Re: Device specific Access-Accept attributes and granular user group control

2010-02-05 Thread Alan DeKok
Matt Hite wrote:
> - Different brands of gear should get different VSAs and/or general
> attributes returned in Access-Accept messages. For example, if I log
> in from a Cisco device, I should get a different RADIUS attribute sent
> back than when logging in from a F5 or a NetScreen.

  It's not well known, but the configuration files can be used as a
simple database.  Any well formed text will be accepted, and can be
looked up later.  e.g.:

client foo {
ipaddr = ...
secret = ...
myfield = cisco
..
}

  Then when processing a packet:

if (%{client:myfield} == cisco) {
...
}

  You can define your own data, and put each device into its own
group, simply by adding a field to each client entry.  Then, return
the appropriate attributes for each type of client.

> - Some users can log into certain groups of devices, others should not
> be able to

  Use the same thing, but also using groups for the users.

client foo {
...
class = foo
}

Then in a processing section (authorize, etc.)

if ((Group == limited) && (%{client:class} != foo)) {
reject
}

  If you don't want unix groups, see man rlm_passwd.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
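The scheme Alan describes, written out end to end as an added example (this is not configuration from the thread or from the FreeRADIUS project's shipped files). The client names and addresses, the custom field names `vendor` and `class`, the unix group `limited` and the device classes `core`/`edge` are all constructed for illustration; `Cisco-AVPair` is the standard Cisco VSA, while the F5 and NetScreen branches are left as placeholders because their attribute names come from the vendor dictionaries installed on the server.

```conf
# clients.conf (added example): each NAS carries two custom fields that
# the server reads back later as %{client:vendor} and %{client:class}.
client core-switch-1 {
    ipaddr = 192.0.2.10          # constructed sample address
    secret = REPLACE_WITH_SECRET # placeholder
    vendor = cisco               # custom field: device brand
    class  = core                # custom field: device group
}

client lb-1 {
    ipaddr = 192.0.2.20          # constructed sample address
    secret = REPLACE_WITH_SECRET # placeholder
    vendor = f5
    class  = edge
}

# sites-enabled/default (added example): the unlang that uses those fields.
authorize {
    preprocess
    unix        # loads rlm_unix, which registers the Group comparison used below
    # ... the rest of the stock authorize section (files, eap, pap, ...) ...

    # Users in the (constructed) unix group "limited" may only log in from
    # devices whose client entry has class = edge.  Rejecting here, before
    # any authentication method runs, keeps the policy out of the users file.
    if ((Group == "limited") && ("%{client:class}" != "edge")) {
        reject
    }
}

post-auth {
    # Brand-specific reply attributes are added only after a successful
    # authentication, chosen by the client's vendor field rather than by
    # the user, so a user record never has to know which NAS it came from.
    if ("%{client:vendor}" == "cisco") {
        update reply {
            Cisco-AVPair := "shell:priv-lvl=15"
        }
    }
    elsif ("%{client:vendor}" == "f5") {
        update reply {
            # replace with the role VSA defined in the server's dictionary.f5
            Reply-Message := "F5-VSA-PLACEHOLDER"
        }
    }
    elsif ("%{client:vendor}" == "netscreen") {
        update reply {
            # replace with the privilege VSA defined in dictionary.netscreen
            Reply-Message := "NETSCREEN-VSA-PLACEHOLDER"
        }
    }
    # ... the rest of the stock post-auth section ...
}
```

The check in `authorize` fails closed: a client entry with no `class` field expands to an empty string, which is not `edge`, so a `limited` user is rejected from any NAS whose entry was never classified.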


Add timestamp with milliseconds in Radius Log

2010-02-05 Thread Bello, Emmanuele
Hi list! I need to add a timestamp with milliseconds in the radius log. I've just tried 
radiusd -xX but it's not enough (adding x doesn't resolve the problem).
Thx all
Ema



eap.conf timer_expire

2010-02-05 Thread Bello, Emmanuele
Hi list, which is the unit of measure of this parameter: seconds, milliseconds or 
deciseconds?
Thx all.
E.B.




Re: Add timestamp with milliseconds in Radius Log

2010-02-05 Thread Alan DeKok
Bello, Emmanuele wrote:
> Hi list! I need to add a timestamp with milliseconds in the radius log. I've just 
> tried radiusd -xX but it's not enough (adding x doesn't resolve the problem).

  Edit the source code.

  Alan DeKok.


Re: eap.conf timer_expire

2010-02-05 Thread Alan DeKok
Bello, Emmanuele wrote:
> Hi list, which is the unit of measure of this parameter: seconds, milliseconds 
> or deciseconds?

  Seconds.

  The default value of 60 should hint that it's not milliseconds, at
least.

  Alan DeKok.


ldap Deprecated conditional expansion

2010-02-05 Thread Harry Hoffman

Hi All,

I keep seeing this in the logs:
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang 
for details


I assume it's from this filter:
[ldap] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(!(inetCOS=802.1x_disabled))) -> (&(uid=hh52)(!(inetCOS=802.1x_disabled)))


but I'm not sure what uid=%{Stripped-User-Name:-%{User-Name} should be 
set to instead. Any ideas?


Cheers,
Harry



Re: ldap Deprecated conditional expansion

2010-02-05 Thread Alan Buxey
Hi,

> I keep seeing this in the logs:
> [ldap] WARNING: Deprecated conditional expansion :-.  See man unlang 
> for details
> 
> I assume it's from this filter:
> [ldap] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(!(inetCOS=802.1x_disabled))) -> (&(uid=hh52)(!(inetCOS=802.1x_disabled)))
> 
> but I'm not sure what uid=%{Stripped-User-Name:-%{User-Name} should be 
> set to instead. Any ideas?

check the mailing archives or read the ldap module in the latest 2.1.8
release of FreeRADIUS

filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})


alan


Upgrade from 1.3 to 2.0

2010-02-05 Thread Account for FreeRadius mail list


Hello,

We just upgraded one of our FreeRadius servers from 1.3 to 2.0 (part of a 
Debian upgrade from Etch to Lenny).


Anyway one of the problems I'm having is updating the proxy.conf file.
It states that one should move away from the realm entry to the 
home_server entry. So I have changed this entry in the proxy.conf file:


realm somedomain.net {
    type     = radius
    authhost = wendy.somedomain.net:1645
    accthost = LOCAL
    secret   = ItsSecret
    nostrip
}

to:

home_server somedomain.net {
    type                 = auth
    virtual_server       = wendy.somedomain.net
    port                 = 1645
    secret               = ItsSecret
    response_window      = 7
    zombie_period        = 40
    status_check         = status-server
    check_interval       = 20
    num_answers_to_alive = 3
}

I had tried the ipaddr = command as well. Anyway the authentication 
request to the wendy.somedomain.net server is not getting through using 
this new home_server entry.


What am I doing wrong?

Thanks,

Ken
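Ken's post gets no reply in this thread. As an added example (not from the thread and not the FreeRADIUS project's shipped proxy.conf), here is how a 1.x `realm` block of the shape above maps onto the 2.x layout, which has three parts: a `home_server` (the remote host), a `home_server_pool` that lists it, and a `realm` that points at the pool. The host, port, secret and timer values are taken from Ken's post; the home server and pool names are constructed. One detail matters for the symptom he describes: in a 2.x `home_server`, `virtual_server` names a local virtual server to hand the request to, so it never leaves the box; a remote host goes in `ipaddr`.

```conf
# proxy.conf, FreeRADIUS 2.x layout (added example)

# 1. The remote server.  ipaddr may be a hostname; it is resolved at startup.
home_server wendy {
    type   = auth                   # authentication only
    ipaddr = wendy.somedomain.net   # NOT virtual_server: that would route the
                                    # request to a local server {} block of that name
    port   = 1645
    secret = ItsSecret

    response_window      = 7
    zombie_period        = 40
    status_check         = status-server
    check_interval       = 20
    num_answers_to_alive = 3
}

# 2. A pool that names the home server(s).  A realm can only reference a pool.
home_server_pool somedomain_auth_pool {
    type        = fail-over
    home_server = wendy
}

# 3. The realm.  Only auth_pool is set; with no acct_pool, accounting is
#    handled locally, which is what accthost = LOCAL meant in 1.x.
realm somedomain.net {
    auth_pool = somedomain_auth_pool
    nostrip                         # keep user@somedomain.net intact when proxying
}
```

Running with `-X` shows which path a request took: a proxied request logs `Sending Access-Request ... to <ipaddr> port 1645`, whereas a `virtual_server` home server logs that the request was handed to a local virtual server and no packet appears on the wire.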


problem with freeradius daemon start

2010-02-05 Thread Eddy Ruiz Azcuy
Hi friends, I'm trying to install freeradius in Debian Lenny for using
WPA-Enterprise on a Trendnet AP. I downloaded the latest stable version
(2.1.8) and created the packages with dpkg-buildpackage -b -uc. That created
the following modules:

der 
freeradius-dialupadmin_2.1.8+git_all.deb  
freeradius-postgresql_2.1.8+git_i386.deb  
p12
freeradius_2.1.8+git_i386.changes
freeradius-iodbc_2.1.8+git_i386.deb
freeradius-server-2.1.8
pass
freeradius_2.1.8+git_i386.deb
freeradius-krb5_2.1.8+git_i386.deb
freeradius-utils_2.1.8+git_i386.deb
pem
freeradius-common_2.1.8+git_all.deb
freeradius-ldap_2.1.8+git_i386.deb
libfreeradius2_2.1.8+git_i386.deb
freeradius-dbg_2.1.8+git_i386.deb
freeradius-mysql_2.1.8+git_i386.deb
libfreeradius-dev_2.1.8+git_i386.deb

I installed the .deb files with dpkg -i 

but when I tried to start freeradius with /usr/sbin/freeradius -X to debug
the process I received the following message.

Please, if anyone could shed any light on this, it would be appreciated.
Thanks in advance.



nas1:/usr/src# /usr/sbin/freeradius -X 
FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Feb  5
2010 at 16:17:03
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = freerad
group = freerad
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {