Re: Version 2.1.4 has been released

2009-03-12 Thread Johan Meiring

Alan DeKok wrote:

Alan DeKok wrote:

  It's about time we have a formal testing process.  I have some hosted
machines with spare cycles.

  I'll install CruiseControl...


  Nope.

  After a quick review of "continuous integration" systems:



.



  I think it's easier just to write a few shell scripts && a cron job,
to do daily builds.



Suggest the following (similar to what samba does).

When you are ready to release, you simply "snapshot" a rc1. 
(downloadable source.tar.gz), with suitable "not for production" warnings.


Everyone then tries to install it on their production server immediately
(because they LOVE the new features).

You then get some very good testing for a week.
If there are no complaints you release a production version.

Cheers,

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to allow nas'es to serve only groups of clients?

2009-03-12 Thread Alexander Solodukhin

On Wed, 11 Mar 2009 23:51:50 +0200,  wrote:


Hi. I have two types of nases: 1) hotspots 2) vpn servers. I need vpn
nases authorize only vpn users and hotspot nases authorize only hotspot
users. How can i divide users into several groups and reject vpn accounts
to login through hotspot and vice versa? I think i must use huntgroups and
unlang, but not cleanly understand how.


That depends on where do you keep your user details. If it's in sql you
can have SQL-Groups, in Ldap you put them in Ldap-Groups etc.


I use rlm_sql to store user attributes, but i thought sql groups it's  
internal feature of rlm_sql and not related to radius server at all.




Ivan Kalik
Kalik Informatika ISP





--
ISP CrIS, Softwarium


Re: Freeradius+Java application api call and authenticate

2009-03-12 Thread tnt
>also i am going thru the documentation part of jradius to imply? can anyone
>of you suggest me whether i am in right direction?
>

If you want to use Java that is a good way.

>> now by
>> making the ACS to do proxying at network configuration, i can see the
>> request

Well, we don't. Post the debug *with* the request.

>> is flowing to freeradius from ACS, and the freeradius does
>> ""
>> [chap] rlm_chap: Attribute "User-Name" is required for authentication.
>> ++[chap] returns invalid
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> +- entering group REJECT {...}
>> [attr_filter.access_reject] expand: %{User-Name} ->
>> ++[attr_filter.access_reject] returns noop
>> Delaying reject of request 27 for 1 seconds
>>

It's quite likely that it wasn't a chap request to start with. You are
forcing Auth-Type CHAP onto something that isn't chap.

>> ""
>>
>> after a while it says
>>
>> ""
>> [pap] Found existing Auth-Type, not changing it.
>> ++[pap] returns noop
>> Found Auth-Type = CHAP
>> +- entering group CHAP {...}
>> [chap] login attempt by "Doe" with CHAP password
>> [chap] Using clear text password "hello" for user Doe authentication.
>> [chap] chap user Doe authenticated succesfully
>> ++[chap] returns ok
>> +- entering group post-auth {...}
>> ++[exec] returns noop
>> Sending Access-Accept of id 63 to
>>
>> ""

That looks fine. But you might need to return things like Service-Type in
the Access-Accept. You will need to read Cisco documentation to see what
is needed for making a connection.

Ivan Kalik
Kalik Informatika ISP



Re: How to allow nas'es to serve only groups of clients?

2009-03-12 Thread tnt
>I use rlm_sql to store user attributes, but i thought sql groups it's
>internal feature of rlm_sql and not related to radius server at all.
>

It is internal, but SQL-Group can be used in other modules too. If you
check SQL-Group in, let's say, users file, rlm_sql will be called and
value of SQL-Group will be compared to values in radusergroup for that
User-Name. If there is a match ...

Ivan Kalik
Kalik Informatika ISP



Running an external script

2009-03-12 Thread Jonathan Gazeley
In my my inner-tunnel virtual server, authorize section, I have some 
code like this, for sorting users into vlans:


   update control {
       Tunnel-Type := "VLAN"
       Tunnel-Medium-Type := "IEEE-802"
       Tunnel-Private-Group-Id := `/usr/local/etc/raddb/scripts/userVlan.pl %{User-Name} 2>/dev/null`
   }
   update reply {
       Tunnel-Type := "VLAN"
       Tunnel-Medium-Type := "IEEE-802"
       Tunnel-Private-Group-Id := `/usr/local/etc/raddb/scripts/userVlan.pl %{User-Name} 2>/dev/null`
   }

This was put together in a hurry and is pretty undesirable, as the perl 
script (which queries a slow database) is executed twice. Of course in 
any other language, one would simply save the return value of the script 
in a variable and reference it twice - but quoting "man unlang": " Note 
that unlike C, there is no way to declare variables".


So is there a way to store the return value such that I can execute the 
script only once?


Or how about something like:

   update control {
       Tunnel-Type := "VLAN"
       Tunnel-Medium-Type := "IEEE-802"
       Tunnel-Private-Group-Id := `/usr/local/etc/raddb/scripts/userVlan.pl %{User-Name} 2>/dev/null`
   }
   update reply {
       Tunnel-Type := "VLAN"
       Tunnel-Medium-Type := "IEEE-802"
       # unlang references another list's attribute as %{list:Attribute}, not %{list.Attribute}
       Tunnel-Private-Group-Id := "%{control:Tunnel-Private-Group-Id}"
   }

Cheers,
Jonathan


Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless & VPN Team
Information Services
University of Bristol




RE: Config. Help please - ldap and Active Directory

2009-03-12 Thread Leighton Man
> And many requests later you ask about it:
> 
> >++? if (control:Tmp-String-0 == "ldap-student")
> >(Attribute control:Tmp-String-0 was not found)
> 
> .. and it's not there. Of course it's not, since it wasn't 
> set during processing of that Access-Request but much earlier 
> in the exchange.

Obvious when it's pointed out but I really don't understand the whole process 
yet. I'll keep reading the docs until I do!
 
> I would suggest that you move unlang statements to 
> inner-tunnel virtual server. You can do update reply and set 
> Reply-Message in authorize there (forget about temp attribute 
> and changing it in post-auth). Just enable 
> use_tunneled_reply in peap section of eap.conf and 
> Reply-Message will be passed on from inner tunnel into the 
> final reply.
> 

All working now. Thank you.

Leighton
 



Re: Running an external script

2009-03-12 Thread Jonathan Gazeley

t...@kalik.net wrote:

In my my inner-tunnel virtual server, authorize section, I have some
code like this, for sorting users into vlans:

   update control {
   Tunnel-Type := "VLAN"
   Tunnel-Medium-Type := "IEEE-802"
   Tunnel-Private-Group-Id :=
`/usr/local/etc/raddb/scripts/userVlan.pl %{User-Name} 2>/dev/null`
   }



What does that do? Nothing me thinks ;-)
  


Thanks for your reply, Ivan. So I don't need to "update control" to 
place a user in a vlan? If I can safely remove this section, that's my 
problem solved - thanks.


Jonathan


Re: Running an external script

2009-03-12 Thread A . L . M . Buxey
Hi,

> Thanks for your reply, Ivan. So I don't need to "update control" to  
> place a user in a vlan? If I can safely remove this section, that's my  
> problem solved - thanks.

this sort of stuff needs to go into the RADIUS REPLY. you can use
eg PERL to do this, see the examples that come with the server - you
need to populate $RAD_REPLY.  stick 'perl' into the post_auth
section of the relevant virtual host (sites-enabled/* file) and
ensure that the perl module gets loaded up (radiusd -X) and
ensure that the post_auth section for perl and the post_auth
routine in the perl code is set.

alan


Re: Running an external script

2009-03-12 Thread tnt
>In my my inner-tunnel virtual server, authorize section, I have some
>code like this, for sorting users into vlans:
>
>update control {
>Tunnel-Type := "VLAN"
>Tunnel-Medium-Type := "IEEE-802"
>Tunnel-Private-Group-Id :=
>`/usr/local/etc/raddb/scripts/userVlan.pl %{User-Name} 2>/dev/null`
>}

What does that do? Nothing me thinks ;-)

>update reply {
>Tunnel-Type := "VLAN"
>Tunnel-Medium-Type := "IEEE-802"
>Tunnel-Private-Group-Id :=
>`/usr/local/etc/raddb/scripts/userVlan.pl %{User-Name} 2>/dev/null`
>}

Or replace that just with:

perl

And create sub authorize in your script that will populate $RAD_REPLY for
those attributes. See rlm_perl wiki page or documentation included with
the server.

Ivan Kalik
Kalik Informatika ISP

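The rlm_perl approach Alan and Ivan describe above, written out as an added example. This is not code from the thread or from the FreeRADIUS distribution. It assumes the default rlm_perl function names (the sub is called `authorize` because `perl` is listed in the authorize section), and it replaces the slow database behind `userVlan.pl` with a constructed in-script table called `%VLAN_BY_USER` and a hypothetical `lookup_vlan()` helper; a real deployment would put a DBI query there. The realm stripping in `lookup_vlan()` is also an assumption about what the NAS sends.

```perl
use strict;
use warnings;

# Globals that rlm_perl populates before calling our subs and reads back
# afterwards: %RAD_REQUEST is the incoming packet, %RAD_REPLY becomes the
# attributes of the Access-Accept, %RAD_CHECK is the control list.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes rlm_perl expects (same values as in the server's example.pl).
use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_FAIL     => 1;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_HANDLED  => 3;
use constant RLM_MODULE_INVALID  => 4;
use constant RLM_MODULE_USERLOCK => 5;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_NOOP     => 7;
use constant RLM_MODULE_UPDATED  => 8;

# Constructed sample mapping standing in for the slow database behind
# userVlan.pl.  Replace lookup_vlan() with a DBI query against your own
# schema.  The script is loaded once at server start, so nothing here forks
# a process per request the way the backtick expansion in unlang does.
my %VLAN_BY_USER = (
    alice => 10,   # constructed: staff VLAN
    bob   => 20,   # constructed: student VLAN
);

# Map a User-Name to a VLAN id, or undef when no mapping exists.
# Assumption: the NAS may send user@realm and the realm is not part of the key.
sub lookup_vlan {
    my ($user) = @_;
    return undef unless defined $user && length $user;
    (my $key = lc $user) =~ s/\@.*$//;
    return $VLAN_BY_USER{$key};
}

# Called once per request from the authorize section that lists "perl".
sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    my $vlan = lookup_vlan($user);

    if (!defined $vlan) {
        # Unknown user: leave the reply untouched and let later modules decide.
        # Return RLM_MODULE_REJECT here instead if an unmapped user must never
        # be placed on any VLAN.
        &radiusd::radlog(1, "userVlan: no VLAN mapping for "
                            . (defined $user ? $user : '<no User-Name>'));
        return RLM_MODULE_NOOP;
    }

    # The lookup ran exactly once; all three attributes derive from it.
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $vlan;

    return RLM_MODULE_UPDATED;
}

# rlm_perl requires the script file to return true when compiled.
1;
```

Point `module = ` in modules/perl at this file, list `perl` in the authorize section of the inner-tunnel virtual server in place of the two update blocks, and start the server with `radiusd -X` to confirm the module loads. Because the attributes are set inside the inner tunnel, `use_tunneled_reply` must be enabled in the peap section of eap.conf (as mentioned in the "Config. Help" thread above) for them to reach the outer Access-Accept.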


Re: How to allow nas'es to serve only groups of clients?

2009-03-12 Thread Alexander Solodukhin
Thank you for help. I try to do as you say and put this to authorize  
section after preprocess:


   preprocess

   # allow hotspot users only
   if (SQL-Group != 'Spot') {
       reject
   }

Here debug on this action:

++? if (SQL-Group != 'Spot')
sql_groupcmp
expand: %{User-Name} -> spot2
sql_set_user escaped user --> 'spot2'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'
   ORDER BY priority -> SELECT groupname   FROM  
radusergroup   WHERE username = 'spot2'

ORDER BY priority
sql_groupcmp finished: User is a member of group Spot
rlm_sql (sql): Released sql socket id: 4
? Evaluating (SQL-Group != 'Spot') -> TRUE
++? if (SQL-Group != 'Spot') -> TRUE
++- entering if (SQL-Group != 'Spot') {...}
+++[reject] returns reject
++- if (SQL-Group != 'Spot') returns reject

Strange behaviour: user 'spot2' belongs to group 'Spot', but the if clause
returns TRUE and reject is returned.


The other strange thing is user 'test2', who is not a member of the 'Spot' group,
but the if clause does not fire for them:


++? if (SQL-Group != 'Spot')
sql_groupcmp
expand: %{User-Name} -> test2
sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'
   ORDER BY priority -> SELECT groupname   FROM  
radusergroup   WHERE username = 'test2'

ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
sql_groupcmp finished: User is NOT a member of group Spot   <-- and  
not reject here

++[chap] returns noop
++[mschap] returns noop


Here spot2 and test2 groups:

mysql> select * from radusergroup where username='spot2' or  
username='test2';

+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| spot2    | Spot      |        1 |
| test2    | VPN       |        1 |
+----------+-----------+----------+
2 rows in set (0.01 sec)



On Thu, 12 Mar 2009 12:12:15 +0200,  wrote:


I use rlm_sql to store user attributes, but i thought sql groups it's
internal feature of rlm_sql and not related to radius server at all.



It is internal, but SQL-Group can be used in other modules too. If you
check SQL-Group in, lets say, users file, rlm_sql will be called and
value of SQL-Group will be compared to values in radusergroup for that
User-Name. If there is a match ...

Ivan Kalik
Kalik Informatika ISP





--
ISP CrIS, Softwarium


Re: Re: No accounting Freeradius + EAP/PEAP/TLS

2009-03-12 Thread Leonardo Mártyres

Hi Ivan,

 

The Zinwell manual didn't say anything about enabling accounting. My Freeradius is 
configured with default values; the only things I changed were to use EAP/PEAP and 
freeradius, and at the radius database I configured the tables NAS, Usergroup, radcheck and 
groupreply (Auth-Type:=EAP).

 

Could you tell me whether there has to be another thing at GroupReply, and suggest some 
NAS devices?

 

Thanks.

 

> Date: Thu, 12 Mar 2009 00:11:44 +0100
> From: 
> Subject: Re: Re: No accounting Freeradius + EAP/PEAP/TLS
> To: "FreeRadius users mailing list"
> 
> Message-ID: <9kef2edk.1236813104.0870720@kalik.net>
> Content-Type: text/plain; charset=ISO-8859-2
> 
> >I used wireshark and didn't see anything referred about Account Packages. 
> >Only thing I see is Radius-Access Resquest, Access Challenges and Access 
> >Accept.
> >
> 
> So read Zinwell documentation about enabling accounting.
> 
> Ivan Kalik
> Kalik Informatika ISP



Re: How to allow nas'es to serve only groups of clients?

2009-03-12 Thread A . L . M . Buxey
Hi,
> Thank you for help. I try to do as you say and put this to authorize  
> section after preprocess:
>
>preprocess
>
> # allow  hotspot users only
> if (SQL-Group != 'Spot') {
> reject
> }

 if (SQL-Group != /Spot/) ?


alan


Re: Version 2.1.4 has been released

2009-03-12 Thread piston

Dear Alan

You might consider to take a look on the mysql module on freeradius 2.1.4.

I have tried with Debian Lenny + mysql , error: mysql module not found. Same 
machine with 2.1.3, no such issue.

Thanks


- Original Message 
From: Johan Meiring 
To: FreeRadius users mailing list 
Cc: a.l.m.bu...@lboro.ac.uk
Sent: Thursday, March 12, 2009 2:58:28 PM
Subject: Re: Version 2.1.4 has been released

Alan DeKok wrote:
> Alan DeKok wrote:
>>   It's about time we have a formal testing process.  I have some hosted
>> machines with spare cycles.
>> 
>>   I'll install CruiseControl...
> 
>   Nope.
> 
>   After a quick review of "continuous integration" systems:
> 

.

> 
>   I think it's easier just to write a few shell scripts && a cron job,
> to do daily builds.
> 

Suggest the following (similar to what samba does).

When you are ready to release, you simply "snapshot" a rc1. (downloadable 
source.tar.gz), with suitable "not for production" warnings.

Everyone then tries to install it on their production server immediately
(because they LOVE the new features).

You then get some very good testing for a week.
If there are no complaints you release a production version.

Cheers,

-- 

Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782




  


Re: Re: No accounting Freeradius + EAP/PEAP/TLS

2009-03-12 Thread A . L . M . Buxey
Hi,

> The Zinwell manual didn't say anything about enabling accounting. My Freeradius 
> is configured with default values; the only things I changed were to use EAP/PEAP 
> and freeradius, and at the radius database I configured the tables NAS, Usergroup, 
> radcheck and groupreply (Auth-Type:=EAP).

if it doesnt mention it, how do you know it can do it?

your only real choice is to sniff ALL the traffic on the wire
from the zinwell and see what the heck its sending. if it doesnt
send any accounting then theres nothing magical that FreeRADIUS
(or any other RADIUS server) can do - as the RADIUS server
doesnt tell the NAS to 'oi, send me stuff!' - the NAS is configured
to do accounting and then where to send it.  if its good, the NAS
sends accounting packets as per the RFCs. but from personal
experience 90% of devices out there break accounting in weird
and wonderful ways..be it cisco, hp, 3com, zyxel, huawei etc.

once you DO get accounting packets to the RADIUS server, then thats
when the real fun begins!  ("oh, but i wanted unique per client
sessions that could be matched to the real user!"  argggh! ;-) )

alan


Re: How to allow nas'es to serve only groups of clients?

2009-03-12 Thread tnt
>Thank you for help. I try to do as you say and put this to authorize
>section after preprocess:
>
>preprocess
>
> # allow  hotspot users only
> if (SQL-Group != 'Spot') {
> reject
> }
>
>Here debug on this action:
>
>++? if (SQL-Group != 'Spot')
>sql_groupcmp
> expand: %{User-Name} -> spot2
>sql_set_user escaped user --> 'spot2'
>rlm_sql (sql): Reserving sql socket id: 4
> expand: SELECT groupname   FROM radusergroup
>WHERE username = '%{SQL-User-Name}'
>ORDER BY priority -> SELECT groupname   FROM
>radusergroup   WHERE username = 'spot2'
>ORDER BY priority
>sql_groupcmp finished: User is a member of group Spot
>rlm_sql (sql): Released sql socket id: 4
>? Evaluating (SQL-Group != 'Spot') -> TRUE
>++? if (SQL-Group != 'Spot') -> TRUE
>++- entering if (SQL-Group != 'Spot') {...}
>+++[reject] returns reject
>++- if (SQL-Group != 'Spot') returns reject
>
>Strange behaviour: user 'spot2' belongs to group 'Spot', but the if clause
>returns TRUE and reject is returned.
>

OK, it looks like it doesn't work in unlang. I don't know if it is
supposed to, but Alan will know. Put this in users file:

DEFAULT   SQL-Group != "Spot", Auth-Type := Reject (, Huntgroup-Name == "hotspot")
          Reply-Message := "Only hotspot users allowed"

You will probably need to add NAS-IP-Address or Huntgroup-Name in order
to tie it to the originating NAS.

Ivan Kalik
Kalik Informatika ISP



Re: Version 2.1.4 has been released

2009-03-12 Thread Alan DeKok
piston wrote:
> You might consider to take a look on the mysql module on freeradius 2.1.4.
> 
> I have tried with Debian Lenny + mysql , error: mysql module not found. Same 
> machine with 2.1.3, no such issue.

  Is it so difficult to provide more information?

  Like... configure logs, build logs, etc.

  Saying "it doesn't work" is nearly a complete waste of time.

  Alan DeKok.


Re: No accounting Freeradius + EAP/PEAP/TLS

2009-03-12 Thread Alan DeKok
Leonardo Mártyres wrote:
> The Zinwell manual didn't say anything about enabling account.

  Then it doesn't do accounting.  Nothing you do to FreeRADIUS will make
the Zinwell machine send accounting packets.

  Throw the Zinwell box in the garbage, and buy an access point that has
the features you need.

  Alan DeKok.


Re: How to allow nas'es to serve only groups of clients?

2009-03-12 Thread Alan DeKok
Alexander Solodukhin wrote:
> Thank you for help. I try to do as you say and put this to authorize
> section after preprocess:
> 
>preprocess
> 
> # allow  hotspot users only
> if (SQL-Group != 'Spot') {

  That won't work... the SQL-Group attribute is a "callback" attribute.
  i.e. Using it results in a call to the SQL module, which then does the
comparison itself.

  And... it ignores the operator '!='.  The operator is always '=='.
This is because the SQL-Group functionality goes way back to version
0.2, and isn't integrated with the newer "unlang" feature.

  You could send a patch to integrate it with unlang, or do:

if (! (SQL-Group == 'Spot')) {
reject
}

  That should work.  It lets the SQL-Group code use '==', and then uses
the newer expression parser to do the "NOT in the group" checking.

  Alan DeKok.


Re: Re: No accounting Freeradius + EAP/PEAP/TLS

2009-03-12 Thread tnt
>The Zinwell manual didn't say anything about enabling accounting.

Well, there is nothing you can do on the radius server to make AP send
accounting.

>My Freeradius is configured with default values, only things I changed was to 
>use EAP/PEAP and freeradius, at radius database I configured tables NAS, 
>Usergroup, radcheck

Fine.

> and groupreply (Auth-Type:=EAP).
>

Oh, dear. Why? First thing written in eap.conf is:

#  Whatever you do, do NOT set 'Auth-Type := EAP'.

>Could you tell me whether there has to be another thing at GroupReply, and suggest some 
>NAS devices?

I am not the one to ask about wireless.

Ivan Kalik
Kalik Informatika ISP



Re: How to allow nas'es to serve only groups of clients?

2009-03-12 Thread Alexander Solodukhin
On Thu, 12 Mar 2009 14:30:07 +0200, Alan DeKok   
wrote:



Alexander Solodukhin wrote:

Thank you for help. I try to do as you say and put this to authorize
section after preprocess:

   preprocess

# allow  hotspot users only
if (SQL-Group != 'Spot') {


  That won't work... the SQL-Group attribute is a "callback" attribute.
  i.e. Using it results in a call to the SQL module, which then does the
comparison itself.

  And... it ignores the operator '!='.  The operator is always '=='.
This is because the SQL-Group functionality goes way back to version
0.2, and isn't integrated with the newer "unlang" feature.

  You could send a patch to integrate it with unlang, or do:

if (! (SQL-Group == 'Spot')) {
reject
}

  That should work.  It lets the SQL-Group code use '==', and then uses
the newer expression parser to do the "NOT in the group" checking.


No luck, Alan. Here the code:

# allow  hotspot users only
if (!(SQL-Group == 'Spot')) {
reject
}

And debug output:

++? if (!(SQL-Group == 'Spot'))
sql_groupcmp
expand: %{User-Name} -> spot2
sql_set_user escaped user --> 'spot2'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'
   ORDER BY priority -> SELECT groupname   FROM  
radusergroup   WHERE username = 'spot2'

ORDER BY priority
sql_groupcmp finished: User is a member of group Spot
rlm_sql (sql): Released sql socket id: 4
?? Evaluating (SQL-Group == 'Spot') -> TRUE
? Converting !TRUE -> FALSE
++? if (!(SQL-Group == 'Spot')) -> FALSE

Seems it works for 'spot2' account, but:

++? if (!(SQL-Group == 'Spot'))
sql_groupcmp
expand: %{User-Name} -> test2
sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'
   ORDER BY priority -> SELECT groupname   FROM  
radusergroup   WHERE username = 'test2'

ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
sql_groupcmp finished: User is NOT a member of group Spot
++[chap] returns noop
++[mschap] returns noop

It does not work for the test2 account.



--
ISP CrIS, Softwarium


Re: Re: No accounting Freeradius + EAP/PEAP/TLS

2009-03-12 Thread Leonardo Mártyres

> Date: Thu, 12 Mar 2009 12:17:56 +
> From: a.l.m.bu...@lboro.ac.uk
> Subject: Re: Re: No accounting Freeradius + EAP/PEAP/TLS
> To: FreeRadius users mailing list
> 
> Hi,
> 
> > The Zinwell manual didn't say anything about enabling accounting. My 
> > Freeradius is configured with default values; the only things I changed were to 
> > use EAP/PEAP and freeradius, and at the radius database I configured the tables NAS, 
> > Usergroup, radcheck and groupreply (Auth-Type:=EAP).
> 
> if it doesnt mention it, how do you know it can do it?
> 
> your only real choice is to sniff ALL the traffic on the wire
> from the zinwell and see what the heck its sending. if it doesnt
> send any accounting then theres nothing magical that FreeRADIUS
> (or any other RADIUS server) can do - as the RADIUS server
> doesnt tell the NAS to 'oi, send me stuff!' - the NAS is configured
> to do accounting and then where to send it. if its good, the NAS
> sends accounting packets as per the RFCs. but from personal
> experience 90% of devices out there break accounting in weird
> and wonderful ways..be it cisco, hp, 3com, zyxel, huawei etc.

 

Could you give me a model? e.g. DWL-2100ap, etc.

 

Thanks


> 
> once you DO get accounting packets to the RADIUS server, then thats
> when the real fun begins! ("oh, but i wanted unique per client
> sessions that could be matched to the real user!" argggh! ;-) )
> 
> alan




Re: How to allow nas'es to serve only groups of clients?

2009-03-12 Thread Alexander Solodukhin

On Thu, 12 Mar 2009 14:20:58 +0200,  wrote:


Thank you for help. I try to do as you say and put this to authorize
section after preprocess:

   preprocess

# allow  hotspot users only
if (SQL-Group != 'Spot') {
reject
}

Here debug on this action:

++? if (SQL-Group != 'Spot')
sql_groupcmp
expand: %{User-Name} -> spot2
sql_set_user escaped user --> 'spot2'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'
   ORDER BY priority -> SELECT groupname   FROM
radusergroup   WHERE username = 'spot2'
ORDER BY priority
sql_groupcmp finished: User is a member of group Spot
rlm_sql (sql): Released sql socket id: 4
? Evaluating (SQL-Group != 'Spot') -> TRUE
++? if (SQL-Group != 'Spot') -> TRUE
++- entering if (SQL-Group != 'Spot') {...}
+++[reject] returns reject
++- if (SQL-Group != 'Spot') returns reject

Strange behaviour: user 'spot2' belongs to group 'Spot', but the if clause
returns TRUE and reject is returned.



OK, it looks like it doesn't work in unlang. I don't know if it is
supposed to, but Alan will know. Put this in users file:

DEFAULT   SQL-Group != "Spot", Auth-Type := Reject (, Huntgroup-Name == "hotspot")
          Reply-Message := "Only hotspot users allowed"

You will probably need to add NAS-IP-Address or Huntgroup-Name in order
to tie it to the originating NAS.

Ivan Kalik
Kalik Informatika ISP


This works with huntgroups, thanks!

Here is an example for future readers:

raddb/users:
DEFAULT SQL-Group != "Spot", Auth-Type := Reject, Huntgroup-Name == "Spot"
        Reply-Message := "ERROR 104: Only hotspot users allowed to login."

raddb/huntgroups:
Spot    NAS-IP-Address == 212.110.144.142
Spot    NAS-IP-Address == 212.110.136.226








--
ISP CrIS, Softwarium


Winbind errors

2009-03-12 Thread Mike Diggins


Freeradius 2.1.3
winbindd version 3.0.33-3.7.el5
RedHat Linux 5, release 2 fully patched

I know this isn't a FreeRadius issue, but is related. Has anyone running 
FreeRadius with Winbindd for windows authentication, found a solution to 
these error messages in the samba.log?


[r...@prad01 log]# tail samba.log
[2009/03/12 09:28:33, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.
[2009/03/12 09:33:33, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.
[2009/03/12 09:33:33, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.
[2009/03/12 09:38:35, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.

I get several a minute. I've found many posts with the same complaint, but 
no solution. Is upgrading (or downgrading) likely to stop it? It seems to 
be a purely cosmetic issue, but I'd still like to find a solution.


-Mike


Re: Huntgroups and Network of Clients

2009-03-12 Thread HRZ Konten

>> What will be
>> the configuration then?
>>
>> DEFAULT Huntgroup-Name==testldap, Ldap-Group == employee, Auth-Type := Pam
>>Fall-Through = no
>>
>> DEFAULT if (NAS-IP-Address >z.z.z.z && NAS-IP-Address< y.y.y.y) {
>> Auth-Type:= Pam} else
>> {
>>
>>   Auth-Type := Reject
>>   Reply-Message = "Please call the helpdesk."
>> }
>>
>> Does that make sense?
>>
>> 
>
> Not really. Sick to one thing - users file or unlang. I would recommend
> unlang. 
I already thought about your advice to concentrate on unlang and to check in

sites-enabled/default
-
authorize {
    ldap

    if (Ldap-Group == "employee" && NAS-IP-Address == ^131\.(220)\.(1)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$)
        {ok} else
    if (Ldap-Group == "student" && NAS-IP-Address == ^131\.(220)\.(2)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$)
        {ok} else
    if (Huntgroup-Name == "testldap" && Ldap-Group == "student")
        {ok} else
    .
        else {reject}


Is that right?

Should Auth-Type:=Pam stay then in users?
 

I read in another post from today "How to allow nas'es to serve only
groups of clients?" that somebody tries to do almost the same with
unlang and SQL-Groups what I'm trying to do with unlang and LDAP-Groups.
It seems that unlang doesn't work with SQL-Groups, so could it be that
the same situation is true for LDAP-Groups too?

I still have freeradius 1.1.7 and I would like to do urgent upgrade only
if I can use unlang to check subnets and Ldap-Groups with it. If this is
not possible, I would like to know.
Is there maybe another way to check subnets? Can I use regex for
example in huntgroups? Then I wouldn't need to use unlang and can stay
some more time at my current version of freeradius.

Greets
Meyes
> What you posted is a mixture of both but the essence is OK. Just
> use regex for checking subnets.
>   


Re: Huntgroups and Network of Clients

2009-03-12 Thread tnt
>
>sites-enabled/default
>-
>authorize
>{
>ldap
>
> if (Ldap-Group == "employee" && NAS-IP-Address == 
> ^131\.(220)\.(1)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$)
>   {ok} else
>
> if (Ldap-Group == "student" && NAS-IP-Address == 
> ^131\.(220)\.(2)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$)
>   {ok} else
> if (Huntgroup-Name == "testldap" && Ldap-Group == "student" )
>   {ok} else
>..
>   else {reject}
>
>
>Is that right?

No. But if you remove else and change if to elsif it will be.

>
>Should Auth-Type:=Pam stay then in users?
>

Yes. Or you can put it in here instead of ok.

>
>I read in another post from today "How to allow nas'es to serve only
>groups of clients?" that somebody tries to do almost the same with
>unlang and SQL-Groups what I'm trying to do with unlang and LDAP-Groups.
>It seems that unlang doesn't works with SQL-Groups so could it be that
>the same situation ist for LDAP-Groups too?

== should work. It seems that != doesn't work in unlang with those
attributes.

Ivan Kalik
Kalik Informatika ISP



Dropping requests when no authentication possible

2009-03-12 Thread Chris Phillips
Hi,

I've set up a 2.1.4 server, and working pretty well with authentication
against LDAP alone. What I've noticed though is that if the LDAP server is
down on the same box then the LDAP module, rightfully, fails. However whilst
this leaves the service unable to authenticate the user, it still replies
back with a REJECT packet to the client. As such the client switch / router
whatever, doesn't try the next server in its config, as it's had a valid
RADIUS response.

Is there any way to force a logic whereby if the ldap module fails, it would
drop the RADIUS request on the floor, to make it look like a service failure
to the client? Kinda wrecks our resiliency model if not! We're only using a
single ldap server per box, but even if we were using other ldap servers on
other servers, there still is a logic whereby it may be impossible to reach
any LDAP server whilst another FreeRADIUS box can reach one, but is of a
lower order of preference so can't be used.

Thanks

Chris

rlm_ldap: default_profile not expanded

2009-03-12 Thread Giovanni Lovato
Is the default_profile setting in modules/ldap supposed to expand 
runtime variables?


I tried to set:

default_profile = "cn=default,ou=%{Realm},ou=profiles,dc=mc,dc=com"

but on the logs I see:

rlm_ldap: performing search in 
cn=default,ou=%{Realm},ou=profiles,dc=mc,dc=com

rlm_ldap: object not found

If I set:

default_profile = "cn=default,ou=company,ou=profiles,dc=mc,dc=com"

it works.


Re: Dropping requests when no authentication possible

2009-03-12 Thread tnt
>I've set up a 2.1.4 server, and working pretty well with authentication
>against LDAP alone. What I've noticed though is that if the LDAP server is
>down on the same box then the LDAP module, rightfully, fails. However whilst
>this leaves the service unable to authenticate the user, it still replies
>back with a REJECT packet to the client. As such the client switch / router
>whatever, doesn't try the next server in it's config, as it's had a valid
>RADIUS response.
>
>Is there any way to force a logic whereby if the ldap module fails, it would
>drop the RADIUS request on the floor, to make it look like a service failure
>to the client?

Read the list. There is another thread about the same "problem". Only
about unreachable sql servers.

Ivan Kalik
Kalik Informatika ISP



Re: Dropping requests when no authentication possible

2009-03-12 Thread A . L . M . Buxey
Hi,

> Is there any way to force a logic whereby if the ldap module fails, it would
> drop the RADIUS request on the floor, to make it look like a service failure
> to the client? Kinda wrecks our resiliency model if not! We're only using a
> single ldap server per box, but even if we were using other ldap servers on
> other servers, there still is a logic whereby it may be impossible to reach
> any LDAP server whilst another FreeRADIUS box can reach one, but is of a
> lower order of preference so can't be used.

seems to be a current popular feature. if you read the mailing list archive
this very month there's a similar case for doing pretty much the same with SQL
(instead of your ldap).  you could, perhaps, not need to do this if you let
each RADIUS server also talk to each LDAP. you can then configure LDAP
as a failover/redundant system (see the guides/docs for doing redundant 
LDAP).  so

RADIUS1 - ldap 1, ldap 2, ldap 3
RADIUS2 - ldap 2, ldap 1, ldap 3
RADIUS3 - ldap 3, ldap 2, ldap 1

if they can share their LDAP this would be ideal... however, if not, then
you'll have to use the method mentioned previously on the list - note
the (fail) and return the fail attribute to the NAS rather than reject.
if the NAS is good/proper, it'll try the next RADIUS itself.

alan


Re: Error in Authentication

2009-03-12 Thread Jaswinder Kaur

My problem is that I am not able to figure out what I am doing wrong. I 
shall be highly thankful if you can point me to what part of the config I need to 
change.

Many Thanks,
JK



Jaswinder Kaur wrote:
> I am using freeradius 2.1.1 on Suse 10 SP1. I am trying to integrate 
> Freeradius with edirectory, but somehow, I am not able to achieve the desired 
> result, the client just sits while trying to authenticate, I can see the 
> Radius server reading the username and password, but still it's not 
> authenticating it.
> 
> Kindly Help. I am attaching the debug from radius server here:

  This is explained in the FAQ, and in the comments in eap.conf.  Please
read the existing documentation.

  Alan DeKok.





Re: Dropping requests when no authentication possible

2009-03-12 Thread Chris Phillips
On Thu, Mar 12, 2009 at 4:33 PM,  wrote:

> >I've set up a 2.1.4 server, and working pretty well with authentication
> >against LDAP alone. What I've noticed though is that if the LDAP server is
> >down on the same box then the LDAP module, rightfully, fails. However
> whilst
> >this leaves the service unable to authenticate the user, it still replies
> >back with a REJECT packet to the client. As such the client switch /
> router
> >whatever, doesn't try the next server in it's config, as it's had a valid
> >RADIUS response.
> >
> >Is there any way to force a logic whereby if the ldap module fails, it
> would
> >drop the RADIUS request on the floor, to make it look like a service
> failure
> >to the client?
>
> Read the list. There is another thread about the same "problem". Only
> about unreachable sql servers.
>
> Ivan Kalik
> Kalik Informatika ISP


Quite a coincidence, I was looking at the weekend and could find nothing.

I'll try having a go at the example in the sql thread:

authorize {
...
redundant_sql
if (fail) {
update control {
# Do-Not-Respond
Response-Packet-Type = 256
}
reject
}
elsif (notfound) {
reject
}
}

And respond back one way or another.

Thanks

Chris
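An added example, not from the thread, that puts the two suggestions together: several rlm_ldap instances tried in priority order with a `redundant` block, and the Do-Not-Respond handling from the sql thread when every directory is unreachable. The instance names, hostnames, bind DN, password and base DN are assumed.

```unlang
# modules/ldap  (added example; hostnames, DN and credentials are assumed)
# One rlm_ldap instance per directory server, so each can fail independently.
ldap ldap1 {
        server = "ldap1.example.com"
        identity = "cn=radius,ou=service,dc=example,dc=com"
        password = "CHANGE-ME"
        basedn = "ou=people,dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        net_timeout = 1          # fail fast on an unreachable host
        timeout = 4
        timelimit = 3
}
ldap ldap2 {
        server = "ldap2.example.com"
        identity = "cn=radius,ou=service,dc=example,dc=com"
        password = "CHANGE-ME"
        basedn = "ou=people,dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        net_timeout = 1
        timeout = 4
        timelimit = 3
}

# sites-enabled/default, authorize section
authorize {
        preprocess
        suffix

        # Try the directories in the order listed; list them in a different
        # order on each RADIUS box (RADIUS1: ldap1, ldap2; RADIUS2: ldap2, ldap1).
        redundant {
                ldap1
                ldap2
        }
        if (fail) {
                # No directory answered: send nothing at all, so the NAS
                # times out and moves to its next RADIUS server instead of
                # treating an Access-Reject as a definitive answer.
                update control {
                        Response-Packet-Type := 256   # Do-Not-Respond
                }
                reject
        }
        elsif (notfound) {
                # Directory reachable but no such user: a real reject.
                reject
        }
        elsif ((ok || updated) && User-Password) {
                update control {
                        Auth-Type := LDAP
                }
        }
}
```

Keep the sum of the per-instance net_timeout values below the NAS's own RADIUS retry timeout, otherwise the NAS gives up on this server before it has finished trying the directories.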

Re: Dropping requests when no authentication possible

2009-03-12 Thread Chris Phillips
On Thu, Mar 12, 2009 at 5:07 PM,  wrote:

> Hi,
>
> > Is there any way to force a logic whereby if the ldap module fails, it
> would
> > drop the RADIUS request on the floor, to make it look like a service
> failure
> > to the client? Kinda wrecks our resiliency model if not! We're only using
> a
> > single ldap server per box, but even if we were using other ldap servers
> on
> > other servers, there still is a logic whereby it may be impossible to
> reach
> > any LDAP server whilst another FreeRADIUS box can reach one, but is of a
> > lower order of preference so can't be used.
>
> seems to be a current popular feature. if you read the mailing list archive
> this very month there's a similar case for doing pretty much the same with
> SQL
> (instead of your ldap).  you could, perhaps, not need to do this if you let
> each RADIUS server also talk to each LDAP. you can then configure LDAP
> as a failover/redundant system (see the guides/docs for doing redundant
> LDAP).  so
>
> RADIUS1 - ldap 1, ldap 2, ldap 3
> RADIUS2 - ldap 2, ldap 1, ldap 3
> RADIUS3 - ldap 3, ldap 2, ldap 1
>
> if they can share their LDAP this would be ideal... however, if not, then
> you'll have to use the method mentioned previously on the list - note
> the (fail) and return the fail attribute to the NAS rather than reject.
> if the NAS is good/proper, it'll try the next RADIUS itself.
>

Well they can share the LDAP servers, but if these servers have 2 nics, 1
for RADIUS access and 1 solely for back end access between RADIUS and LDAP,
and this rear network connection fails then this scenario comes back big
style and there's not much ideal about it. Whilst it's no fault specifically
of its own, that RADIUS server is completely useless, and no client device
of mine would try the second ever whilst it's getting nice and polite
REJECTs back.

I'll be checking out that other sql thread, although at the moment it seems
that it's not working for the other guy...

Cheers

Chris

Re: Error in Authentication

2009-03-12 Thread Alan DeKok
Jaswinder Kaur wrote:
> My problem is that, I am not able to figure out, what wrong am I doing ? I 
> shall be highly thankful, if you can point me what part of config I need to 
> change?

  Have you READ eap.conf?  This is documented in all of the recent
versions of the server.

  This is also in the FAQ.  Look for Access-Challenge.

  Please... expecting us to cut & paste sections out of the existing
documentation is too much.

  Alan DeKok.


Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol

2009-03-12 Thread Peter Param

>>You have two different versions of OpenSSL installed.

I'm really stumped by this.   I've replaced the default debian openssl libraries
(as per... ldconfig -v | grep ssl) with openssl 0.9.8.j and am still getting the
pesky error,   radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so:
undefined symbol: SSL_CTX_set_info_callback

Is libgnutls-openssl.so.13 referenced by freeradius?  That's the only file I
haven't been able to replace.

What else can I do?  Any help would be greatly appreciated!

cheers

Peter


-X output:

FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Mar 13 2009 at
09:54:32
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
radiusd:  Lo

Help to buy a NAS

2009-03-12 Thread Leonardo Mártyres

Hi,

 

Could someone suggest some NAS models to buy? I want to do accounting properly.

 

Thanks


Accounting server reply

2009-03-12 Thread rosect190
Hi, Does an accounting server reply to a NAS's accounting message? How does a 
NAS know that the accounting message is lost (due to accounting server 
failure)? Thanks.

Help setting up machine auth with peap

2009-03-12 Thread Josh Hiner
Have a radius box setup and am using ntlm_auth to authenticate peapv0 
with mschapv2 in the inner tunnel off a samba pdc.


All normal users authenticate fine. When I try to authenticate using the 
machine account I get this:


[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for host/cc2 with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> 
--username=cc2$

[mschap] setting NT-Domain to same as machine name
[mschap] expand: --domain=%{mschap:NT-Domain:-ISD} -> --domain=cc2
[mschap]  mschap2: bc
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=857e792244c9e024
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=0e44e0288f3f64004f58718f93e09c629670ab97d1e997bf

Exec-Program output: Must change password (0xc224)
Exec-Program-Wait: plaintext: Must change password (0xc224)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [host/cc2] (from client CCISD-REMC-Radius port 0 
via TLS tunnel)

} # server inner-tunnel
[peap] Got tunneled reply code 3
   MS-CHAP-Error = "\010E=691 R=1"
   EAP-Message = 0x04080004
   Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
   MS-CHAP-Error = "\010E=691 R=1"
   EAP-Message = 0x04080004
   Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 71 to 172.17.10.108 port 1033
   EAP-Message = 
0x010900261900170301001b34bc45f7fbc2e102f7ec6da756ce808f27d99f1074294fb3b5b69c

   Message-Authenticator = 0x
   State = 0xb410f68ebc19efa88b187555f468f0ff
Finished request 18.


I do see the "Exec-Program output: Must change password (0xc224)" 
which to me means the computer account password has expired? I tried 
removing and re-adding the computer to the domain but get the same error.


Any ideas? Anyone else successfully doing peapv0 auth with machine 
accounts and ntlm_auth?


Thanks for any help.


Re: Accounting server reply

2009-03-12 Thread Alan DeKok
rosect...@yahoo.com wrote:
> Hi, Does an accounting server reply to a NAS's accounting message?

  Yes.

> How
> does a NAS know that the accounting message is lost (due to accounting
> server failure)? Thanks.

  It doesn't receive a reply?

  Alan DeKok.


Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol

2009-03-12 Thread Alan DeKok
Peter Param wrote:
>>> You have two different versions of OpenSSL installed.
> 
> I'm really stumped by this.   I've replaced the default debian openssl 
> libraries
> (as per... ldconfig -v | grep ssl) with openssl 0.9.8.j and am still getting 
> the
> pesky error,   radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so:
> undefined symbol: SSL_CTX_set_info_callback

  Did you try RE-BUILDING the server when you only had one version of
OpenSSL installed?

  That name is a macro in some versions of OpenSSL, and a function in
others.  If you don't re-build the server, you will get one definition
at build time, and another one in the OpenSSL libraries.

  Alan DeKok.


Re: rlm_ldap: default_profile not expanded

2009-03-12 Thread Alan DeKok
Giovanni Lovato wrote:
> Is the default_profile setting in modules/ldap supposed to expand
> runtime variables?

  No.

  Alan DeKok.