RE:

2009-10-20 Thread INACIO ALVES
> But, how I said, I don't need proxy, Then I have commented the line proxy
> proxy_requests  = no
> #$INCLUDE proxy.conf

> ... and broke the server (inner-tunnel processing). Well done! Now put it
> back the way it was.

I read in radiusd.conf:

#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.

so I disabled the proxy. But the next lines say:

#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.

How can I turn off the proxy when my config file says to proxy requests? I think
it was this that broke my server.
P.S. I have returned to the default configuration:
proxy_requests  = yes
$INCLUDE proxy.conf


Inácio Alves
http://www.polluxweb.com/inacioalves/site


  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re:

2009-10-20 Thread INACIO ALVES
Thanks Alan DeKok, but I have some questions.

> So, how I said in the last post,
> the HOW_TO about SQL is out-of-date. The tables has name/schema changed.
> But I will have success.

>   All of this is documented in the config files.

I searched in the config files but I didn't find anything about these changes. The
sql directory has only the schemas for the databases, and the sql.conf file
has only the configuration to access the database.

> See raddb/sites-available/dhcp, and modules/mac2ip

Are there no problems in using these options? I read that it is in an experimental
stage. I think that this could break my server.

No more, thanks
Inácio Alves
http://www.polluxweb.com/inacioalves/site





Re: Session resumption problem

2009-10-20 Thread David Mitchell
Alexander Clouter wrote:

> Make sure you 'git cherry-pick' the patches related to:
> 
> https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=15
> https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=21
> 
> ...if you are using a vanilla 2.1.7.

Thanks for the heads up. I'm currently in a testing phase, so I'll
probably just grab the current git version and run that. Given the rate
things move for me, 2.1.8 will be out by the time I'm ready for production.

-David

> 
> Cheers
> 


-- 
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |


Re: Session resumption problem

2009-10-20 Thread Alexander Clouter
David Mitchell  wrote:
>
> Alan DeKok wrote:
>
>> David Mitchell wrote:
>>> I was searching back in the archives, and in September there was a user
>>> who reported a problem with session resumption. I'm seeing the exact
>>> same symptoms I believe, also on Debian 5.0 with OpenSSL 0.9.8g. I never
>>> saw any follow up? Is there a fix known for this? I am using a locally
>>> compiled version of FreeRadius 2.1.7. It's linked against the system
>>> OpenSSL libraries though. Building a local 0.9.8k or even 1.0.0 is
>>> certainly an option if there is a chance it will help.
>> 
>>   There isn't a lot we can do.  It's not clear *why* OpenSSL resumes
>> sessions when session resumption is disabled.
> 
> I did manage to find an easy workaround for this. Simply enabling the
> cache in eap.conf allows these connections to succeed. I think there may
> still be a bug somewhere, or maybe more than one. At a minimum it seems
> a bit foolish for wpa_supplicant to keep trying to do a fast reconnect
> after getting an Access-Reject.
> 
> Whatever the root problem is, there is an easy workaround. I wanted to
> follow up primarily in case others find this thread in the future it
> will have a workaround. I'm guessing the only real downside to enabling
> the EAP cache is memory usage, which I'm not too worried about.
> 
Make sure you 'git cherry-pick' the patches related to:

https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=15
https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=21

...if you are using a vanilla 2.1.7.

Cheers

-- 
Alexander Clouter
.sigmonster says: I'm not laughing with you, I'm laughing at you.



Re: how to call an external script once the users is expired?

2009-10-20 Thread aangles

Hello


I store the expiration date as a radius attribute inside the LDAP (radius
profile object class).

But where do I check this value and where do I call the script? In which module?

The thing is clear: I do not know where to configure it, in which file. For
example, the echo module is clear: if it is instantiated in the authorize
section then it is executed.

thanks


Ivan Kalik wrote:
> 
>> please i need to know how to call an external script once the user is
>> expired.
>> I got radius call an external script once the user is authenticated with
>> success by using the echo module, but now I need to call another script
>> when
>> the user tries to connect after expiration date.
> 
> Where do you store expiration date? If it's in a database you can make a
> query that checks if Expiration value is less than now() and then calls
> the script.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 



Re: {control:SQL-Group} in post-auth

2009-10-20 Thread Ivan Kalik
> Ok, we can see that because ###if ( SQL-Group == my_pool ) ### - so,
> radius try to use new SQL query to sql DB.. But why? In this point
> radius knows that user had been found in group my_pool - see ###point
> 1###.

And what if user belongs to more than one group? What value should
SQL-Group have then?

SQL-Group and Ldap-Group are not "true" attributes but are used for
comparing values instead. SQL-Group is internally used by the sql module
(instances) but is not placed on the attribute list, nor is a list of
found groups made. It's just used for radgroupcheck/radgroupreply queries.
That is because there is no requirement to use sql in authorize (that's
when the sql module tests group membership) - you can use SQL-Group without
listing sql there (if it's not listed anywhere you need to list sql in
instantiate).

Ivan Kalik
Kalik Informatika ISP



Re: how to call an external script once the users is expired?

2009-10-20 Thread Ivan Kalik
> please i need to know how to call an external script once the user is
> expired.
> I got radius call an external script once the user is authenticated with
> success by using the echo module, but now I need to call another script
> when
> the user tries to connect after expiration date.

Where do you store the expiration date? If it's in a database you can make a
query that checks if the Expiration value is less than now() and then calls
the script.

Ivan Kalik
Kalik Informatika ISP



Re: Question about Max-All-Session vs. Expiration attributes

2009-10-20 Thread Ivan Kalik
> We sell our time in Day, Week and Month
> increments, and the users are free to use the system as much as they want
> during their time.  My question is, do I really need to use
> Max-All-Session
> if all I really need is a hard expiration date for my users?

You don't need Max-All-Session then.

Ivan Kalik
Kalik Informatika ISP



Re: Clear Text PAP passwords - how to enable

2009-10-20 Thread Ivan Kalik
Don't use User-Password at all. See man rlm_pap.

Ivan Kalik
Kalik Informatika ISP

> user password i guess is same as System?
>
> On Mon, Oct 19, 2009 at 11:49 AM, Alan Buxey
> wrote:
>
>> Hi,
>>
>> > But I still got small problem, when i run in de debug mode i saw this
>> > warning. I'm not fully sure what it asks me to do? Any advice on this?
>>
>> its fairly clear isnt it? the error is written very clearly. follow
>> the advice.
>>
>> > !!! Please update your configuration so that the "known good"
>> > !!! clear text password is in Cleartext-Password, and not in
>> User-Password.
>>
>> somewhere in your config you are matching against 'User-Password'.
>> change that attribute to 'Cleartext-Password'
>>
>> alan


Re: Session resumption problem

2009-10-20 Thread David Mitchell
Alan DeKok wrote:
> David Mitchell wrote:
>> I was searching back in the archives, and in September there was a user
>> who reported a problem with session resumption. I'm seeing the exact
>> same symptoms I believe, also on Debian 5.0 with OpenSSL 0.9.8g. I never
>> saw any follow up? Is there a fix known for this? I am using a locally
>> compiled version of FreeRadius 2.1.7. It's linked against the system
>> OpenSSL libraries though. Building a local 0.9.8k or even 1.0.0 is
>> certainly an option if there is a chance it will help.
> 
>   There isn't a lot we can do.  It's not clear *why* OpenSSL resumes
> sessions when session resumption is disabled.

I did manage to find an easy workaround for this. Simply enabling the
cache in eap.conf allows these connections to succeed. I think there may
still be a bug somewhere, or maybe more than one. At a minimum it seems
a bit foolish for wpa_supplicant to keep trying to do a fast reconnect
after getting an Access-Reject.

Whatever the root problem is, there is an easy workaround. I wanted to
follow up primarily in case others find this thread in the future it
will have a workaround. I'm guessing the only real downside to enabling
the EAP cache is memory usage, which I'm not too worried about.

-David Mitchell



> 
>   Alan DeKok.

-- 
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |


how to call an external script one the users is expired?

2009-10-20 Thread aangles

hello,

please I need to know how to call an external script once the user is
expired.
I got radius to call an external script once the user is authenticated
successfully by using the echo module, but now I need to call another script when
the user tries to connect after the expiration date.
Any ideas?

thanks a lot


how to call an external script once the users is expired?

2009-10-20 Thread aangles

hello,

please I need to know how to call an external script once the user is
expired.
I got radius to call an external script once the user is authenticated
successfully by using the echo module, but now I need to call another script when
the user tries to connect after the expiration date.
Any ideas?

thanks a lot


Question about Max-All-Session vs. Expiration attributes

2009-10-20 Thread Cory Hill
I have a successful wifi captive portal system running with FreeRadius and
HP Procurve equipment.  When I originally started learning how to build it,
I used WiFiGator as my first test case.  When they set up that system, they
used both the Max-All-Session and the Expiration attributes for all users,
so I am still doing this now.  We sell our time in Day, Week and Month
increments, and the users are free to use the system as much as they want
during their time.  My question is, do I really need to use Max-All-Session
if all I really need is a hard expiration date for my users?
Thank you in advance.

Re: Clear Text PAP passwords - how to enable

2009-10-20 Thread Alex M
User password I guess is the same as System?

On Mon, Oct 19, 2009 at 11:49 AM, Alan Buxey wrote:

> Hi,
>
> > But I still got small problem, when i run in de debug mode i saw this
> > warning. I'm not fully sure what it asks me to do? Any advice on this?
>
> its fairly clear isnt it? the error is written very clearly. follow
> the advice.
>
> > !!! Please update your configuration so that the "known good"
> > !!! clear text password is in Cleartext-Password, and not in
> User-Password.
>
> somewhere in your config you are matching against 'User-Password'.
> change that attribute to 'Cleartext-Password'
>
> alan

{control:SQL-Group} in post-auth

2009-10-20 Thread Anton Borisov

Hello!


My user is inserted in group = my_pool in the sql DB.

I am trying to use in my sites-enabled/default something like this:

post-auth {
...
...
if ( SQL-Group == my_pool ) {
...
...
}
}


when my user comes I can see it :

Tue Oct 20 18:49:23 2009 : Info: [sqlauth] 	expand: SELECT 
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'%{SQL-User-Name}' ORDER BY id

...
Tue Oct 20 18:49:23 2009 : Info: [sqlauth] 	expand: SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
 FROM radgroupcheck,usergroup WHERE (usergroup.Username = 
'%{SQL-User-Name}' OR usergroup.CLID = '%{Calling-Station-Id}') AND 
usergroup.GroupName = radgroupcheck.GroupName AND usergroup.GroupName = 
'%{SQL-Group}' ORDER BY usergroup.PRIORITY,radgroupcheck.id

...
Tue Oct 20 18:49:23 2009 : Info: [sqlauth] User found in group my_pool
...


Ok, we can see that the user is in the my_pool group - this is ## point 1


...
Tue Oct 20 18:49:23 2009 : Info: +- entering group post-auth {...}
Tue Oct 20 18:49:23 2009 : Info: ++[exec] returns noop
Tue Oct 20 18:49:23 2009 : Info: ++? if (SQL-Group == pool )
Tue Oct 20 18:49:23 2009 : Info: sql_groupcmp
Tue Oct 20 18:49:23 2009 : Debug: rlm_sql (sqlacct): Reserving sql 
socket id: 24
Tue Oct 20 18:49:23 2009 : Info: 	expand: SELECT GroupName FROM 
usergroup WHERE UserName='%{SQL-User-Name}' OR 
CLID='%{Calling-Station-Id}' order by priority -> SELECT GroupName FROM 
usergroup WHERE UserName='bebebeb' OR CLID='bebebeb' order by priority
Tue Oct 20 18:49:23 2009 : Info: sql_groupcmp finished: User is a member 
of group pool
Tue Oct 20 18:49:23 2009 : Debug: rlm_sql (sqlacct): Released sql socket 
id: 24

Tue Oct 20 18:49:23 2009 : Info: ? Evaluating (SQL-Group == pool ) -> TRUE
Tue Oct 20 18:49:23 2009 : Info: ++? if (SQL-Group == pool ) -> TRUE
Tue Oct 20 18:49:23 2009 : Info: ++- entering if (SQL-Group == pool ) {...}



Ok, we can see that because of ###if ( SQL-Group == my_pool ) ###, radius
tries to use a new SQL query to the sql DB.. But why? At this point
radius knows that the user has been found in group my_pool - see ###point 1###.



Can I use another word for this check? For example
if ( '%{control:SQL-Group}' == my_pool ) {  }
because at this point I know exactly that my user belongs to group
my_pool (see point 1).
If I can use the previous sql-select (###point 1), I do not have to make
another SQL query every time I use "if (SQL-Group == my_pool)".



--
Yours faithfully,
Anton Borisov.


Re: Windows client MS-chap auto-reauthentication

2009-10-20 Thread Alan DeKok
Doc Phillips wrote:
> I was thinking something along the lines of
> "--require-membership-of=domain\\ computers" &&
> "--require-membership-of=domain\\ users".  You can only access the
> network if you're logging on from a valid machine with valid
> credentials.  Does that make sense or am I totally off?

  Pass those command-line options to ntlm_auth?  Sure, I guess.

  Alan DeKok.


Re: Re: IP address assignment for the authenticated users in Free

2009-10-20 Thread David Mitton


Just because RADIUS has an attribute defined, doesn't mean the NAS supports it for your use.
In general, the IP address assignment attributes are intended for use with NAS's that are point-to-point access routers where the address will be for an "unnumbered" connection, where the link level understands such an assignment.
 
802.11 Wifi Access Points don't do this.  There is no link level mechanism for it.  You must use DHCP or static assignments.
 
Dave.

Oct 20, 2009 05:48:34 AM, t...@kalik.net wrote:

> > Alan Thanks for the quick reply.
> > I would like to have one more clarification.
> > Can we use IP addrss as Attribute value pair so that the RADIUS server
> > throws IPs dynamically to users after authentication.
>
> Did you actually read the reply?
>
> >   For WiFi authentication, you need a DHCP server.  Sending IP addresses
> > to the NAS in a RADIUS packet won't work.
> >
> >   You can configure FreeRADIUS to be a DHCP server, but that involves
> > creating a DHCP configuration, not a RADIUS configuration.
>
> Ivan Kalik
> Kalik Informatika ISP

Re: Proxy based on Multiple Realms

2009-10-20 Thread Bob Brandt
Oops, just a typo   :)

Anyway I have tested it with one domain (I will have more in the future)
but in theory it should work and my testing using RADNTPING and RADIUS -X
shows that it should.

Thanks
Bob

On Tue, Oct 20, 2009 at 12:36 PM, Alan Buxey wrote:

> Hi,
>
> > if ( User-Name =~ /^host\//i ) {
> > if ( User-Name =~ /\\.first\\.domain$/i ) {
> > update control {
> > Proxy-To-Realm := "first.domain"
> > }
> > }
> > if ( User-Name =~ /\\.second\\.domain$/i ) {
> > update control {
> > Proxy-To-Realm := "second.domain"
> > }
> > }
> > if ( User-Name =~ /\\*.third*\\.domain$/i ) {
> > update control {
> > Proxy-To-Realm := "third.domain"
> > }
> > }
> > }
>
> will that 4th if ever work (first.domain being sent to third.domain)
> as the match would have already happened on the 2nd if..
>
> alan



-- 
The problem with socialism is that you eventually run out of other people's
money.  -  Margaret Thatcher

Re: Windows client MS-chap auto-reauthentication

2009-10-20 Thread Doc Phillips
On Tue, Oct 20, 2009 at 2:46 AM, Alan DeKok wrote:

> Doc Phillips wrote:
> > I'm trying to prevent rogue devices from connecting to production and
> > obviously only allow valid users & devices.  The current setup states
> > members of domain computers or domain users are allowed to auth against
> > the radius server.  Do you know if its possible through freeradius to
> > allow these devices AND these users only?
>
> > Yes.  FreeRADIUS can do machine && user authentication against Active
> >Directory, using Samba.
>
>  Thanks I'll research that further.


> >  We're using eap-peap-mschapv2
> > as our current authentication method.  Is there a way using
> > --require-membership-of to combine users AND groups perhaps through some
> > type of regular expression?
>
> > I'm not sure what that means.
>

I was thinking something along the lines of
"--require-membership-of=domain\\ computers" &&
"--require-membership-of=domain\\ users".  You can only access the network
if you're logging on from a valid machine with valid credentials.  Does that
make sense or am I totally off?

Thanks again for all the help!!

>
>  Alan DeKok.

Re: EAP (RFC- 3579) under GPL with FreeRadius1.1.8?

2009-10-20 Thread Alan DeKok
Divyank Rastogi wrote:
> I was going through FreeRadius1.1.8 code when i saw that unlike the SRC
> code which is LGPL, EAP code is under GPL. 

  You need to read the licenses to the source code you are using.  In
this case, you haven't read them carefully enough.

  The src/lib directory is LGPL.  EVERYTHING ELSE is GPL.

> As per my understanding LGPL (and not GPL) is applicable to be freely
> distributes as statically linked libraries

  Not really, no.  You need to provide the ability to re-link programs
if you use an LGPL version.  This usually means:

a) distributing a dynamically linked version

b) distributing a statically linked version, along with the
   ".o" files for all of your proprietary source code.

> I am planning to use the source code in the lib folder as well as that
> in the module folder (for supporting rfc-3579) in FreeRadius. Are there
> going to be issues in statically linking this code? 

  Yes.  You will be violating the GPL license.  This is, without
question, wrong.

> If so, can anyone please help out with ideas on how to circumvent the
> issue (including other (licensed) vendor recommendations as well).

  Go pay money for a proprietary EAP implementation, *or* find a BSD
licensed one.

  Alan DeKok.


EAP (RFC- 3579) under GPL with FreeRadius1.1.8?

2009-10-20 Thread Divyank Rastogi
Hi,

I was going through the FreeRadius 1.1.8 code when I saw that unlike the SRC code
which is LGPL, the EAP code is under GPL.

As per my understanding, LGPL (and not GPL) code can be freely
distributed as statically linked libraries, and the files in the ‘module’ folder
are protected by GPL as against the ‘lib’ files which are protected by
LGPL.

I am planning to use the source code in the lib folder as well as that in
the module folder (for supporting rfc-3579) in FreeRadius. Are there going
to be issues in statically linking this code?
If so, can anyone please help out with ideas on how to circumvent the issue
(including other (licensed) vendor recommendations as well).

Thanks,
Divyank

Is Radius 2.1.7 available for FreeBSD?

2009-10-20 Thread Alisson
Is Radius 2.1.7 available for FreeBSD?

-- 
Att.
Alisson F. Gonçalves
Sistemas de Informação - UFGD

Re:

2009-10-20 Thread Alan DeKok
INACIO ALVES wrote:
> I think that lack documentation to work with freeRADIUS. The new version
> 2.x is very different from early 1.x.

  And it contains a lot more documentation than 1.x.

> So, how I said in the last post,
> the HOW_TO about SQL is out-of-date. The tables has name/schema changed.
> But I will have success.

  All of this is documented in the config files.

> Finally.
> About the DHCP: As I said, my AP ignores the configuration that I set
> in the users file, even if I disable the DHCP server in the AP.

  That's how EAP works.

> If I configure a DHCP server on my freeRADIUS server, do I need to attach
> MACxIP, or if I set the configuration in the users file will this
> information go to the client?

  See raddb/sites-available/dhcp, and modules/mac2ip

  Examples exist for all of this.

  Alan DeKok.


RE:

2009-10-20 Thread INACIO ALVES
Thanks Santiago and Ivan,

The schema of the database is in the source of the installation and I have created my
database in MySQL.

I think that there is a lack of documentation to work with freeRADIUS. The new version 2.x is
very different from the early 1.x. So, as I said in the last post, the HOW_TO
about SQL is out-of-date. The tables have had name/schema changes. But I will have
success.

Finally.
About the DHCP: As I said, my AP ignores the configuration that I set in the
users file, even if I disable the DHCP server in the AP.
If I configure a DHCP server on my freeRADIUS server, do I need to attach MACxIP, or if
I set the configuration in the users file will this information go to the client?


Again thanks to all,

Inácio Alves
http://www.polluxweb.com/inacioalves/site





RE: Ldap search and AD operations error

2009-10-20 Thread Leighton Man

> Subject: RE: Ldap search and AD operations error
>
> Leighton,
>
> Try using ldapsearch in verbose mode (and debug mode) to get
> more info from AD.
>
> ldapsearch -v -h  -D "cn= dc=ad,
> dc=hud, dc=ac, dc=uk"  -w  -x -b "dc=ad, dc=hud,
> dc=ac, dc=uk"
> "(sAMAccountName=mytestusername)"
>
> From a Windows machine, you can also use tools from joeware.com, try
> adfind (http://www.joeware.net/freetools/tools/adfind/index.htm).
>
> Once you are able to successfully query AD from a Windows
> machine and/or ldapsearch, update your FR configuration and try again.
>
> Tim
>

Many thanks for the reply Tim and apologies for the long delay before trying 
this.

Ldapsearch from the command line as you suggest above works fine yet the debug 
from FR shows this:

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=ad, dc=hud, dc=ac, dc=uk, with filter 
(sAMAccountName=mytestusername)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

The basedn and filter are identical on the command line and in the config. If I 
specify an AD container in the config, the search succeeds (providing it's the 
right container, of course )

Any more ideas - I'm really stuck on this one!

Leighton




Re: Proxy based on Multiple Realms

2009-10-20 Thread Alan Buxey
Hi,

> if ( User-Name =~ /^host\//i ) {
> if ( User-Name =~ /\\.first\\.domain$/i ) {
> update control {
> Proxy-To-Realm := "first.domain"
> }
> }
> if ( User-Name =~ /\\.second\\.domain$/i ) {
> update control {
> Proxy-To-Realm := "second.domain"
> }
> }
> if ( User-Name =~ /\\.first\\.domain$/i ) {
> update control {
> Proxy-To-Realm := "third.domain"
> }
> }
> }

will that 4th if ever work (first.domain being sent to third.domain)
as the match would have already happened on the 2nd if..

alan


Re: Proxy based on Multiple Realms

2009-10-20 Thread Bob Brandt
Okay, just to update everyone and for others that might search this
mail-listing:

I have finally got it: using the code below in the authorize section I
can send host authentication to multiple proxies based on domain name.

if ( User-Name =~ /^host\//i ) {
if ( User-Name =~ /\\.first\\.domain$/i ) {
update control {
Proxy-To-Realm := "first.domain"
}
}
if ( User-Name =~ /\\.second\\.domain$/i ) {
update control {
Proxy-To-Realm := "second.domain"
}
}
if ( User-Name =~ /\\.first\\.domain$/i ) {
update control {
Proxy-To-Realm := "third.domain"
}
}
}

For whatever reason I had to use 2 backslashes in front of the period in the
domain names?? But anyway, this part of the project is working.

Thanks for all the help!
Bob
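To see why Alan Buxey's question about the third `if` matters, here is an added Python simulation (not part of the thread and not FreeRADIUS code) of how Bob's consecutive unlang `if` blocks resolve: each block is evaluated in turn and every `Proxy-To-Realm := ...` overwrites the value set before it, so when two blocks match the last one decides the realm. The host names, the realm list and the single-backslash Python regexes are assumptions made for the example; the doubled backslashes Bob needed in unlang are not reproduced here.

```python
import re

# Constructed rules mirroring the three inner `if` blocks Bob posted:
# (regex on User-Name, realm assigned with `:=`). As posted, the third
# rule repeats ".first.domain" instead of ".third.domain", which is the
# typo Alan Buxey pointed out. Python raw strings need only a single `\.`.
RULES_AS_POSTED = [
    (r"\.first\.domain$", "first.domain"),
    (r"\.second\.domain$", "second.domain"),
    (r"\.first\.domain$", "third.domain"),   # typo: should be .third.domain
]

# The same rules with the typo corrected (assumed intent).
RULES_FIXED = [
    (r"\.first\.domain$", "first.domain"),
    (r"\.second\.domain$", "second.domain"),
    (r"\.third\.domain$", "third.domain"),
]

# Outer guard from the posted block: only machine accounts ("host/...")
# are routed by these rules; /i in unlang becomes re.IGNORECASE here.
HOST_PREFIX = re.compile(r"^host/", re.IGNORECASE)


def select_realm(user_name, rules):
    """Return the realm control:Proxy-To-Realm ends up with, or None.

    The posted blocks are separate `if`s, not an elsif chain, so every one
    of them is evaluated and each `Proxy-To-Realm := ...` replaces the value
    an earlier block set. When more than one rule matches, the *last*
    matching rule decides where the request is proxied.
    """
    if not HOST_PREFIX.search(user_name):
        return None  # not a host/ login: the outer `if` never fires
    realm = None
    for pattern, target in rules:
        if re.search(pattern, user_name, re.IGNORECASE):
            realm = target  # `:=` overwrites whatever an earlier block set
    return realm


def misrouted_hosts(user_names, rules, intended):
    """List the User-Names whose proxied realm differs from `intended`.

    `intended` maps User-Name -> expected realm (None = must not proxy).
    A quick regression check to run after editing the unlang block.
    """
    return [u for u in user_names if select_realm(u, rules) != intended[u]]


# Constructed sample logins (hypothetical names) and where each should go.
SAMPLE_LOGINS = {
    "host/PC01.first.domain": "first.domain",
    "host/pc02.SECOND.domain": "second.domain",   # /i: case does not matter
    "host/laptop.third.domain": "third.domain",
    "alice.first.domain": None,                   # user login, no host/ prefix
    "host/pc03.first.domain.local": None,         # `$` anchors: no suffix match
}

if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("fixed", RULES_FIXED)):
        bad = misrouted_hosts(SAMPLE_LOGINS, rules, SAMPLE_LOGINS)
        print(f"{label}: misrouted = {bad}")
```

With the rules as posted, every first.domain machine is handed to the third.domain realm and third.domain machines are never proxied at all, which the regression check reports; the corrected rule set reports nothing.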

Re: IP address assignment for the authenticated users in Free

2009-10-20 Thread Ivan Kalik
> Alan Thanks for the quick reply.
> I would like to have one more clarification.
> Can we use IP address as Attribute value pair so that the RADIUS server
> throws IPs dynamically to users after authentication.

Did you actually read the reply?

>   For WiFi authentication, you need a DHCP server.  Sending IP addresses
> to the NAS in a RADIUS packet won't work.
>
>   You can configure FreeRADIUS to be a DHCP server, but that involves
> creating a DHCP configuration, not a RADIUS configuration.

Ivan Kalik
Kalik Informatika ISP



Re: Proxy based on Multiple Realms

2009-10-20 Thread Bob Brandt
Great I'll try the update control..

As for Realms file, I did try using prefix instead of suffix, but in the
case of username.domain.name, it says that the Realm is username and the
Stripped User name is domain.name

Thanks
Bob

On Tue, Oct 20, 2009 at 10:21 AM, Ivan Kalik  wrote:

> > 1. Is there a way to "manually" specify a proxy or Realm in the authorize
> > section?
>
> Yes.
>
> update control {
> Proxy-To-Realm := "some_realm"
> }
>
> > 2. Is there a way to modify the Realms file to find a realm find the
> realm
> > domain.name in from within user.domain.name.  Whenever I try I only get
> > the
> > Realm name not domain.name. (i.e. I want it to pick up from the first .
> > character not the last )
>
> So put prefix not suffix as format. But that will break down if you allow
> dots in usernames, like:
>
> Sam.Body.domain.name
>
> Ivan Kalik
> Kalik Informatika ISP
>



-- 
The problem with socialism is that you eventually run out of other people's
money.  -  Margaret Thatcher

Re: IP address assignment for the authenticated users in Free

2009-10-20 Thread Anoop C
Alan Thanks for the quick reply.
I would like to have one more clarification.
Can we use IP address as an Attribute value pair so that the RADIUS server
throws IPs dynamically to users after authentication?

Regards
Anoop

Anoop C wrote:
> Hi
> We are running EAP-TLS authentication for office users using WiFi
> network. This is a certificate based authentication and we are using Free
> RADIUS.
> I would like to know whether we can assign IP address dynamically to the
> users through FREE RADIUS server ie RADIUS server works as DHCP server.

  For WiFi authentication, you need a DHCP server.  Sending IP addresses
to the NAS in a RADIUS packet won't work.

> So after successful authentication Server should throw an IP address which is
> configured against that particular MAC of the user in the server.

  No.  You need a DHCP server.

  You can configure FreeRADIUS to be a DHCP server, but that involves
creating a DHCP configuration, not a RADIUS configuration.

  Alan DeKok.





Re: Proxy based on Multiple Realms

2009-10-20 Thread Ivan Kalik
> 1. Is there a way to "manually" specify a proxy or Realm in the authorize
> section?

Yes.

update control {
    Proxy-To-Realm := "some_realm"
}

> 2. Is there a way to modify the Realms file to find the realm
> domain.name from within user.domain.name.  Whenever I try I only get the
> Realm name not domain.name. (i.e. I want it to pick up from the first .
> character not the last )

So put prefix not suffix as format. But that will break down if you allow
dots in usernames, like:

Sam.Body.domain.name

Ivan Kalik
Kalik Informatika ISP



Re: Proxy based on Multiple Realms

2009-10-20 Thread Alan Buxey
Hi,
> Okay, perfect that was part of the answer I needed, Thanks!
> 
> I guess I now have two more questions:
> 
> 1. Is there a way to "manually" specify a proxy or Realm in the authorize
> section?
> 
> 2. Is there a way to modify the Realms file to find the realm
> domain.name from within user.domain.name.  Whenever I try I only get the
> Realm name not domain.name. (i.e. I want it to pick up from the first .
> character not the last )

add a small bit of unlang to the default site... eg
(and this is conceptual, not real code!)

if User-Name contains/ends in .domain.name then
update the realm identifier to be domain.name


in reality this would be *something* (ie no guarantees, check debug
etc to work out why it doesn't work etc) like

if ("%{User-Name}" =~ /\.domain\.name$/) {
    update request {
        Realm := 'domain.name'
    }
    update control {
        Proxy-To-Realm := 'domain.name'
    }
}



alan
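As an added illustration (not code from the thread and not FreeRADIUS's own realm module), the Python below mimics the realm module's prefix/suffix split with "." as the delimiter, shows where the prefix format breaks for a dotted username like Sam.Body.domain.name as Ivan warned, and then does the anchored suffix match from Alan's unlang sketch, generalized to a list of known realms. The realm list and sample User-Names are constructed; the returned attribute names mirror the update blocks above.

```python
import re

# Constructed sample realm list, standing in for the realms a site has
# configured (assumption; not taken from the thread).
KNOWN_REALMS = {"domain.name", "other.example"}


def split_realm(user_name, fmt="suffix", delimiter="."):
    """Mimic the realm module's single-delimiter split.

    'suffix' takes the realm after the LAST delimiter, 'prefix' takes it
    before the FIRST one. Returns (realm, stripped_user_name); realm is
    None when the delimiter is absent, so the request would stay local.
    """
    if delimiter not in user_name:
        return None, user_name
    if fmt == "suffix":
        stripped, realm = user_name.rsplit(delimiter, 1)
    elif fmt == "prefix":
        realm, stripped = user_name.split(delimiter, 1)
    else:
        raise ValueError("fmt must be 'prefix' or 'suffix'")
    return realm, stripped


def match_known_realm(user_name, realms=KNOWN_REALMS):
    """Anchored regex match like Alan's unlang check, generalized over a
    realm list. Longer realms are tried first so a more specific realm
    beats a shorter one that it happens to end with."""
    for realm in sorted(realms, key=len, reverse=True):
        m = re.match(r"^(.+)\." + re.escape(realm) + r"$", user_name)
        if m:
            return realm, m.group(1)
    return None, user_name


def control_updates(user_name, realms=KNOWN_REALMS):
    """Attributes the 'update' blocks would set for this User-Name; empty
    when no known realm matches, i.e. the request is not proxied."""
    realm, stripped = match_known_realm(user_name, realms)
    if realm is None:
        return {}
    return {
        "Realm": realm,
        "Proxy-To-Realm": realm,
        "Stripped-User-Name": stripped,
    }
```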


Re: Proxy based on Multiple Realms

2009-10-20 Thread Bob Brandt
Okay, perfect that was part of the answer I needed, Thanks!

I guess I now have two more questions:

1. Is there a way to "manually" specify a proxy or Realm in the authorize
section?

2. Is there a way to modify the Realms file to find the realm
domain.name from within user.domain.name.  Whenever I try I only get the
Realm name not domain.name. (i.e. I want it to pick up from the first .
character not the last )

Thanks
Bob