Re: dealing with 'corrupt' detail file

2009-06-03 Thread Alan DeKok
a.l.m.bu...@lboro.ac.uk wrote:
> okay. so i've been preaching that people use eg
> the buffered-sql virtual machine rather than do accounting
> DB entries 'live' - therefore giving the admin better
> FR performance with slower DBs etc...

  Yup.

> however, I've been approached today by someone who has a
> rather large detail file (few gigs)

  Bad.  Bad, bad, bad.  They should be writing detail files per day, or
per hour.  If they're using a version of the server from the last 6
months, it supports file globbing, which helps with this.

> that has 'corrupt'
> records in it... eg entries with no Acct-Status-Type
> set (broken NAS, duff RADIUS server or possibly
> attribute filtering along the path)...

  But... that can happen no matter what the NAS.  This needs to be
handled in any case.

> anyway, my first
> thought was to edit the accounting stanza of buffered-sql
> so that it looks like
> 
> if(Acct-Status-Type){
>   sql
>  }
> 
> instead of just calling sql and borking over the
> lack of Accounting status in the packet.
> 
> but, of course, whilst this stops the bork, it also
> stops the ingestion of the detail file as it sticks
> at that point, doesn't flush that entry and move on...
> so...can anyone info me the magic or steps to bypass
> this entry in the detail file so it can continue
> working on it? the code itself seems to need to go
> through something before flushing the packet..

  Easy.  The accounting section has to be told "it's OK to continue":

if (broken nas) {
    ok
}
else {
    sql
}

  Or maybe better:

sql
if (noop || invalid) {
    ok
}

  The module returns FAIL if it can't write to SQL, OK if it succeeded.
It returns INVALID if there's no Acct-Status-Type, and NOOP for unknown
Acct-Status-Type or zero session length.


> which reminds me...any best practice from the
> FR community regarding the detail file and
> the aforementioned protection from duff NAS etc

  Write small detail files, and handle failure codes from SQL as above.

> (I've already got, on my list, use Calling-Station-Id
> instead of NAS-Port for the unique function as many
> NAS use the same port for every accounting packet :-|)

  Create a patch, and send it to the list via git format-patch.  "Best
practices" really need to go into the server configuration.  Anything
else is too frustrating for the end users.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
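An added example, not from the thread or from FreeRADIUS itself: a small Python triage script over a detail file in the layout the server writes (a timestamp line, tab-indented "Attribute = value" lines, a blank line after each record). It sorts every record by the rlm_sql outcome described above (missing Acct-Status-Type, unknown type or zero-length Stop, or fine) and tallies which NAS produced the records that would not be written. The sample records, the addresses and the set of known status values are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the detail-file layout the server writes. The second
# record is the "corrupt" kind from the thread (no Acct-Status-Type at all).
SAMPLE_DETAIL = """\
Wed Jun  3 10:15:02 2009
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000abcd"
\tUser-Name = "alice"
\tNAS-IP-Address = 192.0.2.10

Wed Jun  3 10:15:03 2009
\tAcct-Session-Id = "0000abce"
\tUser-Name = "bob"
\tNAS-IP-Address = 192.0.2.10

Wed Jun  3 10:20:07 2009
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000abcd"
\tUser-Name = "alice"
\tAcct-Session-Time = 0
\tNAS-IP-Address = 192.0.2.10

Wed Jun  3 10:21:00 2009
\tAcct-Status-Type = Frobnicate
\tAcct-Session-Id = "0000abcf"
\tUser-Name = "carol"
\tNAS-IP-Address = 192.0.2.11
"""

# Indented "Attribute = value" line inside a record.
DETAIL_ATTR = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

# Acct-Status-Type values treated as known (assumption: the RFC 2866 set;
# anything else counts as "unknown", which the thread says yields NOOP).
KNOWN_STATUS = {"Start", "Stop", "Interim-Update", "Alive",
                "Accounting-On", "Accounting-Off"}


def parse_detail(text):
    """Split a detail file into records: one dict per record (attribute ->
    value) with the timestamp line kept under "_timestamp". Quotes around
    string values are stripped; a blank line or a new timestamp ends a record."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        m = DETAIL_ATTR.match(line)
        if m is None:  # unindented line: the timestamp opening the next record
            if current is not None:
                records.append(current)
            current = {"_timestamp": line.strip()}
            continue
        if current is None:  # attribute line with no timestamp before it
            current = {"_timestamp": ""}
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        current[name] = value
    if current is not None:
        records.append(current)
    return records


def classify(record):
    """Map a record to the rlm_sql outcome described in the reply: "invalid"
    when Acct-Status-Type is missing, "noop" for an unknown Acct-Status-Type
    or a zero session length (checked here on Stop records), "ok" otherwise."""
    status = record.get("Acct-Status-Type")
    if status is None:
        return "invalid"
    if status not in KNOWN_STATUS:
        return "noop"
    if status == "Stop" and record.get("Acct-Session-Time", "") == "0":
        return "noop"
    return "ok"


def triage(text):
    """Count records per outcome and tally which NAS-IP-Address produced the
    records that would not be written, so the duff NAS can be chased."""
    counts, offenders = Counter(), Counter()
    for rec in parse_detail(text):
        verdict = classify(rec)
        counts[verdict] += 1
        if verdict != "ok":
            offenders[rec.get("NAS-IP-Address", "?")] += 1
    return {"counts": dict(counts), "offenders": dict(offenders)}


if __name__ == "__main__":
    print(triage(SAMPLE_DETAIL))
```

Run it against a real detail file by reading the file into the text argument; records the script flags as "invalid" are the ones the `if (noop || invalid) { ok }` handling above lets the reader skip past.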


Re: chap or pap

2009-06-03 Thread Alan DeKok
jon jon wrote:
> Hi,
> I have pap authentication working just fine. I want to change auth type
> to chap. I am using the radius book that is very outdated.

  Why?  Why not just follow the documentation, FAQ, etc. that is
included with the server?

> Don't really
> understand why I can't get chap to work. I looked in the default file and chap
> auth-type is not commented out, so I am assuming that if pap
> authentication didn't work then chap would be the next auth type radius
> would try, right? That is why they put pap at the bottom of the file to
> let the other auth types have a try first. I am using a mysql backend server
> with username and cleartext := passwords. Can anyone point me in the right
> direction or tell me to read more :P

  Don't read the RADIUS book.  It's useless.

  Alan DeKok


Re: Re-compiling modules

2009-06-03 Thread John Dennis
Rupert Finnigan wrote:
> Hi All,
>  
> I'm *attempting* to recompile the rlm_mschap module with a quick mod to
> hopefully fix my host authentication domain extraction problems.
>  
> Is this as simple as running make, and copying the resulting files to
> "/usr/lib" (on my system at least)? And if so, is it just the two files
> I need to copy, the .la and the .so? If this eventually works I'll
> rebuild my rpms, but I'm looking for a quick way of finding out if this
> does actually behave as expected.
>  
> Sorry if this is a bit of an obvious question - I've never really done
> much C before.

First you must run the configure script from the top level before you
run make. It's best to run configure with the exact same arguments the
RPM build would use. The easiest way to accomplish this is by running
rpmbuild and preserving the build tree (I think you'll have to comment
out the %clean section of the spec file first). Then modify the code and
run make in the directory. You'll only need the .so, not the .la. Be
careful about the destination directory, it's probably not /usr/lib,
more likely /usr/lib/freeradius, but it depends on the system, could be
/usr/share/lib/freeradius or /usr/local/lib/freeradius. You can figure
this out by looking for the original .so (the locate command helps) or
if you're using an RPM based install, as it sounds like you are then do a:

% rpm -ql freeradius | grep rlm_mschap

that will print out the file location.

HTH,

John

-- 
John Dennis 



Re-compiling modules

2009-06-03 Thread Rupert Finnigan
Hi All,

I'm *attempting* to recompile the rlm_mschap module with a quick mod to
hopefully fix my host authentication domain extraction problems.

Is this as simple as running make, and copying the resulting files to
"/usr/lib" (on my system at least)? And if so, is it just the two files I
need to copy, the .la and the .so? If this eventually works I'll rebuild my
rpms, but I'm looking for a quick way of finding out if this does actually
behave as expected.

Sorry if this is a bit of an obvious question - I've never really done much
C before.

Many Thanks,

Rupert

Re: ntlm_auth, universal principal name, multi-domain active directory, howto?

2009-06-03 Thread Rupert Finnigan
Hi Adam,

I've been experimenting with something very similar recently.
ntlm_auth can handle authentication in one of the following ways:

1. --username = "NetBIOS Domain Name"\"Username", no --domain parameter
specified

2. --username = "Username", --domain = "NetBIOS Domain Name"

3. --username = "Username", --domain = "FQDN of domain".

In your case, the problem is it doesn't know which actual domain the user is
in, based on the UPN. So, my thoughts are you've got two options:

1. Make the users login using a principal of usern...@fqdn, so
someu...@dept1.company.net and use some logic to "split" the username into
the two sections using the @ as a delimiter. Maybe attr_rewrite module would
be good for this.

2. Configure some form of way to lookup the users "real" domain from AD
(probably via LDAP, or maybe there's a samba related tool for this?) and
then pass that to ntlm_auth, either in the newer FQDN style, or the legacy
NetBIOS style.

Unfortunately, I'm not too hot on the various logic options available in FR,
as I'm only really just starting playing in Unlang. Hopefully someone else
will be able to help with providing a working logic config, once you've
decided which method best suits your requirements.

Cheers,

Rupert

ntlm_auth, universal principal name, multi-domain active directory, howto?

2009-06-03 Thread freeradius
New to freeradius & samba - and first post here.

Rather long post so to cut to the heart of the question:

Can freeradius be configured to authenticate users against an AD Forest 
(multi-domain) using universal principal name (UPN) and if so...how?

I'm posting here because our only need for samba is freeradius integration to 
AD - but if I need to go to the Samba community just let me know. 

The ultimate goal is to have the majority of remote access users authenticate 
using their universal principal names (UPN) from AD.  The path of that 
authentication however is not direct.

RA Appliance --> Freeradius (Proxy) --> Freeradius --> AD

There are some instances where we need users to authenticate from a repository 
other than AD, so Freeradius has been configured against both MySQL (primarily 
to hold NAS information & accounting info, but could potentially host users) 
and Openldap.

The MySql & Openldap configs are working just fine.

We don't really care if we use Samba - integration via LDAP would be fine, but 
it appears that there is an issue with sending the password in the clear if 
LDAP is used. If this is inaccurate please let me know.

Everything "appears" configured correctly.  In fact authentication using the 
"exec ntlm_auth" configuration referenced in 
http://deployingradius.com/documents/configuration/active_directory.html works 
if the username and domain are specified.  Once we tried to use the UPN 
(without domain name) it does not.  Going back to the command line for 
ntlm_auth tests resulted in the following.

Using a user account found in DEPT1.COMPANY.NET child domain

ntlm_auth --username=user  WORKS
ntlm_auth --username=user --domain=DEPT1   WORKS
ntlm_auth --username=u...@company.net  DOES NOT WORK

Using a user account found in DEPT2.COMPANY.NET child domain

ntlm_auth --username=user  DOES NOT WORK
ntlm_auth --username=user --domain=DEPT2   WORKS
ntlm_auth --username=u...@company.net  DOES NOT WORK

All of the DOES NOT WORK result in the same error.

NT_STATUS_NO_SUCH_USER: No such user (0xc064)

tcpdumps of the ntlm_auth traffic validate that all requests are being sent to 
one of the domain controllers within DEPT1.COMPANY.NET

The internal freeradius host is in the child domain DEPT1.COMPANY.NET based on 
policy.  If moving the server to COMPANY.NET is required that could be 
considered, however preference is to leave it in DEPT1.COMPANY.NET.

Linux Host
RHEL 5.2
Freeradius 2.1.6
Samba 3.3.4

Active Directory
Multi-Domain Model
Native Mode Win2003
Root Domain - company.net
Child Domain - dept1.company.net
Child Domain - dept2.company.net
..
Child Domain - dept9.company.net

For the sake of testing we are currently only configured for the root, child 
domains dept1 and dept2.  We do not have admin_server entries because all of 
the examples reference port 749 which is not running on any of the domain 
controllers or global catalogs.  

I am including sanitized copies of the krb5.conf and smb.conf because they seem 
pertinent to the question. If any of the freeradius config files, nsswitch or 
some other information is needed just let me know.

Thanks

Adam

krb5.conf
-

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DEPT1.COMPANY.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 COMPANY.NET = {
  kdc = gc01.company.net:88
  kdc = gc02.company.net:88
  kdc = gc03.company.net:88
 }

 DEPT1.COMPANY.NET = {
  kdc = dept1-dc01.dept1.company.net:88
  kdc = dept1-dc02.dept1.company.net:88
  kdc = dept1-dc03.dept1.company.net:88
 }

 DEPT2.COMPANY.NET = {
  kdc = dept2-dc01.dept2.company.net:88
  kdc = dept2-dc02.dept2.company.net:88
  kdc = dept3-gc01.dept2.company.net:88
 }

[domain_realm]
 .company.net = COMPANY.NET
 .dept1.company.net = DEPT1.COMPANY.NET
 .dept2.company.net = DEPT2.COMPANY.NET

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

smb.conf
--

[global]

workgroup = DEPT1
netbios name = AAA-Server
realm = DEPT1.COMPANY.NET
security = ADS
template shell = /bin/bash
idmap uid = 500-1000
idmap gid = 500-1000
winbind nested groups = Yes
winbind enum users = yes
winbind enum groups = yes
server string = AAA


[homes]
comment = Home Directories
browseable = no
writable = yes


chap or pap

2009-06-03 Thread jon jon
Hi,
I have pap authentication working just fine. I want to change auth type to
chap. I am using the radius book that is very outdated. Don't really
understand why I can't get chap to work. I looked in the default file and chap
auth-type is not commented out, so I am assuming that if pap authentication
didn't work then chap would be the next auth type radius would try, right?
That is why they put pap at the bottom of the file to let the other auth
types have a try first. I am using a mysql backend server with username and
cleartext := passwords. Can anyone point me in the right direction or tell me
to read more :P

jon

dealing with 'corrupt' detail file

2009-06-03 Thread A . L . M . Buxey
hi,

okay. so i've been preaching that people use eg
the buffered-sql virtual machine rather than do accounting
DB entries 'live' - therefore giving the admin better
FR performance with slower DBs etc...

however, I've been approached today by someone who has a
rather large detail file (few gigs) that has 'corrupt'
records in it... eg entries with no Acct-Status-Type
set (broken NAS, duff RADIUS server or possibly
attribute filtering along the path)...anyway, my first
thought was to edit the accounting stanza of buffered-sql
so that it looks like

if(Acct-Status-Type){
  sql
 }

instead of just calling sql and borking over the
lack of Accounting status in the packet.

but, of course, whilst this stops the bork, it also
stops the ingestion of the detail file as it sticks
at that point, doesn't flush that entry and move on...
so...can anyone info me the magic or steps to bypass
this entry in the detail file so it can continue
working on it? the code itself seems to need to go
through something before flushing the packet..

...I expect to then be told there are other broken
records too - but I hope a simple solution can deal
with all sorts, then I can get them to ensure
that the call to detail is protected in the first
place so NULL records etc don't even go in.

which reminds me...any best practice from the
FR community regarding the detail file and
the aforementioned protection from duff NAS etc

(I've already got, on my list, use Calling-Station-Id
instead of NAS-Port for the unique function as many
NAS use the same port for every accounting packet :-|)


thanks

alan


Re: Duplicate SQL records versus unique constraints

2009-06-03 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> Thanks, i'll poke Alan and see if he wants to include it.

$ git format-patch

  :)

> It'd be nice to have a generic hashing module for string expansions and
> not have to do so much unlang hackyness, useful for CUI too.

update reply {
  User-Name := "%{md5:foo}"
}

  It's already there.

  Alan DeKok.


Re: Duplicate SQL records versus unique constraints

2009-06-03 Thread Arran Cudbard-Bell

[snip]

> Thanks a bundle for that, I was about to whack my head against the screen
> here and type "man unlang". ;)
>
>> If you're still getting duplicates, check that the NAS is actually
>> sending the value of the Class attribute. Vendors are notoriously bad
>> for ignoring the RFC in this area.
>
> Yeah, never mind that we are talking to proxy servers upstream which in
> turn may talk to other proxy servers (nobody knows) which ultimately talk
> to the NAS (BRAS) in question.

You might have more luck concatenating the random string with the User-Name
and sending that in the Access-Accept. Then stripping it out again when you
receive accounting requests.

post-auth {
    update reply {
        User-Name := "%{User-Name}:%{Acct-Unique-ID}"
    }
    ...
}

--

preacct {
    ...
    if(User-Name =~ /([^:]+)(:([[:alnum:]]*))?/){
        update request {
            Acct-Session-ID := "%{Acct-Session-ID}%{3}"
            User-Name := "%{1}"
        }
    }
}

It's a more commonly used feature so is more likely to work :)

> I have seen those quickly recycled Acct-Session-Id's only with one
> location it seems, other people with twice the connects never had their
> IDs re-used in the same sample period. So my bet is that this particular
> NAS will also happily ignore the Class attribute. ^o^

Yey for standards *sigh*.

> But nevertheless, a very useful configuration snippet that would do well
> in a future sample configuration.

Thanks, i'll poke Alan and see if he wants to include it. It'd be nice to have
a generic hashing module for string expansions and not have to do so much
unlang hackyness, useful for CUI too.

> Thanks again for the quick and comprehensive response

No problem. Best of luck !

Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: ippools and Pool-Name

2009-06-03 Thread up


Replying to myself... erm, never mind. I must have a fairly old
raddb/radiusd.conf. I found this by googling:



db_dir = $(raddbdir)   <<==

It should be:

db_dir = ${raddbdir}   (brackets are wrong)




James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=


Re: ippools and Pool-Name

2009-06-03 Thread up

On Wed, 3 Jun 2009, Alan DeKok wrote:


 Because you don't have the GDBM libraries or header files.


Ok, I installed those, and while I was at it, installed the latest 
radiusd.  The first error I got involved the "experimental" 
raddb/sites-available/control-socket which was included in the old
radiusd.conf: $INCLUDE sites-enabled/.  I moved the file and radiusd 
started and worked as it did before.


However, when I uncomment my ippool statement, I now get this:

 Module: Linked to module rlm_ippool
 Module: Instantiating users_pool
  ippool users_pool {
session-db = "$(raddbdir)/db.ippool"
ip-index = "$(raddbdir)/db.ipindex"
key = "%{NAS-IP-Address} %{NAS-Port}"
range-start = 172.16.1.2
range-stop = 172.16.1.253
netmask = 255.255.255.0
cache-size = 251
override = yes
maximum-timeout = 0
  }
rlm_ippool: Failed to open file $(raddbdir)/db.ippool: No such file or 
directory
/usr/etc/raddb/radiusd.conf[1824]: Instantiation failed for module 
"users_pool"
/usr/etc/raddb/sites-enabled/default[337]: Failed to find module 
"users_pool".
/usr/etc/raddb/sites-enabled/default[314]: Errors parsing accounting 
section.

Errors initializing modules
-

If I understand correctly, if I am running radiusd as root, shouldn't it 
simply create the db. files itself when started?  I tried a "touch 
raddb/db.ippool" but it changed nothing.


Again, thanks for your patience...

James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=


Re: checkval module

2009-06-03 Thread Amr el-Saeed




Hi François

Thank you, it worked out, thanks a lot :-)

Regards,

Amr el-Saeed
Senior Systems Engineer
94 Tahrir St., Maghraby Plaza, Dokki, Giza 12311, Egypt
T: +20 (2) 33 32 0700 | Ext: 1107
F: +20 (2) 33 32 0800
E: amr.elsa...@tedata.net
www.tedata.net





RE: checkval module

2009-06-03 Thread François Mehault
Hi

I think you have to do it like this:

checkval checkNasPortId {
    item-name = NAS-Port-Id
    check-name = NAS-Port-Id
    data-type = string
    notfound-reject = yes
}

checkval checkNasPortType {
    item-name = NAS-Port-Type
    check-name = NAS-Port-Type
    data-type = string
    notfound-reject = yes
}

and in your /site-available/default you load checkNasPortId & checkNasPortType 
instead of checkval

#checkval
checkNasPortId
checkNasPortType

I hope this helps you

François


checkval module

2009-06-03 Thread Amr el-Saeed




Hi every one

I am using freeradius 1.1.7
I am configuring checkval to check for NAS-Port-Type; I need to make
it check for NAS-Port-Id also.

This is the radius.conf checkval section:

checkval {
    item-name = NAS-Port-Id
    check-name = NAS-Port-Id

    item-name = NAS-Port-Type
    check-name = NAS-Port-Type

    data-type = string
    notfound-reject = yes
}


But actually it processes the first entry only, which is NAS-Port-Id, and
ignores the second one, which is NAS-Port-Type.
Is it possible to make the radius check both items?


thanks 
Amr





Re: Hiding passwords

2009-06-03 Thread A . L . M . Buxey
Hi,
> Is there a way to tell freeradius not to include passwords in the log when 
> debugging?  

many ways - which log are you seeing the password in?

it *WILL ALWAYS* log any plain passwords when in full debug mode...
that's the idea of full debug mode

alan


Re: "detail" log files

2009-06-03 Thread Steve Bertrand
Alan DeKok wrote:
> Steve Bertrand wrote:
>> Can someone swing the clue bat at me, and provide me with information on
>> where I should look to find out how to disable detail log files for
>> specific NASs only?
> 
> $ man unlang
> 
>> I need to keep the detail files for legacy purposes, but only for
>> specific NASs, and I'd like to disable the rest of them from logging there.
>>
>> Is this possible?
> 
>   It's trivial.
> 
> accounting {
>   ...
> 
>   if (Packet-Src-IP-Address != 1.2.3.4) {
>   detail
>   }
>   ...
> }

Beautiful. Thanks Alan!

Steve


Hiding passwords

2009-06-03 Thread John Doppke
Is there a way to tell freeradius not to include passwords in the log when 
debugging?  


-John





Re: Filtering in sites-enabled default file

2009-06-03 Thread A . L . M . Buxey
Hi,

> if("%{User-Name}" =~ /?([...@]+)@?([-[:alnum:]._]*)?$/) {
> 
> update request {
> 
>Realm := "%{2}"
> 
> }
> The staff login id is:
> 
> ps...@worc.ac.uk
> 
> Whereas the student login is in the format:
> 
> psdn1...@worc.ac.uk
> 
> Would it be possible to filter on the format of the userid? The student id
> has `_02 on it.

yes, easily... eg

  if("%{User-Name}" =~ /_02@/) {
    update request {
      Realm := "student"
    }
  }

it can be made scalable and prettier, but this would suffice for this question

alan


re: Filtering in sites-enabled default file

2009-06-03 Thread Nick Sparkes
Hello,

 

I was wondering if anyone can help me.  I am trying to set up freeradius
2.1.x

In the authorize section of default, we have the following coding:

if("%{User-Name}" =~ /?([...@]+)@?([-[:alnum:]._]*)?$/) {
    update request {
        Realm := "%{2}"
    }
    if(!"%{2}" || ("%{2}" == "worc.ac.uk") || ("%{2}" == "worcester.ac.uk") ){
        update request {
            Realm := "worc"
        }
    }
}
else{
    update request {
        Stripped-User-Name := "anonymous"
        Realm := 'local'
    }
}

switch "%{Realm}" {
    case "worc" {
        update control {
            Proxy-To-Realm := "worc"
        }
        update request {
            Realm := "worc"
        }
        # Don't do any proxy stuff here, request will be handled later.
    }
    case {
        update control {
            Proxy-To-Realm := "jrs"
        }
        update request {
            Realm := "jrs"
        }
    }
}

This should check the extension to the user name: if it is worc or Worcester
it will use the realm "worc"; if it is anonymous, use the "local" realm;
otherwise use the "jrs" realm. This works fine. There is a problem, as our
users are split into two separate sections, staff & students.

The above works fine for staff, as the realm "worc" handles this authentication.
But we do need to filter the students & place these in another realm,
"student".

The staff login id is:

ps...@worc.ac.uk

Whereas the student login is in the format:

psdn1...@worc.ac.uk

Would it be possible to filter on the format of the userid? The student id
has `_02 on it.

 

Regards,

Nick.


Re: Stop alive requests in a dead realm

2009-06-03 Thread Alan DeKok
Santiago Balaguer García wrote:
> I am using freeradius 2.1.3 for my AAA servers. I have a little problem
> when a third-partner RADIUS is dead. My problem is my freeradius sends the
> following status packet every
> 2-5 seconds.
>  
> Sending Access-Request of id 77 to 200.160.126.23 port 1812
> User-Name := ""
> User-Password := ""
> Service-Type := Authenticate-Only
> Message-Authenticator := 0x
> NAS-Identifier := "Status Check. Are you alive?"
> Waking up in 1.0 seconds.
> Cleaning up request 3 ID 151 with timestamp +723
> Waking up in 2.9 seconds.
> 
> I want to avoid this test because my partner tells me that I send too
> much traffic ('operator' is the realm name).
...
> realm operator {
> type= radius
> authhost= 200.160.126.23 :1812
> accthost= 200.160.126.23 :1813
> secret  = my_secret

  You should use the new syntax to define home servers.

  Also, you may want to grab a recent copy of the source from
http://git.freeradius.org/pre/.  It fixes a bug where it would send
Status-Server messages, even if "status_check = none".

  Or, you can use the new syntax for home_servers to set "check_interval
= 120", which should cut down on the traffic a lot.

  And if you want a stable RADIUS system, you *should* enable
status-server checks.  It lets the proxy use the partner's server as soon
as it's up, rather than trying it while it's still down.

  Alan DeKok.


is it possible one certificate for only user

2009-06-03 Thread Abdullah Dizdar

Hello;

I have been using freeradius with CA, eap. I am also using OpenSSL
certificates.

My question is that how to use only one certificate for only one user.
How to configure my raddb.conf, eap.conf, users for only one user.

Best regards,



Re: NTLM Auth Help

2009-06-03 Thread Rupert Finnigan
Hi,

Following up from this, I think I've discovered what the real problem here
is. I think there's a problem with the MS-CHAP module

The module looks in the username to find "host/" at the beginning, and if it
does then handles it differently. Whilst it sets the "username" section
correctly, it doesn't set the "domain" section properly.

ntlm_auth can handle both netbios and FQDN versions of a domain. For machine
Auth, the mschap module works on the assumption that the first "DN=" bit of
the FQDN is always the same as the netbios name - which in many situations
it is, but not all the time. It should work on the logic of: "OK, I found a
host/ at the beginning, so everything after the /host but before the first
'.' + a '$' is the username of the machine, and *everything* after the first
'.' is the domain name, not everything between the first and second periods
is the domain name.

My C programming isn't too hot, and so I'm not sure how to correct this
logic - even though I think I've found it in source for rlm_mschap.

Many Thanks,

Rupert
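An added example, not the rlm_mschap code and not from the post: a Python function that performs the split described above on a constructed machine name host/pc01.dept1.company.net (pc01 is an assumption; dept1.company.net is the domain from the earlier ntlm_auth thread), with a switch to contrast the "everything after the first dot" rule proposed here against the "only the first label" behaviour the post reports. ntlm_auth_args is a hypothetical helper that only assembles the FQDN-style --username/--domain strings.

```python
HOST_PREFIX = "host/"


def split_machine_name(user_name, whole_fqdn=True):
    """Split a machine-auth User-Name such as host/pc01.dept1.company.net.

    Returns (username, domain), or None when there is no host/ prefix. With
    whole_fqdn=True the domain is everything after the first '.', the rule
    proposed in the post; with whole_fqdn=False it is only the label between
    the first and second '.', the behaviour the post reports seeing."""
    if not user_name.startswith(HOST_PREFIX):
        return None
    fqdn = user_name[len(HOST_PREFIX):]
    machine, dot, rest = fqdn.partition(".")
    username = machine + "$"  # machine accounts carry a trailing '$'
    if not dot:
        return username, ""  # bare host name: no domain part to extract
    domain = rest if whole_fqdn else rest.partition(".")[0]
    return username, domain


def ntlm_auth_args(user_name):
    """Build the --username/--domain pair in the FQDN form (option 3 of the
    earlier ntlm_auth post); None when the name is not a host/ name.
    Hypothetical helper: it only assembles strings, nothing is executed."""
    parts = split_machine_name(user_name)
    if parts is None:
        return None
    username, domain = parts
    args = ["--username=" + username]
    if domain:
        args.append("--domain=" + domain)
    return args


if __name__ == "__main__":
    # A constructed name: the two rules agree on the machine account but
    # disagree on the domain once the FQDN has more than two labels.
    print(split_machine_name("host/pc01.dept1.company.net"))
    print(split_machine_name("host/pc01.dept1.company.net", whole_fqdn=False))
```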

Stop alive requests in a dead realm

2009-06-03 Thread Santiago Balaguer García

Hi,

 

I am using freeradius 2.1.3 for my AAA servers. I have a little problem when a
third-partner RADIUS is dead. My problem is my freeradius sends the following
status packet every 2-5 seconds.

 

Sending Access-Request of id 77 to 200.160.126.23 port 1812
User-Name := ""
User-Password := ""
Service-Type := Authenticate-Only
Message-Authenticator := 0x
NAS-Identifier := "Status Check. Are you alive?"
Waking up in 1.0 seconds.
Cleaning up request 3 ID 151 with timestamp +723
Waking up in 2.9 seconds.


I want to avoid this test because my partner tells me that I send too much
traffic ('operator' is the realm name).

proxy.conf file

--

proxy server {
default_fallback = yes
}

home_server localhost {
type = auth
ipaddr = 127.0.0.1
port = 1812
secret = testing123
require_message_authenticator = no
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = none
check_interval = 30
num_answers_to_alive = 3
}

home_server virtual.example.com {
virtual_server = virtual.example.com
}

home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}


realm example.com {
auth_pool = my_auth_failover
}

realm LOCAL {
type= radius
authhost= LOCAL
accthost= LOCAL
}
realm operator {
type= radius
authhost= 200.160.126.23:1812
accthost= 200.160.126.23:1813
secret  = my_secret
strip
}



Re: Duplicate SQL records versus unique constraints

2009-06-03 Thread Christian Balzer

Hello,

On Wed, 03 Jun 2009 08:24:53 +0100 Arran Cudbard-Bell wrote:

[more uniqueness for accounting packets]
> Example policy for this would be something like :
> 
[snip]

Thanks a bundle for that, I was about to whack my head against the screen
here and type "man unlang". ;)

> 
> If you're still getting duplicates, check that the NAS is actually
> sending the value of the Class attribute. Vendors are notoriously bad
> for ignoring the RFC in this area.
> 
Yeah, never mind that we are talking to proxy servers upstream which in
turn may talk to other proxy servers (nobody knows) which ultimately talk
to the NAS (BRAS) in question. 
I have seen those quickly recycled Acct-Session-Id's only with one
location it seems, other people with twice the connects never had their
IDs re-used in the same sample period. So my bet is that this particular
NAS will also happily ignore the Class attribute. ^o^

But nevertheless, a very useful configuration snippet that would do well
in a future sample configuration. 

Thanks again for the quick and comprehensive response,

Christian
-- 
Christian Balzer            Network/Systems Engineer            NOC
ch...@gol.com               Global OnLine Japan/Fusion Network Services
http://www.gol.com/
https://secure3.gol.com/mod-pl/ols/index.cgi/?intr_id=F-2ECXvzcr6656


Re: Duplicate SQL records versus unique constraints

2009-06-03 Thread Arran Cudbard-Bell

On 3/6/09 07:53, Arran Cudbard-Bell wrote:

> If we add a CONSTRAINT to enforce uniqueness for acctuniqueid in the DB,
> will the failure to insert an accounting record confuse the freerad sql
> module and will those failures percolate up towards the radius protocol
> level and thus result in the NAS keep on sending that accounting packet?
>
>
> Yes. The SQL module will return fail on any errors. This will override
> the priority of most other modules, and cause the accounting stanza to
> return fail. The RADIUS server will then ignore the Accounting request,
> and the NAS will think the RADIUS server is dead.
>
> You should be able to add additional 'uniqueness' with the 'Class'
> attribute. RFC behavior is identical to User-Name. You set it in the
> Access-Accept packet, then the NAS includes its value in all future
> Accounting-Requests.


Example policy for this would be something like :

populate_class {
	# Hashing module only accepts dictionary attributes, so stash the
	# current time in one that acct_class_unique can read
	update request {
		Tmp-String-0 := "%t"
	}
	#
	# Insert random string into the class attribute
	#
	acct_class_unique.accounting
	update reply {
		Class := "%{request:Acct-Unique-Session-Id}"
	}
}

and

acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port, Class"
}

acct_unique acct_class_unique {
	key = "User-Name, Tmp-String-0, NAS-IP-Address, Client-IP-Address, NAS-Port"
}

For the module configuration.

If you're still getting duplicates, check that the NAS is actually sending the 
value of the Class attribute. Vendors are notoriously bad for ignoring the RFC 
in this area.

Regards,
Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: Duplicate SQL records versus unique constraints

2009-06-03 Thread Arran Cudbard-Bell

If we add a CONSTRAINT to enforce uniqueness for acctuniqueid in the DB,
will the failure to insert an accounting record confuse the freerad sql
module and will those failures percolate up towards the radius protocol
level and thus result in the NAS keep on sending that accounting packet?


Yes. The SQL module will return fail on any errors. This will override the priority of most other modules, and cause the accounting stanza to return fail. The RADIUS server will then ignore the 
Accounting request, and the NAS will think the RADIUS server is dead.


You should be able to add additional 'uniqueness' with the 'Class' attribute. RFC behavior is identical to User-Name. You set it in the Access-Accept packet, then the NAS includes its value in all 
future Accounting-Requests.


You can use another instance of the hashing module to generate the initial 
class value. Include something like system time in the list of attributes to 
make sure it never repeats.

Then just add 'Class' into the list of attributes used to generate acctuniqueid.

Arran
--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
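What the Class attribute buys you, as an added Python model of both of Arran's replies above (the hashing idea and the populate_class / acct_unique policy); this is not FreeRADIUS code. rlm_acct_unique is approximated as an MD5 over the comma-joined key attributes (the real module's exact byte layout is not reproduced, only the "same inputs, same id" property), radacct is modelled as a table with a UNIQUE constraint on acctuniqueid, and rlm_sql's rcode follows the thread: ok on success, fail on any database error. The NAS address, port, timestamps and user "alice" are constructed; the NAS recycles Acct-Session-Id 0001 for a second session, which is the case the thread is about:

```python
import hashlib
from typing import Dict, List, Sequence

# Keys from the two acct_unique instances in the thread.
KEY_WITHOUT_CLASS: Sequence[str] = (
    "User-Name", "Acct-Session-Id", "NAS-IP-Address", "Client-IP-Address", "NAS-Port",
)
KEY_WITH_CLASS: Sequence[str] = tuple(KEY_WITHOUT_CLASS) + ("Class",)
CLASS_KEY: Sequence[str] = (
    "User-Name", "Tmp-String-0", "NAS-IP-Address", "Client-IP-Address", "NAS-Port",
)


def unique_id(attrs: Dict[str, str], key: Sequence[str]) -> str:
    """MD5 over the comma-joined key values, the idea behind rlm_acct_unique.
    Assumption: a missing attribute contributes an empty string; the real
    module's exact byte layout is not reproduced, only 'same inputs, same id'."""
    material = ",".join(attrs.get(name, "") for name in key)
    return hashlib.md5(material.encode()).hexdigest()


def issue_class(access_request: Dict[str, str], now: int) -> str:
    """Value the populate_class policy puts in the Access-Accept Class attribute:
    a hash of the request plus the current time (Tmp-String-0 := "%t")."""
    attrs = dict(access_request)
    attrs["Tmp-String-0"] = str(now)
    return unique_id(attrs, CLASS_KEY)


class Radacct:
    """Stand-in for the radacct table with a UNIQUE constraint on acctuniqueid.
    insert() returns the rlm_sql rcode the thread describes: 'ok' on success,
    'fail' on any database error (here: the constraint violation)."""

    def __init__(self) -> None:
        self.rows: Dict[str, Dict[str, str]] = {}

    def insert(self, acct_unique_id: str, row: Dict[str, str]) -> str:
        if acct_unique_id in self.rows:
            return "fail"  # section fails, no Accounting-Response, the NAS retries
        self.rows[acct_unique_id] = dict(row)
        return "ok"


def handle_start(db: Radacct, pkt: Dict[str, str], key: Sequence[str]) -> str:
    """Accounting Start handling: compute acctuniqueid, INSERT, report the rcode.
    Only Start is modelled; the stock schema UPDATEs the same row on Stop."""
    return db.insert(unique_id(pkt, key), pkt)


def run_scenario(key: Sequence[str], nas_echoes_class: bool = True) -> List[str]:
    """Constructed traffic: one NAS, one user, one port, and the NAS recycles
    Acct-Session-Id 0001 for a second session an hour later.
    Returns the rcode for each Accounting-Request Start."""
    nas = {"NAS-IP-Address": "192.0.2.10", "Client-IP-Address": "192.0.2.10", "NAS-Port": "7"}
    db = Radacct()
    rcodes: List[str] = []
    for session_start in (1_000_000, 1_003_600):
        access_request = {"User-Name": "alice", **nas}
        cls = issue_class(access_request, session_start)  # sent in the Access-Accept
        acct_start = {**access_request, "Acct-Session-Id": "0001", "Acct-Status-Type": "Start"}
        if nas_echoes_class:
            acct_start["Class"] = cls  # RFC 2865: the NAS sends Class back unmodified
        rcodes.append(handle_start(db, acct_start, key))
    return rcodes


if __name__ == "__main__":
    print("key without Class :", run_scenario(KEY_WITHOUT_CLASS))
    print("key with Class    :", run_scenario(KEY_WITH_CLASS))
    print("NAS drops Class   :", run_scenario(KEY_WITH_CLASS, nas_echoes_class=False))
```

The third run is the caveat at the end of Arran's reply: if the NAS does not echo Class, the key degrades to the original five attributes and the recycled session id collides again, so the constraint is only as good as the NAS's RFC compliance.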