Re: access reject packet

2007-09-03 Thread inverse
hi

 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=194, length=20



You should also post the output of radiusd -X, the relevant contents
of radiusd.conf, clients.conf, huntgroups and the users file.

Without these, it's very difficult to tell anything.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2

2007-09-03 Thread Alan DeKok
Scott Lambert wrote:
 I decided to simplify and try just using radclient from the new server
 and leaving the FreeRADIUS daemon out of it.  That also gets replies but
 radclient throws them out because it doesn't think it sent the request.

  Ok.  Both the server and radclient now use the same code to match
replies to requests, so it's expected that they will have the same issues.

 I suspect that the jail has a lot to do with the problem.

  Try running a test system outside of the jail.  If that works, then
the problem will at least be narrowed down to the jail.

  If it can't
 be worked around, I'm in trouble.  In that case I'll try to take it
 up with the FreeBSD developers to see if they have any ideas, while I
 scrounge up some separate hardware to run FreeRADIUS on.

  Or, just install & run it outside of the jail.

 tcpdump of the request:
...

  That looks OK.

  Another option is to instrument src/lib/packet.c, function
lrad_packet_cmp().  Have it print out WHAT it's comparing, and WHEN it's
returning.  You'll get a lot of spurious output, but you'll also find
out why the reply isn't being matched to a request.

  It may be that the client is binding to one IP address, and the reply
is sent (and seen as received by) another IP address.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authorization in RADIUS, Authorization in freeradius

2007-09-03 Thread Artur Hecker

Hi George


I guess it is more a question of the definition of the scope of authorization and authentication than of the actual mechanisms. I would invite you to read the RADIUS RFCs since your conclusions sound a little bit hasty.

In RADIUS, and in freeradius in particular, the authentication is part of the authorization. This might sound somewhat strange, but is actually a sound and more general alternative from the AAA perspective, i.e. from an authentication service point of view.

It goes like this: identification vector -> authorization -> authentication -> everything else.

You could reflect upon it in terms of phases, although strictly speaking the whole treatment is applied on a per-packet basis. It is of course true that one can do a lot of things with RADIUS (and especially with freeradius) that might not directly correspond to the initial goals, but I do believe that logically and generally one could speak about these phases.

Thus, a user (or machine, or address, or user logging in from a certain MAC address, or whatever else is used as identity) can be allowed or not to use certain authentication schemes. Once a method is chosen, the claimed identity (or another one, unfortunately) can be verified during the authentication. If this verification of the identity (= authentication) is successful, certain parameters are transmitted to the NAS in the Access-Accept packet. These are to be applied to the service to be delivered. It could be duration, QoS parameters, service types, etc.; that is utterly dependent on the service and on the NAS and often employs a bunch of VSAs.

So for me, most definitely, things such as Session-Timeout, the Tunnel attributes, and most VSAs are authorizations, because these are properties to be applied to the already accepted service delivery for an authenticated identity.

Now, there are other attributes (almost all of them, to cite Alan) that are actually authorizations. E.g. the same verified identity can be granted service access under certain conditions and not under others. These conditions can be time, location, accounting (e.g. previous resource usage), roaming, etc. related.

E.g. you could allow any member of a group A access to certain WiFi Access Points during certain time periods only if this particular member did not use up its resource limit. At the same time a group B could access all the other Access Points, etc. If that is not authorization for you, please explain your definition, since it would interest me personally. I do confess however that this particular scenario mixes up RADIUS and freeradius capabilities, but that seems normal since IETF protocols rarely specify behaviour.

That leads to your question on policies. Policies also need a definition: what is a policy for you? In the broad common sense of the word, policies are not part of the RADIUS protocol. However, you can quite easily implement policies in freeradius, e.g. by grouping and actual resource usage (see the example above: during course hours students are not allowed to log in to WiFi from the cafeteria; is that not a policy for you?). Depending on NAS capabilities and the service to be provided, you can do more complex things...


Is that helpful?


artur







On 2 Sep 2007, at 17:52, George Beitis wrote:


Hey Alan,
thank you for your reply.  I am writing up a part of my dissertation and I'm referring to freeradius and the RADIUS protocol, trying to explain how it works.  From my research, most people use RADIUS for authentication purposes.  No one gives a clear image of whether or not they use it for authorization once they have established authentication, so in other words authentication and authorization become one and the same.  Do you know of any products that can be used with freeradius to provide such authorization facilities?  Using perhaps policies?

regards
George

Alan DeKok wrote:

George Beitis wrote:

I have a general question regarding Authorization in the RADIUS protocol and how it is implemented in freeradius.  What does the RADIUS protocol refer to when it talks about Authorization? Does it actually refer to users being probably authorized after being authenticated, using the protocol?

  I guess.  It's not really clear.  i.e. No one knows...

 Are there RADIUS specific attributes that are for authorization? (not authentication).

  Most of them?  The authentication attributes are User-Password, CHAP-Password, EAP-Message... and not much else.  Most everything else is authorization related.

 There are ways of implementing authorization in freeradius, but do those simply overwrite the authentication decision?

  I have no idea what you mean by that.

 DIAMETER provides such authorization messages from my understanding but the RADIUS protocol does not talk about any; is this correct?

  Diameter is useless.  It's a wonderful theoretical design 

Re: Configure warnings ... why ?

2007-09-03 Thread Pretty Woman
I don't want it to work with mysql but with MSSQL and I
installed, libiodbc-devel-3.52.2-1.i386.rpm and still
get that warning about iodbc...

Please tell me the absolute minimum packets that I
need to run Freeradius with a database.

Thanks

--- [EMAIL PROTECTED] wrote:

 hi,
 
 if the configure stage is giving you WARNINGs
 regarding
 the options you want/need to use, then that suggests
 that you don't have the packages you need to have
 installed.
 this is a 'development'/'compilation' issue - which
 means 
 that you need to have the include headers, libraries
 etc of the packages you want - not just the
 runtime/binary
 parts - usually on Fedora-type systems you need to
 install
 the -devel part of the package...
 
 eg User 1 wants mysql support.  install mysql-devel
 eg User 2 wants snmp support - install
 net-snmp-devel etc
 
 alan
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 



   

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


nas / usergroup?

2007-09-03 Thread Genis Pujol Hamelink
Hello,
 
I've been browsing the wiki looking for information on how to set up different 
domains or authentication groups, but couldn't find how to link a nas to a 
usergroup (is community in the nas table equivalent to GroupName?)...
 
What I want is to define several groups so that only users in a group can 
authenticate through a nas from that group.
 
 
regards,
 
Genís  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: nas / usergroup?

2007-09-03 Thread tnt
Use huntgroups to group access servers. Then use Huntgroup-Name in
radgroupcheck to restrict access.

Ivan Kalik
Kalik Informatika ISP


On 3/9/2007, Genis Pujol Hamelink [EMAIL PROTECTED] wrote:

Hello,
 
I've been browsing the wiki looking for information on how to set up different 
domains or authentication groups, but couldn't find how to link a nas to a 
usergroup (is community in the nas table equivalent to GroupName?)...
 
What I want is to define several groups so that only users in a group can 
authenticate through a nas from that group.
 
 
regards,
 
Genís  





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
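To put Artur's group A / group B scenario and Ivan's huntgroup answer side by side, here is an added Python model of that decision; it is not FreeRADIUS code, and the user names, NAS addresses, groups and limits in it are constructed. In the real server the Huntgroup-Name restriction goes into radgroupcheck as Ivan says, and the time window and quota would be further check items; the script only shows the order in which the conditions are evaluated and what ends up in the Access-Accept.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed huntgroups file in the FreeRADIUS 'huntgroups' syntax:
#   <Huntgroup-Name>   NAS-IP-Address == <address>
# Two lecture-hall access points form "campus-wifi", one AP is "cafeteria".
HUNTGROUPS_TEXT = """
# lecture-hall access points
campus-wifi    NAS-IP-Address == 192.0.2.10
campus-wifi    NAS-IP-Address == 192.0.2.11
# the access point in the cafeteria
cafeteria      NAS-IP-Address == 192.0.2.20
"""


def parse_huntgroups(text):
    """Return {nas_ip: huntgroup_name} from lines of the form
    '<name> NAS-IP-Address == <ip>'; comments and blank lines are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, attr, op, value = line.split()
        if attr != "NAS-IP-Address" or op != "==":
            raise ValueError(f"unsupported huntgroups line: {raw!r}")
        mapping[value] = name
    return mapping


@dataclass(frozen=True)
class GroupPolicy:
    huntgroups: frozenset            # huntgroups this user group may log in through
    hours: Optional[tuple] = None    # (start, end) local-time window, None = any time
    quota_mb: Optional[int] = None   # transfer limit in MB, None = unlimited


# Constructed stand-ins for radusergroup / radgroupcheck rows: group A
# (students) is confined to the campus-wifi huntgroup, to 08:00-18:00 and to a
# 500 MB quota; group B (staff) may use every huntgroup without limits.
USER_GROUPS = {"alice": "students", "bob": "staff"}
POLICIES = {
    "students": GroupPolicy(frozenset({"campus-wifi"}), (time(8, 0), time(18, 0)), 500),
    "staff": GroupPolicy(frozenset({"campus-wifi", "cafeteria"})),
}


def at(hour, minute=0):
    """Constructed request time on the day of this thread (3 Sep 2007)."""
    return datetime(2007, 9, 3, hour, minute)


def authorize(user, nas_ip, now, used_mb, huntgroups=None):
    """Decide an Access-Request in the order the thread describes: identify
    (user -> group), check the NAS through its huntgroup, then the time window
    and the quota.  Returns ('reject', reason) or ('accept', reply_items),
    where reply_items is what the Access-Accept would carry: here a
    Session-Timeout that ends the session when the allowed window closes."""
    if huntgroups is None:
        huntgroups = parse_huntgroups(HUNTGROUPS_TEXT)
    group = USER_GROUPS.get(user)
    if group is None:
        return "reject", "unknown user"
    policy = POLICIES[group]
    hg = huntgroups.get(nas_ip)
    if hg is None:
        return "reject", f"NAS {nas_ip} belongs to no huntgroup"
    if hg not in policy.huntgroups:
        return "reject", f"group {group} may not use huntgroup {hg}"
    reply = {}
    if policy.hours is not None:
        start, end = policy.hours
        if not start <= now.time() < end:
            return "reject", f"outside the allowed hours of group {group}"
        window_end = datetime.combine(now.date(), end)
        reply["Session-Timeout"] = int((window_end - now).total_seconds())
    if policy.quota_mb is not None and used_mb >= policy.quota_mb:
        return "reject", f"{user} has used up the {policy.quota_mb} MB quota"
    return "accept", reply


if __name__ == "__main__":
    # alice at 10:00 on a lecture-hall AP: accepted with an 8-hour Session-Timeout
    print(authorize("alice", "192.0.2.10", at(10), 120))
    # alice on the cafeteria AP during course hours: rejected by the huntgroup check
    print(authorize("alice", "192.0.2.20", at(10), 120))
```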


Re: Configure warnings ... why ?

2007-09-03 Thread Peter Nixon
iodbc is not required for mysql support... As you have already been told you 
need mysql-devel. If you are not familiar with building software, I suggest 
you use one of the available freeradius rpm packages

Regards

Peter

On Mon 03 Sep 2007, Pretty Woman wrote:
 I don't want it to work with mysql but with MSSQL and I
 installed, libiodbc-devel-3.52.2-1.i386.rpm and still
 get that warning about iodbc...

 Please tell me the absolute minimum packets that I
 need to run Freeradius with a database.

 Thanks

 --- [EMAIL PROTECTED] wrote:
  hi,
 
  if the configure stage is giving you WARNINGs
  regarding
  the options you want/need to use, then that suggests
  that you don't have the packages you need to have
  installed.
  this is a 'development'/'compilation' issue - which
  means
  that you need to have the include headers, libraries
  etc of the packages you want - not just the
  runtime/binary
  parts - usually on Fedora-type systems you need to
  install
  the -devel part of the package...
 
  eg User 1 wants mysql support.  install mysql-devel
  eg User 2 wants snmp support - install
  net-snmp-devel etc
 
  alan
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



-- 

Peter Nixon
http://peternixon.net/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Configure warnings ... why ?

2007-09-03 Thread Plaggenmarsch, Erik
Or if you definitely don't want the error about iodbc and you don't need
iodbc, just run configure with option --without-rlm_sql_iodbc
This will tell configure to skip the iodbc module.

Regards,

Erik

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Peter Nixon
Sent: Monday, September 03, 2007 3:38 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Configure warnings ... why ?

iodbc is not required for mysql support... As you have already been told
you 
need mysql-devel. If you are not familiar with building software, I
suggest 
you use one of the available freeradius rpm packages

Regards

Peter

On Mon 03 Sep 2007, Pretty Woman wrote:
 I don't want it to work with mysql but with MSSQL and I
 installed, libiodbc-devel-3.52.2-1.i386.rpm and still
 get that warning about iodbc...

 Please tell me the absolute minimum packets that I
 need to run Freeradius with a database.

 Thanks

 --- [EMAIL PROTECTED] wrote:
  hi,
 
  if the configure stage is giving you WARNINGs
  regarding
  the options you want/need to use, then that suggests
  that you don't have the packages you need to have
  installed.
  this is a 'development'/'compilation' issue - which
  means
  that you need to have the include headers, libraries
  etc of the packages you want - not just the
  runtime/binary
  parts - usually on Fedora-type systems you need to
  install
  the -devel part of the package...
 
  eg User 1 wants mysql support.  install mysql-devel
  eg User 2 wants snmp support - install
  net-snmp-devel etc
 
  alan
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html



 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



-- 

Peter Nixon
http://peternixon.net/
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


Question about book

2007-09-03 Thread Marinko Tarlac

Hello. I'm new here...

What (free)radius book do you recommend? I found AAA (by Madjid 
Nakhjiri) and Radius (O'Reilly) but they are not as good as I thought.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configure warnings ... why ?

2007-09-03 Thread Phil Mayers
 Here are the warnings:
 
 [EMAIL PROTECTED] freeradius-1.1.7]# ./configure | grep WARN

Good lord... why do people insist on stripping out the data.

 configure: WARNING: snmpget not found -
 Simultaneous-Use and checkrad.pl may not work
 configure: WARNING: snmpwalk not found -
 Simultaneous-Use and checkrad.pl may not work
 config.status: WARNING:  ./Make.inc.in seems to ignore
 the --datarootdir setting
 config.status: WARNING: 
 ./src/include/build-radpaths-h.in seems to ignore the
 --datarootdir setting
 configure: WARNING: the comm_err library isn't found!
 configure: WARNING: silently not building rlm_krb5.
 configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.
 configure: WARNING: iodbc headers not found.  Use
 --with-iodbc-include-dir=path.

That simply could not be clearer. What don't you understand about that?



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problems using freeradius with ldap

2007-09-03 Thread Sergio Belkin
I have a problem in Fedora 4 (sadly, in my job I cannot change this) using 
radtest against LDAP

Packages version: 
openldap-servers-2.2.29-1.FC4
openldap-clients-2.2.29-1.FC4
openldap-2.2.29-1.FC4
freeradius-1.0.4-1.FC4.1

This is part of /etc/raddb/radiusd.conf:

ldap {
        server = localhost
        basedn = ou=people,dc=mydomain,dc=com
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        # The start of this line was lost in the archive (its '&' characters
        # were stripped); it is restored here to the stock 1.x default value.
        groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

authorize {
        chap
        mschap
        suffix
        eap
        files
        ldap
        checkval
}

And this a portion of /etc/raddb/users:
DEFAULT  Auth-Type = System
   Fall-Through = 1
DEFAULT  Auth-Type = LDAP
   Fall-Through = 1


I've appended the schemas in /etc/openldap/slapd.conf:
/usr/share/doc/freeradius-1.0.4/RADIUS-LDAPv3.schema
/usr/share/doc/freeradius-1.0.4/RADIUS-LDAP.schema

Well, when I issue radtest in debug mode I get:
radtest testuser sample  localhost  0  testing123
Sending Access-Request of id 88 to 127.0.0.1:1812
        User-Name = testuser
        User-Password = sample
        NAS-IP-Address = host.mydomain.com
        NAS-Port = 0
rad_recv: Access-Request packet from host 127.0.0.1:42077, id=88, length=58
        User-Name = testuser
        User-Password = sample
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module mschap returns noop for request 2
    rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 2
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module files returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(uid=testuser)'
radius_xlat:  'ou=people,dc=mydomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=mydomain,dc=com, with filter 
(uid=testuser)
rlm_ldap: Added password sample in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  modcall[authenticate]: module unix returns notfound for request 2
modcall: group authenticate returns notfound for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 88 to 127.0.0.1:42077
Waking up in 4 seconds...
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=88, length=20
17:20:33 [EMAIL PROTECTED] /etc/raddb
$ --- Walking the entire request list ---
Cleaning up request 2 ID 88 with timestamp 46dc6c8f
Nothing to do.  Sleeping until we see a request.


Please could you lend me a hand to resolve this issue?
Thanks in advance!
-- 
Sergio Belkin
Comunicación e Internet

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems using freeradius with ldap

2007-09-03 Thread tnt
You are picking up Auth-Type System from the users file. Comment it out.

Ivan Kalik
Kalik Informatika ISP


On 3/9/2007, Sergio Belkin [EMAIL PROTECTED] wrote:

I have a problem in Fedora 4 (sadly, in my job I cannot change this) using 
radtest against LDAP

Packages version: 
openldap-servers-2.2.29-1.FC4
openldap-clients-2.2.29-1.FC4
openldap-2.2.29-1.FC4
freeradius-1.0.4-1.FC4.1

This  is part of /etc/raddb/radiusd.conf:

ldap {
        server = localhost
        basedn = ou=people,dc=mydomain,dc=com
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        # The start of this line was lost in the archive (its '&' characters
        # were stripped); it is restored here to the stock 1.x default value.
        groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

authorize {
        chap
        mschap
        suffix
        eap
        files
        ldap
        checkval
}

And this a portion of /etc/raddb/users:
DEFAULT  Auth-Type = System
   Fall-Through = 1
DEFAULT  Auth-Type = LDAP
   Fall-Through = 1


I've appended the schemas in /etc/openldap/slapd.conf:
/usr/share/doc/freeradius-1.0.4/RADIUS-LDAPv3.schema
/usr/share/doc/freeradius-1.0.4/RADIUS-LDAP.schema

Well, when I issue radtest in debug mode I get:
radtest testuser sample  localhost  0  testing123
Sending Access-Request of id 88 to 127.0.0.1:1812
User-Name = testuser
User-Password = sample
NAS-IP-Address = host.mydomain.com
NAS-Port = 0
rad_recv: Access-Request packet from host 127.0.0.1:42077, id=88, length=58
User-Name = testuser
User-Password = sample
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module mschap returns noop for request 2
rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 2
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 155
  modcall[authorize]: module files returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(uid=testuser)'
radius_xlat:  'ou=people,dc=mydomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=mydomain,dc=com, with filter 
(uid=testuser)
rlm_ldap: Added password sample in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  modcall[authenticate]: module unix returns notfound for request 2
modcall: group authenticate returns notfound for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 88 to 127.0.0.1:42077
Waking up in 4 seconds...
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=88, length=20
17:20:33 [EMAIL PROTECTED] /etc/raddb
$ --- Walking the entire request list ---
Cleaning up request 2 ID 88 with timestamp 46dc6c8f
Nothing to do.  Sleeping until we see a request.


Please could you lend me a hand to resolve this issue?
Thanks in advance!
-- 
Sergio Belkin
Comunicación e Internet

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
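An added Python model (not FreeRADIUS code) of why the debug output above ends up with "Found Auth-Type System" even though rlm_ldap also runs: it walks the two DEFAULT entries the way the users file is read, merging Auth-Type only when it is not already set, and shows the result once the first entry is commented out as Ivan suggests. The matching rules are simplified to what these entries need.

```python
# Constructed copy of the two DEFAULT entries from the users file above.
USERS_TEXT = """\
DEFAULT  Auth-Type = System
         Fall-Through = 1
DEFAULT  Auth-Type = LDAP
         Fall-Through = 1
"""

# The same file with the first entry commented out, as Ivan suggests.
FIXED_USERS_TEXT = """\
#DEFAULT  Auth-Type = System
#         Fall-Through = 1
DEFAULT  Auth-Type = LDAP
         Fall-Through = 1
"""

# Server-side ("control") attributes: they are never compared against the
# request, they steer how the server processes it.
CONTROL_ATTRS = {"Auth-Type", "Fall-Through"}


def parse_items(text):
    """Split 'Attr op Value, Attr op Value' into (attr, op, value) tuples."""
    items = []
    for part in text.split(","):
        part = part.strip()
        if part:
            attr, op, value = part.split(None, 2)
            items.append((attr, op, value))
    return items


def parse_users(text):
    """Parse users-file entries into (name, check_items, reply_items).
    A line starting in column 0 opens an entry ('<name> <check items>');
    the indented lines that follow hold its reply items."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():
            entries[-1][2].extend(parse_items(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append((name, parse_items(rest), []))
    return entries


def authorize(entries, request):
    """Walk the entries the way rlm_files does (simplified): an entry matches
    when its name is DEFAULT or equals the User-Name and its ordinary check
    items equal the request.  Control items of a matching entry are merged
    with '=' meaning 'add only if not already set' and ':=' meaning
    'overwrite'.  The walk stops after the first match unless that entry's
    reply items set Fall-Through.  Returns (control_items, reply_items)."""
    control, reply = {}, {}
    for name, check, reply_items in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        ordinary = [(a, v) for a, op, v in check if a not in CONTROL_ATTRS]
        if any(request.get(a) != v for a, v in ordinary):
            continue
        for attr, op, value in check:
            if attr in CONTROL_ATTRS and not (op == "=" and attr in control):
                control[attr] = value
        fall_through = False
        for attr, op, value in reply_items:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("1", "yes")
            elif not (op == "=" and attr in reply):
                reply[attr] = value
        if not fall_through:
            break
    return control, reply


if __name__ == "__main__":
    request = {"User-Name": "testuser", "User-Password": "sample"}
    # First entry wins: the second DEFAULT's 'Auth-Type = LDAP' is not applied
    # because '=' does not override an Auth-Type that is already set.
    print(authorize(parse_users(USERS_TEXT), request))
    # With the System entry commented out, Auth-Type LDAP is what remains.
    print(authorize(parse_users(FIXED_USERS_TEXT), request))
```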


What do I have to modify to get the X-Ascend-Session-Svr-Key value?

2007-09-03 Thread Jaume
Hello!

I'm running FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu under
Fedora Core 6 and I'm trying to save the X-Ascend-Session-Svr-Key to a DB to
later create a Disconnect Message with a PHP script.

I've modified the sql.conf and the tables of the Mysql but
X-Ascend-Session-Svr-Key is always blank :

accounting_start_query = INSERT into ACCOUNTING SET\
`User-Name` = '%{User-Name}',\
`Calling-Station-Id` = '%{Calling-Station-Id}',\
`Called-Station-Id` = '%{Called-Station-Id}',\
`NAS-IP-Address` = '%{NAS-IP-Address}',\
`NAS-Port` = '%{NAS-Port}',\
`Timestamp Start` = NOW(),\
`Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}',\
  `X-Ascend-Session-Svr-Key` = '%{X-Ascend-Session-Svr-Key}'

What do I have to modify to get the X-Ascend-Session-Svr-Key value?
Thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Problem with rlm_password to authenticate user against passwd like file

2007-09-03 Thread Valery V. Bobrov

Hello!

I've got passwd file
format is (username:password_in_md5: the rest of the fields are not necessary)

test2:$1$kjhFHrsb$pS2AZBTcE3m3HNguFhgVs/:0:0::0:0:/none:/none:/none

crypto format: md5

I read FAQ:

Can I use rlm_password to authenticate user against BLA-BLA-BLApasswd?
A: Probably you can, if BLA-BLA-BLA stores password in some format supported
  by RADIUS, for example cleartext, NT/LM hashes, crypt, Netscape MD5 
format.

  You have to set authtype to corresponding type, for example
   authtype = NS-MTA-MD5
  for Netscape MD5.


in radiusd.conf there is a passwd module(see below)

My question is: what format = line should I use in the file in order to use my 
passwd file above?

Should I write something in the authenticate { section?

I need all users to authenticate via my passwd file.
What should I do for that?

Thank you in advance.

Yours faithfully,
Valery
e-mail [EMAIL PROTECTED]




# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these modules
#
# parameters are:
#   filename - path to filename
#   format - format for filename record. This parameter
#            correlates record in the passwd file and RADIUS
#            attributes.
#
#            Field marked as '*' is key field. That is, the parameter
#            with this name from the request is used to search for
#            the record from passwd file
#            Attribute marked as '=' is added to reply_items instead
#            of default configure_items
#            Attribute marked as '~' is added to request_items
#
#            Field marked as ',' may contain a comma separated list
#            of attributes.
#   authtype - if record found this Auth-Type is used to authenticate
#            user
#   hashsize - hashtable size. If 0 or not specified records are not
#            stored in memory and file is read on every request.
#   allowmultiplekeys - if few records for every key are allowed
#   ignorenislike - ignore NIS-related records
#   delimiter - symbol to use as a field separator in passwd file,
#            for format ':' symbol is always used. '\0', '\n' are
#            not allowed
#

#  An example configuration for using /etc/smbpasswd.
#
#passwd etc_smbpasswd {
#	filename = /etc/smbpasswd
#	format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
#	authtype = MS-CHAP
#	hashsize = 100
#	ignorenislike = no
#	allowmultiplekeys = no
#}



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
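An added Python illustration (not rlm_passwd's own code) of how the format string described in the module comments above maps the fields of a passwd-like line onto RADIUS items. The format *User-Name:Crypt-Password used for Valery's MD5-crypt line is this example's assumption rather than an answer given in the thread, and the smbpasswd sample line is constructed.

```python
# The passwd line from the question above, copied verbatim; "the rest" of
# the fields carries no RADIUS attribute.
PASSWD_TEXT = "test2:$1$kjhFHrsb$pS2AZBTcE3m3HNguFhgVs/:0:0::0:0:/none:/none:/none\n"

# Assumed format line for such a file: field 1 is the key ('*'), looked up by
# User-Name; field 2 becomes the Crypt-Password item; unnamed fields are
# ignored.  This format is this example's assumption, not the thread's answer.
CRYPT_FORMAT = "*User-Name:Crypt-Password"

# The smbpasswd format quoted in the module comments, with a constructed
# smbpasswd line (placeholder hashes) as a second case.
SMB_FORMAT = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
SMB_TEXT = "test2:1000:LMHASH_PLACEHOLDER:NTHASH_PLACEHOLDER:[U          ]:LCT-0:\n"


def parse_format(fmt, delimiter=":"):
    """Return one (attribute, flags) pair per field.  flags holds the leading
    markers the module comments describe: '*' key field, '=' reply item,
    '~' request item, ',' comma-separated list.  An empty attribute name
    means the field is ignored."""
    fields = []
    for spec in fmt.split(delimiter):
        flags = set()
        while spec and spec[0] in "*=~,":
            flags.add(spec[0])
            spec = spec[1:]
        fields.append((spec, flags))
    return fields


def lookup(records, fmt, key_value, delimiter=":"):
    """Find the record whose key field equals key_value and return the items
    it yields as (config_items, reply_items, request_items), the three lists
    the module comments name.  Returns None when no record matches.  Fields
    past the end of the format are ignored; empty fields are skipped here
    (a simplification of this example)."""
    fields = parse_format(fmt, delimiter)
    key_index = next(i for i, (_, flags) in enumerate(fields) if "*" in flags)
    for raw in records.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        cols = raw.split(delimiter)
        if len(cols) <= key_index or cols[key_index] != key_value:
            continue
        config, reply, request = {}, {}, {}
        for (attr, flags), value in zip(fields, cols):
            if not attr or "*" in flags or value == "":
                continue
            target = reply if "=" in flags else request if "~" in flags else config
            target[attr] = value.split(",") if "," in flags else value
        return config, reply, request
    return None


if __name__ == "__main__":
    # test2's MD5-crypt hash becomes the Crypt-Password check item
    print(lookup(PASSWD_TEXT, CRYPT_FORMAT, "test2"))
    # the smbpasswd format yields LM/NT hashes and the account-control text
    print(lookup(SMB_TEXT, SMB_FORMAT, "test2"))
```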


Re: Problems using freeradius with ldap

2007-09-03 Thread Alan DeKok
Sergio Belkin wrote:
 I have problem when in Fedora 4 (sadly in my job I cannot change this) using 
 radtest against LDAP
...
 freeradius-1.0.4-1.FC4.1

  I am STRONGLY inclined to tell people using 3-year old versions of the
server that they can get support from the FC project, not from us.

  And that version has a number of problems.  See
http://freeradius.org/security.html

  Despite using FC4, you *can* upgrade FreeRADIUS to a sane version by
installing the tar file by hand.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: What do I have to modify to get the X-Ascend-Session-Svr-Key value?

2007-09-03 Thread Alan DeKok
Jaume wrote:
 I'm running FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu
 under Fedora Core 6

  sigh

 and I'm trying to save the X-Ascend-Session-Svr-Key
 to a DB to later create a Disconnect Message with a PHP script.

  Is the attribute in the accounting packet?  If not, how does the
server log something that doesn't exist?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html