RE: Clear text password (radius)
Hello, I do not know how I missed that, thanks :) But now I am getting a different problem. In the SQL table I entered a crypted password.

(acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to r...@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm
Re: agent-remote-id, agent-circuit-id strange format change.
> "octets" should work.
> i.e. the default configuration works.
> Which version are you running, and why did you edit the dictionary files?

As I wrote in my very first post, I'm already using octets format in attributes. The "default configuration" isn't working. I'm running 2.1.7 on CentOS.

Why am I editing dictionaries? Because I've read the whole mailing list regarding this problem and read such suggestions in some posts (suggested even by you).

SO RESULTS:
1. default FreeRadius 2.1.7 setup: has an old redback dictionary from 2000 with incorrect format of attributes, which are STRING there. Changed them to OCTETS - still not working.
2. took the patched redback dictionary from 2.1.10 and placed it into 2.1.7; it already has these two attributes (96 and 97) in the proper format: OCTETS (and please don't yell, it has no significant changes which may interfere with the 2.1.7 working process).

> Really? There are other RADIUS servers?

Sorry if I've broken your illusions that FreeRadius is the only RADIUS server in the world. I just wanted to say that I've tested this setup on another server and system which has almost the same config files, just a couple of PERL scripts. Maybe something else should be changed in some configuration files that makes FreeRadius understand or convert these attributes into normal format.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: configure radius to write detailed log to multiple files
Great, thank you both. I will give it a try right now.

On Wed, Dec 1, 2010 at 1:12 PM, Alan Buxey wrote:
> Hi,
>
> to add a second detail module, simply copy the first one and add a name to it
>
> ie
>
> the first detail file will have something like this...
>
> detail {
>         blah blah
>         blah blah
> }
>
> change this to
>
> detail detail1 {
>         blah blah
>         blah blah
> }
>
> and now make a second file (you can do it all in one file but I find it neater to use separate files for each function!)...eg called detail2 with the contents
>
> detail detail2 {
>         blah blah
>         blah blah
> }
>
> now, in the configuration files...where it calls 'detail' change that to have
> detail1 and detail2 (on 2 lines)
>
> there. done
>
> alan
Re: Limiting user accounts for specific devices
On Fri, Dec 3, 2010 at 7:24 AM, Garber, Neal wrote:
> > so it would need to be set per IP address or range only for
> > the limits so that the other users in AD can be used for that
>
> Have you thought about using huntgroups to group your NAS together and then
> authorize based upon Huntgroup-Name?

If you set the client shortname in your clients file to the same value for all the same "types" of switches you can do that as well. That's what we do since we are using Dynamic Groups and using the client-shortname for auth:

In our users file:

DEFAULT Client-Shortname == "CiscoSwitch", Ldap-Group == "cn=SwitchAccess,o=Identities"
        Service-Type = "Login-User",
        Idle-Timeout = 600
Re: Attribute not passing to NAS?
Also, check your radius server configuration on the controller. Check the timeout and retry settings (might even try changing the retry value to 1). I'm set to retries = 3, timeout = 5 for this server.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3289974.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Attribute not passing to NAS?
"Yes, I have done a packet trace. The Filter-Id attribute is sent on the 2nd packet of the authentication attempt, during the first access-challenge. After that, Filter-Id isn't mentioned again until after the Access-Accept packet on the Accounting-Request. However, on the Accounting-Request packet it's shown as Students, not Faculty. The whole authentication process is 20 packets, excluding the accounting packets. The only thing I noticed that may be out of the ordinary is that there are 10 access-request packets, with 9 of them being duplicates to the first request. The Filter-Id attribute is only sent on the first challenge response. I'm not sure if this is normal or not as I don't have anything to compare to. Do you see something similar with your configuration?"

Nope, one Access-Request, one Access-Accept. I just turned off accounting to keep it as clean and simple as possible, so just a request and an accept. Sounds like this may be the heart of the issue; it sounds as though you would be fine if you just had 1 Request/Accept since that first Accept contains the Filter-Id. It seems as though that is being lost/overwritten when the second, etc. Accept is received.
Re: Attribute not passing to NAS?
Mikal-

Yes, I have done a packet trace. The Filter-Id attribute is sent on the 2nd packet of the authentication attempt, during the first access-challenge. After that, Filter-Id isn't mentioned again until after the Access-Accept packet on the Accounting-Request. However, on the Accounting-Request packet it's shown as Students, not Faculty. The whole authentication process is 20 packets, excluding the accounting packets. The only thing I noticed that may be out of the ordinary is that there are 10 access-request packets, with 9 of them being duplicates to the first request. The Filter-Id attribute is only sent on the first challenge response. I'm not sure if this is normal or not as I don't have anything to compare to. Do you see something similar with your configuration?

On Thu, Dec 2, 2010 at 1:01 PM, mikal wrote:
> Rob,
>
> You shouldn't need to check the "restrict policy" option. My setup is actually using a Captive Portal for the users to enter credentials. So I start them off with a non-auth policy that uses a "Routed" topology and then once authenticated uses a "Bridge at AP" topology.
>
> So the controller is serving up the CP page, and then I'm using freeradius with a MySQL backend.
>
> Did you capture a trace from the controller interface just to ensure that the attribute/value pair is appearing at the controller interface correctly? Wireless Controller->Utilities->Wireless Controller TCP Dump Management.
>
> So my VNS setup looks like:
>
> VNS Name: SMFC
> WLAN Service: SMFC
> Non-Auth policy: SMFC NonAuth
> Auth Policy: SMFC Auth (support is correct, this will be overwritten if the radius-accept contains a Filter-Id value that matches a configured policy)
> Restrict policy set unchecked
> Enable checked
>
> Under VNS Configuration->Policies I have a policy: named Policy Name:NewmanN.
>
> I throw a row in my MySQL radreply table to use a Filter-Id value of NewmanN for a particular user (test.user11 in this case) and I'm off and running. If I set the Filter-Id value in my MySQL row to Newmann, or newmanN, etc. then I get the default policy applied to test.user11. The same behavior that you're seeing.
>
> "ktest Cleartext-Password := "password"
>         Filter-Id = "Faculty"
>
> When I authenticate with this user I get:
>
> Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID [TEST] from VNS [TEST] with username [ktest] has been successfully authenticated. Policy [Students] is applied.
>
> I get the same msg for an ldap user that has the Filter-Id set to Faculty as well.
>
> For comparison, on the controller my vns settings include:
> VNS Name: TEST
> WLAN Service: TESTWLAN
> Non-Auth policy: NonAuth
> Auth Policy: Students (support told me this doesn't matter what it's set to...the Filter-Id will override this)
> Restrict policy set unchecked
> Enable checked
>
> I have another policy named Faculty that is assigned the AuthFaculty topology (which sets the tagged vlan).
>
> How does this compare to your setup? Do I need the restrict policy set option checked and config'd?"
Re: Attribute not passing to NAS?
Rob,

You shouldn't need to check the "restrict policy" option. My setup is actually using a Captive Portal for the users to enter credentials. So I start them off with a non-auth policy that uses a "Routed" topology and then once authenticated uses a "Bridge at AP" topology.

So the controller is serving up the CP page, and then I'm using freeradius with a MySQL backend.

Did you capture a trace from the controller interface just to ensure that the attribute/value pair is appearing at the controller interface correctly? Wireless Controller->Utilities->Wireless Controller TCP Dump Management.

So my VNS setup looks like:

VNS Name: SMFC
WLAN Service: SMFC
Non-Auth policy: SMFC NonAuth
Auth Policy: SMFC Auth (support is correct, this will be overwritten if the radius-accept contains a Filter-Id value that matches a configured policy)
Restrict policy set unchecked
Enable checked

Under VNS Configuration->Policies I have a policy: named Policy Name:NewmanN.

I throw a row in my MySQL radreply table to use a Filter-Id value of NewmanN for a particular user (test.user11 in this case) and I'm off and running. If I set the Filter-Id value in my MySQL row to Newmann, or newmanN, etc. then I get the default policy applied to test.user11. The same behavior that you're seeing.

"ktest Cleartext-Password := "password"
        Filter-Id = "Faculty"

When I authenticate with this user I get:

Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID [TEST] from VNS [TEST] with username [ktest] has been successfully authenticated. Policy [Students] is applied.

I get the same msg for an ldap user that has the Filter-Id set to Faculty as well.

For comparison, on the controller my vns settings include:
VNS Name: TEST
WLAN Service: TESTWLAN
Non-Auth policy: NonAuth
Auth Policy: Students (support told me this doesn't matter what it's set to...the Filter-Id will override this)
Restrict policy set unchecked
Enable checked

I have another policy named Faculty that is assigned the AuthFaculty topology (which sets the tagged vlan).

How does this compare to your setup? Do I need the restrict policy set option checked and config'd?"
Re: wifi ip allocation
Alexandre Chapellon wrote:
> NAS IP and Port in the DHCP request? That's option 82 isn't it? If my
> NAS doesn't support relaying DHCP requests adding option 82 fields (my
> NASes may be very common wifi access points) is it still safe using such
> a setup?

It's option 82, yes. And it may work... it all depends on what the APs do.

Alan DeKok.
Re: where to MAC addresses?
Gilberto Uriostegui García wrote:
> Description:
>
> Windows Vista OS
> With an implementation of Oracle VM VirtualBox virtual machine
> Ubuntu 9.10
> with a server radiusd
> aser nesesito filtration equipment through this server
>
> The question is ... Where do I have to put the MAC addresses of the users?
> so that only they can enter with their MAC

You either are the same person with 3 different accounts posting the same message, or 3 different people in the same course looking for someone else to do your work for you.

Read the documentation, and stop posting the same message over and over again. It's rude. If you keep doing it, you can be banned from the list.

Alan DeKok.
validation of MAC addresses
Hello. I have installed on my computer a virtual machine which has the Ubuntu OS installed, 2.1.10; I installed freeradius and I have it running. I have doubts about the MAC addresses: I know they are validated and are discharged sen Directory users and clients, but how to do it? My question is how they are validated and high MAC addresses.
mac address validation
Hi ... my name is Jorge. I have a virtual machine with the Ubuntu operating system and installed freeradius; I validate mac addresses. I know how high the addresses given in the file mac users? and validated as mac addresses? Your help will be very important!
mac address validation
Hi ... my name is Jorge. I have a virtual machine with the Ubuntu operating system and installed freeradius; I validate mac addresses. I know how high the addresses given in the file mac users, and as validate mac address. Your help will be very important!
RE: Limiting user accounts for specific devices
> so it would need to be set per IP address or range only for
> the limits so that the other users in AD can be used for that

Have you thought about using huntgroups to group your NAS together and then authorize based upon Huntgroup-Name?
Re: Attribute not passing to NAS?
Hi Mikal-

Thanks for responding. I have it set up just like that...the policy on the controller is named Faculty. I even took LDAP out of it to make sure that the attribute was passing correctly. I have a user defined in the /etc/raddb/users

ktest Cleartext-Password := "password"
        Filter-Id = "Faculty"

When I authenticate with this user I get:

Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID [TEST] from VNS [TEST] with username [ktest] has been successfully authenticated. Policy [Students] is applied.

I get the same msg for an ldap user that has the Filter-Id set to Faculty as well.

For comparison, on the controller my vns settings include:
VNS Name: TEST
WLAN Service: TESTWLAN
Non-Auth policy: NonAuth
Auth Policy: Students (support told me this doesn't matter what it's set to...the Filter-Id will override this)
Restrict policy set unchecked
Enable checked

I have another policy named Faculty that is assigned the AuthFaculty topology (which sets the tagged vlan).

How does this compare to your setup? Do I need the restrict policy set option checked and config'd?

-Rob

On Thu, Dec 2, 2010 at 11:38 AM, mikal wrote:
> Rob,
>
> You need to ensure that the value of Filter-Id maps exactly to the value of the policy that you're trying to apply. So you need to have a policy defined on the controller named "Faculty", not "faculty" or "facultY", but "Faculty".
>
> For instance, if I have a policy named "NewmanN" and I pass a Filter-Id="NewmanN" then I get:
>
> Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC] from VNS [SMFC] with username [test.user11] with mu session timer [52549] has been successfully authenticated. Policy [NewmanN] is applied.
>
> The desired policy is applied.
>
> If I pass a Filter-Id="Newmann" then I get:
>
> Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC] from VNS [SMFC] with username [test.user11] with mu session timer [52201] has been successfully authenticated. Policy [SMFC Auth] is applied.
>
> The default policy for that VNS is applied because there was no policy matching "Newmann".
where to MAC addresses?
Description:
Windows Vista OS
With an implementation of Oracle VM VirtualBox virtual machine
Ubuntu 9.10
with a server radiusd
aser nesesito filtration equipment through this server

The question is ... Where do I have to put the MAC addresses of the users? so that only they can enter with their MAC. I hope my question is concise and you can help me. Thanks Friends ...
Re: wifi ip allocation
On Thursday 02 December 2010 at 07:38 +0100, Alan DeKok wrote:
> Alexandre Chapellon wrote:
> > Am not sure to understand... Once the wifi user entered the network
> > (level2: no IP yet), I have an entry for its sessions in my accounting
> > database, with username, sessionID, maybe mac_address and so on...
>
> Yes. This often includes NAS IP and port.
>
> > But when the user sends a DHCP request to obtain IP address (gain level3
> > access), that request may not contain any reference to the username, but
> > to the mac address... that's it?
>
> And often the NAS IP and port.

NAS IP and Port in the DHCP request? That's option 82 isn't it? If my NAS doesn't support relaying DHCP requests adding option 82 fields (my NASes may be very common wifi access points) is it still safe using such a setup?

Anyway, it's much more clear now, thanks.

> > So the trick would be to get the username from the mac address querying
> > the accounting database?
>
> Yes.
>
> > And then? Can I use any ippool module in the freeradius DHCP server? or
> > Do I have to use static mapping mac2ip?
>
> The ippool module doesn't do allocation for DHCP. But you could write
> a short Perl program to do it.
>
> Alan DeKok.
[no subject]
Hello, could you tell me the syntax to add a client in freeradius, and could you tell me the syntax to add a user in freeradius?
Re: Attribute not passing to NAS?
Rob,

You need to ensure that the value of Filter-Id maps exactly to the value of the policy that you're trying to apply. So you need to have a policy defined on the controller named "Faculty", not "faculty" or "facultY", but "Faculty".

For instance, if I have a policy named "NewmanN" and I pass a Filter-Id="NewmanN" then I get:

Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC] from VNS [SMFC] with username [test.user11] with mu session timer [52549] has been successfully authenticated. Policy [NewmanN] is applied.

The desired policy is applied.

If I pass a Filter-Id="Newmann" then I get:

Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC] from VNS [SMFC] with username [test.user11] with mu session timer [52201] has been successfully authenticated. Policy [SMFC Auth] is applied.

The default policy for that VNS is applied because there was no policy matching "Newmann".
Limiting user accounts for specific devices
We have a bunch of HP switches that we're using radius authentication on to configure. Our freeradius server is configured to grab users from an active directory server. We want to be able to only allow a single user account to be able to have rights to login to these switches so if any other account is used it should be denied access. I have to be able to pull this information from AD so that the user password can be changed quickly by someone not familiar with configuring radius. Later on we're going to use this same radius server to authenticate wireless access so it would need to be set per IP address or range only for the limits so that the other users in AD can be used for that. I'm thinking there is a way to do this in clients.conf but haven't found anything so far in my research. Here's an example client we have in our clients.conf:

client 10.0.0.251 {
        secret = x
        shortname = NOC_5308
}

Any help would be greatly appreciated.

Thanks,
Jared
Re: Clear text password (radius)
Hi,

> WARNING: Unprintable characters in the password. Double-check the
> shared secret on the server and the NAS!

that's your answer. the server doesn't lie

alan
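The warning Alan points at comes from the server reversing the RFC 2865 User-Password hiding with its own copy of the shared secret: if the NAS used a different secret, the recovered bytes are garbage and fail a printability check. The following Python is an added example, not code from this thread or from FreeRADIUS; it implements the hiding in both directions and that check, and the secret "testing123", the password and the Request Authenticator are constructed sample values.

```python
import hashlib
import os

# Added example: RFC 2865 section 5.2 User-Password hiding as a NAS applies it
# and as the server reverses it, plus the server-side printability check whose
# failure produces the warning quoted above. Not FreeRADIUS code; the secret,
# password and Request Authenticator used here are constructed.


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: NUL-pad the password to a 16-byte multiple, then XOR each block
    with MD5(secret + previous_block). The first 'previous block' is the 16-byte
    Request Authenticator; later ones are the hidden (output) blocks."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 password bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same key stream, chained on the received hidden blocks.
    With the wrong secret every block comes out as effectively random bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        clear += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    # Strip the NUL padding; real passwords do not contain NUL bytes.
    return clear.rstrip(b"\x00")


def is_printable(password: bytes) -> bool:
    """The sanity check behind 'Unprintable characters in the password': bytes
    outside printable ASCII almost always mean the two secrets disagree."""
    return all(0x20 <= b <= 0x7E for b in password)


def round_trip(password: bytes, nas_secret: bytes, server_secret: bytes,
               authenticator: bytes = None):
    """Simulate one Access-Request: returns (hidden, recovered, printable)."""
    if authenticator is None:
        authenticator = os.urandom(16)  # the NAS picks a fresh one per request
    hidden = hide_password(password, nas_secret, authenticator)
    recovered = unhide_password(hidden, server_secret, authenticator)
    return hidden, recovered, is_printable(recovered)


if __name__ == "__main__":
    # Same secret on both sides: the password comes back intact.
    _, ok, printable = round_trip(b"password", b"testing123", b"testing123")
    print(ok, printable)
    # NAS and server disagree: garbage, which is what the server warns about.
    _, bad, printable = round_trip(b"password", b"testing123", b"Testing123")
    print(bad, printable)
```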
FW: Informacio
From: horacio...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: Informacio
Date: Thu, 2 Dec 2010 03:46:19 +

Hi, I am a newbie at this, help please.

Description:
O. System Windows Vista
With 1 application of Oracle VM VirtualBox Virtual Machine
O. System Ubuntu 10.10
with a server radiusd
aser nesesito mac filtering equipment through this server

Well, my question is if the users file I register users with their password to be linia file that I register the MAC addresses. Well, I hope and I can help because it is very important to me as it is for a practice School. Thanks
user-group for rejected users
Hello! Let's suppose the following situations:
1) User exists but the password is wrong
2) User does not exist
In both cases the answer is REJECT. It happens that certain hardware is making endless attempts that eventually saturate the server.
- Is it possible to cause the server, instead of rejecting the users, to accept the login but respond ACCEPT with "framed-pool = pool-block"?
or/and
- Is there any way to put REJECTed users in a given group by default?
Thanks!
Fabricio
Re: use existing sql table for user-password
Hello, I just solved it with an SQL trigger. When a new user is created in the other table, the same user/password is inserted in the radcheck table with Auth-Type and other static variables. If a password change occurs in the other table, it updates the radcheck table password field too. Thank you all for the help.

On Thursday, December 02, 2010 04:52:01 pm Brian Candler wrote:
> > > But for radcheck, i need to add attribute and value fields as i see.
> > > How can i check just username and password from one table, and check
> > > other attributes (AuthType etc) from another??
> >
> > Write an SQL function.
>
> Or use the group functionality. That is, use
>
> authorize_check_query
> authorize_reply_query
>
> to get the password, and
>
> group_membership_query
> authorize_group_check_query
> authorize_group_reply_query
>
> to get the attributes from another table. In group_membership_query you map
> the username to some other key, but you can just map it to the username
> again if you wish.
>
> But if this is MySQL, as Alan says it may be easier (and is certainly more
> flexible) to put your logic into stored procedures. Then use
>
> authorize_check_query = "call getCheck('%{User-Name}');"
> authorize_reply_query = "call getReply('%{User-Name}');"
>
> Regards,
>
> Brian.
Re: redundant LDAP-Group
On 02/12/10 14:49, Phil Mayers wrote:
> Alternatively, how about:
>
> policy {
>         myldap {
>                 update request {
>                         Module-Failure-Message !* 0x00
>                         My-Group = "%{ldap1:...}"
>                 }
>                 if (Module-Failure-Message) {

Nah, this won't work, sorry - I was misreading the rlm_ldap.c code. Module-Failure-Message is only set by ldap_authorize on NOTFOUND, not FAIL, and not in perform_search()
Re: use existing sql table for user-password
> > But for radcheck, i need to add attribute and value fields as i see.
> > How can i check just username and password from one table, and check other
> > attributes (AuthType etc) from another??
>
> Write an SQL function.

Or use the group functionality. That is, use

authorize_check_query
authorize_reply_query

to get the password, and

group_membership_query
authorize_group_check_query
authorize_group_reply_query

to get the attributes from another table. In group_membership_query you map the username to some other key, but you can just map it to the username again if you wish.

But if this is MySQL, as Alan says it may be easier (and is certainly more flexible) to put your logic into stored procedures. Then use

authorize_check_query = "call getCheck('%{User-Name}');"
authorize_reply_query = "call getReply('%{User-Name}');"

Regards,

Brian.
Re: redundant LDAP-Group
On 02/12/10 13:14, Alexander Clouter wrote:
> Phil Mayers wrote:
>
> It would be really nice to fold those duplicate LDAP-Group lines into
> 'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:
>
> /etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT:
> Invalid octet string "it-switch-admin" for attribute name
> "ldap_login-LDAP-Group"
> Errors reading /etc/freeradius/LOCAL/users-login
>
> AFAICT this doesn't really work because of the way the attributes
> comparisons are actually handled.
> Was wondering if someone out there knew of a neater way to do this?

Ah I see. I was thinking you might be able to do something with the ldap xlat:

update control {
        My-Group-Staff = "%{ldap1:...}"
}
if (!control:My-Group-Staff) {
        update control {
                My-Group-Staff = "%{ldap2:...}"
        }
}

or:

update control {
        My-Group-Staff = "%{%{ldap1:..}:-%{ldap2:...}}"
}

...but sadly again, the ldap xlat doesn't return an error code, just 0, so it's impossible to distinguish between no match and error, and you'll end up hitting the "ldap2" module a lot when you don't need to.

Hmm. Tricky.

How about a pair of ldap modules and creative use of the ldap.attrmap, so something like:

checkItem My-Group memberOf +=

...then:

policy {
        myldap {
                ldap1
                if (fail) {
                        ldap2
                }
        }
}

...then:

authorize {
        myldap
        if (control:My-Group == Staff) {
                # something
        }
}

Alternatively, how about:

policy {
        myldap {
                update request {
                        Module-Failure-Message !* 0x00
                        My-Group = "%{ldap1:...}"
                }
                if (Module-Failure-Message) {
                        update request {
                                My-Group = "%{ldap2:...}"
                        }
                }
        }
}
Re: freeradius + ldap
On Thu, Dec 02, 2010 at 02:37:43PM +0100, Ana Gallardo wrote:
> I have read that this is not ok
>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html

OK, and you're not doing that which is described above, so you're fine.

> The configuration that work:
>
> ldap ldapPerson{
>         set_auth_type = yes
> }

I think this is the catch. I don't have this particular option in my config, but I see now that it looks like they're all 2.1.8.

> authorize {
>         ldapPerson
>         update control {
>                 Auth-Type := "LDAP"
>         }
> }

This seems redundant. If ldapPerson already ran, with the set_auth_type option, ...

--
2. That which causes joy or happiness.
Re: radsniff behaviour change?
On Thu, Dec 02, 2010 at 02:32:16PM +, Brian Candler wrote: > I wonder if this logic is unintentionally broken, and in fact you meant to > load the dictionary *unless* -F is present? This appears to fix it. diff --git a/src/main/radsniff.c b/src/main/radsniff.c index 935d2ce..6c3ca14 100644 --- a/src/main/radsniff.c +++ b/src/main/radsniff.c @@ -422,7 +422,7 @@ int main(int argc, char *argv[]) /* * There are many times where we don't need the dictionaries. */ - if (fr_debug_flag || radius_filter) { + if (fr_debug_flag || !radius_filter) { if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) { fr_perror("radsniff"); return 1; - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
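Review bot: The comment kept above the changed condition, "There are many times where we don't need the dictionaries.", no longer matches the code: with `if (fr_debug_flag || !radius_filter)` the dictionary is now loaded in every case except a filter (-F) given without -x, so the comment should say that instead. It is also worth confirming that the -F-only path still works, because a filter expression that names attributes would presumably need the dictionary loaded as well; if it does, dropping the radius_filter test and loading the dictionary unconditionally would be simpler than negating it.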
radsniff behaviour change?
As of 2.1.10, radsniff doesn't decode packets automatically without -x:

$ sudo bin/radsniff -i lo -c 1
Access-Request Id 17 127.0.0.1:43171 -> 127.0.0.1:1812 +0.000
        Attr-1 = 0x7374657665
        Attr-2 = 0x98f7337df71223dc220a3a682c5f0a7f
        Attr-4 = 0x7f01
        Attr-5 = 0x0001

Looking at the code, it doesn't even read the dictionary unless you add -x (debug) or -F (filter). This change was made in commit 7a85628d

I wonder if this logic is unintentionally broken, and in fact you meant to load the dictionary *unless* -F is present?

Regards,

Brian.
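To show what the dictionary changes in the output above, here is an added example in Python (not code from this thread or from radsniff): a small RADIUS attribute decoder that prints the raw "Attr-N = 0x..." lines when no dictionary is loaded and named, typed values when one is. The four-entry dictionary and the Access-Request packet are constructed; the user name "steve" matches the 0x7374657665 shown in the post.

```python
import ipaddress
import struct

# Added example, not code from the thread or from radsniff: a minimal RADIUS
# attribute decoder showing the two output styles Brian describes. The
# dictionary below is a four-entry stand-in for the real RADIUS dictionary,
# and the packet built at the bottom is constructed sample input.

DICTIONARY = {
    1: ("User-Name", "string"),
    2: ("User-Password", "octets"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
}

HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator
ACCESS_REQUEST = 1


def parse_attributes(payload: bytes) -> list:
    """Walk the type/length/value attribute area, rejecting bad lengths
    instead of reading past the buffer (length covers the 2 header bytes)."""
    avps, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[pos], payload[pos + 1]
        if attr_len < 2 or pos + attr_len > len(payload):
            raise ValueError(f"bad length {attr_len} for attribute {attr_type}")
        avps.append((attr_type, payload[pos + 2:pos + attr_len]))
        pos += attr_len
    return avps


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < HEADER.size:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length, authenticator = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    return code, ident, authenticator, parse_attributes(packet[HEADER.size:length])


def is_well_formed(packet: bytes) -> bool:
    """True if the header and every attribute length check out."""
    try:
        parse_packet(packet)
        return True
    except ValueError:
        return False


def format_attribute(attr_type: int, value: bytes, use_dictionary: bool) -> str:
    """Without a dictionary every attribute is just a number and hex bytes."""
    if not use_dictionary or attr_type not in DICTIONARY:
        return f"Attr-{attr_type} = 0x{value.hex()}"
    name, kind = DICTIONARY[attr_type]
    if kind == "string":
        return f'{name} = "{value.decode("utf-8", "replace")}"'
    if kind == "ipaddr" and len(value) == 4:
        return f"{name} = {ipaddress.IPv4Address(value)}"
    if kind == "integer" and len(value) == 4:
        return f"{name} = {struct.unpack('!I', value)[0]}"
    return f"{name} = 0x{value.hex()}"  # octets, or a malformed typed value


def decode(packet: bytes, use_dictionary: bool) -> list:
    """Render a packet the way radsniff prints it, one line per attribute."""
    code, ident, _auth, avps = parse_packet(packet)
    head = "Access-Request" if code == ACCESS_REQUEST else f"Code-{code}"
    return [f"{head} Id {ident}"] + [format_attribute(t, v, use_dictionary) for t, v in avps]


def build_sample_packet() -> bytes:
    """Constructed Access-Request for user 'steve' from 127.0.0.1, NAS port 1.
    The User-Password value is an arbitrary 16-byte placeholder."""
    avps = b"".join(
        bytes([t, 2 + len(v)]) + v
        for t, v in [
            (1, b"steve"),
            (2, bytes(range(16))),
            (4, ipaddress.IPv4Address("127.0.0.1").packed),
            (5, struct.pack("!I", 1)),
        ]
    )
    return HEADER.pack(ACCESS_REQUEST, 17, HEADER.size + len(avps), b"\x00" * 16) + avps


if __name__ == "__main__":
    pkt = build_sample_packet()
    print("\n".join(decode(pkt, use_dictionary=False)))  # what 2.1.10 shows without -x
    print("\n".join(decode(pkt, use_dictionary=True)))   # what a loaded dictionary adds
```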
Re: redundant LDAP-Group
Phil Mayers wrote:
>
> > It would be really nice to fold those duplicate LDAP-Group lines into
> > 'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:
> >
> > /etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT:
> > Invalid octet string "it-switch-admin" for attribute name
> > "ldap_login-LDAP-Group"
> > Errors reading /etc/freeradius/LOCAL/users-login
>
> AFAICT this doesn't really work because of the way the attributes
> comparisons are actually handled.
> Was wondering if someone out there knew of a neater way to do this?

Twas all.

Cheers

--
Alexander Clouter
.sigmonster says: He who has a shady past knows that nice guys finish last.
Re: redundant LDAP-Group
Josip Rodin wrote:
>
>> DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis,
>> ldap_login1-LDAP-Group == it-switch-admin
>> DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis,
>> ldap_login2-LDAP-Group == it-switch-admin
>>
>> instantiate {
>>         ldap_login1
>>         ldap_login2
>
> This sounds like you're comparing attributes called "ldap_login1-LDAP-Group"
> and "ldap_login2-LDAP-Group". Presumably these are generated with those
> distinct names, by your two LDAP module instances.
>
> How do the definitions of those two look like?
> IOW have you tried using a common LDAP attribute map in both?
>

http://wiki.freeradius.org/Rlm_ldap#Group_Support

Cheers

--
Alexander Clouter
.sigmonster says: Screw up your courage! You've screwed up everything else.
Attribute not passing to NAS?
I have an Enterasys HiPath controller that I'm trying to pass an attribute to, to throw the user into the correct policy upon authentication. I talked with their support and they say to set the Filter-Id attribute to the name of the policy set on the controller. I did, but it doesn't seem to pass. In the debug for radius I get this:

[peap] Got tunneled reply RADIUS code 2
        Filter-Id = "Faculty"
        EAP-Message = 0x03080004
        Message-Authenticator = 0x
        User-Name = "ktest"

and it goes on to:

Cleaning up request 18 ID 109 with timestamp +12
        User-Name = "ktest"
        NAS-IP-Address = 127.0.4.1
        NAS-Port = 222
        Framed-MTU = 1400
        Called-Station-Id = "00:1f:45:7f:83:fa"
        Calling-Station-Id = "00:24:d6:a6:ce:ce"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "TEST"
        Siemens-AP-Serial = "0500010143052305"
        Siemens-AP-Name = "AP09"
        Siemens-VNS-Name = "TEST"
        Siemens-BSSID = "TEST"
        Siemens-BSS-MAC = "00:1f:45:7f:83:fa"
        Siemens-Policy = "Students"
        Siemens-Topology = "TopoStudents"
        Siemens-Ingress-Rate = "Unlimited"
        Siemens-Egress-Rate = "Unlimited"

I use LDAP (via eDirectory) on the backend and authentication is working fine. It pulls the correct value for the Filter-Id attribute, but it doesn't seem to take effect. The Siemens-xxx attributes are coming from the controller and you can see based on the Siemens-Policy = "Students" attribute that the student policy is still applying - not the Faculty policy as is defined in the Filter-Id attribute. I have also tried to set the Siemens-Policy attribute on the user but that did not work either.

Am I missing something in the config to have this value sent back to the NAS?

FreeRadius 2.1.8
Re: freeradius + ldap
Hello Josip and thank you again for your response.

> This is an orthogonal issue; you don't have to allow anyone to read the
> value of the userPassword attribute, you just have to get the FR ldap
> module to *bind* to the LDAP server with the username and password from
> the request.

Ok, now I know.

> This is log output for an anonymous bind in authorize section ("bind as /
> to" means "bind as /"). What is the output for the
> authenticated bind, that happens in the authenticate section?

There is no authenticated bind because Freeradius doesn't set Auth-Type and...

ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

Thanks

++ Ana Gallardo Gómez ++
Re: freeradius + ldap
Hello again.

Ok, now I can authenticate a user using LDAP.

> I'm using freeradius 2.1.10 and I want to use ldap like a backend in
> authorize section to take userPassword attribute (unix crypt) to
> authenticate the user.
> My problem is: the ldap server don't have public key that an admin user (who
> bind) can take. So I have to bind in the authorize section with the user and
> password (clear text) in the request.
> Is this posible?
> I have read that this is not ok
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html
> What are my posibilities?

I think that what I can do is:

- in authorize section bind like anonymous user and take the public attributes that I need to authorize the user.
- in authenticate section bind like the user who wants to access

The configuration that works:

LDAP MODULE

ldap ldapPerson {
        server = "xxx"
        basedn = "ou=people,dc=unex,dc=es"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldapPerson.attrmap
        edir_account_policy_check = no
        set_auth_type = yes
}

SERVER

server test {
        authorize {
                suffix
                files
                ldapPerson
                expiration
                update control {
                        Auth-Type := "LDAP"
                }
        }
        authenticate {
                Auth-Type LDAP {
                        ldapPerson
                }
        }
}

DEBUG

rad_recv: Access-Request packet from host x.x.x.x port 48259, id=145, length=58
        User-Name = "aigalla...@unex.es"
        User-Password = ""
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm "unex.es" for User-Name = "aigalla...@unex.es"
[suffix] Found realm "unex.es"
[suffix] Adding Stripped-User-Name = "aigallardo"
[suffix] Adding Realm = "unex.es"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} -> aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
[ldapPerson] ldap_get_conn: Checking Id: 0
[ldapPerson] ldap_get_conn: Got Id: 0
[ldapPerson] attempting LDAP reconnection
[ldapPerson] (re)connect to x.x.x.x:389, authentication 0
[ldapPerson] bind as / to x.x.x.x:389
[ldapPerson] waiting for bind result ...
[ldapPerson] Bind was successful
[ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
[ldapPerson] gecos -> Nombre-Completo = "Ana-Isabel Gallardo Gomez..."
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
[ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
++[control] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/test
+- entering group LDAP {...}
[ldapPerson] login attempt by "aigallardo" with password ""
[ldapPerson] user DN: uid=aigallardo,ou=People,dc=unex,dc=es
[ldapPerson] (re)connect to x.x.x.x:389, authentication 1
[ldapPerson] bind as uid=aigallardo,ou=People,dc=unex,dc=es/x to x.x.x.x:389
[ldapPerson] waiting for bind result ...
[ldapPerson] Bind was successful
[ldapPerson] user aigallardo authenticated succesfully
++[ldapPerson] returns ok
} # server test
Sending Access-Accept of id 145 to x.x.x.x port 48259
        Nombre-Completo = "Ana-Isabel Gallardo Gomez..."

I don't know if this is the best way to solve my problem; if someone has something better, I would like to know.

Thank you very much and sorry for my english.

++ Ana Gallardo Gómez ++
Re: agent-remote-id, agent-circuit-id strange format change.
Denis Iskandarov wrote:
> they should come in same normal hex format aa:bb:cc:dd:ee:ff but lil bit
> bit longer e.g.:
> Agent-Remote-Id = 0006000ded21a480
> Agent-Circuit-Id = 00040002
>
> But they are coming in this unknow unreadable format:
> Agent-Remote-Id = "\000\006\000\r\355!\244\200"
> Agent-Circuit-Id = "\000\004\000\002\000"

Use "octets" for the data type.

> dictionary used is Redback with attributes 96 and 97
> i've tried both octets and string format in dictionary for this attributes.

"octets" should work. i.e. the default configuration works.

Which version are you running, and why did you edit the dictionary files?

> How can i tell freeradius to work with this attributes in normal format ?
> Other way i've to enter this stupid strings in users db to authenticate
> user (it works like this right now).
>
> There is other commercial multi OS radius server built on perl
> "RADIATOR" and it works like charm with only few string in its rad.conf.

Really? There are other RADIUS servers?

Alan DeKok.
Re: redundant LDAP-Group
On 02/12/10 11:54, Alexander Clouter wrote:
> It would be really nice to fold those duplicate LDAP-Group lines into
> 'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:
>
> /etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT:
> Invalid octet string "it-switch-admin" for attribute name
> "ldap_login-LDAP-Group"
> Errors reading /etc/freeradius/LOCAL/users-login

AFAICT this doesn't really work because of the way the attributes comparisons are actually handled.

You probably know this, but:

Basically when a copy of the "ldap" module is instantiated, it registers a "paircompare" handler for the global "LDAP-Group", then if the module is named:

1. Registers a new attribute "modname-LDAP-Group"
2. Registers a "paircompare" handler for that attribute

The "redundant" construct has no way to know about this; the "ldap" module(s) are instantiated (and the attribute/comparisons registered) completely separately from the redundant{} processing.

Similar problems hold for the %{modname:} xlat stuff; modules can potentially register any xlat they like, and the modgroup code doesn't know about that.

In addition, the "paircompare" handlers currently don't return an error status; they just return an integer, 0 meaning "equality", so a redundant paircompare would have no way of distinguishing a "LDAP OK, user not in group" from "LDAP down, try next module", and would end up querying both LDAP modules much of the time.
Re: redundant LDAP-Group
On Thu, Dec 02, 2010 at 11:54:28AM +, Alexander Clouter wrote:
> DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis,
> ldap_login1-LDAP-Group == it-switch-admin
> DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis,
> ldap_login2-LDAP-Group == it-switch-admin
>
> instantiate {
>         ldap_login1
>         ldap_login2

This sounds like you're comparing attributes called "ldap_login1-LDAP-Group" and "ldap_login2-LDAP-Group". Presumably these are generated with those distinct names, by your two LDAP module instances.

How do the definitions of those two look like?
IOW have you tried using a common LDAP attribute map in both?

--
     2. That which causes joy or happiness.
agent-remote-id, agent-circuit-id strange format change.
Hello, I'm using DHCP Option 82 with Freeradius auth. It uses several fields as username for auth: User-Name, agent-remote-id and agent-circuit-id.

User-Name is the mac address of the dhcp-client, and comes to radius in normal format "aa:bb:cc:dd:ee:ff".

agent-remote-id and agent-circuit-id are a combination of dhcp-client mac address, vlan id, port id, slot id of the dhcp relay. They should come in the same normal hex format aa:bb:cc:dd:ee:ff but a little bit longer, e.g.:

Agent-Remote-Id = 0006000ded21a480
Agent-Circuit-Id = 00040002

But they are coming in this unknown unreadable format:

Agent-Remote-Id = "\000\006\000\r\355!\244\200"
Agent-Circuit-Id = "\000\004\000\002\000"

The dictionary used is Redback with attributes 96 and 97. I've tried both octets and string format in the dictionary for these attributes.

How can I tell freeradius to work with these attributes in normal format? Otherwise I have to enter these stupid strings in the users db to authenticate the user (it works like this right now).

There is another commercial multi-OS radius server built on perl, "RADIATOR", and it works like a charm with only a few strings in its rad.conf (in my case it's working on WinXP, and the FreeRadius main server on CentOS).

Here is the debug output of both radius servers:

FreeRadius:

rad_recv: Access-Request packet from host 192.168.1.101 port 50213, id=4, length=143
        NAS-Port-Type = Ethernet
        NAS-Port = 2210402311
        Calling-Station-Id = "1:0:c:42:40:40:38"
        Called-Station-Id = "CLIENTS_pool1"
        User-Name = "00:0C:42:40:40:38"
        User-Password = ""
        *Agent-Remote-Id = "\000\006\000\r\355!\244\200"
        Agent-Circuit-Id = "\000\004\000\002\000"*
        NAS-Identifier = "R1"
        NAS-IP-Address = 192.168.1.101

Radiator Attributes:

        NAS-Port-Type = Ethernet
        NAS-Port = 2213543991
        Calling-Station-Id = "1:0:c:42:40:40:38"
        Framed-IP-Address = 192.168.3.156
        Called-Station-Id = "CLIENTS_pool1"
        User-Name = "00:0C:42:40:40:38"
        User-Password = <230><182><134>I<22><196><196><178>\#<8>Uq<251><162><201>
        *RB-Agent-Remote-Id = 0006000ded21a480
        RB-Agent-Circuit-Id = 00040002*
        NAS-Identifier = "R1"
        NAS-IP-Address = 192.168.0.22

Link on my mikrotik forum with detailed wireshark sniffing:
http://forum.mikrotik.com/viewtopic.php?f=2&t=47083
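Both debug outputs carry the same bytes; FreeRADIUS only renders them as a "string" with C-style octal escapes when the dictionary type is string, while Radiator prints hex. The Python helper below is an added example, not code from this thread or from FreeRADIUS, that undoes that escaping so the two renderings can be compared byte for byte; it assumes the escape set is \ooo plus \n, \r, \t, \\ and \", and uses the attribute lines quoted above as constructed input.

```python
import re

# Constructed input: the two attribute lines exactly as FreeRADIUS printed
# them in the post (string type, octal escapes for non-printable bytes).
FREERADIUS_DEBUG = r'''        Agent-Remote-Id = "\000\006\000\r\355!\244\200"
        Agent-Circuit-Id = "\000\004\000\002\000"'''

# The same Remote-Id as Radiator displayed it (plain hex).
RADIATOR_REMOTE_ID = "0006000ded21a480"

# Single-character escapes FreeRADIUS uses besides \ooo (assumed set).
_SIMPLE_ESCAPES = {"n": b"\n", "r": b"\r", "t": b"\t", "\\": b"\\", '"': b'"'}
_OCTAL = re.compile(r"\\([0-7]{1,3})")


def unescape_radius_string(s: str) -> bytes:
    """Convert FreeRADIUS's escaped string rendering back into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c != "\\":
            # Printable byte, emitted literally by the server.
            out += c.encode("latin-1")
            i += 1
            continue
        m = _OCTAL.match(s, i)
        if m:
            # \ooo: up to three octal digits, one byte.
            out.append(int(m.group(1), 8) & 0xFF)
            i = m.end()
            continue
        nxt = s[i + 1] if i + 1 < len(s) else ""
        # Unknown escape: keep the backslash and the character as-is.
        out += _SIMPLE_ESCAPES.get(nxt, ("\\" + nxt).encode("latin-1"))
        i += 2
    return bytes(out)


def parse_debug_attrs(text: str) -> dict:
    """Parse 'Name = "value"' lines from radiusd -X output into {name: bytes}."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w-]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            attrs[m.group(1)] = unescape_radius_string(m.group(2))
    return attrs


def to_hex(raw: bytes, sep: str = "") -> str:
    """Render bytes as Radiator-style hex, optionally colon-separated."""
    return raw.hex(sep) if sep else raw.hex()


def same_bytes_as_radiator(freeradius_text: str, attr: str, radiator_hex: str) -> bool:
    """True when the escaped string and the hex form decode to identical bytes."""
    return to_hex(parse_debug_attrs(freeradius_text)[attr]) == radiator_hex.lower()


if __name__ == "__main__":
    for name, raw in parse_debug_attrs(FREERADIUS_DEBUG).items():
        print(f"{name} = 0x{to_hex(raw)}  ({to_hex(raw, ':')})")
    print("Remote-Id matches Radiator:",
          same_bytes_as_radiator(FREERADIUS_DEBUG, "Agent-Remote-Id", RADIATOR_REMOTE_ID))
```

Switching the two dictionary entries to the octets type, as suggested in the reply, makes the server print the hex form directly instead of the escaped string.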
redundant LDAP-Group
Hi,

I know this has been covered in the archives, and the news is generally not good, but my users file currently looks like:

DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis, ldap_login1-LDAP-Group == it-switch-admin
        Service-Type = Administrative-User
DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis, ldap_login2-LDAP-Group == it-switch-admin
        Service-Type = Administrative-User

DEFAULT NAS-Identifier == switch, Huntgroup-Name == cisco, NAS-Port-Type == Virtual, ldap_login1-LDAP-Group == it-switch-admin
        Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT NAS-Identifier == switch, Huntgroup-Name == cisco, NAS-Port-Type == Virtual, ldap_login2-LDAP-Group == it-switch-admin
        Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT NAS-Identifier == switch, Auth-Type := Reject

In my global configuration I have:

instantiate {
        ldap_login1
        ldap_login2
        redundant-load-balance ldap-login {
                ldap_login1
                ldap_login2
        }

        ldap_lanwarden1
        ldap_lanwarden2
        redundant-load-balance ldap-lanwarden {
                ldap_lanwarden1
                ldap_lanwarden2
        }
}

It would be really nice to fold those duplicate LDAP-Group lines into 'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:

/etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT: Invalid octet string "it-switch-admin" for attribute name "ldap_login-LDAP-Group"
Errors reading /etc/freeradius/LOCAL/users-login
/etc/freeradius/LOCAL/modules.conf[1]: Instantiation failed for module "files-login"
/etc/freeradius/sites-enabled/login[72]: Failed to load module "files-login".
/etc/freeradius/sites-enabled/login[35]: Errors parsing authorize section.

This 'redundant' LDAP-Group problem often crops up, unfortunately it is way above my head to resolve.

Another "moon-on-a-stick" feature is that I have two sets of LDAP servers configured[1], in my authorise section I have:

authorize {
        ...
        ldap-login
        if (!ok) {
                reject
        }
        files
        ...
}

If I instead simply use 'LDAP-Group' in the users file, 'ldap-lanwarden' is invoked (rather than me expecting a continuation of the last used LDAP server)... Is this a bug or a 'feature'?

Cheers

[1] ldap_login[12] -> ldap_login, ldap_lanwarden[12] -> ldap_lanwarden

--
Alexander Clouter
.sigmonster says: An idea is not responsible for the people who believe in it.
Re: freeradius + ldap
On Thu, Dec 02, 2010 at 09:09:51AM +0100, Ana Gallardo wrote:
> > Add LDAP into the authenticate section, so that it simply tries to re-bind
> > with the provided credentials? Like this:
> >
> >        Auth-Type LDAP {
> >                ldapPerson
> >        }
> >
>
> I try this configuration too, but it doesn't work for me. Freeradius doesn't
> set the value to Auth-Type attribute. I thik that this is because the
> userPassword attribute is only visible to each particular user when binds.

This is an orthogonal issue; you don't have to allow anyone to read the value of the userPassword attribute, you just have to get the FR ldap module to *bind* to the LDAP server with the username and password from the request. Then the LDAP server verifies it against whatever it needs in the background, and you don't care.

> # Executing section authorize from file /etc/freeradius/sites-enabled/test
> +- entering group authorize {...}
> [ldapPerson] bind as / to ldap.unex.es:389
> [ldapPerson] waiting for bind result ...
> [ldapPerson] Bind was successful

This is log output for an anonymous bind in authorize section ("bind as / to" means "bind as /"). What is the output for the authenticated bind, that happens in the authenticate section?

--
     2. That which causes joy or happiness.
Re: Accounting and Acct-Delay-Time in MySQL
On 18/11/10 07:58, Stefan Winter wrote:
> Hi,
>
>> I'd re-visit the entire accounting table && queries. Create a *new*
>> table, so that people don't have surprises when they upgrade. Ideally,
>> it should be robust in the face of duplicate packets, and packets
>> forwarded via 2 different paths (think radrelay + delays)
>
> Okay, I'll see what I can do. One thing I noticed is that the default
> schema has a column
>
> xascendsessionsvrkey varchar(10) default NULL,
>
> A VSA, of a vendor that's long dead? This is one column that I would
> wipe out. If some people find they need it, they can always modify the
> tables to their (peculiar ;-) ) needs. No reason to push this column
> into every FreeRADIUS installation on the planet.
>
> Another thing I miss very much is in radpostauth:
> * some gear sends a different User-Name attribute in its reply than was
> in the request. It would be good to have these two names correlated
> easily, at least for forensics. Adding a column "reply-username" would
> do a lot of good here.
> * callingstationid would also be nice to have
> * and an indication which NAS the user used to log in (and/or which
> virtual server was used to handle the request)
>
> All of that is info one typically has to dig out of detail files; which
> is much more cumbersome than having it in SQL.
>
> Any thoughts here?

I've made some pretty extensive modifications to the default SQL schemas here (although we use postgresql). We log:

CREATE TABLE radpostauth (
        id serial,
        authdate timestamptz,
        authserver character varying(16),
        virtualserver text,
        reply text,
        username text NOT NULL,
        realm text,
        callingstationid text,
        framedipaddress inet,
        nasipaddress inet,
        nasport text,
        replyclass text,
        replymessage text
);

...and we use something like the following in radiusd.conf:

localopts {
        hostname = "thehostname"
}

sql {
        ...
        postauth_query = "insert into radpostauth (
                authdate, authserver, virtualserver, reply, username, realm,
                callingstationid, framedipaddress, nasipaddress, nasport,
                replyclass, replymessage
        ) values (
                now(), '${localopts.hostname}', '%{Virtual-Server}',
                '%{reply:Packet-Type}', '%{SQL-User-Name}', '%{Realm}',
                '%{Calling-Station-Id}', '%{reply:Framed-IP-Address}',
                '%{NAS-IP-Address}', '%{%{NAS-Port}:-%{NAS-Port-Id}}',
                '%{reply:Class}', '%{reply:Reply-Message}'
        )"
}

...it's actually a bit more complex than that, but you get the idea.
Re: PEAP/TTLS and Client certificates
I already enabled said option, the only problem is that this doesn't enforce the use of PEAP with a client certificate, as the TLS module is enabled and configured, it allows you to log in with just a client certificate using TLS. What I want is to enforce the use of not just TLS but PEAP with a client cert. Suppose I should have made that clearer in my post, sorry about that.

-Remy

--
View this message in context: http://freeradius.1045715.n5.nabble.com/PEAP-TTLS-and-Client-certificates-tp3238845p3289088.html
Re: PEAP/TTLS and Client certificates
rdeboer wrote:
> So a few weeks later and still not much further..
>
> Has anyone got an idea how I could force PEAP sessions to supply client a
> client certificate?

Read raddb/eap.conf. Look for "client cert"

Alan DeKok.
Re: Accounting and Acct-Delay-Time in MySQL
Stefan Winter wrote:
> Okay, I'll see what I can do. One thing I noticed is that the default
> schema has a column
>
> xascendsessionsvrkey varchar(10) default NULL,
>
> A VSA, of a vendor that's long dead? This is one column that I would
> wipe out. If some people find they need it, they can always modify the
> tables to their (peculiar ;-) ) needs. No reason to push this column
> into every FreeRADIUS installation on the planet.

Yup.

> Another thing I miss very much is in radpostauth:
> * some gear sends a different User-Name attribute in its reply than was
> in the request. It would be good to have these two names correlated
> easily, at least for forensics. Adding a column "reply-username" would
> do a lot of good here.

"reply-username" ? Or "accounting-request" ?

> * callingstationid would also be nice to have
> * and an indication which NAS the user used to log in (and/or which
> virtual server was used to handle the request)
>
> All of that is info one typically has to dig out of detail files; which
> is much more cumbersome than having it in SQL.
>
> Any thoughts here?

It sounds good to me.

Alan DeKok.
Re: PEAP/TTLS and Client certificates
So a few weeks later and still not much further..

Has anyone got an idea how I could force PEAP sessions to supply a client certificate?

--
View this message in context: http://freeradius.1045715.n5.nabble.com/PEAP-TTLS-and-Client-certificates-tp3238845p3289077.html
Re: SQL modul
Miha Zoubek wrote:
> at the end of this file I am getting massage Failed to load module
> "sql".
>
> Could you please help me what to do ?

Does your system have the rlm_sql library? Did you configure the SQL module?

Alan DeKok.
Re: use existing sql table for user-password
Oguzhan Kayhan wrote:
> As i noticed (i might be wrong), there is only one setting for
> authcheck_table.
> My username and passwords are in a table that i shouldnt change its structure.

Yes, that was clear from your previous message.

> But for radcheck, i need to add attribute and value fields as i see.
> How can i check just username and password from one table, and check other
> attributes (AuthType etc) from another??

Write an SQL function.

Alan DeKok.
RE: Mikrotik-Xmit-Limit - Not enforced on first logon but is on subsequent logons...
Hi,

I normally use MK for lots of things. The Mikrotik-Xmit-Limit attribute is recognized by MK as a limitation, so when the limit arrives, the MT cuts the user account.

You can write an exec program to modify the Mikrotik-Xmit-Limit attribute, or insert a trigger in the DB, or use sqlcounter. You choose which solution is easier for you.

Santiago

> From: sh...@sme.net.au
> Date: Sat, 27 Nov 2010 20:44:24 +1000
> Subject: Mikrotik-Xmit-Limit - Not enforced on first logon but is on subsequent logons...
> To: freeradius-users@lists.freeradius.org
>
> Hi all,
>
> Doing some trials with freeradius 2.x with the intention of moving from
> 1.1.7
>
> I have an odd problem with mikrotik nas.
> An account with download limit will not enforce the limit on the first
> logon but will on subsequent logons.
> On the first logon, no limit is imposed in mikrotik and the account can
> use unlimited traffic. If I log off then log on again, the limit is
> enforced... (I have checked in winbox and the "limit bytes in" column is
> not populated on first logon).
>
> It is taking me a while to get used to v2 of freeradius.
>
> Tks
>
> Setup details below:
>
> User account has attribute Mikrotik-Xmit-Limit := 10471200 in radcheck
> Do I need to have something in radreply as this is where the shaping is
> done?
>
> In: sql/mysql/counter.conf
>
> sqlcounter downloadbytecounter {
>         counter-name = Mikrotik-Xmit-Limit
>         check-name = Mikrotik-Xmit-Limit
>         reply-name = Mikrotik-Xmit-Limit
>         sqlmod-inst = sql
>         key = User-Name
>         reset = never
>         query = "SELECT SUM(acctoutputoctets) FROM radacct WHERE username='%{%k}'"
> }
>
> In sites-available/default
>
> authorize {
>         downloadbytecounter
Re: freeradius + ldap
Josip, thanks for your response.

> Add LDAP into the authenticate section, so that it simply tries to re-bind
> with the provided credentials? Like this:
>
>        Auth-Type LDAP {
>                ldapPerson
>        }
>

I try this configuration too, but it doesn't work for me. Freeradius doesn't set the value to Auth-Type attribute. I think that this is because the userPassword attribute is only visible to each particular user when binds.

rad_recv: Access-Request packet from host X.X.X.X port 49621, id=130, length=58
        User-Name = "aigalla...@unex.es"
        User-Password = ""
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm "unex.es" for User-Name = "aigalla...@unex.es"
[suffix] Found realm "unex.es"
[suffix] Adding Stripped-User-Name = "aigallardo"
[suffix] Adding Realm = "unex.es"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} -> aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
[ldapPerson] ldap_get_conn: Checking Id: 0
[ldapPerson] ldap_get_conn: Got Id: 0
[ldapPerson] attempting LDAP reconnection
[ldapPerson] (re)connect to ldap.unex.es:389, authentication 0
[ldapPerson] bind as / to ldap.unex.es:389
[ldapPerson] waiting for bind result ...
[ldapPerson] Bind was successful
[ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
[ldapPerson] gecos -> Nombre-Completo = "Ana-Isabel Gallardo Gomez,Dpto. Tecno. Computadores y Comuni.,,"
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
[ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server test

Thank you very much and sorry for my english.

++ Ana Gallardo Gómez ++