Re: users file auth failing

2008-10-31 Thread tnt
>But how would you "remove LDAP access control" for these users?
>

You can't remove it for some users. You have to remove it to allow users
that are not in LDAP to connect.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Logical Or in check items?

2008-10-31 Thread Alan DeKok

Martin Pauly wrote:
> Hi all,
>
> I have a question about the users file.
> Several check items are always treated as an AND condition.
> I would like to implement the OR case.

$ man unlang

  Don't use the "users" file.

  Alan DeKok.

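What "$ man unlang" amounts to for Martin's case, as an added example that is not from the thread or the FreeRADIUS tree: his two users-file entries collapsed into one unlang condition in the authorize section of a FreeRADIUS 2.x virtual server. The user name "pauly", Auth-Type := System and the Reply-Message text are Martin's; the NAS address 192.0.2.10 and the Calling-Station-Id are placeholders.

```unlang
# Added example, not from the thread or the FreeRADIUS tree.
# Fragment of the "authorize" section of sites-enabled/default
# (FreeRADIUS 2.x).  It sits before the "files" call so that the
# control:Auth-Type it sets is not overridden by a users-file entry.
authorize {
	preprocess

	# Check items in a single users-file entry are ANDed together.
	# An unlang condition gives the OR Martin wants: group 1 is
	# recognised by its NAS address, group 2 by the calling station.
	# 192.0.2.10 and 00-11-22-33-44-55 are placeholders for the real values.
	if ((User-Name == "pauly") && ((NAS-IP-Address == "192.0.2.10") || (Calling-Station-Id == "00-11-22-33-44-55"))) {
		update control {
			# Password is checked by rlm_unix against the local
			# account, as in Martin's setup; this needs "unix" in
			# the authenticate section.
			Auth-Type := System
		}
		update reply {
			Reply-Message = "Matched local user entry %{User-Name}"
		}
	}

	# Everyone else (and pauly from anywhere else) continues down the
	# existing authorize chain.
	ldap
	files
}
```

If the two groups need different Reply-Message texts, keep one `if` per group (an `if` / `elsif` pair) with the same `update control` in each; the point is that the branch, not a users-file entry, decides which requests are allowed to skip LDAP password checking.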

Logical Or in check items?

2008-10-31 Thread Martin Pauly
Hi all,

I have a question about the users file.
Several check items are always treated as an AND condition.
I would like to implement the OR case.
I.e. I have 2 groups of NASes:

Group 1 is recognized by their NAS-IP-Address:
pauly   Auth-Type := System, NAS-IP-Address = 
        Reply-Message = "Matched local user entry %{User-Name}, recognized by NAS-IP-Address"

Group 2 is only accessed from a certain Calling-Station-Id, but their IP
addresses are arbitrary. So I do
pauly   Auth-Type := System, Calling-Station-Id = 
        Reply-Message = "Matched local user entry %{User-Name}, recognized by Calling-Station-Id"

Could I combine this into a single entry somehow?

Thanks for any help
Martin


-- 
  Dr. Martin Pauly Fax:49-6421-28-26994
  HRZ Univ. MarburgPhone:  49-6421-28-23527
  Hans-Meerwein-Str.   E-Mail: [EMAIL PROTECTED]  
  D-35032 Marburg   


Re: users file auth failing

2008-10-31 Thread Martin Pauly
Antony,
> I would like to add a very simple user with only a Cleartext-Password to
> the users file (this is strictly a FreeRADIUS user and in the interest
> of security shouldn't be in LDAP).
I have a very similar setup (lots of users in LDAP, a few with "local" 
passwords on the RADIUS server). As to security, I created the user 
as a local unix account on the RADIUS server and do Auth-Type := System.
This way, I don't have to put a Cleartext-Password anywhere.

In addition, my special users _are_ in LDAP, so when LDAP is asked they get
authorized. Only the password is checked against /etc/passwd on the RADIUS
server. But how would you "remove LDAP access control" for these users?

Cheers, Martin

-- 
  Dr. Martin Pauly Fax:49-6421-28-26994
  HRZ Univ. MarburgPhone:  49-6421-28-23527
  Hans-Meerwein-Str.   E-Mail: [EMAIL PROTECTED]  
  D-35032 Marburg   


Re: problems with authorization PEAP - EAP-MSCHAPv2 clients [ SOLVED ]

2008-10-31 Thread Lukas Lisa
Hi all,
The problem is in the 3com switch. I found in the 3com
knowledge base a record about similar 3com
Baseline switches: only EAP, not PEAP, is
supported.

This ugly device also doesn't allow auth traffic
for other connected devices to pass through. It is
not possible to authorize via an IEEE 802.1X wifi AP
when the RADIUS server and the AP uplink are
connected to the 3com switch.

If a D-Link switch is used instead, everything
works fine.

AVOID 3com Baseline switches!

Thanks for all replies
Lukas Lisa



Lukas Lisa wrote:
> Hello,
> I would like to authorize Windows clients' access to a 3com Baseline
> Switch 2948 SFP against FreeRADIUS server 2.0.5.
> 
> Windows is configured to use PEAP - EAP-MSCHAPv2.
> The server certificate was created with the bootstrap script (xpextensions
> are included).
> 
> I tried Windows XP SP3 and Linux (wpa_supplicant) clients and both
> cause the same server output and authorization can't pass.
> The testing tools eapol_test, radeapclient and jRadiusSimulator can pass
> all tests fine.
> 
> EAP - MD5 Challenge works fine.
> 
> Attaching radiusd.conf and radius -X output.
> Thanks for help.

-- 
Lukas Lisa
Administrator

StringData, s.r.o.
_
Antala Staska 38, 140 00 Praha 4, CR
+420 266 772 625

www.stringdata.cz
- ISO 9001:2000 -



Re: PAM radius module and "Prompt" attribute.

2008-10-31 Thread ugengia-reg
Hi,
the proposed patch doesn't work on Solaris 10 with RSA Authentication Manager 7.1: 
"Bus Error" and core dump when the Access-Challenge is received.

The following patch works (gcc 3.4.3):

--- pam_radius_auth.c.orig  Tue Oct 28 13:07:22 2008
+++ pam_radius_auth.c   Wed Oct 29 15:11:20 2008
@@ -1188,8 +1188,9 @@
*  challenges as we receive.
*/
   while (response->code == PW_ACCESS_CHALLENGE) {
-attribute_t *a_state, *a_reply;
+attribute_t *a_state, *a_reply, *a_prompt;
 char challenge[BUFFER_SIZE];
+int prompt;
 
 /* Now we do a bit more work: challenge the user, and get a response */
 if (((a_state = find_attribute(response, PW_STATE)) == NULL) ||
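Review bot: `prompt` is declared without an initialiser and is only assigned further down the loop body; write `int prompt = PAM_PROMPT_ECHO_ON;` at the declaration so the default echo mode is visible beside the variable and cannot be used uninitialised if the lines between the declaration and the assignment later grow an early `continue`.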
@@ -1212,8 +1213,18 @@
 memcpy(challenge, a_reply->data, a_reply->length - 2);
 challenge[a_reply->length - 2] = 0;
 
+prompt = PAM_PROMPT_ECHO_ON;
+if((a_prompt = find_attribute(response, PW_PROMPT)) != NULL){
+  uint32_t prompt_val_net = 0;
+  uint32_t prompt_val = 0;
+  memcpy((void *)&prompt_val_net, (void *) a_prompt->data, 
sizeof(uint32_t));
+  prompt_val = ntohl(prompt_val_net);
+  DPRINT(LOG_DEBUG, "Got Prompt=%d",prompt_val);
+  if(!prompt_val) prompt=PAM_PROMPT_ECHO_OFF;
+}
+
 /* It's full challenge-response, we should have echo on */
-retval = rad_converse(pamh, PAM_PROMPT_ECHO_ON, challenge, 
&resp2challenge);
+retval = rad_converse(pamh, prompt, challenge, &resp2challenge);
 
 /* now that we've got a response, build a new radius packet */
 build_radius_packet(request, user, resp2challenge, &config);
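Review bot: the `memcpy` into `prompt_val_net` copies `sizeof(uint32_t)` bytes from `a_prompt->data` without checking `a_prompt->length`; the code just above treats `length` as including the 2-byte attribute header (`a_reply->length - 2`), so a well-formed integer attribute has `length == 6`, and a shorter or truncated Prompt attribute in the Access-Challenge would be read past its end. Extend the condition to `if ((a_prompt = find_attribute(response, PW_PROMPT)) != NULL && a_prompt->length == 6)` and keep the ECHO_ON default otherwise. Copying into an aligned local with `memcpy` instead of casting `data` to `uint32_t *` is the right fix for the SPARC "Bus Error" reported above; keep that. Two smaller points: `DPRINT(LOG_DEBUG, "Got Prompt=%d",prompt_val)` prints a `uint32_t` with `%d` (use `%u`), and the retained comment `/* It's full challenge-response, we should have echo on */` is now wrong, since echo may be off.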
--- radius.h.orig   Tue Oct 28 13:07:29 2008
+++ radius.hTue Oct 28 13:12:36 2008
@@ -123,7 +123,7 @@
 #define PW_NAS_PORT_TYPE61  /* integer */
 #define PW_PORT_LIMIT   62  /* integer */
 #define PW_LOGIN_LAT_PORT   63  /* string */
-#define PW_PROMPT   64  /* integer */
+#define PW_PROMPT   76  /* integer */
 
 /*
  * INTEGER TRANSLATIONS
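Review bot: the renumbering is right: RFC 2869 section 5.10 assigns Prompt attribute number 76 (values 0 = No Echo, 1 = Echo), while 64 is Tunnel-Type from RFC 2868, so the old define would have matched a Tunnel-Type attribute in the challenge, if one were present, and never the Prompt. Put a short comment citing RFC 2869 next to the `#define` so nobody "fixes" it back to 64.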

Regards,
Cesare

--- On Wed 22/10/08, Alan DeKok <[EMAIL PROTECTED]> wrote:

> From: Alan DeKok <[EMAIL PROTECTED]>
> Subject: Re: PAM radius module and "Prompt" attribute.
> To: [EMAIL PROTECTED], "FreeRadius users mailing list" 
> 
> Date: Wednesday 22 October 2008, 18:40
> [EMAIL PROTECTED] wrote:
> > All is working well, but I found a problem when the
> PAM module receives an Access-Challenge.
> > 
> > Here is the problem: even if the RADIUS server sends a
> Prompt="No Echo" attribute, my PAM conversation
> function receives a PAM_PROMPT_ECHO_ON msg_style instead of
> a PAM_PROMPT_ECHO_OFF.
> 
>  See: http://bugs.freeradius.org/show_bug.cgi?id=609
> 
> > As far as I know the Prompt attribute is not mandatory
> for RFC 2865 compliance, in fact this attribute is specified
> into RFC 2869 - Radius Extensions.
> > 
> > The question is: will the Prompt attribute be
> supported in a future release of the PAM service module?
> 
>   Possibly, yes.
> 
>   Alan DeKok.




Re: freeradius help

2008-10-31 Thread Alan DeKok
Rolando Tejada wrote:
> in ubuntu says:
> "rlm_sql_mysql: Couldn't connect socket to MySQL server
> [EMAIL PROTECTED]:radius",
> "rlm_sql_mysql: Mysql error 'Access denied for user 'root'@'localhost'
> (using password: YES)'",

  That message would seem to be clear.  The MySQL server is... denying
access.  Perhaps you want to check access for "[EMAIL PROTECTED]" in MySQL?

  Alan DeKok.


Re: freeradius help

2008-10-31 Thread tnt
http://wiki.freeradius.org/FAQ#It_says_.22Could_not_link_..._file_not_found.22.2C_what_do_I_do.3F

Ivan Kalik
Kalik Informatika ISP


On 31/10/2008, "Rolando Tejada" <[EMAIL PROTECTED]> wrote:

>hi, I'm trying to configure freeradius on Ubuntu 7.04 and Fedora 6. I
>can't on either. On Fedora it says:
>"cannot find a configuration entry for module "sql" ",
>"unknown module sql",
>"failed to parse authorize section".
>
>
>On Ubuntu it says:
>"rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]
>:radius",
>"rlm_sql_mysql: Mysql error 'Access denied for user 'root'@'localhost'
>(using password: YES)'",
>"rlm_sql (sql): Failed to connect DB handle #0".
>



freeradius help

2008-10-31 Thread Rolando Tejada
hi, I'm trying to configure freeradius on Ubuntu 7.04 and Fedora 6. I
can't on either. On Fedora it says:
"cannot find a configuration entry for module "sql" ",
"unknown module sql",
"failed to parse authorize section".


On Ubuntu it says:
"rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]
:radius",
"rlm_sql_mysql: Mysql error 'Access denied for user 'root'@'localhost'
(using password: YES)'",
"rlm_sql (sql): Failed to connect DB handle #0".

Re: VMPS - Initial project ideas

2008-10-31 Thread Phil Mayers

Hairy51 wrote:
> Hi all,
>
> I am just about to start a project to remove the VMPS system from an aging
> catalyst switch and I would like to investigate the possibility of using
> FreeRadius for this.
>
> We currently have about 1500 hosts that rely on VMPS for dynamic assignment
> and an ideal solution would be to move the VMPS service onto a server (or
> multiple servers) with as few interruptions to users as possible.
>
> Also, for simplicity's sake it would be great if we could re-use the current
> Static VMPS file that the catalyst switch uses.

You won't be able to do that, but you should be able to convert it
pretty easily, probably into a comma-separated:

  mac,vlan-name

...file

> I have looked into FreeNAC as a solution, but want to investigate other ways
> of achieving this. We do not really need to do anything other than assign
> (or block) VLANs, so the extra functionality of FreeNAC is not needed at
> this point.

FreeNAC offers nothing useful that I can see.

> Considering I am coming from a limited Linux background, how hard would it
> be for me to achieve this using FreeRADIUS? Does it sound feasible? I am
> really looking for a bit of advice from those with experience of the
> FreeRADIUS application and who know of the potential pitfalls and
> complications that we may face!

We've done it. It was not very hard.

Basically, you need:

 * FreeRadius 2 - pick the most recent version
 * A list of the mac,vlan pairs in a text file
 * Ability to follow the (pretty simple) examples in the FreeRadius source

Specifically see "raddb/sites-available/vmps"


Re: VMPS - Initial project ideas

2008-10-31 Thread Alan DeKok
Hairy51 wrote:
> Also, for simplicity's sake it would be great if we could re-use the current
> Static VMPS file that the catalyst switch uses. 

  That's a little difficult, because FreeRADIUS doesn't parse those VMPS
files.  But it shouldn't be hard to convert the format to something
FreeRADIUS can use.

> Considering I am coming from a limited Linux background, how hard would it
> be for me to achieve this using FreeRADIUS? Does it sound feasible? I am
> really looking for a bit of advice from those with experience of the
> FreeRADIUS application and who know of the potential pitfalls and
> complications that we may face!

  It's doable.  Download the server, and read raddb/sites-available/vmps.
There are examples doing MAC to VLAN assignment.

  Alan DeKok.

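The setup Phil and Alan both describe (a mac,vlan-name text file plus the shipped vmps virtual server), as an added example that is not from the thread or the FreeRADIUS tree. Attribute and value names follow share/dictionary.vqp and raddb/sites-available/vmps as shipped with FreeRADIUS 2.x, which also ships a passwd-based `mac2vlan` module definition; verify the names against your copy. The file name, the sample MAC addresses and the VLAN names are assumptions, and the "deny unknown MAC" branch is this example's choice for the "(or block)" part of the question.

```unlang
# Added example, not from the thread or the FreeRADIUS tree: a VMPS
# virtual server that answers join requests from a mac,vlan-name file.
# Check attribute and value names against your dictionary.vqp.
#
# raddb/mac2vlan, converted from the Catalyst VMPS database: each
# "address 0011.2233.4455 vlan-name staff" line becomes one CSV line,
# with the MAC rewritten to the colon form FreeRADIUS prints for
# VMPS-Mac (assumed).  Sample content, constructed for this example:
#
#   00:11:22:33:44:55,staff
#   00:11:22:33:44:66,printers

# raddb/modules/mac2vlan: the passwd module keyed on the MAC column.
# "*" marks the key column; the remaining column is added to the reply.
passwd mac2vlan {
	filename = ${confdir}/mac2vlan
	format = "*VMPS-Mac:VMPS-VLAN-Name"
	delimiter = ","
	hashsize = 2048
	allowmultiplekeys = no
	ignorenislike = no
}

# raddb/sites-enabled/vmps
server vmps {
	listen {
		ipaddr = *
		port = 1589
		type = vmps
	}

	vmps {
		# Look the MAC up.  Unknown hosts get an explicit deny
		# rather than a fallback VLAN.
		mac2vlan
		if (notfound) {
			update reply {
				VMPS-Packet-Type = VMPS-Join-Response
				VMPS-Error-Code = VMPS-Access-Denied
			}
		}
		else {
			# passwd already added VMPS-VLAN-Name to the reply
			update reply {
				VMPS-Packet-Type = VMPS-Join-Response
				VMPS-Cookie = "%{VMPS-Mac}"
			}
		}
	}
}
```

The conversion of the switch's database is a one-off text transformation; the thing to keep under change control afterwards is the mac2vlan file, because a line in it is all that stands between a spoofed MAC address and the VLAN it names.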

VMPS - Initial project ideas

2008-10-31 Thread Hairy51

Hi all,

I am just about to start a project to remove the VMPS system from an aging
catalyst switch and I would like to investigate the possibility of using
FreeRadius for this.

We currently have about 1500 hosts that rely on VMPS for dynamic assignment
and an ideal solution would be to move the VMPS service onto a server (or
multiple servers) with as few interruptions to users as possible.

Also, for simplicity's sake it would be great if we could re-use the current
static VMPS file that the catalyst switch uses.

I have looked into FreeNAC as a solution, but want to investigate other ways
of achieving this. We do not really need to do anything other than assign
(or block) VLANs, so the extra functionality of FreeNAC is not needed at
this point.

Considering I am coming from a limited Linux background, how hard would it
be for me to achieve this using FreeRADIUS? Does it sound feasible? I am
really looking for a bit of advice from those with experience of the
FreeRADIUS application and who know of the potential pitfalls and
complications that we may face!

Many thanks - any comments or ideas much appreciated...

Cheers

Jonathan




Re: Need some help with Access-Reject messages in upgrade from FreeRadius 1.1.0 to FreeRadius 2.0.5

2008-10-31 Thread tnt
>If there's no way to avoid listing all four ldap servers,

There is no way of checking something without checking it.

>I'm going to
>have to have probably 25 huge IF statements in order to get the profile
>set correctly in my radius config.

Perhaps organize users better so as not to have so many different profiles.

>I've already re-done my users file
>to list all four servers, and it's a bit laborious to do, and it seems
>like there'd be a better way.
>

If the checking statements for the LDAP groups are identical and the only
thing that changes is the server number (1, 2, 3, 4), you can create a for
loop in Perl and check all four servers with one set of statements.

Ivan Kalik
Kalik Informatika ISP



Re: Dell 6248 and Dynamic VLAN Assignment

2008-10-31 Thread tnt
The dictionary value for that Tunnel-Medium-Type is IEEE-802.

Ivan Kalik
Kalik Informatika ISP


On 31/10/2008, "Luke" <[EMAIL PROTECTED]> wrote:

>Hi :)
>
>I'm trying to get dynamic VLAN assignment to work with my Dell 6248,
>which they officially support as of firmware revision 2.1.0.13.
>
>I'm using freeradius version 2.1.1
>
>I think I'm sending the information the correct way from freeradius, to wit:
>
>DEFAULT Auth-Type == MS-CHAP
>Tunnel-Type = VLAN,
>Tunnel-Medium-Type = 802,
>Tunnel-Private-Group-ID = 3
>
>(this is in my users file)
>
>When watching the debug output from radiusd -X, I can see it sending
>these messages back to the Dell switch.  However, the dell switch is
>not correctly assigning the VLAN.
>
>The information from the release notes from Dell is as follows:
>
>802.1x Option 81
>The Tunnel Attribute indicates the tunneling protocol to be used or
>the tunneling protocol in use at the Authenticator. In particular, it
>may be desirable to allow a supplicant (MAC based) or port (Port
>Based) to be placed into a particular Virtual LAN (VLAN) based on the
>result of the authentication. To achieve the distribution of the VLAN
>id to the supplicant, the tunnel attribute can be used.
>For use in VLAN assignment, the following tunnel attributes are used:
>Tunnel-Type=VLAN (13)
>Tunnel-Medium-Type=802
>Tunnel-Private-Group-ID=VLANID, where VLANID is 12-bits, taking a
>value between 1 and 4093.
>The NAS-IP Attribute indicates the identifying IP Address of the NAS
>(Switch or Access Point) which is requesting authentication of the
>user, and should be unique to the NAS within the scope of the RADIUS
>server. NAS-IP-Address is only used in Access-Request packets. Either
>NAS-IP-Address or NAS-Identifier must be present in an Access-Request
>packet.
>
>I can see from my Dell switch that this stuff is enabled, but for some
>reason it's still not setting the VLAN.
>
>Does anyone have any suggestions?
>
>Thanks.


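Ivan's one-line answer spelled out, as an added example that is not from the thread or the FreeRADIUS tree: Luke's reply items as posted beside the corrected ones, written as an unlang update block for the post-auth section of a FreeRADIUS 2.x virtual server (the users-file form takes the same three items and the same fix). VLAN 3 is from his post; the Auth-Type condition is an assumption standing in for his "DEFAULT Auth-Type == MS-CHAP" users-file entry.

```unlang
# Added example, not from the thread or the FreeRADIUS tree.
# post-auth section of sites-enabled/default (FreeRADIUS 2.x): RFC 3580
# VLAN assignment for Luke's switch.
post-auth {
	# As posted.  "802" is not a value name in dictionary.rfc2868, and
	# FreeRADIUS accepts any number for an integer attribute, so the
	# packet carries Tunnel-Medium-Type = 802 instead of 6.  radiusd -X
	# shows the attribute being sent; the switch does not recognise it.
	#
	#	update reply {
	#		Tunnel-Type = VLAN
	#		Tunnel-Medium-Type = 802
	#		Tunnel-Private-Group-Id = 3
	#	}

	# Corrected: the dictionary names are VLAN (13) for Tunnel-Type and
	# IEEE-802 (6) for Tunnel-Medium-Type.
	if (control:Auth-Type == "MS-CHAP") {
		update reply {
			Tunnel-Type = VLAN
			Tunnel-Medium-Type = IEEE-802
			Tunnel-Private-Group-Id = 3
		}
	}
}
```

In the users file the fix is the same three lines with IEEE-802 in place of 802. Attribute names are matched case-insensitively, so Luke's Tunnel-Private-Group-ID is the dictionary's Tunnel-Private-Group-Id. Seeing the attributes in radiusd -X output only proves FreeRADIUS sent something; compare the numeric value on the wire (6 for IEEE-802) with what the switch release notes ask for.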

Re: Dell 6248 and Dynamic VLAN Assignment

2008-10-31 Thread Anders Holm

Talk to the vendor?

Sent from my iPhone

On 31 Oct 2008, at 01:20, Luke <[EMAIL PROTECTED]> wrote:

> Hi :)
>
> I'm trying to get dynamic VLAN assignment to work with my Dell 6248,
> which they officially support as of firmware revision 2.1.0.13.
>
> I'm using freeradius version 2.1.1
>
> I think I'm sending the information the correct way from freeradius,
> to wit:
>
> DEFAULT Auth-Type == MS-CHAP
>    Tunnel-Type = VLAN,
>    Tunnel-Medium-Type = 802,
>    Tunnel-Private-Group-ID = 3
>
> (this is in my users file)
>
> When watching the debug output from radiusd -X, I can see it sending
> these messages back to the Dell switch.  However, the dell switch is
> not correctly assigning the VLAN.
>
> The information from the release notes from Dell is as follows:
>
> 802.1x Option 81
> The Tunnel Attribute indicates the tunneling protocol to be used or
> the tunneling protocol in use at the Authenticator. In particular, it
> may be desirable to allow a supplicant (MAC based) or port (Port
> Based) to be placed into a particular Virtual LAN (VLAN) based on the
> result of the authentication. To achieve the distribution of the VLAN
> id to the supplicant, the tunnel attribute can be used.
> For use in VLAN assignment, the following tunnel attributes are used:
> Tunnel-Type=VLAN (13)
> Tunnel-Medium-Type=802
> Tunnel-Private-Group-ID=VLANID, where VLANID is 12-bits, taking a
> value between 1 and 4093.
> The NAS-IP Attribute indicates the identifying IP Address of the NAS
> (Switch or Access Point) which is requesting authentication of the
> user, and should be unique to the NAS within the scope of the RADIUS
> server. NAS-IP-Address is only used in Access-Request packets. Either
> NAS-IP-Address or NAS-Identifier must be present in an Access-Request
> packet.
>
> I can see from my Dell switch that this stuff is enabled, but for some
> reason it's still not setting the VLAN.
>
> Does anyone have any suggestions?
>
> Thanks.