Re: Two or more freeradius server
I got it, it should be written like this, not on two lines. Hope this will help new guys:

    authserver ip1:1812 ip2:1812

On Mon, Sep 20, 2010 at 12:56 PM, Spacelee fjct...@gmail.com wrote:

>     # RADIUS server to use for authentication requests. this config
>     # item can appear more then one time. if multiple servers are
>     # defined they are tried in a round robin fashion if one
>     # server is not answering.
>     # optionally you can specify a the port number on which is remote
>     # RADIUS listens separated by a colon from the hostname. if
>     # no port is specified /etc/services is consulted of the radius
>     # service. if this fails also a compiled in default is used.
>     authserver ip1:1812
>     authserver ip2:1812
>
> I use pptp+ppp+freeradius+mysql, and in radiusclient.conf it sets two
> authserver entries so that it's round robin. But in fact, when I stop ip1,
> ip2 is up, it's ok; and then when I stop ip2, ip1 is up, it's not ok.
> What's the problem, have you met this before?

--
Space Lee

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Use both SQL and SQL-LOG
> Marius Pesé wrote:
>> I'm using MySQL to log accounting data, and also want to save the queries
>> (not the packets) to a text file to use with a different program. Since
>> that is both in sites-enabled/default, they seem to be mutually exclusive.
>
> No. Why would you conclude that?
>
> Alan DeKok.

Hi Alan,

I assumed that to be the case because uncommenting sql_log didn't work and the comment says:

    # Instead of sending the query to the SQL server,
    # write it into a log file.

So essentially uncommenting the line should call modules/sql_log, which should write into the text file, correct? Maybe I'm simply having a permissions issue then...

Thanks for the advice
Marius
Re: How to access proxy-reply:Packet-Type in if condition
Hi Alan,

Sorry, I did not clearly understand your response. Are you saying that it will be possible to write

    if (proxy-reply:Packet-Type == Access-Accept) {
        update proxy-reply {
            attr = value
            ...
        }
    }

in FreeRADIUS version 2.1.10?

Thanks,
Chidanand

On Fri, Sep 17, 2010 at 2:33 PM, Alan DeKok al...@deployingradius.com wrote:

> Chidanand wrote:
>> Alan, can you please throw some light on this issue? I am stuck.
>
> It works in the head of the v2.1.x branch, i.e. what will become 2.1.10.
>
>     post-proxy {
>         update reply {
>             Filter-Id := "%{proxy-reply:Packet-Type}"
>         }
>         ...
>     }
>
> And the client gets:
>
>     Filter-Id = "Access-Accept"
>
> Alan DeKok.

--
Chidanand Gangur
Pune.
dictionary vendor options
Hi!

I'm running

    # rpm -qa | grep radius
    freeradius2-mysql-2.1.7-7.el5
    freeradius2-2.1.7-7.el5
    freeradius2-python-2.1.7-7.el5
    freeradius2-utils-2.1.7-7.el5

and I copied the following into /etc/raddb/dictionary:

    VENDOR          Extreme                         1916

    ATTRIBUTE       Extreme-CLI-Authorization       201     integer Extreme
    ATTRIBUTE       Extreme-Shell-Command           202     string  Extreme
    ATTRIBUTE       Extreme-Netlogin-Vlan           203     string  Extreme
    ATTRIBUTE       Extreme-Netlogin-Url            204     string  Extreme
    ATTRIBUTE       Extreme-Netlogin-Url-Desc       205     string  Extreme
    ATTRIBUTE       Extreme-Netlogin-Only           206     integer Extreme
    ATTRIBUTE       Extreme-User-Location           208     string  Extreme
    ATTRIBUTE       Extreme-Netlogin-Vlan-Tag       209     integer Extreme
    ATTRIBUTE       Extreme-Netlogin-Extended-Vlan  211     string  Extreme
    ATTRIBUTE       Extreme-Security-Profile        212     string  Extreme

    VALUE   Extreme-CLI-Authorization       Disabled        0
    VALUE   Extreme-CLI-Authorization       Enabled         1
    VALUE   Extreme-Netlogin-Only           Disabled        0
    VALUE   Extreme-Netlogin-Only           Enabled         1

which seems ok to me, but freeradius thinks otherwise, as I get:

    including dictionary file /etc/raddb/dictionary
    Errors reading dictionary: dict_init: /etc/raddb/dictionary[37]: unknown option Extreme

Does anyone know the problem with my config? Thx!

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at
Re: dictionary vendor options
PENZ Robert wrote:
>     # rpm -qa | grep radius
>     freeradius2-mysql-2.1.7-7.el5
> ...
> and I copied the following into /etc/raddb/dictionary

Why? What's wrong with the dictionary.extreme file that is included with the server?

After 10 years of doing FreeRADIUS, I *still* don't understand why many people feel the need to destroy the default configuration as soon as they install the server.

>     including dictionary file /etc/raddb/dictionary
>     Errors reading dictionary: dict_init: /etc/raddb/dictionary[37]: unknown option Extreme

It's a bug in 2.1.7. If you used the *default* dictionaries, the VSAs would work, and there wouldn't be a problem.

> Does anyone know the problem with my config? thx!

Stop destroying the default configuration. If you did *less* work, you would have *better* results.

Alan DeKok.
Re: How to access proxy-reply:Packet-Type in if condition
Chidanand Gangur wrote:
> Sorry, I did not clearly understand your response.

I am saying that you can reference the proxy reply Packet-Type. It works.

> Are you saying that it will be possible to write
>
>     if (proxy-reply:Packet-Type == Access-Accept) {
>         update proxy-reply {
>             attr = value
>             ...
>         }
>     }
>
> in FreeRADIUS version 2.1.10?

That's what I meant.

Alan DeKok.
2 Called-Station-Id authorize unlang filtering question
Hi everyone ...

I need to put up a certain scenario for radius. I have 2 Called-Station-Id numbers, 11 and 12. The first number should always be accepted for auth users; the second one should be accessed after the user hits the 10 hour quota on the first number. I was wondering if this configuration is the right way.

    server dialup {
        authorize {
            preprocess
            expiration
            logintime

            if (Called-Station-Id == 11) {
                sql_dialup
                pap
            }
            elsif (Called-Station-Id == 12 && "%{sql_dialup: SELECT SUM(acctsessiontime) FROM radacct_dialup \
                    WHERE YEAR(acctstarttime) = YEAR(CURDATE()) AND MONTH(acctstarttime) = MONTH(CURDATE()) \
                    AND username = '%{SQL-User-Name}' HAVING SUM(acctsessiontime) < 36000}") {
                sql_dialup
                pap
                update control {
                    Auth-Type := Reject
                }
                update reply {
                    Reply-Message := "10 hour quota still not reached"
                }
            }
            elsif (Called-Station-Id == 12 && "%{sql_dialup: SELECT SUM(acctsessiontime) FROM radacct_dialup \
                    WHERE YEAR(acctstarttime) = YEAR(CURDATE()) AND MONTH(acctstarttime) = MONTH(CURDATE()) \
                    AND username = '%{SQL-User-Name}' HAVING SUM(acctsessiontime) >= 36000}") {
                sql_dialup
                pap
                update control {
                    Auth-Type := Accept
                }
                update reply {
                    Reply-Message := "10 hour quota reached, access accepted"
                }
            }
            else {
                reject
            }
        }

        ...

        post-auth {
            exec
            Post-Auth-Type REJECT {
                attr_filter.access_reject
                update reply {
                    Reply-Message := "Access denied"
                }
            }
        }
    }
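As an added example (not from the post above, and Python rather than unlang): the same monthly quota decision run against an in-memory SQLite copy of the radacct_dialup table with constructed rows. It mirrors the thread's MySQL query (strftime() stands in for YEAR()/MONTH()) and, unlike the posted HAVING form, yields 0 rather than no row when the user has no sessions this month, so a caller on number 12 with no usage is rejected instead of the condition tripping on an empty xlat result.

```python
import sqlite3
from datetime import date

QUOTA_SECONDS = 36000          # the 10 hour quota from the thread
TODAY = date(2010, 9, 20)      # constructed reference date for the sample rows

# Constructed sample of the radacct_dialup table: (username, acctstarttime, acctsessiontime)
SAMPLE_RADACCT = [
    ("alice", "2010-09-01 10:00:00", 20000),
    ("alice", "2010-09-15 10:00:00", 20000),   # alice: 40000 s this month, over quota
    ("bob",   "2010-09-02 08:00:00", 3600),    # bob: 3600 s this month, under quota
    ("bob",   "2010-08-20 08:00:00", 50000),   # last month: must not be counted
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL radacct_dialup table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct_dialup ("
        "username TEXT, acctstarttime TEXT, acctsessiontime INTEGER)"
    )
    conn.executemany("INSERT INTO radacct_dialup VALUES (?, ?, ?)", SAMPLE_RADACCT)
    return conn


def month_usage(conn: sqlite3.Connection, username: str, today: date) -> int:
    """Seconds used by `username` in the calendar month of `today`.

    Same aggregate as the thread's query, with strftime() in place of
    YEAR()/MONTH().  COALESCE turns "no sessions" into 0 instead of no row,
    which a HAVING-based xlat would hand back as an empty string.
    """
    row = conn.execute(
        "SELECT COALESCE(SUM(acctsessiontime), 0) FROM radacct_dialup "
        "WHERE strftime('%Y-%m', acctstarttime) = ? AND username = ?",
        (today.strftime("%Y-%m"), username),
    ).fetchone()
    return int(row[0])


def authorize(conn: sqlite3.Connection, username: str,
              called_station_id: str, today: date):
    """Decision for the two-number scheme: number 11 is always allowed,
    number 12 only once the monthly quota has been consumed.
    Returns (Auth-Type, Reply-Message), the two values the unlang sets."""
    if called_station_id == "11":
        return "Accept", "primary number"
    if called_station_id == "12":
        if month_usage(conn, username, today) >= QUOTA_SECONDS:
            return "Accept", "10 hour quota reached, access accepted"
        return "Reject", "10 hour quota still not reached"
    # Any other number falls into the posted else { reject } branch.
    return "Reject", "Access denied"


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol"):
        for number in ("11", "12"):
            print(user, number, authorize(db, user, number, TODAY))
```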
RE: dictionary vendor options
Hi!

Ah, I did not know about the default Extreme config. I just went along with the official Howto from Extreme Networks, and it stated that I need to put the lines into the dictionary... Thx for the info ;-)

Kind regards
Robert Penz

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, 20 September 2010 11:40
To: FreeRadius users mailing list
Subject: Re: dictionary vendor options
convert mac addresses to lower case
Hi!

I'm running

    # rpm -qa | grep radius
    freeradius2-mysql-2.1.7-7.el5
    freeradius2-2.1.7-7.el5
    freeradius2-python-2.1.7-7.el5
    freeradius2-utils-2.1.7-7.el5

and I've different switch types. Some send the MAC address in lower case, the others in upper case. For switches which send it in lower case it works (as the MACs are stored lower case in the DB). How can I convert them all to lower case in the clear text password attribute? The attr_rewrite module looks good, but the only way I see is to have 6 rewrite rules, each replacing one letter, which seems inefficient.

The matching in the SQL database works case insensitive and returns a row, but the pap check logs the following:

    rlm_sql (sql): Released sql socket id: 1
    +++[sql] returns ok
    ++- policy redundant returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    +- entering group PAP {...}
    [pap] login attempt with password 0025B3A013AA
    [pap] Using clear text password 0025b3a013aa
    [pap] Passwords don't match
    ++[pap] returns reject
    Failed to authenticate the user.

I tried to remove pap, but then I get the following:

    +++[sql] returns ok
    ++- policy redundant returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    WARNING: Please update your configuration, and remove 'Auth-Type = Local'
    WARNING: Use the PAP or CHAP modules instead.
    User-Password in the request does NOT match known good password.
    Failed to authenticate the user.

Hope someone can help me. Thx!

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at
Re: convert mac addresses to lower case
I believe there is a lower() function you can use in the SQL statement.

-----Original Message-----
From: PENZ Robert robert.p...@tirol.gv.at
Sender: freeradius-users-bounces+ironrake=yahoo@lists.freeradius.org
Date: Mon, 20 Sep 2010 14:11:14
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: convert mac addresses to lower case
RE: convert mac addresses to lower case
Hi!

But that's not the problem. The MAC address matches in the SQL statement, but I also need to return the MAC address to the radius. In this reply the MAC address is lower case, and now the radius checks that against the upper case version it gets from the switch. I cannot always return the MAC in upper case, as it would not work with the switches which send the MAC in lower case. I hope this makes sense.

Kind regards
Robert Penz

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of ironr...@yahoo.com
Sent: Monday, 20 September 2010 15:26
To: FreeRadius users mailing list
Subject: Re: convert mac addresses to lower case

> I believe there is a lower() function you can use in the SQL statement.
Re: convert mac addresses to lower case
PENZ Robert robert.p...@tirol.gv.at wrote:
> and I've different switch types. Some send the MAC address in lower case,
> the others in upper case. For switches which send it in lower case it works
> (as the MACs are stored lower case in the DB). How can I convert them all
> to lower case in the clear text password attribute? The attr_rewrite module
> looks good, but the only way I see is to have 6 rewrite rules, each
> replacing one letter, which seems inefficient.
>
> The matching in the SQL database works case insensitive and returns a row,
> but the pap check logs the following:

Do the mac-auth via unlang and not PAP.

    policy {
        ...
        mac_auth {
            if (Realm == NULL && !(EAP-Message) && NAS-Port-Type == Ethernet && \
                    Service-Type == Call-Check && \
                    User-Name == "%{User-Password}" && \
                    User-Name =~ /^[0-9a-f]{12}$/i && \
                    Calling-Station-Id =~ /^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$/i && \
                    User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i) {
                ok
            }
            else {
                noop
            }
        }
        ...
    }

    authorize {
        ...
        mac_auth
        if (ok) {
            update control {
                Auth-Type := Accept
            }
            # 'handled' does not work here
            ok = return
        }
        ...
    }

You might need to tweak the policy{} rule to meet your local needs; the above is what I use for our Cisco switches.

You could tweak the above so that 'mac_auth' sets 'Cleartext-Password = %{User-Password}', but I personally cannot see the reason to bother when you can just skip authenticate{} completely.

If you really do need to lowercase something, the only way to do it really is to use 'exec' and call 'tr A-F a-f'. Nasty, but it works.

Cheers

--
Alexander Clouter
.sigmonster says: Don't guess -- check your security regulations.
Re: Use both SQL and SQL-LOG
Marius Pesé wrote:
> Hi Alan,
>
> I assumed that to be the case because uncommenting sql_log didn't work and
> the comment says:
>
>     # Instead of sending the query to the SQL server,
>     # write it into a log file.
>
> So essentially uncommenting the line should call modules/sql_log, which
> should write into the text file, correct? Maybe I'm simply having a
> permissions issue then...

Probably.

Alan DeKok.
Re: convert mac addresses to lower case
On 2010/09/20 04:01 PM, PENZ Robert wrote:
> Hi!
>
> But that's not the problem. The MAC address matches in the SQL statement,
> but I also need to return the MAC address to the radius. In this reply the
> MAC address is lower case, and now the radius checks that against the upper
> case version it gets from the switch. I cannot always return the MAC in
> upper case, as it would not work with the switches which send the MAC in
> lower case. I hope this makes sense.

Search this list. The question was asked about 2 months ago. It was answered.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: convert mac addresses to lower case
On 20.09.10 15:51, Alexander Clouter wrote:
> Do the mac-auth via unlang and not PAP.
> ...
> If you really do need to lowercase something, the only way to do it really
> is to use 'exec' and call 'tr A-F a-f'. Nasty, but it works.

If you're using SQL, then I would simply modify the SQL query to INSERT everything in lower case only PLUS to SELECT everything in lower case only. You can simply modify those queries afaik. I just figured that out as well and it made my life WAY easier. But I used it for my mail server configuration, and it works perfectly, no matter whether it's PostgreSQL (which I'm using) or MySQL; even others such as Oracle, etc. offer those functions.
Re: convert mac addresses to lower case
ironr...@yahoo.com wrote:
> I believe there is a lower() function you can use in the SQL statement.

That sort of talk belongs over on the DWTF :)

Cheers

--
Alexander Clouter
.sigmonster says: Biz is better.
Re: which samba version / patch for Active Directory 2008
Hello,

Well, things have taken a turn for the worse. At the weekend we upgraded the last AD domain controller to 2008 R2 (still in AD 2003 mode), and the radius servers instantly stopped working with named pipe disconnected, and now ntlm --username and wbinfo -a no longer work.

I have a samba 3.4 install which 'works' from the ntlm --username and wbinfo -a point of view, but which, I strongly suspect, returns incorrect NT_KEYs. (The reason I suspect this is that the previous servers always returned the same value, and that value matches the output of the python script attached to https://bugzilla.samba.org/show_bug.cgi?id=6563.)

I've spent the best part of the day banging my head on the wall, so I thought I'd ask a thing.

Would the KEY changing every few minutes be expected? (Under samba 3.0/AD 2003 it remained the same.) By key I mean the output of

    /usr/local/samba/bin/ntlm_auth --request-nt-key --username=bob --challenge=deadshortbeef --nt-response=deadlongerbeef

If no one has seen things like this I'll move over to the samba lists; I'm getting the feeling this issue belongs there.

Thanks all,
Neil
RE: which samba version / patch for Active Directory 2008
Have you tried disjoining and rejoining the domain after the upgrade? It sounds crazy, but I have seen similar problems fixed this way.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Neil Prockter
Sent: Monday, September 20, 2010 11:29 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: which samba version / patch for Active Directory 2008
Re: still not working (newbie for radius)
Thanks.

The clients, in my case, are those Juniper devices. The configuration is fairly straightforward:

    radius-server {
        192.168.255.128 secret testing123;
    }
    class operator-local {
        permissions view-configuration;
    }
    user remote {
        uid 3000;
        class operator-local;
    }

For users, I have only this:

    bob Cleartext-Password := "bob"

By default, the user bob in the radius server will be mapped to the Juniper local user remote. Yes, the server is working, but not the configurations of the server. I checked the dictionary file and I have the required line for juniper-specific in it:

    $INCLUDE /usr/local/share/freeradius/dictionary.juniper

Also I bought the book on radius and read some of it. Like those docs online, the book doesn't seem to be very accurate; I guess it has been there since 2002 and it hasn't changed over the years. Obviously the book/online docs don't get updated that much...

I removed this line, nastype = juniper, in clients.conf and now there are no more duplicate messages. As to the NAS-Identifier and NAS-IP-Address, I don't know why they show up together.

--- On Sun, 9/19/10, Michael Lecuyer m...@iterpacis.org wrote:

> From: Michael Lecuyer m...@iterpacis.org
> Subject: Re: still not working (newbie for radius)
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Date: Sunday, September 19, 2010, 9:53 PM
>
> I'm merely speculating that your SSH client is rejecting the response where
> the User-Name Juniper-Local-User-Name for 'bob' but accepts the name
> 'labrat' and response name 'labrat'.
>
>> well, i don't have user labrat configured in file users on the radius
>> server.
>
> KISS: Set up the server to test the Juniper-Local-User-Name responses. You
> might consider testing just that side of things 'til you figure out the
> pattern. This part is not a RADIUS problem.
>
> BTW the Access-Request packet should use either the NAS-Identifier OR the
> NAS-IP-Address but not both. Something is likely to mysteriously break
> later. Choose one.
>
>> also you are right, for some reasons, every login attempt will have two
>> more duplicated messages besides the first one. why is that?
>
> The RADIUS server is working properly. Your client is not. Your RADIUS
> client sends an identical packet for each different attempt to log in.
> This is just plain wrong and the server is replying with a copy of the
> original response. Either the client is broken or SSH is misusing the
> client.
>
> On 2010-09-19 11:19 PM, gahn wrote:
>> thanks.
>>
>> well, i don't have user labrat configured in file users on the radius
>> server. the labrat is in the local user password database on the juniper
>> box. for the radius support on juniper routers, it must map a remote user
>> (in the database of the radius server) to a specific local user. in my
>> case, i map the radius username bob to the juniper local username labrat.
>>
>> if i understand correctly what you were saying, this attribute of
>> Juniper-Local-User-Name is not working?
>>
>> also you are right, for some reasons, every login attempt will have two
>> more duplicated messages besides the first one. why is that?
>>
>> I am really new on this. thanks for the help...
>>
>> --- On Sun, 9/19/10, Michael Lecuyer m...@iterpacis.org wrote:
>>
>>> From: Michael Lecuyer m...@iterpacis.org
>>> Subject: Re: still not working (newbie for radius)
>>> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
>>> Date: Sunday, September 19, 2010, 7:26 PM
>>>
>>> By the looks of it you have two problems.
>>>
>>> The User-Password name 'bob' isn't matched by the response
>>> Juniper-Local-User-Name 'labrat'. Perhaps ssh cares.
>>>
>>> Your broken client sends the identical packet for the new authentication
>>> attempt when it must send a brand new packet (different id, socket or
>>> port). That's why the server drops subsequent login attempts from ssh -
>>> they're duplicate requests which the server has already answered.
>>>
>>> In your second attempt your User-Name is 'labrat' and the
>>> Juniper-Local-User-Name 'labrat' is being returned in the response,
>>> probably convincing SSH you are who you claim to be.
>>>
>>> On 2010-09-19 9:35 PM, gahn wrote:
>>>> thanks tim:
>>>>
>>>> yes, it is better but not yet working correctly:
>>>>
>>>>     g...@giraffe:~:$ ssh b...@192.168.255.138
>>>>     b...@192.168.255.138's password:
>>>>     Permission denied, please try again.
>>>>     b...@192.168.255.138's password:
>>>>     Permission denied, please try again.
>>>>     b...@192.168.255.138's password:
>>>>     Permission denied (publickey,password,keyboard-interactive).
>>>>
>>>> but trying local username labrat is working fine:
>>>>
>>>>     g...@giraffe:~:$ ssh lab...@192.168.255.138
>>>>     lab...@192.168.255.138's password:
>>>>     --- JUNOS 8.5R4.3 built 2008-08-12 23:16:55 UTC
>>>>     lab...@lab-r8
>>>>
>>>> what is interesting here is that now i can see Access-Accept in the
>>>> debugging messages of radiusd -X:
>>>>
>>>>     rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57
>>>>         User-Name = bob
>>>>         User-Password = bob
Newbie
New download of FreeRADIUS 2.1.9. Compiled and accepted all defaults. This is right out of the box, and the first self test is failing. Can anyone provide some helpful hints?

Followed directions:

Edit the users file, and add the following line of text at the top, before anything else:

    testing Cleartext-Password := "password"

Start the server in debugging mode (radiusd -X), and run radtest from another terminal window:

    $ radtest testing password 127.0.0.1 0 testing123

Server rejects with the following debug:

    rad_recv: Access-Request packet from host 127.0.0.1 port 60552, id=144, length=59
        User-Name = testing
        User-Password = password
        NAS-IP-Address = x.x.x.x
        NAS-Port = 0
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = testing, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> testing
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 144 to 127.0.0.1 port 60552
    Waking up in 4.9 seconds.
Re: convert mac addresses to lower case
On 09/20/2010 03:44 PM, Leander S. wrote:
> If you're using SQL, then I would simply modify the SQL query to INSERT
> everything in lower case only PLUS to SELECT everything in lower case only.
> You can simply modify those queries afaik. I just figured that out as

That is not what is being asked. The OP has two types of switches; one is sending:

    User-Name = aabbccddeeff
    User-Password = aabbccddeeff

The other is sending:

    User-Name = AABBCCDDEEFF
    User-Password = AABBCCDDEEFF

Sprinkling your SQL statements with lower() function calls doesn't fix this.

Alex's advice is correct; simply write an unlang policy to do:

    authorize {
        ...check mac address then
        update control {
            Auth-Type := Accept
        }
    }

Actually *running* the PAP module against a macauth request is pointless.
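The check Alexander's mac_auth policy performs, and the mixed-case problem Robert hit, as an added Python example (not FreeRADIUS code and not from either poster): the request attributes are constructed dicts, KNOWN_MACS stands in for the SQL table of lower-case MACs, and the MAC is canonicalised once before the consistency check and the lookup, so upper-case and lower-case switches are handled alike and PAP never needs to compare the two spellings. It generalises the posted policy slightly by accepting colon- and dot-separated Calling-Station-Id formats as well as the dashed one.

```python
import re
from typing import Dict, Optional, Tuple

# Canonical form used for the database lookup: 12 lower-case hex digits, no separators.
_MAC_SEPARATORS = re.compile(r"[:\-.]")
_CANONICAL = re.compile(r"^[0-9a-f]{12}$")

# Constructed stand-in for the SQL table of permitted MACs; stored lower case,
# as in Robert's database.
KNOWN_MACS = {"0025b3a013aa", "aabbccddeeff"}

# Constructed requests: one switch type sends upper case, the other lower case.
UPPER_SWITCH_REQUEST = {
    "User-Name": "0025B3A013AA",
    "User-Password": "0025B3A013AA",
    "Calling-Station-Id": "00-25-B3-A0-13-AA",
    "NAS-Port-Type": "Ethernet",
    "Service-Type": "Call-Check",
}
LOWER_SWITCH_REQUEST = {
    "User-Name": "aabbccddeeff",
    "User-Password": "aabbccddeeff",
    "Calling-Station-Id": "aa:bb:cc:dd:ee:ff",
    "NAS-Port-Type": "Ethernet",
    "Service-Type": "Call-Check",
}
# An 802.1X request must fall through to the normal EAP flow, not be accepted here.
EAP_REQUEST = {
    "User-Name": "alice",
    "EAP-Message": "<constructed>",
    "NAS-Port-Type": "Ethernet",
    "Service-Type": "Framed-User",
}


def canonical_mac(value: str) -> Optional[str]:
    """Normalise AA-BB-CC-DD-EE-FF, aa:bb:..., aabb.ccdd.eeff or AABBCCDDEEFF
    to 12 lower-case hex digits; None if the value is not a MAC address."""
    stripped = _MAC_SEPARATORS.sub("", value.strip()).lower()
    return stripped if _CANONICAL.match(stripped) else None


def looks_like_mac_auth(req: Dict[str, str]) -> bool:
    """The gating conditions of the posted policy: no realm, no EAP, a wired
    port, Service-Type Call-Check, and User-Name equal to User-Password."""
    if "Realm" in req or "EAP-Message" in req:
        return False
    if req.get("NAS-Port-Type") != "Ethernet" or req.get("Service-Type") != "Call-Check":
        return False
    name = req.get("User-Name")
    return name is not None and name == req.get("User-Password")


def mac_auth(req: Dict[str, str]) -> Tuple[str, str]:
    """Return (decision, reason): "Accept" (the unlang sets Auth-Type := Accept),
    "Reject", or "noop" when this is not a MAC-auth request at all."""
    if not looks_like_mac_auth(req):
        return "noop", "not a MAC-auth request; continue the normal authorize flow"
    user = canonical_mac(req["User-Name"])
    calling = canonical_mac(req.get("Calling-Station-Id", ""))
    if user is None or calling is None:
        return "Reject", "User-Name or Calling-Station-Id is not a MAC address"
    # Same consistency check as the posted regex with back-references %{1}..%{6}.
    if user != calling:
        return "Reject", "User-Name does not match Calling-Station-Id"
    # Lookup happens on the canonical form, so the switch's case no longer matters.
    if user not in KNOWN_MACS:
        return "Reject", "MAC address not in database"
    return "Accept", "known MAC; Auth-Type := Accept, PAP is skipped"


if __name__ == "__main__":
    for label, req in (("upper", UPPER_SWITCH_REQUEST),
                       ("lower", LOWER_SWITCH_REQUEST),
                       ("eap", EAP_REQUEST)):
        print(label, mac_auth(req))
```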
Re: Newbie
On 09/20/2010 08:45 PM, Schwartz, Curtis H. (GSFC-443.0)[SGT, INC] wrote:
> Edit the users file, and add the following line of text at the top, before anything else:
>
> testing Cleartext-Password := password

You say this, but then:

> ++[files] returns noop

Are you sure you edited the right file?
Re: which samba version / patch for Active Directory 2008
On 09/20/2010 05:29 PM, Neil Prockter wrote:
> Would the KEY changing every few minutes be expected? (under samba3.0/ad2003 it remained the same)
>
> By key I mean the output of
> /usr/local/samba/bin/ntlm_auth --request-nt-key --username=bob --challenge=deadshortbeef --nt-response=deadlongerbeef

No. For a given challenge, username and password the response is the same every time.
How do I have one Freeradius server hosting multiple ldap instances and associate each SSID with particular LDAP instance to authenticate
Hi Freeradius user group,

I am relatively new to using Freeradius. Thanks for all your help and patience in advance:

I would like to have one Freeradius server hosting multiple ldap instances and associate each SSID with a particular LDAP ou to authenticate. For example:

1) Marketing SSID associated with LDAP1 marketing_ldap instance pointing to i.e. OU=Marketing,o=US to authenticate using EAP-PEAP MSCHAPv2
2) Accounting SSID associated with LDAP2 accounting_ldap instance pointing to i.e. OU=Accouting,o=US to authenticate using EAP-PEAP MSCHAPv2

Ultimately, I would also need to do the following:

3) Secure SSID associated with multiple LDAPs. If the user is not found in the 1st LDAP, it would look in the 2nd LDAP followed by the 3rd LDAP.

How do I do items 1 and 2 (priority) above? Doing item #3 above is down the road. Please help. I greatly appreciate your advice. Thank you. I've been searching google for a couple of days and I'm stuck.

I already have the following configured on my FreeRADIUS Version 2.1.1 on SLES 11 SP1:

1) /etc/raddb/modules/ldap with ldap marketing_ldap and accounting_ldap
2) /etc/raddb/sites-available/default and /etc/raddb/sites-available/inner-tunnel: enable LDAP1 and LDAP2 in the Authorize, Authenticate and Post-Auth sections
3) /etc/raddb/eap.conf configured to use PEAP
4) /etc/raddb/modules/mschap mschap settings
5) /etc/raddb/clients.conf settings to Cisco WLAN AP

Thank you,
doreen
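An added example of how the three SSID-to-directory mappings asked for above can be expressed in FreeRADIUS 2.x unlang; it is not from the thread or from the FreeRADIUS project. It assumes the marketing_ldap and accounting_ldap instances already defined in modules/ldap, a third assumed instance named backup_ldap for item 3, and that the WLAN controller sends Called-Station-Id as "<AP-MAC>:<SSID>", a common convention that must be confirmed against your own radiusd -X output. Because the inner PEAP request carries no Called-Station-Id of its own, the SSID is read from the outer request with the outer.request xlat:

```unlang
# Added example: authorize section of sites-available/inner-tunnel, where
# the EAP-MSCHAPv2 inner request for PEAP is processed.  The ldap instance
# chosen here fetches the NT-Password that mschap needs in authenticate.
authorize {
    chap
    mschap
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    files

    # Assumed Called-Station-Id format: "<AP-MAC>:<SSID>".  Check this in
    # the radiusd -X output for your own controller before relying on it.
    if ("%{outer.request:Called-Station-Id}" =~ /:Marketing$/) {
        # item 1: Marketing SSID -> marketing_ldap (OU=Marketing,o=US)
        marketing_ldap
    }
    elsif ("%{outer.request:Called-Station-Id}" =~ /:Accounting$/) {
        # item 2: Accounting SSID -> accounting_ldap
        accounting_ldap
    }
    elsif ("%{outer.request:Called-Station-Id}" =~ /:Secure$/) {
        # item 3: try each directory in turn; rlm_ldap returns "notfound"
        # when the user is absent, so only then move to the next one.
        # Nesting keeps each check tied to the module call just before it.
        marketing_ldap
        if (notfound) {
            accounting_ldap
            if (notfound) {
                backup_ldap    # assumed third instance
            }
        }
    }
    else {
        # An SSID with no mapping must not fall through to any directory.
        reject
    }

    expiration
    logintime
    pap
}
```

The outer (sites-available/default) virtual server keeps its usual eap handling and does not need to call any ldap instance at all for PEAP, since the user is only identified inside the tunnel; listing the instances in the inner-tunnel authorize section is what gives mschap the password attribute it needs.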
Re: Newbie
Hi,

> Start the server in debugging mode (radiusd -X), and run radtest from another terminal window:
>
> $ radtest testing password 127.0.0.1 0 testing123
>
> Server rejects with the following debug:

You've removed all the output apart from the bit YOU were interested in. Can you confirm, from the radiusd -X output that you didn't post to this list, that the daemon is reading the same users file that you edited? Can you also confirm that you started the daemon AFTER you had edited that file?

alan
David Suarez De Lis/UN24956/OPERACION Y MANTENIMIENTO /TSM is out of the office.
I will be out of the office from 20/09/2010 and will not be back until 26/09/2010. I will reply to your message when I return. If you have an emergency, you can contact accesos_...@telefonica (900 111 245, option 3, 2) or Jose Manuel Gomez Perez (jmgo...@telefonica.es)

___
This message is intended exclusively for its addressee and may contain information that is CONFIDENTIAL and protected by a professional privilege or whose disclosure is prohibited by law. If you are not the intended recipient you are hereby notified that any read, dissemination, copy or disclosure of this communication is strictly prohibited by law. If this message has been received in error, please immediately notify us via e-mail and delete it. Internet e-mail neither guarantees the confidentiality nor the integrity or proper receipt of the messages sent. Telefónica does not assume any liability for those circumstances.
___