Re: Dynamic Vlan Allocation based on LDAP Attribute Value
>>> I'm using version 1.1.3 so, I moved the "files" entry below the ldap
>>> entry but my DEFAULT entry in the file: users does not match or return
>>> any value.
>>>
>>
>> You should upgrade. Did something else match in files? Post the debug.
>
> Stuck with this version for now.
>
> I have a "catchall" DEFAULT entry with no comparison which set the
> vlan. But it didn't match on the userORGUNIT ldap attribute value.

Upgrade. Checking control:My-Attribute with unlang works.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Both Fedora 9 and 10. Fedora jumped up to the samba 3.2 line with version 9.
If you want it to work in 9 or 10 you have to use an older version of samba.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org
[mailto:freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org]
On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Monday, February 16, 2009 11:04 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem

Hi,

> Yeah that's got to be it. Fedora 8 uses 3.0.34 while fedora 10 uses 3.2.8.
> I'll have to try it with the old version of samba. I'll post back if it
> works.

is this a confirmation that ntlm_auth doesn't work with samba 3.2.8 and,
therefore, with FC10 ?

alan
Re: Dynamic Vlan Allocation based on LDAP Attribute Value
On Tue, Feb 17, 2009 at 11:44 AM, wrote:
>> I'm using version 1.1.3 so, I moved the "files" entry below the ldap
>> entry but my DEFAULT entry in the file: users does not match or return
>> any value.
>>
>
> You should upgrade. Did something else match in files? Post the debug.

Stuck with this version for now.

I have a "catchall" DEFAULT entry with no comparison which set the
vlan. But it didn't match on the userORGUNIT ldap attribute value.

modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for asmith
radius_xlat: '(&(objectClass=inetOrgPerson)(cn=asmith))'
radius_xlat: 'o=sut'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=sut, with filter (&(objectClass=inetOrgPerson)(cn=asmith))
rlm_ldap: checking if remote access for asmith is allowed by userORGUNIT
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userORGUNIT as userORGUNIT, value ISITCP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user asmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
users: Matched entry DEFAULT at line 25
modcall[authorize]: module "files" returns ok for request 2
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 35 to xxx.xxx.xxx.xxx port 1645
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "226"
	Message-Authenticator = 0x
	State = 0xb4d641b20399b8f92c0d9fb148763ead
Finished request 2
Going to the next request

The users file looks like:

DEFAULT	userORGUNIT == "ISITCP"
	tunnel-type = VLAN,
	tunnel-medium-type = IEEE-802,
	tunnel-private-group-ID = 5,
	Fall-Through = No

DEFAULT
	tunnel-type = VLAN,
	tunnel-medium-type = IEEE-802,
	tunnel-private-group-ID = 226,
	Fall-Through = No

>
> Ivan Kalik
> Kalik Informatika ISP
Re: Dynamic Vlan Allocation based on LDAP Attribute Value
> I'm using version 1.1.3 so, I moved the "files" entry below the ldap
> entry but my DEFAULT entry in the file: users does not match or return
> any value.
>

You should upgrade. Did something else match in files? Post the debug.

Ivan Kalik
Kalik Informatika ISP
Re: Dynamic Vlan Allocation based on LDAP Attribute Value
On Tue, Feb 17, 2009 at 11:04 AM, wrote:
>>>> Am I correct in saying that the LDAP-attribute that is mapped to
>>>> Tunnel-Private-Group-ID would need to be set to the value of the
>>>> VLAN I require? The LDAP-attribute that I wish to use currently
>>>> contains values like "ITISCP" and "ENISCP". I want to say if
>>>> attribute value == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
>>>> = 226). Using ldap.attrmap mappings I would need to store the
>>>> required vlan in a LDAP attribute. (I can't change the LDAP only read
>>>> it).
>>>>
>>>
>>> No. You can define your own attribute (let's say VLAN-Flag) in
>>> raddb/dictionary and use unlang in authorize section to test and set
>>> tunnel attributes.
>>
>> Thanks Ivan,
>>
>> I've configured a dictionary value "userORGUNIT" and added a
>> ldap.attrmap mapping. I've tried to perform a comparison operation
>> on the value of userORGUNIT in the config file: users.
>>
>> i.e DEFAULT userORGUNIT == "HR"
>>         Tunnel-Private-Group-Id = "226"
>>
>> But this does not match, even though debug shows "rlm_ldap: Adding
>> userORGUNIT as userORGUNIT, value HR & op=21"
>>
>> Is this the correct location for these comparison operations? There
>> are around 50 userORGUNIT's that I need to compare against.
>>
>
> Files are normally listed before ldap in authorize. Use unlang switch
> command *after* ldap entry. Or list files after ldap if you are using an
> old version.

Ivan,

I'm using version 1.1.3 so, I moved the "files" entry below the ldap
entry but my DEFAULT entry in the file: users does not match or return
any value.

>
> Ivan Kalik
> Kalik Informatika ISP
Re: Dynamic Vlan Allocation based on LDAP Attribute Value
>>> Am I correct in saying that the LDAP-attribute that is mapped to
>>> Tunnel-Private-Group-ID would need to be set to the value of the
>>> VLAN I require? The LDAP-attribute that I wish to use currently
>>> contains values like "ITISCP" and "ENISCP". I want to say if
>>> attribute value == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
>>> = 226). Using ldap.attrmap mappings I would need to store the
>>> required vlan in a LDAP attribute. (I can't change the LDAP only read
>>> it).
>>>
>>
>> No. You can define your own attribute (let's say VLAN-Flag) in
>> raddb/dictionary and use unlang in authorize section to test and set
>> tunnel attributes.
>
> Thanks Ivan,
>
> I've configured a dictionary value "userORGUNIT" and added a
> ldap.attrmap mapping. I've tried to perform a comparison operation
> on the value of userORGUNIT in the config file: users.
>
> i.e DEFAULT userORGUNIT == "HR"
>         Tunnel-Private-Group-Id = "226"
>
> But this does not match, even though debug shows "rlm_ldap: Adding
> userORGUNIT as userORGUNIT, value HR & op=21"
>
> Is this the correct location for these comparison operations? There
> are around 50 userORGUNIT's that I need to compare against.
>

Files are normally listed before ldap in authorize. Use unlang switch
command *after* ldap entry. Or list files after ldap if you are using an
old version.

Ivan Kalik
Kalik Informatika ISP
Re: Dynamic Vlan Allocation based on LDAP Attribute Value
On Tue, Feb 17, 2009 at 9:50 AM, wrote:
>> Am I correct in saying that the LDAP-attribute that is mapped to
>> Tunnel-Private-Group-ID would need to be set to the value of the
>> VLAN I require? The LDAP-attribute that I wish to use currently
>> contains values like "ITISCP" and "ENISCP". I want to say if
>> attribute value == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
>> = 226). Using ldap.attrmap mappings I would need to store the
>> required vlan in a LDAP attribute. (I can't change the LDAP only read
>> it).
>>
>
> No. You can define your own attribute (let's say VLAN-Flag) in
> raddb/dictionary and use unlang in authorize section to test and set
> tunnel attributes.

Thanks Ivan,

I've configured a dictionary value "userORGUNIT" and added a
ldap.attrmap mapping. I've tried to perform a comparison operation
on the value of userORGUNIT in the config file: users.

i.e DEFAULT userORGUNIT == "HR"
        Tunnel-Private-Group-Id = "226"

But this does not match, even though debug shows "rlm_ldap: Adding
userORGUNIT as userORGUNIT, value HR & op=21"

Is this the correct location for these comparison operations? There
are around 50 userORGUNIT's that I need to compare against.

>
> Ivan Kalik
> Kalik Informatika ISP
Re: Fall-Through attribute, reply or configure item?
> > But it isn't a real reply attribute isn't it? It's more of a configure
> > attribute like Cleartext-Password, right? So it should be used in a
> > check line with := (or radcheck DB table).
>
> Theoretically, yes. Practically, no.
>
> There are 100,000 deployments on the server using the existing
> functionality of Fall-Through, along with lots of documentation.
> Changing it for the sake of "purity" is a waste of time.

Of course, I understand that.

I will be explaining Freeradius to some coworkers, including why we have
to use Cleartext-Password and about the := operator in check lines, and
somehow I came to Fall-Through that seemed like a configuration item. I
had to know exactly what's going on, so I can prepare better.

thanks.

--
damjan | дамјан
This is my jabber ID --> dam...@bagra.net.mk -- not my mail address, it's a Jabber ID --^ :)
Re: Pool-Name woes with sqlippool
> What I would love to do is set up Huntgroups (OK so that bit works too!)
> and then in the sqlippool.conf just assign pool-name = %{Huntgroup-Name}
>
> This doesn't work, and all I get is pool-name is undefined.
>
> Does anyone have any ideas?
>

%{control:Huntgroup-Name}

Ivan Kalik
Kalik Informatika ISP
Re: Fall-Through attribute, reply or configure item?
Damjan wrote:
> I'm reading the documentation of freeradius 2.1.3 (I've not gone through
> it all yet) and I find that "Fall-Through = Yes" is always specified as a
> reply attribute.

  Yes.

> But it isn't a real reply attribute isn't it? It's more of a configure
> attribute like Cleartext-Password, right? So it should be used in a
> check line with := (or radcheck DB table).

  Theoretically, yes. Practically, no.

  There are 100,000 deployments on the server using the existing
functionality of Fall-Through, along with lots of documentation.
Changing it for the sake of "purity" is a waste of time.

  Alan DeKok.
Re: Dynamic Vlan Allocation based on LDAP Attribute Value
> Am I correct in saying that the LDAP-attribute that is mapped to
> Tunnel-Private-Group-ID would need to be set to the value of the
> VLAN I require? The LDAP-attribute that I wish to use currently
> contains values like "ITISCP" and "ENISCP". I want to say if
> attribute value == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
> = 226). Using ldap.attrmap mappings I would need to store the
> required vlan in a LDAP attribute. (I can't change the LDAP only read
> it).
>

No. You can define your own attribute (let's say VLAN-Flag) in
raddb/dictionary and use unlang in authorize section to test and set
tunnel attributes.

Ivan Kalik
Kalik Informatika ISP
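The approach Ivan outlines in this thread (a site-local attribute in raddb/dictionary, an ldap.attrmap check item, and an unlang switch placed after ldap) written out as one complete configuration. This is an added example, not configuration from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.x (1.1.3 has no unlang, which is why the thread ends in "upgrade"), the OU values ISITCP and ENISCP and the VLANs 5 and 226 quoted in the thread, attribute number 3000 (the range the stock 2.x raddb/dictionary leaves free for local attributes), and VLAN 999 as a placeholder for a restricted default VLAN.

```unlang
# --- raddb/dictionary ---
# Site-local attribute.  Number 3000 is an assumption: the stock 2.x
# dictionary reserves 3000+ for local definitions.
ATTRIBUTE	userORGUNIT	3000	string

# --- raddb/ldap.attrmap ---
# A checkItem lands in the control list, so unlang reads it back as
# %{control:userORGUNIT}.  Columns: item type, RADIUS attribute, LDAP
# attribute (the LDAP name here is the one used in the thread).
checkItem	userORGUNIT	userORGUNIT

# --- raddb/sites-enabled/default (or inner-tunnel for PEAP), authorize ---
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    ldap

    # Must run after ldap: only then does the control item exist.
    switch "%{control:userORGUNIT}" {
        case "ISITCP" {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "5"
            }
        }
        case "ENISCP" {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "226"
            }
        }
        # Default case: no OU in LDAP, or one not listed above.  Send such
        # users to a restricted VLAN (999 is a placeholder) instead of a
        # catch-all production VLAN, so an unmapped account fails closed.
        case {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "999"
            }
        }
    }

    expiration
    logintime
    pap
}
```

Two points the thread only hints at. First, the users-file line `DEFAULT userORGUNIT == "ISITCP"` never matched because rlm_files compares check items against the request packet, while the value rlm_ldap fetched sits in the control list (the "op=21" debug line); `%{control:userORGUNIT}` reads that list directly, which is what Ivan means by "checking control:My-Attribute works". Second, with PEAP the real identity is only seen inside the tunnel, so in 2.x this block belongs in the inner-tunnel virtual server's authorize section, with `use_tunneled_reply = yes` in the peap section of eap.conf so the Tunnel-* attributes are copied into the outer Access-Accept. Run `radiusd -X` and check that the switch is evaluated after the `rlm_ldap: Adding userORGUNIT` line.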
Re: Fall-Through attribute, reply or configure item?
> I'm reading the documentation of freeradius 2.1.3 (I've not gone through
> it all yet) and I find that "Fall-Through = Yes" is always specified as a
> reply attribute.
>
> But it isn't a real reply attribute isn't it? It's more of a configure
> attribute like Cleartext-Password, right? So it should be used in a
> check line with := (or radcheck DB table).
>
> I understand that changing this will probably mean too much work for FR
> administrators, I'm only asking to make things clearer to me.
>
> ps.
> is there a list of the special configure attributes that freeradius
> works with?
>

All the answers are in the freeradius.internal dictionary.

Ivan Kalik
Kalik Informatika ISP
Fall-Through attribute, reply or configure item?
I'm reading the documentation of freeradius 2.1.3 (I've not gone through
it all yet) and I find that "Fall-Through = Yes" is always specified as a
reply attribute.

But it isn't a real reply attribute isn't it? It's more of a configure
attribute like Cleartext-Password, right? So it should be used in a
check line with := (or radcheck DB table).

I understand that changing this will probably mean too much work for FR
administrators, I'm only asking to make things clearer to me.

ps.
is there a list of the special configure attributes that freeradius
works with?

--
damjan | дамјан
This is my jabber ID --> dam...@bagra.net.mk -- not my mail address, it's a Jabber ID --^ :)
Re: Dynamic Vlan Allocation based on LDAP Attribute Value
> I have a value set for an attribute in LDAP, how do I "extract" the
> value from the attribute and do a comparison on it in the users file
> so I can set the VLAN?
>

ldap.attrmap file in raddb directory.

Ivan Kalik
Kalik Informatika ISP
Re: using Calling-Station-Id to give ippool name to vpn server
> there is a radius server with VPN server as its nas. radius server uses ldap
> server in back end for authentication and authorization.
> we want if Calling-Station-Id of user is valid radius could give ippool
> number=1 in access reply to vpn server and if Calling-Station-Id of user is
> invalid could give ippool number=2.
> how can radius do this compare?

man unlang.

Ivan Kalik
Kalik Informatika ISP
wiki
I would be willing to update the wiki with what I have learned about how to
configure Freeradius to use the wimax module. However it seems you need an
account to do any wiki edits and there is no place to allow you to create an
account.

Does anyone have a link to how to do so ?

Dave
Re: No authenticate method using Mysql
hi,

you've edited your configs beyond all hope and reasonable amount - why
don't you use the sites-enabled files and do minor edits to the default
config?

alan
Re: No authenticate method using Mysql
> I am trying to use mysql and Freeradius for AAA. The communication between
> freeradius and mysql server seems OK, since Freeradius is getting the clients
> from radclients table.
> When I do a test from the command line:
>
> "radtest user1 pass localhost 1812 shared"
>
> I got the output:
>
> "rad_recv: Access-Request packet from host 127.0.0.1 port 56962, id=152,
> length=57
> 	User-Name = "user1"
> 	User-Password = "pass"
> 	NAS-IP-Address = 127.0.1.1
> 	NAS-Port = 1812
> Mon Feb 16 17:22:09 2009 : Info: No authenticate method (Auth-Type)
> configuration found for the request: Rejecting the user
> Mon Feb 16 17:22:09 2009 : Info: Failed to authenticate the user.
> Mon Feb 16 17:22:09 2009 : Info: Using Post-Auth-Type Reject
> Mon Feb 16 17:22:09 2009 : Debug: WARNING: Unknown value specified for
> Post-Auth-Type. Cannot perform requested action.
> Mon Feb 16 17:22:09 2009 : Info: Delaying reject of request 1 for 1 seconds
> Mon Feb 16 17:22:09 2009 : Debug: Going to the next request
> Mon Feb 16 17:22:09 2009 : Debug: Waking up in 0.9 seconds.
> Mon Feb 16 17:22:11 2009 : Info: Sending delayed reject for request 1
> Sending Access-Reject of id 152 to 127.0.0.1 port 56962
> Mon Feb 16 17:22:11 2009 : Debug: Waking up in 4.9 seconds.
> "
> Following is my configuration file (please note that this is only the file in
> sites-available dir, not radiusd.conf):

What happened to the default virtual server?

Ivan Kalik
Kalik Informatika ISP
No authenticate method using Mysql
Hello,

I am trying to use mysql and Freeradius for AAA. The communication between
freeradius and mysql server seems OK, since Freeradius is getting the clients
from radclients table.

When I do a test from the command line:

"radtest user1 pass localhost 1812 shared"

I got the output:

"rad_recv: Access-Request packet from host 127.0.0.1 port 56962, id=152,
length=57
	User-Name = "user1"
	User-Password = "pass"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
Mon Feb 16 17:22:09 2009 : Info: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Mon Feb 16 17:22:09 2009 : Info: Failed to authenticate the user.
Mon Feb 16 17:22:09 2009 : Info: Using Post-Auth-Type Reject
Mon Feb 16 17:22:09 2009 : Debug: WARNING: Unknown value specified for
Post-Auth-Type. Cannot perform requested action.
Mon Feb 16 17:22:09 2009 : Info: Delaying reject of request 1 for 1 seconds
Mon Feb 16 17:22:09 2009 : Debug: Going to the next request
Mon Feb 16 17:22:09 2009 : Debug: Waking up in 0.9 seconds.
Mon Feb 16 17:22:11 2009 : Info: Sending delayed reject for request 1
Sending Access-Reject of id 152 to 127.0.0.1 port 56962
Mon Feb 16 17:22:11 2009 : Debug: Waking up in 4.9 seconds.
"

Following is my configuration file (please note that this is only the file in
sites-available dir, not radiusd.conf):

"##
#
#	As of 2.0.0, FreeRADIUS supports virtual hosts using the
#	"server" section, and configuration directives.
#
#	Virtual hosts should be put into the "sites-available"
#	directory.  Soft links should be created in the "sites-enabled"
#	directory to these files.  This is done in a normal installation.
#
#	$Id$
#
##
#
#	Read "man radiusd" before editing this file.  See the section
#	titled DEBUGGING.  It outlines a method where you can quickly
#	obtain the configuration you want, without running into
#	trouble.  See also "man unlang", which documents the format
#	of this file.
#
#	This configuration is designed to work in the widest possible
#	set of circumstances, with the widest possible number of
#	authentication methods.  This means that in general, you should
#	need to make very few changes to this file.
#
#	The best way to configure the server for your local system
#	is to CAREFULLY edit this file.  Most attempts to make large
#	edits to this file will BREAK THE SERVER.  Any edits should
#	be small, and tested by running the server with "radiusd -X".
#	Once the edits have been verified to work, save a copy of these
#	configuration files somewhere.  (e.g. as a "tar" file).  Then,
#	make more edits, and test, as above.
#
#	There are many "commented out" references to modules such
#	as ldap, sql, etc.  These references serve as place-holders.
#	If you need the functionality of that module, then configure
#	it in radiusd.conf, and un-comment the references to it in
#	this file.  In most cases, those small changes will result
#	in the server being able to connect to the DB, and to
#	authenticate users.
#
##

server intelitiva.com {

#
#  In 1.x, the "authorize", etc. sections were global in
#  radiusd.conf.  As of 2.0, they SHOULD be in a server section.
#
#  The server section with no virtual server name is the "default"
#  section.  It is used when no server name is specified.
#
#  We don't indent the rest of this file, because doing so
#  would make it harder to read.
#

#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to setup hints for the remote radius server
authorize {
	#
	#  The preprocess module takes care of sanitizing some bizarre
	#  attributes in the request, and turning them into attributes
	#  which are more standard.
	#
	#  It takes care of processing the 'raddb/hints' and the
	#  'raddb/huntgroups' files.
	#
	#  It also adds the %{Client-IP-Address} attribute to the request.
	preprocess

	#
	#  If you want to have a log of authentication requests,
	#  un-comment the following line, and the 'detail auth_log'
	#  section, above.
#	auth_log

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
	chap

	#
	#  If the users are logging in with an MS-CHAP-Challenge
	#  attribute f
RE: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Ok I can confirm it now. I went back to samba 3.0.34 on my Fedora 10 machine
and it now works. It's definitely a samba 3.2 issue.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College
Red Hat Certified Technician (RHCT)

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org
[mailto:freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org]
On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Monday, February 16, 2009 11:04 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem

Hi,

> Yeah that's got to be it. Fedora 8 uses 3.0.34 while fedora 10 uses 3.2.8.
> I'll have to try it with the old version of samba. I'll post back if it
> works.

is this a confirmation that ntlm_auth doesn't work with samba 3.2.8 and,
therefore, with FC10 ?

alan
Re: sql problem
radiusd -X not x.

Ivan Kalik
Kalik Informatika ISP

On 16/2/2009, "tincboy" writes:

> Hi,
> I've just configured my new freeradius installation with mysql,
> but the output of my test command is Rejected.
> radtest home home 127.0.0.1 1812 testing123
>
> radius -x output is:
>
> Starting - reading configuration files ...
> Using deprecated naslist file. Support for this will go away soon.
> Module: Loaded exec
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> Module: Instantiated unix (unix)
> Module: Loaded eap
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> rlm_eap: Loaded and initialized type gtc
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> Module: Instantiated realm (suffix)
> Module: Loaded files
> Module: Instantiated files (files)
> Module: Loaded SQL
> rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> rlm_sql (sql): Attempting to connect to r...@127.0.0.1:/radius
> rlm_sql (sql): starting 0
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
> rlm_sql_mysql: Starting connect to MySQL server for #0
> rlm_sql (sql): Connected new DB handle, #0
> rlm_sql (sql): starting 1
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
> rlm_sql_mysql: Starting connect to MySQL server for #1
> rlm_sql (sql): Connected new DB handle, #1
> rlm_sql (sql): starting 2
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
> rlm_sql_mysql: Starting connect to MySQL server for #2
> rlm_sql (sql): Connected new DB handle, #2
> rlm_sql (sql): starting 3
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
> rlm_sql_mysql: Starting connect to MySQL server for #3
> rlm_sql (sql): Connected new DB handle, #3
> rlm_sql (sql): starting 4
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
> rlm_sql_mysql: Starting connect to MySQL server for #4
> rlm_sql (sql): Connected new DB handle, #4
> Module: Instantiated sql (sql)
> Module: Loaded Acct-Unique-Session-Id
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> Module: Instantiated radutmp (radutmp)
> Initializing the thread pool...
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:32866, id=176, length=56
> 	User-Name = "home"
> 	User-Password = "home"
> 	NAS-IP-Address = 255.255.255.255
> 	NAS-Port = 1812
> rlm_sql (sql): Reserving sql socket id: 4
> rlm_sql (sql): Released sql socket id: 4
> rad_recv: Access-Request packet from host 127.0.0.1:32866, id=176, length=56
> Sending Access-Reject of id 176 to 127.0.0.1 port 32866
>
>
> I've found out nothing from this output, why it's not sending any sql
> command to mysql?
>
Re: Freeradius is crashing in krb auth
Let me elaborate more on this. On my production system we run several
instances of FreeRadius all using kerberos but for some reason this
instance dies. The other difference I failed to mention is this instance
is running eap-ttls. Sorry I forgot those pieces earlier.

LB

a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> The setup that works well is running FreeBSD 7.0 Stable on an i386 system.
>> The one that keeps crashing is running FreeBSD 7.1 PreRelease on an AMD
>> system.
>
> so 2 totally different systems then.
>
>> Anyone have any ideas about what is happening here?
>
> I think there's a nice hint with 'stable' and 'PreRelease' - do we have
> the BSD ports guy on this list? I think we do - perhaps they might tell
> us any implications of new libraries on 7.1
>
> alan

--
Lisa Besko
Systems Administrator
Network Management
Academic Technology Services
Re: Session-timeout problem
Mitul,

> I have tried this configuration and it's working fine with radtest but

Glad to hear you have this working with radtest. This means you have this
functionality properly configured on the FreeRADIUS side now.

> Ever i am getting session time out value on AP side also but during the
> change request time. actually i want the session time out in
> accept-access time.
> is it the normal scenario?
> can you help me in this case?

With the configuration I showed, FreeRADIUS will send the Session-Timeout
attribute to the AP in an Access-Accept packet, in response to the AP
sending an Access-Request packet to FreeRADIUS that is accepted. I'm not
sure what you're referring to when you say change request time. Can you
elaborate? It sounds like you may have a configuration issue on the AP
side.

Unfortunately, if this is an AP configuration issue, I doubt I'd be of
much help. On the AP side, I've only worked with the ChilliSpot network
access server (used for WiFi hotspots).

Regards,
Will D. Spann
Re: Session-timeout problem
> i have tried this thing but when i am doing so its taking this as a default
> entry and giving error for user name and password
> i have entered username and cleartext-password in user file.

Could you post your users file (with any non-testing passwords starred out
of course)?

My apologies; let me add a clarification. If your user entries in the users
file don't have the "Fall-Through = Yes" attribute set, putting the DEFAULT
section at the end of the file won't apply the Session-Timeout to the users.
However, it shouldn't cause an error. Have you tried testing without the
DEFAULT section, using a user with Cleartext-Password?

I've tested the following configuration on FreeRADIUS 2.1.1 with success.

test	Cleartext-Password := "testing"
	Fall-Through = Yes

DEFAULT
	Session-Timeout = 60

Try testing this with radtest, such as the following, where "testing123" is
your shared secret and the server is running on localhost. This should
return an Access-Accept message with Session-Timeout specified. (I assume
you're also running the server with debug output, as "radiusd -X".)

radtest test testing localhost 0 testing123

If you don't want to add the Fall-Through attribute to each of your user
entries, you could instead use the following modified DEFAULT section near
the top of the users file, before all the authorized user entries. I've also
tested this configuration. (Note the comma.)

DEFAULT
	Session-Timeout = ,
	Fall-Through = Yes

> also i have configured the mysql database for authentication and
> accounting. so at that time i am getting error "no User-password or
> CHAP-password" in request.

Are you using both the users file and MySQL for authentication, or are you
testing each setup separately? I'd recommend getting FreeRADIUS working with
the users file alone before setting up database-based authentication.

Will D. Spann
Re: Grouping different kinds of clients and returning different attributes
David Bailey wrote:
> Do you have a complete example showing something similar that I could refer
> to?

  Like the example in my message?  See also "man unlang".

> From the documentation, it appears that the users file is the only place to
> specify attributes to be passed back to the RADIUS client.

  Nonsense.  2.x provides a number of methods to specify attributes.
"users" file, "unlang" configuration language, Perl scripts, Python
scripts, etc.

> I am not certain
> what to specify in your example if statement. Am I adding an attribute here?
> Where is it compared? The documentation appears unclear to me, but I may
> have missed where it discusses these things.

$ man unlang

  If you don't have it, upgrade to a version that does.

  Alan DeKok.
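The `%{client:vendor}` test Alan sketches, filled out end to end so the two questions in this thread (where the attribute comes from, and where it is compared) are answered in one place. This is an added example, not Alan's code or the project's shipped configuration. It assumes FreeRADIUS 2.x, two constructed client entries on documentation addresses (192.0.2.0/24) with placeholder secrets, a site-local `vendor` key added to each client block (the `%{client:...}` expansion reads back any key of the client definition that handled the request), and placeholder reply values for the Cisco-AVPair and Juniper-Local-User-Name attributes, which the stock dictionary.cisco and dictionary.juniper define.

```unlang
# --- raddb/clients.conf ---
# "vendor" is not a built-in client option; it is a key we add so that
# unlang can ask %{client:vendor} which kind of NAS sent the request.
client 192.0.2.10 {
    secret      = CHANGE-ME-core-sw1-secret   # placeholder, one per client
    shortname   = core-sw1
    nastype     = cisco
    vendor      = cisco
}

client 192.0.2.20 {
    secret      = CHANGE-ME-edge-fw1-secret   # placeholder, one per client
    shortname   = edge-fw1
    nastype     = other
    vendor      = juniper
}

# --- raddb/sites-enabled/default, authorize section (2.x) ---
authorize {
    preprocess
    chap
    mschap
    suffix
    files

    # The comparison happens right here, in unlang: the left side is the
    # "vendor" value from the client block that matched the request's source
    # address, the right side is a literal.  Nothing is added to the request;
    # the update blocks add attributes to the reply list, which is what goes
    # back to the NAS in the Access-Accept.
    if ("%{client:vendor}" == "cisco") {
        update reply {
            # placeholder: a low privilege level, raise per-user elsewhere
            Cisco-AVPair := "shell:priv-lvl=1"
        }
    }
    elsif ("%{client:vendor}" == "juniper") {
        update reply {
            # placeholder: name of a read-only template user on the device
            Juniper-Local-User-Name := "ro-template"
        }
    }

    expiration
    logintime
    pap
}
```

Because `vendor` is set by whoever administers clients.conf and looked up by the request's source address and shared secret, it is a selector the NAS cannot forge in the packet, unlike request attributes. A client block with no `vendor` key matches neither branch and simply gets no vendor-specific attributes, so the "unknown device" case fails closed. Running `radiusd -X` shows which branch fired for each request.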
Re: Grouping different kinds of clients and returning different attributes
Alan DeKok-2 wrote:
>
> Try unlang:
>
> authorize {
>         ...
>
>         if ("%{client:vendor}" == "cisco") {
>                 ...
>         }
>         ...
> }
>
> This says: look up the current client (for this request), and find the
> "vendor" entry. If that is "cisco", then do... something.
>
> It's a lot clearer to understand than the "users" file.
>

Do you have a complete example showing something similar that I could refer to?

From the documentation, it appears that the users file is the only place to specify attributes to be passed back to the RADIUS client. I am not certain what to specify in your example if statement. Am I adding an attribute here? Where is it compared? The documentation appears unclear to me, but I may have missed where it discusses these things.

Thank you for your assistance.

--
View this message in context: http://www.nabble.com/Grouping-different-kinds-of-clients-and-returning-different-attributes-tp21986276p22040047.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Hi,

> Yeah that's got to be it. Fedora 8 uses 3.0.34 while Fedora 10 uses 3.2.8.
> I'll have to try it with the old version of samba. I'll post back if it
> works.

is this a confirmation that ntlm_auth doesn't work with samba 3.2.8 and, therefore, with FC10?

alan
Re: Freeradius is crashing in krb auth
Hi,

> The setup that works well is running FreeBSD 7.0 Stable on an i386 system.
> The one that keeps crashing is running FreeBSD 7.1 PreRelease on an AMD
> system.

so 2 totally different systems then.

> Anyone have any ideas about what is happening here?

I think there's a nice hint with 'stable' and 'PreRelease' - do we have the BSD ports guy on this list? I think we do - perhaps they might tell us any implications of new libraries on 7.1

alan
Freeradius is crashing in krb auth
Freeradius keeps crashing on us. I finally put it in debug mode and this is the tail end of the messages I get before it dies:

    users: Matched entry DEFAULT at line 5
    modcall[authorize]: module "files" returns ok for request 9
    rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
    modcall[authorize]: module "pap" returns noop for request 9
    modcall: leaving group authorize (returns ok) for request 9
    rad_check_password: Found Auth-Type Kerberos
    auth: type "Kerberos"
    Processing the authenticate section of radiusd.conf
    modcall: entering group kerberos for request 9
    Segmentation fault (core dumped)

---

Part of what is frustrating is I've been running this same configuration on another system and it's fine. I just moved it to a production system and I'm having issues. They are both running FreeRadius 1.1.7_3 and MIT Kerberos 1.6.3_5.

The setup that works well is running FreeBSD 7.0 Stable on an i386 system. The one that keeps crashing is running FreeBSD 7.1 PreRelease on an AMD system.

Anyone have any ideas about what is happening here?

LB

--
Lisa Besko
Systems Administrator
Network Management
Academic Technology Services
Re: Segfault in module accessing custom attributes fields
D'AVELLA STEFANO wrote:
> I am having some problems in trying to write a little module to handle
> some custom attributes. Because I have a project regarding very specific
> requirements I preferred to write a module instead of trying to use the
> existing ones, so I can know in a better way where to go to change
> things when I want a different behaviour.

  The existing modules have a lot of examples of working code, too.

> What I am doing right now is trying to have a testbed with a client, a
> proxy and a server, exchanging some custom attributes saved in the users
> file of the server and transmitted with auth-accept messages.

  Please use the *correct* names for everything. Otherwise, we might not be sure what you're talking about... and neither will you.

> The proxy should intercept these new attributes and save them in a
> specific syntax in a local file.
>
> I managed to create and transfer successfully the custom attributes and
> to have them saved in a local file by the proxy.
>
> The problem is that if these attributes have a string as a value, there
> is no problem in reading it using the field vp_strvalue.
>
> If these attributes have the attribute ipv6address, when I try to access
> to them using vp_ipv6address I get a segFault. The values are correctly
> stored in the packets because I can see them with wireshark and the
> client receives them successfully.

  See doc/bugs for instructions on debugging the server with gdb.

  I suspect that your code is simply wrong. There is no reason why one data type should work, and another should fail.

  Again, existing modules && the server core have examples of working with IPv6 attributes. See those examples for what works.

> In the documentation (the wiki) there is written to access the
> attributes through request->packet->vps but I managed to do it only with
> request->reply->vps.

  You "managed to do it"? There's a reason why one works and the other doesn't. Usually, it's a simple reason.

> (initially I wanted to save this local file using
> the post-proxy section because I was thinking that it was the best place
> to do it (it's an action to do when the proxy receives the reply from
> the server) but I couldn't access the right packet through the API and
> so I found out that I could do it in the post-auth phase)

  Nonsense. You can access the proxy reply in the post-proxy section. A lot of other code in the server already does this.

> I would not want to disturb you too much but the problem is that it
> seems to me that there is a bit of lack in the documentation regarding
> how write modules in the newer versions of freeradius and so I didn't
> know other places to look (I have been looking at the source code for
> all the day but maybe I can do it faster if pointed into the right
> direction)

  Again, there are 10's of 1000's of lines of code in the server that access attributes in different lists, of different types. That code works, and can be used as a basis for your code, or as an opportunity to learn.

  Alan DeKok.
RE: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Yeah that's got to be it. Fedora 8 uses 3.0.34 while Fedora 10 uses 3.2.8. I'll have to try it with the old version of samba. I'll post back if it works.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College
Red Hat Certified Technician (RHCT)

-Original Message-
From: freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, February 13, 2009 4:18 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem

Mike Loosbrock wrote:
> Check the versions of your samba packages.
>
> I'm running Debian and the exact same FreeRADIUS configuration works
> with 3.0.24 (stable) but fails with 3.2.5 (testing). The failure is such
> that the mschap module returns success, but the very last EAP-MSCHAPv2
> challenge sent by the server causes the supplicant (both Windows and
> OSX) to bail. There's apparently something wrong with the NT_KEY
> returned by ntlm_auth...

  Ouch. Samba 3.2.8 is out, so that might fix the issue. If not, we'll have to raise it as a bug with the Samba people.

  Alan DeKok.
Segfault in module accessing custom attributes fields
Hi all,

I am having some problems in trying to write a little module to handle some custom attributes. Because I have a project regarding very specific requirements I preferred to write a module instead of trying to use the existing ones, so I can know in a better way where to go to change things when I want a different behaviour.

What I am doing right now is trying to have a testbed with a client, a proxy and a server, exchanging some custom attributes saved in the users file of the server and transmitted with auth-accept messages. The proxy should intercept these new attributes and save them in a specific syntax in a local file.

I managed to create and transfer successfully the custom attributes and to have them saved in a local file by the proxy.

The problem is that if these attributes have a string as a value, there is no problem in reading it using the field vp_strvalue.

If these attributes have the attribute ipv6address, when I try to access them using vp_ipv6address I get a segfault. The values are correctly stored in the packets because I can see them with Wireshark and the client receives them successfully.

In the documentation (the wiki) it is written to access the attributes through request->packet->vps but I managed to do it only with request->reply->vps.

(Initially I wanted to save this local file using the post-proxy section because I was thinking that it was the best place to do it (it's an action to do when the proxy receives the reply from the server) but I couldn't access the right packet through the API and so I found out that I could do it in the post-auth phase.)

I would not want to disturb you too much but the problem is that it seems to me that there is a bit of a lack in the documentation regarding how to write modules in the newer versions of FreeRADIUS and so I didn't know other places to look (I have been looking at the source code all day but maybe I can do it faster if pointed in the right direction).

Thank you in advance for any answer,

Best regards,

D'Avella Stefano
Bell Labs Alcatel-Lucent
Centre de Villarceaux
Route de Villejust
91625 NOZAY
Re: Restrict access to certain groups
On Tue, Feb 10, 2009 at 1:54 PM, kevin leblanc wrote:
> To remember: I want only user1 to be able to access host1.
>
> To illustrate it:
>
>                root
>                 |
>         -----------------
>         |               |
>       hosts           users
>         |               |
>         |         -------------
>         |         |           |
>       host1     user1       user2
>         |
>         | members:
>         |
>       user1
>
>
> I found a possible way.
>
> in radiusd.conf, I put:
>         groupname_attribute = "cn"
>         group_membership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
>
> In the users file, I put:
>         Ldap-Group == "X"       Auth-Type := LDAP
>
> X will be the IP/hostname of the host which tries to connect.
>
> Is there any variable like %{LDAP-UserDN} which could give me this
> information?
>
> thanks for any help
>
> --
> KeV

I found the variable %{Client-IP-Address} which gives me the host's IP. But is there any way to get the hostname instead of the IP? By hostname, I mean the real hostname, not the one defined in clients.conf with the attribute shortname.

Other question: I don't want to store the identity/password attributes in radiusd.conf for security reasons. I tried with the line below in the users file, but that doesn't work:

        DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`

Any idea?

Thanks

--
KeV
Re: Session-timeout problem
Hi Will,

I have tried this configuration and it's working fine with radtest, but I am getting the session timeout value on the AP side also, but during the change request time. Actually I want the session timeout at Access-Accept time. Is it the normal scenario? Can you help me in this case?

thanks,
Mitul Modi

On Fri, Feb 13, 2009 at 3:23 PM, Will D. Spann wrote:
> Mitul,
>
> > I have tried this thing but when I am doing so it's taking this as a
> > default entry and giving an error for user name and password.
>
> > I have entered username and cleartext-password in the users file.
>
> Could you post your users file (with any non-testing passwords starred out
> of course)?
>
> My apologies; let me add a clarification. If your user entries in the
> users file don't have the "Fall-Through = Yes" attribute set, putting the
> DEFAULT section at the end of the file won't apply the Session-Timeout to
> the users. However, it shouldn't cause an error. Have you tried testing
> without the DEFAULT section, using a user with Cleartext-Password? I've
> tested the following configuration on FreeRADIUS 2.1.1 with success.
>
>     test    Cleartext-Password := "testing"
>             Fall-Through = Yes
>
>     DEFAULT
>             Session-Timeout = 60
>
> Try testing this with radtest, such as the following, where "testing123" is
> your shared secret and the server is running on localhost. This should
> return an Access-Accept message with Session-Timeout specified. (I assume
> you're also running the server with debug output, as "radiusd -X".)
>
>     radtest test testing localhost 0 testing123
>
> If you don't want to add the Fall-Through attribute to each of your user
> entries, you could instead use the following modified DEFAULT section near
> the top of the users file, before all the authorized user entries. I've
> also tested this configuration. (Note the comma.)
>
>     DEFAULT
>             Session-Timeout = ,
>             Fall-Through = Yes
>
>
> > Also I have configured the MySQL database for authentication and
> > accounting. So at that time I am getting the error "no User-Password or
> > CHAP-Password" in request.
>
> Are you using both the users file and MySQL for authentication, or are you
> testing each setup separately? I'd recommend getting FreeRADIUS working
> with the users file alone before setting up database-based authentication.
>
> Will D. Spann
>
>
sql problem
Hi,

I've just configured my new freeradius installation with mysql, but the output of my test command is Rejected.

    radtest home home 127.0.0.1 1812 testing123

radius -x output is:

    Starting - reading configuration files ...
    Using deprecated naslist file. Support for this will go away soon.
    Module: Loaded exec
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    Module: Instantiated unix (unix)
    Module: Loaded eap
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    rlm_eap: Loaded and initialized type gtc
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    Module: Instantiated realm (suffix)
    Module: Loaded files
    Module: Instantiated files (files)
    Module: Loaded SQL
    rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
    rlm_sql (sql): Attempting to connect to r...@127.0.0.1:/radius
    rlm_sql (sql): starting 0
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
    rlm_sql_mysql: Starting connect to MySQL server for #0
    rlm_sql (sql): Connected new DB handle, #0
    rlm_sql (sql): starting 1
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
    rlm_sql_mysql: Starting connect to MySQL server for #1
    rlm_sql (sql): Connected new DB handle, #1
    rlm_sql (sql): starting 2
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
    rlm_sql_mysql: Starting connect to MySQL server for #2
    rlm_sql (sql): Connected new DB handle, #2
    rlm_sql (sql): starting 3
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
    rlm_sql_mysql: Starting connect to MySQL server for #3
    rlm_sql (sql): Connected new DB handle, #3
    rlm_sql (sql): starting 4
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
    rlm_sql_mysql: Starting connect to MySQL server for #4
    rlm_sql (sql): Connected new DB handle, #4
    Module: Instantiated sql (sql)
    Module: Loaded Acct-Unique-Session-Id
    Module: Instantiated acct_unique (acct_unique)
    Module: Loaded detail
    Module: Instantiated detail (detail)
    Module: Loaded radutmp
    Module: Instantiated radutmp (radutmp)
    Initializing the thread pool...
    Listening on authentication *:1812
    Listening on accounting *:1813
    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1:32866, id=176, length=56
            User-Name = "home"
            User-Password = "home"
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 1812
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql (sql): Released sql socket id: 4
    rad_recv: Access-Request packet from host 127.0.0.1:32866, id=176, length=56
    Sending Access-Reject of id 176 to 127.0.0.1 port 32866

I can't work out anything from this output. Why isn't it sending any SQL command to MySQL?