RE: What Next??
Thanks for your reply, Fajar. In your example, is the wireless access point the "client" that I've seen referred to in some of the FreeRADIUS documentation? If yes, then I would have these three "clients":

1. Apache web server
2. Open-Xchange server (java-based)
3. Postfix + Dovecot mail server

So, my "clients" should pass a userid/password to FreeRADIUS and receive back an accept or reject from FreeRADIUS?

Thomas

-----Original Message-----
From: freeradius-users-bounces+thomas_reeves=verizon@lists.freeradius.org [mailto:freeradius-users-bounces+thomas_reeves=verizon@lists.freeradius.org] On Behalf Of Fajar A. Nugraha
Sent: Monday, July 05, 2010 1:44 AM
To: FreeRadius users mailing list
Subject: Re: What Next??

On Mon, Jul 5, 2010 at 12:20 PM, Thomas Reeves wrote:
> I have a FreeBSD-based gateway server running pfSense software.
> I want to authenticate and authorize all incoming http(s) requests before
> allowing access to any back-end services.
>
> However, I seem to have missed something fundamental about the FreeRADIUS
> server - what do I do next?? How do I "attach" FreeRADIUS to the inbound
> TCP stream to accept/reject requests??

That question would be better addressed to the pfSense support/discussion list.

RADIUS does not really care what the end usage is; it simply provides Authentication, Authorization, and Accounting (AAA).

Here's a similar example: you can limit which users are allowed to use the wireless network in your office by listing the users and their respective passwords on a RADIUS server. But to get the actual limitation to work, you need to configure your wireless access point to "ask" RADIUS whether a particular user/password combination is allowed.

Does this make sense so far?

--
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: What Next??
On Mon, Jul 5, 2010 at 12:20 PM, Thomas Reeves wrote:
> I have a FreeBSD-based gateway server running pfSense software.
> I want to authenticate and authorize all incoming http(s) requests before
> allowing access to any back-end services.
>
> However, I seem to have missed something fundamental about the FreeRADIUS
> server - what do I do next?? How do I "attach" FreeRADIUS to the inbound
> TCP stream to accept/reject requests??

That question would be better addressed to the pfSense support/discussion list.

RADIUS does not really care what the end usage is; it simply provides Authentication, Authorization, and Accounting (AAA).

Here's a similar example: you can limit which users are allowed to use the wireless network in your office by listing the users and their respective passwords on a RADIUS server. But to get the actual limitation to work, you need to configure your wireless access point to "ask" RADIUS whether a particular user/password combination is allowed.

Does this make sense so far?

--
Fajar
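The exchange Fajar describes, and that Thomas restates in his follow-up (a RADIUS "client" such as an access point or web server passes a user/password pair to the server and gets an Access-Accept or Access-Reject back), as an added example that is not part of the original thread: a minimal RFC 2865 Access-Request builder with PAP password hiding, the server's Response Authenticator, and the client-side check of that authenticator. The shared secret, NAS address and credentials are constructed sample values.

```python
import hashlib
import os
import struct

# RFC 2865 packet codes and attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks; block i is XORed with
    MD5(secret + previous ciphertext block), block 0 with MD5(secret + RequestAuth)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side of the same construction; trailing NULs are padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value):
    # Type (1 byte), Length (1 byte, includes these two), Value
    return struct.pack("!BB", kind, 2 + len(value)) + value

def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """What the NAS (the RADIUS 'client') sends to ask whether a login is allowed."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator must be unpredictable
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def sign_response(code, ident, attrs, request_authenticator, secret):
    """Server reply: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(response, request_authenticator, secret):
    """NAS side: only trust an Accept/Reject whose authenticator verifies against the
    shared secret and the Request Authenticator of the request it answers."""
    head, body = response[:4], response[20:]
    return response[4:20] == hashlib.md5(head + request_authenticator + body + secret).digest()
```

This is the wire-level contract every one of Thomas's three "clients" would have to speak (directly or through a PAM/Apache RADIUS module); pfSense itself only acts as such a client for its own captive portal or VPN logins, not for forwarded TCP streams.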
What Next??
Greetings, All

I have a FreeBSD-based gateway server running pfSense software. This is the only server directly connected to the internet. It distributes (port forwards) all incoming internet requests to about five back-end servers based on static IP address and/or ports.

I have a new FreeRADIUS/MySQL server among the five back-end servers. I just completed installation, configuration and testing of this server.

I want to authenticate and authorize all incoming http(s) requests before allowing access to any back-end services.

However, I seem to have missed something fundamental about the FreeRADIUS server - what do I do next?? How do I "attach" FreeRADIUS to the inbound TCP stream to accept/reject requests?? Where does the accept/reject response go?? The available documentation did not discuss deployment...

Any links or tips would be appreciated.

Cheers,
Rubix Cube
Re: the termination of Lost-Carrier
simultaneous was set to 1

On Mon, Jul 5, 2010 at 1:07 AM, Alan Buxey wrote:
> Hi,
>
> > but this kind of termination makes him unable to login... but a day later,
> > he can login again... have you met such a situation?
>
> what sort of simultaneous use etc are you doing? such nasty
> disconnections may easily leave an open session if you've got some random NAS.
> i haven't met this situation, no.
> but that's probably because we don't do billing in the same way as you.
>
> alan

--
Spacelee
Re: how to encrypting accounting?
Hi,

> yesterday I successfully installed freeswitch 1.0.6 with mod_radius_cdr
> accounting on a remote freeradius 2.1.9 server,
> freeswitch uses the freeradius-client 1.1.6 library.
>
> I am looking for a way to TLS encrypt accounting messages between
> Freeswitch and remote Freeradius,
> actually I can do only clear text accounting with simple shared key auth.
>
> Is there a way using configuration files to set up TLS accounting?
> Do I need to code a bit with the freeradius-client library?
>
> I keep trying, for the moment many thanks,

either run a VPN tunnel between the two hosts...or use RADIUS over TLS (FreeRADIUS doesn't support this just yet, but you can trivially do it with radsecproxy)

alan
Re: the termination of Lost-Carrier
Hi,

> but this kind of termination makes him unable to login... but a day later, he
> can login again... have you met such a situation?

what sort of simultaneous use etc are you doing? such nasty disconnections may easily leave an open session if you've got some random NAS. i haven't met this situation, no. but that's probably because we don't do billing in the same way as you.

alan
Re: FreeRadius + AD + Realms
Matthew P wrote:
> But I guess I missed the point with doing it this way, because:
>
> if (User-Name =~ /@mydomain.com/) {
>     if (User-Name =~ /^(.*)@(.*)$/) {
>         update request {
>             Stripped-User-Name = %{1}

$ man unlang

This says "put the string %{1} as the value of Stripped-User-Name". See the "data types" section of the manual page, and the "strings" section.

Alan DeKok.
Re: FreeRadius + AD + Realms
>> In a general regexp language, I guess that could be done with
>> ([\w.-]+)(?...@.*).
>
> Most regexes don't support \w, or (?... constructs.
>
> Keep it simple:
>
> if (User-Name =~ /^(.*)@(.*)$/) {
>     # name = %{1}
>     # realm = %{2}
> }

Makes sense now :) Thanks. man regex is written mostly descriptively; it's much easier to understand on examples like these than on "weeknights" :D

But I guess I missed the point with doing it this way, because:

if (User-Name =~ /@mydomain.com/) {
    if (User-Name =~ /^(.*)@(.*)$/) {
        update request {
            Stripped-User-Name = %{1}
        }
        ldap
    }
}

doesn't work ^^ It gives:

rlm_ldap - authorize
rlmd_ldap: performing user authorization for %{1}
...

Also, I tried to apply this directly in the ldap module configuration, different outcome, but it also doesn't work.

Where did I go wrong? -_-
Re: AW: mschap/peap question
Wegener, Norbert wrote:
> I installed samba 3.4.8 and it produces the same errors as the previous
> version.
> Should the only workaround really be downgrading back to samba/winbind
> 3.0.30.

Quite possibly.

> as suggested in https://bugzilla.samba.org/show_bug.cgi?id=6563 ?
> It is hard to believe that the only way to use peap/mschap in this context
> requires that old a version of samba :-(

I'm impressed with the amount of work that the Samba people have done. Integrating with MS is *hard*.

Alan DeKok.
Re: freeradius2 with EAP-TLS and LDAP authorization
Riccardo Veraldi wrote:
> First I need to extract the CN field (which can be done and I already
> did

You can't *extract* the CN field. You can *compare* the CN field to another value, as shown in the eap.conf file.

> and I can set up
> a list of allowed CN in the users file), and after I need to do an LDAP
> query to check for authorization.
> How can I do the following in this exact order ?

You edit the config files so that the "ldap" module is run after the "users" file.

> LDAP authorization is tried first then comes authentication or am I wrong ?

Yes.

> What I'd need is to extract the CN and check it against LDAP attributes...
> How might I do it ?

You can't. To do that, you will need to edit the source code to add that feature.

Alan DeKok.