Re: Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-12 Thread Michael Schwartzkopff
On Friday, 13 February 2009 07:17:17, Paul Dealy wrote:
> I have a working RADIUS server (ver 1.1.3), which I am using for
> 802.1x authentication of wired switch ports.  I would like to
> dynamically assign users VLANs.  I have Cisco gear and have achieved
> basic VLAN allocation by configuring a DEFAULT entry in the users
> file.   So the VLAN allocation part works ok.
>
> What I want to be able to do is allocate the VLAN by matching the
> value of an LDAP attribute.  Not by group membership, but the actual
> value of a user's attribute.  Is this possible?
>
> Cheers,
> Dealy

Yes. Just assign these attributes to the user object in LDAP.


-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Dynamic Vlan Allocation based on LDAP Attribute Value

2009-02-12 Thread Paul Dealy
I have a working RADIUS server (ver 1.1.3), which I am using for
802.1x authentication of wired switch ports.  I would like to
dynamically assign users VLANs.  I have Cisco gear and have achieved
basic VLAN allocation by configuring a DEFAULT entry in the users
file.   So the VLAN allocation part works ok.

What I want to be able to do is allocate the VLAN by matching the
value of an LDAP attribute.  Not by group membership, but the actual
value of a user's attribute.  Is this possible?

Cheers,
Dealy


Re: Session-timeout problem

2009-02-12 Thread Mitul Modi
Hi,

Thanks for the reply.

I have tried this, but when I do so it takes this as a default
entry and gives an error for user name and password.

I have entered username and Cleartext-Password in the users file.

I have also configured the MySQL database for authentication and accounting,
so at that time I am getting the error "no User-password or CHAP-password" in
request.


Thanks,
Mitul Modi

On Fri, Feb 13, 2009 at 12:07 AM, Will D. Spann wrote:

> Mitul Modi,
>
> >I am new to FreeRADIUS. Can anyone help with how I can configure
> >Session-Timeout?
>
> >I am using EAP-TTLS with CHAP password.
>
> >I have added credentials for user name and password in the users file.
>
> To apply a Session-Timeout to all the users in your 'users' file, add the
> following entry after the user entries.
>
> DEFAULT
> Session-Timeout = 
>
> Enter a number in seconds for .  This should do the trick.
>
> Will D. Spann
>
>
>

Simultaneous-Use for roaming wireless user

2009-02-12 Thread ST Wong (ITSC)
Hi all,

We enabled Simultaneous-Use checking against the accounting
data stored in a MySQL database.  However, we found that some of the Stop
records are not received, and this makes Simultaneous-Use checking fail.
It seems roaming users always encounter this problem.  I wonder if
I have to use checkrad instead, but it seems our AP (Aruba) is not permitted
as nastype in clients.conf.

Would anyone please advise any solution for this issue?  Thank you very
much.

Best Regards,
/ST Wong

RE: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem

2009-02-12 Thread Casartello, Thomas
I have exactly the same problem with Fedora 9 and 10 only. It works
perfectly fine in Fedora 8 with the exact same configuration. I have spent
hours trying to fix this, and could not figure it out.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College

Red Hat Certified Technician (RHCT)


-Original Message-
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org
[mailto:freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org
] On Behalf Of andrey.trubni...@unicreditgroup.ru
Sent: Thursday, February 12, 2009 8:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem


Hi
I configured FreeRADIUS 2.1.3 as described in
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
but it doesn't work.

Here is the debug output:

FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec  8
2008 at 16:00:08
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client 10.6.0.0/16 {
require_message_authenticator = no
secret = "secret"
shortname = "cisco"
 }
 client localhost {
ipaddr = 127.0.0

Grouping different kinds of clients and returning different attributes

2009-02-12 Thread David Bailey

I'm new to FreeRADIUS, so please understand that my understanding of the
vocabulary and structures is limited. I've read through the documentation
and I'm trying to do something that may be obvious to some.

I'm trying to configure FreeRadius to do administrator authentication from a
series of switches, routers, and firewalls. Some are Cisco IOS, some HP
Procurve, and some Juniper.

I've got it working so that all are properly authenticating. The back-end
authentication is LDAP.

The problem is that there are roughly 250 units on various IP addresses
across the WAN.

I'd like to redirect them all to the same RADIUS server.

The problem is that although I have some 250 client definitions in
clients.conf, I'd rather avoid using 250 definitions in users.

I'm trying to find a way to categorize the RADIUS clients into Cisco, HP,
etc.

What I was trying to do was to give each client a name:

client Cisco_IOS.host-10.1.2.3 {
  ipaddr = 10.1.2.3
  secret = supersecret
}

client HP_Procurve.host-10.3.2.1 {
  ipaddr = 10.3.2.1
  secret = alsoverysecret
}

And then build something to refer to them in the users file along the lines
of:

DEFAULT Client-Shortname =~ "Cisco_IOS.*", User-Name := "someadmin",
Cleartext-Password := "goodpassword"
  Service-Type = NAS-Prompt-User

DEFAULT Client-Shortname =~ "HP_Procurve.*", User-Name := "anotheradmin",
Cleartext-Password := "greatpassword"
  Service-Type = 6

or maybe

DEFAULT Client-Shortname =~ "Somethingelse.*", Auth-Type := Pam  (or LDAP)
   Service-Type = (something else),
   Other-attributes = XXX

I'm having some problems, so I'm either missing something, or I'm going down
an entirely wrong path. I got the "Client-Shortname" from the Run-time
variables page in the Wiki, but I suspect it isn't evaluating like I think
it ought to.

Thank you for your time.


Re: authenticating to ldaps/tls

2009-02-12 Thread Peter Param
>> use start_tls=no fails also,
>Maybe but keep it to no

did that, still fails with the same message


>>  it seems to have a problem with the cert and/or cert directory:
>>
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
>> rlm_ldap: setting TLS mode to 1
>> rlm_ldap: could not set LDAP_OPT_X_TLS option Success
>>   
>?? this is confusing... could that mean that your ldap library wasn't 
>compiled with ssl support... I'm not sure
>see 
>http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09575.html 
>(but this is a rather old post)

The OpenSSL version I'm using is:  OpenSSL 0.9.8i 15 Sep 2008


The CA certificate is valid for the LDAP server, because the client connects
when I test with...

 "openssl s_client -CAfile SVMHS_CA_SSL_Server.pem -connect
ldap1.stvincents.com.au:636"



FreeRADIUS was compiled as follows:

./configure --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
--localstatedir=/var --libdir=/usr/lib --includedir=/usr/include
--with-radacctdir=/var/log/freeradius/radacct --with-raddbdir=/etc/freeradius
--with-openssl-includes=/etc/include/openssl --with-openssl-libraries=/usr/lib



cheers

Peter

**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been virus
scanned and although no viruses were detected by the system, St Vincents &
Mater Health Sydney accepts no liability for any consequential damage
resulting from email containing any computer viruses.

**


Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem

2009-02-12 Thread Alan DeKok
andrey.trubni...@unicreditgroup.ru wrote:
> Hi
> I configured FreeRADIUS 2.1.3 as described in
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
> but it doesn't work.
...
> Sending Access-Challenge of id 130 to 10.6.0.86 port 1645
> EAP-Message =
> 0x010a004a1900170301003f7201bd50ad95ad02eed7b8c10e950ce1d0858a8d2e64401635f1f270813682833ee111b5a1eb2db22fd25daf6a8fea82236d0ff920182b9e3325150deefeeb
> Message-Authenticator = 0x
> State = 0x9c8a80f59b809961300b089b526f445b
> Finished request 7.
> Going to the next request
> Waking up in 4.8 seconds.
> Cleaning up request 0 ID 123 with timestamp +51

  Read "eap.conf".  Complete documentation is there.

  Alan DeKok.


Re: Regular expressions don't work in /etc/raddb/hints

2009-02-12 Thread Alan DeKok
Victor Shkamerda wrote:
> Hi,
> 
> We are migrating from other RADIUS software to FreeRADIUS.  In order to avoid 
> changing existing users database objects, I'm trying to fix the User-Name 
> attribute format in NAS request and it seems that preprocess module is the 
> right place to do that. But after adding new default rule in the hints file I 
> have discovered that it doesn't work. The rule is always matching my regular 
> expression no matter what string I put into it. The regular expression is 
> simply the string itself i.e. like "/string/". After looking through sources 
> I found that in src/lib/valuepair.c in pairmove the operator T_OP_REG_EQ is 
> commented out. Could it be the culprit or is there anything else that I 
> should know? The FreeRADIUS version is 2.1.3 on SLES 10 compiled from sources.

  This should be fixed in 2.1.4.

  Alan DeKok.


Re: Session-timeout problem

2009-02-12 Thread Will D. Spann
Mitul Modi,

>I am new to FreeRADIUS. Can anyone help with how I can configure Session-Timeout?

>I am using EAP-TTLS with CHAP password.

>I have added credentials for user name and password in the users file.

To apply a Session-Timeout to all the users in your 'users' file, add the 
following entry after the user entries.

DEFAULT
Session-Timeout = 

Enter a number in seconds for .  This should do the trick.

Will D. Spann




Re: PEAP/MS-CHAPv2 for some, Kerberos (or PAM) for others...

2009-02-12 Thread Mike Loosbrock

On Feb 9, 2009, at 4:05 PM, sth wrote:

> I'd like to integrate the function of an older RADIUS server (FR 1.0.1)
> into the new one (FR 2.1.3), which handles 802.1X. The old FR box
> handles authentication for a VPN concentrator. It has some static users
> defined, then defaults to PAM (which, in this context, means krb5). Krb5
> works fine on the FR 2.1.3 config if I append:
>
> DEFAULT   Auth-Type := Kerberos
>
> to the users file. Doing so breaks all tunneled EAP methods (which
> reading leads me to believe is predictable). Using PAM gives similar
> results, and I figured it better to use FR's native krb5 support anyway.
>
> I started down the path indicated in a seemingly-similar thread[3] from
> February of 2008, but my understanding of FR is still not good enough
> that I can parlay those (mostly FR1.x) instructions into a valid FR2.x
> config, in spite of Phil Mayers' general comments re: using 2.x's
> virtual server functionality.
>
> Are EAP and DEFAULTs mutually-exclusive? If not, what's the most
> effective way to approach this? Your thoughts on the matter are
> appreciated. I apologize in advance if there's already a wiki page or
> thread that deals with this, and accept links to such posts with great
> gusto. :-)

One way would be to not manually set Auth-Type in the users file and
instead use unlang:

authorize {
  ...
  update control {
    Auth-Type = Kerberos
  }
}

This would set Auth-Type to Kerberos if and only if no other modules
in the authorize section (such as files or eap) set Auth-Type.

See 'man unlang' for more details.

Mike Loosbrock
Bethel University Network Services
651-638-6723


RE: Proxy with two interfaces configuration

2009-02-12 Thread D'AVELLA STEFANO
P.S.: another quick question. Is it possible, with some logging option (or
in another way), to save the attributes that the server adds to the auth
accept message locally in a file on the proxy machine? I saw that there
are some options to add/modify the attributes in the reply, but is it
possible to save them in a file?



I answered the second question by reading the module
documentation more carefully.

Thank you anyway.

(The proxy problem is still there anyway)

-- 
D'Avella Stefano 
Bell Labs 
Alcatel-Lucent 
Centre de Villarceaux 
Route de Villejust 
91625 NOZAY 


Proxy with two interfaces configuration

2009-02-12 Thread D'AVELLA STEFANO
Hello all,

I am using freeradius 2.1.0 on two ubuntu machines, one of which is
configured as server and one as proxy.
The network is configured in ipv6 but that's not the problem here
(everything regarding ipv6 works well now)
I am trying to create a testbed where there are three machines:

-one server, which listens to an interface
-one client (for testing I am just using radclient) that sends auth
requests to a proxy
-one proxy, in the middle of the two other machines, that proxies auth
requests to the server. This proxy has two interfaces, one connected to
the client and one to the server.

All following ipv6 addresses are to be read with global scope (but as I
said, if they were ipv4 it would be the same I think)

Server address : 2001::400 
Proxy (interface to the server) 2001::300
Proxy (interface to the client) 2000::300
Client 2000::200

Now when I try to run the test, what happens is that the client sends
the auth request, the proxy correctly forwards it to the server, and the
server correctly authenticates the client. The problem is that the proxy
sends the proxied message with the address 2000::300, not 2001::300.
When the server tries to reply to the proxy, it tries to send the packet
to 2000::300, but since it is a different network there is no route for
it.

I have been searching for a while in the users / radiusd.conf /
clients.conf / proxy.conf for an option to set the proxy IP address when
proxying messages. It seemed to me that I saw something like that, but
if I did I just can't find it again.

If it exists it would be sufficient to tell me where to find it and I
will hopefully solve this issue on my own.

I attach some config files:

Server:
Clients.conf

# IPv6 Client
client 2000::300 {
nastype = other
secret  = testing123
shortname   = relay
}
(if I set 2001::300 it tells me that it receives a packet from the
unknown host 2000::300 and discards it)

Radiusd.conf

listen {
#   ipaddr = *
ipv6addr = 2001::400
port = 0
type = auth
}

Proxy
Clients.conf

# IPv6 Client
client 2000::200 {
secret  = testing123
shortname   = mobile
}

Proxy.conf

home_server rad_server {
type = auth
ipv6addr = 2001::400
port = 1812
secret =testing123
}
home_server_pool my_auth {
type = fail-over
 home_server = rad_server
}
realm example.com {
auth_pool = my_auth
}
(example.com is the realm I use in the test)


P.S.: another quick question. Is it possible, with some logging option (or
in another way), to save the attributes that the server adds to the auth
accept message locally in a file on the proxy machine? I saw that there
are some options to add/modify the attributes in the reply, but is it
possible to save them in a file?

Thanks in advance for the help and sorry if I am missing out something
obvious.

Best Regards,

--
D'Avella Stefano
Bell Labs
Alcatel-Lucent
Centre de Villarceaux
Route de Villejust
91625 NOZAY


Freeradius2.1.3 + Fedora9 + PEAP + AD = problem

2009-02-12 Thread Andrey . Trubnikov

Hi
I configured FreeRADIUS 2.1.3 as described in
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
but it doesn't work.

Here is the debug output:

FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec  8
2008 at 16:00:08
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client 10.6.0.0/16 {
require_message_authenticator = no
secret = "secret"
shortname = "cisco"
 }
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home

Custom error messages

2009-02-12 Thread Santiago Balaguer García

 Hi,

  I use FreeRADIUS 1.1.7 to authenticate users to provide Internet
connectivity. I have groups of usernames who have access from anywhere. However,
I have other groups which only have access from one NAS (promotional codes). I
know how to block these accounts from my Postgres database:

   table radgroupcheck
promotion NAS-IP-Address  !~  1.2.3.(4|5)

I reject the request from the NAS with IP 1.2.3.4 or 1.2.3.5.

My question is: Can I send the error message "You are not allowed from this site"?
If so, how?

  Thanks,
Santiago

Regular expressions don't work in /etc/raddb/hints

2009-02-12 Thread Victor Shkamerda
Hi,

We are migrating from other RADIUS software to FreeRADIUS.  In order to avoid 
changing existing users database objects, I'm trying to fix the User-Name 
attribute format in NAS request and it seems that preprocess module is the 
right place to do that. But after adding new default rule in the hints file I 
have discovered that it doesn't work. The rule is always matching my regular 
expression no matter what string I put into it. The regular expression is 
simply the string itself i.e. like "/string/". After looking through sources I 
found that in src/lib/valuepair.c in pairmove the operator T_OP_REG_EQ is 
commented out. Could it be the culprit or is there anything else that I should 
know? The FreeRADIUS version is 2.1.3 on SLES 10 compiled from sources.

Best regards,
Victor Shkamerda





Re: using IP address of vpn users in radius server

2009-02-12 Thread Eric
Yes, but how can I specify Calling-Station-Ids based on valid and invalid
IPs?
I want RADIUS to check whether the Calling-Station-Id is valid: if it is, RADIUS sends
ippool 1 to the VPN server, and if the Calling-Station-Id is invalid it sends ippool2.
Where is this comparison set in the RADIUS server?


Message: 2
Date: Sat, 07 Feb 2009 16:12:10 +0100
From: 
Subject: Re: using IP address of vpn users in radius server
To: "FreeRadius users mailing list"
   
Message-ID: <5yfqtwpv.1234019530.4835870@kalik.net>
Content-Type: text/plain; charset=ISO-8859-2


>I have a radius server that uses ldap server for authentication and
>authorization. The client of radius server is a vpn server.
>now they are working. I want to have two groups of vpn users in vpn server
>base on their IP addresses.
>Could radius server check IP address of  users


Yes. IP address should be in Calling-Station-Id attribute in the request.

Ivan Kalik
Kalik Informatika ISP

Re: authenticating to ldaps/tls

2009-02-12 Thread Thibault Le Meur

Peter Param wrote:
> it is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636)
> ...but it also supports the latter even tho an acl is set to not allow port 389
>
> use start_tls=no fails also,

Maybe, but keep it to no.

>  it seems to have a problem with the cert and/or cert directory:
>
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: could not set LDAP_OPT_X_TLS option Success

?? this is confusing... could that mean that your ldap library wasn't
compiled with ssl support... I'm not sure
see
http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09575.html
(but this is a rather old post)

> rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
> rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/
>
> cacertfile= /etc/openssl/certs/SVMHS_CA_SSL_Server.cer

The doc states that tls_cacertfile is a PEM-encoded file: I think your
CAcert is a DER encoded one (extension .cer usually is).

> cacertdir = /etc/openssl/certs/

The doc states that tls_cacertdir is in "hash format" (see openssl verify)

Also check that the directory and files are accessible/readable by the
user running the radius server.


My 2 cents,...
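The two requirements Thibault points at (a PEM-encoded tls_cacertfile rather than a DER .cer, and a tls_cacertdir laid out in OpenSSL's hash format so that the LDAP client library can find the CA by subject hash) can be checked and repaired from the command line. The following POSIX shell functions are an added example and are not part of the original thread or of FreeRADIUS; they assume only that the openssl binary is installed, and every file and directory path they mention is a placeholder, not the poster's real one.

```shell
#!/bin/sh
# Added example (not from the original thread): prepare a CA certificate
# and a hash-format CA directory the way rlm_ldap's tls_cacertfile and
# tls_cacertdir expect them, using only the openssl CLI. All paths are
# placeholders.

# Print "PEM" or "DER" for the certificate file in $1; fail on anything else.
cert_format() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout >/dev/null 2>&1; then
        echo DER
    else
        echo UNKNOWN
        return 1
    fi
}

# Write a PEM copy of the certificate in $1 to $2, converting from DER
# when needed (a .cer file is usually DER and will not load as PEM).
to_pem() {
    case "$(cert_format "$1")" in
        PEM) cp "$1" "$2" ;;
        DER) openssl x509 -inform DER -in "$1" -outform PEM -out "$2" ;;
        *)   return 1 ;;
    esac
}

# Install the CA certificate $1 into directory $2 in "hash format": a PEM
# file plus a symlink named <subject-hash>.0 that openssl verify -CApath
# (and therefore the LDAP library behind tls_cacertdir) looks up.
# Prints the path of the hash link. A second CA with the same subject
# hash would need the suffix .1, .2, ... instead of .0.
install_ca() {
    src=$1
    dir=$2
    mkdir -p "$dir" || return 1
    base=$(basename "$src")
    pem="$dir/${base%.*}.pem"
    to_pem "$src" "$pem" || return 1
    hash=$(openssl x509 -noout -hash -in "$pem") || return 1
    ln -sf "${base%.*}.pem" "$dir/$hash.0" || return 1
    printf '%s\n' "$dir/$hash.0"
}

# Verify certificate $1 against the hash directory $2, the same lookup the
# LDAP client library performs when it validates the LDAPS server chain.
verify_against_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Usage with placeholder paths:
#   install_ca /path/to/CA.cer /etc/openssl/certs
#   verify_against_dir /path/to/ldap-server.pem /etc/openssl/certs
```

Once the directory is laid out this way, point tls_cacertdir at it and tls_cacertfile at the generated .pem; the remaining check from the reply (that the radius user can read both) is a plain permissions question for that account.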

Re: authenticating to ldaps/tls

2009-02-12 Thread Peter Param
it is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636)   
...but it also supports the latter even tho an acl is set to not allow port 389

use start_tls=no fails also, it seems to have a problem with the cert and/or 
cert directory:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/

cheers

Peter




>>> thibault.lem...@supelec.fr 12/02/2009 9:04 pm >>>
Peter Param wrote:
> Hi all,
>
> I'm trying to authenticate to a LDAPS backend but failing.  Any suggestions?
>   
Is it an LDAP server answering on LDAPS connections (LDAP+SSL on port 
636) or an LDAP server answering on LDAP connections that are then 
secured by Start-TLS  (LDAP on port 389 + Start-TLS)  ?

These are 2 different options.


> ldap people_search {
> server = "ldap1.stvincents.com.au"
> port = 636
>   

==> This implies an ldaps server

> identity = "cn=admin,o=org,c=au"
> password = ***
> filter = "(cn=%u)"
> basedn = "ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au"
> tls {
> tls_mode = yes
> # to the LDAP database by using the StartTLS extended
> # operation.
> #
> # The StartTLS operation is supposed to be
> # used with normal ldap connections instead of
> # using ldaps (port 689) connections
> start_tls = yes
>   
==> this is not compliant with an ldaps server
use start_tls=no

By the way, Alan and other Gurus, I think there is a small typo in the 
comment:

# using ldaps (port 689) connections

Should be

# using ldaps (port 636) connections


HTH,
Thibault

Re: authenticating to ldaps/tls

2009-02-12 Thread Thibault Le Meur

Peter Param wrote:
> Hi all,
>
> I'm trying to authenticate to a LDAPS backend but failing.  Any suggestions?

Is it an LDAP server answering on LDAPS connections (LDAP+SSL on port
636) or an LDAP server answering on LDAP connections that are then
secured by Start-TLS  (LDAP on port 389 + Start-TLS)  ?

These are 2 different options.

> ldap people_search {
> server = "ldap1.stvincents.com.au"
> port = 636

==> This implies an ldaps server

> identity = "cn=admin,o=org,c=au"
> password = ***
> filter = "(cn=%u)"
> basedn = "ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au"
> tls {
> tls_mode = yes
> # to the LDAP database by using the StartTLS extended
> # operation.
> #
> # The StartTLS operation is supposed to be
> # used with normal ldap connections instead of
> # using ldaps (port 689) connections
> start_tls = yes

==> this is not compliant with an ldaps server
use start_tls=no

By the way, Alan and other Gurus, I think there is a small typo in the
comment:

# using ldaps (port 689) connections

Should be

# using ldaps (port 636) connections


HTH,
Thibault

Auth User update time on mysql

2009-02-12 Thread Oguzhan Kayhan
Hello, I am keeping session information in MySQL only.

What I notice is that when a user logs in, only after a few minutes do I see the SQL
tables updated for this user.
So, if I check the max-session number via SQL too, the user can log in a few times
because the user cannot be found as online on the SQL side...

Is there a wait limit on the SQL update?
If so, is there a way to lower this timing?

