Re: Dynamic Vlan Allocation based on LDAP Attribute Value
On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
> I have a working radius server (ver 1.1.3), which I am using for
> 802.1x authentication of wired switch ports. I would like to
> dynamically assign users VLANs. I have Cisco gear and have achieved
> basic VLAN allocation by configuring a Default entry in the users
> file. So the VLAN allocation part works ok.
>
> What I want to be able to do is allocate the VLAN by matching the
> value of an LDAP attribute. Not by group membership, but the actual
> value of a user's attribute. Is this possible?
>
> Cheers,
> Dealy

Yes. Just assign these attributes to the user object in LDAP.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: mi...@multinet.de
web: www.multinet.de
Registered office: 85630 Grasbrunn
Court of registration: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
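The reply above is the whole recipe in one sentence. What "assign these attributes to the user object" looks like on a FreeRADIUS 1.1.x server, as an added example that is not part of the thread or of the project's stock files: the LDAP attribute name (departmentNumber, already present on inetOrgPerson entries), the VLAN id 120 and the DN are assumptions. The stock ldap.attrmap already maps radiusTunnelPrivateGroupId from the RADIUS-LDAPv3 schema; the line below is for the case the poster describes, where the VLAN id lives in an attribute of his own choosing.

```conf
# ldap.attrmap (raddb) - added line. Columns: item type, RADIUS attribute,
# LDAP attribute. Every value of departmentNumber on the matched user entry
# becomes one Tunnel-Private-Group-Id reply item, so keep exactly one value
# per user; a switch given two VLAN ids will not pick the one you meant.
replyItem	Tunnel-Private-Group-Id		departmentNumber

# users (raddb) - a DEFAULT entry supplies the two static tunnel attributes
# that tell the switch how to interpret Tunnel-Private-Group-Id. rlm_ldap
# adds its reply items independently of rlm_files, so no Fall-Through is
# needed for the two sources to merge into one Access-Accept.
DEFAULT
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802

# The user entry on the LDAP side (constructed LDIF). A dedicated attribute
# from a custom schema works the same way; only the attrmap line changes.
dn: uid=dealy,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: dealy
departmentNumber: 120
```

Two things to check before relying on this. First, the attribute has just become authorization data: anyone with write access to departmentNumber on user entries can move a port to any VLAN, so restrict it in the directory's ACLs as you would a group membership. Second, run `radiusd -X` and confirm that the Access-Accept for a test user carries all three Tunnel-* attributes; if only the two static ones appear, the bind identity used by the ldap module cannot read the attribute.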
Dynamic Vlan Allocation based on LDAP Attribute Value
I have a working radius server (ver 1.1.3), which I am using for 802.1x authentication of wired switch ports. I would like to dynamically assign users VLANs. I have Cisco gear and have achieved basic VLAN allocation by configuring a Default entry in the users file. So the VLAN allocation part works ok.

What I want to be able to do is allocate the VLAN by matching the value of an LDAP attribute. Not by group membership, but the actual value of a user's attribute. Is this possible?

Cheers,
Dealy
Re: Session-timeout problem
Hi, thanks for the reply. I have tried this, but when I do so it's taking this as a default entry and giving an error for user name and password. I have entered the username and Cleartext-Password in the users file. Also I have configured the MySQL database for authentication and accounting, so at that time I am getting the error "no User-Password or CHAP-Password" in request.

Thanks,
Mitul Modi

On Fri, Feb 13, 2009 at 12:07 AM, Will D. Spann wrote:
> Mitul Modi,
>
> > I am new to FreeRADIUS. Can anyone help how I can configure Session-Timeout?
> > I am using EAP-TTLS with CHAP password.
> > I have added credentials for user name and password in the users file.
>
> To apply a Session-Timeout to all the users in your 'users' file, add the
> following entry after the user entries.
>
> DEFAULT
> 	Session-Timeout =
>
> Enter a number in seconds for . This should do the trick.
>
> Will D. Spann
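An added example, not Will's configuration or the project's stock files, showing the two settings that most often keep a trailing DEFAULT from reaching an EAP-TTLS client: rlm_files stops at the first matching entry unless that entry sets Fall-Through, and reply attributes produced inside the TTLS tunnel only reach the NAS when eap.conf copies them out. The user name and password are placeholders.

```conf
# users (raddb) - rlm_files takes the first entry that matches and stops
# there, so the per-user entry has to fall through for the DEFAULT below
# to add Session-Timeout to the same reply.
mitul	Cleartext-Password := "change-me"
	Fall-Through = Yes

# Placed after the per-user entries. 3600 seconds = one hour, after which
# the NAS drops the session and the supplicant has to authenticate again.
DEFAULT
	Session-Timeout = 3600

# eap.conf, ttls section - with EAP-TTLS the users file runs against the
# inner (tunneled) request; its reply items are copied to the outer
# Access-Accept only when use_tunneled_reply is on.
ttls {
	copy_request_to_tunnel = yes
	use_tunneled_reply = yes
}
```

Verify with `radiusd -X`: the final "Sending Access-Accept" block for a TTLS login must list Session-Timeout = 3600. If the inner request shows it but the outer reply does not, use_tunneled_reply is the missing piece; if neither shows it, the per-user entry matched without falling through.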
Simultaneous-Use for roaming wireless user
Hi all,

We enabled Simultaneous-Use checking against accounting data stored in a MySQL database. However, we found that some of the Stop records are not received and this makes Simultaneous-Use checking fail. It seems roaming users will always encounter this problem. I wonder if I have to use checkrad instead, but it seems our AP (Aruba) is not permitted as nastype in clients.conf.

Would anyone please advise any solution for this issue? Thank you very much.

Best Regards,
/ST Wong
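The stock simul_count_query counts radacct rows whose acctstoptime IS NULL, so one lost Stop leaves a row open forever and every later login for that user is refused. An added example, not code from the thread or from FreeRADIUS, that treats an open row as stale once the NAS has stopped sending Interim-Updates for it, which is the usual alternative to checkrad when the NAS type is unsupported. It assumes Acct-Interim-Interval is enforced on the APs (300 seconds here) and that the sweep runs from cron against the same database; the rows are constructed sample data, not real accounting records.

```python
"""Reconcile open radacct rows against interim updates before trusting
Simultaneous-Use. Added example; assumes the NAS sends Interim-Updates
every INTERIM_INTERVAL. Sample rows below are constructed."""
from datetime import datetime, timedelta

INTERIM_INTERVAL = timedelta(seconds=300)   # Acct-Interim-Interval on the NAS
GRACE_MULTIPLIER = 3                        # tolerate a few lost interim packets

# Constructed radacct-style rows. acctupdatetime is None until the first
# Interim-Update arrives, so "last seen" falls back to acctstarttime.
NOW = datetime(2009, 2, 13, 12, 0, 0)
ROWS = [
    {"radacctid": 1, "username": "alice", "acctsessionid": "A1", "nasipaddress": "10.0.0.1",
     "acctstarttime": NOW - timedelta(hours=5), "acctupdatetime": NOW - timedelta(hours=4),
     "acctstoptime": None},                       # silent for 4 h: Stop was lost
    {"radacctid": 2, "username": "alice", "acctsessionid": "A2", "nasipaddress": "10.0.0.2",
     "acctstarttime": NOW - timedelta(minutes=20), "acctupdatetime": NOW - timedelta(minutes=4),
     "acctstoptime": None},                       # updated 4 min ago: live
    {"radacctid": 3, "username": "alice", "acctsessionid": "A3", "nasipaddress": "10.0.0.1",
     "acctstarttime": NOW - timedelta(hours=1), "acctupdatetime": None,
     "acctstoptime": NOW - timedelta(minutes=30)},  # closed normally
    {"radacctid": 4, "username": "bob", "acctsessionid": "B1", "nasipaddress": "10.0.0.3",
     "acctstarttime": NOW - timedelta(minutes=2), "acctupdatetime": None,
     "acctstoptime": None},                       # just started, no interim yet: live
]


def last_seen(row):
    """Most recent packet the NAS sent for this session."""
    return row["acctupdatetime"] or row["acctstarttime"]


def is_stale(row, now=NOW, interim=INTERIM_INTERVAL, grace=GRACE_MULTIPLIER):
    """Open row that the NAS has silently stopped reporting on."""
    if row["acctstoptime"] is not None:
        return False
    return now - last_seen(row) > interim * grace


def split_open_rows(rows, now=NOW):
    """Return (live, stale) lists of the rows that still have no Stop."""
    live, stale = [], []
    for row in rows:
        if row["acctstoptime"] is not None:
            continue
        (stale if is_stale(row, now) else live).append(row)
    return live, stale


def simultaneous_use_count(rows, username, now=NOW):
    """What simul_count_query should report once stale rows are ignored."""
    live, _ = split_open_rows(rows, now)
    return sum(1 for r in live if r["username"] == username)


def close_stale_sql(stale, now=NOW):
    """Parameterised UPDATE that closes stale rows with an explicit cause,
    so the sweep is visible in the accounting data instead of silently
    deleting it. Returns (None, ()) when there is nothing to close."""
    if not stale:
        return None, ()
    placeholders = ", ".join("%s" for _ in stale)
    sql = ("UPDATE radacct SET acctstoptime = %s, acctterminatecause = 'Admin-Reset' "
           f"WHERE acctstoptime IS NULL AND radacctid IN ({placeholders})")
    return sql, (now, *[r["radacctid"] for r in stale])


if __name__ == "__main__":
    live, stale = split_open_rows(ROWS)
    print("live :", [r["acctsessionid"] for r in live])
    print("stale:", [r["acctsessionid"] for r in stale])
    print("alice concurrent sessions:", simultaneous_use_count(ROWS, "alice"))
    print(close_stale_sql(stale))
```

The grace multiplier is the security knob: too small and a client behind a lossy link gets its row closed while still online, which lets a second login through; too large and the original complaint returns. Keep it at two or three interim intervals and make sure the NAS really sends updates at that rate, since without interim accounting the start time is the only signal and the sweep degrades to a plain session age limit.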
RE: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
I have exactly the same problem with Fedora 9 and 10 only. It works perfectly fine in Fedora 8 with the exact same configuration. I have spent hours trying to fix this, and could not figure it out.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org] On Behalf Of andrey.trubni...@unicreditgroup.ru
Sent: Thursday, February 12, 2009 8:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem

Hi,
I configured FreeRADIUS 2.1.3 as described in http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO but it doesn't work. Here is the debug output:

FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec 8 2008 at 16:00:08
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Grouping different kinds of clients and returning different attributes
I'm new to FreeRADIUS, so please understand that my understanding of the vocabulary and structures is limited. I've read through the documentation and I'm trying to do something that may be obvious to some.

I'm trying to configure FreeRADIUS to do administrator authentication from a series of switches, routers, and firewalls. Some are Cisco IOS, some HP ProCurve, and some Juniper. I've got it working so that all are properly authenticating. The back-end authentication is LDAP.

The problem is that there are roughly 250 units on various IP addresses across the WAN. I'd like to redirect them all to the same RADIUS server. The problem is that although I have some 250 client definitions in clients.conf, I'd rather avoid using 250 definitions in users. I'm trying to find a way to categorize the RADIUS clients into Cisco, HP, etc.

What I was trying to do was to give each client a name:

client Cisco_IOS.host-10.1.2.3 {
	ipaddr = 10.1.2.3
	secret = supersecret
}

client HP_Procurve.host-10.3.2.1 {
	ipaddr = 10.3.2.1
	secret = alsoverysecret
}

And then build something to refer to them in the users file along the lines of:

DEFAULT	Client-Shortname =~ "Cisco_IOS.*", User-Name := "someadmin", Cleartext-Password := "goodpassword"
	Service-Type = NAS-Prompt-User

DEFAULT	Client-Shortname =~ "HP_Procurve.*", User-Name := "anotheradmin", Cleartext-Password := "greatpassword"
	Service-Type = 6

or maybe

DEFAULT	Client-Shortname =~ "Somethingelse.*", Auth-Type := Pam (or LDAP)
	Service-Type = (something else),
	Other-attributes = XXX

I'm having some problems, so I'm either missing something, or I'm going down an entirely wrong path. I got the "Client-Shortname" from the Run-time variables page in the Wiki, but I suspect it isn't evaluating like I think it ought to.

Thank you for your time.
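The grouping the poster is after is what the huntgroups file exists for: the preprocess module tags each request with a Huntgroup-Name from the first matching line, and the users file can then key on that name instead of on a regex over the client's shortname. An added example, not the poster's configuration or the project's stock files; the two addresses are the ones from the post, and a real file lists every one of the 250 clients once. It assumes authentication stays with the ldap module, so no password appears here.

```conf
# huntgroups (raddb) - group devices by the client that sent the request.
# Add one line per NAS; the same group name may appear on many lines.
cisco_ios	NAS-IP-Address == 10.1.2.3
hp_procurve	NAS-IP-Address == 10.3.2.1

# users (raddb) - one DEFAULT per huntgroup returns that vendor's
# privilege attributes. rlm_files stops at the first entry that matches,
# so a Cisco request never reaches the HP entry and vice versa. The
# password check itself is still done by LDAP.
DEFAULT	Huntgroup-Name == "cisco_ios"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT	Huntgroup-Name == "hp_procurve"
	Service-Type = Administrative-User
```

One caveat a practitioner should weigh: NAS-IP-Address is an attribute the device puts into the packet, not the address the packet came from, so a device that is allowed to talk to the server at all can claim another group's address. Where that matters, match on the packet source instead (FreeRADIUS exposes it as Packet-Src-IP-Address in 2.x; treat that name as something to confirm in your version's dictionary before relying on it), or give each class of device its own virtual server via the client definition and keep the privilege attributes there.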
Re: authenticating to ldaps/tls
>> use start_tls=no fails also,
> Maybe but keep it to no

did that, still fails with the same message

>> it seems to have a problem with the cert and/or cert directory:
>>
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
>> rlm_ldap: setting TLS mode to 1
>> rlm_ldap: could not set LDAP_OPT_X_TLS option Success
>>
> ?? this is confusing... could that mean that your ldap library wasn't
> compiled with ssl support... I'm not sure
> see
> http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09575.html
> (but this is a rather old post)

The version of OpenSSL I'm using is: OpenSSL 0.9.8i 15 Sep 2008

The CA certificate is valid for the ldap server because the client connects when I test with...

openssl s_client -CAfile SVMHS_CA_SSL_Server.pem -connect ldap1.stvincents.com.au:636

Freeradius was compiled as follows:

./configure --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include --with-radacctdir=/var/log/freeradius/radacct --with-raddbdir=/etc/freeradius --with-openssl-includes=/etc/include/openssl --with-openssl-libraries=/usr/lib

cheers
Peter

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been virus scanned and although no viruses were detected by the system, St Vincents & Mater Health Sydney accepts no liability for any consequential damage resulting from email containing any computer viruses. **
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
andrey.trubni...@unicreditgroup.ru wrote:
> Hi
> I configure Freeradius 2.1.3 how it describes in
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
> but it doesn't work.
...
> Sending Access-Challenge of id 130 to 10.6.0.86 port 1645
> EAP-Message = 0x010a004a1900170301003f7201bd50ad95ad02eed7b8c10e950ce1d0858a8d2e64401635f1f270813682833ee111b5a1eb2db22fd25daf6a8fea82236d0ff920182b9e3325150deefeeb
> Message-Authenticator = 0x
> State = 0x9c8a80f59b809961300b089b526f445b
> Finished request 7.
> Going to the next request
> Waking up in 4.8 seconds.
> Cleaning up request 0 ID 123 with timestamp +51

Read "eap.conf". Complete documentation is there.

Alan DeKok.
Re: Regular expressions doesn't work in /etc/raddb/hints
Victor Shkamerda wrote:
> Hi,
>
> We are migrating from other RADIUS software to FreeRADIUS. In order to avoid
> changing existing users database objects, I'm trying to fix the User-Name
> attribute format in NAS request and it seems that preprocess module is the
> right place to do that. But after adding new default rule in the hints file I
> have discovered that it doesn't work. The rule is always matching my regular
> expression no matter what string I put into it. The regular expression is
> simply the string itself i.e. like "/string/". After looking through sources
> I found that in src/lib/valuepair.c in pairmove the operator T_OP_REG_EQ is
> commented out. Could it be the culprit or is there anything else that I
> should know? The FreeRADIUS version is 2.1.3 on SLES 10 compiled from sources.

This should be fixed in 2.1.4.

Alan DeKok.
Re: Session-timeout problem
Mitul Modi,

> I am new to FreeRADIUS. Can anyone help how I can configure Session-Timeout?
> I am using EAP-TTLS with CHAP password.
> I have added credentials for user name and password in the users file.

To apply a Session-Timeout to all the users in your 'users' file, add the following entry after the user entries.

DEFAULT
	Session-Timeout =

Enter a number in seconds for . This should do the trick.

Will D. Spann
Re: PEAP/MS-CHAPv2 for some, Kerberos (or PAM) for others...
On Feb 9, 2009, at 4:05 PM, sth wrote:
> I'd like to integrate the function of an older RADIUS server (FR 1.0.1) into the new one (FR 2.1.3), which handles 802.1X. The old FR box handles authentication for a VPN concentrator. It has some static users defined, then defaults to PAM (which, in this context, means krb5).
>
> Krb5 works fine on the FR 2.1.3 config if I append:
>
> DEFAULT Auth-Type := Kerberos
>
> to the users file. Doing so breaks all tunneled EAP methods (which reading leads me to believe is predictable). Using PAM gives similar results, and I figured it better to use FR's native krb5 support anyway.
>
> I started down the path indicated in a seemingly-similar thread[3] from February of 2008, but my understanding of FR is still not good enough that I can parlay those (mostly FR1.x) instructions into a valid FR2.x config, in spite of Phil Mayers' general comments re: using 2.x's virtual server functionality.
>
> Are EAP and DEFAULTs mutually exclusive? If not, what's the most effective way to approach this? Your thoughts on the matter are appreciated. I apologize in advance if there's already a wiki page or thread that deals with this, and accept links to such posts with great gusto. :-)

One way would be to not manually set Auth-Type in the users file and instead use unlang:

authorize {
	...
	update control {
		Auth-Type = Kerberos
	}
}

This would set Auth-Type to Kerberos if and only if no other modules in the authorize section (such as files or eap) set Auth-Type. See 'man unlang' for more details.

Mike Loosbrock
Bethel University Network Services
651-638-6723
RE: Proxy with two interfaces configuration
> P.S: another quick question. Is it possible with some logging option (or in other ways) to save the attributes that the server adds to the Access-Accept message locally in a file on the proxy machine? I saw that there are some options to add/modify the attributes in the reply, but is it possible to save them in a file?

I answered the second question by reading the modules documentation more carefully. Thank you anyway. (The proxy problem is still there anyway.)

--
D'Avella Stefano
Bell Labs Alcatel-Lucent
Centre de Villarceaux
Route de Villejust
91625 NOZAY
Proxy with two interfaces configuration
Hello all,

I am using freeradius 2.1.0 on two Ubuntu machines, one of which is configured as server and one as proxy. The network is configured in IPv6 but that's not the problem here (everything regarding IPv6 works well now).

I am trying to create a testbed where there are three machines:
- one server, which listens on an interface
- one client (for testing I am just using radclient) that sends auth requests to a proxy
- one proxy, in the middle of the two other machines, that proxies auth requests to the server. This proxy has two interfaces, one connected to the client and one to the server.

All following IPv6 addresses are to be read with global scope (but as I said, if they were IPv4 it would be the same I think):

Server address: 2001::400
Proxy (interface to the server): 2001::300
Proxy (interface to the client): 2000::300
Client: 2000::200

Now when I try to run the test what happens is that the client sends the auth request, the proxy correctly forwards it to the server, and the server correctly authenticates the client. The problem is that the proxy sends the proxied message with the address 2000::300, not 2001::300. When the server tries to reply to the proxy, it tries to send the packet to 2000::300 but since it is a different network there is no route for it.

I have been searching for a while in the users / radiusd.conf / clients.conf / proxy.conf for an option to set the proxy IP address when proxying messages. It seemed to me that I saw something like that, but if I did I just can't find it again. If it exists it would be sufficient to tell me where to find it and I will hopefully solve this issue on my own.

I attach some config files:

Server:

clients.conf
# IPv6 Client
client 2000::300 {
	nastype = other
	secret = testing123
	shortname = relay
}
(if I set 2001::300 it tells me that it receives a packet from the unknown host 2000::300 and discards it)

radiusd.conf
listen {
	# ipaddr = *
	ipv6addr = 2001::400
	port = 0
	type = auth
}

Proxy:

clients.conf
# IPv6 Client
client 2000::200 {
	secret = testing123
	shortname = mobile
}

proxy.conf
home_server rad_server {
	type = auth
	ipv6addr = 2001::400
	port = 1812
	secret = testing123
}
home_server_pool my_auth {
	type = fail-over
	home_server = rad_server
}
realm example.com {
	auth_pool = my_auth
}
(example.com is the realm I use in the test)

P.S: another quick question. Is it possible with some logging option (or in other ways) to save the attributes that the server adds to the Access-Accept message locally in a file on the proxy machine? I saw that there are some options to add/modify the attributes in the reply, but is it possible to save them in a file?

Thanks in advance for the help and sorry if I am missing out something obvious.

Best Regards,
--
D'Avella Stefano
Bell Labs Alcatel-Lucent
Centre de Villarceaux
Route de Villejust
91625 NOZAY
Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Hi,
I configured FreeRADIUS 2.1.3 as described in http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO but it doesn't work. Here is the debug output:

FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec 8 2008 at 16:00:08
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
	log {
		stripped_names = no
		auth = no
		auth_badpass = no
		auth_goodpass = no
	}
	security {
		max_attributes = 200
		reject_delay = 1
		status_server = yes
	}
}
client 10.6.0.0/16 {
	require_message_authenticator = no
	secret = "secret"
	shortname = "cisco"
}
client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"
}
radiusd: Loading Realms and Home Servers
proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
}
home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = "testing123"
	response_window = 20
	max_outstanding = 65536
	zombie_period = 40
	status_check = "status-server"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
}
home
Custom error messages
Hi,

I use FreeRADIUS 1.1.7 to authenticate users to provide Internet connectivity. I have groups of usernames which have access from anywhere. However, I have other groups which only have access from one NAS (promotional codes). I know how to block these accounts from my Postgres database, with a row in table radgroupcheck:

	promotion	NAS-IP-Address	!~	1.2.3.(4|5)

I reject the request from the NAS with IP 1.2.3.4 or 1.2.3.5.

My question is: can I send the error message "You are not allowed from this site"? If so, how?

Thanks,
Santiago
Regular expressions doesn't work in /etc/raddb/hints
Hi,

We are migrating from other RADIUS software to FreeRADIUS. In order to avoid changing existing user database objects, I'm trying to fix the User-Name attribute format in the NAS request and it seems that the preprocess module is the right place to do that. But after adding a new default rule in the hints file I have discovered that it doesn't work. The rule always matches my regular expression no matter what string I put into it. The regular expression is simply the string itself, i.e. like "/string/". After looking through the sources I found that in src/lib/valuepair.c in pairmove the operator T_OP_REG_EQ is commented out. Could it be the culprit, or is there anything else that I should know? The FreeRADIUS version is 2.1.3 on SLES 10 compiled from sources.

Best regards,
Victor Shkamerda
Re: using IP address of vpn users in radius server
Yes, but how can I specify Calling-Station-Ids based on valid and invalid IPs? I want radius to check that if Calling-Station-Id is valid, radius sends ippool 1 for the vpn server, and if Calling-Station-Id is invalid, it sends ippool 2. Where is this comparison set in the radius server?

> Message: 2
> Date: Sat, 07 Feb 2009 16:12:10 +0100
> From:
> Subject: Re: using IP address of vpn users in radius server
> To: "FreeRadius users mailing list"
> Message-ID: <5yfqtwpv.1234019530.4835870@kalik.net>
> Content-Type: text/plain; charset=ISO-8859-2
>
> > I have a radius server that uses ldap server for authentication and
> > authorization. The client of radius server is a vpn server.
> > now they are working. I want to have two groups of vpn users in vpn server
> > base on their IP addresses.
> > Could radius server check IP address of users
>
> Yes. IP address should be in Calling-Station-Id attribute in the request.
>
> Ivan Kalik
> Kalik Informatika ISP
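The comparison the poster is asking about lives in the users file: a check item on Calling-Station-Id selects the entry, and a Pool-Name control item in that entry tells rlm_ippool which instance may hand out an address. An added example, not from the thread or from the project's stock files; the "valid" range 192.0.2.0/24, the pool ranges and the instance names are assumptions, and the module stanza syntax is the 2.x one (on 1.x the same keys go in radiusd.conf and ${db_dir} becomes ${raddbdir}).

```conf
# users (raddb) - the first entry matches peers from the trusted range and
# binds the request to pool_trusted; rlm_files stops at the first match, so
# the unconditional DEFAULT below only catches everyone else. Both entries
# must sit above any other DEFAULT that would match first.
DEFAULT	Calling-Station-Id =~ "^192[.]0[.]2[.][0-9]+$", Pool-Name := "pool_trusted"
	Service-Type = Framed-User

DEFAULT	Pool-Name := "pool_guest"
	Service-Type = Framed-User

# modules/ippool - each instance compares Pool-Name with its own instance
# name and is a no-op for requests bound to the other pool. Ranges are
# constructed; give each pool its own session-db and ip-index files.
ippool pool_trusted {
	range-start = 10.10.1.10
	range-stop = 10.10.1.250
	netmask = 255.255.255.0
	cache-size = 800
	session-db = ${db_dir}/db.pool_trusted
	ip-index = ${db_dir}/db.ipindex_trusted
	override = no
	maximum-timeout = 0
	key = "%{NAS-Port}"
}

ippool pool_guest {
	range-start = 10.10.2.10
	range-stop = 10.10.2.250
	netmask = 255.255.255.0
	cache-size = 800
	session-db = ${db_dir}/db.pool_guest
	ip-index = ${db_dir}/db.ipindex_guest
	override = no
	maximum-timeout = 0
	key = "%{NAS-Port}"
}

# sites-enabled/default - add both instances to the existing sections;
# post-auth allocates the address, accounting (Stop) releases it.
post-auth {
	pool_trusted
	pool_guest
}
accounting {
	pool_trusted
	pool_guest
}
```

Two caveats. Calling-Station-Id is whatever the VPN concentrator chooses to report; for an established tunnel that is the peer's real source address, but NAT puts many unrelated clients behind one address, so "valid" here means "came from a network we trust", not "is a trusted user". And the split is only an address assignment: the access difference between the two groups has to be enforced by firewall rules keyed on the two pool subnets, otherwise a guest address is just a different number.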
Re: authenticating to ldaps/tls
Peter Param wrote:
> it is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636)
> ...but it also supports the latter even tho an acl is set to not allow port 389
>
> use start_tls=no fails also,

Maybe, but keep it to no.

> it seems to have a problem with the cert and/or cert directory:
>
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: could not set LDAP_OPT_X_TLS option Success

?? this is confusing... could that mean that your ldap library wasn't compiled with ssl support... I'm not sure
see http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09575.html (but this is a rather old post)

> rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
> rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/

> cacertfile = /etc/openssl/certs/SVMHS_CA_SSL_Server.cer

The doc states that tls_cacertfile is a PEM-encoded file: I think your CA cert is a DER-encoded one (the .cer extension usually is).

> cacertdir = /etc/openssl/certs/

The doc states that tls_cacertdir is in "hash format" (see openssl verify).

Also check that the directory and files are accessible/readable by the user running the radius server.

My 2 cents,...
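The first of the two points above (PEM versus DER) is the one that is easy to misdiagnose, because the LDAP library's error text says nothing useful. An added example, not code from the thread or from FreeRADIUS, that tells the two encodings apart by their structure and rewrites a DER .cer as the PEM file tls_cacertfile expects. It assumes nothing beyond the Python standard library; SAMPLE_DER is a constructed, minimal ASN.1 SEQUENCE that exercises the wrapping logic and is not a real certificate.

```python
"""Check whether a CA file is PEM or DER and convert DER to PEM.

Added example. rlm_ldap's tls_cacertfile must be PEM (base64 between
BEGIN/END CERTIFICATE lines); a .cer exported from a Windows CA is often
DER. SAMPLE_DER is constructed, not a real certificate."""
import base64
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S
)

# Constructed stand-in for a DER certificate: SEQUENCE { INTEGER 1 }.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])


def der_total_length(data: bytes):
    """Encoded length of the outermost DER TLV, or None if malformed."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    num = first & 0x7F                    # long form: number of length bytes
    if num == 0 or num > 4 or len(data) < 2 + num:
        return None
    return 2 + num + int.from_bytes(data[2:2 + num], "big")


def classify(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the contents of a file."""
    if PEM_RE.search(data):
        return "pem"
    # A DER certificate is one SEQUENCE (tag 0x30) spanning the whole file;
    # a length that does not match the file size means trailing junk or a
    # truncated download, and OpenSSL will refuse it too.
    if data[:1] == b"\x30" and der_total_length(data) == len(data):
        return "der"
    return "unknown"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in PEM armour with 64-column base64, as OpenSSL does."""
    b64 = base64.b64encode(der)
    body = b"".join(b64[i:i + 64] + b"\n" for i in range(0, len(b64), 64))
    return (f"-----BEGIN {label}-----\n".encode() + body
            + f"-----END {label}-----\n".encode())


def pem_to_der(pem: bytes) -> bytes:
    """Inverse of der_to_pem; strips the armour and line breaks."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(match.group(2).split()))


def ensure_pem(data: bytes) -> bytes:
    """Return PEM for either input format; refuse anything else loudly."""
    kind = classify(data)
    if kind == "pem":
        return data
    if kind == "der":
        return der_to_pem(data)
    raise ValueError("file is neither PEM nor DER")


if __name__ == "__main__":
    # usage: python3 cacheck.py SVMHS_CA_SSL_Server.cer > SVMHS_CA_SSL_Server.pem
    with open(sys.argv[1], "rb") as fh:
        sys.stdout.buffer.write(ensure_pem(fh.read()))
```

This only addresses tls_cacertfile. The second point in the reply, tls_cacertdir, needs the hashed layout that `c_rehash` (or `openssl x509 -hash -noout` plus a symlink per file) produces; a directory holding plain .pem files is silently useless to the library, which is consistent with the LDAP_OPT_X_TLS_CACERTDIR failure in Peter's log. Point the module at one or the other, and make sure the radius user can read it.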
Re: authenticating to ldaps/tls
it is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636) ...but it also supports the latter even tho an acl is set to not allow port 389

use start_tls=no fails also, it seems to have a problem with the cert and/or cert directory:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/

cheers
Peter

>>> thibault.lem...@supelec.fr 12/02/2009 9:04 pm >>>
Peter Param wrote:
> Hi all,
>
> I'm trying to authenticate to a LDAPS backend but failing. Any suggestions?
>
Is it an LDAP server answering on LDAPS connections (LDAP+SSL on port 636) or an LDAP server answering on LDAP connections that are then secured by Start-TLS (LDAP on port 389 + Start-TLS)? These are 2 different options.

> ldap people_search {
> 	server = "ldap1.stvincents.com.au"
> 	port = 636
==> This implies an ldaps server
> 	identity = "cn=admin,o=org,c=au"
> 	password = ***
> 	filter = "(cn=%u)"
> 	basedn = "ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au"
> 	tls {
> 		tls_mode = yes
> 		# to the LDAP database by using the StartTLS extended
> 		# operation.
> 		#
> 		# The StartTLS operation is supposed to be
> 		# used with normal ldap connections instead of
> 		# using ldaps (port 689) connections
> 		start_tls = yes
==> this is not compliant with an ldaps server; use start_tls=no

By the way, Alan and other Gurus, I think there is a small typo in the comment:
	# using ldaps (port 689) connections
Should be
	# using ldaps (port 636) connections

HTH,
Thibault
Re: authenticating to ldaps/tls
Peter Param wrote:
> Hi all,
>
> I'm trying to authenticate to a LDAPS backend but failing. Any suggestions?
>
Is it an LDAP server answering on LDAPS connections (LDAP+SSL on port 636) or an LDAP server answering on LDAP connections that are then secured by Start-TLS (LDAP on port 389 + Start-TLS)? These are 2 different options.

> ldap people_search {
> 	server = "ldap1.stvincents.com.au"
> 	port = 636
==> This implies an ldaps server
> 	identity = "cn=admin,o=org,c=au"
> 	password = ***
> 	filter = "(cn=%u)"
> 	basedn = "ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au"
> 	tls {
> 		tls_mode = yes
> 		# to the LDAP database by using the StartTLS extended
> 		# operation.
> 		#
> 		# The StartTLS operation is supposed to be
> 		# used with normal ldap connections instead of
> 		# using ldaps (port 689) connections
> 		start_tls = yes
==> this is not compliant with an ldaps server; use start_tls=no

By the way, Alan and other Gurus, I think there is a small typo in the comment:
	# using ldaps (port 689) connections
Should be
	# using ldaps (port 636) connections

HTH,
Thibault
Auth User update time on mysql
Hello,

I am keeping session information in MySQL only. What I notice is that when a user logs in, only after a few minutes do I see the SQL tables updated about this user. So, if I check the max-session number via SQL too, a user can log in a few times, because the user cannot be found as online on the SQL side.

Is there a wait limit on the SQL update? If so, is there a way to lower this timing?