add realm to user based on NAS-IP
Hi all,

I wonder if it is possible to add a realm to a username based on the NAS-IP the request comes from. For instance:

- user abc logs on router 10.0.0.1
- router 10.0.0.1 asks a freeradius proxy for user abc
- freeradius-proxy recognizes the IP, adds @realm to the username and proxies the request to another freeradius-server based on the realm entry in proxy.conf

Unfortunately I found many solutions in the past 2 hours (like proxy-to-realm, attr_rewrite, hints...), and I can't decide which is the right one for me. %) So help would be much appreciated.

Thanks in advance
Alexander

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authorization/SER problems
On 2007-03-30, at 23:28, Dariusz Dwornikowski wrote:

Hi, I managed to do password checking for user, it works. Now I would like to return some things in Access-Accept when SER sends packet:

rad_recv: Access-Request packet from host 10.240.0.144:35694, id=160, length=64
User-Name = [EMAIL PROTECTED]
Service-Type = SIP-Caller-AVPs
NAS-Port = 0
NAS-IP-Address = 10.240.0.144

but I get Access-Reject:

modcall: leaving group authorize (returns ok) for request 3
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client openser2 port 0)

I just want to return some parameters.

For the future: I resolved the problem. I am checking whether the client can access the requested resource (in my case, dialed destination, etc.), and if he is, I return: SIP-AVP+=#number:value and Auth-Type+=Accept. In that case radius auth can find the Auth-Type, which is automatically granted if I want to grant it.

--
Dariusz Dwornikowski [EMAIL PROTECTED]
Re: FreeBSD FreeRADIUS port updated to 1.1.5, with various enhancements
Hi Nicolas, Alan and everyone,

In message [EMAIL PROTECTED], Nicolas Baradakis [EMAIL PROTECTED] writes:

David Wood wrote:

The second group of patches that remain I'm going to post below - because I think they might be candidates for committing to FreeRADIUS itself. It was clearly felt by previous contributors to the port that the Makefiles don't always contain $(CFLAGS) when they would be expected to.

snip

The patch adds $(CFLAGS) during the *link* (not during compile). The linker doesn't need options such as -O3 or -I/path/to/include, therefore I'd like to know the reasons why you believe this patch would be useful.

I can't think of a reason why it was useful, and I really can't figure out why it was ever added. As you say, all three of these patches relate to link steps, not compilation ones. I've deleted these three patches from the version of the port in my local Subversion repository.

There's one patch I wrote, which I think is a bug in a Makefile for 1.1.4 and 1.1.5 (hence the file name of patch-raddb-Makefile-1.1.4_bug): [...] otppasswd.sample seems to have disappeared from 1.1.4 onwards - is this a bug in that Makefile as I believe? If so, can that be fixed in CVS?

Indeed it looks like a bug. I've fixed it in CVS.

Thanks for the confirmation - that's another patch I look forward to throwing away.

There's two other things I'm currently modifying the source to achieve, on which I'd appreciate comments. patch-doc::Makefile surrounds the contents of the install target in doc/Makefile with #ifndef NOPORTDOCS ... #endif. FreeBSD ports have to respect this flag. Is a neater way to pass --with-docdir=/dev/null to configure if NOPORTDOCS is defined (which I haven't tried) and abandon the patch? Has anyone any other suggestions?

Every downstream distribution has its own mechanism to mark the files as documentation.

--with-docdir=/dev/null results in

mkdir: /dev/null: File exists

It looks like the patch (or some other way of modifying doc/Makefile) will have to stay.
I will continue to modify the source in some suitable way to achieve this.

To install the sample raddb files in the correct location, I'm running sed across all Makefile and Makefile.in files, replacing $(R)$(raddbdir) with the appropriate location. I'd rather do this via configure, but if I use --with-raddbdir, that changes the install location of the files *and* the default location the server looks for those files. The latter change isn't wanted.

Every downstream distribution has its own mechanism to handle the config files. I don't know the opinion of the others, but I'm unsure about a configure option that's useful for the FreeBSD port only.

We have a consensus on this - Alan suggests a sed script. I have tidied up the way I'm doing this in my local version of the port. It's now a couple of find commands with explanatory comments. The first runs sed across each Makefile and Makefile.in, whilst the second removes the .bak files (so that the one in doc/ isn't installed as documentation). That will do fine.

With the changes outlined above, I've got one patch which should be unnecessary in 1.1.6 and onwards (because the underlying problem in the source has been fixed), one patch that I believe is only needed for FreeBSD 4.x compatibility (which I expect to remove when that is discontinued), and one patch that's needed to support NOPORTDOCS. That's much more maintainable than the nine patches the port had when I first took the FreeRADIUS FreeBSD port over.

Thanks for your comments and support,

David
--
David Wood [EMAIL PROTECTED]
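The two-pass find/sed approach described in the message above, as an added example that is not part of the original message and is not the port's own commands. The replacement path `$(EXAMPLESDIR)/raddb` and the sample tree are constructed assumptions.

```shell
#!/bin/sh
# Added example; not the FreeBSD port's actual commands.

# rewrite_raddbdir TREE NEWDIR
#   Replace the literal text $(R)$(raddbdir) in every Makefile and
#   Makefile.in under TREE with NEWDIR, then delete sed's backups.
#   Assumes NEWDIR contains no '|' or '&' (both are special to sed here).
rewrite_raddbdir() {
    tree=$1
    newdir=$2
    # Pass 1: edit in place, keeping a .bak copy; "-i.bak" is accepted
    # by both BSD and GNU sed. "\$" matches a literal dollar sign.
    find "$tree" -type f \( -name Makefile -o -name Makefile.in \) \
        -exec sed -i.bak -e 's|\$(R)\$(raddbdir)|'"$newdir"'|g' {} \;
    # Pass 2: remove the backups so that none of them (for example the
    # one in doc/) is picked up and installed as documentation.
    find "$tree" -type f \( -name Makefile.bak -o -name Makefile.in.bak \) \
        -exec rm -f {} \;
}

# make_sample_tree: build a small constructed source tree and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/raddb" "$d/doc"
    printf 'install:\n\tinstall -m 640 users $(R)$(raddbdir)/users\n' \
        > "$d/raddb/Makefile"
    printf 'install:\n\tcp README $(R)$(docdir)/README\n' \
        > "$d/doc/Makefile.in"
    # Not a Makefile, so it must be left untouched.
    printf 'raddbdir = $(R)$(raddbdir)\n' > "$d/doc/notes.txt"
    echo "$d"
}

sample=$(make_sample_tree)
rewrite_raddbdir "$sample" '$(EXAMPLESDIR)/raddb'   # hypothetical target
grep -r 'raddb' "$sample"
rm -rf "$sample"
```

Because only the Makefiles are rewritten, the compiled-in default for raddbdir that configure sets is unchanged, which is the separation the message asks for.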
Anyone using dd-wrt for AP?
I am trying to set up dd-wrt to use freeradius for authentication with EAP-TLS, however, I have run into a problem: there doesn't seem to be an option under the WPA encryption system for entering the freeradius secret.

If anyone has got this working, can you let me know the where and how? The dd-wrt forums have been pretty silent on the issue.

--
Ian Truelsen s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]
Re: Anyone using dd-wrt for AP?
Ian Truelsen wrote:

I am trying to set up dd-wrt to use freeradius for authentication with EAP-TLS, however, I have run into a problem: there doesn't seem to be an option under the WPA encryption system for entering the freeradius secret. If anyone has got this working, can you let me know the where and how? The dd-wrt forums have been pretty silent on the issue.

If the box is sending RADIUS requests from itself to itself, the secret should probably be hard-coded to something static, like testing123.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Anyone using dd-wrt for AP?
On Sun, 2007-04-01 at 07:19 +0200, Alan DeKok wrote:

Ian Truelsen wrote:

I am trying to set up dd-wrt to use freeradius for authentication with EAP-TLS, however, I have run into a problem: there doesn't seem to be an option under the WPA encryption system for entering the freeradius secret. If anyone has got this working, can you let me know the where and how? The dd-wrt forums have been pretty silent on the issue.

If the box is sending RADIUS requests from itself to itself, the secret should probably be hard-coded to something static, like testing123.

Hopefully that is not the case. The freeradius server is on an external machine. I am trying to get the AP to authenticate against that server, but I am having trouble sorting out how to get it to do this.

--
Ian Truelsen s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]