Radius Access PB
Hi, I have freeradius launched and working great on my server for ADSL authentication with one NAS, but I am trying to use the same radius with another RAS configured on another DSP, and I always get this message: RADIUS, Accounting Request With no reply from my server, even though, at the same time, everything is working great with the other DSP, and if I run radtest locally I can see on my radius (using radiusd -x) the access request and the reply. I tried the same configuration with the other DSP, ignoring the postgresql flags, and I still get the request but no reply from my side. Any idea?

Thanks, best regards,
Elie Hani

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wrong behaviour of rlm_ldap module + users file
On Fri, 2007-07-27 at 13:25 +0200, inverse wrote:
> Hi, I tried the suggestion and it didn't work, here are the involved radiusd.conf sections.

Ok. A quick glance at the code shows that the Ldap-Group compare function will do an LDAP search to find the user's LDAP DN. You can set it, and it should skip the search - however, the attribute needs to go in the request pairs (grr), so put these lines in hints:

DEFAULT
	Ldap-UserDn = "cn=%{User-Name},ou=whatever,..."

Note that the DN need not be real.
Freeradius Juniper
Hi, small question. I know my version is old but I didn't have any problem until recently! I'm using freeradius 0.9.3 (mandrake 10) to authenticate pppoe users! When a juniper equipment tries to authenticate it fails! (most other brands succeed) They told me the fields are not sent in the right order... Here is the detailed reason juniper gave me:

Root cause found, it is caused by the peer side modifying the options order in the REJ packet. RFC1661 requires we keep the order so we think the REJ packet is invalid and drop it. So PPP can not be brought UP. Could we contact the ISP to check how their software works?

sending order: [DNS_S]--[NBNS_P]--[NBNS_S]
SEND DECODE:(ethernet0/0) ***[IPCP ConfReq ID=0x1 ADDR 0.0.0.0 DNS_P 0.0.0.0 DNS_S 0.0.0.0 NBNS_P 0.0.0.0 NBNS_S 0.0.0.0]***
--- Receiving order: [NBNS_P]--[DNS_S]--[NBNS_S]
RECV DECODE:(ethernet0/0) ***[IPCP ConfRej ID=0x1 NBNS_P 0.0.0.0 DNS_S 0.0.0.0 NBNS_S 0.0.0.0]***

Can I do something about this rapidly?
Thanks for your help

_
Be among the first to try Windows Live Mail. http://ideas.live.com/programpage.aspx?versionId=5d21c51a-b161-4314-9b0e-4911fb2b2e6d
Re: Freeradius Juniper
Hi!

> I'm using freeradius 0.9.3 (mandrake 10) to authenticate pppoe users! When a juniper equipment tries to authenticate it fails! (most other brands succeed) They told me the fields are not sent in the right order...

First of all, I have no idea what you are doing from your explanation... you are authenticating the PPPoE users, so I would think that you are the ISP yourself.

- What is the role of the Juniper device? (The device that is requesting the connection? The device that is receiving the connection?)
- Exactly what kind of equipment is on the other end of the line?
- Which device is communicating with FreeRADIUS?

> SEND DECODE:(ethernet0/0) ***[IPCP ConfReq ID=0x1 ADDR 0.0.0.0 DNS_P 0.0.0.0 DNS_S 0.0.0.0 NBNS_P 0.0.0.0 NBNS_S 0.0.0.0]***
> RECV DECODE:(ethernet0/0) ***[IPCP ConfRej ID=0x1 NBNS_P 0.0.0.0 DNS_S 0.0.0.0 NBNS_S 0.0.0.0]***
> Can I do something about this rapidly?

This does not look like a RADIUS problem. One of your PPP peers (the one on the other end of the line) is mangling its responses and the device from which you posted the logs is not accepting that (as it should, like you already indicated yourself). This is a PPPoE problem.

Gtnx
Marcel
Re: Wrong behaviour of rlm_ldap module + users file
Hi, I tried the suggestion and it didn't work; here are the involved radiusd.conf sections. You will also notice mschap and similar, that's because we also have dialup users who need an ldap lookup for their membership of a dialup group and the password. I also need to check if chap still works with this configuration...

instantiate {
	exec
	ldap
	files
	expr
}

authorize {
	preprocess
	auth_log
	chap
	mschap
	suffix
	eap
	files
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}

And this is the users file line:

[EMAIL PROTECTED]	Cleartext-Password := a, Ldap-Group == wifi

I also used this one:

[EMAIL PROTECTED]	Ldap-Group == wifi

with EAP-TLS. No way. Both first perform a user-existence check in the ldap_groupcmp() call, meaning these both work if the user exists in the LDAP tree. In the meanwhile I'm looking at the source code for this call... it sounds like this search is hardcoded somewhere. Forgive my suckage. T_T

Bye,
Inverse

On 7/26/07, inverse [EMAIL PROTECTED] wrote:
> > > users file line:
> > > [EMAIL PROTECTED]	Auth-Type := EAP, User-Password == a, Ldap-Group == wifi
> >
> > Totally wrong. You want:
> >
> > [EMAIL PROTECTED]	Cleartext-Password := a, Ldap-Group == wifi
>
> Thanks, I owe you one
>
> Bye,
> Inverse.

--
In a sea of glass shards, I hear you screaming --icchan
Adding a NAS via SQL
Hi all, I think I might be being a little dense, but when I add a NAS to my SQL database, it doesn't appear to be enabled until I restart my radius server. Is there a way to automatically activate a new NAS device that I add to the SQL database?

Kind regards,
Paul.
Re: Freeradius Juniper
Have you tested if the current version of FreeRADIUS solves your problem?

(Maybe you can help me figure out why my copy of Windows 3.1 is not working properly with my new webcam...)

-Peter

On Fri 27 Jul 2007, J-P Raymond wrote:
> Hi, small question. I know my version is old but I didn't have any problem until recently! I'm using freeradius 0.9.3 (mandrake 10) to authenticate pppoe users! When a juniper equipment tries to authenticate it fails! (most other brands succeed) They told me the fields are not sent in the right order... Here is the detailed reason juniper gave me:
>
> Root cause found, it is caused by the peer side modifying the options order in the REJ packet. RFC1661 requires we keep the order so we think the REJ packet is invalid and drop it. So PPP can not be brought UP. Could we contact the ISP to check how their software works?
>
> sending order: [DNS_S]--[NBNS_P]--[NBNS_S]
> SEND DECODE:(ethernet0/0) ***[IPCP ConfReq ID=0x1 ADDR 0.0.0.0 DNS_P 0.0.0.0 DNS_S 0.0.0.0 NBNS_P 0.0.0.0 NBNS_S 0.0.0.0]***
> --- Receiving order: [NBNS_P]--[DNS_S]--[NBNS_S]
> RECV DECODE:(ethernet0/0) ***[IPCP ConfRej ID=0x1 NBNS_P 0.0.0.0 DNS_S 0.0.0.0 NBNS_S 0.0.0.0]***
>
> Can I do something about this rapidly?
> Thanks for your help

--
Peter Nixon
http://peternixon.net/
Auth-Type in post-auth SQL insert
I'm pretty new to FreeRADIUS so I apologize if this is a really basic question. I've searched around quite a bit and have been unable to locate an answer.

I've successfully configured FreeRADIUS to use a SQL driver for authentication checks as well as inserting records via the post-auth query. Is there a runtime variable that I can reference to save the Auth-Type used for authenticating the user during post-auth? I've tried what I thought to be the obvious (e.g. %{Auth-Type}) but that doesn't seem to be available (it just inserts an empty string).

Essentially, I'd like to catalog the type of authentication that was used for authorizing a user (assuming it was successful, of course). For example, user Joe authenticated via PAP.

-brad
Re: Openldap - Freeradius - auto vlan
Alan, ok, sorry... I configured the radius to get the users from LDAP, but I have some problems configuring the users file. I have never installed freeradius before; I need to configure freeradius to authenticate users using 802.1x and then assign a vlan to that user... I didn't find documentation about it... does anybody have anything like this?

Regards,

On 7/26/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Fabio Silva wrote:
> > Hi all, I need to configure a system that works with openldap + freeradius and that assigns the vlan automatically to the users... does anybody have any howto to do it?
>
> Read your NAS documentation on what attributes it needs to assign a VLAN. Then, make FreeRADIUS send them.
>
> > I read this one: http://www.freeradius.org/radiusd/doc/ldap_howto.txt but the versions of the software are very old, and in some parts of the howto some options do not work.
>
> The server includes that document, along with doc/rlm_ldap. The comments in the radiusd.conf file document the configuration items, and are up to date.
>
> Do you have a *specific* question? i.e. Saying "it doesn't work" doesn't help. What did you do?
>
> Alan DeKok.

--
Fabio S. Silva
Mail: [EMAIL PROTECTED]
CCNA / LPIC-2 / MCP
Re: Adding a NAS via SQL
On 7/27/07, Paul Lambert [EMAIL PROTECTED] wrote:
> Hi all, I think I might be being a little dense, but when I add a NAS to my SQL database, it doesn't appear to be enabled until I restart my radius server. Is there a way to automatically activate a new NAS device that I add to the SQL database?

NAS adding should be realtime, I believe; I don't think you need to restart radius for that.

ram
SQL read_group patch - please apply!
FOR THE SAKE OF MY SANITY!!! Please apply the patch from http://readlist.com/lists/lists.freeradius.org/freeradius-users/2/10462.html, which was posted 3 and a half months ago! PLEASE, pretty please, with sugar on top!

Thanks,
Roy
Authorize after checking an LDAP attribute value
Dear Freeradius users:

I am trying to set up my authentication to allow only users with a particular value of a particular LDAP attribute to log in. I am using freeradius 1.1.7 and I have the authentication going against Kerberos, but I do not know how to have the radius server check the value of the attribute before allowing access. If they are not in the group, it should send back the reject packet. Does anyone know how to perform a check item check against a particular LDAP attribute? Here is how I can set an attribute to the value, and it works correctly:

DEFAULT	Auth-Type = Kerberos, NAS-IP-Address == 1.2.3.4, NAS-Port == 10
	Connect-Info = %{ldap:ldap:///dc=test,dc=com?testValue?sub?uid=%u}

Any suggestions would be appreciated.

Regards,
Ken Marshall
Re: SQL read_group patch - please apply!
Roy Walker wrote:
> Please apply the patch from http://readlist.com/lists/lists.freeradius.org/freeradius-users/2/10462.html, which was posted 3 and a half months ago!

This is a coincidence, but the read_groups patch was checked into CVS earlier today. You can run a cvs update or download a new snapshot from the website tomorrow.

--
Nicolas Baradakis
CalledStationID
I'm trying to solve a design issue and wonder if anyone has done something similar with hotspots. I would like to send back different values in the VSAs when a user logs in from one calledStationID vs another. For example: user joe logs in from hotspot1; the calledStationID is sent. FreeRADIUS takes that and sends back the local DNS server IP address (or whatever is specific to that region) instead of the one tied to, say, hotspot100. The goal is to allow me to set up different regions in FreeRADIUS with region-specific parameters. I had some things that I thought would work, but I'm wondering how others have solved this problem.

Jeffrey
RE: Freeradius Juniper
> > I'm using freeradius 0.9.3 (mandrake 10) to authenticate pppoe users! When a juniper equipment tries to authenticate it fails! (most other brands succeed) They told me the fields are not sent in the right order...
>
> First of all, I have no idea what you are doing from your explanation... you are authenticating the PPPoE users, so I would think that you are the ISP yourself.

As a matter of fact I'm working for an ISP!

> - What is the role of the Juniper device? (The device that is requesting the connection? The device that is receiving the connection?)
> - Exactly what kind of equipment is on the other end of the line?
> - Which device is communicating with FreeRADIUS?

Our ISP equipment is a Xedia router (Lucent AP). The authentication is done via Freeradius 0.9.3 running on mdk 10. The juniper equipment is on one of our clients' side, and it's the only equipment that won't authenticate at all. In the radius users file we have the following:

[EMAIL PROTECTED]	Auth-Type := Local, User-Password == edc852
	Service-Type = Login,
	Framed-Protocol = PPP,
	Framed-Address = 200.100.50.25,
	Xedia-DNS-Server = 175.200.225.250,
	XEDIA-PPP-ECHO-INTERVAL = 30

To answer the other question: No, I didn't try with the latest version; I'm having problems installing it (1.1.6) on this distribution (mdk 10).

Thanks for your reply

> > SEND DECODE:(ethernet0/0) ***[IPCP ConfReq ID=0x1 ADDR 0.0.0.0 DNS_P 0.0.0.0 DNS_S 0.0.0.0 NBNS_P 0.0.0.0 NBNS_S 0.0.0.0]***
> > RECV DECODE:(ethernet0/0) ***[IPCP ConfRej ID=0x1 NBNS_P 0.0.0.0 DNS_S 0.0.0.0 NBNS_S 0.0.0.0]***
> > Can I do something about this rapidly?
>
> This does not look like a RADIUS problem. One of your PPP peers (the one on the other end of the line) is mangling its responses and the device from which you posted the logs is not accepting that (as it should, like you already indicated yourself). This is a PPPoE problem.
>
> Gtnx
> Marcel
Re: CalledStationID
users file:

DEFAULT	Called-Station-Id == hotspot1
	reply 1,
	reply 2,
	...

DEFAULT	Called-Station-Id == hotspot100
	reply 1,
	reply 2,
	...

Ivan Kalik
Kalik Informatika ISP

On 27/7/2007, Jeffrey Sewell [EMAIL PROTECTED] wrote:
> I'm trying to solve a design issue and wonder if anyone has done something similar with hotspots. I would like to send back different values in the VSAs when a user logs in from one calledStationID vs another. For example: user joe logs in from hotspot1; the calledStationID is sent. FreeRADIUS takes that and sends back the local DNS server IP address (or whatever is specific to that region) instead of the one tied to, say, hotspot100. The goal is to allow me to set up different regions in FreeRADIUS with region-specific parameters. I had some things that I thought would work, but I'm wondering how others have solved this problem.
>
> Jeffrey
RE: Freeradius Juniper
IPCP (the thing that's failing) is a part of PPP negotiation. It has absolutely nothing to do with radius authentication. Your radius server is not at fault here. Installing a new one will not help. Don't bother looking at radius. Look into PPP negotiation between routers.

Ivan Kalik
Kalik Informatika ISP

On 27/7/2007, J-P Raymond [EMAIL PROTECTED] wrote:
> > > I'm using freeradius 0.9.3 (mandrake 10) to authenticate pppoe users! When a juniper equipment tries to authenticate it fails! (most other brands succeed) They told me the fields are not sent in the right order...
> >
> > First of all, I have no idea what you are doing from your explanation... you are authenticating the PPPoE users, so I would think that you are the ISP yourself.
>
> As a matter of fact I'm working for an ISP!
>
> > - What is the role of the Juniper device? (The device that is requesting the connection? The device that is receiving the connection?)
> > - Exactly what kind of equipment is on the other end of the line?
> > - Which device is communicating with FreeRADIUS?
>
> Our ISP equipment is a Xedia router (Lucent AP). The authentication is done via Freeradius 0.9.3 running on mdk 10. The juniper equipment is on one of our clients' side, and it's the only equipment that won't authenticate at all. In the radius users file we have the following:
>
> [EMAIL PROTECTED]	Auth-Type := Local, User-Password == edc852
> 	Service-Type = Login,
> 	Framed-Protocol = PPP,
> 	Framed-Address = 200.100.50.25,
> 	Xedia-DNS-Server = 175.200.225.250,
> 	XEDIA-PPP-ECHO-INTERVAL = 30
>
> To answer the other question: No, I didn't try with the latest version; I'm having problems installing it (1.1.6) on this distribution (mdk 10).
>
> Thanks for your reply
>
> > > SEND DECODE:(ethernet0/0) ***[IPCP ConfReq ID=0x1 ADDR 0.0.0.0 DNS_P 0.0.0.0 DNS_S 0.0.0.0 NBNS_P 0.0.0.0 NBNS_S 0.0.0.0]***
> > > RECV DECODE:(ethernet0/0) ***[IPCP ConfRej ID=0x1 NBNS_P 0.0.0.0 DNS_S 0.0.0.0 NBNS_S 0.0.0.0]***
> > > Can I do something about this rapidly?
> >
> > This does not look like a RADIUS problem. One of your PPP peers (the one on the other end of the line) is mangling its responses and the device from which you posted the logs is not accepting that (as it should, like you already indicated yourself). This is a PPPoE problem.
> >
> > Gtnx
> > Marcel
Re: CalledStationID
Could the same thing apply if I'm using MySQL instead of the users file? Maybe a separate sql query based on calledStationID?

On 7/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> users file:
>
> DEFAULT	Called-Station-Id == hotspot1
> 	reply 1,
> 	reply 2,
> 	...
>
> DEFAULT	Called-Station-Id == hotspot100
> 	reply 1,
> 	reply 2,
> 	...
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 27/7/2007, Jeffrey Sewell [EMAIL PROTECTED] wrote:
> > I'm trying to solve a design issue and wonder if anyone has done something similar with hotspots. I would like to send back different values in the VSAs when a user logs in from one calledStationID vs another. For example: user joe logs in from hotspot1; the calledStationID is sent. FreeRADIUS takes that and sends back the local DNS server IP address (or whatever is specific to that region) instead of the one tied to, say, hotspot100. The goal is to allow me to set up different regions in FreeRADIUS with region-specific parameters. I had some things that I thought would work, but I'm wondering how others have solved this problem.
> >
> > Jeffrey
Re: CalledStationID
You could add a CalledStationId field to the radgroupreply table and modify authorize_group_reply_query to check that that field is equal to %{Called-Station-Id}.

Ivan Kalik
Kalik Informatika ISP

On 27/7/2007, Jeffrey Sewell [EMAIL PROTECTED] wrote:
> Could the same thing apply if I'm using MySQL instead of the users file? Maybe a separate sql query based on calledStationID?
>
> On 7/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > users file:
> >
> > DEFAULT	Called-Station-Id == hotspot1
> > 	reply 1,
> > 	reply 2,
> > 	...
> >
> > DEFAULT	Called-Station-Id == hotspot100
> > 	reply 1,
> > 	reply 2,
> > 	...
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> > On 27/7/2007, Jeffrey Sewell [EMAIL PROTECTED] wrote:
> > > I'm trying to solve a design issue and wonder if anyone has done something similar with hotspots. I would like to send back different values in the VSAs when a user logs in from one calledStationID vs another. For example: user joe logs in from hotspot1; the calledStationID is sent. FreeRADIUS takes that and sends back the local DNS server IP address (or whatever is specific to that region) instead of the one tied to, say, hotspot100. The goal is to allow me to set up different regions in FreeRADIUS with region-specific parameters. I had some things that I thought would work, but I'm wondering how others have solved this problem.
> > >
> > > Jeffrey
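As an added illustration of the two answers in this thread (the per-Called-Station-Id users file entries and the SQL variant with an extra column on radgroupreply), the following Python is not from the list or from FreeRADIUS itself. It builds the radusergroup and radgroupreply tables in an in-memory SQLite database with the CalledStationId column Ivan suggests, and runs a query shaped like a modified authorize_group_reply_query. The column name, the sample rows, the hotspot names, the RFC 5737 documentation addresses, and the rule that a NULL CalledStationId applies to every hotspot are all constructed for the example; the shipped schema and default query differ between FreeRADIUS versions, so the query shows the idea rather than text to paste into sql.conf.

```python
import sqlite3

# Constructed sample schema, modelled on FreeRADIUS's radusergroup and
# radgroupreply tables plus the CalledStationId column from the thread.
# NULL in CalledStationId is used here (an assumption) for a row that
# applies to every hotspot.
SCHEMA = """
CREATE TABLE radusergroup (
    UserName TEXT NOT NULL, GroupName TEXT NOT NULL, priority INTEGER NOT NULL
);
CREATE TABLE radgroupreply (
    id INTEGER PRIMARY KEY,
    GroupName TEXT NOT NULL, Attribute TEXT NOT NULL,
    op TEXT NOT NULL, Value TEXT NOT NULL,
    CalledStationId TEXT
);
"""

# Constructed rows: one region-independent reply item and a region-specific
# DNS server per hotspot (addresses from the RFC 5737 documentation ranges).
USER_GROUPS = [("joe", "hotspot-users", 1)]
GROUP_REPLIES = [
    ("hotspot-users", "Framed-Protocol",       "=", "PPP",           None),
    ("hotspot-users", "MS-Primary-DNS-Server", "=", "192.0.2.53",    "hotspot1"),
    ("hotspot-users", "MS-Primary-DNS-Server", "=", "198.51.100.53", "hotspot100"),
]

# Shape of a modified authorize_group_reply_query.  In sql.conf the two
# parameters would be the expansions '%{SQL-User-Name}' and
# '%{Called-Station-Id}'; here they are bound as SQLite parameters, which
# also keeps a NAS-supplied Called-Station-Id out of the SQL text.
GROUP_REPLY_QUERY = """
SELECT r.Attribute, r.op, r.Value
FROM radgroupreply AS r
JOIN radusergroup AS ug ON ug.GroupName = r.GroupName
WHERE ug.UserName = ?
  AND (r.CalledStationId = ? OR r.CalledStationId IS NULL)
ORDER BY ug.priority, r.id
"""


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radusergroup VALUES (?, ?, ?)", USER_GROUPS)
    conn.executemany(
        "INSERT INTO radgroupreply (GroupName, Attribute, op, Value, CalledStationId) "
        "VALUES (?, ?, ?, ?, ?)",
        GROUP_REPLIES,
    )
    return conn


def group_reply(conn, user_name, called_station_id):
    """Return the (Attribute, op, Value) reply items for this user and NAS.

    Only rows whose CalledStationId equals the value the NAS sent, or is NULL,
    are returned, so a request from an unknown hotspot gets the
    region-independent items and no region-specific DNS server.
    """
    return conn.execute(GROUP_REPLY_QUERY, (user_name, called_station_id)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for hotspot in ("hotspot1", "hotspot100", "hotspot-unknown"):
        print(hotspot, group_reply(db, "joe", hotspot))
```

Because Called-Station-Id is whatever the NAS puts in the request, matching it by exact equality against a fixed list of known hotspot identifiers, as this query does, is the safe form; a LIKE or substring match would let an unexpected value pick up another region's reply items.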
EXEC question w/ LDAP Attributes
Hello all,

I have a question regarding returning attributes from LDAP with freeRadius. I need to do some logic comparing, and the only way I have been able to get close is to use the post-auth section, enable 'exec' and push out some data to an external program where I can do some pattern matching. Now I have this working just fine with LDAP; the DN and search filter are fine etc. What I want to do is return other attributes from LDAP to be included in the radius reply. I have added the following to dictionary_mapping = ${raddbdir}/ldap.attrmap:

checkItem	employeeType	employeeType

When I run the server in debug mode, I see that it is in fact returning the value of the employeeType from LDAP. The question revolves around how to pass that out to my test program for validation. I have been able to pass out everything that is in the initial radius request, but nothing else. I have tried to modify the program line below to also send out %{employeeType}, %{check:employeeType}, %{request:employeeType} and %{reply:employeeType}. None of those work. I have even tried along the lines of %{modules.ldap.checkval}. I can't seem to get it to work. Any help would be appreciated.

Below is a snippet of the radius configuration file, and the little program I have seen in the user groups to echo out the responses that I am using to test. I have verified that if I return a '0' the request is accepted, and a '1' will reject the request... That part works fine. Also below are parts of the debug dump. I don't have the actual connection portion of the log as I am at a remote site currently; I can send that along also if people think it will be of benefit.

Thanks for any assistance!

- Reynold

radius.conf
---
exec {
	wait = yes
	input_pairs = request
	program = '${raddbdir}/test.sh %u %{Called-Station-Id}'
}

test.sh
---
#!/bin/bash
echo A: $1
echo B: $2
echo C: $3
exit 0

radiusd -X
---
Module: Loaded exec
 exec: wait = yes
 exec: program = /etc/raddb/test.sh %u %{Called-Station-Id}
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Loaded LDAP
 ldap: server = ldapserver
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = admin
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = (null)
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password = pwd
 ldap: basedn = base-dn
 ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 ldap: base_filter = (objectClass=user)
 ldap: default_profile = (null)
 ldap: profile_attribute = (null)
 ldap: password_header = (null)
 ldap: password_attribute = userpassword
 ldap: access_attr = (null)
 ldap: groupname_attribute = cn
 ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 ldap: groupmembership_attribute = (null)
 ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP employeeType mapped to RADIUS employeeType
conns: 0x8115218
Module: Instantiated ldap (ldap)
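As an added example of the exec-module program Reynold describes (this is neither his test.sh nor FreeRADIUS code), the Python below does the pattern matching on employeeType and returns the accept/reject exit code. It relies on two documented rlm_exec behaviours: with input_pairs set, the attributes of that list are exported to the program as environment variables with the name upper-cased and '-' replaced by '_' (USER_NAME, CALLED_STATION_ID), and with output_pairs = reply every stdout line of the form "Attribute = value" is added to the reply, so diagnostics have to go to stderr rather than being echoed like test.sh does. The employeeType value is read from a third command-line argument; which expansion on the program line delivers it from the LDAP check items is the open question of this thread and is not settled here, so that argument, the allowed-values pattern and the sample inputs are assumptions made for the example.

```python
import os
import re
import sys

# Hypothetical policy for the example: only these employeeType values may
# log in. The pattern is anchored so that "staffer" or "ex-contractor" does
# not match by accident.
ALLOWED_EMPLOYEE_TYPES = re.compile(r"^(staff|contractor)$", re.IGNORECASE)


def decide(user_name, called_station_id, employee_type):
    """Return (exit_code, reply_lines) for one request.

    Exit code 0 accepts and 1 rejects, the contract Reynold verified with
    test.sh under wait = yes.  reply_lines are "Attribute = value" strings
    that rlm_exec adds to the reply when output_pairs = reply is configured.
    """
    if not user_name or not called_station_id:
        return 1, ['Reply-Message = "missing User-Name or Called-Station-Id"']
    if employee_type is None or not ALLOWED_EMPLOYEE_TYPES.match(employee_type.strip()):
        return 1, ['Reply-Message = "employeeType not permitted"']
    return 0, ['Reply-Message = "welcome %s"' % user_name]


def main(argv=None, environ=None):
    """Entry point used when rlm_exec runs this file; returns the exit code."""
    argv = sys.argv[1:] if argv is None else argv
    environ = os.environ if environ is None else environ
    # Request attributes arrive as environment variables; the program line on
    # the page also passes %u and %{Called-Station-Id} as arguments, so fall
    # back to those when the variables are absent (e.g. when run by hand).
    user_name = environ.get("USER_NAME") or (argv[0] if len(argv) > 0 else "")
    called = environ.get("CALLED_STATION_ID") or (argv[1] if len(argv) > 1 else "")
    employee_type = argv[2] if len(argv) > 2 else None  # assumption: 3rd argument
    code, lines = decide(user_name, called, employee_type)
    for line in lines:
        print(line)                                   # stdout: reply pairs
    print("decision=%d user=%s nas=%s" % (code, user_name, called),
          file=sys.stderr)                            # stderr: diagnostics only
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Run by hand as `./check.py reynold 00-11-22-33-44-55 staff` (a constructed invocation) it exits 0; with `intern` as the third argument it exits 1. With wait = yes the exit code is what decides the request, and the "A: ..." lines test.sh prints would be treated as malformed reply pairs once output_pairs is set, which is why this version keeps stdout clean.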