RE: Multiple sql groups or User in Multiple groups
>> DEFAULT Auth-Type := Local, NAS-IP-Address == 10.0.0.1
>>         Exec-Program-Wait = /program for nas1
>
> You don't need to set Auth-Type.

In the SQL database I am not setting it, it's merely the NAS IP.

> And if the per-NAS configuration is fairly static, you can use rlm_passwd to map NAS to Exec-Program-Wait. Users should still go into SQL, as their information will change a fair bit.

Doesn't this mean that we need to list every username in this file, so it can associate a user with a NAS and with an Exec-Program? Then doesn't that mean every user is repeated for each NAS? I don't see the relationship.

>> PS: What happened to the new website?
>
> What do you mean by that?

Ok, maybe it's just my browser. Yesterday I was getting the new website, this morning I was getting the old website, and now I'm seeing the new one again :) Time to clear out the IE cache! Thanks!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: compile problem on tru64
Is no one able to help me with my compiler problem? :-(

On Wednesday, 6 December 2006 09:02, Matthias Henze wrote:
> Hi,
> I try to build freeradius 1.1.3 on tru64. At first everything worked as expected. Near the end of the build process I get the following message, which I'm unable to interpret:
>
>   creating .libs/radiusdS.c
>   (cd .libs && gcc -pthread -c -fno-builtin radiusdS.c)
>   rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
>   gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/exec.o .libs/files.o .libs/log.o .libs/mainconfig.o .libs/modules.o .libs/modcall.o .libs/nas.o .libs/proxy.o .libs/radiusd.o .libs/radius_snmp.o .libs/request_list.o .libs/session.o .libs/smux.o .libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o .libs/timestr.o .libs/xlat.o -lresolv ../lib/.libs/libradius.so /usr/local/lib/libltdl.so
>   __pthread_cancel
>   sem_post
>   pthread_sigmask
>   sem_wait
>   sem_init
>   collect2: ld returned 1 exit status
>   make[4]: *** [radiusd] Error 1
>
> I'm using gcc 3.4.6. Please help.
> TIA

--
Matthias Henze [EMAIL PROTECTED]
Use PGP!! http://www.mhcsoftware.de/MatthiasHenze.asc
MHC SoftWare GmbH, Fichtera 17, 96274 Itzgrund/Germany
voice: +49-(0)9533-92006-0, fax: +49-(0)9533-92006-6, e-mail: [EMAIL PROTECTED]
Logging into MySQL doesn't work, how to enable MAC address control on MySQL
Hello everybody,

I have a problem setting up my freeradius to log all queries into the database. The radacct is still empty. I read some messages from this mailing list and I found that the NAS server is not sending anything about Start time or Stop time. My naslist looks like:

  # NAS Name    Short Name    Type
  # --
  localhost     local         other

and in clients.conf I have

  nastype = other

So maybe I do not know how to set up the NAS on my server, or maybe I do not understand what the NAS means. I am sure that we do not have any Cisco or something like that, so I want to authenticate only on the machine where freeradius is running.

And a second question. Does anybody know how to set up MAC address control from a MySQL database? My idea is that when a user wants to log in he will need his username, password and MAC address to authenticate successfully.

Thank you for any ideas!
AnDY
FreeRadius + Ldap + EAP-TTLS + WPA - Need your help
Hello Everyone,

I am trying to configure our system to authenticate through LDAP. I have a hard time figuring out what causes my system not to work. Please view the log and let me know what I can fix. Thanks very much for your help in advance.

[radiusd startup debug output followed here; it is truncated in the archive]
Freeradius and biometric devices
Hi,

I am trying to set up a biometric authentication using freeradius: first the user gives his/her password and then uses fingerprint information. On positive matches the user is authenticated. Can it be implemented? Is there literature that I need to have a look at?

Thanks in advance
Kenneth
LDAP-RADIUS Attribute Mapping
I have an environment where I am already using LDAP for AAA for a number of things. We have historically used the AuthorizedService attribute in LDAP to control the level of access available to the user. We would like to continue to do so. However, in order for that to work, I need to map AuthorizedService to different RADIUS attributes in the response depending on the authentication client.

Ideally, I'd like to be able to map RADIUS clients into groups and have a mapping of AuthorizedService values for each group. The client groups would, ideally, be defined by matching the client IP address. An example of what I'd like that mapping to look like is below:

  Client Group    AuthorizedService    RADIUS Attribute in Reply
  ============    =================    =========================
  PIX Group 1     Pix1Auth1            cisco-avpair=shell:priv-lvl=1
  PIX Group 1     Pix1Auth7            cisco-avpair=shell:priv-lvl=7
  PIX Group 1     Pix1Auth15           cisco-avpair=shell:priv-lvl=15
  PIX Group 2     Pix2auth1            cisco-avpair=shell:priv-lvl=1
  ...
  Router Grp 1    Rtr1Auth1            cisco-avpair=shell:priv-lvl=1
  ...
  LB Group 1      LBAdmin              Service-Type=Authenticate-Only
  ...
  etc.

Is there any way to do this kind of dynamic mapping in FreeRadius? As near as I can tell, all I can do is statically map the contents of a particular LDAP attribute to a single RADIUS attribute. I'd also like to avoid mapping values of AuthorizedService which don't apply to the particular RADIUS client.

I'm assuming I probably need to use something like rlm_perl to do this, and I have no problem doing that, but I have been unable to decipher the documentation for rlm_perl enough to have any confidence in creating a working solution.

If anyone could provide a configuration example or a pointer to documentation that actually describes the various pieces of solving this problem, I'd be very grateful.

Alan, your flames and RTFM comments are welcome, but, please understand, I've done my best to RTFM before posting this.

Owen
Re: FreeRadius + Ldap + EAP-TTLS + WPA - Need your help
Tho Nguyen wrote:
> I am trying to configure our system to authenticate through LDAP. I have a hard time figuring out what causes my system not to work. Please view the log and let me know what I can fix. Thanks very much for your help in advance.
..
> Sending Access-Challenge of id 24 to 134.29.241.113 port 1645
>         EAP-Message = 0x010600061900
>         Message-Authenticator = 0x
>         State = 0xcd5e9afceeb8c7e9157b88cd7da19719
> Finished request 3
> Going to the next request
> Waking up in 6 seconds...

See the FAQ, it mentions PEAP. And see the comments in eap.conf.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Freeradius and biometric devices
Kenneth Penza wrote:
> I am trying to set up a biometric authentication using freeradius: first the user gives his/her password and then uses fingerprint information. On positive matches the user is authenticated. Can it be implemented? Is there literature that I need to have a look at?

Almost anything can be implemented. The question is how does the fingerprint information get to the RADIUS server? And what does the RADIUS server do with it?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Logging into MySQL doesn't work, how to enable MAC address control on MySQL
Andrej Simko wrote:
> I have a problem setting up my freeradius to log all queries into the database. The radacct is still empty. I read some messages from this mailing list and I found that the NAS server is not sending anything about Start time or Stop time. My naslist looks like:

The contents of the naslist don't matter. See the NAS documentation for how it handles accounting.

> So maybe I do not know how to set up the NAS on my server, or maybe I do not understand what the NAS means. I am sure that we do not have any Cisco or something like that, so I want to authenticate only on the machine where freeradius is running.

So... which client are you using? pam_radius? pppd?

> And a second question. Does anybody know how to set up MAC address control from a MySQL database? My idea is that when a user wants to log in he will need his username, password and MAC address to authenticate successfully.

Run the server in debugging mode to see what the NAS sends, for a start.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: PEAP+MSCHAP+AD (please help)
[EMAIL PROTECTED] wrote:
> Hi there, this is an old issue, but AFAIAC it hasn't been solved yet, that's why I'm asking for help with this problem which is driving me crazy.
> In the first attempt the user has checked the option "Automatically use my Windows logon name and password (and domain if any)", the user account is valid in the domain and is not locked out, however user authentication fails.
> In the next attempt the user has unchecked this option, so every time he connects to the network he has to type his credentials in. After clicking Connect he gets access.
> Why, if Windows sends the same user information, is the user able to get in only in the latter case?
>
> Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=c61ad7019723b68d --nt-response=70fb1b0438208667d0bac6eb895ea8644b413566785d5785
> Exec-Program output: Logon failure (0xc06d)
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> Exec-Program: returned: 1
> rlm_mschap: External script failed.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> modcall[authenticate]: module mschap returns reject for request 7

It failed because the client returned the wrong challenge.

> Exec-Program: /opt/samba/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=testuser --challenge=aea3ef9fe78f8ac2 --nt-response=8c6a735e29ed7cddb8c02ae601424aca79d115544324731d
> Exec-Program output: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF
> Exec-Program-Wait: plaintext: NT_KEY: 12047FA4AC9D0AA0F53475F2FA2D03AF
> Exec-Program: returned: 0
> modcall[authenticate]: module mschap returns ok for request 16
> modcall: leaving group MS-CHAP (returns ok) for request 16
> MSCHAP Success

Whereas that worked. It looks to me as if you've edited the debug output so I can't be sure, but I'd suggest looking at the client - the radius server is configured correctly. Perhaps the client is not in fact logging on to the laptop with the correct username and password.
How to pass information between modules?
Hi!

Let's say I have the following authorize {} section:

  authorize {
      ldap
      sql
  }

What would be the best way to pass information between ldap and sql? For example, if I were to extract a group name from ldap and pass it to sql to get all the RADIUS attributes associated with this group, what would be the strategy to achieve that?

In other words, how to configure those modules if the ldap contains the group info, but sql the actual RADIUS attributes per group?

Thanks!
--
Martin Gadbois, S/W Developer, Colubris Networks Inc.
"Windows might take you from 0 to 60 faster, but to go to 100 you need Unix."
Re: How to pass information between modules?
Martin Gadbois wrote:
> What would be the best way to pass information between ldap and sql?

In the same way that all of the other modules do it: Put the information into attributes. That's what the config item list is for.

> For example, if I were to extract a group name from ldap and pass it to sql to get all the RADIUS attributes associated with this group, what would be the strategy to achieve that?

Put it into an attribute in the config items.

> In other words, how to configure those modules if the ldap contains the group info, but sql the actual RADIUS attribute per group?

You can use the LDAP-Group attribute, see the rlm_ldap documentation.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: LDAP-RADIUS Attribute Mapping
Owen DeLong wrote:
> We have historically used the AuthorizedService attribute in LDAP to control the level of access available to the user. We would like to continue to do so. However, in order for that to work, I need to map AuthorizedService to different RADIUS attributes in the response depending on the authentication client.

Do it in two steps. Map the AuthorisedService LDAP attribute to a RADIUS attribute (invent a local one, see the dictionary docs), and then depending on the NAS, map that to another attribute.

The reason for doing it this way is that the LDAP - RADIUS attribute mapping is simple, and should be kept simple.

> Ideally, I'd like to be able to map RADIUS clients into groups and have a mapping of AuthorizedService values for each group. The client groups would, ideally, be defined by matching the client IP address. An example of what I'd like that mapping to look like is below:

Use rlm_passwd to map clients to groups (see its documentation), and then the users file to map AuthorizedService to another RADIUS attribute, as described above.

> Alan, your flames and RTFM comments are welcome, but, please understand, I've done my best to RTFM before posting this.

As I tell my co-workers, "Remember, there are no stupid questions. There are only stupid people." And they still speak to me after that. :)

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: How to pass information between modules?
Alan DeKok wrote:
>> What would be the best way to pass information between ldap and sql?
>
> In the same way that all of the other modules do it: Put the information into attributes. That's what the config item list is for.

My subconscious FreeRADIUS mind was saying that as well; but how to use config items, and what makes them different from RADIUS Reply attributes? A theoretical example:

  modules {
      files users { ... }
      files groups { ... }
  }

  authorize {
      users
      groups
  }

file users:

  martin   User-Password == "gadbois"
           Group = staff

file groups:

  DEFAULT  Group == staff
           Reply-Message = "Hello Staff!"

I expect this to set martin into the staff group, and a RADIUS request returns Reply-Message "Hello Staff!". This does not work:

  [/etc/raddb/users]:223 WARNING! Check item "Group" found in reply item list for user "martin". This attribute MUST go on the first line with the other check items

Some explanation, a C function or a URL would greatly help!

>> In other words, how to configure those modules if the ldap contains the group info, but sql the actual RADIUS attribute per group?
>
> You can use the LDAP-Group attribute, see the rlm_ldap documentation.

I got it now; LDAP-Group is like a callback into the ldap module, where the LDAP group is going to be checked against the value. I'll go update the FR LDAP Wiki.. ;-)

Thanks Alan for the quick reply.
--
Martin Gadbois, S/W Developer, Colubris Networks Inc.
"Windows might take you from 0 to 60 faster, but to go to 100 you need Unix."
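An added configuration sketch, not from the list or from the FreeRADIUS distribution, tying together Alan's two-step answer to Owen's AuthorizedService table, his pointer to Ldap-Group, and the check-item versus reply-item warning in Martin's example above. It departs from Alan's wording in two places: the client-to-group step uses the huntgroups file of rlm_preprocess instead of rlm_passwd, and the LDAP value is read through the Ldap-Group compare instead of being copied into a new local attribute. The huntgroup names, NAS addresses and file layout are constructed for the illustration, and the ldap_groupcmp fallback behaviour should be confirmed against the rlm_ldap documentation of the version in use.

```text
# --- raddb/huntgroups (rlm_preprocess): client address -> client group -----
# Several lines may share a name; the group matches if any line matches.
# Huntgroup-Name is not a request attribute: it is a compare callback that
# rlm_preprocess registers, the same mechanism as Ldap-Group below.
pix-group-1      NAS-IP-Address == 10.0.0.1
pix-group-1      NAS-IP-Address == 10.0.0.2
router-group-1   NAS-IP-Address == 10.0.1.1
lb-group-1       NAS-IP-Address == 10.0.2.1

# --- radiusd.conf, ldap { }: one added line in the existing instance -------
# ldap_groupcmp first searches for a group entry whose groupname_attribute
# equals the check value; if none is found it falls back to the values of
# groupmembership_attribute in the user's own entry.  Pointing it at
# AuthorizedService makes  Ldap-Group == "Pix1Auth1"  true for a user whose
# entry carries AuthorizedService: Pix1Auth1, with no new local attribute.
ldap {
    # ... server, identity, basedn, filter as already configured ...
    groupmembership_attribute = AuthorizedService
}

# --- radiusd.conf, authorize { }: order matters -----------------------------
authorize {
    preprocess         # loads huntgroups, registers Huntgroup-Name
    ldap               # finds the user, leaves Ldap-UserDn for the compare
    files
}

# --- raddb/users -------------------------------------------------------------
# Check items go on the first line, reply items on the indented lines that
# follow.  This is what the warning in the example above complains about:
# "Group = staff" is a check item, so it cannot sit in the reply list.
# Only the combinations valid for a client group are listed, so a PIX value
# is never mapped for a router; the first matching entry wins.
DEFAULT Huntgroup-Name == "pix-group-1", Ldap-Group == "Pix1Auth1"
        Cisco-AVPair = "shell:priv-lvl=1"
DEFAULT Huntgroup-Name == "pix-group-1", Ldap-Group == "Pix1Auth7"
        Cisco-AVPair = "shell:priv-lvl=7"
DEFAULT Huntgroup-Name == "pix-group-1", Ldap-Group == "Pix1Auth15"
        Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT Huntgroup-Name == "router-group-1", Ldap-Group == "Rtr1Auth1"
        Cisco-AVPair = "shell:priv-lvl=1"
DEFAULT Huntgroup-Name == "lb-group-1", Ldap-Group == "LBAdmin"
        Service-Type = Authenticate-Only
```

Running the server with radiusd -X shows both compares being evaluated for each entry, which is the quickest way to see which line a request actually matched.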
Re: Choosing The best replication system.
Anyone out there with some guide or at least some pitfalls I should try and avoid on replicating the radius server?

Sarky

-- Original Message ---
From: Sarkis Gabriel [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thu, 7 Dec 2006 17:29:22 +0100
Subject: Choosing The best replication system.

> Hello all,
> With the way work is and the POPs are growing, it looks like I need to start centralising the database. At the moment I have 4 POPs around the country and all are fed from satellite links; as the company is growing it is becoming very hard to maintain, and we are looking to have a central MySQL DB in the UK which feeds the slave machines with the updated info.
> Each POP will have a live radius / mysql db feeding info back to a master machine in the UK, and that would replicate the info down to the slaves on the other POPs; this is the wishful thinking I have :).
> I have read about Replication with MySQL (one-way) and radrelay, then I noticed there is rlm_sql_log and radsqlrelay.
> One thing I must mention: there is a lot of LAG on the satellite connection, looking at approx 650ms, and because of BW cost we do rely on proxies, which makes BW usage during the day very expensive, so I would like to be able to replicate maybe once a night, let's say at midnight, being less busy and cheaper.
> Anyone out there with some ideas they can send my way..
> Thanks
> Sarky
--- End of Original Message ---
Re: TTLS : where to indicate User/Password ?
On Monday 04 December 2006 22:21, Alan DeKok wrote:
> Bruno Costacurta wrote:
>> I'm trying to configure FreeRadius using TTLS (certificate on server side only) and MySQL. Client is a Linux laptop using wpa_supplicant. I'm on a learning curve regarding 802.1x and FreeRadius and especially TTLS.
>
> That should work without too much effort.
>
>> Questions:
>> - TTLS available authentications are: CHAP, PAP, MS-CHAP, EAP (correct?)
>
> Yes.
>
>> - 'Auth-Type=local' means CHAP, PAP and MS-CHAP (correct?)
>
> No, just CHAP and PAP. You shouldn't be using it at all.
>
>> - for the learning curve:
>> --- which is the easiest authentication to start with?
>
> PAP.
>
>> --- MySQL will be removed at the first stage to ease debugging / setup of the config (good idea?)
>
> Yes.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

Dear Alan,
thanks for your answers. Indeed, starting from a fresh FreeRadius install and following the instructions at http://deployingradius.com/documents/configuration/ I'm now able to authenticate via TTLS.

Thanks again for your attention.
Bye,
Bruno