Re: the termination of Lost-Carrier

2010-07-03 Thread Spacelee
but this kind of termination makes him unable to log in... but a day later, he
can log in again... have you met such a situation?

On Sat, Jul 3, 2010 at 6:43 PM, Alan Buxey wrote:

> Hi,
>
> > but what does lost-carrier mean? I can't find it in freeradius's wiki, but
> I saw this status in Daloradius
> > and when will the termination be Lost-Carrier? and the user whose
> termination is Lost-Carrier can't log in the next day, then the day after next,
> he can log in again, I don't know why? can somebody figure this out?
>
> the session went without proper goodbyes etc - e.g. phone line dropped or
> wifi link went.
> those are 2 quick and basic examples.
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Spacelee

AW: mschap/peap question

2010-07-03 Thread Wegener, Norbert
I installed samba 3.4.8 and it produces the same errors as the previous 
version.
Should the only workaround really be downgrading back to samba/winbind 3.0.30,
as suggested in https://bugzilla.samba.org/show_bug.cgi?id=6563 ? 
It is hard to believe that the only way to use peap/mschap in this context 
requires such an old version of samba :-(

Norbert Wegener

...

Hi,
> Using the users file it works. So samba can be blamed even in the current 
> version 3.4.7 :-(

I've had several reports that 3.4.8 works - which isn't even the latest version 
(that's 3.5.4!)

3.4.x is old but I personally have no experience of whether any 3.5.x works

alan


Re: freeradius2 with EAP-TLS and LDAP authorization

2010-07-03 Thread Riccardo Veraldi


For a start it should be enough, but what I am not able to do is to set 
up the correct sequence.
First I need to extract the CN field (which can be done; I already 
did it, and I can set up
a list of allowed CNs in the users file), and after that I need to do an LDAP 
query to check for authorization.

How can I do the following in this exact order?
LDAP authorization is tried first, then comes authentication, or am I wrong?

What I'd need is to extract the CN and check it against LDAP attributes...
How might I do it?

thank you

Riccardo




Alan DeKok wrote:
> Edgar Fuß wrote:
> > I don't understand. rlm_eap's check_cert_cn must be able to extract the CN from 
> > the user certificate in order to check it against User-Name (or whatever).
>
>   Yes...
>
> > Or at least, with check_cert_cn = %{User-Name}, you can substitute User-Name 
> > for an extracted CN for whatever additional lookup you need.
>
>   Yes.
>
> > Or am I getting it wrong?
>
>   No.  But there's no code to extract other fields from the cert.
>
>   Alan DeKok.




Re: how to encrypting accounting?

2010-07-03 Thread Alan DeKok
Fabio Dive wrote:
> I am looking for a way to TLS encrypt accounting messages between
> Freeswitch and remote Freeradius,
> actually I can do only clear text accounting with simple shared key auth.

  Install a VPN.

> Is there a way using configurations files to setup TLS accounting?

  No.

> Do I need to code a bit with freeradius-client library?

  You will need to add a *lot* of code.

  Alan DeKok.


Re: freeradius2 with EAP-TLS and LDAP authorization

2010-07-03 Thread Alan DeKok
Edgar Fuß wrote:
> I don't understand. rlm_eap's check_cert_cn must be able to extract the CN 
> from the user certificate in order to check it against User-Name (or 
> whatever).

  Yes...

> Or at least, with check_cert_cn = %{User-Name}, you can substitute User-Name 
> for an extracted CN for whatever additional lookup you need.

  Yes.

> Or am I getting it wrong?

  No.  But there's no code to extract other fields from the cert.

  Alan DeKok.


Re: freeradius2 with EAP-TLS and LDAP authorization

2010-07-03 Thread Edgar Fuß
RV> but if I wanted to extract the emailAddress or CN field from the
RV> X509 certificate and authorize it against my LDAP tree

AdK> The limitation isn't the users file.
AdK> It's that extracting the fields from the certificate is hard.

I don't understand. rlm_eap's check_cert_cn must be able to extract the CN from 
the user certificate in order to check it against User-Name (or whatever).
Or at least, with check_cert_cn = %{User-Name}, you can substitute User-Name 
for an extracted CN for whatever additional lookup you need.
Or am I getting it wrong?


how to encrypting accounting?

2010-07-03 Thread Fabio Dive


Hello,

yesterday I successfully installed freeswitch 1.0.6 with mod_radius_cdr
accounting on a remote freeradius 2.1.9 server; 
freeswitch uses the freeradius-client 1.1.6 library.

I am looking for a way to TLS-encrypt accounting messages between
Freeswitch and the remote Freeradius;
actually I can only do clear-text accounting with simple shared-key auth.


Is there a way, using configuration files, to set up TLS accounting?
Do I need to code a bit with the freeradius-client library?

I keep trying, for the moment many thanks,

cheers,

Fabio




Re: Freeradius + AD + Cisco authentication

2010-07-03 Thread Alan DeKok
Jevos, Peter wrote:
> Thank you alan,
> yes I can check the man page (to be honest, that was what I was afraid of :), but I 
> was looking for the examples

  Please also edit your replies.  There is no need to leave the original
message at the top of your reply.

> As I wrote in my first email, Cisco is configured and working well with the 
> IAS radius server.
> I was working on freeradius with the Cisco. To be honest, I still cannot 
> understand what the users file and other files should contain.
> One example of how to configure the users file and other files would be enough 

  The "users" file contains documentation and *many* examples.  There's
no need for me to cut & paste those examples on this list.  You already
have them in front of you.

  Alan DeKok.


Re: FreeRadius + AD + Realms

2010-07-03 Thread Alan DeKok
Matthew P wrote:
> I forgot to mention that I need the "user" portion of "u...@mydomain.com" for 
> sql too.
> "u...@mydomain.com" only needs to be sent to the home server (in case the 
> user doesn't have "@mydomain.com" or "@mydomain2.com"). In other words, 
> both AD and DB contain usernames, without any realms.
> I've been reading http://freeradius.org/radiusd/man/unlang.html, and can't 
> seem to figure out how to make the logic - "take everything before @ as a 
> username". So please help.

  See "man regex" for the regex format.

> In a general regexp language, I guess that could be done with 
> ([\w.-]+)(?...@.*).

  Most regexes don't support \w, or (?... constructs.

  Keep it simple:

if (User-Name =~ /^(.*)@(.*)$/) {
# name = %{1}
# realm = %{2}  
}

  Alan DeKok.


Re: FreeRadius + AD + Realms

2010-07-03 Thread Matthew P

Thanks for your help Alan, it really makes a difference when learning about 
Freeradius configuration.

> So... decode the user-name using a regex.  You can then use that in
> the LDAP configuration.  The LDAP user search is configurable for a
> *reason*.
I forgot to mention that I need the "user" portion of "u...@mydomain.com" for 
sql too.
"u...@mydomain.com" only needs to be sent to the home server (in case the user 
doesn't have "@mydomain.com" or "@mydomain2.com"). In other words, both AD 
and DB contain usernames, without any realms.
I've been reading http://freeradius.org/radiusd/man/unlang.html, and can't seem 
to figure out how to make the logic - "take everything before @ as a username". 
So please help.
In a general regexp language, I guess that could be done with 
([\w.-]+)(?...@.*).

> It's an option, but not the only way to do it.
> 
> if (User-Name =~ /@mydomain.com/) {
>    ldap
> }
> elsif (User-Name =~ /@mydomain2.com/) {
>    sql
> }
> else {
>    update control {
>   Proxy-To-Realm := "other"
>    }
> }
Works nicely, thanks for this hint.

Matthew
  
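The pieces from Alan DeKok's two replies above (the `^(.*)@(.*)$` capture and the ldap / sql / Proxy-To-Realm routing) put together into one authorize section, as an added illustration that is not code from the thread. The realm names and the proxy realm "other" are taken from the messages; the module names, the `Stripped-User-Name` handling and the 2.x default-filter remarks in the comments are assumptions.

```unlang
# sites-enabled/default, FreeRADIUS 2.x (constructed example, not from the thread)
authorize {
    preprocess

    # Local realm 1: capture everything before the "@" as the bare username.
    # %{1} is only valid until the next regex match, so copy it out at once.
    if (User-Name =~ /^([^@]+)@mydomain\.com$/) {
        update request {
            Stripped-User-Name := "%{1}"
        }
        # The 2.x ldap default filter already prefers the stripped name:
        #   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap
    }
    # Local realm 2: same split, lookup goes to SQL instead.
    elsif (User-Name =~ /^([^@]+)@mydomain2\.com$/) {
        update request {
            Stripped-User-Name := "%{1}"
        }
        # sql.conf (assumed setting): make SQL use the bare name as well
        #   sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
        sql
    }
    # Any other realm: leave User-Name untouched so the home server receives
    # the full "user@realm"; realm "other" must exist in proxy.conf.
    else {
        update control {
            Proxy-To-Realm := "other"
        }
    }
}
```

Anchoring the regex with `$` and escaping the dot keeps "alice@mydomain.com.evil.example" out of the local branches, which the unanchored `/@mydomain.com/` test in the quoted reply would let through.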


Re: mschap/peap question

2010-07-03 Thread Alan Buxey
Hi,
> Using the users file it works. So samba can be blamed even in the current 
> version 3.4.7 :-(

I've had several reports that 3.4.8 works - which isn't even the latest version 
(that's 3.5.4!)

3.4.x is old but I personally have no experience of whether any 3.5.x works

alan


Re: the termination of Lost-Carrier

2010-07-03 Thread Alan Buxey
Hi,

> but what does lost-carrier mean? I can't find it in freeradius's wiki, but I 
> saw this status in Daloradius
> and when will the termination be Lost-Carrier? and the user whose termination 
> is Lost-Carrier can't log in the next day, then the day after next, he can log in 
> again, I don't know why? can somebody figure this out?

the session went without proper goodbyes etc - e.g. phone line dropped or wifi 
link went.
those are 2 quick and basic examples.

alan


Re: Freeradius + AD + Cisco authentication

2010-07-03 Thread Alan DeKok
Jevos, Peter wrote:
> However I was not able to find in these links anything about the
> --require-membership-of

  See the "man" page for ntlm_auth.  It is just a Unix command that can
be run, like anything else.

> and the Cisco VPN client example
> (also searched these pages, found nothing :)

  That's a Cisco issue, for Cisco documentation.

  Alan DeKok.


RE: Freeradius + AD + Cisco authentication

2010-07-03 Thread Jevos, Peter

Jevos, Peter wrote:
> However I was not able to find in these links anything about the
> --require-membership-of

  See the "man" page for ntlm_auth.  It is just a Unix command that can
be run, like anything else.

> and the Cisco VPN client example
> (also searched these pages, found nothing :)

  That's a Cisco issue, for Cisco documentation.

  Alan DeKok.

Thank you Alan,
yes I can check the man page (to be honest, that was what I was afraid of :), but I was 
looking for the examples

As I wrote in my first email, Cisco is configured and working well with the IAS 
radius server.
I was working on freeradius with the Cisco. To be honest, I still cannot 
understand what the users file and other files should contain.
One example of how to configure the users file and other files would be enough 


RE: Freeradius + AD + Cisco authentication

2010-07-03 Thread Jevos, Peter
Jevos, Peter wrote:
> What should the ntlm_auth file look like? What should the mschap
> module look like?
> What should the --require-membership-of parameter look like in these
> files?
> 
> What should the users file look like?
> These answers I was not able to find in any documentation

  Read the URLs from the previous message.  This *is* documented.  If
you can't find it, read the documentation again.

  Alan DeKok.

Thank you for your answer, Alan

However I was not able to find in these links anything about
--require-membership-of or the Cisco VPN client example
(also searched these pages, found nothing :)

Anyway I will follow your advice and read the documentation on these
links again

Thank you



Re: freeradius2 with EAP-TLS and LDAP authorization ?

2010-07-03 Thread Alan DeKok
Riccardo Veraldi wrote:
> Hello,
> is it possible in some way to use EAP-TLS X509 authentication together
> with  LDAP authorization in freeradius2 ?

  Yes.  You can look the username up in LDAP, and reject the request if
the user doesn't exist.

> Actually freeradius2 allows EAP-TLS authentication, but if I wanted to
> extract the emailAddress or CN field
> from the X509 certificate and authorize it against my LDAP tree
> information to allow or disallow WiFi access,
> is it possible ??

  Not really, no.

> Or is the only way to authorize an EAP-TLS X509 user through the
> freeradius2 users file?

  The limitation isn't the users file.  It's that extracting the fields
from the certificate is hard.

  Patches are welcome.

  Alan DeKok.
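Alan DeKok's answer (look the username up in LDAP and reject the request if it is absent) combined with Edgar Fuß's point that `check_cert_cn = %{User-Name}` binds the certificate CN to that username, as an added FreeRADIUS 2.x configuration that is not from the thread. The certificate file names, the `ldap` module and its default filter are assumptions.

```unlang
# eap.conf (constructed example, FreeRADIUS 2.x)
eap {
    default_eap_type = tls
    tls {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        # Fail the TLS handshake unless the client certificate's CN equals
        # the outer User-Name the supplicant sent.  A valid certificate for
        # "alice" can then not be presented under the identity "bob".
        check_cert_cn = %{User-Name}
    }
}

# sites-enabled/default (constructed example): with the CN pinned to
# User-Name, an LDAP lookup on User-Name is effectively a lookup on the CN.
authorize {
    preprocess
    eap
    # Assumed 2.x default filter: (uid=%{%{Stripped-User-Name}:-%{User-Name}})
    # ldap returns "notfound" when no such entry exists.
    ldap
    if (notfound) {
        reject
    }
}
authenticate {
    eap
}
```

The order matters for the threat model: the LDAP check in authorize runs on the claimed identity, and only the TLS handshake in authenticate proves the client holds a certificate for that same name, so neither step alone authorizes the user.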