Re: freeradius + ldap

2010-12-02 Thread Ana Gallardo
Josip, thanks for your response.


> Add LDAP into the authenticate section, so that it simply tries to re-bind
> with the provided credentials? Like this:
>
> Auth-Type LDAP {
>     ldapPerson
> }


I tried this configuration too, but it doesn't work for me. FreeRADIUS doesn't
set the value of the Auth-Type attribute. I think that this is because the
userPassword attribute is only visible to each particular user when they bind.

rad_recv: Access-Request packet from host X.X.X.X port 49621, id=130,
length=58
User-Name = aigalla...@unex.es
User-Password = 
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es
[suffix] Found realm unex.es
[suffix] Adding Stripped-User-Name = aigallardo
[suffix] Adding Realm = unex.es
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} - aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es - ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to ldap.unex.es:389, authentication 0
  [ldapPerson] bind as / to ldap.unex.es:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter
(uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos - Nombre-Completo = Ana-Isabel Gallardo Gomez,Dpto.
Tecno. Computadores y Comuni.,,
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
} # server test


Thank you very much and sorry for my English.



++ Ana Gallardo Gómez ++
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Mikrotik-Xmit-Limit - Not enforced on first logon but is on subsequent logons...

2010-12-02 Thread Santiago Balaguer García

Hi,
 
  I normally use MK for lots of things. The Mikrotik-Xmit-Limit attribute is
recognized by MK as a limitation, so when the limit is reached, the MT cuts the
user account.
You can write an exec program to modify the Mikrotik-Xmit-Limit attribute, or
insert a trigger in the DB, or use sqlcounter.
 
  You choose whichever solution is easier for you.
 
   Santiago
 
> From: sh...@sme.net.au
> Date: Sat, 27 Nov 2010 20:44:24 +1000
> Subject: Mikrotik-Xmit-Limit - Not enforced on first logon but is on
> subsequent logons...
> To: freeradius-users@lists.freeradius.org
>
> Hi all,
>
> Doing some trials with freeradius 2.x with the intention of moving from
> 1.1.7
>
> I have an odd problem with mikrotik nas.
> An account with download limit will not enforce the limit on the first
> logon but will on subsequent logons.
> On the first logon, no limit is imposed in mikrotik and the account can
> use unlimited traffic. If I log off then log on again, the limit is
> enforced... (I have checked in winbox and the limit bytes in column is
> not populated on first logon).
>
> It is taking me a while to get used to v2 of freeradius.
>
> Tks
>
> Setup details below:
>
> User account has attribute Mikrotik-Xmit-Limit := 10471200 in radcheck
> Do I need to have something in radreply as this is where the shaping is
> done?
>
> In: sql/mysql/counter.conf
>
> sqlcounter downloadbytecounter {
>     counter-name = Mikrotik-Xmit-Limit
>     check-name = Mikrotik-Xmit-Limit
>     reply-name = Mikrotik-Xmit-Limit
>     sqlmod-inst = sql
>     key = User-Name
>     reset = never
>     query = "SELECT SUM(acctoutputoctets) FROM radacct WHERE username='%{%k}'"
> }
>
> In sites-available/default
>
> authorize {
>     downloadbytecounter
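The counter logic that the quoted counter.conf relies on, as an added Python example (not part of the thread and not FreeRADIUS's own rlm_sqlcounter code): it runs the thread's SUM query against an in-memory SQLite radacct table filled with constructed rows, compares the total with the check value (10471200, the Mikrotik-Xmit-Limit from the radcheck entry above) and derives the reply value as the remaining octets. The usernames and byte counts are constructed. The edge case worth seeing is a user with no accounting rows yet, i.e. the first logon, where SUM() returns NULL and has to be treated as zero before anything is compared.

```python
import sqlite3

# Constructed accounting rows (not from the thread): closed sessions per user.
SAMPLE_RADACCT = [
    ("alice", 3_000_000),
    ("alice", 4_500_000),
    ("carol", 11_000_000),
]

# Mikrotik-Xmit-Limit check value as in the thread's radcheck entry.
CHECK_LIMIT = 10471200


def make_radacct():
    """Build an in-memory radacct table with only the columns the counter query needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (username TEXT NOT NULL, acctoutputoctets INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?)", SAMPLE_RADACCT)
    conn.commit()
    return conn


def used_octets(conn, username):
    """Same aggregate as the thread's sqlcounter query, with a bound parameter
    instead of the '%{%k}' expansion.

    SUM() over zero matching rows yields NULL (None in Python), which is exactly
    what happens on a user's very first logon; treat it as 0 so the comparison
    in apply_counter() still works.
    """
    (total,) = conn.execute(
        "SELECT SUM(acctoutputoctets) FROM radacct WHERE username = ?", (username,)
    ).fetchone()
    return total or 0


def apply_counter(conn, username, check_limit=CHECK_LIMIT):
    """Mirror what sqlcounter does with counter-name / check-name / reply-name.

    Returns ("reject", 0) once the counter has reached the check value, otherwise
    ("accept", remaining) where remaining is what would be sent back in the
    reply attribute (Mikrotik-Xmit-Limit) so the NAS can enforce the rest of
    the quota.
    """
    used = used_octets(conn, username)
    if used >= check_limit:
        return ("reject", 0)
    return ("accept", check_limit - used)


if __name__ == "__main__":
    db = make_radacct()
    for user in ("alice", "bob", "carol"):  # bob has no accounting rows yet
        print(user, apply_counter(db, user))
```

With the rows above, alice has used 7500000 octets and gets 2971200 back as the reply value, bob (no rows) gets the full 10471200, and carol is rejected. The reply value is computed by the counter from the check value, which is why the check attribute lives in radcheck and not in radreply.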

Re: use existing sql table for user-password

2010-12-02 Thread Alan DeKok
Oguzhan Kayhan wrote:
> As I noticed (I might be wrong), there is only one setting for
> authcheck_table.
> My username and passwords are in a table that I shouldn't change the structure of.

  Yes, that was clear from your previous message.

> But for radcheck, I need to add attribute and value fields as I see.
> How can I check just username and password from one table, and check other
> attributes (AuthType etc) from another?

  Write an SQL function.

  Alan DeKok.


Re: SQL modul

2010-12-02 Thread Alan DeKok
Miha Zoubek wrote:
> at the end of this file I am getting the message Failed to load module
> sql.
>
> Could you please help me what to do ?

  Does your system have the rlm_sql library?  Did you configure the SQL
module?

  Alan DeKok.


Re: PEAP/TTLS and Client certificates

2010-12-02 Thread rdeboer

So a few weeks later and still not much further..

Has anyone got an idea how I could force PEAP sessions to supply a client
certificate?


Re: Accounting and Acct-Delay-Time in MySQL

2010-12-02 Thread Alan DeKok
Stefan Winter wrote:
> Okay, I'll see what I can do. One thing I noticed is that the default
> schema has a column
>
> xascendsessionsvrkey varchar(10) default NULL,
>
> A VSA, of a vendor that's long dead? This is one column that I would
> wipe out. If some people find they need it, they can always modify the
> tables to their (peculiar ;-) ) needs. No reason to push this column
> into every FreeRADIUS installation on the planet.

  Yup.

> Another thing I miss very much is in radpostauth:
> * some gear sends a different User-Name attribute in its reply than was
> in the request. It would be good to have these two names correlated
> easily, at least for forensics. Adding a column reply-username would
> do a lot of good here.

  reply-username ?  Or accounting-request ?

> * callingstationid would also be nice to have
> * and an indication which NAS the user used to log in (and/or which
> virtual server was used to handle the request)
>
> All of that is info one typically has to dig out of detail files; which
> is much more cumbersome than having it in SQL.
>
> Any thoughts here?

  It sounds good to me.

  Alan DeKok.


Re: PEAP/TTLS and Client certificates

2010-12-02 Thread Alan DeKok
rdeboer wrote:
> So a few weeks later and still not much further..
>
> Has anyone got an idea how I could force PEAP sessions to supply client a
> client certificate?

  Read raddb/eap.conf.  Look for client cert

  Alan DeKok.



Re: PEAP/TTLS and Client certificates

2010-12-02 Thread rdeboer

I already enabled said option; the only problem is that this doesn't enforce
the use of PEAP with a client certificate: as the TLS module is enabled and
configured, it allows you to log in with just a client certificate using
TLS.  What I want is to enforce the use of not just TLS but PEAP with a
client cert.

Suppose I should have made that clearer in my post, sorry about that.

-Remy


Re: Accounting and Acct-Delay-Time in MySQL

2010-12-02 Thread Phil Mayers

On 18/11/10 07:58, Stefan Winter wrote:

> Hi,
>
>> I'd re-visit the entire accounting table queries.  Create a *new*
>> table, so that people don't have surprises when they upgrade.
>>
>> Ideally, it should be robust in the face of duplicate packets, and
>> packets forwarded via 2 different paths (think radrelay + delays)
>
> Okay, I'll see what I can do. One thing I noticed is that the default
> schema has a column
>
> xascendsessionsvrkey varchar(10) default NULL,
>
> A VSA, of a vendor that's long dead? This is one column that I would
> wipe out. If some people find they need it, they can always modify the
> tables to their (peculiar ;-) ) needs. No reason to push this column
> into every FreeRADIUS installation on the planet.
>
> Another thing I miss very much is in radpostauth:
> * some gear sends a different User-Name attribute in its reply than was
> in the request. It would be good to have these two names correlated
> easily, at least for forensics. Adding a column reply-username would
> do a lot of good here.
> * callingstationid would also be nice to have
> * and an indication which NAS the user used to log in (and/or which
> virtual server was used to handle the request)
>
> All of that is info one typically has to dig out of detail files; which
> is much more cumbersome than having it in SQL.
>
> Any thoughts here?


I've made some pretty extensive modifications to the default SQL schemas 
here (although we use postgresql).


We log:

CREATE TABLE radpostauth (
id serial,
authdate timestamptz,
authserver character varying(16),
virtualserver text,

reply text,

username text NOT NULL,
realm text,

callingstationid text,
framedipaddress inet,
nasipaddress inet,
nasport text,

replyclass text,
replymessage text
);

...and we use something like the following in radiusd.conf:

localopts {
  hostname = thehostname
}

sql {
  ...
  postauth_query = insert into radpostauth (
   authdate, authserver, virtualserver,
   reply,
   username, realm,
   callingstationid, framedipaddress,
   nasipaddress, nasport,
   replyclass,
   replymessage
 ) values (
   now(), '${localopts.hostname}', '%{Virtual-Server}',
   '%{reply:Packet-Type}',
   '%{SQL-User-Name}', '%{Realm}',
   '%{Calling-Station-Id}', '%{reply:Framed-IP-Address}',
   '%{NAS-IP-Address}', '%{%{NAS-Port}:-%{NAS-Port-Id}}',
   '%{reply:Class}',
   '%{reply:Reply-Message}'
 )

...it's actually a bit more complex than that, but you get the idea.


Re: freeradius + ldap

2010-12-02 Thread Josip Rodin
On Thu, Dec 02, 2010 at 09:09:51AM +0100, Ana Gallardo wrote:
>> Add LDAP into the authenticate section, so that it simply tries to re-bind
>> with the provided credentials? Like this:
>>
>> Auth-Type LDAP {
>>     ldapPerson
>> }
>
> I try this configuration too, but it doesn't work for me. Freeradius doesn't
> set the value to Auth-Type attribute. I thik that this is because the
> userPassword attribute is only visible to each particular user when binds.

This is an orthogonal issue; you don't have to allow anyone to read the
value of the userPassword attribute, you just have to get the FR ldap
module to *bind* to the LDAP server with the username and password from
the request. Then the LDAP server verifies it against whatever it needs
in the background, and you don't care.

> # Executing section authorize from file /etc/freeradius/sites-enabled/test
> +- entering group authorize {...}
>   [ldapPerson] bind as / to ldap.unex.es:389
>   [ldapPerson] waiting for bind result ...
>   [ldapPerson] Bind was successful

This is log output for an anonymous bind in authorize section (bind as /
to means bind as no user/no password). What is the output for the
authenticated bind, that happens in the authenticate section?

-- 
 2. That which causes joy or happiness.


redundant LDAP-Group

2010-12-02 Thread Alexander Clouter
Hi,

I know this has been covered in the archives, and the news is generally 
not good, but my users file currently looks like:

DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis, ldap_login1-LDAP-Group == it-switch-admin
        Service-Type = Administrative-User
DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis, ldap_login2-LDAP-Group == it-switch-admin
        Service-Type = Administrative-User
DEFAULT NAS-Identifier == switch, Huntgroup-Name == cisco, NAS-Port-Type == Virtual, ldap_login1-LDAP-Group == it-switch-admin
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = shell:priv-lvl=15
DEFAULT NAS-Identifier == switch, Huntgroup-Name == cisco, NAS-Port-Type == Virtual, ldap_login2-LDAP-Group == it-switch-admin
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = shell:priv-lvl=15
DEFAULT NAS-Identifier == switch, Auth-Type := Reject


In my global configuration I have:

instantiate {
    ldap_login1
    ldap_login2
    redundant-load-balance ldap-login {
        ldap_login1
        ldap_login2
    }

    ldap_lanwarden1
    ldap_lanwarden2
    redundant-load-balance ldap-lanwarden {
        ldap_lanwarden1
        ldap_lanwarden2
    }
}


It would be really nice to fold those duplicate LDAP-Group lines into 
'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:

/etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT: 
Invalid octet string it-switch-admin for attribute name 
ldap_login-LDAP-Group
Errors reading /etc/freeradius/LOCAL/users-login
/etc/freeradius/LOCAL/modules.conf[1]: Instantiation failed for module 
files-login
/etc/freeradius/sites-enabled/login[72]: Failed to load module files-login.
/etc/freeradius/sites-enabled/login[35]: Errors parsing authorize section.


This 'redundant' LDAP-Group problem often crops up, unfortunately it is 
way above my head to resolve.

Another moon-on-a-stick feature: I have two sets of LDAP
servers configured[1], and in my authorise section I have:

authorize {
    ...

    ldap-login
    if (!ok) {
        reject
    }

    files

    ...
}


If I instead simply use 'LDAP-Group' in the users file, 'ldap-lanwarden'
is invoked (rather than, as I was expecting, a continuation of the last used LDAP
server)...  Is this a bug or a 'feature'?

Cheers

[1] ldap_login[12] - ldap_login, ldap_lanwarden[12] - ldap_lanwarden

-- 
Alexander Clouter
.sigmonster says: An idea is not responsible for the people who believe in it.



agent-remote-id, agent-circuit-id strange format change.

2010-12-02 Thread Denis Iskandarov
Hello
I'm using DHCP Option 82 with FreeRADIUS auth.
It uses several fields as the username for auth: User-Name, agent-remote-id and
agent-circuit-id.
User-Name is the MAC address of the dhcp-client, and comes to radius in the normal
format aa:bb:cc:dd:ee:ff
agent-remote-id and agent-circuit-id are a combination of the dhcp-client MAC
address, vlan id, port id and slot id of the dhcp relay.

They should come in the same normal hex format aa:bb:cc:dd:ee:ff but a little bit
longer, e.g.:
Agent-Remote-Id = 0006000ded21a480
Agent-Circuit-Id = 00040002

But they are coming in this unknown, unreadable format:
Agent-Remote-Id = \000\006\000\r\355!\244\200
Agent-Circuit-Id = \000\004\000\002\000

The dictionary used is Redback with attributes 96 and 97. I've tried both
octets and string format in the dictionary for these attributes.

How can I tell freeradius to work with these attributes in the normal format?
Otherwise I have to enter these stupid strings in the users db to authenticate the user
(it works like this right now).

There is another commercial multi-OS radius server built on perl, RADIATOR,
and it works like a charm with only a few strings in its rad.conf. (In my case
it's working on WinXP, and the FreeRadius main server on CentOS.)

Here is the debug output of both radius servers:

FreeRadius:
rad_recv: Access-Request packet from host 192.168.1.101 port 50213, id=4,
length=143
  NAS-Port-Type = Ethernet
  NAS-Port = 2210402311
  Calling-Station-Id = 1:0:c:42:40:40:38
  Called-Station-Id = CLIENTS_pool1
  User-Name = 00:0C:42:40:40:38
  User-Password = 
  *Agent-Remote-Id = \000\006\000\r\355!\244\200
  Agent-Circuit-Id = \000\004\000\002\000*
  NAS-Identifier = R1
  NAS-IP-Address = 192.168.1.101

Radiator
Attributes:
  NAS-Port-Type = Ethernet
  NAS-Port = 2213543991
  Calling-Station-Id = 1:0:c:42:40:40:38
  Framed-IP-Address = 192.168.3.156
  Called-Station-Id = CLIENTS_pool1
  User-Name = 00:0C:42:40:40:38
  User-Password = 230182134I22196196178\#8Uq251162201
 * RB-Agent-Remote-Id = 0006000ded21a480
  RB-Agent-Circuit-Id = 00040002*
  NAS-Identifier = R1
  NAS-IP-Address = 192.168.0.22

Link on my mikrotik forum with detail wireshark sniffing:
http://forum.mikrotik.com/viewtopic.php?f=2t=47083
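The two representations in the debug output above are the same bytes: FreeRADIUS prints a non-printable byte as a three-digit octal escape (\355), a few bytes with C-style escapes (\r) and printable bytes literally (!), while Radiator prints the value as plain hex. The following Python is an added example, not code from the thread or from either server, that reverses the FreeRADIUS escaping so the Option 82 values can be read or compared in the hex form. The sample lines are the ones shown in the message (the surrounding * characters are e-mail emphasis and are stripped); note that the Agent-Circuit-Id as FreeRADIUS logged it decodes to five bytes, 0004000200, whereas the Radiator line shows four.

```python
import re

# Escapes used by radiusd -X for octet values: \ooo (three octal digits) for
# non-printable bytes, a few C-style escapes, and printable bytes written literally.
_ESCAPE = re.compile(r'\\(?:([0-7]{3})|([nrt\\"]))')
_NAMED = {"n": 0x0A, "r": 0x0D, "t": 0x09, "\\": 0x5C, '"': 0x22}


def unescape_octets(text: str) -> bytes:
    """Turn an escaped value such as \\000\\006\\000\\r\\355!\\244\\200 back into bytes."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        out.extend(text[pos:m.start()].encode("latin-1"))  # literal (printable) bytes
        if m.group(1) is not None:
            out.append(int(m.group(1), 8))  # \ooo octal escape
        else:
            out.append(_NAMED[m.group(2)])  # \r, \n, \t, \\, \"
        pos = m.end()
    out.extend(text[pos:].encode("latin-1"))
    return bytes(out)


def to_hex(text: str) -> str:
    """Plain hex string, the form the Radiator output in the thread shows."""
    return unescape_octets(text).hex()


def to_colon_hex(text: str) -> str:
    """Colon-separated form like a MAC address (aa:bb:cc:...)."""
    return ":".join(f"{b:02x}" for b in unescape_octets(text))


# Matches the Option 82 attribute lines of the debug output, tolerating the
# e-mail emphasis marks around them.
_ATTR_LINE = re.compile(r"^\s*\*?(Agent-(?:Remote|Circuit)-Id)\s*=\s*(.*?)\*?\s*$")


def decode_debug(lines):
    """Pick the Option 82 attributes out of radiusd -X output and return {name: hex}."""
    found = {}
    for line in lines:
        m = _ATTR_LINE.match(line)
        if m:
            found[m.group(1)] = to_hex(m.group(2))
    return found


# Debug lines as they appear in the thread (Python string escaping doubled).
SAMPLE_DEBUG = [
    "  *Agent-Remote-Id = \\000\\006\\000\\r\\355!\\244\\200",
    "  Agent-Circuit-Id = \\000\\004\\000\\002\\000*",
]

if __name__ == "__main__":
    for name, value in decode_debug(SAMPLE_DEBUG).items():
        print(name, value, to_colon_hex(SAMPLE_DEBUG[0][SAMPLE_DEBUG[0].index("=") + 2:]))
```

Once a value is in hex it can be kept in the users database as an octets value (0x... literal) rather than as the escaped string, which is the point of Alan's reply below about using the octets data type.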

Re: redundant LDAP-Group

2010-12-02 Thread Josip Rodin
On Thu, Dec 02, 2010 at 11:54:28AM +, Alexander Clouter wrote:
> DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis,
> ldap_login1-LDAP-Group == it-switch-admin
> DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis,
> ldap_login2-LDAP-Group == it-switch-admin
>
> instantiate {
> ldap_login1
> ldap_login2

This sounds like you're comparing attributes called ldap_login1-LDAP-Group
and ldap_login2-LDAP-Group. Presumably these are generated with those
distinct names, by your two LDAP module instances.

What do the definitions of those two look like?
IOW, have you tried using a common LDAP attribute map in both?

-- 
 2. That which causes joy or happiness.


Re: redundant LDAP-Group

2010-12-02 Thread Phil Mayers

On 02/12/10 11:54, Alexander Clouter wrote:


> It would be really nice to fold those duplicate LDAP-Group lines into
> 'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:
>
> /etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT: Invalid octet string
> it-switch-admin for attribute name ldap_login-LDAP-Group
> Errors reading /etc/freeradius/LOCAL/users-login


AFAICT this doesn't really work because of the way the attribute
comparisons are actually handled.


You probably know this, but: Basically when a copy of the ldap module 
is instantiated, it registers a paircompare handler for the global 
LDAP-Group, then if the module is named:


 1. Registers a new attribute modname-LDAP-Group
 2. Registers a paircompare handler for that attribute

The redundant construct has no way to know about this; the ldap 
module(s) are instantiated (and the attribute/comparisons registered) 
completely separately from the redundant{} processing.


Similar problems hold for the %{modname:} xlat stuff; modules can 
potentially register any xlat they like, and the modgroup code doesn't 
know about that.


In addition, the paircompare handlers currently don't return an error
status; they just return an integer, 0 meaning equality, so a
redundant paircompare would have no way of distinguishing "LDAP OK,
user not in group" from "LDAP down, try next module", and would end up
querying both LDAP modules much of the time.



Re: agent-remote-id, agent-circuit-id strange format change.

2010-12-02 Thread Alan DeKok
Denis Iskandarov wrote:
> they should come in same normal hex format aa:bb:cc:dd:ee:ff but lil bit
> bit longer e.g.:
> Agent-Remote-Id = 0006000ded21a480
> Agent-Circuit-Id = 00040002
>
> But they are coming in this unknow unreadable format:
> Agent-Remote-Id = \000\006\000\r\355!\244\200
> Agent-Circuit-Id = \000\004\000\002\000

  Use octets for the data type.

> dictionary used is Redback with attributes 96 and 97i've tried both
> octets and string format in dictionary for this attributes.

  octets should work.

  i.e. the default configuration works.

  Which version are you running, and why did you edit the dictionary files?

> How can i tell freeradius to work with this attributes in normal format ?
> Other way i've to enter this stupid strings in users db to authenticate
> user (it works like this right now).
>
> There is other commercial multi OS radius server built on perl
> RADIATOR and it works like charm with only few string in its rad.conf.

  Really?  There are other RADIUS servers?

  Alan DeKok.


Re: freeradius + ldap

2010-12-02 Thread Ana Gallardo
Hello again. OK, now I can authenticate a user using LDAP.

I'm using freeradius 2.1.10 and I want to use LDAP as a backend in the
authorize section to take the userPassword attribute (unix crypt) to
authenticate the user.

My problem is: the LDAP server doesn't have a public key that an admin user (who
binds) can take. So I have to bind in the authorize section with the user and
password (clear text) in the request.

Is this possible?


I have read that this is not ok

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html


What are my possibilities?


I think that what I can do is:
- in the authorize section, bind as an anonymous user and take the public
attributes that I need to authorize the user.
- in the authenticate section, bind as the user who wants access.

The configuration that works:


LDAP MODULE

ldap ldapPerson{
   server = xxx
   basedn = ou=people,dc=unex,dc=es
   filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   tls {
  start_tls = no
   }
   dictionary_mapping = ${confdir}/ldapPerson.attrmap
   edir_account_policy_check = no
   set_auth_type = yes
}

SERVER

server test{

authorize {
  suffix
  files
  ldapPerson
  expiration
  update control {
 Auth-Type := LDAP
  }
}

authenticate {
  Auth-Type LDAP {
ldapPerson
  }
}

}

DEBUG


rad_recv: Access-Request packet from host x.x.x.x port 48259, id=145,
length=58
User-Name = aigalla...@unex.es
User-Password = 
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es
[suffix] Found realm unex.es
[suffix] Adding Stripped-User-Name = aigallardo
[suffix] Adding Realm = unex.es
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} - aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es - ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to x.x.x.x:389, authentication 0
  [ldapPerson] bind as / to x.x.x.x:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter
(uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos - Nombre-Completo = Ana-Isabel Gallardo Gomez...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
++[control] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/test
+- entering group LDAP {...}
[ldapPerson] login attempt by aigallardo with password 
[ldapPerson] user DN: uid=aigallardo,ou=People,dc=unex,dc=es
  [ldapPerson] (re)connect to x.x.x.x:389, authentication 1
  [ldapPerson] bind as uid=aigallardo,ou=People,dc=unex,dc=es/x to
x.x.x.x:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
[ldapPerson] user aigallardo authenticated succesfully
++[ldapPerson] returns ok
} # server test
Sending Access-Accept of id 145 to x.x.x.x port 48259
Nombre-Completo = Ana-Isabel Gallardo Gomez...


I don't know if this is the best way to solve my problem; if someone has
something better, I would like to know.

Thank you very much and sorry for my English.



++ Ana Gallardo Gómez ++

Re: freeradius + ldap

2010-12-02 Thread Ana Gallardo
Hello Josip and thank you again for your response.

> This is an orthogonal issue; you don't have to allow anyone to read the
> value of the userPassword attribute, you just have to get the FR ldap
> module to *bind* to the LDAP server with the username and password from
> the request.


Ok, now I know.

> This is log output for an anonymous bind in authorize section (bind as /
> to means bind as no user/no password). What is the output for the
> authenticated bind, that happens in the authenticate section?


There is no authenticated bind because Freeradius doesn't set Auth-Type
and...

ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user

Thanks

++ Ana Gallardo Gómez ++

Attribute not passing to NAS?

2010-12-02 Thread Rob Yamry
I have an Enterasys HiPath controller that I'm trying to pass an attribute to,
to throw the user into the correct policy upon authentication.  I talked with
their support and they say to set the Filter-Id attribute to the name of the
policy set on the controller.  I did, but it doesn't seem to pass.  In the
debug for radius I get this:


[peap] Got tunneled reply RADIUS code 2
Filter-Id = Faculty
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = ktest

and it goes on to:

Cleaning up request 18 ID 109 with timestamp +12
User-Name = ktest
NAS-IP-Address = 127.0.4.1
NAS-Port = 222
Framed-MTU = 1400
Called-Station-Id = 00:1f:45:7f:83:fa
Calling-Station-Id = 00:24:d6:a6:ce:ce
NAS-Port-Type = Wireless-802.11
NAS-Identifier = TEST
Siemens-AP-Serial = 0500010143052305
Siemens-AP-Name = AP09
Siemens-VNS-Name = TEST
Siemens-BSSID = TEST
Siemens-BSS-MAC = 00:1f:45:7f:83:fa
Siemens-Policy = Students
Siemens-Topology = TopoStudents
Siemens-Ingress-Rate = Unlimited
Siemens-Egress-Rate = Unlimited

I use LDAP (via eDirectory) on the backend and authentication is working
fine.  It pulls the correct value for the Filter-Id attribute, but it doesn't
seem to take effect.  The Siemens-xxx attributes are coming from the
controller and you can see based on the Siemens-Policy = Students attribute
that the student policy is still applying, not the Faculty policy as is
defined in the Filter-Id attribute.  I have also tried to set the
Siemens-Policy attribute on the user but that did not work either.

Am I missing something in the config to have this value sent back to the
NAS?

FreeRadius 2.1.8

Re: redundant LDAP-Group

2010-12-02 Thread Alexander Clouter
Josip Rodin <j...@entuzijast.net> wrote:

>> DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis,
>> ldap_login1-LDAP-Group == it-switch-admin
>> DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis,
>> ldap_login2-LDAP-Group == it-switch-admin
>>
>> instantiate {
>> ldap_login1
>> ldap_login2
>
> This sounds like you're comparing attributes called ldap_login1-LDAP-Group
> and ldap_login2-LDAP-Group. Presumably these are generated with those
> distinct names, by your two LDAP module instances.
>
> How do the definitions of those two look like?
> IOW have you tried using a common LDAP attribute map in both?
>
 
http://wiki.freeradius.org/Rlm_ldap#Group_Support

Cheers

-- 
Alexander Clouter
.sigmonster says: Screw up your courage!  You've screwed up everything else.



Re: redundant LDAP-Group

2010-12-02 Thread Alexander Clouter
Phil Mayers <p.may...@imperial.ac.uk> wrote:

>> It would be really nice to fold those duplicate LDAP-Group lines into
>> 'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:
>>
>> /etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT:
>> Invalid octet string it-switch-admin for attribute name
>> ldap_login-LDAP-Group
>> Errors reading /etc/freeradius/LOCAL/users-login
>
> AFAICT this doesn't really work because of the way the attributes
> comparisons are actually handled.

Was wondering if someone out there knew of a neater way to do this?

Twas all.

Cheers

-- 
Alexander Clouter
.sigmonster says: He who has a shady past knows that nice guys finish last.



radsniff behaviour change?

2010-12-02 Thread Brian Candler
As of 2.1.10, radsniff doesn't decode packets automatically without -x:

$ sudo bin/radsniff -i lo -c 1
Access-Request Id 17  127.0.0.1:43171 -> 127.0.0.1:1812   +0.000
Attr-1 = 0x7374657665
Attr-2 = 0x98f7337df71223dc220a3a682c5f0a7f
Attr-4 = 0x7f01
Attr-5 = 0x0001

Looking at the code, it doesn't even read the dictionary unless you add -x
(debug) or -F (filter). This change was made in commit 7a85628d

I wonder if this logic is unintentionally broken, and in fact you meant to
load the dictionary *unless* -F is present?

Regards,

Brian.
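What radsniff leaves out when no dictionary is loaded is the step from attribute number and raw bytes to a named, typed value. The following Python is an added example (not radsniff's code and not from this thread) that performs that step for the Attr-N lines above with a small subset of the standard RFC 2865 dictionary; anything outside that subset is left as raw octets, exactly as radsniff prints it. The Attr-1 and Attr-2 values are the ones shown above; the four-byte Attr-4 and Attr-5 values are constructed so that the address and port decode cleanly. Attr-2 (User-Password) is obfuscated with the shared secret on the wire, so a dictionary can name it but not make it readable.

```python
import re

# Subset of the standard RADIUS dictionary (RFC 2865 attribute numbers and types).
# Attributes not listed here stay as raw octets, which is what radsniff prints
# when it has not loaded a dictionary at all.
DICTIONARY = {
    1: ("User-Name", "string"),
    2: ("User-Password", "octets"),  # obfuscated with the shared secret, never plaintext
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
    6: ("Service-Type", "integer"),
    31: ("Calling-Station-Id", "string"),
    32: ("NAS-Identifier", "string"),
}

_ATTR_RE = re.compile(r"^\s*Attr-(\d+)\s*=\s*0x([0-9a-fA-F]*)\s*$")


def decode_value(raw: bytes, attr_type: str):
    """Render raw attribute bytes according to the dictionary type."""
    if attr_type == "string":
        return raw.decode("utf-8", errors="replace")
    if attr_type == "ipaddr" and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    if attr_type == "integer" and len(raw) == 4:
        return int.from_bytes(raw, "big")
    return "0x" + raw.hex()  # unknown type or unexpected length: keep it opaque


def decode_attr_line(line: str):
    """Decode one 'Attr-N = 0x...' line; returns (name, value) or None if it is not one."""
    m = _ATTR_RE.match(line)
    if not m:
        return None
    number = int(m.group(1))
    raw = bytes.fromhex(m.group(2))
    name, attr_type = DICTIONARY.get(number, (f"Attr-{number}", "octets"))
    return name, decode_value(raw, attr_type)


def decode_dump(text: str) -> dict:
    """Decode every attribute line of a radsniff dump into {name: value}."""
    result = {}
    for line in text.splitlines():
        decoded = decode_attr_line(line)
        if decoded:
            result[decoded[0]] = decoded[1]
    return result


# Dump in the shape radsniff prints without a dictionary. Attr-1 and Attr-2 are the
# values from the message above; Attr-4 and Attr-5 are constructed 4-byte values.
SAMPLE_DUMP = """\
Access-Request Id 17  127.0.0.1:43171 -> 127.0.0.1:1812   +0.000
Attr-1 = 0x7374657665
Attr-2 = 0x98f7337df71223dc220a3a682c5f0a7f
Attr-4 = 0x7f000001
Attr-5 = 0x00000001
"""

if __name__ == "__main__":
    for name, value in decode_dump(SAMPLE_DUMP).items():
        print(f"{name} = {value}")
```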


Re: radsniff behaviour change?

2010-12-02 Thread Brian Candler
On Thu, Dec 02, 2010 at 02:32:16PM +, Brian Candler wrote:
> I wonder if this logic is unintentionally broken, and in fact you meant to
> load the dictionary *unless* -F is present?

This appears to fix it.

diff --git a/src/main/radsniff.c b/src/main/radsniff.c
index 935d2ce..6c3ca14 100644
--- a/src/main/radsniff.c
+++ b/src/main/radsniff.c
@@ -422,7 +422,7 @@ int main(int argc, char *argv[])
/*
 *  There are many times where we don't need the dictionaries.
 */
-   if (fr_debug_flag || radius_filter) {
+   if (fr_debug_flag || !radius_filter) {
if (dict_init(radius_dir, RADIUS_DICTIONARY)  0) {
fr_perror(radsniff);
return 1;
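Review bot: the flipped test `if (fr_debug_flag || !radius_filter)` now loads the dictionaries in the plain no-filter case that the first mail shows (`radsniff -i lo -c 1` printing Attr-N), but it leaves the comment just above it, "There are many times where we don't need the dictionaries", describing the old behaviour; update the comment to state the one case that now skips them (a -F filter given without -x). Also worth a second look: the old condition loaded the dictionaries precisely when a filter was present, which suggests the filter itself needs them to be parsed, and the new condition skips dict_init in exactly that case unless -x is also set. If so, the intended change is probably to load them unconditionally rather than to invert the test.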


Re: freeradius + ldap

2010-12-02 Thread Josip Rodin
On Thu, Dec 02, 2010 at 02:37:43PM +0100, Ana Gallardo wrote:
> I have read that this is not ok
>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html

OK, and you're not doing that which is described above, so you're fine.

> The configuration that work:
>
> ldap ldapPerson{
>    set_auth_type = yes
> }

I think this is the catch. I don't have this particular option in my config,
but I see now that it looks like they're all 2.1.8.

> authorize {
>   ldapPerson
>   update control {
>     Auth-Type := LDAP
>   }
> }

This seems redundant. If ldapPerson already ran, with the set_auth_type
option, ...

-- 
 2. That which causes joy or happiness.


Re: redundant LDAP-Group

2010-12-02 Thread Phil Mayers

On 02/12/10 13:14, Alexander Clouter wrote:
> Phil Mayers <p.may...@imperial.ac.uk> wrote:
>
>>> It would be really nice to fold those duplicate LDAP-Group lines into
>>> 'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:
>>>
>>> /etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT: Invalid octet string
>>> it-switch-admin for attribute name ldap_login-LDAP-Group
>>> Errors reading /etc/freeradius/LOCAL/users-login
>>
>> AFAICT this doesn't really work because of the way the attributes
>> comparisons are actually handled.
>
> Was wondering if someone out there knew of a neater way to do this?


Ah I see.

I was thinking you might be able to do something with the ldap xlat:

update control {
  My-Group-Staff = %{ldap1:...}
}
if (!control:My-Group-Staff) {
  update control {
My-Group-Staff = %{ldap2:...}
  }
}

or:

update control {
  My-Group-Staff = %{%{ldap1:..}:-%{ldap2:...}}
}

...but sadly again, the ldap xlat doesn't return an error code, just 0 
so it's impossible to distinguish between no match and error, and you'll 
end up hitting the ldap2 module a lot when you don't need to.


Hmm. Tricky.

How about a pair of ldap modules and creative use of the ldap.attrmap, 
so something like:


checkItem My-Group memberOf +=

...then:

policy {
  myldap {
ldap1
if (fail) {
  ldap2
}
  }
}

...then:

authorize {
  myldap
  if (control:My-Group == Staff) {
# something
  }
}

Alternatively, how about:

policy {
  myldap {
update request {
  Module-Failure-Message !* 0x00
  My-Group = %{ldap1:...}
}
if (Module-Failure-Message) {
  update request {
My-Group = %{ldap2:...}
  }
}
  }
}


Re: use existing sql table for user-password

2010-12-02 Thread Brian Candler
  But for radcheck, i need to add attribute and value fields as i see.
  How can i check just username and password from one table, and check other 
  attributes (AuthType etc) from another??
 
   Write an SQL function.

Or use the group functionality. That is, use

  authorize_check_query
  authorize_reply_query

to get the password, and

  group_membership_query
  authorize_group_check_query
  authorize_group_reply_query

to get the attributes from another table. In group_membership_query you map
the username to some other key, but you can just map it to the username
again if you wish.

But if this is MySQL, as Alan says it may be easier (and is certainly more
flexible) to put your logic into stored procedures. Then use

  authorize_check_query = "call getCheck('%{User-Name}');"
  authorize_reply_query = "call getReply('%{User-Name}');"

Regards,

Brian.


Re: redundant LDAP-Group

2010-12-02 Thread Phil Mayers

On 02/12/10 14:49, Phil Mayers wrote:


Alternatively, how about:

policy {
myldap {
  update request {
Module-Failure-Message !* 0x00
My-Group = %{ldap1:...}
  }
  if (Module-Failure-Message) {


Nah, this won't work sorry - I was misreading the rlm_ldap.c code, 
Module-Failure-Message is only set by ldap_authorize on NOTFOUND, not 
FAIL and not in perform_search()



Re: use existing sql table for user-password

2010-12-02 Thread Oguzhan Kayhan
Hello,
I just solved it with an SQL trigger.
When a new user is created in the other table, the same user/password is inserted into the
radcheck table with Auth-Type and other static variables.
If a password change occurs in the other table, it updates the radcheck table password
field too.

Thank you all for help.




On Thursday, December 02, 2010 04:52:01 pm Brian Candler wrote:
   But for radcheck, i need to add attribute and value fields as i see.
   How can i check just username and password from one table, and check
   other attributes (AuthType etc) from another??
   
Write an SQL function.
 
 Or use the group functionality. That is, use
 
   authorize_check_query
   authorize_reply_query
 
 to get the password, and
 
   group_membership_query
   authorize_group_check_query
   authorize_group_reply_query
 
 to get the attributes from another table. In group_membership_query you map
 the username to some other key, but you can just map it to the username
 again if you wish.
 
 But if this is MySQL, as Alan says it may be easier (and is certainly more
 flexible) to put your logic into stored procedures. Then use
 
    authorize_check_query = "call getCheck('%{User-Name}');"
    authorize_reply_query = "call getReply('%{User-Name}');"
 
 Regards,
 
 Brian.
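Both routes discussed in this thread, Brian's stored procedures behind authorize_check_query / authorize_reply_query and Oguzhan's trigger that mirrors the account table into radcheck, can be written out concretely. The following is an added example, not code from either post or from the FreeRADIUS project. It assumes MySQL, the stock FreeRADIUS 2.x radcheck column layout (id, username, attribute, value, op), and two constructed tables with hypothetical names, app_users and app_user_attrs, standing in for the site's existing account table.

```sql
-- Added example (not from the list posts). Assumes MySQL and the stock
-- FreeRADIUS 2.x radcheck/radreply column layout: id, username, attribute, value, op.
-- app_users and app_user_attrs are constructed stand-ins for the site's own tables.

CREATE TABLE app_users (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(64)  NOT NULL UNIQUE,
  password VARCHAR(253) NOT NULL          -- cleartext here; see the note below
);

CREATE TABLE app_user_attrs (
  id        INT AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL,
  attribute VARCHAR(64)  NOT NULL,
  op        CHAR(2)      NOT NULL DEFAULT ':=',
  value     VARCHAR(253) NOT NULL,
  is_reply  TINYINT(1)   NOT NULL DEFAULT 0  -- 0 = check item, 1 = reply item
);

DELIMITER //

-- Route 1 (Brian): procedures that return rows in exactly the shape rlm_sql
-- expects from authorize_check_query and authorize_reply_query.
CREATE PROCEDURE getCheck(IN p_user VARCHAR(64))
BEGIN
  -- The password row is synthesised from the account table ...
  SELECT id, username, 'Cleartext-Password' AS attribute, password AS value, ':=' AS op
    FROM app_users
   WHERE username = p_user
  UNION ALL
  -- ... and any further check items come from the attribute table.
  SELECT id, username, attribute, value, op
    FROM app_user_attrs
   WHERE username = p_user AND is_reply = 0;
END //

CREATE PROCEDURE getReply(IN p_user VARCHAR(64))
BEGIN
  SELECT id, username, attribute, value, op
    FROM app_user_attrs
   WHERE username = p_user AND is_reply = 1
   ORDER BY id;
END //

-- Route 2 (Oguzhan): triggers that keep the stock radcheck table in step with
-- the account table, so the unmodified rlm_sql queries keep working.
CREATE TRIGGER app_users_ai AFTER INSERT ON app_users
FOR EACH ROW
BEGIN
  INSERT INTO radcheck (username, attribute, op, value)
  VALUES (NEW.username, 'Cleartext-Password', ':=', NEW.password);
END //

CREATE TRIGGER app_users_au AFTER UPDATE ON app_users
FOR EACH ROW
BEGIN
  -- Only touch radcheck when the password actually changed.
  IF NEW.password <> OLD.password THEN
    UPDATE radcheck
       SET value = NEW.password
     WHERE username = NEW.username AND attribute = 'Cleartext-Password';
  END IF;
END //

-- Removing an account must also stop it authenticating: drop its check items.
CREATE TRIGGER app_users_ad AFTER DELETE ON app_users
FOR EACH ROW
BEGIN
  DELETE FROM radcheck WHERE username = OLD.username;
END //

DELIMITER ;
```

With the procedures in place the sql module is pointed at them with authorize_check_query = "CALL getCheck('%{SQL-User-Name}')" and authorize_reply_query = "CALL getReply('%{SQL-User-Name}')"; the %{SQL-User-Name} form matches the stock queries, and rlm_sql escapes expanded attributes against its safe-characters list before substitution. Brian's route assumes the rlm_sql_mysql driver in use can consume the result set a CALL returns. The trigger route leaves the stock queries untouched, and the AFTER DELETE trigger is there so that a deleted account does not linger in radcheck. If the account table holds crypt(3) hashes rather than cleartext, the attribute to emit is Crypt-Password instead of Cleartext-Password, at the cost of CHAP and MS-CHAP no longer being possible for those users.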


user-group for rejected users

2010-12-02 Thread Fabricio Viana

Hello!
 
Let's suppose the following situations:

1) User exists but the password is wrong

2) User does not exist

In both cases the answer is REJECT.

It happens that certain hardware is making endless attempts that eventually
saturate the server.

- Is it possible to make the server, instead of rejecting the users, accept
the login but respond ACCEPT with framed-pool = pool-block?

or/and

- Is there any way to put REJECTed users in a given group by default?

Thanks!
Fabricio

FW: Informacio

2010-12-02 Thread Horacio Andrade Zepeda FELIZZZZZZ



From: horacio...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: Informacio
Date: Thu, 2 Dec 2010 03:46:19 +

Hi, I am a newbie at this, help please.

Description:
OS: Windows Vista
With an Oracle VM VirtualBox virtual machine
OS: Ubuntu 10.10
with a radiusd server
I need to do MAC filtering of equipment through this server.

Well, my question is: in the users file I register users with their password;
on which line of the file do I register the MAC addresses?

Well, I hope you can help me because it is very important to me, as it is for a
school practice. Thanks

Re: Clear text password (radius)

2010-12-02 Thread Alan Buxey
Hi,

  WARNING: Unprintable characters in the password. Double-check the
shared secret on the server and the NAS!

that's your answer. The server doesn't lie.


alan


Limiting user accounts for specific devices

2010-12-02 Thread JARED HOOVER
We have a bunch of HP switches that we're using radius authentication on to
configure.  Our freeradius server is configured to grab users from an active
directory server.  We want to be able to only allow a single user account to
be able to have rights to login to these switches so if any other account is
used it should be denied access.  I have to be able to pull this information
from AD so that the user password can be changed quickly by someone not
familiar with configuring radius.  Later on we're going to use this same
radius server to authenticate wireless access so it would need to be set per
IP address or range only for the limits so that the other users in AD can be
used for that.  I'm thinking there is a way to do this in clients.conf but
haven't found anything so far in my research.  Here's an example client we
have in our clients.conf:

client 10.0.0.251 {
secret  = x
shortname   = NOC_5308
}

Any help would be greatly appreciated.

Thanks,
Jared

Re: Attribute not passing to NAS?

2010-12-02 Thread mikal

Rob,

You need to ensure that the value of Filter-Id maps exactly to the value of
the policy that you're trying to apply.  So you need to have a policy
defined on the controller named Faculty, not faculty or facultY, but
Faculty.

For instance, if I have a policy named NewmanN and I pass a
Filter-Id=NewmanN then I get:

Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC]
from VNS [SMFC] with username [test.user11] with mu session timer [52549]
has been successfully authenticated. Policy [NewmanN] is applied.

The desired policy is applied.

If I pass a Filter-Id=Newmann then I get:

Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC]
from VNS [SMFC] with username [test.user11] with mu session timer [52201]
has been successfully authenticated. Policy [SMFC Auth] is applied.

The default policy for that VNS is applied because there was no policy
matching Newmann.


-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3289720.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


[no subject]

2010-12-02 Thread Zoet Omar Zepeda

Hello,
could you tell me the syntax to add a client
in FreeRADIUS,

and

could you tell me the syntax to add a user
in FreeRADIUS?

Re: wifi ip allocation

2010-12-02 Thread Alexandre Chapellon
On Thursday 02 December 2010 at 07:38 +0100, Alan DeKok wrote:

 Alexandre Chapellon wrote:
  Am not sure to understand... Once the wifi user entered the network
  (level2: no IP yet), I have an entry for its sessions in my accounting
  database, with username, sessionID, maybe mac_address and so on...
 
   Yes.  This often includes NAS IP and port.
 
  But when the user sends a DHCP request to obtain IP address (gain level3
  access), that request may not contain any reference to the username, but
  to the mac address... that's it?
 
   And often the NAS IP and port.

NAS IP and Port in the DHCP request? That's option 82 isn't it? If my
NAS doesn't support relaying DHCP requests adding option 82 fields (my
NASes may be very common wifi access points) is it still safe using such
a setup?
Anyway, it's much more clear now thanks.


 
  So the trick would be to get the username from the mac address querying
  the accounting database?
 
   Yes.
 
  And then?  Can I use any ippool module in the freeradius DHCP server? or
  Do I have to use static mapping mac2ip?
 
   The ippool module doesn't do allocation for DHCP.  But you could write
 a short Perl program to do it.
 
   Alan DeKok.


-- 
Follow us on: twitter https://www.twitter.com/manainternet

where to MAC addresses?

2010-12-02 Thread Gilberto Uriostegui García

Description:

Windows Vista OS
With an Oracle VM VirtualBox virtual machine
Ubuntu 9.10
with a radiusd server
I need to do filtering of equipment through this server.

The question is: where do I have to put the MAC addresses of the users, so that
only they can enter with their MAC?

I hope my question is concise and you can help me.

Thanks, friends...

Re: Attribute not passing to NAS?

2010-12-02 Thread Rob Yamry
Hi Mikal-
  Thanks for responding.  I have it set up just like that...the policy on
the controller is named Faculty.  I even took LDAP out of it to make sure
that the attribute was passing correctly.  I have a user defined in the
/etc/raddb/users

ktest   Cleartext-Password := password
Filter-Id = Faculty

When I authenticate with this user I get:

Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID [TEST]
from VNS [TEST] with username [ktest] has been successfully authenticated.
Policy [Students] is applied.

I get the same msg for an ldap user that has the Filter-Id set to Faculty as
well.

For comparison, on the controller my vns settings include:
VNS Name: TEST
WLAN Service: TESTWLAN
Non-Auth policy: NonAuth
Auth Policy: Students   (support told me this doesn't matter what
it's set to...the Filter-Id will override this)
Restrict policy set unchecked
Enable checked

I have another policy named Faculty that is assigned the AuthFaculty
topology (which sets the tagged vlan).

How does this compare to your setup?  Do I need the restrict policy set
option checked and config'd?

-Rob

On Thu, Dec 2, 2010 at 11:38 AM, mikal m...@atceast.com wrote:


 Rob,

 You need to ensure that the value of Filter-Id maps exactly to the value of
 the policy that you're trying to apply.  So you need to have a policy
 defined on the controller named Faculty, not faculty or facultY, but
 Faculty.

 For instance, if I have a policy named NewmanN and I pass a
 Filter-Id=NewmanN then I get:

 Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC]
 from VNS [SMFC] with username [test.user11] with mu session timer [52549]
 has been successfully authenticated. Policy [NewmanN] is applied.

 The desired policy is applied.

 If I pass a Filter-Id=Newmann then I get:

 Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC]
 from VNS [SMFC] with username [test.user11] with mu session timer [52201]
 has been successfully authenticated. Policy [SMFC Auth] is applied.

 The default policy for that VNS is applied because there was no policy
 matching Newmann.


 --
 View this message in context:
 http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3289720.html
 Sent from the FreeRadius - User mailing list archive at Nabble.com.

RE: Limiting user accounts for specific devices

2010-12-02 Thread Garber, Neal
 so it would need to be set per IP address or range only for 
 the limits so that the other users in AD can be used for that

Have you thought about using huntgroups to group your NAS together and then 
authorize based upon Huntgroup-Name?



mac address validation

2010-12-02 Thread Jorge L. Herrera

Hi... my name is Jorge.

I have a virtual machine with the Ubuntu operating system and FreeRADIUS installed;
I validate MAC addresses.

I know how to add the MAC addresses in the users file.

And how do I validate MAC addresses?

Your help will be very important!

mac address validation

2010-12-02 Thread Jorge L. Herrera

Hi... my name is Jorge.

I have a virtual machine with the Ubuntu operating system and FreeRADIUS installed;
I validate MAC addresses.

How do I add the MAC addresses in the users file?

And how are MAC addresses validated?


Your help will be very important!

validation of MAC addresses

2010-12-02 Thread aLeJaNdRo Figueroa

Hello
I have installed on my computer a virtual machine which has the
Ubuntu OS 2.1.10 installed; I installed FreeRADIUS and I have it running.
I have doubts about the MAC addresses.
I know they are validated and registered in the users and clients files,
but how is it done?
My question is how MAC addresses are validated and registered.

Re: where to MAC addresses?

2010-12-02 Thread Alan DeKok
Gilberto Uriostegui García wrote:
 Description:
 
 Windows Vista OS
 With an Oracle VM VirtualBox virtual machine
 Ubuntu 9.10
 with a radiusd server
 I need to do filtering of equipment through this server.
 
 The question is: where do I have to put the MAC addresses of the users,
 so that only they can enter with their MAC?

  You either are the same person with 3 different accounts posting the
same message, or 3 different people in the same course looking for
someone else to do your work for you.

  Read the documentation, and stop posting the same message over and
over again.  It's rude.  If you keep doing it, you can be banned from
the list.

  Alan DeKok.


Re: wifi ip allocation

2010-12-02 Thread Alan DeKok
Alexandre Chapellon wrote:
 NAS IP and Port in the DHCP request? That's option 82 isn't it? If my
 NAS doesn't support relaying DHCP requests adding option 82 fields (my
 NASes may be very common wifi access points) is it still safe using such
 a setup?

  It's option 82, yes.  And it may work... it all depends on what the
APs do.

  Alan DeKok.


Re: Attribute not passing to NAS?

2010-12-02 Thread mikal

Rob,

You shouldn't need to check the restrict policy option.  My setup is
actually using a Captive Portal for the users to enter credentials.  So I
start them off with a non-auth policy that uses a Routed topology and then
once authenticated uses a Bridge at AP topology.

So the controller is serving up the CP page, and then I'm using freeradius
with a MySQL backend.

Did you capture a trace from the controller interface just to ensure that
the attribute/value pair is appearing at the controller interface correctly? 
Wireless Controller -> Utilities -> Wireless Controller TCP Dump Management.

So my VNS setup looks like:

VNS Name: SMFC
WLAN Service: SMFC
Non-Auth policy: SMFC NonAuth
Auth Policy: SMFC Auth   (support is correct, this will be
overwritten if the radius-accept contains a Filter-Id value that matches a
configured policy)
Restrict policy set unchecked
Enable checked

Under VNS Configuration -> Policies I have a policy with Policy
Name: NewmanN.

I throw a row in my MySQL radreply table to use a Filter-Id value of NewmanN
for a particular user (test.user11 in this case) and I'm off and running. 
If I set the Filter-Id value in my MySQL row to Newmann, or newmanN, etc.
then I get the default policy applied to test.user11.  The same behavior
that you're seeing.

ktest   Cleartext-Password := password
Filter-Id = Faculty

When I authenticate with this user I get:

Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID [TEST]
from VNS [TEST] with username [ktest] has been successfully authenticated.
Policy [Students] is applied.

I get the same msg for an ldap user that has the Filter-Id set to Faculty as
well.

For comparison, on the controller my vns settings include:
VNS Name: TEST
WLAN Service: TESTWLAN
Non-Auth policy: NonAuth
Auth Policy: Students   (support told me this doesn't matter what
it's set to...the Filter-Id will override this)
Restrict policy set unchecked
Enable checked

I have another policy named Faculty that is assigned the AuthFaculty
topology (which sets the tagged vlan).

How does this compare to your setup?  Do I need the restrict policy set
option checked and config'd?

-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3289846.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Attribute not passing to NAS?

2010-12-02 Thread Rob Yamry
Mikal-
  Yes, I have done a packet trace.  The Filter-Id attribute is sent on the
2nd packet of the authentication attempt, during the first
access-challenge.  After that, Filter-Id isn't mentioned again until after
the Access-Accept packet on the Accounting-Request.  However, on the
Accounting-Request packet it's shown as Students, not Faculty.  The whole
authentication process is 20 packets, excluding the accounting packets.  The
only thing I noticed that may be out of the ordinary is that there are 10
access-request packets, with 9 of them being duplicates of the first
request.  The Filter-Id attribute is only sent on the first challenge
response. I'm not sure if this is normal or not as I don't have anything to
compare to.

Do you see something similar with your configuration?


On Thu, Dec 2, 2010 at 1:01 PM, mikal m...@atceast.com wrote:


 Rob,

 You shouldn't need to check the restrict policy option.  My setup is
 actually using a Captive Portal for the users to enter credentials.  So I
 start them off with a non-auth policy that uses a Routed topology and
 then
 once authenticated uses a Bridge at AP topology.

 So the controller is serving up the CP page, and then I'm using freeradius
 with a MySQL backend.

 Did you capture a trace from the controller interface just to ensure that
 the attribute/value pair is appearing at the controller interface
 correctly?
 Wireless Controller -> Utilities -> Wireless Controller TCP Dump Management.

 So my VNS setup looks like:

 VNS Name: SMFC
 WLAN Service: SMFC
 Non-Auth policy: SMFC NonAuth
 Auth Policy: SMFC Auth   (support is correct, this will be
 overwritten if the radius-accept contains a Filter-Id value that matches a
 configured policy)
 Restrict policy set unchecked
 Enable checked

 Under VNS Configuration -> Policies I have a policy with Policy
 Name: NewmanN.

 I throw a row in my MySQL radreply table to use a Filter-Id value of
 NewmanN
 for a particular user (test.user11 in this case) and I'm off and running.
 If I set the Filter-Id value in my MySQL row to Newmann, or newmanN, etc.
 then I get the default policy applied to test.user11.  The same behavior
 that you're seeing.

 ktest   Cleartext-Password := password
Filter-Id = Faculty

 When I authenticate with this user I get:

 Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID
 [TEST]
 from VNS [TEST] with username [ktest] has been successfully authenticated.
 Policy [Students] is applied.

 I get the same msg for an ldap user that has the Filter-Id set to Faculty
 as
 well.

 For comparison, on the controller my vns settings include:
 VNS Name: TEST
 WLAN Service: TESTWLAN
 Non-Auth policy: NonAuth
 Auth Policy: Students   (support told me this doesn't matter
 what
 it's set to...the Filter-Id will override this)
 Restrict policy set unchecked
 Enable checked

 I have another policy named Faculty that is assigned the AuthFaculty
 topology (which sets the tagged vlan).

 How does this compare to your setup?  Do I need the restrict policy set
 option checked and config'd?

 --
 View this message in context:
 http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3289846.html
 Sent from the FreeRadius - User mailing list archive at Nabble.com.

Re: Attribute not passing to NAS?

2010-12-02 Thread mikal

Also, check your radius server configuration on the controller.  Check the
timeout and retry settings (might even try changing the retry value to 1). 
I'm set to retries = 3, timeout = 5 for this server.
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3289974.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Limiting user accounts for specific devices

2010-12-02 Thread Peter Lambrechtsen
On Fri, Dec 3, 2010 at 7:24 AM, Garber, Neal
neal.gar...@iberdrolausa.comwrote:

  so it would need to be set per IP address or range only for
  the limits so that the other users in AD can be used for that

 Have you thought about using huntgroups to group your NAS together and then
 authorize based upon Huntgroup-Name?


If you set the client shortname in your clients file to the same value for
all the same types of switches you can do that as well.  That's what we do
since we are using Dynamic Groups and using the client-shortname for auth:

In our users file:

DEFAULT Client-Shortname == "CiscoSwitch", Ldap-Group == "cn=SwitchAccess,o=Identities"
        Service-Type = Login-User,
        Idle-Timeout = 600

Re: configure radius to write detailed log to multiple files

2010-12-02 Thread kabilius smith
Great, thank you both. I will give it a try right now.

On Wed, Dec 1, 2010 at 1:12 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 to add a second detail module, simply copy the first one and add a name to
 it


 ie

 the first detail file will have something like this...

 detail {
 blah blah
 blah blah
 }

 change this to

 detail detail1 {
 blah blah
 blah blah
 }

 and now make a second file (you can do it all in one file but I find
 it neater to use separate files for each function!)...eg called detail2
 with the contents

 detail detail2 {
 blah blah
 blah blah
 }

 now, in the configuration files...where it calls 'detail' change that to
 have
 detail1 and detail2  (on 2 lines)

 there. done

 alan

Re: agent-remote-id, agent-circuit-id strange format change.

2010-12-02 Thread Denis Iskandarov
octets should work.
i.e. the default configuration works.
Which version are you running, and why did you edit the dictionary files?

As I wrote in my very first post, I'm already using the octets format in attributes.
The default configuration isn't working.
I'm running 2.1.7 on CentOS.
Why am I editing dictionaries? Because I've read the whole mailing list
regarding this problem and read such suggestions in some posts
(suggested even by you).
SO RESULTS:
1. Default FreeRADIUS 2.1.7 setup: has the old redback dictionary from
2000 with an incorrect format of attributes, which are STRING there.
Changed them to OCTETS - still not working.
2. Took the patched redback dictionary from 2.1.10 and placed it into
2.1.7; it already has these two attributes (96 and 97) in the proper
format, OCTETS (and please don't yell, it has no significant changes
which may interfere with the 2.1.7 working process).

Really?  There are other RADIUS servers?

Sorry if I've broken your illusions that FreeRADIUS is the only RADIUS
server in the world. I just wanted to say that I've tested this setup
on another server and system which has almost the same config files, just
a couple of PERL scripts.

Maybe something else should be changed in some configuration files
that makes FreeRADIUS understand or convert these attributes into the
normal format.


RE: Clear text password (radius)

2010-12-02 Thread Miha Zoubek

Hello,
I do not know how I missed that, thanks :)

But now I am getting a different problem. In the SQL table I entered a crypted password.
(acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')
	group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
	connect_failure_retry_delay = 60
	simul_count_query = ""
	simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
	postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
	safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
 }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to r...@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: