Web Management

2009-08-28 Thread Diego
Hello list,
Can someone give me a step-by-step manual to configure freeradius with a web
interface?

-- 
^^^|
|Linux band wagon|;...,___
|__===|___|__|...,]
"(@)'(@)*|(@)(@ )(@)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

simulation of the radius

2009-08-28 Thread Magui
Hello, does somebody know if there exists a software platform for simulation of the radius
out of a production environment?
I configured radius in my first upon with pgsql and "freeradius -X" gives me
freeradius listening on ports 1813 1815 1817 for auth, pass and proxy and waiting for
requests,
seemingly ok.
But I need to prove it without a NAS; for work reasons I can not affect the
services with a prove.
Does somebody know if I can use a modem, a software or something
of that kind for a prove with radius?



--

This message has reached you through the e-mail service that Infomed offers
to support the fulfilment of the missions of the National Health System. The
person sending this e-mail undertakes to use the service for those purposes
and to comply with the established regulations.

Infomed: http://www.sld.cu/

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
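The question above, how to exercise a RADIUS server without a NAS, is what the radtest and radclient tools shipped with FreeRADIUS are for. As an added illustration (not code from this list thread or from the FreeRADIUS project), the Python below shows what such a test client has to do on the wire per RFC 2865: build an Access-Request whose User-Password is obfuscated with the shared secret and the Request Authenticator, then check the server's reply, including its Response Authenticator, before trusting the attributes it carries. The shared secret, user name, NAS address, fixed Request Authenticator and the Access-Accept that gets verified are all constructed here so the block runs offline; against a real server you would send the request datagram to UDP port 1812 and hand the datagram that comes back to verify_reply.

```python
# RADIUS (RFC 2865) test-client building blocks; added example with constructed values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Standard attribute numbers from RFC 2865 (the same ones raddb/dictionary defines)
ATTR = {"User-Name": 1, "User-Password": 2, "NAS-IP-Address": 4,
        "Service-Type": 6, "Reply-Message": 18, "Callback-Id": 20}
ATTR_NAME = {num: name for name, num in ATTR.items()}
SERVICE_TYPE = {1: "Login-User", 2: "Framed-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}

def encrypt_user_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous
    # block); the first "previous block" is the Request Authenticator. Anyone holding
    # the secret can reverse this, which is why the secret must stay secret.
    padded = password + b"\x00" * ((-len(password)) % 16 if password else 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def encode_attr(atype, value):
    # AVP = Type(1) Length(1, counting itself and Type) Value
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data):
    # Yield (type, value) pairs; refuse truncated or zero-length AVPs
    pos = 0
    while pos < len(data):
        alen = data[pos + 1] if pos + 1 < len(data) else 0
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        yield data[pos], data[pos + 2:pos + alen]
        pos += alen

def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    # Code(1) Identifier(1) Length(2) Request-Authenticator(16) Attributes...
    req_auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = (encode_attr(ATTR["User-Name"], username.encode())
             + encode_attr(ATTR["User-Password"],
                           encrypt_user_password(password.encode(), secret, req_auth))
             + encode_attr(ATTR["NAS-IP-Address"], bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, request, secret, attrs):
    # Constructed server reply to `request`; stands in for a real server here
    ident, req_auth = request[1], request[4:20]
    return (struct.pack("!BBH", code, ident, 20 + len(attrs))
            + response_authenticator(code, ident, attrs, req_auth, secret) + attrs)

def verify_reply(reply, request, secret):
    # Return (code, {name: value}); ValueError unless reply is an authentic answer to request
    if len(reply) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("Length field does not match datagram")
    if ident != request[1]:
        raise ValueError("Identifier does not match the request")
    attrs = reply[20:]
    expected = response_authenticator(code, ident, attrs, request[4:20], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    decoded = {}
    for atype, value in parse_attrs(attrs):
        name = ATTR_NAME.get(atype, "Attr-%d" % atype)
        if atype == ATTR["Service-Type"]:
            decoded[name] = SERVICE_TYPE.get(struct.unpack("!I", value)[0], "unknown")
        else:
            decoded[name] = value.decode("utf-8", "replace")
    return code, decoded

def reply_is_valid(reply, request, secret):
    try:
        verify_reply(reply, request, secret)
        return True
    except ValueError:
        return False

def demo():
    # Offline round trip with constructed values: no server, no network
    secret = b"testing123"       # constructed shared secret (clients.conf "secret")
    req_auth = bytes(range(16))  # fixed Request Authenticator so the run is reproducible
    request = build_access_request(91, secret, "leesle", "foo", "192.0.2.10", req_auth)
    # Constructed Access-Accept carrying Service-Type and Callback-Id, the two
    # reply items discussed elsewhere in this digest
    accept_attrs = (encode_attr(ATTR["Service-Type"], struct.pack("!I", 6))
                    + encode_attr(ATTR["Callback-Id"], b"TCBStaff"))
    reply = build_reply(ACCESS_ACCEPT, request, secret, accept_attrs)
    return verify_reply(reply, request, secret)
```

The Response Authenticator check is the part a quick test script tends to skip: without it a client reports "Access-Accept" for any datagram with the right Identifier, so a reply built with a different secret, or one that was truncated or padded in transit, is accepted instead of rejected. demo() returns the decoded reply, `(2, {'Service-Type': 'Administrative-User', 'Callback-Id': 'TCBStaff'})`, which is the kind of thing the "freeradius -X" output elsewhere in this digest shows the server sending.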

Re: Different reply items out of LDAP depending on the NAS

2009-08-28 Thread Peter Lambrechtsen
On Sat, Aug 29, 2009 at 7:11 AM, Peter Lambrechtsen  wrote:

> On Fri, Aug 28, 2009 at 10:38 PM, Ivan Kalik  wrote:
>
>> > I am trying to have a granular based reply items depending on the NAS
>> they
>> > connected to all driven using attributes in LDAP without needing to use
>> > realms.
>> >
>> > IE User A passes just User&Password to NAS A. and gets reply attr
>> > "Service-Type=admin", and the admin comes from an LDAP Attribute "nasA"
>> > attribute in LDAP
>> > Same user logs into NAS B and gets back a "Service-Type=user" and the
>> > value
>> > user comes from an attribute "nasB".
>> >
>> > Looking through the ldap.attrmap it seems to be a static mapping for
>> > Service-Type to be statically set to a single value from LDAP, but what
>> > happens if I want that value to be different depending on which NAS I
>> have
>> > connected from.
>> >
>> > Have searched around and haven't found any documents talking about how to
>> > have this granular level of configuration.
>>
>> Well, you have custom attributes in Ldap - translate them to custom
>> attributes in radius (define them first in raddb/dictionary and map them
>> in ldap.attrmap, lets say nasA to nasA as replyItem, etc.)
>>
>> Then use unlang to set service type:
>>
>> if(NAS-IP-Address == NAS A IP) {
>> update reply {
>>  Service-Type = "%{reply:nasA}"
>> }
>> }
>> elsif(NAS-IP-Address == NAS B IP) {
>> ...
>
>
> Another thought would be to have ldap group based authorize and attributes
> being passed back.
>
> IE the user has a "member" attribute specifying which services it has
> access to and which attributes to be passed back,
>
> This is the user in LDAP.
>
> dn: cn=user,o=users
> member: cn=admin,ou=nasA,o=radius
> member: cn=user,ou=nasB,o=radius
> member: cn=1,ou=nasC,o=radius
> member: cn=15,ou=nasC,o=radius
> member: cn=somethingelse,o=groups
>
> Then I think I would specify in the clients the update reply, ie:
>
> if(NAS-IP-Address == NAS A IP) {
>
> update reply {
>  Service-Type = "%{reply:nasA}"
> }
> }
>


What I was actually meaning was:

if(NAS-IP-Address == NAS A IP) {
  if(member contains "ou=nasA,o=radius") {
    if(member = cn=admin,ou=nasA,o=radius) {
      update reply {
        Service-Type = "admin"
      }
    }
  }
}

Or something similar.

I assume I would update the post-auth section under sites-enabled/default?
Or would it be under clients.conf or the modules/ldap?


>> Ivan Kalik
>> Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Different reply items out of LDAP depending on the NAS

2009-08-28 Thread Peter Lambrechtsen
On Fri, Aug 28, 2009 at 10:38 PM, Ivan Kalik  wrote:

> > I am trying to have a granular based reply items depending on the NAS
> they
> > connected to all driven using attributes in LDAP without needing to use
> > realms.
> >
> > IE User A passes just User&Password to NAS A. and gets reply attr
> > "Service-Type=admin", and the admin comes from an LDAP Attribute "nasA"
> > attribute in LDAP
> > Same user logs into NAS B and gets back a "Service-Type=user" and the
> > value
> > user comes from an attribute "nasB".
> >
> > Looking through the ldap.attrmap it seems to be a static mapping for
> > Service-Type to be statically set to a single value from LDAP, but what
> > happens if I want that value to be different depending on which NAS I
> have
> > connected from.
> >
> > Have searched around and haven't found any documents talking about how to
> > have this granular level of configuration.
>
> Well, you have custom attributes in Ldap - translate them to custom
> attributes in radius (define them first in raddb/dictionary and map them
> in ldap.attrmap, lets say nasA to nasA as replyItem, etc.)
>
> Then use unlang to set service type:
>
> if(NAS-IP-Address == NAS A IP) {
> update reply {
>  Service-Type = "%{reply:nasA}"
> }
> }
> elsif(NAS-IP-Address == NAS B IP) {
> ...


Another thought would be to have ldap group based authorize and attributes
being passed back.

IE the user has a "member" attribute specifying which services it has access
to and which attributes to be passed back,

This is the user in LDAP.

dn: cn=user,o=users
member: cn=admin,ou=nasA,o=radius
member: cn=user,ou=nasB,o=radius
member: cn=1,ou=nasC,o=radius
member: cn=15,ou=nasC,o=radius
member: cn=somethingelse,o=groups

Then I think I would specify in the clients the update reply, ie:

if(NAS-IP-Address == NAS A IP) {

update reply {
 Service-Type = "%{reply:nasA}"
}
}



> Ivan Kalik
> Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Different reply items out of LDAP depending on the NAS

2009-08-28 Thread Peter Lambrechtsen

On 28/08/2009, at 10:38 PM, "Ivan Kalik" wrote:

> > I am trying to have a granular based reply items depending on the NAS they
> > connected to all driven using attributes in LDAP without needing to use
> > realms.
> >
> > IE User A passes just User&Password to NAS A. and gets reply attr
> > "Service-Type=admin", and the admin comes from an LDAP Attribute "nasA"
> > attribute in LDAP
> > Same user logs into NAS B and gets back a "Service-Type=user" and the
> > value
> > user comes from an attribute "nasB".
> >
> > Looking through the ldap.attrmap it seems to be a static mapping for
> > Service-Type to be statically set to a single value from LDAP, but what
> > happens if I want that value to be different depending on which NAS I have
> > connected from.
> >
> > Have searched around and haven't found any documents talking about how to
> > have this granular level of configuration.
>
> Well, you have custom attributes in Ldap - translate them to custom
> attributes in radius (define them first in raddb/dictionary and map them
> in ldap.attrmap, lets say nasA to nasA as replyItem, etc.)
>
> Then use unlang to set service type:
>
> if(NAS-IP-Address == NAS A IP) {
>  update reply {
>   Service-Type = "%{reply:nasA}"
>  }
> }
> elsif(NAS-IP-Address == NAS B IP) {
> ...

Ahhh I knew there must be an easy way. This is exactly what I was
looking for. I will have a play and post my results. Or update the wiki.

Many thanks!!

> Ivan Kalik
> Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: add attribute to Access-Accept

2009-08-28 Thread Gary Prosser
Apologies I omitted that our freeradius is Version 2.0.4
Gary Prosser
-  
IT Manager
Trinity College, Bristol (http://www.trinity-bris.ac.uk)



To ensure you receive email from Trinity College into your inbox, please add 
@trinity-bris.ac.uk to your email safe list (also known as whitelist).

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


add attribute to Access-Accept

2009-08-28 Thread Gary Prosser
We have freeradius running successfully with 3 ldap instances (one for
each of 3 different sets of user credentials, two of which are active
directory).

We want to provide to the calling nas in the Access-Accept reply some
identifier of the ldap instance that authorizes a user. I have not been
able to achieve this.

Freeradius -X output shows

rlm_ldap: - authorize
rlm_ldap: performing user authorization for leesle
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> leesle
expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
-> (samAccountName=leesle)
expand: OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk ->
OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in
OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk, with filter
(samAccountName=leesle)
rlm_ldap: checking if remote access for leesle is allowed by
samAccountName
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
rlm_ldap: Setting Auth-Type = ldap1
rlm_ldap: user leesle authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns ok

And then two further authorize sections 

++[ldap2] returns notfound
++[ldap3] returns notfound

Then
users: Matched entry DEFAULT at line 159
users: Matched entry DEFAULT at line 163
users: Matched entry DEFAULT at line 167
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type ldap1
auth: type "ldap1"
+- entering group authenticate
rlm_ldap: - authenticate
rlm_ldap: login attempt by "leesle" with password "x"
rlm_ldap: user DN: CN=Seonghye
Lee,OU=Students,DC=PUBLIC,DC=TRINITY-BRIS,DC=AC,DC=UK
rlm_ldap: (re)connect to 192.168.4.250:389, authentication 1
rlm_ldap: bind as CN=Seonghye
Lee,OU=Students,DC=PUBLIC,DC=TRINITY-BRIS,DC=AC,DC=UK/16763673 to
192.168.4.250:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user leesle authenticated succesfully
++[ldap1] returns ok
Login OK: [leesle/x] (from client esther2-webserver port 0)
Sending Access-Accept of id 91 to 192.168.2.1 port 1026
Callback-Id := "TCBStaff"

I have tried to put a new attribute into the Access-Accept reply via
users file

159 DEFAULT Auth-Type == "ldap1"
160 Callback-Id = "TCBStudents",
161 Fall-Through = Yes
162 #
163 DEFAULT Auth-Type == "ldap2"
164 Callback-Id := "BBCUsers",
165 Fall-Through = Yes
166 #
167 DEFAULT Auth-Type == "ldap3"
168 Callback-Id := "TCBStaff",
169 Fall-Through = Yes

Since each line in users apparently matches, the attribute Callback-Id
acquires the value of the last DEFAULT. Meanwhile I was hoping that
rlm_ldap: Setting Auth-Type = ldap1
would match only the first.

Can I fix this by adjusting the syntax or do I need a different method ?

Any comment appreciated !


Gary Prosser
-  
IT Manager
Trinity College, Bristol (http://www.trinity-bris.ac.uk)




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_ldap logs

2009-08-28 Thread Sergio Belkin
Hi, I am using Version 2.1.1 with openldap on Centos 5.
I wonder if it is feasible to dump to the logs, when a user gets "login incorrect",
whether it is due to the non-existence of that uid in Ldap.

Thanks in advance!

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Setting FreeRadius and Ldap. - Getting Educated Now

2009-08-28 Thread Arran Cudbard-Bell

On 28/08/2009 16:50, Steven Sprague wrote:
> Thanks Alan,
> 
> WPA Enterprise with AES, I will do some more reading to understand the
> benefits of AES.

TKIP is semi-broken, in that you can do ARP poisoning attacks without needing
the PMK.

We're mandating WPA2-AES for this academic year.
-- 
Arran Cudbard-Bell ,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Setting FreeRadius and Ldap. - Getting Educated Now

2009-08-28 Thread Steven Sprague
Thanks Alan,

WPA Enterprise with AES, I will do some more reading to understand the
benefits of AES.

As for the older laptop - I chose this unit because it represents
the oldest of technologies that will be accessing the network. This IBM
Thinkpad uses a Cisco (Calexico) internal wireless card using current
Windows XP (SP3) card drivers (from IBM / Lenovo). So unless there is a
better solution for controlling this wireless card I am stuck with
dealing with its offerings: WEP, Cisco Leap and EAP FAST.

Steven


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Setting FreeRadius and Ldap. - User settings

2009-08-28 Thread Steven Sprague
Ivan, 

Based on your advice I need to set myself up as a user and start testing
from my workstation.

Since it seems I am missing the docs supplied in source (I used the packaged
file), can you give me some guidance on minimum settings?

1. RADIUS server Shared Secret
Where is the best place to set my RADIUS server Shared Secret? Or can I
use a default Shared Secret in FreeRadius?

2. Users
I will be using WPA Enterprise on my workstation and am not sure of the
following settings in the 'users' file. DHCP is used for wireless users.
If needed I could reserve a test address and place it here? Not sure if
that's needed or practical. Here's what I gleaned from the users file

I assume:
steven Cleartext-Password := "xx"
Service-Type =  what is used here for local wireless network ???

Anything else?

Thanks Steven


-- 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Setting FreeRadius and Ldap. - Getting Educated Now

2009-08-28 Thread Alan Buxey
Hi,

> Now I am facing a dilemma - deciding what WEP protocol to use based on
> my test setup. After reading the 'sites' and 'modules' files it seems
> that "some"  WEP or EAP protocols are weaker than others, some not
> suggested for use.

don't use WEP. ever.

> Router can provide - WEP 40/128 shared key, WEP Personal, WEP Enterprise
> Cipher: TKIP or AES

surely you mean WPA personal and WPA enterprise (TKIP or AES)?


I would say WPA enterprise with AES. it's the best you can get currently
on your kit

> Older Laptop: WEP 40/128 shared key, 802.1 Cisco LEAP or EAP FAST
> --this may be the limiting machine.

the limiting factor here is most likely the software on the system - use
a different tool to control the wireless authentication

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Setting FreeRadius and Ldap. - Getting Educated Now

2009-08-28 Thread Ivan Kalik
> Now I am facing a dilemma - deciding what WEP protocol to use based on
> my test setup. After reading the 'sites' and 'modules' files it seems
> that "some"  WEP or EAP protocols are weaker than others, some not
> suggested for use.
>
> Here's what my test router and machines can handle.
>
> Router can provide - WEP 40/128 shared key, WEP Personal, WEP Enterprise
> Cipher: TKIP or AES
>
> Workstation: WEP 40/128 shared key, Leap, Dynamic WEP, WPA & WPA2
> Personal & Enterprise
>
> Older Laptop: WEP 40/128 shared key, 802.1 Cisco LEAP or EAP FAST
> --this may be the limiting machine.

Use WPA2 Enterprise (PEAP) on the workstation and LEAP for older laptop.
Server should support both in default configuration.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Setting FreeRadius and Ldap. - Getting Educated Now

2009-08-28 Thread Steven Sprague
Ivan, 

Thanks for the url link to the missing documentation. Very helpful.
Ldap is not going to work for EAP.

Now I am facing a dilemma - deciding what WEP protocol to use based on
my test setup. After reading the 'sites' and 'modules' files it seems
that "some"  WEP or EAP protocols are weaker than others, some not
suggested for use.

Here's what my test router and machines can handle. 

Router can provide - WEP 40/128 shared key, WEP Personal, WEP Enterprise
Cipher: TKIP or AES

Workstation: WEP 40/128 shared key, Leap, Dynamic WEP, WPA & WPA2
Personal & Enterprise

Older Laptop: WEP 40/128 shared key, 802.1 Cisco LEAP or EAP FAST
--this may be the limiting machine.

I need to rely on list users experience for suggested paths to pursue?

Steven


-- 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang: matching for 'Access-Accept'

2009-08-28 Thread Arran Cudbard-Bell


> There does seem to be a problem, the %control:Packet-Type does not seem
> to expand to a value.
> 
> rad_recv: Access-Accept packet from host 118.67.xxx.xxx port 1812,
> id=10, length=25
> Proxy-State = 0x313534
> +- entering group post-proxy {...}
> 
> ++? if (control:Packet-Type == "Access-Accept")
> expand: %{control:Packet-Type} ->
> ? Evaluating (control:Packet-Type == "Access-Accept") -> FALSE
> ++? if (control:Packet-Type == "Access-Accept") -> FALSE
> .
> 
> Could version 2.1.4 have a bug in this area ?


No. Wrong list. I think it's something like Proxy-Reply:Packet-Type, check man 
unlang for details.

You didn't specify you were wanting to match a Proxied Accept in your original 
post.

-Arran

-- 
Arran Cudbard-Bell ,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang: matching for 'Access-Accept'

2009-08-28 Thread Mike O'Connor
Ivan Kalik wrote:
>> How would I match for the packet type ie 'Access-Accept' in unlang
>> 
>
> Answers to questions like this can be found examining
> dictionary.freeradius.internal. These attributes are mostly on control
> list. So it should be:
>
> if(control:Packet-Type == "Access-Accept") {
> ...
>
> Ivan Kalik
> Kalik Informatika ISP
Hi Ivan

Did not know that this information was available there. Thanks.

There does seem to be a problem, the %control:Packet-Type does not seem
to expand to a value.

rad_recv: Access-Accept packet from host 118.67.xxx.xxx port 1812,
id=10, length=25
Proxy-State = 0x313534
+- entering group post-proxy {...}

++? if (control:Packet-Type == "Access-Accept")
expand: %{control:Packet-Type} ->
? Evaluating (control:Packet-Type == "Access-Accept") -> FALSE
++? if (control:Packet-Type == "Access-Accept") -> FALSE
.

Could version 2.1.4 have a bug in this area ?

Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: "user supplied User-Password does NOT match local User-Password" even though they do.

2009-08-28 Thread Rens Houben
On Fri, 2009-08-28 at 11:51 +0100, Ivan Kalik wrote:
> > On Fri, 2009-08-28 at 11:26 +0100, Ivan Kalik wrote:

> 1. You are using 1.x queries in a 2.x server. Fix that.

> 2. That user was found as system user as well and unix module is enabled.
> You likely have different password in /etc/passwd. Make sure you provide
> only one password to the server.

Here's what I'm getting with a newly made user and the 2.x queries set
up:


++[preprocess] returns ok 
++[chap] returns noop 
++[mschap] returns noop 
rlm_realm: No '@' in User-Name = "Nshadur", looking up realm NULL 
rlm_realm: No such realm "NULL" 
++[suffix] returns noop 
  rlm_eap: No EAP-Message, not doing EAP 
++[eap] returns noop 
++[files] returns noop 

expand: %{User-Name} -> Nshadur 
rlm_sql (sql): sql_set_user escaped user --> 'Nshadur' 
rlm_sql (sql): sql_set_user escaped user --> 'Nshadur' 
rlm_sql (sql): Reserving sql socket id: 4 
expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER
BY id -> SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = 'Nshadur'   ORDER BY id 

+-----+----------+--------------------+-------+------+
| id  | username | attribute          | value | op   |
+-----+----------+--------------------+-------+------+
| 347 | Nshadur  | Cleartext-Password | foo   | :=   |
+-----+----------+--------------------+-------+------+

rlm_sql (sql): User found in radcheck table 
expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER
BY id -> SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = 'Nshadur'   ORDER BY id

+----+----------+---------------+-------+------+
| id | username | attribute     | value | op   |
+----+----------+---------------+-------+------+
| 98 | Nshadur  | Giganews-mbpm | 5     | :=   |
+----+----------+---------------+-------+------+

expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
groupname   FROM radusergroup   WHERE username =
'Nshadur'   ORDER BY priority

+-----------+
| groupname |
+-----------+
| news      |
+-----------+

expand: SELECT id, groupname, attribute,   Value, op
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,   Value, op
FROM radgroupcheck   WHERE groupname = 'news'   ORDER BY
id
+----+-----------+----------------+-------+------+
| id | groupname | attribute      | Value | op   |
+----+-----------+----------------+-------+------+
|  8 | news      | Huntgroup-Name | news  | ==   |
+----+-----------+----------------+-------+------+

rlm_sql (sql): User found in group news 
expand: SELECT id, groupname, attribute,   value, op
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,   value, op
FROM radgroupreply   WHERE groupname = 'news'   ORDER BY
id

+----+-----------+---------------+-------+------+
| id | groupname | attribute     | value | op   |
+----+-----------+---------------+-------+------+
| 27 | news      | Giganews-mbpm | 512   | :=   |
+----+-----------+---------------+-------+------+


rlm_sql (sql): Released sql socket id: 4 
++[sql] returns ok 
++[pap] returns updated 
  rad_check_password:  Found Auth-Type  
auth: type "PAP" 
+- entering group PAP 
rlm_pap: login attempt with password "foo" 
rlm_pap: No password configured for the user.  Cannot do authentication 
++[pap] returns fail 
auth: Failed to validate the user. 
Login incorrect: [Nshadur/foo] (from client giganews port 1) 


The "No password configured for the user" line has me stumped,
personally... 

> Ivan Kalik
> Kalik Informatika ISP
> 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: more than one CA in PEAP

2009-08-28 Thread Trujillo Carmona, Antonio

On Fri, 28-08-2009 at 11:53 +0100, Ivan Kalik wrote:
> > Is this possible?
> > I need to use a self-signed CA and a certificate from FNMT (external agency).
> > How can it be done?
> 
> Multiple eap instances - one for each certificate chain.
> 
> Ivan Kalik
> Kalik Informatika ISP
Thanks, I'll try.
-- 
Please do NOT use proprietary file formats for exchanging documents,
such as DOC and XLS, but HTML, RTF, TXT, CSV or any other format that
does not force the use of a program from a particular vendor to handle
the information they contain.
CHEERS.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: more than one CA in PEAP

2009-08-28 Thread Ivan Kalik
> Is this possible?
> I need to use a self-signed CA and a certificate from FNMT (external agency).
> How can it be done?

Multiple eap instances - one for each certificate chain.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Different reply items out of LDAP depending on the NAS

2009-08-28 Thread Ivan Kalik
> I am trying to have a granular based reply items depending on the NAS they
> connected to all driven using attributes in LDAP without needing to use
> realms.
>
> IE User A passes just User&Password to NAS A. and gets reply attr
> "Service-Type=admin", and the admin comes from an LDAP Attribute "nasA"
> attribute in LDAP
> Same user logs into NAS B and gets back a "Service-Type=user" and the
> value
> user comes from an attribute "nasB".
>
> Looking through the ldap.attrmap it seems to be a static mapping for
> Service-Type to be statically set to a single value from LDAP, but what
> happens if I want that value to be different depending on which NAS I have
> connected from.
>
> Have searched around and haven't found any documents talking about how to
> have this granular level of configuration.

Well, you have custom attributes in Ldap - translate them to custom
attributes in radius (define them first in raddb/dictionary and map them
in ldap.attrmap, lets say nasA to nasA as replyItem, etc.)

Then use unlang to set service type:

if(NAS-IP-Address == NAS A IP) {
 update reply {
  Service-Type = "%{reply:nasA}"
 }
}
elsif(NAS-IP-Address == NAS B IP) {
...

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: "user supplied User-Password does NOT match local User-Password" even though they do.

2009-08-28 Thread Rens Houben
On Fri, 2009-08-28 at 11:26 +0100, Ivan Kalik wrote:

> 
> Remove forcing of Auth-Type Local. Let the server set the auth type.

That resulted in a different error message: 

++[sql] returns ok 
++[pap] returns updated 
  rad_check_password:  Found Auth-Type  
auth: type "PAP" 
+- entering group PAP 
rlm_pap: login attempt with password "foo" 
rlm_pap: No password configured for the user.  Cannot do authentication 
++[pap] returns fail 
auth: Failed to validate the user. 
Login incorrect: [shadur/foo] (from client giganews port 1) 
Delaying reject of request 1 for 1 seconds 



-- 
Rens Houben 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


VMPS Problem with similar requests

2009-08-28 Thread Michael Bryant
Hi,
If two vmps requests are sent in close succession (within cleanup_delay), with
the same source port, from the same switch (which does in fact seem to be
common, as the cisco switch I'm using for testing sends *all* requests with a
source port picked on startup), they are detected by freeradius as
identical, even if they are for different mac addresses.

This means the second request gets the same response as the first, even when
they should be different.

For example, testing with the vqpcli tool:
Close together:
server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w
192.168.248.32 -i Fa0/17 -m 0016.4111.0bfe
Vlan: BRIDGE
MAC Address: 001641110bfe 
Status: ALLOW
server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w
192.168.248.32 -i Fa0/17 -m 0016.4111.0bff
Vlan: BRIDGE
MAC Address: 001641110bfe 
Status: ALLOW

then a short time later (outside cleanup_delay)
server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w
192.168.248.32 -i Fa0/17 -m 0016.4111.0bff
Vlan: 
MAC Address:  
Status: DENY

Which is the correct response

Cheers
--Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: "user supplied User-Password does NOT match local User-Password" even though they do.

2009-08-28 Thread Ivan Kalik
> I've been using FreeRadius for quite some time now, but after a recent
> update (to 2.0.4, debian lenny variant) all users in a certain group
> have stopped authenticating properly, with the above error -- even
> though as far as I can tell the password transmitted (and logged) is
> identical to the one in the database.
>
> I've attached a sample of the logfile, with names and passwords slightly
> edited but otherwise accurate:
>
>
> I've tried everything I could think of, including deleting the user and
> entering the data anew by hand, but the error persists.
>
> Any suggestions to dig further and help me find what I may have missed
> would be welcome.

Remove forcing of Auth-Type Local. Let the server set the auth type.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


more than one CA in PEAP

2009-08-28 Thread Trujillo Carmona, Antonio

Thanks in advance.
Is this possible?
I need to use a self-signed CA and a certificate from FNMT (external agency).
How can it be done?
And sorry for my poor English.

-- 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Error: "user supplied User-Password does NOT match local User-Password" even though they do.

2009-08-28 Thread Rens Houben
Hello,

I've been using FreeRadius for quite some time now, but after a recent
update (to 2.0.4, debian lenny variant) all users in a certain group
have stopped authenticating properly, with the above error -- even
though as far as I can tell the password transmitted (and logged) is
identical to the one in the database.

I've attached a sample of the logfile, with names and passwords slightly
edited but otherwise accurate:


I've tried everything I could think of, including deleting the user and
entering the data anew by hand, but the error persists.

Any suggestions to dig further and help me find what I may have missed
would be welcome.

Regards,

-- 
Rens Houben 
++[suffix] returns noop 
  rlm_eap: No EAP-Message, not doing EAP 
++[eap] returns noop 
++[unix] returns updated 
++[files] returns noop 
expand: %{User-Name} -> shadur 
rlm_sql (sql): sql_set_user escaped user --> 'shadur' 
rlm_sql (sql): Reserving sql socket id: 4 
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '%{SQL-User-Name}' ORDER BY id -> SELECT 
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'shadur' ORDER BY 
id

+-----+----------+--------------------+-------+------+
| id  | UserName | Attribute          | Value | op   |
+-----+----------+--------------------+-------+------+
| 346 | shadur   | Cleartext-Password | foo   | :=   |
+-----+----------+--------------------+-------+------+


rlm_sql (sql): User found in radcheck table 
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '%{SQL-User-Name}' ORDER BY id -> SELECT 
id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'shadur' ORDER BY 
id 
+----+----------+---------------+--------+------+
| id | UserName | Attribute     | Value  | op   |
+----+----------+---------------+--------+------+
| 56 | shadur   | Giganews-mbpm | 512000 | :=   |
+----+----------+---------------+--------+------+


expand: SELECT GroupName FROM usergroup WHERE 
UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE 
UserName='shadur' 
+-----------+
| GroupName |
+-----------+
| news      |
+-----------+

expand: SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' 
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> 
SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'shadur' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id 
+----+-----------+----------------+-------+------+
| id | GroupName | Attribute      | Value | op   |
+----+-----------+----------------+-------+------+
|  8 | news      | Huntgroup-Name | news  | ==   |
|  9 | news      | Auth-Type      | Local | :=   |
+----+-----------+----------------+-------+------+


rlm_sql (sql): User found in group news 
expand: SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' 
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> 
SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'shadur' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id 
+----+-----------+---------------+-------+------+
| id | GroupName | Attribute     | Value | op   |
+----+-----------+---------------+-------+------+
| 25 | news      | Auth-Type     | Local | :=   |
| 27 | news      | Giganews-mbpm | 512   | :=   |
+----+-----------+---------------+-------+------+


rlm_sql (sql): Released sql socket id: 4 
++[sql] returns ok 
rlm_pap: Found existing Auth-Type, not changing it. 
++[pap] returns noop 
  rad_check_password:  Found Auth-Type Local 
auth: type Local 
auth: user supplied User-Password does NOT match local User-Password 
auth: Failed to validate the user. 
Login incorrect: [shadur/foo] (from client giganews port 1) 


Different reply items out of LDAP depending on the NAS

2009-08-28 Thread Peter Lambrechtsen
I am trying to have granular reply items depending on the NAS they
connected to, all driven using attributes in LDAP without needing to use
realms.

I.e. User A passes just User&Password to NAS A and gets reply attr
"Service-Type=admin", and the admin comes from an LDAP attribute "nasA"
in LDAP.
The same user logs into NAS B and gets back a "Service-Type=user", and the value
user comes from an attribute "nasB".

Looking through the ldap.attrmap it seems to be a static mapping for
Service-Type to be statically set to a single value from LDAP, but what
happens if I want that value to be different depending on which NAS I have
connected from?

Have searched around and haven't found any documents talking about how to
have this granular level of configuration.

Any suggestions?

Re: HowTo: eap-tls with crl and two level CA certificate

2009-08-28 Thread Ivan Kalik
> My freeradius version is 2.1.1. When I configure eap-tls with a crl and a one
> level root certificate, it works normally. But when the ca is two level,
> the root ca is for signing the second level CA certificate, and the second
> level CA is for signing user certificates and crls. This means the root ca
> certificate is self-signed, but the second level ca certificate is not. How
> can I configure this? I got the error message below:
> [tls] eaptls_verify returned 11
> [tls] <<< TLS 1.0 Handshake [length 0477], Certificate
> --> verify error:num=3:unable to get certificate CRL
> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

This means that you haven't imported the bundle onto the client.

>#  Trusted Root CA list
>#
>#  ALL of the CA's in this list will be trusted
>#  to issue client certificates for authentication.
>#
>#  In general, you should use self-signed
>#  certificates for 802.1x (EAP) authentication.
>#  In that case, this CA file should contain
>#  *one* CA certificate.
>#
>#  This parameter is used only for EAP-TLS,
>#  when you issue client certificates.  If you do
>#  not use client certificates, and you do not want
>#  to permit EAP-TLS authentication, then delete
>#  this configuration item.
>CA_file = ${cadir}/ca.pem

ca.pem should also contain a certificate bundle.

Ivan Kalik
Kalik Informatika ISP

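The point Ivan makes (the trusted CA file must carry the whole chain, and CRL checking needs the issuing sub-CA's CRL) can be reproduced with nothing but the openssl command line. The script below is an added example, not code from the thread or from FreeRADIUS: it builds a throwaway two-level CA (the names ExampleRootCA, ExampleSubCA and the user alice are made up), then reports the X.509 verify error number for five situations: only the root CA trusted, the root+intermediate bundle trusted, the bundle with CRL checking on but no CRL (the thread's "unable to get certificate CRL", error 3), the bundle plus the sub-CA's CRL, and the same after the client certificate has been revoked.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: build a two-level
# CA with the openssl command line and watch how chain verification reacts
# to what the trusted CA file contains. Names (ExampleRootCA, ExampleSubCA,
# alice) are made up; only a POSIX shell and openssl are needed.

pki_build() {          # usage: pki_build <empty work dir>
    ( set -e; cd "$1"
      mkdir -p newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
      cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = sub_ca
[ sub_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
certificate = ./sub.pem
private_key = ./sub.key
serial = ./serial
crlnumber = ./crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
      # Level 1: self-signed root CA.
      openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -subj /CN=ExampleRootCA \
          -config openssl.cnf -extensions v3_ca -keyout root.key -out root.pem
      # Level 2: intermediate CA signed by the root, so NOT self-signed.
      openssl req -new -newkey rsa:2048 -nodes -subj /CN=ExampleSubCA \
          -config openssl.cnf -keyout sub.key -out sub.csr
      openssl x509 -req -days 365 -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
          -extfile openssl.cnf -extensions v3_ca -out sub.pem
      # Client (supplicant) certificate issued by the intermediate through
      # `openssl ca`, so that it can be revoked and a CRL produced later.
      openssl req -new -newkey rsa:2048 -nodes -subj /CN=alice \
          -config openssl.cnf -keyout client.key -out client.csr
      openssl ca -batch -notext -config openssl.cnf -extensions v3_client \
          -in client.csr -out client.pem
      openssl ca -config openssl.cnf -gencrl -out sub.crl
      # What CA_file has to hold for a two-level CA: root AND intermediate.
      cat root.pem sub.pem > bundle.pem
    ) >/dev/null 2>&1
}

pki_revoke() {         # usage: pki_revoke <work dir>; revokes alice and reissues the CRL
    ( set -e; cd "$1"
      openssl ca -config openssl.cnf -revoke client.pem
      openssl ca -config openssl.cnf -gencrl -out sub.crl
    ) >/dev/null 2>&1
}

# Print the X.509 verify error number (0 = chain verified).
# usage: pki_verify_errno <cafile> <cert> [extra `openssl verify` options]
pki_verify_errno() {
    ca=$1; cert=$2; shift 2
    out=$(openssl verify -CAfile "$ca" "$@" "$cert" 2>&1) || true
    code=$(printf '%s\n' "$out" \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1)
    printf '%s\n' "${code:-0}"
}

demo() {   # prints 20, 0, 3, 0, 23 on OpenSSL 1.1 and 3.x
    w=$(mktemp -d)
    pki_build "$w"
    echo "root CA only (no issuer for alice):      $(pki_verify_errno "$w/root.pem" "$w/client.pem")"
    echo "root+intermediate bundle:                $(pki_verify_errno "$w/bundle.pem" "$w/client.pem")"
    echo "bundle, CRL check on, no CRL (thread):   $(pki_verify_errno "$w/bundle.pem" "$w/client.pem" -crl_check)"
    echo "bundle, CRL check on, sub-CA CRL given:  $(pki_verify_errno "$w/bundle.pem" "$w/client.pem" -crl_check -CRLfile "$w/sub.crl")"
    pki_revoke "$w"
    echo "same after revoking alice:               $(pki_verify_errno "$w/bundle.pem" "$w/client.pem" -crl_check -CRLfile "$w/sub.crl")"
    rm -rf "$w"
}
demo
```

Error 20 ("unable to get local issuer certificate") is what you get when only the root is trusted and the intermediate is missing; error 3 is the thread's message and appears as soon as CRL checking is on without a CRL from the certificate's issuer, which for a two-level CA is the intermediate, not the root. For FreeRADIUS the equivalent of bundle.pem is concatenating the root and intermediate certificates into the file named by CA_file, and for check_crl = yes the comments in eap.conf describe putting the CA certificates and CRLs into CA_path and running c_rehash on that directory.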


Re: accounting through detail module help

2009-08-28 Thread ramesh p
Thanks. It's working fine.

Re: unlang: matching for 'Access-Accept'

2009-08-28 Thread Ivan Kalik
> How would I match for the packet type, i.e. 'Access-Accept', in unlang?

Answers to questions like this can be found by examining
dictionary.freeradius.internal. These attributes are mostly on the control
list. So it should be:

if(control:Packet-Type == "Access-Accept") {
...

Ivan Kalik
Kalik Informatika ISP



Re: deny access with huntgroups

2009-08-28 Thread mikoi

>SQL-Group == "" is equivalent to that.

>> "%{sql AND so on...

>You can do:

>if(statement && another statement || other statement) {
>...
>Ivan Kalik
>Kalik Informatika ISP

This is awesome! Thanks for taking the time to answer my obvious questions.
/Mika

-- 
View this message in context: 
http://www.nabble.com/deny-access-with-huntgroups-tp25151127p25186064.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: monitoring buffered-sql

2009-08-28 Thread Ivan Kalik
> I installed freeradius with detail and buffered-sql active. How do I monitor
> the buffered-sql module if it stops or sleeps for a very long time responding
> to the mysql db?
> I saw all of a sudden that buffered-sql was not pushing packets to the mysql db
> yesterday. After restarting the radius process it started processing.
> Please suggest.

Monitor the database, not the module. If the last insert is x minutes/hours ago,
send an alert or even restart radiusd. I have an alert: first examine the packet
that caused the freeze, then release the rest. In my experience, every time the
reason for the freeze was a database backup; I am backing it up via the
network, so it can be slow.

Ivan Kalik
Kalik Informatika ISP

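Ivan's advice as a cron-able script: an added example, not code from the thread or from FreeRADIUS. It watches the age of the newest row in radacct rather than the module, alerts past a threshold, shows the packet at the head of the detail reader's work file (his "examine the packet that caused the freeze" step), and restarts radiusd only when explicitly enabled. Assumptions: the FreeRADIUS 2.x MySQL schema (radacct with an acctstarttime column), a mode-600 MySQL option file holding the credentials, that the detail listener works on a copy named <detail>.work, and the placeholder paths, restart command and alert channel below.

```shell
#!/bin/sh
# Added example, not from the thread: watch the database instead of the
# buffered-sql module. If radacct has not received a new row for MAX_AGE
# seconds, raise an alert, show the packet at the head of the detail
# reader's work file, and (only if RESTART_ON_STALE=yes) restart radiusd.
# Assumed: FreeRADIUS 2.x MySQL schema (acctstarttime), a mode-600 MySQL
# option file with the credentials, and the paths below (placeholders).

DB_CNF=${DB_CNF:-/etc/freeradius/radacct-monitor.cnf}   # [client] user/password/host
DB_NAME=${DB_NAME:-radius}
MAX_AGE=${MAX_AGE:-900}                                  # seconds without a new row
DETAIL_FILE=${DETAIL_FILE:-/var/log/freeradius/radacct/detail}
RESTART_ON_STALE=${RESTART_ON_STALE:-no}
RESTART_CMD=${RESTART_CMD:-"/etc/init.d/freeradius restart"}

# Unix time of the newest accounting start record; prints NULL on an empty table.
radacct_last_epoch() {
    mysql --defaults-extra-file="$DB_CNF" -N -s "$DB_NAME" \
        -e 'SELECT UNIX_TIMESTAMP(MAX(acctstarttime)) FROM radacct'
}

# Classify the feed. usage: feed_age <last_epoch> <now_epoch> <max_age>
# Prints the age in seconds ("unknown" if no usable timestamp);
# exit status 0 = fresh, 1 = stale or unknown.
feed_age() {
    last=$1; now=$2; max=$3
    case $last in
        ''|*[!0-9]*) echo unknown; return 1 ;;   # NULL, error text, nothing at all
    esac
    age=$((now - last))
    echo "$age"
    [ "$age" -le "$max" ]
}

alert() {   # placeholder notification channel: syslog plus stderr
    logger -t radacct-monitor -p daemon.err "$*" 2>/dev/null
    echo "radacct-monitor: $*" >&2
}

main() {
    last=$(radacct_last_epoch 2>/dev/null) || last=''
    if age=$(feed_age "$last" "$(date +%s)" "$MAX_AGE"); then
        echo "radacct feed OK: newest row is ${age}s old"
        return 0
    fi
    alert "no new radacct row for ${age}s (limit ${MAX_AGE}s); buffered-sql may be stuck"
    # First step from the thread: look at the packet the reader is stuck on.
    # The detail listener is assumed to process a renamed copy, <detail>.work.
    [ -r "$DETAIL_FILE.work" ] && head -n 40 "$DETAIL_FILE.work" >&2
    if [ "$RESTART_ON_STALE" = yes ]; then
        alert "restarting radiusd: $RESTART_CMD"
        $RESTART_CMD
    fi
    return 1
}

if [ "${1:-}" = "--check" ]; then main; fi
```

Run it as `radacct-monitor.sh --check` from cron; the credentials stay out of the process list because they come from the option file rather than `-p` on the command line. Keeping the threshold logic in feed_age separate from the query makes it testable without a database and keeps the classification explicit: an empty table or a failed query counts as stale, not as fresh.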


Re: deny access with huntgroups

2009-08-28 Thread Ivan Kalik
>
>> You have to enforce reject:
>
>> if(SQL-Group == "vpnuser") {
>> ok
>> }
>> else {
>> reject
>> }
>
>> Ivan Kalik
>> Kalik Informatika ISP
> Alright, that makes sense.
> But can the if(xxx) contain several sql-queries to the database?
> The username and groupname from radusergroup and groupname from radhuntgroup
> need to be matched somehow so that no one not in the right group can get through.
>
> Something like:
>
> if(SQL-Group == "%{sql:select groupname  AND  SQL-User-Name ==

SQL-Group == "" is equivalent to that.

> "%{sql AND so on...

You can do:

if(statement && another statement || other statement) {
...


Ivan Kalik
Kalik Informatika ISP



Re: deny access with huntgroups

2009-08-28 Thread mikoi

> You have to enforce reject: 

> if(SQL-Group == "vpnuser") { 
> ok 
> } 
> else { 
> reject 
> } 

> Ivan Kalik 
> Kalik Informatika ISP 
Alright, that makes sense.
But can the if(xxx) contain several sql-queries to the database?
The username and groupname from radusergroup and groupname from radhuntgroup
need to be matched somehow so that no one not in the right group can get through.

Something like:

if(SQL-Group == "%{sql:select groupname  AND  SQL-User-Name ==
"%{sql AND so on...

Sorry for the obvious questions, but you are helping me a lot. Thanks.

/Mika
-- 
View this message in context: 
http://www.nabble.com/deny-access-with-huntgroups-tp25151127p25185118.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
