CHAP, LDAP and MS AD

2006-08-28 Thread duckeo

I just wanted to confirm what I have researched and found to be 'not feasible'.

Using CHAP authentication with Microsoft Active Directory is not
possible without modifying the Active Directory to store a plain-text
version of the password.

MS-CHAP is an option but must be supported on the client end, using ntlm_auth.

I ask as I am trying to pursue the path of getting the end client to
use PAP, but wanted to get my facts straight first.

Thanks
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Local groups in FreeRadius ?

2006-08-28 Thread Ami Schieber
Alan,

I'm using the man rlm_passwd examples and the examples within
radiusd.conf and still I can't manage to make User-Group membership
work.

Here's my config:

in radiusd.conf :

passwd MyGroup {
    filename = /etc/MyGroup
    format = "~Group-Name:::*,User-Name"
    hashsize = 50
    ignorenislike = yes
    allowmultiplekeys = yes
    delimiter = ":"
}

 # Similar configuration, for the /etc/group file. Adds a Group-Name
 # attribute for every group that the user is member of.
 #
 #passwd etc_group {
 #    filename = /etc/group
 #    format = "=Group-Name:::*,User-Name"
 #    hashsize = 50
 #    ignorenislike = yes
 #    allowmultiplekeys = yes
 #    delimiter = ":"
 #}

My /etc/MyGroup file :

FIGrp:::*,Ami
FIGrp:::*,John

My users file :

Ami     Auth-Type := Local, Pool-Name := FITest, User-Password == ami123
        Reply-Message = "Hello, %u",
        Service-Type = Framed-User,
        Framed-Protocol = PPP

FIGrp   Auth-Type := Local
        Reply-Message = "Hello from Group, %u"

My dictionary file:

#ATTRIBUTE   My-Local-String    3000   string
#ATTRIBUTE   My-Local-IPAddr    3001   ipaddr
#ATTRIBUTE   My-Local-Integer   3002   integer
ATTRIBUTE    My-Group           3003   string

When I start radiusd -X :

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded 

freeRADIUS doc

2006-08-28 Thread Carlo Prestopino
Hi all,
I'm trying to access the FreeRADIUS doc section
(http://www.freeradius.org/radiusd/doc/), but I got a Forbidden access
message. Is this section accessible to normal users?

Best regards,
Carlo



A few clarifications on EAP-TTLS

2006-08-28 Thread luigi natalino

Hello,

I'm using freeradius 1.1.2 with eap-ttls.
I have read that I can use EAP-TTLS in a transparent way for the client, that 
is without using client-side certificates and without installing other 
software, since EAP-TTLS supports legacy authentication systems (I'm 
using a walled garden and I can't install anything on the clients).


So I've configured eap.conf (I've just uncommented these few lines in the default 
configuration)


tls {
private_key_password = whatever
private_key_file = /etc/mycerts/cert-srv.pem
certificate_file = /etc/mycerts/cert-srv.pem
CA_file = /etc/mycerts/root.pem
dh_file = /etc/mycerts/dh
random_file = /etc/mycerts/random
fragment_size = 1024
include_length = yes
}

ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
}

And this is the output of radiusd -X

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = localhost
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = cn=Manager,dc=valug,dc=it
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password = mypass
ldap: basedn = ou=homewifi,dc=valug,dc=it
ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = userPassword
ldap: access_attr = userPassword
ldap: groupname_attribute = cn
ldap: groupmembership_filter = 
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

ldap: groupmembership_attribute = radiusGroupName
ldap: dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file 
/usr/local/etc/raddb/ldap.attrmap

rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP userPassword 

Re: CHAP, LDAP and MS AD

2006-08-28 Thread Stefan Winter
Hi,

 MS-CHAP is an option but must be supported on the client end, using
 ntlm_auth.

ntlm_auth needs to run on the server that also runs FreeRADIUS, because 
FreeRADIUS passes the credentials to ntlm_auth, which will then do the job 
(i.e. talk to AD and verify the credentials).
The client does not have to know anything about ntlm_auth. It just needs to 
talk MS-CHAP.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
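To make concrete why CHAP needs the cleartext password on the RADIUS server (and why MS-CHAP can instead be handed to ntlm_auth), here is an added Python illustration; it is not code from the thread or from FreeRADIUS, the identifier, challenge and password are constructed values, and the `usable_for_chap` header check is a heuristic in the style of rlm_pap's `{scheme}` password headers.

```python
import hashlib
import hmac

# Constructed sample values for this illustration (not from the thread):
# a CHAP Identifier, a 16-byte CHAP-Challenge and the user's cleartext password.
CHAP_ID = 0x2A
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
CLEARTEXT = "ami123"


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge).
    The secret enters the hash as raw bytes, so nothing derived from it
    (crypt(), SSHA, an NT hash) can be substituted on the verifying side."""
    return hashlib.md5(bytes([chap_id]) + password.encode("utf-8") + challenge).digest()


def chap_password_attr(chap_id: int, password: str, challenge: bytes) -> bytes:
    """What the NAS puts in the RADIUS CHAP-Password attribute (RFC 2865 5.3):
    one byte of CHAP Ident followed by the 16-byte response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def verify_chap(attr: bytes, challenge: bytes, stored_password: str) -> bool:
    """Server side: recompute the response from the cleartext password on
    file and compare in constant time. This is the step that needs the
    cleartext, which is exactly what Active Directory does not hand out."""
    if len(attr) != 17:
        return False
    expected = chap_response(attr[0], stored_password, challenge)
    return hmac.compare_digest(expected, attr[1:])


def usable_for_chap(stored: str) -> bool:
    """Heuristic pre-flight check on a stored password value: only a cleartext
    value can serve CHAP. Recognises rlm_pap-style {scheme} headers ({clear}
    versus {crypt}, {md5}, {sha}, {ssha}, ...) and the common crypt(3)
    prefixes; anything else is assumed to be cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme = stored[1:stored.index("}")].lower()
        return scheme == "clear"
    return not stored.startswith(("$1$", "$2", "$5$", "$6$"))
```

MS-CHAP avoids the problem because its response is keyed on the NT hash rather than the cleartext, which is why FreeRADIUS can pass the exchange to ntlm_auth and let the domain controller do that computation.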




Re: rlm_perl and accounting

2006-08-28 Thread Boian Jordanov
On Wednesday 23 August 2006 20:25, Alan DeKok wrote:
 Peter Nixon [EMAIL PROTECTED] wrote:
  That would seem like th logical way to do it, and would certainly make
  the perl code clearer..

   Ok.  Unless Boian Jordanov has concerns, I'll commit a patch in a
 few days.

Please i have no concerns :-)


-- 
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002


Re: A few clarifications on EAP-TTLS

2006-08-28 Thread Phil Mayers

luigi natalino wrote:

Hello,

I'm using freeradius 1.1.2 with eap-ttls.
I have read that I can use EAP-TTLS in a transparent way for the client, 
that is without using client-side certificates and without installing 
other software, since EAP-TTLS supports legacy authentication systems 
(I'm using a walled garden and I can't install anything on the clients).


Windows XP does not support EAP-TTLS. You would have to install extra 
software e.g. SecureW2


MacOS X does I believe.

Sorry


Re: Local groups in FreeRadius ?

2006-08-28 Thread Phil Mayers

Ami Schieber wrote:

 passwd MyGroup {
filename = /etc/MyGroup
format = ~Group-Name:::*,User-Name
hashsize = 50
ignoreislike = yes
allowmultiplekeys = yes

My /etc/MyGroup file :

FIGrp:::*,Ami
FIGrp:::*,John


No. The "," prefixing the key in the format means that more than one 
value exists in that field, separated by commas, like the /etc/group 
file. The man page is quite specific. Your file would need to read:


FIGrp:::Ami,John

The man rlm_passwd docs are pretty specific about that example:

Parse  a file similar to the /etc/group file.

If you're generating the file yourself, you can use a simpler format:

passwd mygroup {
    filename = /etc/mygroup
    format = "~Group-Name:*User-Name"
    hashsize = 50
    allowmultiplekeys = yes
}

...and

group:user1
group:user2
othergroup:user3
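As an added illustration of how the rlm_passwd format string maps onto the file (not code from the thread or from the module itself), this Python simulation parses the `~`, `=`, `*` and `,` prefixes and resolves a user to the check or reply items the module would add; the group files are constructed, and the rule that columns without `~` or `=` are not emitted is this simulation's own.

```python
# Constructed sample files for this demonstration (not from the list archive).
GROUP_FILE_ETC_STYLE = """\
# group:password:gid:members  (same column layout as /etc/group)
FIGrp:::Ami,John
Ops:x:100:Ami
"""
GROUP_FILE_SIMPLE = """\
group:user1
group:user2
othergroup:user3
"""

PREFIXES = "~=*,"


def parse_format(fmt, delimiter=":"):
    """Split an rlm_passwd 'format' string into (attribute, flags) per column.
    Flags: '*' key column, ',' comma-separated multi-valued column,
    '~' emit as check item, '=' emit as reply item. An empty name means the
    column exists in the file but is ignored (the ::: in the /etc/group case)."""
    fields = []
    for raw in fmt.split(delimiter):
        flags, name = set(), raw
        while name and name[0] in PREFIXES:
            flags.add(name[0])
            name = name[1:]
        fields.append((name, frozenset(flags)))
    if not any("*" in flags for _, flags in fields):
        raise ValueError("format has no key column (*)")
    return fields


def lookup(file_text, fmt, key_value, delimiter=":", allowmultiplekeys=True):
    """Return (check_items, reply_items) for the row(s) whose key column holds
    key_value, as the module would add them for a request whose key attribute
    (User-Name here) equals key_value. Columns with neither ~ nor = are not
    emitted in this simulation."""
    fields = parse_format(fmt, delimiter)
    check, reply = [], []
    for line in file_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split(delimiter)
        if len(cols) != len(fields):
            continue  # the row must have exactly the columns the format names
        hit = False
        for (_, flags), col in zip(fields, cols):
            if "*" in flags:
                values = col.split(",") if "," in flags else [col]
                hit = hit or key_value in values
        if not hit:
            continue
        for (name, flags), col in zip(fields, cols):
            if not name or "*" in flags:
                continue
            for value in (col.split(",") if "," in flags else [col]):
                if "=" in flags:
                    reply.append((name, value))
                elif "~" in flags:
                    check.append((name, value))
        if not allowmultiplekeys:
            break  # first matching row wins
    return check, reply
```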


Re: A few clarifications on EAP-TTLS

2006-08-28 Thread luigi natalino
Windows XP does not support EAP-TTLS. You would have to install extra 
software e.g. SecureW2


MacOS X does I believe.

Sorry


And does Linux support it?



Re: Local groups in FreeRadius ?

2006-08-28 Thread Ami Schieber
Phil,

Thanks for your help.
Can you also explain what format the users file should use?

Currently, I've tried :

Ami     User-Password == ami123
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

FIGrp   Auth-Type := Local, MyGroup-Name := FIGrp
        Reply-Message = "Hello from Group FIGrp, %u"

DEFAULT Pool-Name := main_pool, Auth-Type := Local
        Fall-Through = Yes


and my dictionary file has :

ATTRIBUTE    MyGroup-Name    3003    string

while my /etc/FIGroup file has the following :

FIGrp:Ami

and my radiusd.conf has :

passwd MyGroup {
    filename = /usr/local/etc/raddb/FIGroup
    format = "~MyGroup-Name:*User-Name"
    hashsize = 50
    ignorenislike = yes
    allowmultiplekeys = yes
    delimiter = ":"
}

I'm still unable to see a match to the Group entry when I run radiusd -X but only to the user and to DEFAULT entries :

users: Matched entry Ami at line 1
users: Matched entry DEFAULT at line 20


Thanks again,

Ami


Re: EAP PEAP, unable to load certificate

2006-08-28 Thread Alan DeKok
Nick Larsen [EMAIL PROTECTED] wrote:
 Now I'm trying to authenticate users via wireless PDA's, but I now get
 auth: No User-Password or CHAP-Password attribute in the request in
 Access-Request, I guess it's the Linksys WAG54g now, so I better start
 trawling through the net again.

  No.

  Run the server in debugging mode, and post the output here.

  That message happens ONLY if you forcibly set Auth-Type = Local
when it doesn't make sense to do so.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: rlm_sqlippool

2006-08-28 Thread Elie Hani
Hi;

I was reading this email, and I've followed the steps.
I have created the postgresql database, but what should I do to make the
radius get the authentication from the postgresql database? And where should
I add the configuration if I want to declare the username and the password
in the database, and what changes should I do in the radiusd.conf and the
users file?

Thanks  

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Peter Nixon
Sent: Sunday, August 27, 2006 5:05 PM
To: Chris Knipe; FreeRadius users mailing list
Subject: Re: rlm_sqlippool

On Sat 26 Aug 2006 23:09, Chris Knipe wrote:
 Hi,

 I know this is new, and not yet documented, but I saw some good posts about
 it being stable, so I'm looking at implementing it at the moment... But
 alas, I'm confused and the lack of documentation is not helping.

 doc/rlm_sqlippool states:
 The only required fields are, pool_name and ip_address. A pool consists
 of one or more rows in the table with the same pool_name and a different
 ip_address. There is no restriction on which ip addresses/ranges may be in
 the same pool, and addresses do not need to be concurrent.

 Yet, raddb/sqlippool.conf, makes absolutely NO sense to me at the moment at
 all, and there is WAY more than merely a pool name and an IP address
 referenced in the queries...  I understand that there are some unique
 elements required in the table to indicate that an IP is allocated, and to
 know where the IP is allocated (and obviously to release that IP once the
 session terminates).

it is really not that complex :-) As the docs state, put one or more records in
the table with a pool_name and ip_address and then use the pool_name the same
way you do with the standard ippool module. That's it.

 Can someone perhaps please just take a moment to explain what exactly is
 going on in those queries??  I'm not referring to the SQL as such, but
 rather as to what is updated, and why.  A table structure accompanying
 those queries in sqlippool.conf may help significantly as well, as I'm
 guessing at the moment what needs to go where :(

The table structure is in the same file as all the rest of the database schema
at doc/examples/postgresql.sql

For reference it is:

CREATE TABLE radippool (
    id               BIGSERIAL PRIMARY KEY,
    pool_name        text NOT NULL,
    FramedIPAddress  INET,
    NASIPAddress     text NOT NULL,
    CalledStationId  VARCHAR(64),
    CallingStationId text DEFAULT ''::text NOT NULL,
    expiry_time      TIMESTAMP(0) without time zone NOT NULL,
    username         text DEFAULT ''::text,
    pool_key         VARCHAR(30) NOT NULL
);

I have only tested this with Postgresql, although I will probably be testing
on Oracle at some point. If you want to test it on some other database you 
are welcome. Please report the results :-)

Regards

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
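To show what "updated, and why" looks like over the radippool table above, here is an added SQLite simulation of one allocate / release cycle; it is not the module's queries from sqlippool.conf, the three-step allocate sequence (clear a stale lease for the same NAS and pool_key, find the longest-expired free row, mark it leased until an expiry time) is my reading of how such a pool has to work, and the Postgres-only column types are mapped onto SQLite.

```python
import sqlite3
from datetime import datetime, timedelta

# Same columns as the radippool table above; BIGSERIAL/INET mapped onto SQLite types.
SCHEMA = """
CREATE TABLE radippool (
    id               INTEGER PRIMARY KEY AUTOINCREMENT,
    pool_name        TEXT NOT NULL,
    FramedIPAddress  TEXT,
    NASIPAddress     TEXT NOT NULL,
    CalledStationId  VARCHAR(64),
    CallingStationId TEXT DEFAULT '' NOT NULL,
    expiry_time      TIMESTAMP NOT NULL,
    username         TEXT DEFAULT '',
    pool_key         VARCHAR(30) NOT NULL
);
"""
FREE = "1970-01-01 00:00:00"   # an expiry in the past marks a row as unleased


def ts(t: datetime) -> str:
    """One fixed text format so SQLite's string comparison orders timestamps."""
    return t.strftime("%Y-%m-%d %H:%M:%S")


def open_pool() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def seed_pool(conn, pool_name, addresses):
    """One row per address: the only two things a pool needs are pool_name and an IP."""
    conn.executemany(
        "INSERT INTO radippool (pool_name, FramedIPAddress, NASIPAddress, expiry_time, pool_key)"
        " VALUES (?, ?, '', ?, '')",
        [(pool_name, ip, FREE) for ip in addresses],
    )
    conn.commit()


def allocate(conn, pool_name, nas_ip, pool_key, username, now, lease_seconds=3600):
    """Authorization-time allocation, three statements in one transaction:
    clear any lease this NAS still holds under the same pool_key (re-auth after
    a lost Accounting-Stop), find the longest-expired free row, then mark it
    leased until now + lease_seconds. Returns the address, or None if exhausted."""
    cur = conn.cursor()
    cur.execute("BEGIN IMMEDIATE")  # serialise allocators so two NASes never share one IP
    cur.execute(
        "UPDATE radippool SET expiry_time = ?, pool_key = '', username = ''"
        " WHERE NASIPAddress = ? AND pool_key = ?",
        (FREE, nas_ip, pool_key),
    )
    cur.execute(
        "SELECT id, FramedIPAddress FROM radippool"
        " WHERE pool_name = ? AND expiry_time < ? ORDER BY expiry_time, id LIMIT 1",
        (pool_name, ts(now)),
    )
    row = cur.fetchone()
    if row is None:
        conn.rollback()
        return None
    cur.execute(
        "UPDATE radippool SET NASIPAddress = ?, pool_key = ?, username = ?, expiry_time = ?"
        " WHERE id = ?",
        (nas_ip, pool_key, username, ts(now + timedelta(seconds=lease_seconds)), row[0]),
    )
    conn.commit()
    return row[1]


def release(conn, nas_ip, pool_key, now) -> int:
    """Accounting-Stop: expire the lease so the next allocate() can reuse the row."""
    cur = conn.execute(
        "UPDATE radippool SET expiry_time = ?, pool_key = ''"
        " WHERE NASIPAddress = ? AND pool_key = ?",
        (ts(now), nas_ip, pool_key),
    )
    conn.commit()
    return cur.rowcount


def leased(conn, pool_name, now):
    """Addresses currently held (expiry still in the future), for a quick audit."""
    rows = conn.execute(
        "SELECT FramedIPAddress FROM radippool WHERE pool_name = ? AND expiry_time >= ?"
        " ORDER BY FramedIPAddress",
        (pool_name, ts(now)),
    ).fetchall()
    return [r[0] for r in rows]
```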



Re: Local groups in FreeRadius ?

2006-08-28 Thread Alan DeKok
Ami Schieber [EMAIL PROTECTED] wrote:
 I'm still unable to see a match to the Group entry when I run radiusd -X but
 only to the user and to DEFAULT entries :
 
 users: Matched entry Ami at line 1
 users: Matched entry DEFAULT at line 20

  You're not trying to match the group name.  See man users

 FIGrp   Auth-Type := Local, MyGroup-Name := FIGrp
         Reply-Message = Hello from Group FIGrp, %u

  ':=' is not a comparison operator.  Read the man page.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


how to send to a switch Port Priority ?

2006-08-28 Thread George Comanescu
hello, I have the following users file and I would like to send to the switch 
on authentication PortPriority 
...
a   Auth-Type := Local, User-Password == a
        Service-Type = Administrative-User,
        Reply-Message = "Salut user:A!"

b   Auth-Type := EAP, User-Password == b
        Service-Type = Administrative-User,
        Reply-Message = "Hi :B!",
        Port-Priority = Platinum,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 256,
        Vendor-Specific = 562

...


-- 
Cu respect,
George Comanescu


RE: Report Generator

2006-08-28 Thread Andre van der Walt
Hi Sean,

Please may I get a copy of this.

Thanks,

Andre van der Walt 

 -----Original Message-----
 From: [EMAIL PROTECTED] On Behalf Of Sean
 Sent: 23 August 2006 09:58 PM
 To: freeradius-users@lists.freeradius.org
 Subject: Report Generator
 
 Hi,
 
 I've written a report generator in PHP and HTML that will allow your
 clients to generate usage reports from the FreeRadius log files. When
 the user logs in he/she is asked for their IP address and the 
 Month that
 they want to display. If anyone wants a copy let me know. If there is
 enough interest I'll make it available for public download.
 
 Regards,
 
 Sean Bracken
 
 http://swarmhotspots.com


Re: rlm_sqlippool

2006-08-28 Thread Peter Nixon
Hi Elie

My instructions assume that you already know how to setup rlm_sql. If you do 
not, you first need to read doc/rlm_sql

Alternatively you can read the wiki:
http://wiki.freeradius.org/index.php/Rlm_sql

Regards

Peter

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: how to send to a switch Port Priority ?

2006-08-28 Thread Alan DeKok
George Comanescu [EMAIL PROTECTED] wrote:
 hello, I have the following users file and I would like to send to the switch 
 on authentication PortPriority 
 ...
  Port-Priority = Platinum,

  Does the NAS documentation say you can do this?

  In most situations like this, you just have to tell the NAS the
right information.  And the only place that documentation exists is
the NAS vendor...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Local groups in FreeRadius ?

2006-08-28 Thread Ami Schieber
On 8/28/06, Alan DeKok [EMAIL PROTECTED] wrote:
Ami Schieber [EMAIL PROTECTED] wrote:
 I'm still unable to see a match to the Group entry when I run radiusd -X but
 only to the user and to DEFAULT entries :

 users: Matched entry Ami at line 1
 users: Matched entry DEFAULT at line 20

  You're not trying to match the group name.  See man users

man users doesn't show me anything related to the users file of FreeRADIUS:
NAME
 users - print the user names of users currently logged in to the current host

SYNOPSIS
 users [OPTION]... [ FILE ]

DESCRIPTION

Output who is currently logged in
according to FILE. If FILE is
not specified, use
 /var/run/utmp. /var/log/wtmp as FILE is common.

 --help display this help and exit

 --version
 output version information and exit

AUTHOR
 Written by Joseph Arceneaux and David MacKenzie.

REPORTING BUGS
 Report bugs to bug-coreutils@gnu.org.

COPYRIGHT
 Copyright © 2004 Free Software Foundation, Inc.

This is free software; see the source for copying conditions.
There is NO warranty; not even
 for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

SEE ALSO

The full documentation for users is maintained as a Texinfo
manual. If the info and users programs are properly installed at your site, the command

 info coreutils users

 should give you access to the complete manual.

 FIGrp   Auth-Type := Local, MyGroup-Name := FIGrp
         Reply-Message = Hello from Group FIGrp, %u

  ':=' is not a comparison operator.  Read the man page.

I've changed the ':=' operator to '==' , so my file looks like :

FIGrp   Auth-Type := Local, MyGroup-Name == FIGrp
        Reply-Message = "Hello from Group, %u"

Is my comparison correct ? Am I right to try and match the attribute
name (MyGroup-Name) with the actual group name (FIGrp) ? Should it be
in the users file ?

Thanks,

Ami


Re: A few clarifications on EAP-TTLS

2006-08-28 Thread A . L . M . Buxey
Hi,

 Windows XP does not support EAP-TTLS. You would have to install extra 
 software e.g. SecureW2
 
 MacOS X does I believe.
 
 Sorry
 
 And does Linux support it?

with a supplicant such as Xsupplicant or wpa_supplicant.  MacOSX EAP-TTLS works 
out of the box.

alan


Account lockout enforcement and min length reqs

2006-08-28 Thread Ellis, Scott 1 (N-Comptel Inc.)
Hello everyone,


I am running freeradius v1.0.1 in a Redhat linux environment. Does there exist a mechanism to enforce account lockout after 3 tries and strong passwords? The environment is Cisco routers and switches. If there exists some kind of post-auth script, that would be nice.

Thanks,
Scott





Re: Regarding memory leaks

2006-08-28 Thread Alan DeKok
Ravi S M [EMAIL PROTECTED] wrote:
 I am integrating my rlm_otp module with freeradius code . if I run
 radiusd server with the purify it is giving leaks

  sigh The information you provided doesn't help to determine where
the bugs are located.  There's one mention of a C file, and tons of
other issues that aren't related to any C file.

  Can you convince purify to give useful information, and then post
that here?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Local groups in FreeRadius ?

2006-08-28 Thread Phil Mayers

Ami Schieber wrote:


man users doesn't show me anything related to the users file of 
FreeRADIUS:

NAME
   users - print the user names of users currently logged in to the 
current host


Try "man 5 users". Man page names are only unique within section 
numbers. Alternatively, "man -a users" will show you all the pages 
called "users" from each section in turn.


You want to read and understand man 5 users carefully else you'll get 
nowhere with FreeRadius. Additionally I'd point out since you didn't 
know how to use man properly, you might need to check a basic primer 
on unix else your time with FreeRadius will be EXTREMELY frustrating.


You said you had tried:

Ami     User-Password == ami123
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

FIGrp   Auth-Type := Local, MyGroup-Name := FIGrp
        Reply-Message = "Hello from Group FIGrp, %u"

DEFAULT Pool-Name := main_pool, Auth-Type := Local
        Fall-Through = Yes

...which is virtually all wrong. You want:

Ami     User-Password := ami123
        Fall-Through = yes

DEFAULT MyGroup-Name == FIGrp
        Reply-Message = "Hello from group FIGrp",
        Fall-Through = yes

DEFAULT Pool-Name := main_pool

With the server properly configured, you should not need to set 
Auth-Type and will ALMOST CERTAINLY break things if you do. You don't 
use == to compare passwords, but use := to *set* the server-side copy. 
You don't use := to compare, you use ==, and group names never go on the 
left-hand-side - either usernames or DEFAULT.


Hope that helps



RE: Report Generator

2006-08-28 Thread Sean
 Hi Andre,

You can download the work to date here
http://swarmhotspots.com/phpreports.tar.gz I'm integrating phpMyPrepaid
and Dialup Admin into it at the moment, so there are a lot of redundant
files included in the tar file. You can have a look at how it works at
http://topup.ie/reports username testuser, password testuser. Some
reports ask for a client user name use seanb52, some reports ask for a
NAS ID use palm1 and some reports request the NAS IP use 82.153.112.235

Please give me some feedback. I'd like to know if any of this would be
useful or worth putting onto Sourceforge when it's ready for release.
There is no documentation ready yet but if you need help send me an
email. Don't tie up the FreeRadius list with private correspondence.

Regards,

Sean Bracken

http://swarmhotspots.com
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Suggestions about captive portal

2006-08-28 Thread Giuseppina Venezia

Hi all,
I would like to know which Captive Portal you would advise using and in
particular which one supports FreeRADIUS best.
For the moment I'm using Chillispot.
My problem is always the same:
set the NAS to accept the IP address, assigned by IP pool, from FreeRADIUS.
I have searched the documentation related to my NAS (docs, forum, mailing
list, etc.) but I haven't found anything useful for my problem.
For this reason I would like to use another captive portal (that supports
freeradius) that can solve my problem.
Thanks in advance for any advice or help.

Best regards.
Giusy
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Report Generator

2006-08-28 Thread Edward.Shih
Thank you, Sean.
Have a great day.

Edward

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
g] On Behalf Of Sean
Sent: Monday, August 28, 2006 10:45 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: Report Generator

 Hi Andre,

You can download the work to date here
http://swarmhotspots.com/phpreports.tar.gz I'm integrating phpMyPrepaid
and Dialup Admin into it at the moment, so there are a lot of redundant
files included in the tar file. You can have a look at how it works at
http://topup.ie/reports username testuser, password testuser. Some
reports ask for a client user name use seanb52, some reports ask for a
NAS ID use palm1 and some reports request the NAS IP use 82.153.112.235

Please give me some feedback. I'd like to know if any of this would be
useful or worth putting onto Sourceforge when it's ready for release.
There is no documentation ready yet but if you need help send me an
email. Don't tie up the FreeRadius list with private correspondence.

Regards,

Sean Bracken

http://swarmhotspots.com
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Please help !!!

2006-08-28 Thread Kartthik
When I try to execute the radtest command with AD user logon credentials it rejects the packet and here is the output.
rad_recv: Access-Request packet from host 127.0.0.1:32874, id=81, length=61
User-Name = "test"
User-Password = "test123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [test]: invalid password
modcall[authenticate]: module "unix" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.

Using the wbinfo -u and wbinfo -g commands, I am able to pull the users and groups from AD.

Also I have a Linux NIS server running on the same subnet. This machine is bound to the Linux NIS domain and joined to the Windows 2003 domain. Here is my nsswitch.conf file.

passwd: files winbind nis dns
shadow: files nis dns
group: files winbind nis dns

#hosts: db files nisplus nis dns
hosts: files dns winbind nis

In users.conf it's the default configuration:
DEFAULT Auth-Type = System
        Fall-Through = 1

Also I tried removing it from the Linux NIS domain and running only with the winbind service; it didn't help me.
Here is the log file i found about winbind service.

winbindd[16208]: [2006/08/28 10:57:31, 0] nsswitch/winbindd_util.c:winbindd_param_init(560)
winbindd[16208]: winbindd: idmap uid range missing or invalid
winbindd[16208]: [2006/08/28 10:57:31, 0] nsswitch/winbindd_util.c:winbindd_param_init(561) 
winbindd[16208]: winbindd: cannot continue, exiting.
winbind: winbindd startup succeeded

I have another Linux machine running fine with the same error message.
Could someone throw some light on how to resolve my issue?
Thanks,
Kartthik
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Please help !!!

2006-08-28 Thread Alan DeKok
Kartthik [EMAIL PROTECTED] wrote:
 When i try to execute the radtest command with AD user logon credentials it 
 rejects the packet and here is the output.
...
 rad_check_password: Found Auth-Type System
 auth: type System
 Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
 rlm_unix: [test]: invalid password

  The user isn't in /etc/passwd.

  What, exactly did you do to configure the server to check the user
against the AD login credentials?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP PEAP, unable to load certificate

2006-08-28 Thread Nick Larsen
Hi,

I have forcibly set Auth-Type to Local, so perhaps that's the problem.

Here's my debug output anyway...

rad_recv: Access-Request packet from host 10.10.1.199:1812, id=1, length=73
 User-Name = nick
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x02010009016e69636b
 NAS-IP-Address = 10.10.1.199
 Message-Authenticator = 0xa2632b22341f08798a0fca4aa0f457c9
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 160
 modcall[authorize]: module preprocess returns ok for request 160
 modcall[authorize]: module chap returns noop for request 160
 modcall[authorize]: module mschap returns noop for request 160
 rlm_realm: No '@' in User-Name = nick, looking up realm NULL
 rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 160
 rlm_eap: EAP packet type response id 1 length 9
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 160
radius_xlat: 'nick'
rlm_sql (sql): sql_set_user escaped user -- 'nick'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'nick' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'nick' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'nick' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'nick' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
 modcall[authorize]: module sql returns ok for request 160
modcall: leaving group authorize (returns updated) for request 160
 rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [nick] (from client Finc-Wireless port 0)
Delaying request 160 for 1 seconds
Finished request 160
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 10.10.1.199 port 1812
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 160 ID 1 with timestamp 44f357bf
Nothing to do. Sleeping until we see a request.

Cheers for your help,
Nick Larsen

On 8/29/06, Alan DeKok [EMAIL PROTECTED] wrote:
 Nick Larsen [EMAIL PROTECTED] wrote:
  Now I'm trying to authenticate users via wireless PDA's, but I now get
  auth: No User-Password or CHAP-Password attribute in the request in
  Access-Request, I guess it's the Linksys WAG54g now, so I better start
  trawling through the net again.

 No. Run the server in debugging mode, and post the output here.

 That message happens ONLY if you forcibly set Auth-Type = Local
 when it doesn't make sense to do so.

 Alan DeKok.
 --
 http://deployingradius.com - The web site of the book
 http://deployingradius.com/blog/ - The blog
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Regards,
Nick Larsen
Wellington
NEW ZEALAND
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PAP and authenticating via AD

2006-08-28 Thread Stefan Winter
Hi,

(don't write HTML mails please)
(please use a more descriptive subject line instead of Please help !!!)
(0 or 1 exclamation mark will do, preferably 0)

first off: if you will stay with PAP later (user's password comes in in clear 
text), just treat the AD server like a plain ldap server, i.e. configure and 
activate ldap {} in both authorize and authenticate sections of radiusd.conf. 
No sign of AD specialties here.

This is in fact the recommended way: configure the ldap {} section, activate 
it and be happy. It will work.

If you will change to MS-CHAP later, only then will you need the AD way of 
authenticating users. This is what I describe below.

 users: Matched entry DEFAULT at line 152
 modcall[authorize]: module files returns ok for request 0
 modcall: leaving group authorize (returns ok) for request 0
 rad_check_password: Found Auth-Type System
 auth: type System
 Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
 rlm_unix: [test]: invalid password
 modcall[authenticate]: module unix returns reject for request 0
 modcall: leaving group authenticate (returns reject) for request 0
 auth: Failed to validate the user.

That line 152 in the users file sets the Auth-Type System if no other 
Auth-Type has previously been set. This is quite okay when authenticating 
users locally with PAP logins (i.e. password is on the FreeRADIUS server 
*system*). If you configure ldap {} as said above, Auth-Type will be set to 
LDAP and things will work.

If you want to use MS-CHAP login later, things will magically work out of the 
box (the mschap module is by default active in authorize and will set 
Auth-Type to MS-CHAP by itself *if* the request is indeed an MS-CHAP request 
and later authenticate users via the mschap module (in which you have to 
activate the ntlm_auth line)).

 using wbinfo -u and wbinfo -g command, able to pull the users and groups
 from AD.

This is great, you've already done the bulk of the work then. If you'll stick 
with PAP later, this work was unnecessary (ldap module will do). If you want 
to switch to MS-CHAP: uncomment the ntlm_auth line in the mschap module to 
tell the FreeRADIUS server to actually use this connection.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
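
The Auth-Type selection that both this thread and the EAP PEAP thread above turn on, as an added illustration (not FreeRADIUS code and not from any poster): a toy model of the authorize stage, where chap, mschap and eap claim a request only when their own attribute is present, ldap {} claims a user it finds, and the users file then applies "=" (set only if still unset, the stock "DEFAULT Auth-Type = System") or ":=" (override, a forced "Auth-Type := Local"). The four scenarios reproduce the two rejects quoted in the thread and the two fixes Stefan describes. Module names and those two reject messages follow the quoted debug output; the module order (ldap before files), the other log strings, and the user databases are constructed assumptions.

```python
# Added illustration, not FreeRADIUS code: a toy model of the authorize ->
# authenticate flow shown in the debug logs quoted in this thread.  Module
# names and the two reject messages follow the quoted output; everything
# else (module order, accept/bind messages, the user databases) is a
# constructed assumption.

def authorize(request, users_entry, ldap_users=None):
    """Run the modules the logs show in 'authorize' and return the
    server-side config items that authenticate() dispatches on."""
    config = {}
    # chap / mschap / eap claim the request only when their attribute is present
    if "CHAP-Password" in request:
        config.setdefault("Auth-Type", "CHAP")
    if "MS-CHAP-Response" in request:
        config.setdefault("Auth-Type", "MS-CHAP")
    if "EAP-Message" in request:
        config.setdefault("Auth-Type", "EAP")
    # ldap {} listed in authorize (assumed to run before files): a user found
    # in the directory gets Auth-Type LDAP unless something already claimed it
    if ldap_users is not None and request.get("User-Name") in ldap_users:
        config.setdefault("Auth-Type", "LDAP")
    # files: '=' sets an item only if it is still unset (what the stock
    # 'DEFAULT Auth-Type = System' does); ':=' overrides unconditionally
    # (what a forced 'Auth-Type := Local' does)
    for attr, op, value in users_entry:
        if op == "=":
            config.setdefault(attr, value)
        elif op == ":=":
            config[attr] = value
        else:
            raise ValueError("operator %r not modelled" % op)
    return config


def authenticate(request, config, unix_passwd, ldap_users, ntlm_auth=False):
    """Dispatch on Auth-Type; return (result, log line)."""
    user = request.get("User-Name")
    pw = request.get("User-Password")
    auth_type = config.get("Auth-Type")
    if auth_type == "System":            # rlm_unix: only /etc/passwd users can pass
        if pw is not None and unix_passwd.get(user) == pw:
            return "accept", "rlm_unix: [%s]: ok" % user
        return "reject", "rlm_unix: [%s]: invalid password" % user
    if auth_type == "LDAP":              # rlm_ldap: bind needs the cleartext password (PAP)
        if pw is not None and ldap_users.get(user) == pw:
            return "accept", "rlm_ldap: bind as %s succeeded" % user
        return "reject", "rlm_ldap: bind as %s failed" % user
    if auth_type == "Local":             # compare against the users-file copy
        if pw is None and "CHAP-Password" not in request:
            return "reject", "auth: No User-Password or CHAP-Password attribute in the request"
        if pw is not None and config.get("User-Password") == pw:
            return "accept", "auth: Local password matched"
        return "reject", "auth: Failed to validate the user."
    if auth_type == "EAP":               # rlm_eap keeps the conversation going
        return "challenge", "rlm_eap: EAP conversation continues"
    if auth_type == "MS-CHAP":           # rlm_mschap needs ntlm_auth to verify against AD
        if ntlm_auth:
            return "accept", "rlm_mschap: ntlm_auth accepted the response"
        return "reject", "rlm_mschap: ntlm_auth not configured"
    return "reject", "auth: No Auth-Type found"


def scenario(name):
    """The cases discussed in the thread, on constructed inputs.
    Returns (Auth-Type chosen, result, log line)."""
    unix_passwd = {"root": "x"}                      # 'test' is NOT in /etc/passwd
    ad_users = {"test": "test123"}                   # AD treated as a plain LDAP directory
    pap = {"User-Name": "test", "User-Password": "test123"}
    eap = {"User-Name": "nick", "EAP-Message": bytes.fromhex("02010009016e69636b")}
    stock_default = [("Auth-Type", "=", "System")]   # users file line 152 in the thread
    forced_local = [("Auth-Type", ":=", "Local")]
    cases = {
        "pap-unix-only":    (pap, stock_default, None),
        "pap-with-ldap":    (pap, stock_default, ad_users),
        "eap-forced-local": (eap, forced_local, None),
        "eap-stock":        (eap, stock_default, None),
    }
    request, entry, ldap_users = cases[name]
    config = authorize(request, entry, ldap_users)
    result, log = authenticate(request, config, unix_passwd, ad_users)
    return config["Auth-Type"], result, log


if __name__ == "__main__":
    for case in ("pap-unix-only", "pap-with-ldap", "eap-forced-local", "eap-stock"):
        print("%-17s -> %s" % (case, scenario(case)))
```

The first case is Kartthik's log (PAP, user not in /etc/passwd, Auth-Type System from the DEFAULT entry); the second is the same request once ldap {} runs in authorize. The third is Nick's log (an EAP request with Auth-Type forced to Local, so there is no User-Password to check); the fourth shows what the stock entry does instead: its "=" leaves the Auth-Type the eap module already set.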


LDAP authentication

2006-08-28 Thread Lin Richardson
A general question that I have not seen in the forum.

I want to authenticate against LDAP... BUT I don't want to use the LDAP
password as the password in every case. In a remote connectivity solution
I want to check the remotepassword attribute for authentication.

Problem is (as I see it), that the real LDAP password is not passed in
with the remote connectivity request, so the request seems to be failing.
If I make the request with the LDAP password, it succeeds.

So my question, and I know that there is a caveat about a cleartext
password being required for LDAP authentication, is: Can I make a request
to freeradius that gets passed to LDAP but only requires the password to
be checked against an attribute of the username, NOT the real LDAP
password?

Any insight/experience or pointers to helpful doc sources would be
appreciated.

Regards,
Lin Richardson
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

1.1.3 on Solaris 10 (sparc)

2006-08-28 Thread Lin Richardson
I am quite pleased to report I have, with minimal discomfort, version
1.1.3 running on Solaris 10. The source actually compiles perfectly once
OS dependencies etc. are met. I will share a few tips here for any who
may be attempting the same.

My main goal was LDAP functionality. Other bells and whistles might
require additional steps. Please forgive the Solaris info here, it is
dangerously close to being off-topic... except that you need it to
install freeradius.

---
Solaris System Headers

Solaris 10 will likely require you to fix the system headers.
http://sunfreeware.com/indexsparc10.html

Commands as root:
cd /usr/local/lib/gcc-lib/sparc-sun-solaris2.10/3.3.2/install-tools/
vi mkheaders.conf
 - Then put the line SHELL=/bin/sh on the first line of the mkheaders.conf
file.
 - It should look something like the following:
SHELL=/bin/sh
SYSTEM_HEADER_DIR=/usr/include
OTHER_FIXINCLUDES_DIRS=
FIXPROTO_DEFINES=
STMP_FIXPROTO=stmp-fixproto
STMP_FIXINC=stmp-fixinc

Then you run the following command as root. It may take several minutes
to rebuild the headers.
./mkheaders

---
Solaris Packages

Solaris 10 has versions of openssl and openLDAP installed I believe with
the system. They do not fulfill the compile requirements for freeradius
functionality. You should go to http://sunfreeware.com/ and get the
packages there, and also resolve any unmet dependencies. If you have
other modules you are concerned with that are not building correctly,
don't trust the OS packages. Look for equiv packages and try the build
with them installed as well.

download package
gunzip packagename.gz
sudo pkgadd -d packagename

---
Installing FreeRadius

Installing actually went off without a hitch. ./configure, make, sudo
make install. No problems except I needed the packages so rlm_ldap would
compile properly.

---
RunTime Environment

In order for the ldap queries to work, the following needs to be set as
an environmental variable, OR if you're handy with compiler flags you can
take care of it during the compile with the `-RLIBDIR' linker flag.
(The two directories are separated by a colon; a semicolon would end the
command and try to execute the second path.)

export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/freeradius-1.1.3/lib

The two locations in the above path are for access to the libgcc_s.so.1
libraries and the rlm_ldap libraries respectively.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_perl and accounting

2006-08-28 Thread Pshem Kowalczyk

Hi

I've noticed this comment in the cvs log (for rlm_perl.c):

   Over-write existing vp's with new ones.

   This means that the Perl module works more like the other modules,
   which have absolute power over the VP's, and less like the users
   file, which updates the VP's via operators, etc


So I've compiled the source and gave it a try, but it behaved exactly
as the stable version - it didn't replace or remove any attributes. Is
this supposed to work?
I tested the pre and post proxy methods:

rad_recv: Access-Request packet from host 127.0.0.1 port 32785, id=96, length=62
   User-Password = test
   User-Name = test
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-IP-Address = a.b.c.d
 Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 0
   rlm_realm: No '@' in User-Name = test, looking up realm NULL
   rlm_realm: No such realm NULL
perl_pool: item 0x82013e0 asigned new request. Handled so far: 1
found interpetator at address 0x82013e0
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair NAS-IP-Address = a.b.c.d
rlm_perl: Added pair Proxy-To-Realm = quik
rlm_perl: Added pair Stripped-User-Name = test
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x82013e0
modcall: group authorize returns ok for request 0
 Processing the pre-proxy section of radiusd.conf
modcall:  entering group pre-proxy for request 0
perl_pool: item 0x840f4e0 asigned new request. Handled so far: 1
found interpetator at address 0x840f4e0
rlm_perl: entering pre-proxy
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = testuser
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Realm = quik
rlm_perl: Added pair NAS-IP-Address = a.b.c.d
rlm_perl: Added pair Stripped-User-Name = test
rlm_perl: Added pair Proxy-To-Realm = quik
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair Proxy-State = 0x3936
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Realm = quik
rlm_perl: Added pair NAS-IP-Address = a.b.c.d
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x840f4e0
modcall: group pre-proxy returns updated for request 0
Sending Access-Request of id 197 to x.y.z.103 port 1812
   Framed-Protocol = PPP
   User-Name = test
   User-Password = test
   Proxy-State = 0x3936
   Service-Type = Framed-User
   NAS-IP-Address = a.b.c.d
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Accept packet from host x.y.z.103 port 1812, id=197, length=30
   Framed-IP-Address = 192.168.1.65
   Proxy-State = 0x3936
 Processing the post-proxy section of radiusd.conf
modcall:  entering group post-proxy for request 0
perl_pool: item 0x85f6b88 asigned new request. Handled so far: 1
found interpetator at address 0x85f6b88
rlm_perl: entering post-proxy
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = testuser
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Realm = quik
rlm_perl: Added pair NAS-IP-Address = a.b.c.d
rlm_perl: Added pair Framed-IP-Address = 10.10.1.1
rlm_perl: Added pair Proxy-To-Realm = quik
rlm_perl: Added pair Stripped-User-Name = test
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Proxy-State = 0x3936
rlm_perl: Added pair Realm = quik
rlm_perl: Added pair NAS-IP-Address = a.b.c.d
rlm_perl: Added pair Proxy-State = 0x3936
rlm_perl: Added pair Framed-IP-Address = 192.168.1.65
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x85f6b88
modcall: group post-proxy returns updated for request 0
authorize: Skipping authorize in post-proxy stage
 rad_check_password:  Found Auth-Type
 rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 96 to 127.0.0.1 port 32785
   Framed-IP-Address = 10.10.1.1
   Framed-IP-Address = 192.168.1.65
Finished request 0
Going to the next request
Waking up in 1 seconds...

It looks like the content of the original hashes is still being kept.

perl code:

#add attributes to the request
sub sanitise {

   my ($login,$realm) = split(/\@/, $RAD_REQUEST{'User-Name'});
   $RAD_CHECK{'REALM'} = $realm;
   $RAD_CHECK{'Stripped-User-Name'} = $login;
}

# Function to handle pre_proxy
sub pre_proxy {

   radiusd::radlog(1, "entering pre-proxy");

   $RAD_REQUEST{'User-Name'} = 'testuser';

   return RLM_MODULE_OK;
}

# Function to handle post_proxy
sub post_proxy {

   radiusd::radlog(1, "entering post-proxy");