Re: users match list criteria and vendor identification
Thanks for the reply Phil, that looks exactly like what I was after.

Cheers
Cam.

--
On Thu, Sep 23, 2010 at 20:36, Phil Mayers wrote:
> On 23/09/10 08:23, Cameron Wood wrote:
>
>> In the clients.conf file is it possible to make custom variables and
>> then test for those/match them in the users file?
>
> Yes; this came up on the list recently:
>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius + EAP_TLS + Cisco AP
Hi,

I configured a freeradius server with EAP_TLS to authenticate clients that connect to a Cisco AP. When I run freeradius -X I get a lot of activity output but the client is still trying to authenticate. I post the last lines from the server's output.

I see the port of the Access-Request is 1645 but I did configure 1812 in both server and Cisco AP.

Does the line "[tls] eaptls_process returned 13" mean something is wrong? What should be the correct output when successful authentication occurs?

Thanks

rad_recv: Access-Request packet from host 192.168.X.X port 1645, id=51, length=143
        User-Name = "etalaveran"
        Framed-MTU = 1400
        Called-Station-Id = "aca0.16ba.89f2"
        Calling-Station-Id = "0021.63ca.fdbe"
        Service-Type = Login-User
        Message-Authenticator = 0x32824bc17cf2b4b4920577cc57e00177
        EAP-Message = 0x020700060d00
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 285
        NAS-Port-Id = "285"
        State = 0x732b0744702c0abef63c2dd8a2b9de35
        NAS-IP-Address = 192.168.1.82
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "etalaveran", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry etalaveran at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 51 to 192.168.X.X port 1645
        EAP-Message = 0x0108000a0d80
        Message-Authenticator = 0x
        State = 0x732b074477230abef63c2dd8a2b9de35
Finished request 19.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 15 ID 47 with timestamp +117
Cleaning up request 16 ID 48 with timestamp +117
Cleaning up request 17 ID 49 with timestamp +117
Cleaning up request 18 ID 50 with timestamp +117
Cleaning up request 19 ID 51 with timestamp +117
Ready to process requests.

--
Esteban Talavera
Re: Pushing group attribute from OpenDirectory to Cisco
In the "users" file is where you specify the reply attributes in my example. So using your example:

DEFAULT Huntgroup-Name == CiscoVPN, Ldap-Group == "cn=CiscoVPN,ou=Roles,ou=Radius,DC=ACME,DC=COM"
        Service-Type = "NAS-Prompt-User",
        Idle-Timeout = 600,
        Cisco-AVPair = "webvpn:user-vpn-group=whatevervpngroupyouwanttoaddtheuserto"

Then you can either use the huntgroup file and set the IP addresses of the Routers (NAS's) you're using:

http://wiki.freeradius.org/Huntgroups

Or you can have the Huntgroups in ldap as per my e-mail, and that would be if you have a more dynamic environment or want to move the NAS between different huntgroups easily.

On Fri, Sep 24, 2010 at 2:03 AM, Sander van Loosbroek < san...@vanloosbroek.com> wrote:
> Hello Peter and Alan,
>
> Thank you for your reply. I've given the documentation of Peter a look but
> I'm not that familiar with LDAP or how its underpinnings work in OS X
> Server.
>
> When the Cisco router now authenticates against the FreeRADIUS server all
> works fine except for the fact that the group name is not returned with the
> webvpn:vpn-user-group attribute. What is unclear to me is how I instruct
> FreeRADIUS to include that attribute when it returns the authorization
> message. I have made the following addition to my clients file:
>
> client 192.168.13.1/32 {
>         secret = xxx
>         shortname = vpn
>         nastype = cisco
> }
>
> I have added a policy to the Cisco router to pick up the attribute but it
> doesn't seem to get through. Can you suggest what to try next?
>
> Thanks,
> Sander
Re: Acct-Interim-Interval not being sent to NAS with Accept-Accept
Charles Hooper wrote:
> I am trying to work out why an Acct-Interim-Interval is not being sent
> to NAS with the Accept-Accept.

  You need to configure the server to send it back.

> I don't receive back any accounting
> messages from my WRT54GL with DD-WRT v24 on it.

  It might not even support accounting packets. See the DD-WRT documentation for details.

> I have seen other posts
> where this comes out with the Accept-Accept and I presume it is needed
> by the NAS to know if to send Acct records back.

  No.

  Alan DeKok.
Re: Configuring LDAP lookups for EAP and inner-tunnel
Jeffrey Collyer wrote:
> setup information that I failed to explain properly the first time :
> freeradius 2.1.7 is used to
> authenticate wireless users with eap-tls

  Well... that would have been nice to say.

> I started with a default configuration and added ldap to it in the
> sites-enabled/default file's authorize section. And it worked
> authenticating the client, but with many (about a dozen) ldap lookups.

  Because there are about a dozen EAP packet exchanges.

> Then I realized that the 'tls' section of the modules/eap.conf file
> doesn't have a virtual_server directive, but even after putting that in
> the 'tls' section, it still doesn't run an ldap query when I try to
> authenticate.

  Because the "virtual_server" directive doesn't belong in the "tls" section.

> So my assumption is that the eap module doesn't use the inner tunnel for
> tls.

  Yes. The solution is to move the LDAP checks to the "post-auth" stage.

  Alan DeKok.
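Alan's suggestion written out as an added example (mine, not configuration from the thread or from the FreeRADIUS project) for a 2.1.x server: the directory check leaves authorize, which runs for every EAP-TLS round trip, and goes into post-auth, which runs once per session. Assumed: the ldap module is instantiated, the directory keeps a boolean wirelessAccess attribute under ou=People,dc=example,dc=org, and the EAP-TLS module has added TLS-Client-Cert-Common-Name from the verified client certificate (check the freeradius -X output for that attribute on your release).

```unlang
# radiusd.conf: instantiating the module makes the %{ldap:...} expansion
# available without calling "ldap" from authorize.
instantiate {
        ldap
}

# sites-available/default
authorize {
        preprocess
        suffix
        eap {
                ok = return
        }
        # No "ldap" here: this section runs for each of the ~12 EAP-TLS
        # packets of one handshake, which is where the dozen lookups came from.
        files
        expiration
        logintime
}

post-auth {
        # Runs once, after the TLS handshake has succeeded.
        if (TLS-Client-Cert-Common-Name) {
                # rlm_ldap applies its own LDAP escaping to the expanded CN
                # before it is placed in the filter, so a crafted certificate
                # subject cannot rewrite the search (assumed 2.x behaviour).
                if ("%{ldap:ldap:///ou=People,dc=example,dc=org?wirelessAccess?sub?(cn=%{TLS-Client-Cert-Common-Name})}" != "TRUE") {
                        # A valid certificate alone is not an authorisation to
                        # join the WLAN; this turns the Accept into a Reject.
                        reject
                }
        }
        else {
                # Only EAP-TLS is deployed on this server, so a session without
                # a client certificate CN has no business being accepted.
                reject
        }

        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
```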
Re: Configuring LDAP lookups for EAP and inner-tunnel
On 9/17/10 11:09 AM, Alan DeKok wrote:
> Jeffrey Collyer wrote:
>> Could someone give me a pointer/hint as to how to configure eap/ldap to
>> cut down on the number of ldap queries. Any help greatly appreciated.
>
> The default configuration does *not* do LDAP lookups. So... use the
> default config, and then enable LDAP lookups in the "inner-tunnel".

setup information that I failed to explain properly the first time:

freeradius 2.1.7 is used to authenticate wireless users with eap-tls with the users authorization to connect being the cn of the certificates they have on their client. That cn is checked against ldap for an attribute 'wirelessAccess'. (and I know that the certs outer identity can be set to anything, but for this test its valid on the connecting machine.)

I started with a default configuration and added ldap to it in the sites-enabled/default file's authorize section. And it worked authenticating the client, but with many (about a dozen) ldap lookups.

I then moved the ldap line over to the sites-enabled/inner-tunnel file and removed it from default. The configuration would run, but would not validate against ldap.

Then I realized that the 'tls' section of the modules/eap.conf file doesn't have a virtual_server directive, but even after putting that in the 'tls' section, it still doesn't run an ldap query when I try to authenticate.

So my assumption is that the eap module doesn't use the inner tunnel for tls. If this is not the case, then I can certainly provide the debug output from 'freeradius -X', but I don't want to waste the bits if my assumption is true.

Thanks
Jeff
Re: How do I have one Freeradius server hosting multiple ldap instances and associate each SSID with particular LDAP instance to authenticate
Thank you.

On Thu, Sep 23, 2010 at 8:32 AM, Phil Mayers wrote:
> On 23/09/10 16:21, Ziggy Bopster wrote:
>
>> Hi Phil,
>>
>> Let me look into the docs and see if I can get something setup..
>>
>> If I had one SSID and wanted multiple LDAP servers & search bases behind
>> it, should I use Option#1.. (i.e. User selects SSID Secure.. If user is
>> not found in LDAP search base #1, look for user in LDAP search base #2,
>> if not found in LDAP search base #3, look for it in #4 and etc..
>
> Yes. See doc/configurable_failover
Re: How do I have one Freeradius server hosting multiple ldap instances and associate each SSID with particular LDAP instance to authenticate
On 23/09/10 16:21, Ziggy Bopster wrote:
> Hi Phil,
>
> Let me look into the docs and see if I can get something setup..
>
> If I had one SSID and wanted multiple LDAP servers & search bases behind
> it, should I use Option#1.. (i.e. User selects SSID Secure.. If user is
> not found in LDAP search base #1, look for user in LDAP search base #2,
> if not found in LDAP search base #3, look for it in #4 and etc..

Yes. See doc/configurable_failover
Re: How do I have one Freeradius server hosting multiple ldap instances and associate each SSID with particular LDAP instance to authenticate
Hi Phil,

Let me look into the docs and see if I can get something setup..

If I had one SSID and wanted multiple LDAP servers & search bases behind it, should I use Option#1.. (i.e. User selects SSID Secure.. If user is not found in LDAP search base #1, look for user in LDAP search base #2, if not found in LDAP search base #3, look for it in #4 and etc..

Doreen

On Thu, Sep 23, 2010 at 7:47 AM, Phil Mayers wrote:
> On 23/09/10 15:08, Ziggy Bopster wrote:
>
>> Hi Phil,
>>
>> Thank you so much for responding with your recommendations.. The Ldap
>> config varies only by Server IP, Base DN and password.. If I use option
>
> If the bind DN passwords are different, you probably can't use this option.
> You'll probably need >1 ldap module.
>
>> #2, how does Free Radius know which OU to plug in when authorizing
>> users? Does that mean users have to enter their fully qualified login
>> name ?
>
> Have you read docs/rlm_ldap?
>
>> Maybe Option #1 is good if I check for Calling Station ID in the "if"
>> statement in the authorize section?
>
> Yes, I think that's your best option.
>
>> Thank you for your patience again with my questions.. I wasn't sure what
>> to call what I am trying to do, so couldn't find exact documentation on
>> it.. Do you have a link where I can find out more info on how to do
>> this? THANK YOU SOOO MUCH.
>
> FreeRadius basically passes each request through a series of modules. You
> can control the flow through these modules in various ways.
>
> See "man unlang" for the basic documentation.
Re: MAC Auth first, then User?
Rob Yamry wrote:
>
> We are experiencing an issue where certain policies need to push down to
> laptops before the user enters their credentials to authenticate to the
> wireless network. We only have Radius/802.1x enabled on the wireless right
> now. Is it possible to authenticate the device based on MAC address so the
> initial connection is there (so the laptop is "online") and then have the
> user authenticate via the Novell Client (with 802.1x) to login to the
> desktop?
>
No, not unless your wireless controller supports it. On the wired side, you can usually get something better:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287.pdf

To be frank, in your situation I would *not* recommend it. Workstation and User authentication are two separate things; although you might use the user credentials to 'bootstrap' (to vouch for the MAC address in use for that session) the host authentication.

This has nothing to do with FreeRADIUS also...

Cheers

--
Alexander Clouter
.sigmonster says: Chicken Little was right.
Re: Question about sending VLAN attributes to Access Points
Aiko Barz wrote:
>
> Now I am able to ask various Active Directory servers by using
> Net::LDAPS. This enables me to put the following parameters into
> relation:
> - DOMAIN
> - username
> - SSID
>
> And it makes me more flexible when I have to deal with complex Active
> Directory forest structures. The script returns something like
>> Tunnel-Type = 13,
>> Tunnel-Medium-Type = 6,
>> Tunnel-Private-Group-ID = 1234
> or nothing at all.
>
You could do that, or do like the rest of us do and use rlm_ldap with some unlang...

Cheers

--
Alexander Clouter
.sigmonster says: You will probably marry after a very brief courtship.
Re: How do I have one Freeradius server hosting multiple ldap instances and associate each SSID with particular LDAP instance to authenticate
On 23/09/10 15:08, Ziggy Bopster wrote:
> Hi Phil,
>
> Thank you so much for responding with your recommendations.. The Ldap
> config varies only by Server IP, Base DN and password.. If I use option

If the bind DN passwords are different, you probably can't use this option. You'll probably need >1 ldap module.

> #2, how does Free Radius know which OU to plug in when authorizing
> users? Does that mean users have to enter their fully qualified login
> name ?

Have you read docs/rlm_ldap?

> Maybe Option #1 is good if I check for Calling Station ID in the "if"
> statement in the authorize section?

Yes, I think that's your best option.

> Thank you for your patience again with my questions.. I wasn't sure what
> to call what I am trying to do, so couldn't find exact documentation on
> it.. Do you have a link where I can find out more info on how to do
> this? THANK YOU SOOO MUCH.

FreeRadius basically passes each request through a series of modules. You can control the flow through these modules in various ways.

See "man unlang" for the basic documentation.
Re: How do I have one Freeradius server hosting multiple ldap instances and associate each SSID with particular LDAP instance to authenticate
Hi Phil,

Thank you so much for responding with your recommendations.. The Ldap config varies only by Server IP, Base DN and password.. If I use option #2, how does Free Radius know which OU to plug in when authorizing users? Does that mean users have to enter their fully qualified login name ?

Maybe Option #1 is good if I check for Calling Station ID in the "if" statement in the authorize section?

Thank you for your patience again with my questions.. I wasn't sure what to call what I am trying to do, so couldn't find exact documentation on it.. Do you have a link where I can find out more info on how to do this? THANK YOU SOOO MUCH.

Doreen

On Wed, Sep 22, 2010 at 3:50 PM, Phil Mayers wrote:
> On 09/22/2010 09:58 PM, Ziggy Bopster wrote:
>
>> Hello All.
>>
>> Please help.. Any suggestions on where I should start? Thank you very
>> much for your help!!
>
> You have two options:
>
> First, create >1 instance of the ldap module. Use conditional statements in
> the authorize section to do your ldap queries. For example:
>
> modules/my_ldap:
>
> ldap staff_ldap {
>         ... ldap config
> }
>
> ldap other_ldap {
>         ... ldap config
> }
>
> sites-available/...
>
> authorize {
>         ...
>         if (...) {
>                 staff_ldap
>         }
>         elsif (...) {
>                 other_ldap
>         }
>         ...
> }
>
> The other option - if only a small amount of config varies, the ldap module
> expands some of its config. For example:
>
> modules/ldap:
>
> ldap {
>         basedn = "ou=%{Tmp-String-0},ou=MyOrg,c=US"
>         ...
> }
>
> sites-available/...
>
> authorize {
>         if (...) {
>                 update request {
>                         Tmp-String-0 = "Staff"
>                 }
>         }
>         elsif (...) {
>                 update request {
>                         Tmp-String-0 = "..."
>                 }
>         }
> }
>
> ...when the LDAP module is executed the basedn will be expanded dynamically
> and search based on what you've configured.
>
> Most of this is documented. Have you read the docs?
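Filling in the placeholders from Phil's first sketch, and covering the follow-up question about walking several search bases, as an added example rather than configuration posted in the thread: two ldap instances chosen by SSID, with a fall-through to the second search base only when the user is not found in the first (the doc/configurable_failover behaviour, done here with an rcode check). Hostnames, DNs, SSID names and bind secrets are assumed; note that the SSID, when the AP sends it at all, is the suffix of Called-Station-Id, while Calling-Station-Id carries the client's MAC.

```unlang
# modules/my_ldap: one instance per directory.  Separate instances are needed
# here because the bind DN passwords differ, which the basedn expansion in
# Phil's second option cannot express.
ldap staff_ldap {
        server = "ldap1.example.org"                    # assumed hostname
        identity = "cn=radius,ou=Services,dc=example,dc=org"
        password = "staff-bind-secret"                  # placeholder
        basedn = "ou=Staff,dc=example,dc=org"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        tls {
                start_tls = yes                         # keep the bind password off the wire
                require_cert = "demand"
        }
}

ldap student_ldap {
        server = "ldap2.example.org"                    # assumed hostname
        identity = "cn=radius,ou=Services,dc=example,dc=org"
        password = "student-bind-secret"                # placeholder
        basedn = "ou=Students,dc=example,dc=org"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        tls {
                start_tls = yes
                require_cert = "demand"
        }
}

# sites-available/default, authorize section.  Called-Station-Id from the AP
# is assumed to look like "aa-bb-cc-dd-ee-ff:Secure" (check with freeradius -X;
# the Cisco AP earlier in this digest sends only the MAC).
authorize {
        preprocess
        suffix
        eap {
                ok = return
        }

        if (Called-Station-Id =~ /:Secure$/) {
                staff_ldap
                if (notfound) {
                        # Option #1 from the thread: the next search base is
                        # consulted only when the first has no entry at all,
                        # so an existing staff entry is never shadowed.
                        student_ldap
                }
        }
        elsif (Called-Station-Id =~ /:Students$/) {
                student_ldap
        }
        else {
                # An SSID nobody configured must not fall through to the
                # wrong directory; make the mismatch visible as a Reject.
                reject
        }

        expiration
        logintime
        pap
}
```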
Re: Pushing group attribute from OpenDirectory to Cisco
Hello Peter and Alan,

Thank you for your reply. I've given the documentation of Peter a look but I'm not that familiar with LDAP or how its underpinnings work in OS X Server.

When the Cisco router now authenticates against the FreeRADIUS server all works fine except for the fact that the group name is not returned with the webvpn:vpn-user-group attribute. What is unclear to me is how I instruct FreeRADIUS to include that attribute when it returns the authorization message. I have made the following addition to my clients file:

client 192.168.13.1/32 {
        secret = xxx
        shortname = vpn
        nastype = cisco
}

I have added a policy to the Cisco router to pick up the attribute but it doesn't seem to get through. Can you suggest what to try next?

Thanks,
Sander
Re: Question about sending VLAN attributes to Access Points
On Tue, Sep 21, 2010 at 12:41:08PM +0100, Alan Buxey wrote:
> Hi,
>
>> is it possible to send attributes based on the used SSID?
>
> yes. as that can be gained from RADIUS attributes sent to the
> RADIUS server . where you do them, and how you do them - ie unlang,
> users, SQL huntgroups etc etc is down to you

What I needed:

DEFAULT Auth-Type = ntlm_auth
        Exec-Program-Wait = "/usr/local/sbin/radius-vlan-attribute.pl %{User-Name} %{Called-Station-Id}"

Now I am able to ask various Active Directory servers by using Net::LDAPS. This enables me to put the following parameters into relation:
- DOMAIN
- username
- SSID

And it makes me more flexible when I have to deal with complex Active Directory forest structures. The script returns something like
> Tunnel-Type = 13,
> Tunnel-Medium-Type = 6,
> Tunnel-Private-Group-ID = 1234
or nothing at all.

So long,
Aiko

--
:wq ✉
Re: Last call for 2.1.10
John Dennis wrote:
> I just noticed the redhat/freeradius.spec file wasn't fully updated in
> 2.1.0. It was missing the dynamic_clients and opendirectory modules in
> the %files section. Also the release tag was left at 2 instead of being
> reset to 1. Attached is a patch, in addition to the above it adds the
> changelog information.

  Added, thanks.

  Alan DeKok.
MAC Auth first, then User?
We are experiencing an issue where certain policies need to push down to laptops before the user enters their credentials to authenticate to the wireless network. We only have Radius/802.1x enabled on the wireless right now. Is it possible to authenticate the device based on MAC address so the initial connection is there (so the laptop is "online") and then have the user authenticate via the Novell Client (with 802.1x) to login to the desktop?
Re: Last call for 2.1.10
I just noticed the redhat/freeradius.spec file wasn't fully updated in 2.1.0. It was missing the dynamic_clients and opendirectory modules in the %files section. Also the release tag was left at 2 instead of being reset to 1. Attached is a patch, in addition to the above it adds the changelog information. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ --- freeradius-server-2.1.10/redhat/freeradius.spec 2010-09-22 05:50:14.0 -0400 +++ freeradius.spec 2010-09-22 13:11:44.0 -0400 @@ -1,7 +1,7 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius Version: 2.1.10 -Release: 2%{?dist} +Release: 1%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.freeradius.org/ @@ -325,6 +325,7 @@ %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail.example.com %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail.log %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/digest +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/dynamic_clients %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/echo %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/etc_group %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/exec @@ -339,6 +340,7 @@ %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/mac2vlan %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/mschap %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/ntlm_auth +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/opendirectory %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/otp %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/pam %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/pap 
@@ -557,6 +559,226 @@ %{_libdir}/freeradius/rlm_sql_unixodbc-%{version}.so %changelog +* Wed Sep 22 2010 John Dennis - 2.1.10-1 +- upgrade to latest upstream release + Feature improvements + * Install the "radcrypt" program. + * Enable radclient to send requests containing MS-CHAPv1 +Send packets with: MS-CHAP-Password = "password". It will +be automatically converted to the correct MS-CHAP attributes. + * Added "-t" command-line option to radtest. You can use "-t pap", + "-t chap", "-t mschap", or "-t eap-md5". The default is "-t pap" + * Make the "inner-tunnel" virtual server listen on 127.0.0.1:18120 +This change and the previous one makes PEAP testing much easier. + * Added more documentation and examples for the "passwd" module. + * Added dictionaries for RFC 5607 and RFC 5904. + * Added note in proxy.conf that we recommend setting +"require_message_authenticator = yes" for all home servers. + * Added example of second "files" configuration, with documentation. +This shows how and where to use two instances of a module. + * Updated radsniff to have it write pcap files, too. See '-w'. + * Print out large WARNING message if we send an Access-Challenge +for EAP, and receive no follow-up messages from the client. + * Added Cached-Session-Policy for EAP session resumption. See +raddb/eap.conf. + * Added support for TLS-Cert-* attributes. For details, see +raddb/sites-available/default, "post-auth" section. + * Added sample raddb/modules/{opendirectory,dynamic_clients} + * Updated Cisco and Huawei, HP, Redback, and ERX dictionaries. + * Added RFCs 5607, 5904, and 5997. + * For EAP-TLS, client certificates can now be validated using an +external command. See eap.conf, "validate" subsection of "tls". + * Made rlm_pap aware of {nthash} prefix, for compatibility with +legacy RADIUS systems. + * Add Module-Failure-Message for mschap module (ntlm_auth) + * made rlm_sql_sqlite database configurable. Use "filename" +in sql{} section. + * Added %{tolower: ...string ... 
}, which returns the lowercase +version of the string. + + Bug fixes + * Fix endless loop when there are multiple sub-options for +DHCP option 82. + * More debug output when sending / receiving DHCP packets. + * EAP-MSCHAPv2 should return the MPPE keys when used outside +of a TLS tunnel. This is needed for IKE. + * Added SSL "no ticket" option to prevent SSL from creating sessions +without IDs. We need the IDs, so this option should be set. + * Fix proxying of packets from inside a TTLS/PEAP tunnel. +Closes bug #25. + * Allow IPv6 address attributes to be created from domain names +Closes bug #82. + * Set the string length to the correct value when parsing double +quotes. Closes bug #88. + * No longer look users up in /etc/passwd in the default configuration. +This can be reverted by enabling "unix" in the "authorize" section. + * More #ifdef's to enable building on systems without certain +features. + * Fixed SQL-Group comparison to register only if the group +query is defined. + * Fixed SQL-Group comparison to reg
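Review bot: the new %files entry for /etc/raddb/modules/dynamic_clients (and the matching opendirectory entry in the following hunk) only packages correctly if the 2.1.10 install step actually copies those sample files into raddb/modules; an entry for a file that is not in the buildroot fails rpmbuild at packaging time, so confirm both files are present in the installed tree before merging.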
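Review bot: the %changelog hunk lists the RFC 5607/5904 dictionaries twice ("Added dictionaries for RFC 5607 and RFC 5904" and, later, "Added RFCs 5607, 5904, and 5997"); if this text is pasted from the upstream ChangeLog, keeping only the second, more complete line avoids the duplication. The hunk header announces 226 added lines but the archive cuts the entry off at "Fixed SQL-Group comparison to reg", so the rest of it cannot be reviewed here.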
Re: Problem with expand result of exec-program
Juan Rodríguez wrote:
> Thank you Alan.
> I get this error now:
> expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} -> 1
> ERROR: Failed parsing value "1 " for attribute mi-resultado-script:
> Unknown value 1 for attribute mi-resultado-script

  See scripts/exec-program-wait

  This is documented.

  Alan DeKok.
Re: Session Resumption fails
Panagiotis Georgopoulos wrote:
>
> Hmm, yes I think I do. So the server keeps the reply of an authentication
> and therefore if a client has authenticated successfully before, there
> should be a valid entry of his identity in the cache so that Phase 2 of TTLS
> in my case would be skipped.
>
FreeRADIUS asks the OpenSSL library to store some 'opaque' data so that if a session can be resumed, then OpenSSL will make this data available to FreeRADIUS which will convert it back into RADIUS attributes (for the inner 'reply' message).

When FreeRADIUS grumbles there is nothing in the cache session, it usually means "inner auth succeeded but you have no idea who the user is"; as typically all you want OpenSSL to return (from the *opaque* string of bytes) to FreeRADIUS is the 'User-Name'. Remember your inner User-Name does not match your outer one (which should be '@example.com'); if you do VLAN assignment based on inner username (rather than MAC address) then you need this data.

> Residing in the cache, seems reasonable since it is a feature of SSL/TLS.
> What I don't get is that since this is a standard EAP-TTLS authentication,
> shouldn't resumption be working out of the box?
>
Well for it to work you really need to ask OpenSSL to store something like the User-Name otherwise you will find for the first (non-resumption) authentication things work, but for the second one authentication succeeds but the *authorisation* fails as your unlang/users policy has no idea what VLAN to assign as you need to know the inner User-Name attribute.

> In my tests though I get "Info: [ttls] WARNING: No information in cached
> session!".
>
As if you read what I said, you are *not* telling the inner virtual server to return in the reply packet the inner username.

>> I also recommend that you also do:
>>
>> update outer.request {
>>         User-Name := "%{request:User-Name}"
>> }
>>
>> This means that when the authentication fails (as a quirk of the inner
>> session, post-auth{} and the whole reply packet is not available when an
>> inner request Reject's) you have access to the username that was used.
>
> Oh.. wait a minute, unless you mean that there is no way for the inner
> session, post-auth{} to know the contents of the server's reply in a
> previous authentication, which seems like a design flaw.
>
*sigh*

Think about what is going on and that RADIUS is a *stateless* system. If you want state, put that state into a persistent database.

> Would adding the outer.request part that you suggested add an entry in the
> cache for a successful auth of the inner session?
>
Reading what I wrote would probably help more. Just do as I suggested in my previous email and look at the output of 'freeradius -X'.

Cheers

--
Alexander Clouter
.sigmonster says: Alex Haley was adopted!
Hello "one radius server and multiple database and multiple dialupadmin"
Hello all

one radius ==> freeradius-1.1.7
one mysql server
create db ==> db1, db2, db3, db4 .

I want multiple dialupadmin

dialupadmin1 use ==> db1
dialupadmin2 use ==> db2
dialupadmin3 use ==> db3
dialupadmin4 use ==> db4
..
..

Would it be possible?

Please Help me
RE: Problem with expand result of exec-program
Thank you Alan.

I get this error now:

expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} -> 1
ERROR: Failed parsing value "1 " for attribute mi-resultado-script: Unknown value 1 for attribute mi-resultado-script

We can see a space after value 1. I've written in my script the line echo 1 only to be sure, but this space appears again.

Could you help me with this?

Thanks again.

> Date: Thu, 23 Sep 2010 13:19:54 +0200
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Problem with expand result of exec-program
>
> Juan Rodríguez wrote:
> > Hi everybody!!
> > Executing /aplicaciones/radius/bin/radius_ath.sh
> > Exec-Program output:
>
> The program printed nothing.
>
> > Exec-Program: returned: 1
> > result 1
> > expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} ->
> >
> > The result of the program is "1" but the value of the expression is not
> > expanded, and the attribute "mi-resultado-script" has always zero value.
> >
> > Could you help me with this?
>
> Fix your program so that it prints something to the output.
>
> Alan DeKok.
Re: [PATCH] Use RADIUSD_VERSION instead of RCS Id keyword for radclient version
Bjørn Mork wrote:
> RCS keywords don't make sense with git, so use the RADIUSD_VERSION
> macro instead, like the server and radmin already do.

  Added, thanks.

  Alan DeKok.
Re: Problem with expand result of exec-program
Juan Rodríguez wrote:
> Hi everybody!!
> Executing /aplicaciones/radius/bin/radius_ath.sh
> Exec-Program output:

  The program printed nothing.

> Exec-Program: returned: 1
> result 1
> expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} ->
>
> The result of the program is "1" but the value of the expression is not
> expanded, and the attribute "mi-resultado-script" has always zero value.
>
> Could you help me with this?

  Fix your program so that it prints something to the output.

  Alan DeKok.
Re: Last call for 2.1.10
On Thu, 2010-09-23 at 12:05 +0200, Alan DeKok wrote:
> John Horne wrote:
> > So, I guess the question is why is freeradius reloading the post-proxy
> > filter a second time after the HUP?
>
> The question is why do you have two configurations for the same module?
>
> The only bug here is that the server should complain if you have two
> instances of the same module defined. That would prevent the server
> from starting in this case, and highlight the fact that the
> configuration is wrong.
>
Ah, okay our mistake. Sorry about that. As far as I remember we created the module with the same name and it seemed to work. Obviously 'seemed to work' is not the same as 'works in all cases', and not necessarily the right way to do things. We will rename our local module.

Thanks,

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287
Fax: +44 (0)1752 587001
Re: users match list criteria and vendor identification
On 23/09/10 08:23, Cameron Wood wrote:
> In the clients.conf file is it possible to make custom variables and
> then test for those/match them in the users file?

Yes; this came up on the list recently:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html
Re: Last call for 2.1.10
John Horne wrote:
> We also have the file /etc/raddb/modules-local/attr_filter which
> contains:

Have you *deleted* the default configuration for the attr_filter.post-proxy module? If not, you have *two* copies of the module configuration. That's why it's having issues. It picks one the first time, and a different one the second time.

> attr_filter attr_filter.post-proxy {
>     attrsfile = ${confdir}/attrs.post-proxy
> }
>
> So when freeradius starts up it reads this file, and uses the defined
> module in preference to the one in the
> file /etc/raddb/modules/attr_filter.

OK... so why do you still have the default one in the configuration? Delete it, or rename your module, and update the server configuration to use the new name.

> So, I guess the question is why is freeradius reloading the post-proxy
> filter a second time after the HUP?

The question is why do you have two configurations for the same module?

The only bug here is that the server should complain if you have two instances of the same module defined. That would prevent the server from starting in this case, and highlight the fact that the configuration is wrong.

Alan DeKok.
Problem with expand result of exec-program
Hi everybody!!

I've got a strange problem expanding the result of the execution of a program. This is my config data:

-- dictionary ---
ATTRIBUTE mi-resultado-script 3003 integer

-- exec --
exec {
    wait = yes
    shell_escape = yes
    output = yes
}

--- sites-available/default --
mi-resultado-script = "%{exec:/aplicaciones/radius/bin/radius_ath.sh}"

But during the execution:

Executing /aplicaciones/radius/bin/radius_ath.sh
Exec-Program output:
Exec-Program: returned: 1
result 1
expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} ->

The result of the program is "1" but the value of the expression is not expanded, and the attribute "mi-resultado-script" has always zero value.

Could you help me with this?

Thank you very much.
RE: Session Resumption fails
Hi Alexander, all

Thanks a lot for your reply. Please see my comments below...

> Panagiotis Georgopoulos wrote:
> >
> > I have a client machine that authenticates to FreeRadius using
> > EAP-TTLS over Access_Point_1 just fine. When I roam the client to
> > Access_Point_2 and tries to authenticate again to FreeRadius, session
> > resumption seems to be failing with the following error.
> >
> > [snipped]
> >
> > One thing to note on the above is that there is no cached information,
> > which seems strange as the client was authenticated some minutes over
> > Access_Point_1. The other thing is that user authentication fails
> > completely and the client resides to restart EAP-TTLS from the start
> > that finishes successfully.
> >
> The session cache stores what is in the *reply* packet of the inner
> request (if that makes sense).
>
Hmm, yes I think I do. So the server keeps the reply of an authentication and therefore if a client has authenticated successfully before, there should be a valid entry of his identity in the cache so that Phase 2 of TTLS in my case would be skipped.

> In your eap.conf file, you refer to a virtual server to palm off
> requests to once the EAP layer has been peeled off. In that virtual
> server say in the authorize{} section:
>
> update reply {
>     User-Name := "%{request:User-Name}"
> }
>
> Now you will find on resumption the username appears magically; session
> resumption is a feature of SSL/TLS and so the user-name is not
> accessible; hence the need to dig into the cache.
>
Residing in the cache seems reasonable since it is a feature of SSL/TLS. What I don't get is that since this is a standard EAP-TTLS authentication, shouldn't resumption be working out of the box?

So, if full authentication *succeeds* for a client once, then there should be a cache entry reflecting that so that he won't have to perform full EAP-TTLS communication if he requests access within the lifetime that the cache entry is valid (in eap.conf terms: lifetime = 24 # hours). In my tests though I get "Info: [ttls] WARNING: No information in cached session!".

> I also recommend that you also do:
>
> update outer.request {
>     User-Name := "%{request:User-Name}"
> }
>
> This means that when the authentication fails (as a quirk of the inner
> session, post-auth{} and the whole reply packet is not available when an
> inner request Reject's) you have access to the username that was used.
>
Oh.. wait a minute, unless you mean that there is no way for the inner session, post-auth{} to know the contents of the server's reply in a previous authentication, which seems like a design flaw. Would adding the outer.request part that you suggested add an entry in the cache for a successful auth of the inner session?

Cheers,
Panos
Re: users match list criteria and vendor identification
In the clients.conf file is it possible to make custom variables and then test for those/match them in the users file?

What I'd like to do is create a variable called vendorname and use that to dictate what stub in the users file gets hit depending on the make/platform of the equipment in question, and then further filter that using huntgroups.

Can anyone tell me if any of that is possible?

Cheers
Cam.
--

On Thu, Sep 23, 2010 at 09:16, Cameron Wood wrote:
> Thanks for the reply.
>
> Resigned to the fact that I will have to distinguish my vendors/devices in
> the clients.conf file, is there a way in this file to put multiple hosts in
> a single statement, other than by using a netmask?
>
> Cheers
> Cam.
> --
>
> On Wed, Sep 22, 2010 at 17:46, Phil Mayers wrote:
>
>> On 09/22/2010 08:12 AM, Cameron Wood wrote:
>>
>>> Does Freeradius have a way for me to see the packet sent to it?
>>>
>>> I've already tried running it with the -X flag, but that isn't showing
>>> enough detail.
>>>
>>
>> That's all the detail there is. FreeRadius shows the full packet as it is
>> received; what more should it show?
>>
>> In answer to your question, no, most NASes don't send a vendor ID.
>> Sometimes they send VSAs, so you can infer the vendor from those, but other
>> times you'll get near-identical requests from two different NASes, and if
>> you want to tell them apart (so that you know which one to send VSAs back
>> to) you have to use different "clients {}" blocks and go from there.
>>
>> It's a shame the original radius specs didn't include a vendor ID, but
>> that can be said about a lot of attributes - it's an old (venerable)
>> protocol.
Re: Session Resumption fails
Panagiotis Georgopoulos wrote:
>
> I have a client machine that authenticates to FreeRadius using
> EAP-TTLS over Access_Point_1 just fine. When I roam the client to
> Access_Point_2 and tries to authenticate again to FreeRadius, session
> resumption seems to be failing with the following error.
>
> [snipped]
>
> One thing to note on the above is that there is no cached information,
> which seems strange as the client was authenticated some minutes over
> Access_Point_1. The other thing is that user authentication fails
> completely and the client resides to restart EAP-TTLS from the start
> that finishes successfully.
>
The session cache stores what is in the *reply* packet of the inner request (if that makes sense).

In your eap.conf file, you refer to a virtual server to palm off requests to once the EAP layer has been peeled off. In that virtual server say in the authorize{} section:

update reply {
    User-Name := "%{request:User-Name}"
}

Now you will find on resumption the username appears magically; session resumption is a feature of SSL/TLS and so the user-name is not accessible; hence the need to dig into the cache.

I also recommend that you also do:

update outer.request {
    User-Name := "%{request:User-Name}"
}

This means that when the authentication fails (as a quirk of the inner session, post-auth{} and the whole reply packet is not available when an inner request Reject's) you have access to the username that was used.

Cheers

--
Alexander Clouter
.sigmonster says: And on the eighth day, we bulldozed it.
Re: Last call for 2.1.10
On 2010/09/22 03:15 PM, Alan DeKok wrote:
> I've put some preliminary tar files on:
>
> http://git.freeradius.org/pre/
>
> If there are any issues, let me know now. Otherwise we'll release 2.1.10
> on Monday.

Would be nice to remove "+git" from debian/changelog

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782