That should allow user1 access to both and user2 just access to hotspot2. If you have multiple access points in a single hotspot just do this:

hotspot1    Client-IP-Address ==    SQL-Group == hotspot1
hotspot1    Client-IP-Address ==    SQL-Group == hotspot1
hotspot2    Client-IP-Address ==    SQL-Group == hotspot2

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
eap.conf - eap-tls CA_file =
Hi All,

In eap.conf under the tls section the comments for 'CA_file =' say it's a list. Can someone tell me what the separator is? I'm assuming it's a space; I have looked around but have not found any reference. Also, are the 'private_key_file' and 'certificate_file' parameters lists too?

Thanks,
Kevin Sochacki
Re: Realm question..
"TS" <[EMAIL PROTECTED]> wrote:
> The object is not to have to configure any realms as local.

That conflicts directly with your requirement to allow users to log in as "user" or "[EMAIL PROTECTED]".

> If I have a user whose username is [EMAIL PROTECTED] I can easily specify
> arealm.com as local. But if by mistake the user types the username as
> [EMAIL PROTECTED] auth will just fail because the realm isn't specified in
> proxy.conf.

Then you can't use realms. You've got to configure a module to strip out everything after the "@" sign. The "realms" module, and proxy.conf, are meant to deal with known realms. If you want to deal with unknown realms, you have to use something else.

> If not then authenticate it locally no matter what the realm is but before
> authenticating it strip off the realm and just use everything before the @
> sign as the username.

Then configure it to do that, but you can't use realms. You'll have to use another module to re-write the username for the packets that aren't proxied. The simplest thing for you to do might be to create a wildcard realm by modifying rlm_realm.

Alan DeKok.
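Added model, not FreeRADIUS code, of the realm decision Alan and Kevin describe in this thread, plus the DOMAIN\user prefix case from the WinXP thread above. Assumptions, also marked in the code: the special realm names NULL and DEFAULT and "authhost = LOCAL" follow the proxy.conf conventions documented in doc/proxy; a suffix realm is split at the last "@"; Realm, Route and route are names chosen here. The point the model makes visible is the one Alan raises: without a matching entry the request passes through with the realm still attached and fails local auth, while a DEFAULT entry pointing at LOCAL catches typo realms but also catches every realm you forgot to list.

```python
from dataclasses import dataclass
from typing import Dict, Optional

LOCAL = "LOCAL"


@dataclass
class Realm:
    authhost: str          # "LOCAL" or "host:port" of the home server
    strip: bool = True     # False models proxy.conf's "nostrip"


@dataclass
class Route:
    action: str            # "local", "proxy" or "none" (no realm matched: request left alone)
    user_name: str         # the User-Name the next stage sees
    realm: Optional[str] = None
    authhost: Optional[str] = None


def split_realm(user_name: str, delim: str = "@", fmt: str = "suffix"):
    """suffix: user@realm, split at the last delimiter (assumption: a@b@c
    belongs to realm c). prefix: REALM\\user, split at the first delimiter,
    the Windows DOMAIN\\user form an ndomain-style realm instance handles."""
    if fmt == "suffix":
        i = user_name.rfind(delim)
        return (user_name, None) if i < 0 else (user_name[:i], user_name[i + 1:])
    i = user_name.find(delim)
    return (user_name, None) if i < 0 else (user_name[i + 1:], user_name[:i])


def route(user_name: str, realms: Dict[str, Realm],
          delim: str = "@", fmt: str = "suffix") -> Route:
    """A listed realm is proxied, or handled locally when its authhost is LOCAL.
    NULL covers names with no realm, DEFAULT covers realms that are not listed.
    With neither a match nor DEFAULT the name is passed through untouched, so
    user@arealm.cmo reaches local auth with the typo still in the User-Name."""
    name, realm = split_realm(user_name, delim, fmt)
    if realm is None:
        entry = realms.get("NULL")
    else:
        entry = realms.get(realm) or realms.get("DEFAULT")
    if entry is None:
        return Route("none", user_name, realm)
    visible = name if entry.strip else user_name
    if entry.authhost == LOCAL:
        return Route("local", visible, realm, LOCAL)
    return Route("proxy", visible, realm, entry.authhost)
```

The "proxy" branch with strip=False is the nostrip case: the home server receives the full user@realm, which matters when the remote side keys its database on the realm-qualified name.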
Re: Freeradius and mysql
Quick, very short and incomplete answer :)

* check tables: information which has to be checked by FreeRADIUS, like user & password
* reply tables: information which FreeRADIUS sends back to your NAS (e.g. IP pool, data rate etc.)
* acct tables: here the accounting information is stored by FreeRADIUS
* usergroup: assigning users to groups
* nas: for your NAS information (IP, secret, snmp community etc.)

regards,
Olaf
--
Olaf Schaefer <[EMAIL PROTECTED]>
Re: certificate with mschapv2 in peap
[EMAIL PROTECTED] wrote:
> i have added
>
> DEFAULT EAP-TLS-Require-Client-Cert := Yes
>
> in the users file
>
> but the supplicant (windows XP) do not send the certificate ...

That configuration tells the server to reject the client UNLESS it sends the certificate. It doesn't tell the client to send the certificate. You still have to manually create a client cert, add it to the client, and then tell the client to use it.

Alan DeKok.
Re: LNS (Tunnel-Server-Endpoint) round robin
Francois-Xavier GAILLARD <[EMAIL PROTECTED]> wrote:
> Let's say I have 10 LNS, but I can only push 2 at a time using
> Tunnel-Server-Endpoint. Does anyone know of an easy way of dynamically
> assigning the Tunnel-Server-Endpoint ? (just the way ippool does for the
> Framed-IP-address)

Use an external script, or rlm_perl.

Alan DeKok.
Re: Allowed and forbidden users in a NAS.
Santiago Balaguer García <[EMAIL PROTECTED]> wrote:
> I have a freeradius 1.1.0 and a DB with all my users. I have two kinds of
> users:
> * users who can connect to all hotspots
> * users who can only connect to one or some hotspots.
> Actually I can use a script in the Exec-Program-Wait property to differentiate,
> but it doesn't seem a very clean method.
> However, I don't know another method for differentiating users. Any idea?

Put them into groups. See "man rlm_passwd" for an example of creating groups.

Alan DeKok.
Re: freeradius request to DHCP
"Philippe Bacquaert" <[EMAIL PROTECTED]> wrote:
> I'm searching how to make freeradius (when receiving a request
> from a radius client) request itself a dynamic IP address from a
> dhcp server and write it in the attribute Framed-IP-Address.

You write a script around dhclient, which might work. Or, use the ISC libdhcp, and integrate that into a FreeRADIUS module.

Alan DeKok.
Re: Freeradius and mysql
"Mario Casola" <[EMAIL PROTECTED]> wrote:
> Hello, I've installed freeradius and I've configured it to communicate with
> mysql... all works fine, but I don't understand the meaning of the mysql
> database structure and all the possible values I can put in the database... if
> someone could illuminate me.

doc/rlm_sql

Run the server in debugging mode, and send it packets. The text it prints out "foo = bar" is pretty much what you put into SQL. If you need to know what the text is, buy the O'Reilly book.

Alan DeKok.
authentication with: login, pwd, SSID and LDAP
Hi,

My authentication with the FreeRADIUS users file starts and runs perfectly. But now I would like to use LDAP. What is the configuration for it?

Thanks a lot for your help.
Freeradius and mysql
Hello, I've installed freeradius and I've configured it to communicate with mysql... all works fine, but I don't understand the meaning of the mysql database structure and all the possible values I can put in the database... if someone could illuminate me.

Thanks in advance
certificate with mschapv2 in peap
Hi,

I have tested the eap-tls authentication method and it works. I have tested the peap authentication method and it works. But I would like to FORCE the supplicant to send the certificate in the peap authentication. I have added

DEFAULT EAP-TLS-Require-Client-Cert := Yes

in the users file, but the supplicant (windows XP) does not send the certificate ...

Has anyone tried to do it?

alfonso
rlm_attr_rewrite doesn't read the regexp in searchfor
Hi Freeradius friends!

I am programming a proxy RADIUS (FreeRadius v1.88.2.3 on Debian) in order to write a Session-Timeout attribute with a value of 3600 if the attribute doesn't exist yet. I have defined an instance of attr_rewrite called setSessionTimeout3600 with append=no, new_attribute=no, searchfor=NULL, searchin=reply and replacewith="3600". I then call it in the post-proxy stage, but I found that it doesn't do anything. The only thing that works is to set new_attribute to yes, but then I have 2 Session-Timeout attributes; there is no rewriting and no parsing of the regexp.

Help please, thank you all,
Marc
LNS (Tunnel-Server-Endpoint) round robin
Hi list,

I'm using freeradius 1.1.1 (debian Sarge) that has all users stored in a MySQL database. Let's say I have 10 LNS, but I can only push 2 at a time using Tunnel-Server-Endpoint. Does anyone know of an easy way of dynamically assigning the Tunnel-Server-Endpoint? (just the way ippool does for the Framed-IP-Address)

Let me know if I'm not clear enough :)

Regards,
Fox.
Re: Special characters in users file
On 4/25/06, sumi thra <[EMAIL PROTECTED]> wrote:
> On 4/25/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > "sumi thra" <[EMAIL PROTECTED]> wrote:
> > > Please find my users file configuration & error message below ...
> > > /var/etc/raddb/users[2]: Unexpected trailing comma in check item list for
> > > entry DEFAULT
> >
> > Ok...
> >
> > > DEFAULT ldap_primary-Ldap-Group == "group1",Wlan-Index =~ \_rad\_test1\{,Login-Time := "Any-2359"
> >
> > Why are you trying to use bare text as the value of Wlan-Index?
>
> I'm specifying the ssid name instead of wlan-idx.
>
> > Why not a double-quoted string? You got it right for the other attributes...
>
> Yes. I tried with
>
> DEFAULT ldap_primary-Ldap-Group == "group1",Wlan-Index =~ " \_rad\_test1\{",Login-Time := "Any-2359"
>
> Still I'm getting the same error message.
>
> > Alan DeKok.
Allowed and forbidden users in a NAS.
I have a freeradius 1.1.0 and a DB with all my users. I have two kinds of users:

* users who can connect to all hotspots
* users who can only connect to one or some hotspots.

Actually I can use a script in the Exec-Program-Wait property to differentiate, but it doesn't seem a very clean method. However, I don't know another method for differentiating users. Any idea?
RE: Proxy RADIUS problem
My problem with the configuration described below is that my RADIUS proxy doesn't activate fail-over. It means that when the first entry fails, freeradius doesn't try the following entry of domain1. I tested putting the label ldflag = fail_over in the description of a realm entry. What can I do?

Hi people,

I have a LINUX machine with freeradius 1.1.10. I do proxy RADIUS correctly with one remote server, but if I add a redundant one to my proxy.conf file in case the primary RADIUS fails, it doesn't work correctly. I want to do roaming with two remote RADIUS servers for domain1 from my RADIUS. However, I only get roaming with the first one, because when the first fails, my RADIUS doesn't ask the second remote RADIUS server. Could you tell me where the configuration bug is?

I attached my proxy.conf file:

***

proxy server {
        synchronous = no
        retry_delay = 5
        retry_count = 3
        dead_time = 120
        default_fallback = yes
        post_proxy_authorize = yes
}

realm domain1 {
        type = radius
        authhost = 123.123.123.123:11812
        accthost = 123.123.123.123:11813
        secret = secret
        ldflag = fail_over
        nostrip
}

realm domain1 {
        type = radius
        authhost = 123.123.123.124:11812
        accthost = 123.123.123.124:11813
        secret = secret
        ldflag = fail_over
        nostrip
}
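Added model, not FreeRADIUS code, of the behaviour the post expects from two realm entries with the same name: under ldflag = fail_over the first live server is always used and the second only after the first has gone unanswered retry_count times and been marked dead for dead_time seconds; under round_robin requests alternate. HomeServerPool, proxy_once and the answered() callback are constructed for this example; the hosts, retry_count and dead_time are the ones from the posted proxy.conf. When every server is dead select() returns None, which is the point where default_fallback decides whether the request is handled locally.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HomeServer:
    authhost: str
    failures: int = 0          # consecutive unanswered requests
    dead_until: float = 0.0    # time at which the server is eligible again


class HomeServerPool:
    """Two realm entries with the same name form a pool. fail_over always
    picks the first live server; round_robin alternates across live ones."""

    def __init__(self, authhosts: List[str], ldflag: str = "fail_over",
                 retry_count: int = 3, dead_time: float = 120.0):
        if ldflag not in ("fail_over", "round_robin"):
            raise ValueError("ldflag must be fail_over or round_robin")
        self.servers = [HomeServer(h) for h in authhosts]
        self.ldflag, self.retry_count, self.dead_time = ldflag, retry_count, dead_time
        self._next = 0

    def live(self, now: float) -> List[HomeServer]:
        return [s for s in self.servers if s.dead_until <= now]

    def select(self, now: float) -> Optional[HomeServer]:
        live = self.live(now)
        if not live:
            return None                     # all dead: default_fallback territory
        if self.ldflag == "fail_over":
            return live[0]
        server = live[self._next % len(live)]
        self._next += 1
        return server

    def report_timeout(self, server: HomeServer, now: float) -> bool:
        """Record an unanswered request; True when the server was just marked dead."""
        server.failures += 1
        if server.failures < self.retry_count:
            return False
        server.failures = 0
        server.dead_until = now + self.dead_time
        return True

    def report_reply(self, server: HomeServer) -> None:
        """Any reply, Accept or Reject, proves the server is alive."""
        server.failures = 0
        server.dead_until = 0.0


def proxy_once(pool: HomeServerPool, now: float, answered) -> Optional[str]:
    """One proxied request: retry the selected server up to retry_count times;
    if that marks it dead, move to the next live server. answered(authhost) is
    a constructed stand-in for the network round trip. Returns the host that
    answered, or None when nobody did."""
    tried = set()
    while True:
        server = pool.select(now)
        if server is None or server.authhost in tried:
            return None
        tried.add(server.authhost)
        for _ in range(pool.retry_count):
            if answered(server.authhost):
                pool.report_reply(server)
                return server.authhost
            if pool.report_timeout(server, now):
                break                       # dead now; select() will skip it
```

One consequence worth checking in a real deployment: during dead_time the primary is not probed at all, so a flapping primary costs retry_count unanswered requests every dead_time seconds before traffic moves to the secondary again.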