Radius MAC filtering with EAP-PEAP
I want to set up two WIFI networks: MAC filter with EAP-PEAP, and MAC filter with WEP. How can I use Radius MAC filtering and EAP-PEAP simultaneously in one network? Could you please suggest how I can check the MAC filter (via Radius) and after that do EAP-PEAP authorization?

Thank you,
Alexey

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Radius MAC filtering with EAP-PEAP
Hi!

Could you please assist me in finding my fault. I have a test user with a laptop. I want to restrict access for this laptop. In the users file I added a wrong MAC address (00-18-de-4e-8f-11) but the laptop can still connect with testuser/12345 credentials. :(

Here is my AP request:

    rad_recv: Access-Request packet from host 10.10.10.139:6001, id=65, length=195
        User-Name = testuser
        NAS-IP-Address = 89.10.10.139
        Called-Station-Id = 00-20-a6-64-66-a3:A
        Calling-Station-Id = 00-18-de-4e-8f-1d
        NAS-Identifier = ORiNOCO-AP-700-64-66-a3
        State = 0x47e0330ad155ef064a62de62873e8690
        Framed-MTU = 1400
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020900261900170301001b139845f4c8e9bcb46

Debug log:

    rlm_checkval: Item Name: Calling-Station-Id, Value: 00-18-de-4e-8f-1d
    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    modcall[authorize]: module checkval returns notfound for request 8

Here is my users file:

    testuser User-Password == 12345
        Calling-Station-Id = 00-18-de-4e-8f-11

Here is my checkval config:

    checkval {
        # The attribute to look for in the request
        item-name = Calling-Station-Id

        # The attribute to look for in check items. Can be multi valued
        check-name = Calling-Station-Id

        # The data type. Can be
        # string,integer,ipaddr,date,abinary,octets
        data-type = string

        # If set to yes and we dont find the item-name attribute in the
        # request then we send back a reject
        # DEFAULT is no
        notfound-reject = yes
    }

Era

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Wednesday, February 27, 2008 12:33 PM
To: FreeRadius users mailing list
Subject: Re: Radius MAC filtering with EAP-PEAP

>> Could you please suggest how I can check the MAC filter (via Radius) and after that do EAP-PEAP authorization?
>
> Read your NAS documentation.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Radius MAC filtering with EAP-PEAP
> Could you please suggest how I can check the MAC filter (via Radius) and after that do EAP-PEAP authorization?

Read your NAS documentation.

Ivan Kalik
Kalik Informatika ISP
header enrichment
Hi all, I would like to know if freeradius can help to enrich the user header for those mobile services that need some particular params such as connection type (3g, gprs...). Does somebody have experience in this?

Thanks
Re: header enrichment
mauro wrote:
> Hi all, I would like to know if freeradius can help to enrich the user header for those mobile services that need some particular params such as connection type (3g, gprs...).

What does that mean? I'm not a 3g expert. Maybe the 3g equipment you're using can use RADIUS attributes. If so, see its documentation for what RADIUS attributes it uses.

Alan DeKok.
Re: Radius MAC filtering with EAP-PEAP
Era wrote:
> Could you please assist me in finding my fault. I have a test user with a laptop. I want to restrict access for this laptop. In the users file I added a wrong MAC address (00-18-de-4e-8f-11) but the laptop can still connect with testuser/12345 credentials.

Did you read the documentation for the users file?

> Here is my users file:
>
>     testuser User-Password == 12345
>         Calling-Station-Id = 00-18-de-4e-8f-11

What do you think this entry does?

> Here is my checkval config:

I don't think you need to use the checkval module. In 2.0, you can just write the logic you want in unlang.

Alan DeKok.
Re: Help with IP Pools and multiple ranges with same pool name
Dave wrote:
> I can't seem to find the relative documentation or examples, but I want to have an IP pool pool2 with multiple range-start and range-stop IP ranges in it, but I'm not sure how to put together the config for it.

You configure multiple instances of the pool module, one for each start/stop range. You will also need to have per-pool session DBs and IP index DBs.

Alan DeKok.
Re: VMPS support
Phil Mayers wrote:
> The value of VQP-Error-Code may make a difference; the code in OpenVMPS seems to work like this:

Do you have some sample unlang config we can add to the server examples?

>> What's the easiest way to get the MAC address out of these?
>
> I used this in the end:
>
>     # the mac address can be in several places...
>     if (%{VMPS-Ethernet-Frame} =~ /0x(..)(..)(..)(..)(..)(..).*/) {
>         update request {
>             MyMac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
>         }
>     }

Wow... I guess that works, but wow. It's been a while since I used regular expressions to parse raw packets.

Also, in 2.0.1, you don't need %{..} for VMPS-Ethernet-Frame. You can just put the bare name before the =~ operator.

Alan DeKok.
Re: freeRADIUS+samba3.0.1+AD(multiple domains)
Hangjun He wrote:
> But there are multiple domains in active-directory. How to configure freeRADIUS or samba so it can support multiple domains?

FreeRADIUS just used Samba to do authentication with AD. The winbind ntlm_auth API used in Samba cannot authenticate to multiple domains.

People have done this by writing wrapper scripts to start/stop the Samba processes for each authentication request, but that's a very bad hack.

Alan DeKok.
Re: Help with IP Pools and multiple ranges with same pool name
Dave wrote:
> I can't seem to find the relative documentation or examples, but I want to have an IP pool pool2 with multiple range-start and range-stop IP ranges in it, but I'm not sure how to put together the config for it.

Can't be done. You'd need to use sqlippool for that.

> Something like this?
>
>     ippool pool2 {
>         range-start = 208.64.35.2
>         range-start = 208.5.60.100
>         range-stop = 208.64.35.254
>         range-stop = 208.5.60.200
>         netmask = 255.255.255.255
>         cache-size = 253
>         session-db = ${raddbdir}/db.ippool
>         ip-index = ${raddbdir}/db.ipindex
>         override = no
>         maximum-timeout = 0
>     }
Re: header enrichment
On 27/02/2008, Alan DeKok [EMAIL PROTECTED] wrote:
> mauro wrote:
>> Hi all, I would like to know if freeradius can help to enrich the user header for those mobile services that need some particular params such as connection type (3g, gprs...).
>
> What does that mean? I'm not a 3g expert. Maybe the 3g equipment you're using can use RADIUS attributes. If so, see its documentation for what RADIUS attributes it uses.

Alan is right. I would imagine that you'd need to use the 3GPP or 3GPP2 RADIUS dictionary to respond with attributes that could be used by the client to perform the header enrichment. As long as the information can be presented as a regular RADIUS attribute or VSA, then you can use FreeRADIUS to provide that information to the client (the device performing the header enrichment function).

Rgds,
Guy
RE: Radius MAC filtering with EAP-PEAP
> Era wrote:
>> Could you please assist me in finding my fault. I have a test user with a laptop. I want to restrict access for this laptop. In the users file I added a wrong MAC address (00-18-de-4e-8f-11) but the laptop can still connect with testuser/12345 credentials.
>
> Did you read the documentation for the users file?

[Era]: Yes I did. But no result.

>> Here is my users file:
>>
>>     testuser User-Password == 12345
>>         Calling-Station-Id = 00-18-de-4e-8f-11
>
> What do you think this entry does?

[Era:] I thought that this entry maps the user to the MAC hardware address.

>> Here is my checkval config:
>
> I don't think you need to use the checkval module.

[Era:] I'm using 1.1.7 on Debian. Please don't judge me hard. I didn't find any howto or manual about the MAC filtering feature in the freeradius docs. I found a howto about eap-peap and set it up through ldap. Because of that I ask these stupid questions. Where can I find this howto?

> In 2.0, you can just write the logic you want in unlang.
>
> Alan DeKok.
RE: freeRADIUS+samba3.0.1+AD(multiple domains)
>> But there are multiple domains in active-directory. How to configure freeRADIUS or samba so it can support multiple domains?
>
> FreeRADIUS just used Samba to do authentication with AD. The winbind ntlm_auth API used in Samba cannot authenticate to multiple domains.

That's not entirely true, you can (and I do) get samba to auth to multiple domains. The domains either need to be in the same forest, and/or have full trusts back and forth. (I also found that adding them each to your kerberos config helps.) Basically you join to one of them and you should be able to enumerate all the users from both through winbind or getent...

Joe
Re: VMPS support
Alan DeKok wrote:
> Phil Mayers wrote:
>> The value of VQP-Error-Code may make a difference; the code in OpenVMPS seems to work like this:
>
> Do you have some sample unlang config we can add to the server examples?

We're currently using something almost identical to this (minor edits to remove site-specific vlan assignment policy with a switch/case):

    modules {
        $INCLUDE postgresql.conf

        exec logger {
            wait = no
            input_pairs = request
            shell_escape = yes
            output = none
            program = "/usr/bin/logger -t vmpsd -- ALLOW: %{MyMac} - %{reply:VMPS-VLAN-Name}, switch %{VMPS-Client-IP-Address} port %{VMPS-Port-Name}"
        }
    }

    server {
        listen {
            ...
            type = vmps
        }

        vmps {
            # the mac address can be in several places...
            if (%{VMPS-Ethernet-Frame} =~ /0x(..)(..)(..)(..)(..)(..).*/) {
                update request {
                    MyMac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
                }
            }
            else {
                update request {
                    MyMac = "%{%{VMPS-Cookie}:-%{VMPS-MAC}}"
                }
            }

            # required VMPS reply attributes
            update reply {
                VMPS-Packet-Type = VMPS-Join-Response
                VMPS-Cookie = "%{MyMac}"
            }

            # lookup the zone in sql
            update reply {
                VMPS-VLAN-Name = "%{sql:select ... where mac='%{MyMac}'}"
            }

            # an instance of the exec module logging to a similar format
            # that openvmps used, for ease of operator transition :o)
            logger
        }
    }

>>> What's the easiest way to get the MAC address out of these?
>>
>> I used this in the end:
>>
>>     # the mac address can be in several places...
>>     if (%{VMPS-Ethernet-Frame} =~ /0x(..)(..)(..)(..)(..)(..).*/) {
>>         update request {
>>             MyMac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
>>         }
>>     }
>
> Wow... I guess that works, but wow. It's been a while since I used regular expressions to parse raw packets.

Yeah. It's pretty disgusting :o)

I originally tried:

    /..(..).*/

...but of course the octets AVP is rendered to the hex 0xNN.. format prior to the regexp match being applied.

> Also, in 2.0.1, you don't need %{..} for VMPS-Ethernet-Frame. You can just put the bare name before the =~ operator.

Yeah, I am waiting for a change approval to update the software (sigh).
Re: Radius MAC filtering with EAP-PEAP
On Wed, Feb 27, 2008 at 1:19 PM, Era [EMAIL PROTECTED] wrote:
>> Era wrote:
>>> Could you please assist me in finding my fault. I have a test user with a laptop. I want to restrict access for this laptop. In the users file I added a wrong MAC address (00-18-de-4e-8f-11) but the laptop can still connect with testuser/12345 credentials.
>>
>> Did you read the documentation for the users file?
>
> [Era]: Yes I did. But no result.
>
>>> Here is my users file:
>>>
>>>     testuser User-Password == 12345
>>>         Calling-Station-Id = 00-18-de-4e-8f-11
>>
>> What do you think this entry does?
>
> [Era:] I thought that this entry maps the user to the MAC hardware address.

No, that line means that the user tester/12345 will be granted access and freeradius will send a Calling-Station-Id attribute reply to the NAS in return, which is not what you wanted...

I hope this makes more sense.

Regards,
Liran Tal.
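As an added illustration (not FreeRADIUS code, and not from anyone in this thread), the following Python models how the users file splits an entry into check items on the first line and reply items on the indented continuation lines, then runs Era's entry and a corrected one against the Access-Request quoted earlier in the thread. It is a simplified model of the operators (first matching entry wins, no Fall-Through), not a reimplementation of rlm_files.

```python
"""Simplified model of the FreeRADIUS 'users' file: the first line of an entry
holds the name and comma-separated check items, indented continuation lines hold
reply items. Added illustration only, not FreeRADIUS code."""
import re

# Constructed request, using the attributes from the Access-Request in the thread.
REQUEST = {
    "User-Name": "testuser",
    "User-Password": "12345",
    "Calling-Station-Id": "00-18-de-4e-8f-1d",
}

# Entry as posted: Calling-Station-Id is on the continuation line, so it is a
# reply item that is sent back to the NAS, never a condition on the request.
USERS_AS_POSTED = """\
testuser User-Password == 12345
\tCalling-Station-Id = 00-18-de-4e-8f-11
"""

# Same entry with Calling-Station-Id moved to the check line as a comparison.
USERS_CORRECTED = """\
testuser User-Password == 12345, Calling-Station-Id == 00-18-de-4e-8f-11
"""

# attribute, operator, value; values may be bare words or double-quoted strings
PAIR_RE = re.compile(r'\s*([\w-]+)\s*(==|!=|:=|=)\s*"?([^",]*?)"?\s*(?:,|$)')


def parse_pairs(text):
    """Split 'A == x, B = y' into (attribute, operator, value) tuples."""
    return [m.groups() for m in PAIR_RE.finditer(text)]


def parse_users(text):
    """Return a list of {'name', 'check', 'reply'} entries in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            # indented: continuation line of the previous entry -> reply items
            entries[-1]["reply"].extend(parse_pairs(line))
        else:
            # unindented: new entry -> name followed by check items
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append({"name": parts[0], "check": parse_pairs(rest), "reply": []})
    return entries


def check_items_match(check, request):
    """True when every comparison in the check items holds for the request.
    ':=' in check items is an assignment, not a comparison, so it is skipped."""
    for attr, op, value in check:
        present = request.get(attr)
        if op == "==" and present != value:
            return False
        if op == "!=" and present == value:
            return False
    return True


def authorize(users_text, request):
    """First matching entry wins (no Fall-Through in this model).
    Returns ('Accept', reply_items) or ('Reject', {})."""
    for entry in parse_users(users_text):
        if entry["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        if not check_items_match(entry["check"], request):
            continue
        reply = {}
        for attr, op, value in entry["reply"]:
            if op == "=" and attr in reply:   # '=' adds only if not already set
                continue
            reply[attr] = value               # ':=' always overwrites
        return "Accept", reply
    return "Reject", {}


if __name__ == "__main__":
    print("as posted:", authorize(USERS_AS_POSTED, REQUEST))
    print("corrected:", authorize(USERS_CORRECTED, REQUEST))
```

Calling-Station-Id is whatever the NAS reports for the client, so even the corrected entry adds a filter on top of the EAP credentials rather than replacing them.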
Re: VMPS support
Phil Mayers wrote:
> We're currently using something almost identical to this (minor edits to remove site-specific vlan assignment policy with a switch/case):

Nice. I've added it to raddb/sites-available/vmps, with some edits.

>     modules {
>         $INCLUDE postgresql.conf
>
>         exec logger {
>             ...
>             program = "/usr/bin/logger -t vmpsd -- ALLOW: %{MyMac} - %{reply:VMPS-VLAN-Name}, switch %{VMPS-Client-IP-Address} port %{VMPS-Port-Name}"

Hmm... it shouldn't be too hard to add a syslog module. There's one on bugzilla, but it has issues...

Alan DeKok.
Re: header enrichment
Normally in mobile services there's no specification in the header about connection type. Much sniffing was done but only specific equipment allows enriching the header with this information, for example some particular charging proxy. We need to have this information because from the server side it could be interesting to give the user different services according to the user's connection. Now I asked if freeradius can help us in this.

Regards,
Mauro

----- Original Message -----
From: Guy Davies [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday 27 February 2008, 12:01:21
Subject: Re: header enrichment

> Alan is right. I would imagine that you'd need to use the 3GPP or 3GPP2 RADIUS dictionary to respond with attributes that could be used by the client to perform the header enrichment. As long as the information can be presented as a regular RADIUS attribute or VSA, then you can use FreeRADIUS to provide that information to the client (the device performing the header enrichment function).
>
> Rgds,
> Guy
Re: header enrichment
mauro wrote:
> Normally in mobile services there's no specification in the header about connection type.

Which header? You are assuming that everyone here is familiar with 3g terminology. You were already told we were not.

> Much sniffing was done but only specific equipment allows enriching the header with this information,

Could you describe what you mean in more words? It is meaningless to say "enrich the header". We have no idea what you mean by that.

> for example some particular charging proxy. We need to have this information because from the server side it could be interesting to give the user different services according to the user's connection. Now I asked if freeradius can help us in this.

We know you asked this. We cannot help you if we have no idea what you're talking about. And we said we don't know much about 3g.

Perhaps you could describe what you're talking about using more words. Simply repeating comments about "3g" and "header" and "connection type" is a waste of time.

*Describe* what you're doing, using words OTHER than "enrich the header". If you can't, then I suspect that any answer we give will be incomprehensible.

Alan DeKok.
Consuming card code
I'm using freeradius-1.1.7 on my remote unix machine and developing on my client .net application. By now I have successfully made authorization and start/stop accounting request/responses (packet send/receive logic). With radiusManager3 I generated card series, services... Can I implement user login, consuming of card codes, etc. with only packets (acct), or am I missing some crucial points? I hope that I (user, client) can make a behaviour of communicating with freeradius every 10 sec and consuming 10 sec of the currently selected card code.

Thank you for your time,
Juraj
can't get radtest/radclient to work
I'm having a really stupid problem. I created a dummy user for testing:

    useradd -m testing
    passwd testing    (set password to testing)

Not secure, but who cares - it's just for testing. Left the shared secret as default, tried to login locally with this:

    echo User-Name = testing,password=testing | /usr/bin/radclient localhost:1812 auth testing123

I enabled bad password logging, and get this error in the log:

    Wed Feb 27 15:13:18 2008 : Auth: rlm_unix: [testing]: invalid password
    Wed Feb 27 15:13:18 2008 : Auth: Login incorrect: [testing/testing] (from client localhost port 0)

I also tried this way:

    radtest testing testing 127.0.0.1:1812 0 testing123

and this was the result:

    Sending Access-Request of id 92 to 127.0.0.1 port 1812
        User-Name = testing
        User-Password = testing
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
    Re-sending Access-Request of id 92 to 127.0.0.1 port 1812
        User-Name = testing
        User-Password = testing
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
    rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=92, length=20

All the radius.conf defaults are left the same except the extra bad password logging. I have no idea why that's failing. I know it's something really stupid like the system login fall-through bypass not being high up enough in the config or something. Can anyone jog my memory again?

thanks!
Dan.
Help With Cisco Configuration
I am trying to get a freeradius implementation rolled out for the first time and am running into a few issues that I cannot seem to resolve. I have a Cisco 2960 in a test lab with a Linux server running freeradius 2.0.0 for authentication. There are 2 problems I am running into.

1. I cannot seem to get the radius server to authenticate a user and place them at the privilege exec prompt, even though I have configured the 'users' file to place all users at the privilege exec prompt when logging in by default (I did this just to test; ultimately I would like to create groups with different privilege levels).

2. I cannot seem to get the Cisco 2960 to accept the radius server's authentication response when logging in to the device via a VTY session using SSH. When running the server in debug mode, you can see the request coming in and the server sending the authentication response back to the switch, but the authentication will still fail at the switch. The only authentication I get is at the console level.

Any help would be greatly appreciated. Thank you.

Joe
RE: can't get radtest/radclient to work
Alan, it's the age-old 64bit API problem again. It's on OpenSUSE 10.3 now, using 1.1.6 with 1.1.7 libraries; it looks like the CVS fix seems to work here as well. Any way you can get those changes into the Suse packages?

Dan.

> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: can't get radtest/radclient to work
> Date: Wed, 27 Feb 2008 15:49:37 -0500
>
> I'm having a really stupid problem. I created a dummy user for testing:
>
>     useradd -m testing
>     passwd testing    (set password to testing)
>
> Not secure, but who cares - it's just for testing. Left the shared secret as default, tried to login locally with this:
>
>     echo User-Name = testing,password=testing | /usr/bin/radclient localhost:1812 auth testing123
Force user disconnect on NAS
Question: is it possible from the radius server to force a user to disconnect? If yes, what do I need to do that?

Normal:

    Client -- NAS -- Radius server

I would like to send a request:

    Radius server -- NAS X Client

Thanks for your time
Re: Force user disconnect on NAS
J-P Raymond wrote:
> Question: is it possible from the radius server to force a user to disconnect? If yes, what do I need to do that?
>
> Normal:
>
>     Client -- NAS -- Radius server
>
> I would like to send a request:
>
>     Radius server -- NAS X Client
>
> Thanks for your time

Yes, but your NAS needs to support CoA (Change of Authorisation), and your RADIUS server needs to support it too; currently FR doesn't.

Your best bet is to use the standard 802.1x MIB and force re-authentication using SNMP. Most NAS implement this MIB, just people seem to overlook it...

Regards,
Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: Help With Cisco Configuration
Hi,

> I am trying to get a freeradius implementation rolled out for the first time and am running into a few issues that I cannot seem to resolve. I have a Cisco 2960 in a test lab with a Linux server running freeradius 2.0.0 for authentication. There are 2 problems I am running into.

1) use 2.0.2

2) you didn't supply your cisco IOS config - but there again, this isn't the cisco support mailing list - your problems seem to arise from a lack of the required 802.1x commands in the IOS config - especially the ones relating to authorization

alan
RE: Force user disconnect on NAS
Ok, I'll look at it, thanks, but what about Disconnect message? I pulled this info from my log:

    User-Name = [EMAIL PROTECTED]
    Acct-Status-Type = Start
    Acct-Session-Id = 12345678.90.123
    NAS-Identifier = router
    NAS-IP-Address = 200.10.50.100
    NAS-Port-Type = Virtual
    Framed-IP-Address = 200.10.50.1
    Acct-Delay-Time = 0
    Client-IP-Address = 200.10.50.100
    Acct-Unique-Session-Id = 8d120506b2972302

I put this in packet.txt. I tried:

    cat packet.txt | radclient -x 200.10.50.100:3799 disconnect mysecret

But radclient keeps retrying and it doesn't seem to work! On the web site it mentioned I need a disconnect-enabled NAS? Has someone already tried this?

Thanks

> Date: Wed, 27 Feb 2008 21:31:06 +0000
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Force user disconnect on NAS
> From: [EMAIL PROTECTED]
>
> Yes, but your NAS needs to support CoA (Change of Authorisation), and your RADIUS server needs to support it too; currently FR doesn't.
>
> Your best bet is to use the standard 802.1x MIB and force re-authentication using SNMP. Most NAS implement this MIB, just people seem to overlook it...
>
> Regards,
> Arran
Re: Help With Cisco Configuration
Thanks. I will definitely upgrade to 2.0.2. As far as the Cisco config, it's pretty much the standard aaa authentication commands to enable radius authentication; the most relevant one to this problem, the aaa authorization exec radius if-authenticated command, is definitely there. Nothing else special, as I said just the standard commands to enable radius authentication.

Joe

[EMAIL PROTECTED] wrote on 02/27/2008 05:15 PM:
> Hi,
>
> 1) use 2.0.2
>
> 2) you didn't supply your cisco IOS config - but there again, this isn't the cisco support mailing list - your problems seem to arise from a lack of the required 802.1x commands in the IOS config - especially the ones relating to authorization
>
> alan
RE: NAS-Group? - different replies to different NASes?
Hello Ivan,

I haven't had much luck with setting this up. We use a MySQL DB and in the sql.conf file I don't use the DEFAULT profile section, nor do we use the users file. I've spoken with a few friends and they were able to get this working, but in a flat-file environment (i.e. using the users file and using the DEFAULT you've mentioned below). Is there a way to get this working with SQL without hacking the SQL statements?

I was thinking of modifying the authorization query in sql.conf (authorize_group_check_query) to utilize a Huntgroup-Name attribute in the radgroupcheck table. Not sure if this will even work.

Here is the original query:

    authorize_group_check_query = "SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName, ${groupcheck_table}.Attribute, ${groupcheck_table}.Value, ${groupcheck_table}.op \
      FROM ${groupcheck_table}, ${usergroup_table} \
      WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' \
        AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \
      ORDER BY ${groupcheck_table}.id"

Here is the proposed changed query:

    authorize_group_check_query = "SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName, ${groupcheck_table}.Attribute, ${groupcheck_table}.Value, ${groupcheck_table}.op \
      FROM ${groupcheck_table}, ${usergroup_table} \
      WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' \
        AND ${usergroup_table}.NASGroup = ${groupcheck_table}.NASGroup \
      ORDER BY ${groupcheck_table}.id"

For the above to work I would have to introduce a new column in the usergroup table called NASGroup and also in the radcheckgroup table. This sounds like a lot of work and maybe unnecessary. I'm pretty sure this works with huntgroups and flat files... how can I make it work with SQL? Will my answer be turning up Default Profile under the sql.conf file of the radius server?

Best regards,
Adrian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adrian
Sent: Tuesday, February 26, 2008 5:09 PM
To: 'FreeRadius users mailing list'
Subject: RE: NAS-Group? - different replies to different NASes?

Thanks Ivan, I will give that a try. Thanks for all your help.

Adrian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, February 26, 2008 2:37 PM
To: FreeRadius users mailing list
Subject: RE: NAS-Group? - different replies to different NASes?

> A: I have a set of master tunnel attributes that I always have to send to this Telco, i.e. Service-Type, Tunnel-Type, Tunnel-Preference, Tunnel-Password, Tunnel-Server-Endpoint, etc. The way this Telco obtains these attributes is by sending the Username/Password combination my way (i.e. I need to authenticate [EMAIL PROTECTED]). Once I see that user come through from their boxes (3 static IPs) I have to send back to them the tunnel attributes above. Once the tunnel attributes were sent, they establish an L2TP tunnel to my LNS and my LNS now asks my Radius server again to authenticate the user. So I see the same [EMAIL PROTECTED] requesting to be authenticated. Since I currently cannot distinguish between NASes I am sending the same tunnel attributes to my LNS, which causes my LNS to try to initiate a tunnel back to itself (because the Tunnel-Server-Endpoint attribute is the actual LNS).

This is very strange. That information should be on the telco's radius server, not yours. It should not have to proxy requests to you. They ought to know the tunnel endpoint - *they* gave you the IP to set on your router when they leased you the line.

Simplest thing to do is to create a huntgroup called LAC and place those static IPs there. Then put something like this in your users file:

    DEFAULT Huntgroup-Name == LAC, Auth-Type := Accept
            Reply-Message = "You are one strange telco"

and list other reply attributes that you need to send them.

Ivan Kalik
Kalik Informatika ISP
Re: Force user disconnect on NAS
J-P Raymond wrote:
> Ok I'll look at it, thanks, but what about Disconnect message? I pull this info from my log:
>
>     User-Name = [EMAIL PROTECTED]
>     Acct-Status-Type = Start
>     Acct-Session-Id = 12345678.90.123
>     NAS-Identifier = router
>     NAS-IP-Address = 200.10.50.100
>     NAS-Port-Type = Virtual
>     Framed-IP-Address = 200.10.50.1
>     Acct-Delay-Time = 0
>     Client-IP-Address = 200.10.50.100
>     Acct-Unique-Session-Id = 8d120506b2972302
>
> I put this in packet.txt. I tried:
>
>     cat packet.txt | radclient -x 200.10.50.100:3799 disconnect mysecret
>
> But radclient keeps retrying and it doesn't seem to work! On the web site it mentioned I need a disconnect-enabled NAS? Someone already tried this?

See, when someone gives you the answer to your question and you completely ignore it... *sigh*

Look at http://www.rfc-archive.org/getrfc.php?rfc=3576 (RFC 3576, CoA). It's an extension to the RADIUS protocol. Most NAS don't support it because no RADIUS servers support it.

Use the IEEE 802.1x MIB. It works, it works very well. I'll try and dig out the relevant OIDs tomorrow if you're interested...

Arran

> Thanks
>
> Date: Wed, 27 Feb 2008 21:31:06 +
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Force user disconnect on NAS
> From: [EMAIL PROTECTED]
>
> J-P Raymond wrote:
>> Question: is it possible from the radius server to force a user to disconnect? If yes, what do I need to do that?
>>
>> Normal: Client -- NAS -- Radius server
>>
>> I would like to send a request: Radius server -- NAS X Client
>>
>> Thanks for your time
>
> Yes, but your NAS needs to support CoA (Change of Authorisation), and your RADIUS server needs to support it too; currently FR doesn't. Your best bet is to use the standard 802.1x MIB and force re-authentication using SNMP. Most NAS implement this MIB, just people seem to overlook it...
>
> Regards,
> Arran
>
> --
> Arran Cudbard-Bell ([EMAIL PROTECTED])
> Authentication, Authorisation and Accounting Officer
> Infrastructure Services | ENG1 E1-1-08
> University Of Sussex, Brighton
> EXT:01273 873900 | INT: 3900
Re: Force user disconnect on NAS
J-P Raymond wrote:
> Ok I'll look at it, thanks, but what about Disconnect message? I pull this info from my log:
>
>     User-Name = [EMAIL PROTECTED]
>     Acct-Status-Type = Start
>     Acct-Session-Id = 12345678.90.123
>     NAS-Identifier = router
>     NAS-IP-Address = 200.10.50.100
>     NAS-Port-Type = Virtual
>     Framed-IP-Address = 200.10.50.1
>     Acct-Delay-Time = 0
>     Client-IP-Address = 200.10.50.100
>     Acct-Unique-Session-Id = 8d120506b2972302
>
> I put this in packet.txt. I tried:
>
>     cat packet.txt | radclient -x 200.10.50.100:3799 disconnect mysecret
>
> But radclient keeps retrying and it doesn't seem to work! On the web site it mentioned I need a disconnect-enabled NAS? Someone already tried this?

http://www.ieee802.org/1/files/public/MIBs/802-1x-2004-mib.txt

> Thanks
>
> Date: Wed, 27 Feb 2008 21:31:06 +
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Force user disconnect on NAS
> From: [EMAIL PROTECTED]
>
> J-P Raymond wrote:
>> Question: is it possible from the radius server to force a user to disconnect? If yes, what do I need to do that?
>>
>> Normal: Client -- NAS -- Radius server
>>
>> I would like to send a request: Radius server -- NAS X Client
>>
>> Thanks for your time
>
> Yes, but your NAS needs to support CoA (Change of Authorisation), and your RADIUS server needs to support it too; currently FR doesn't. Your best bet is to use the standard 802.1x MIB and force re-authentication using SNMP. Most NAS implement this MIB, just people seem to overlook it...
>
> Regards,
> Arran
>
> --
> Arran Cudbard-Bell ([EMAIL PROTECTED])
> Authentication, Authorisation and Accounting Officer
> Infrastructure Services | ENG1 E1-1-08
> University Of Sussex, Brighton
> EXT:01273 873900 | INT: 3900
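As an added example (not code from this thread, from radclient or from FreeRADIUS), here is the RFC 3576 Disconnect-Request exchange that the radclient command above attempts, written out in Python with both sides present. The server side builds the request from the attributes in J-P's accounting log and the secret on his command line (the User-Name is a constructed placeholder); the NAS side is a constructed model of a CoA-capable NAS on UDP/3799 that checks the Request Authenticator and answers Disconnect-ACK, or Disconnect-NAK with Error-Cause 503 when it has no such session. A NAS that does not implement RFC 3576, is not listening on 3799, or holds a different secret returns nothing at all, which is exactly the retry loop J-P saw, and the server-side verification of the Response Authenticator is what lets the server reject a spoofed reply.

```python
# Added example (not radclient or FreeRADIUS code): an RFC 3576 Disconnect-Request
# exchange with both sides written out. The NAS side is a constructed model.
import hashlib
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 3576 packet codes
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Framed-IP-Address": 8,
        "Acct-Session-Id": 44, "Error-Cause": 101}
ATTR_NAME = {v: k for k, v in ATTR.items()}
IPADDR_ATTRS = ("NAS-IP-Address", "Framed-IP-Address")
ERROR_SESSION_CONTEXT_NOT_FOUND = 503     # RFC 3576 Error-Cause value

def encode_attr(name, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    if name in IPADDR_ATTRS:
        data = bytes(int(octet) for octet in value.split("."))
    elif name == "Error-Cause":
        data = struct.pack("!I", value)
    else:
        data = value.encode()
    return struct.pack("!BB", ATTR[name], len(data) + 2) + data

def decode_attrs(payload):
    """Walk the TLV list back into a dict keyed by attribute name."""
    attrs, i = {}, 0
    while i < len(payload):
        t, length = payload[i], payload[i + 1]
        data, name = payload[i + 2:i + length], ATTR_NAME[t]
        if name in IPADDR_ATTRS:
            attrs[name] = ".".join(str(b) for b in data)
        elif name == "Error-Cause":
            attrs[name] = struct.unpack("!I", data)[0]
        else:
            attrs[name] = data.decode()
        i += length
    return attrs

def build_packet(code, ident, auth_input, attrs_bytes, secret):
    """Header + Authenticator + attributes. The Authenticator is
    MD5(Code+Identifier+Length + auth_input + attributes + secret): auth_input is
    16 zero octets for a request and the Request Authenticator for a response."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    authenticator = hashlib.md5(header + auth_input + attrs_bytes + secret).digest()
    return header + authenticator + attrs_bytes

def build_disconnect_request(ident, session, secret):
    attrs = b"".join(encode_attr(k, v) for k, v in session.items())
    return build_packet(DISCONNECT_REQUEST, ident, bytes(16), attrs, secret)

def nas_handle(packet, secret, active_session_ids):
    """Constructed model of a CoA-capable NAS. Returns the response bytes, or None
    when the packet is silently dropped (wrong code or bad Request Authenticator)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs_bytes = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs_bytes + secret).digest()
    if code != DISCONNECT_REQUEST or expected != req_auth:
        return None
    if decode_attrs(attrs_bytes).get("Acct-Session-Id") in active_session_ids:
        return build_packet(DISCONNECT_ACK, ident, req_auth, b"", secret)
    nak_attrs = encode_attr("Error-Cause", ERROR_SESSION_CONTEXT_NOT_FOUND)
    return build_packet(DISCONNECT_NAK, ident, req_auth, nak_attrs, secret)

def verify_response(request, response, secret):
    """Server side: accept a response only if its Identifier matches and its Response
    Authenticator checks out against the Request Authenticator we sent."""
    if response is None or response[1] != request[1]:
        return None
    code, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if expected != response[4:20]:
        return None
    return code, decode_attrs(response[20:length])

SECRET = b"mysecret"      # the secret given on J-P's radclient command line
SESSION = {               # attributes from J-P's accounting log; User-Name is a placeholder
    "User-Name": "user@example.org",
    "NAS-IP-Address": "200.10.50.100",
    "Framed-IP-Address": "200.10.50.1",
    "Acct-Session-Id": "12345678.90.123",
}

def disconnect(session_known=True, nas_secret=SECRET):
    """Run one exchange against the model NAS; returns (code, attrs) or None if no reply."""
    request = build_disconnect_request(7, SESSION, SECRET)
    active = {SESSION["Acct-Session-Id"]} if session_known else set()
    return verify_response(request, nas_handle(request, nas_secret, active), SECRET)

if __name__ == "__main__":
    print(disconnect())                        # (41, {})  Disconnect-ACK
    print(disconnect(session_known=False))     # (42, {'Error-Cause': 503})  Disconnect-NAK
    print(disconnect(nas_secret=b"other"))     # None: no reply, a client would keep retrying
```

The third call is the case from the thread: when the secret, the port or the feature itself is missing on the NAS side, nothing comes back, and a client such as radclient has no way to tell that apart from packet loss except by timing out.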
RE: NAS-Group? - different replies to different NASes?
One more question. Can I use a combination of the users file and SQL at the same time? I'm thinking of enabling the users file and entering all the DEFAULT entries in there, but still keep the users in SQL and have authentication fall through the users file to the SQL file. Will this work?

Adrian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adrian
Sent: Wednesday, February 27, 2008 6:04 PM
To: 'FreeRadius users mailing list'
Subject: RE: NAS-Group? - different replies to different NASes?

Hello Ivan,

I haven't had much luck with setting this up. We use a mysql DB and in the sql.conf file I don't use the DEFAULT Profile section, nor do we use the users file. I've spoken with a few friends and they were able to get this working but in a flat-file environment (i.e. using the users file and using the DEFAULT you've mentioned below). Is there a way to get this working with SQL without hacking the SQL statements? I was thinking of modifying the authorization query in sql.conf (authorize_group_check_query) to utilize a Huntgroup-Name attribute in the radgroupcheck table. Not sure if this will even work.

Here is the original query:

    authorize_group_check_query = SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName,
        ${groupcheck_table}.Attribute, ${groupcheck_table}.Value, ${groupcheck_table}.op
      FROM ${groupcheck_table}, ${usergroup_table}
      WHERE ${usergroup_table}.Username = '%{SQL-User-Name}'
        AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName
      ORDER BY ${groupcheck_table}.id

Here is the proposed changed query:

    authorize_group_check_query = SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName,
        ${groupcheck_table}.Attribute, ${groupcheck_table}.Value, ${groupcheck_table}.op
      FROM ${groupcheck_table}, ${usergroup_table}
      WHERE ${usergroup_table}.Username = '%{SQL-User-Name}'
        AND ${usergroup_table}.NASGroup = ${groupcheck_table}.NASGroup
      ORDER BY ${groupcheck_table}.id

For the above to work I would have to introduce a new column in the usergroup table called NASGroup and also in the radcheckgroup table. This sounds like a lot of work and maybe unnecessary. I'm pretty sure this works with huntgroups and flat files... how can I make it work with SQL? Will my answer be turning up Default Profile under the sql.conf file of the radius server?

Best regards,
Adrian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adrian
Sent: Tuesday, February 26, 2008 5:09 PM
To: 'FreeRadius users mailing list'
Subject: RE: NAS-Group? - different replies to different NASes?

Thanks Ivan, I will give that a try. Thanks for all your help.

Adrian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, February 26, 2008 2:37 PM
To: FreeRadius users mailing list
Subject: RE: NAS-Group? - different replies to different NASes?

A: I have a set of master tunnel attributes that I always have to send to this Telco, i.e. Service-Type, Tunnel-Type, Tunnel-Preference, Tunnel-Password, Tunnel-Server-Endpoint, etc. The way this Telco obtains these attributes is by sending the Username/Password combination my way (i.e. I need to authenticate [EMAIL PROTECTED]). Once I see that user come through from their boxes (3 static IPs) I have to send back to them the tunnel attributes above. Once the tunnel attributes were sent, they establish an L2TP tunnel to my LNS and my LNS now asks my Radius server again to authenticate the user. So I see the same [EMAIL PROTECTED] requesting to be authenticated. Since I currently cannot distinguish between NASes I am sending the same Tunnel Attributes to my LNS, which causes my LNS to try to initiate a tunnel back to itself (because the Tunnel-Server-Endpoint attribute is the actual LNS).

++ This is very strange. That information should be on the telco's radius server, not yours. It should not have to proxy requests to you. They ought to know the tunnel endpoint - *they* gave you the IP to set on your router when they leased you the line.

Simplest thing to do is to create a huntgroup called LAC and place those static IPs there. Then put something like this in your users file:

    DEFAULT Huntgroup-Name == LAC, Auth-Type := Accept
            Reply-Message = You are one strange telco,

and list other reply attributes that you need to send them.

Ivan Kalik
Kalik Informatika ISP
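As an added example (not code from this thread and not FreeRADIUS's own implementation), here is a small Python model of the mechanism Ivan describes: huntgroups matched on NAS-IP-Address, a users-file DEFAULT entry keyed on Huntgroup-Name that accepts the LAC's request with the tunnel attributes, and the fall-through to an SQL-backed user table that Adrian asks about, so that the same username gets one reply from the LAC and a different one from the LNS. The addresses, the username, the password and the dict standing in for the radcheck/radreply tables are constructed placeholders; only "==" huntgroup rules and a first-match users-file pass (no Fall-Through) are modelled.

```python
# Added example (not FreeRADIUS code): a model of huntgroups + a users-file DEFAULT
# entry keyed on Huntgroup-Name, with fall-through to an SQL-backed user table.
# All addresses, names, passwords and the dict standing in for radcheck/radreply
# are constructed placeholders.
import re

# Constructed huntgroups file: the telco's three static LAC addresses.
HUNTGROUPS = """
LAC  NAS-IP-Address == 192.0.2.10
LAC  NAS-IP-Address == 192.0.2.11
LAC  NAS-IP-Address == 192.0.2.12
"""

# Constructed users file: only the DEFAULT entry for the LAC huntgroup.
USERS = """
DEFAULT Huntgroup-Name == "LAC", Auth-Type := Accept
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "198.51.100.5",
        Reply-Message = "tunnel attributes for the LAC"
"""

# Constructed stand-in for the radcheck/radreply tables (the LNS is at 198.51.100.5).
SQL_USERS = {
    "user@telco.example": {"password": "s3cret",
                           "reply": {"Framed-IP-Address": "203.0.113.7"}},
}

ITEM_RE = re.compile(r"\s*([\w-]+)\s*(==|:=|=)\s*(.+)")

def parse_huntgroups(text):
    """'LAC  NAS-IP-Address == 192.0.2.10' -> (group, attribute, value); only '==' rules."""
    rules = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            group, attr, _op, value = line.split()
            rules.append((group, attr, value))
    return rules

def huntgroups_for(request, rules):
    """Every huntgroup whose rule matches the request (what rlm_preprocess sets as Huntgroup-Name)."""
    return {group for group, attr, value in rules if request.get(attr) == value}

def parse_users(text):
    """Users-file entries: an unindented 'name check, check' line, then indented reply items."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":                            # reply items of the current entry
            for item in raw.strip().rstrip(",").split(","):
                attr, _op, value = ITEM_RE.match(item).groups()
                current["reply"][attr] = value.strip().strip('"')
        else:                                           # new entry with its check items
            name, _, checks = raw.partition(" ")
            current = {"name": name, "check": [], "reply": {}}
            for item in checks.split(","):
                attr, op, value = ITEM_RE.match(item).groups()
                current["check"].append((attr, op, value.strip().strip('"')))
            entries.append(current)
    return entries

def handle_request(request, rules, entries, sql_users):
    """Return ('Access-Accept', reply) or ('Access-Reject', {}) for one Access-Request."""
    groups, reply = huntgroups_for(request, rules), {}
    for entry in entries:
        if entry["name"] not in ("DEFAULT", request["User-Name"]):
            continue
        control, matched = {}, True
        for attr, op, value in entry["check"]:
            if op == ":=":                              # ':=' on the check line sets a control item
                control[attr] = value
            elif attr == "Huntgroup-Name":
                matched = matched and value in groups
            else:
                matched = matched and str(request.get(attr)) == value
        if matched:
            reply.update(entry["reply"])
            if control.get("Auth-Type") == "Accept":    # accept without a password check
                return "Access-Accept", reply
            break                                       # simplification: no Fall-Through
    # Nothing in the users file decided the request: the SQL module (modelled by a dict)
    # supplies the password check and the per-user reply items.
    row = sql_users.get(request["User-Name"])
    if row and request.get("User-Password") == row["password"]:
        reply.update(row["reply"])
        return "Access-Accept", reply
    return "Access-Reject", {}

def demo():
    """The same user seen from the LAC and from the LNS gets two different answers."""
    rules, entries = parse_huntgroups(HUNTGROUPS), parse_users(USERS)
    from_lac = {"User-Name": "user@telco.example", "NAS-IP-Address": "192.0.2.11"}
    from_lns = {"User-Name": "user@telco.example", "NAS-IP-Address": "198.51.100.5",
                "User-Password": "s3cret"}
    return (handle_request(from_lac, rules, entries, SQL_USERS),
            handle_request(from_lns, rules, entries, SQL_USERS))

if __name__ == "__main__":
    for code, attrs in demo():
        print(code, attrs)
```

The request from the LNS never sees the tunnel attributes because its NAS-IP-Address is in no huntgroup, so the DEFAULT entry does not match and the SQL-backed entry alone decides the answer; that is the separation Adrian needs, and it does not require any change to the SQL queries.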
Re: can't get radtest/radclient to work
Dan Gahlinger wrote:
> Alan, it's the age-old 64bit API problem again. It's on OpenSUSE 10.3 now, using 1.1.6 with 1.1.7 libraries. It looks like the CVS fix seems to work here as well.

Uh... which CVS fix?

> Any way you can get those changes into the Suse packages?

I don't control the Suse packages. I suggest asking Suse.

Alan DeKok.
Re: Consuming card code
Juraj Bilic wrote:
> Can I implement user login, consuming of card codes, etc. with only packets (acct), or am I missing some crucial points?

No idea. What card codes are you talking about?

> I hope that I (user, client) can make a behaviour of communicating with freeradius every 10sec and consuming 10sec of the currently selected card code.

You don't want to send accounting packets to the server every 10s. It's a very bad idea. If you need 10s granularity on accounting, use a local database.

Alan DeKok.
Re: NAS-Group? - different replies to different NASes?
Adrian wrote:
> Can I use a combination of the users file and SQL at the same time?

Yes. The default configuration makes it clear that you can use *many* different modules at the same time.

> I'm thinking of enabling the users file and entering all the DEFAULT entries in there, but still keep the users in SQL and have authentication fall through the users file to the SQL file. Will this work?

Yes.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html