RE: What Next??

2010-07-04 Thread Thomas Reeves
Thanks for your reply, Fajar.  

In your example, is the wireless access point the "client" that I've seen
referred to in some of the FreeRADIUS documentation?  If yes, then I would
have these three "clients":
1. Apache web server
2. Open-Xchange server (java-based)
3. Postfix + Dovecot mail server

So, my "clients" should pass a userid/password to FreeRADIUS and receive
back an accept or reject from FreeRADIUS?

Thomas

-Original Message-
From: freeradius-users-bounces+thomas_reeves=verizon@lists.freeradius.org
[mailto:freeradius-users-bounces+thomas_reeves=verizon@lists.freeradius.org] On Behalf Of Fajar A. Nugraha
Sent: Monday, July 05, 2010 1:44 AM
To: FreeRadius users mailing list
Subject: Re: What Next??

On Mon, Jul 5, 2010 at 12:20 PM, Thomas Reeves
 wrote:
> I have a FreeBSD-based gateway server running pfSense software.

> I want to authenticate and authorize all incoming http(s) requests before
> allowing access to any back-end services.
>
> However, I seem to have missed something fundamental about the FreeRADIUS
> server – what do I do next??  How do I “attach” FreeRADIUS to the inbound
> TCP stream to accept/reject requests??


That question would be better addressed to pfSense support/discussion
list. radius does not really care what the end usage is, it simply
provides Authentication, Authorization, and Accounting (AAA).

Here's a similar example: you can limit which users are allowed to use
wireless network on your office by listing the users and their
respective password on a radius server. But to get the actual
limitation to work, you need to configure your wireless access point
to "ask" radius whether a particular user/password combination is
allowed. Does this make sense so far?

-- 
Fajar

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




Re: What Next??

2010-07-04 Thread Fajar A. Nugraha
On Mon, Jul 5, 2010 at 12:20 PM, Thomas Reeves
 wrote:
> I have a FreeBSD-based gateway server running pfSense software.

> I want to authenticate and authorize all incoming http(s) requests before
> allowing access to any back-end services.
>
> However, I seem to have missed something fundamental about the FreeRADIUS
> server – what do I do next??  How do I “attach” FreeRADIUS to the inbound
> TCP stream to accept/reject requests??


That question would be better addressed to pfSense support/discussion
list. radius does not really care what the end usage is, it simply
provides Authentication, Authorization, and Accounting (AAA).

Here's a similar example: you can limit which users are allowed to use
wireless network on your office by listing the users and their
respective password on a radius server. But to get the actual
limitation to work, you need to configure your wireless access point
to "ask" radius whether a particular user/password combination is
allowed. Does this make sense so far?

-- 
Fajar



What Next??

2010-07-04 Thread Thomas Reeves
Greetings, All

I have a FreeBSD-based gateway server running pfSense software.  This is the
only server directly connected to the internet.  It distributes (port
forwards) all incoming internet requests to about five back-end servers
based on static IP address and/or ports.  

I have a new FreeRADIUS/MySQL server among the five back-end servers.  I
just completed installation, configuration and testing of this server.

I want to authenticate and authorize all incoming http(s) requests before
allowing access to any back-end services.

However, I seem to have missed something fundamental about the FreeRADIUS
server - what do I do next??  How do I "attach" FreeRADIUS to the inbound
TCP stream to accept/reject requests??  Where does the accept/reject
response go??  The available documentation did not discuss deployment...

Any links or tips would be appreciated.

Cheers,

Rubix Cube


Re: the termination of Lost-Carrier

2010-07-04 Thread Spacelee
simultaneous was set to 1

On Mon, Jul 5, 2010 at 1:07 AM, Alan Buxey  wrote:

> Hi,
> > but this kind of termination makes him unable to login... but a day later,
> he can login again... have you met such a situation?
>
> what sort of simultaneous use etc are you doing?  such nasty
> disconnections may
> easily leave an open session if you've got some random NAS.   i haven't met
> this situation, no.
> but that's probably because we don't do billing in the same way as you.
>
> alan



-- 
Spacelee

Re: how to encrypting accounting?

2010-07-04 Thread Alan Buxey
Hi,

> yesterday I successfully installed freeswitch 1.0.6 with mod_radius_cdr
> accounting on a remote freeradius 2.1.9 server, 
> freeswitch use freeradius-client 1.1.6 library.
> 
> I am looking for a way to TLS encrypt accounting messages between
> Freeswitch and remote Freeradius,
> actually I can do only clear text accounting with simple shared key auth.
> 
> 
> Is there a way using configurations files to setup TLS accounting?
> Do I need to code a bit with freeradius-client library?
> 
> I keep trying, for the moment many thanks,

either run a VPN tunnel between the two hosts... or use RADIUS over TLS
(FreeRADIUS doesn't support this just yet, but you can trivially do it
with radsecproxy)

alan
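Fajar's wireless example earlier on this page (the access point has to "ask" RADIUS whether a user/password pair is allowed) and Alan's reply just above (accounting runs in clear text with only a shared key, so use a VPN or RADIUS over TLS) both come down to what a RADIUS client actually puts on the wire. The following is an added example written for this page in Python; it is not code from the list, from FreeSWITCH or from FreeRADIUS. It builds an Access-Request with a PAP-hidden User-Password the way a NAS does, has a toy server verify it and answer Access-Accept or Access-Reject with a Response Authenticator that the NAS then checks, and builds an Accounting-Request to show that the shared secret only authenticates that packet: User-Name and the session attributes remain readable to anyone on the path, which is the gap that a VPN tunnel or radsecproxy closes. The shared secret, the user table and the NAS address are constructed values.

```python
"""Added illustration: a minimal RADIUS (RFC 2865/2866) client/server exchange.
Secret, user database and NAS address are constructed for this example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 2, 4, 40, 44

SECRET = b"constructed-shared-secret"   # constructed; never reuse a sample secret
USERS = {"thomas": "correct horse"}     # constructed stand-in for the users file / MySQL


def encode_attrs(attrs):
    """Serialise [(type, value_bytes)] as RADIUS TLVs (length includes the 2-byte header)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs back into [(type, value_bytes)], rejecting truncated ones."""
    attrs = []
    while data:
        t, l = struct.unpack("!BB", data[:2])
        if l < 2 or l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:l]))
        data = data[l:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16n bytes, XOR each block with MD5(secret + previous block)."""
    pw = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; the chain is keyed on the hidden (ciphertext) blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, ident=0):
    """What the NAS ("client") sends. The Request Authenticator is 16 random bytes."""
    ra = os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), secret, ra)),
                         (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])  # constructed NAS IP
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def server_handle(wire, secret, users):
    """What the RADIUS server does: check framing, unhide the password, answer.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", wire[:4])
    if code != ACCESS_REQUEST or length != len(wire):
        raise ValueError("not a well-formed Access-Request")
    ra, attrs = wire[4:20], dict(decode_attrs(wire[20:]))
    user = attrs[USER_NAME].decode("utf-8", "replace")
    pw = unhide_password(attrs[USER_PASSWORD], secret, ra)
    stored = users.get(user)
    ok = stored is not None and hmac.compare_digest(stored.encode(), pw)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + ra + secret).digest()


def client_check_reply(request, reply, secret):
    """The NAS must verify the Response Authenticator before trusting the verdict.
    Returns True (accept), False (reject) or None (forged / wrong secret / wrong ID)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(reply[4:20], expected):
        return None
    return code == ACCESS_ACCEPT


def authenticate(username, password, secret=SECRET, users=USERS):
    """Full round trip: NAS builds the request, server answers, NAS validates the answer."""
    req = build_access_request(username, password, secret)
    return client_check_reply(req, server_handle(req, secret, users), secret)


def build_accounting_request(username, session_id, secret, ident=0):
    """RFC 2866 3: Request Authenticator = MD5(header + 16 zero bytes + attrs + secret).
    That gives integrity and origin only; every attribute travels in clear text."""
    body = encode_attrs([(ACCT_STATUS_TYPE, struct.pack("!I", 1)),   # 1 = Start
                         (ACCT_SESSION_ID, session_id.encode()),
                         (USER_NAME, username.encode())])
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + b"\x00" * 16 + body + secret).digest() + body


if __name__ == "__main__":
    print("good password  ->", authenticate("thomas", "correct horse"))
    print("wrong password ->", authenticate("thomas", "wrong"))
    acct = build_accounting_request("thomas", "sess-0001", SECRET)
    print("User-Name readable in accounting packet:", b"thomas" in acct)
```

The three pieces map onto the thread: `build_access_request` plus `client_check_reply` is the part Thomas's Apache, Open-Xchange and Postfix/Dovecot hosts would have to do (or have a module do for them) to act as RADIUS clients, `server_handle` is the FreeRADIUS side, and `build_accounting_request` makes Alan's point concrete: `b"thomas" in acct` is true because nothing in the protocol hides attributes, only the password field and only in Access-Requests.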


Re: the termination of Lost-Carrier

2010-07-04 Thread Alan Buxey
Hi,
> but this kind of termination makes him unable to login... but a day later, he 
> can login again... have you met such a situation?

what sort of simultaneous use etc are you doing?  such nasty disconnections 
may 
easily leave an open session if you've got some random NAS.   i haven't met this 
situation, no.
but that's probably because we don't do billing in the same way as you.

alan


Re: FreeRadius + AD + Realms

2010-07-04 Thread Alan DeKok
Matthew P wrote:
> But I guess I missed the point with doing it this way, because:
> 
> if (User-Name =~ /@mydomain.com/) {
> if (User-Name =~ /^(.*)@(.*)$/) {
> update request {
> Stripped-User-Name = %{1}

$ man unlang

  This says "put the string %{1} as the value of Stripped-User-Name".

  See the "data types" section of the manual page, and the "strings"
section.

  Alan DeKok.


Re: FreeRadius + AD + Realms

2010-07-04 Thread Matthew P

>> In a general regexp language, I guess that could be done with 
>> ([\w.-]+)(?...@.*).

> Most regexes don't support \w, or (?... constructs.
>
> Keep it simple:
>
> if (User-Name =~ /^(.*)@(.*)$/) {
>   # name = %{1}
>   # realm = %{2}
> }
Makes sense now :) Thanks.
man regex is written mostly descriptively; it's much easier to understand from 
examples like these than from "weeknights" :D

But I guess I missed the point with doing it this way, because:

if (User-Name =~ /@mydomain.com/) {
    if (User-Name =~ /^(.*)@(.*)$/) {
        update request {
            Stripped-User-Name = %{1}
        }
        ldap
    }
}

doesn't work ^^
It gives:
rlm_ldap - authorize
rlmd_ldap: performing user authorization for %{1}
...

Also, I tried to apply this directly in the ldap module configuration, 
different outcome, but also doesn't work.

Where did I go wrong? -_-


Re: AW: mschap/peap question

2010-07-04 Thread Alan DeKok
Wegener, Norbert wrote:
> I installed samba 3.4.8 and it produces the same errors as the previous 
> version.
> Should the only workaround really be  downgrading back to samba/winbind 
> 3.0.30.

  Quite possibly.

> as suggested in https://bugzilla.samba.org/show_bug.cgi?id=6563 ? 
> It is hard to believe that the only way to use peap/mschap in this context 
> requires that old versions of samba :-(

  I'm impressed with the amount of work that the Samba people have done.
 Integrating with MS is *hard*.

  Alan DeKok.


Re: freeradius2 with EAP-TLS and LDAP authorization

2010-07-04 Thread Alan DeKok
Riccardo Veraldi wrote:
> First I need to extract the CN field (which can be done and I already
> did

  You can't *extract* the CN field.  You can *compare* the CN field to
another value, as shown in the eap.conf file.

> and I can set up
> a list of allowed CN in the users file), and after I need to do an LDAP
> query to check for authorization.
> How can I do the following in this exact order ?

  You edit the config files so that the "ldap" module is run after the
"users" file.

> LDAP authorization is tried first then comes authentication or am I wrong ?

  Yes.

> What I'd need is to extract the CN and check it against LDAP attributes...
> How might I do it ?

  You can't.  To do that, you will need to edit the source code to add
that feature.

  Alan DeKok.