Re: Question on Virtual Servers and inner-tunnel

2011-01-26 Thread Phil Mayers

On 01/25/2011 11:18 PM, Brett Littrell wrote:



> with inner-tunnel requests. So my question is whether naming the server
> inner-tunnel causes it to exclusively handle inner-tunnel requests, in
> other words is inner-tunnel a hard-coded name that has to be used for
> handling inner-tunnel requests?


No. It is set in eap.conf; see the virtual_server option under the 
peap and ttls stanzas.


You can also override (per-request) to use a different virtual server in 
the outer tunnel e.g.


/etc/raddb/sites-available/default:

authorize {
  ...
  if (EAP-Message) {
    if (...some lookup...) {
      update control {
        # this directs the inner tunnel from this EAP
        # session to the named virtual server
        Virtual-Server := somedifferentthing
      }
    }
  }
  ...
}

Something that might not be obvious also - the virtual server name 
actually comes from the:


server NAME {
  authorize {
    ...
  }
}

...NAME option on the server{} block. By convention and to avoid 
confusion the filename in /etc/raddb/sites-{available,enabled} is the 
same, but it doesn't need to be (and in fact doesn't need to be in a 
separate file).

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


OT: email fail [was Re: Question on Virtual Servers and inner-tunnel]

2011-01-26 Thread Alexander Clouter
Gary Gatten ggat...@waddell.com wrote:

> And I don't have control over what our half dozen email processors do 
> to my email after I send it.

You live in a country that prevents you using any other SMTP server 
other than the one allocated to you?  Unable to get a freebie email 
address (Gborg) that comes with SMTP submission?  Unable to run your own 
SMTP server and/or buy your own domain?

That's a terrible place to live, let me know so I know never to visit.

If that's not the case, learn to use a n...@waddell.com email address 
though you undoubtedly have.

Cheers

-- 
Alexander Clouter
.sigmonster says: Everything ends badly.  Otherwise it wouldn't end.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: OT: email fail [was Re: Question on Virtual Servers and inner-tunnel]

2011-01-26 Thread Gary Gatten
Hmmm, build/use a different email system?  Genius! Why didn't I think of 
that

- Original Message -
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
To: freeradius-users@lists.freeradius.org 
freeradius-users@lists.freeradius.org
Sent: Wed Jan 26 02:56:23 2011
Subject: OT: email fail [was Re: Question on Virtual Servers and inner-tunnel]





Re: Question on Virtual Servers and inner-tunnel

2011-01-26 Thread Alan DeKok
Brett Littrell wrote:
> Hope this is not too stupid of a question but I have been checking
> out the inner-tunnel virtual server under sites-enabled.  I read up a
> little on virtual servers and it looks like the inner-tunnel virtual
> server is just a regular old virtual server

  Yes.

> yet in the comments it says
> it specifically handles inner tunnel requests.

  So?  Some families have two cars.  One for each of two adults.

> I went through the
> default config for the inner-tunnel and did not see any commands that
> were un-commented that seemed to specify that the server exclusively
> dealt with inner-tunnel requests.

  It's *designed* to work with inner-tunnel requests.  But see the file in
version 2.1.10: you can use it as a normal server for testing.

> So my question is whether naming the
> server inner-tunnel causes it to exclusively handle inner-tunnel
> requests, in other words is inner-tunnel a hard-coded name that has to be
> used for handling inner-tunnel requests?

  See eap.conf.  Look for inner-tunnel

  Alan DeKok.


Re: Trying to strip the Windows Domain name from a login

2011-01-26 Thread Alan DeKok
Brett Littrell wrote:
> First you mention looking into the realm information, did that, it
> is looking like that may not be too hard to do, if I am using the FR
> server to access the LDAP server then I just need to set a realm of
> ntdomain and auth=LOCAL, correct?

  Yes.

> Then you go on to say strip the
> domain at the LDAP lookup, well if I do it there wouldn't that fix the
> problem regardless of changing the realm?

  I'm not sure what you mean by that.

> You go on to explain that I
> should do the LDAP lookup in the inner-tunnel config, I have no problem
> with this, it makes sense, the problem I have is how do you specify the
> inner tunnel in the configuration?

  Edit the inner-tunnel configuration file.

> Remember, I am new to FreeRadius, been using Cisco ACS for a few
> years now so I know about Radius in general, just not how to configure
> FreeRadius and docs are a bit hard to come by.

  See the Wiki, and the comments in the configuration files.
*Everything* is documented.  But there are few howtos for specific
situations.  You've got to understand the pieces, and put the solution
together yourself.

  Alan DeKok.


Re: Question on Virtual Servers and inner-tunnel

2011-01-26 Thread Brett Littrell
Hi All,
 
You guys really explained it well, appreciate it.  I really wanted to know 
to try and get an idea of how this works and figure out the best way to set 
this up and clarifying that really helped.  
And yes I did get Gary joking and I do not mind a little elbow in the ribs 
joking, just as long as he does not mind paybacks in other email..HeHe:)  I do 
appreciate Alex popping in on my behalf as well, it is nice to see someone out 
there helping out the new guys.
Anyway, I think I have enough info to do some damage, hopefully I won't 
spam the list with too many more questions:)  
 
FYI: You guys are great, and I think I speak for everyone new to freeradius 
that we appreciate your help.
 
PS:  What is up with Gary's email?  or is it my threaded view?  Gary's email 
keeps popping up as a new email and not as a threaded response?

 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE

Re: Question on Virtual Servers and inner-tunnel

2011-01-26 Thread Alexander Clouter
Brett Littrell blittr...@musd.org wrote:
 
> PS: What is up with Gary's email?  or is it my threaded view?  Gary's 
> email keeps popping up as a new email and not as a threaded response?
 
I guess corporate policy is to use a broken email client as well as an 
SMTP server that adds a 'legally-holds-no-water' disclaimer.

The last mail client I saw doing this was Novell Groupwise <shudder/>

In case you did not know, if you look at the headers for the other emails 
here, you will see a 'References' line, that is what makes threading 
work...it's also the tell-tale sign when folk hit 'Reply' rather than 
'Compose' when they want to post a *new* thread to the mailing list.

Now if you fix your email client for text/plain only... :)

</email-nazi>

-- 
Alexander Clouter
.sigmonster says: Serving coffee on aircraft causes turbulence.



Re: Question on Virtual Servers and inner-tunnel

2011-01-26 Thread Brett Littrell
Must have been a really old version of GW, I use GW here and it seems to thread 
fine but we are on the latest version.
Thanks again..
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Wednesday, January 26, 2011 at 8:48 AM, in message 
 vrv518-hm1@chipmunk.wormnet.eu, Alexander Clouter 
 a...@digriz.org.uk wrote:

Python module/program

2011-01-26 Thread McCann, Brian
Hi all.  I've got freeradius working using a python library for auth, but 
something interesting happened when I did.  When I run radius -X, and press 
CTRL+C, it no longer exits.  It just returns "Ready to process requests."  The 
PID doesn't change, so it's not like it's exiting and restarting.

I looked at http://wiki.freeradius.org/Rlm_perl (yes...I know...perl != python, 
but as the python page doesn't say much, I'm going on the perl page for a 
starting point) and it doesn't look like the script has to do anything to 
handle exits.  Does anyone know what I'm missing?

Thanks,
--Brian



Re: Python module/program

2011-01-26 Thread Terry Simons
Is the python module catching all exceptions?

You need to make sure you don't mask out the KeyboardInterrupt exception...
otherwise, you may prevent Control-C from being passed up the stack.

I'm not sure if that's your issue, but it sounds like it could be.  It's
considered a Python best practice to explicitly catch the exact exceptions
that you know how to handle, and let exceptions that you're not going to
handle directly trickle up.

That is to say that you should never do something like:

try:
    some code
except:
    some code

because you *will* end up masking things like KeyboardInterrupt.

You should always do something like:

try:
    some code
except TheExceptionClass:
    some code

HTH,

- Terry

On Wed, Jan 26, 2011 at 2:47 PM, McCann, Brian bmcc...@andmore.com wrote:
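As an added example of Terry's point (not Brian's module and not FreeRADIUS's own code), here is a minimal rlm_python-style authorize handler written both ways. It assumes the `radiusd` module and its RLM_MODULE_* return codes that rlm_python provides; the numeric stand-ins, the user store and the `interrupted` backend are constructed placeholders so the file also runs outside the server.

```python
# Why a bare `except:` in an rlm_python handler keeps Ctrl-C from stopping
# radiusd: it swallows KeyboardInterrupt along with everything else.
# Assumption: rlm_python injects a `radiusd` module with RLM_MODULE_* codes;
# the stand-in values below are placeholders so this runs stand-alone.
try:
    import radiusd
except ImportError:
    class radiusd:
        RLM_MODULE_FAIL = 1
        RLM_MODULE_OK = 2
        RLM_MODULE_NOTFOUND = 6

# Constructed user store standing in for whatever backend the module queries.
USERS = {"alice": "s3cret"}


def attr(p, name):
    """Pull one attribute out of the (name, value) tuples rlm_python passes in."""
    for k, v in p:
        if k == name:
            return v
    raise KeyError(name)


def authorize_bad(p, lookup=USERS.__getitem__):
    """Anti-pattern from the thread: masks every exception, Ctrl-C included."""
    try:
        lookup(attr(p, "User-Name"))
        return radiusd.RLM_MODULE_OK
    except:  # noqa: E722 - deliberately the wrong pattern
        return radiusd.RLM_MODULE_FAIL


def authorize_good(p, lookup=USERS.__getitem__):
    """Catch only what the handler knows how to handle: an unknown user."""
    try:
        lookup(attr(p, "User-Name"))
        return radiusd.RLM_MODULE_OK
    except KeyError:
        return radiusd.RLM_MODULE_NOTFOUND


def interrupted(_user):
    """Constructed backend modelling Ctrl-C arriving mid-lookup."""
    raise KeyboardInterrupt


def ctrl_c_reaches_server(handler):
    """True if KeyboardInterrupt escapes the handler, so radiusd can exit."""
    try:
        handler((("User-Name", "alice"),), lookup=interrupted)
    except KeyboardInterrupt:
        return True
    return False
```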

Radius authentication problem.

2011-01-26 Thread vijay s sheelavantar
Hello Friends,

I have installed a RADIUS server on one machine which has Fedora 10.
I have installed freeradius-server-2.1.10 on it (server machine IP 
10.150.110.42).
I have one more machine with Red Hat Linux on which I have installed 
pam_radius-1.3.17 (client machine IP 10.150.113.4).
I have done the following configuration at both sides.

SERVER SIDE

users file:

vijay    Auth-Type := Local, Cleartext-Password == "123qwe", NAS-IP-Address == 10.150.113.4
         Reply-Message = "Hello, %u"

clients.conf:

client 127.0.0.1 {
        secret          = testing123
        shortname       = localhost
        nastype         = other
}
client 10.150.113.4/24 {
        secret          = testing123
        shortname       = private-network-1
}
client 10.150.110.42/24 {
        secret          = testing123
        shortname       = private-network-1
}

I have not changed anything in radiusd.conf.

CLIENT SIDE

/etc/pam.d/sshd:

auth       sufficient   pam_radius_auth.so

/etc/raddb/server:

# server[:port]   shared_secret      timeout (s)
127.0.0.1         testing123         1
10.150.110.42     testing123         3
other-server      other-secret       3

/etc/ssh/sshd_config:

UsePAM yes

Above mentioned is my configuration. When I try to connect to the client with SSH it 
is not sending a request for authenticating the user to the RADIUS server. Kindly let 
me know what other configuration I have to do, or if there are any mistakes in 
my configuration please help to correct it.
Thank you.
Regards,
VIJAY S.

reset sql counter every 30 minute

2011-01-26 Thread piston
Hi

Is it possible to reset the sql counter every 30 minutes?

Basically, I need to give the user free access of 20 minutes; after 20 minutes the NAS 
will log out the user.

And the user is allowed to log in again after 30 minutes.

Thanks

