Re: AW: AW: How to configure freeradius client?

2011-05-06 Thread Alan DeKok
Meyer Jerome wrote:
>>  The existing documentation includes more than just the "man" pages.
>> Go read it.
> 
> You means... from wiki pages? 

  If you insist on being obtuse, you don't *have* to be on this list.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: AW: How to configure freeradius client?

2011-05-06 Thread Meyer Jerome


>Meyer Jerome wrote:
>> Should the client start the radiusd daemon too?

> I have no idea what thinking resulted in that question.

>> This file it is on the server to check which clients will be connected! Is 
>> it on the client too?

>  Uh... no.

>> Because the client should connect to the server and not the reverse!

>  Really?

>>>> 3)  How should I configure the client? Should some daemon to be start?
>> 
>>>  This is documented.
>> 
>> You means on the MAN pages?

>  The existing documentation includes more than just the "man" pages.
>Go read it.

You means... from wiki pages? 

>  Alan DeKok.

Best regards,
Jérôme



AW: How to configure freeradius client?

2011-05-06 Thread Meyer Jerome
Hi Fajar,

Thank you very much for your explanation! Yeah, now it makes sense... and I 
understand where I should look.

Best regards,
Jérôme

-Original Message-
From: freeradius-users-bounces+jerome.meyer=iwbtelekom...@lists.freeradius.org 
[mailto:freeradius-users-bounces+jerome.meyer=iwbtelekom...@lists.freeradius.org]
 On Behalf Of Fajar A. Nugraha
Sent: Friday, 6 May 2011 17:23
To: FreeRadius users mailing list
Subject: Re: How to configure freeradius client?

On Fri, May 6, 2011 at 10:01 PM, Meyer Jerome wrote:
>
> Should the client start the radiusd daemon too?
>
> >> radclient: no response from server for ID 120 socket 3
> >>
> >> 1)      I don't know what's the NAS-IP-Address?
> >>
> >> 2)      I don't find any right document about "how to configure the 
> >> client"?
>
> >  See raddb/clients.conf.
>
> This file it is on the server to check which clients will be connected! Is it 
> on the client too?
> Because the client should connect to the server and not the reverse!
>

Let's try a different approach, to see if you can understand this better.

You said you "use freeradius to authenticate some Network Equipment,
such as routers, switches, etc. and all run well!". So I assume you KNOW
what to do when you need to add a new router/switch/whatever to use
radius authentication, right?  Part of the process includes configuring
freeradius to recognize the new switch/whatever as a valid radius
client (i.e. NAS).

From freeradius perspective, the "radtest" program (or whatever
mechanism your nagios will use to test radius functionality) is just
another NAS. And you need to configure the server to recognize the new
NAS just like you usually do if you add another switch/whatever.

Does this make sense so far?

-- 
Fajar



AW: How to configure freeradius client?

2011-05-06 Thread Meyer Jerome
Ok!  I'll read the complete documentation... and hope that ok. Because I've 
read some things and many about configuration and installation for server and 
don't find many thing about client...

Thanks for your help!

Jérôme M.

On Fri, May 6, 2011 at 5:01 PM, Meyer Jerome  wrote:


Thanks for reply!




>Meyer Jerome wrote:
>> # radiusd -v

>  What about "radiusd -X", as suggested in the FAQ, README, "man" page,
web pages, and daily on this list?

Should the client start the radiusd daemon too?


>> radclient: no response from server for ID 120 socket 3
>>
>> 1)  I don't know what's the NAS-IP-Address?
>>
>> 2)  I don't find any right document about "how to configure the client"?

>  See raddb/clients.conf.

This file it is on the server to check which clients will be connected! Is it 
on the client too?
Because the client should connect to the server and not the reverse!


>> 3)  How should I configure the client? Should some daemon to be start?

>  This is documented.

You means on the MAN pages?


>  Alan DeKok.

Jérôme Meyer



Jérome,

Please, before alan freaks out :-), read the documentation. (the wiki is a nice 
place to start) 
The things you're saying clearly show that you don't understand the concept at 
all. 
 
Kind regards
Y


Re: How to configure freeradius client?

2011-05-06 Thread Fajar A. Nugraha
On Fri, May 6, 2011 at 10:01 PM, Meyer Jerome wrote:
>
> Should the client start the radiusd daemon too?
>
> >> radclient: no response from server for ID 120 socket 3
> >>
> >> 1)      I don’t know what’s the NAS-IP-Address?
> >>
> >> 2)      I don’t find any right document about „how to configure the 
> >> client“?
>
> >  See raddb/clients.conf.
>
> This file it is on the server to check which clients will be connected! Is it 
> on the client too?
> Because the client should connect to the server and not the reverse!
>

Let's try a different approach, to see if you can understand this better.

You said you "use freeradius to authenticate some Network Equipment,
such as routers, switches, etc. and all run well!". So I assume you KNOW
what to do when you need to add a new router/switch/whatever to use
radius authentication, right?  Part of the process includes configuring
freeradius to recognize the new switch/whatever as a valid radius
client (i.e. NAS).

From freeradius perspective, the "radtest" program (or whatever
mechanism your nagios will use to test radius functionality) is just
another NAS. And you need to configure the server to recognize the new
NAS just like you usually do if you add another switch/whatever.

Does this make sense so far?

-- 
Fajar
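
Added example (not part of the original thread, and not FreeRADIUS code): a small Python check for the point made in the message above, that the host running radtest has to be listed in the server's raddb/clients.conf like any other NAS, since the server ignores requests from unknown clients. The sample file contents, the 192.0.2.x addresses, the secrets and all function names are constructed assumptions; the parser covers only simple `client name { key = value }` stanzas and prefers the most specific match.

```python
import ipaddress
import re

# Constructed server-side raddb/clients.conf content (documentation addresses).
BEFORE = """
client core-switches {
    ipaddr = 192.0.2.0
    netmask = 28            # .0 - .15 share one secret
    secret = testing123
    shortname = switches
}
"""

# Same file after adding the monitoring host as its own client.
AFTER = BEFORE + """
client nagios-monitor {
    ipaddr = 192.0.2.50     # assumed address of the Nagios/radtest host
    secret = c0nstructed-long-random-value
    shortname = nagios
}
"""

WEAK_SECRETS = {"testing123", "secret", "radius"}  # sample list, extend locally


def parse_clients(text):
    """Return one dict per top-level 'client <name> { ... }' stanza."""
    clients, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (limitation: '#' in a secret)
        if not line:
            continue
        header = re.match(r"client\s+(\S+)\s*\{$", line)
        if header and depth == 0:
            current, depth = {"name": header.group(1)}, 1
        elif line.endswith("{"):
            depth += 1                        # nested or unrelated section
        elif line == "}":
            depth -= 1
            if depth == 0 and current is not None:
                clients.append(current)
                current = None
        elif depth == 1 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value.strip('"')
    return clients


def client_network(client):
    """Network covered by a stanza: ipaddr (+ netmask) or an address used as the name."""
    addr = client.get("ipaddr", client["name"])
    if "netmask" in client and "/" not in addr:
        addr = f"{addr}/{client['netmask']}"
    try:
        return ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return None  # hostname: would need DNS, skipped in this sketch


def find_client(clients, source_ip):
    """Most specific stanza containing source_ip, or None."""
    ip = ipaddress.ip_address(source_ip)
    best = None
    for client in clients:
        net = client_network(client)
        if net is not None and net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (client, net)
    return best


def audit(conf_text, source_ip):
    """Say whether the server would recognise source_ip, plus hygiene findings."""
    match = find_client(parse_clients(conf_text), source_ip)
    if match is None:
        return {"known": False, "client": None,
                "findings": ["no matching client stanza: request is ignored, "
                             "the sender only sees a timeout"]}
    client, net = match
    findings = []
    if client.get("secret", "") in WEAK_SECRETS:
        findings.append("default or guessable shared secret")
    if net.prefixlen < net.max_prefixlen:
        findings.append(f"matched by range {net}: one secret for "
                        f"{net.num_addresses} addresses")
    return {"known": True, "client": client["name"], "findings": findings}


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf, "192.0.2.50"))
    print("switch", audit(AFTER, "192.0.2.7"))
```

Running the server with "radiusd -X", as suggested elsewhere in this thread, shows the same condition from the server side when a request arrives from an address that has no client entry.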



Re: AW: How to configure freeradius client?

2011-05-06 Thread Alan DeKok
Meyer Jerome wrote:
> Should the client start the radiusd daemon too?

  I have no idea what thinking resulted in that question.

> This file it is on the server to check which clients will be connected! Is it 
> on the client too?

  Uh... no.

> Because the client should connect to the server and not the reverse!

  Really?

>>> 3)  How should I configure the client? Should some daemon to be start?
> 
>>  This is documented.
> 
> You means on the MAN pages?

  The existing documentation includes more than just the "man" pages.
Go read it.

  Alan DeKok.


Re: How to configure freeradius client?

2011-05-06 Thread YvesDM
On Fri, May 6, 2011 at 5:01 PM, Meyer Jerome wrote:

>
> Thanks for reply!
>
>
>
> >Meyer Jerome wrote:
> >> # radiusd -v
>
> >  What about "radiusd -X", as suggested in the FAQ, README, "man" page,
> web pages, and daily on this list?
>
> Should the client start the radiusd daemon too?
>
> >> radclient: no response from server for ID 120 socket 3
> >>
> >> 1)  I don’t know what’s the NAS-IP-Address?
> >>
> >> 2)  I don’t find any right document about „how to configure the
> client“?
>
> >  See raddb/clients.conf.
>
> This file it is on the server to check which clients will be connected! Is
> it on the client too?
> Because the client should connect to the server and not the reverse!
>
> >> 3)  How should I configure the client? Should some daemon to be
> start?
>
> >  This is documented.
>
> You means on the MAN pages?
>
> >  Alan DeKok.
>
> Jérôme Meyer
>


Jérome,

Please, before alan freaks out :-), read the documentation. (the wiki is a
nice place to start)
The things you're saying clearly show that you don't understand the concept
at all.

Kind regards
Y

AW: How to configure freeradius client?

2011-05-06 Thread Meyer Jerome

Thanks for reply!



>Meyer Jerome wrote:
>> # radiusd -v

>  What about "radiusd -X", as suggested in the FAQ, README, "man" page,
web pages, and daily on this list?

Should the client start the radiusd daemon too?

>> radclient: no response from server for ID 120 socket 3
>> 
>> 1)  I don’t know what’s the NAS-IP-Address?
>> 
>> 2)  I don’t find any right document about „how to configure the client“?

>  See raddb/clients.conf.

This file it is on the server to check which clients will be connected! Is it 
on the client too?
Because the client should connect to the server and not the reverse!

>> 3)  How should I configure the client? Should some daemon to be start?

>  This is documented.

You means on the MAN pages?

>  Alan DeKok.

Jérôme Meyer


Re: How to configure freeradius client?

2011-05-06 Thread Alan DeKok
Meyer Jerome wrote:
> # radiusd -v

  What about "radiusd -X", as suggested in the FAQ, README, "man" page,
web pages, and daily on this list?

> radclient: no response from server for ID 120 socket 3
> 
> 1)  I don’t know what’s the NAS-IP-Address?
> 
> 2)  I don’t find any right document about „how to configure the client“?

  See raddb/clients.conf.

> 3)  How should I configure the client? Should some daemon to be start?

  This is documented.

  Alan DeKok.

How to configure freeradius client?

2011-05-06 Thread Meyer Jerome
Hi,

We use freeradius to authenticate some Network Equipment, such as routers, switches, 
etc. and all run well!

# radiusd -v
radiusd: FreeRADIUS Version 2.1.8, for host x86_64-suse-linux-gnu, built on Sep  2 2010 at 13:07:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

Now, I'm using "nagios" to check servers and network and I want to check up the 
freeradius server.
So, I've installed freeradius on a Linux machine and tried to connect to the 
freeradius Server but it doesn't run:

# radtest nagios nagios 10.28.8.133:1812  1812 outrider
Sending Access-Request of id 120 to 10.28.x.133 port 1812
User-Name = "nagios"
User-Password = "nagios"
NAS-IP-Address = 127.0.0.2
NAS-Port = 1812
Sending Access-Request of id 120 to 10.28.x.133 port 1812
User-Name = "nagios"
User-Password = "nagios"
NAS-IP-Address = 127.0.0.2
NAS-Port = 1812
Sending Access-Request of id 120 to 10.28.x.133 port 1812
User-Name = "nagios"
User-Password = "nagios"
NAS-IP-Address = 127.0.0.2
NAS-Port = 1812
radclient: no response from server for ID 120 socket 3

1)  I don't know what's the NAS-IP-Address?
2)  I don't find any right document about "how to configure the client"?
3)  How should I configure the client? Should some daemon to be start?

Any help would be appreciated and thanks in advance,

Best regards




Kind regards
_
Jérôme M. Meyer 
Network Engineer
IWB Telekom, Margarethenstrasse 40, 4002 Basel
Phone 061 275 52 66
Fax 061 275 59 40
E-mail jerome.me...@iwbtelekom.ch  
www.iwbtelekom.ch   
Partner of Swisspower
www.swisspower.ch   

(Please consider the environmental impact before printing this e-mail.)



Re: Nexus Configurations

2011-05-06 Thread David Mitchell

On May 6, 2011, at 2:50 AM, Darren Shaw wrote:

> Good morning David,
> 
> To answer your questions
> 
> We do have a local username; all our switches have, 500 of them.

Is the user you are testing with configured on the switch? If so, as what type
of user? Have you tried a username which is not configured on the switch?

> 
> I have traced the request and response between the FreeRadius server and the 
> N5K, the server returns a service-type (6) AVP of Shell user (6) which 
> according to the Free Radius documentation at 
> http://freeradius.org/rfc/attributes.html is an Administrative user.

Is the Cisco-AVPair also in that response packet? Also, I put the syntax for 
adding those
attributes into the 'users' file. It's probably possible to get them crammed in 
via the
'default' configuration but it's not necessarily the right place. It may also 
be the case that
you need to make sure you are *not* sending the Cisco-AVPair 
'shell:priv-lvl=15'. I know that
I needed to put my IOS and NX-OS devices into different huntgroups so that I 
could assign
different AVPair's. I tried just sending both values to both types of devices 
and did not
get the desired effect.

-David Mitchell

> 
> The syntax that I have placed into the following file
> 
> Cisco-AVPair += "shell:roles=network-admin",
>>   Service-Type := Administrative-User,
> 
> I have also tried
> 
>  Hint == "XX", Auth-Type := Accept
>Reply-Message = "ACCEPT: Authorizing enable access",
>Cisco-AVPair = "shell:roles*\"network-admin\"",
>Cisco-AVPair += "shell:priv-lvl=15",
>Service-Type = Administrative-User,
>Fall-Through = No
> 
> Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
>>> Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
>>> Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
>>> Cisco-AVPair = "shell:roles*\"network-admin\""
> 
> The configuration I have on the 5K
> 
> radius-server host  key 7 "XX" authentication accounting
> aaa group server radius FreeRadius
>server x
>use-vrf management
> aaa authentication login default group FreeRadius
> source address x
> 
> It looks as though the 5K is not interpreting the attribute correctly, or I 
> am not editing the correct file. Whatever syntax I use I get the same 
> results, I get authenticated but the nexus places me as an operator.
> 
> The file I am editing is  /usr/local/etc/raddb/sites-available/default
> 
> Rgds
> Darren Shaw
> The Network Team
> Computing Services
> University of Huddersfield
> Queensgate
> Huddersfield
> HD1 3DH
> 
> TEL: 01484 471317
> MOBILE: 07792 773807
> 
> 
> -Original Message-
> From: freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org 
> [mailto:freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org] On 
> Behalf Of David Mitchell
> Sent: 05 May 2011 15:35
> To: FreeRadius users mailing list
> Subject: Re: Nexus Configurations
> 
> 
> On May 5, 2011, at 4:47 AM, Darren Shaw wrote:
> 
>> Hello David,
>> 
>> Thanks for the syntax. Sadly this still does not work. The free radius 
>> server will authenticate me as a user but the 5K wants me as an operator and 
>> not admin.
>> 
>> If you have the 5K working, could I be cheeky and ask if you could mail me 
>> the radius config on your 5K
> 
> There isn't anything in the radius config that enables this as far as I can 
> tell. Do you have a
> local account on the 5K? That might override the info from the RADIUS server. 
> Run the command
> 'show user-account' after logging in. For me, it indicates that the account 
> was created via remote
> authentication. I assume you have run the radius server in debug mode to 
> verify that the attributes
> are actually in the access accept packets sent back to the switch?
> 
> 
> -David Mitchell
> 
>> 
>> thanks
>> 
>> Rgds
>> Darren Shaw
>> The Network Team
>> Computing Services
>> University of Huddersfield
>> Queensgate
>> Huddersfield
>> HD1 3DH
>> 
>> TEL: 01484 471317
>> MOBILE: 07792 773807
>> 
>> -Original Message-
>> From: freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org 
>> [mailto:freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org] On 
>> Behalf Of David Mitchell
>> Sent: 04 May 2011 15:14
>> To: FreeRadius users mailing list
>> Subject: Re: Nexus Configurations
>> 
>> 
>> On May 4, 2011, at 4:48 AM, Darren Shaw wrote:
>> 
>>> Good Morning
>>> 
>>> I am new to this forum and to the workings of FreeRadius and I have a query 
>>> around the Cisco Nexus family.
>>> 
>>> Currently we have all our switches and routers authentication to FreeRadius 
>>> and all seems to be working. The problem comes when I want to authenticate 
>>> my Nexus 7K and 5K's.  The 7Ks and 5Ks will authenticated me but the Nexus 
>>> puts me in an operator role and not in an administrator's role.
>>> 
>>> According to Cisco I have to place the following into
>>> 
>>> /usr/local/etc/raddb/sites-available/default
>>> 
>>> Cisco-AVPair =

Re: Radius Database

2011-05-06 Thread akinpelu emmanuel
Hi Fajar,
 
If I understand your problem, you created a database of your own on phpmyadmin 
which you would like Freeradius to use?
 
First, FR has sql module and it has the schemas defined in modules/sql
 
For you to make interaction between your web apps and FR database backend, you 
may have to use the schema and expand same. Also you may need to expand the 
sql.conf file.
 
Regards

Emmanuel

--- On Fri, 5/6/11, Fajar A. Nugraha  wrote:


From: Fajar A. Nugraha 
Subject: Re: Radius Database
To: "FreeRadius users mailing list" 
Date: Friday, May 6, 2011, 9:56 AM



On Fri, May 6, 2011 at 8:40 PM, SC@  wrote:


I think you didn't understand my problem...



I think you didn't understand the hints everyone is trying to give you.
The answers are all there, but only if you have enough basic knowledge to 
understand them.
 
I have no problem with one software particularly... I have installed
freeradius, i have imported its database, i have written in, i have
connected my computer to a switch to test and all is right.
In an other hand, I have created a website to manage a database, i have
create a database with phpmyadmin to test and all is right... but i don't
know how to connect both... the database of freeradius is in a file, the
database of phpmy admin is in an other... when i modify my website's code to
manage my radius database it is not find because it is not at the right
place... that's why I want freeradius to create its database at another
place... but i don't think it is a problem of knowledge with that softwares,
it is way to change but where and how ? 


Let me repeat my answer "From your questions, you don't even know about 
connecting to MySQL server via TCP-IP"


The solution to that, was given by Alan "This is a question for MySQL, and has 
nothing to do with FreeRADIUS"


Have you asked there?


Here's another hint:
- you can have many mysql servers on the same computer, on any directory you 
choose, accessible by tcp/ip, as long as they use different ip address/port 
combination. The usual setup is to bind to all IP address, and use different 
port (documentation 
example: http://dev.mysql.com/doc/refman/5.1/en/multiple-unix-servers.html)
- an application can connect to different database servers by connecting to 
different ip address/port combinations (documentation 
example: http://www.php.net/manual/en/mysqli.connect.php)


Let me repeat another part of my answer:
"(4) If you still have no idea what I'm talking about, then perhaps it's better 
to enlist professional, paid support for implementation."


-- 
Fajar





Re: Radius Database

2011-05-06 Thread Alexander Clouter
SC@  wrote:
> 
> I know this website but I didn't find... maybe it is in but where ? i 
> think i have asked kindly...
>
> This is a forum, when someone have difficulties we help him...
>
The people who occupy a forum though are generally not paid to help out 
and do so with their free time.  Saying "I have a problem tell me what 
to do" without showing *any* effort at all at your end or how far your 
attempts have got you so far is not the way to encourage people to help 
you out.

Maybe if you actually did the following we would be more eager:
 1. clearly stated what you want to do
 2. say "I have been reading x, y and z..."
 3. show us the debug and configuration you are using
 4. explain what you think is wrong and why you are unable to fix it

So, you can ask as politely as you want but it's not going to actually 
get you anywhere.  You have to see it from our point of view, so far it 
seems to us, the problem is not important enough to you to detail here 
its specifics or for you to actually read the documentation, so 
obviously is not important enough for us all to burn our *free* and 
*volunteered* time on?

Cheers

-- 
Alexander Clouter
.sigmonster says: You will be misunderstood by everyone.



Re: Radius Database

2011-05-06 Thread Fajar A. Nugraha
On Fri, May 6, 2011 at 8:40 PM, SC@  wrote:

>
> I think you didn't understand my problem...
>

I think you didn't understand the hints everyone is trying to give you.
The answers are all there, but only if you have enough basic knowledge to
understand them.


> I have no problem with one software particularly... I have installed
> freeradius, i have imported its database, i have written in, i have
> connected my computer to a switch to test and all is right.
> In an other hand, I have created a website to manage a database, i have
> create a database with phpmyadmin to test and all is right... but i don't
> know how to connect both... the database of freeradius is in a file, the
> database of phpmy admin is in an other... when i modify my website's code
> to
> manage my radius database it is not find because it is not at the right
> place... that's why I want freeradius to create its database at another
> place... but i don't think it is a problem of knowledge with that
> softwares,
> it is way to change but where and how ?


Let me repeat my answer "From your questions, you don't even know about
connecting to MySQL server via TCP-IP"

The solution to that, was given by Alan "This is a question for MySQL, and
has nothing to do with FreeRADIUS"

Have you asked there?

Here's another hint:
- you can have many mysql servers on the same computer, on any directory you
choose, accessible by tcp/ip, as long as they use different ip address/port
combination. The usual setup is to bind to all IP address, and use different
port (documentation example:
http://dev.mysql.com/doc/refman/5.1/en/multiple-unix-servers.html)
- an application can connect to different database servers by connecting to
different ip address/port combinations (documentation example:
http://www.php.net/manual/en/mysqli.connect.php)

Let me repeat another part of my answer:
"(4) If you still have no idea what I'm talking about, then perhaps it's
better to enlist professional, paid support for implementation."

-- 
Fajar

RE: Radius Database

2011-05-06 Thread Marius Pesé
Try the file sql.conf in your radius root directory for setting which database 
to use.
As for manipulating individual queries try sql/mysql/dialup.conf


Kind regards

Marius Pesé
Mindspring Computing


-Original Message-
From: freeradius-users-bounces+marius=mindspring.co...@lists.freeradius.org 
[mailto:freeradius-users-bounces+marius=mindspring.co...@lists.freeradius.org] 
On Behalf Of SC@
Sent: Friday, May 06, 2011 3:40 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Radius Database


I think you didn't understand my problem...
I have no problem with one software particularly... I have installed
freeradius, i have imported its database, i have written in, i have
connected my computer to a switch to test and all is right.
In an other hand, I have created a website to manage a database, i have
create a database with phpmyadmin to test and all is right... but i don't
know how to connect both... the database of freeradius is in a file, the
database of phpmy admin is in an other... when i modify my website's code to
manage my radius database it is not find because it is not at the right
place... that's why I want freeradius to create its database at another
place... but i don't think it is a problem of knowledge with that softwares,
it is way to change but where and how ? I know this website
(http://wiki.freeradius.org/SQL_HOWTO) because i have installed freeradius
with that, but when they talk about mysql it is to import the database of
freeradius (schema.sql) !!!
so... someone can help me ?

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Radius-Database-tp4375341p4375938.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Radius Database

2011-05-06 Thread SC@

I think you didn't understand my problem...
I have no problem with one software particularly... I have installed
freeradius, i have imported its database, i have written in, i have
connected my computer to a switch to test and all is right.
In an other hand, I have created a website to manage a database, i have
create a database with phpmyadmin to test and all is right... but i don't
know how to connect both... the database of freeradius is in a file, the
database of phpmy admin is in an other... when i modify my website's code to
manage my radius database it is not find because it is not at the right
place... that's why I want freeradius to create its database at another
place... but i don't think it is a problem of knowledge with that softwares,
it is way to change but where and how ? I know this website
(http://wiki.freeradius.org/SQL_HOWTO) because i have installed freeradius
with that, but when they talk about mysql it is to import the database of
freeradius (schema.sql) !!!
so... someone can help me ?

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Radius-Database-tp4375341p4375938.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Radius Database

2011-05-06 Thread Phil Mayers

On 06/05/11 14:07, SC@ wrote:


I know this website but I didn't find... maybe it is in but where ? i think
i have asked kindly...
This is a forum, when someone have difficulties we help him...


This is the *wrong* forum.

You're asking for advice on writing a web interface to a MySQL database. 
This is *not* a FreeRADIUS question.


Even if it was the right forum, your question is so vague as to be 
meaningless.


What language are you writing your web interface in?

What framework are you using?

What have you tried? Why didn't it work? What error messages did you get?



Re: Radius Database

2011-05-06 Thread Fajar A. Nugraha
On Fri, May 6, 2011 at 8:07 PM, SC@  wrote:

>
> I know this website but I didn't find... maybe it is in but where ? i think
> i have asked kindly...
> This is a forum, when someone have difficulties we help him...
>
>
You need to know some basic knowledge first before asking.

For example:
(1) Which software are you having problem with? Ask in the relevant forum.
(2) Do you have some basic knowledge about software in (1)? From your
questions, you don't even know about connecting to MySQL server via TCP-IP.
Learn about that first, or ask in MySQL forum/list for best documentation
about it.
(3) Have you read the relevant documentation? Which part of the
documentation are you having problems with? If you've read it but absolutely
have no idea what it's all about, then maybe you should refer back to (1)
and (2)
(4) If you still have no idea what I'm talking about, then perhaps it's
better to enlist professional, paid support for implementation.

-- 
Fajar

Re: Radius Database

2011-05-06 Thread SC@

I know this website but I didn't find... maybe it is in but where ? i think
i have asked kindly...
This is a forum, when someone have difficulties we help him... 

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Radius-Database-tp4375341p4375837.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Radius Database

2011-05-06 Thread SC@
ok !

And can I have a real help please ? or a link... if i had already find i
would not be here...

thank you.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Radius-Database-tp4375341p4375799.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen > 0

2011-05-06 Thread Alan DeKok
Phil Mayers wrote:
> Could you spot any code path which can lead to length < 0? I looked and
> couldn't see how it was possible.

  I don't see how it's possible, either.

  Alan DeKok.


Re: Radius Database

2011-05-06 Thread Alan DeKok
SC@ wrote:
> But one of the possibilities is to modify a configuration file of freeradius
> to tell it to write in another database, or to put its database in another
> file. No ?

  Yes.

  This is documented.

  Alan DeKok.


Re: FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen > 0

2011-05-06 Thread Phil Mayers

On 06/05/11 10:17, Alan DeKok wrote:

   I've committed a fix which changes the assert to a run-time check.

   It won't correct the underlying issue, but it will keep the server
running.


Could you spot any code path which can lead to length < 0? I looked and 
couldn't see how it was possible.



Re: Radius Database

2011-05-06 Thread SC@
But one of the possibilities is to modify a configuration file of freeradius
to tell it to write in another database, or to put its database in another
file. No ?

Thank you

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Radius-Database-tp4375341p4375577.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen > 0

2011-05-06 Thread Alan DeKok
  I've committed a fix which changes the assert to a run-time check.

  It won't correct the underlying issue, but it will keep the server
running.

  Alan DeKok.


Re: Radius Database

2011-05-06 Thread Alan DeKok
SC@ wrote:
> I can modify those tables by way of " mysql -uroot -p " in my terminal but
> if I modify the code of my website to put the name of these database radius
> it does not work. I think that it comes from the way which is different.
> I would like to know what I have to write in the code of my pages (or maybe
> in a configuration file of mysql or xampp or raddb) so that my website
> manages my radius database.

  This is a question for MySQL, and has nothing to do with FreeRADIUS.

  Alan DeKok.


Re: NAS-Port ID

2011-05-06 Thread Alexander Clouter
Lars Witter  wrote:
> 
> i've a question about the database fields "NASPortId" and 
> "NASPortType" for radius in radacct.
> 
> what's the meaning of those fields?
> 
> NASPortType is always filled with "Async" ...
> NASPortId is filled with different Integers.
> 
> I've read the sources of ppp, but i didn't found out anything. :-(
> 
Best place to look is in the actual RFCs to be honest:

http://tools.ietf.org/html/rfc2865#section-5.41 - NAS-Port-Type
http://tools.ietf.org/html/rfc2869#section-5.17 - NAS-Port-Id

For a list of valid types either grep the dictionaries or look at:

http://www.iana.org/assignments/radius-types/radius-types.txt

Cheers

-- 
Alexander Clouter
.sigmonster says: You auto buy now.



RE: Nexus Configurations

2011-05-06 Thread Darren Shaw
Good morning David,

To answer your questions

We do have a local username; all our switches have, 500 of them.

I have traced the request and response between the FreeRadius server and the 
N5K, the server returns a service-type (6) AVP of Shell user (6) which 
according to the Free Radius documentation at 
http://freeradius.org/rfc/attributes.html is an Administrative user.

The syntax that I have placed into the following file

    Cisco-AVPair += "shell:roles=network-admin",
    Service-Type := Administrative-User,

I have also tried

    Hint == "XX", Auth-Type := Accept
        Reply-Message = "ACCEPT: Authorizing enable access",
        Cisco-AVPair = "shell:roles*\"network-admin\"",
        Cisco-AVPair += "shell:priv-lvl=15",
        Service-Type = Administrative-User,
        Fall-Through = No

    Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
    Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
    Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
    Cisco-AVPair = "shell:roles*\"network-admin\""

The configuration I have on the 5K

radius-server host  key 7 "XX" authentication accounting
aaa group server radius FreeRadius
server x
use-vrf management
aaa authentication login default group FreeRadius
source address x

It looks as though the 5K is not interpreting the attribute correctly, or I am 
not editing the correct file. Whatever syntax I use I get the same results, I 
get authenticated but the nexus places me as an operator.

The file I am editing is  /usr/local/etc/raddb/sites-available/default

Rgds
Darren Shaw
The Network Team
Computing Services
University of Huddersfield
Queensgate
Huddersfield
HD1 3DH

TEL: 01484 471317
MOBILE: 07792 773807


-Original Message-
From: freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org] On 
Behalf Of David Mitchell
Sent: 05 May 2011 15:35
To: FreeRadius users mailing list
Subject: Re: Nexus Configurations


On May 5, 2011, at 4:47 AM, Darren Shaw wrote:

> Hello David,
>
> Thanks for the syntax. Sadly this still does not work. The free radius server 
> will authenticate me as a user but the 5K wants me as an operator and not 
> admin.
>
> If you have the 5K working, could I be cheeky and ask if you could mail me 
> the radius config on your 5K

There isn't anything in the radius config that enables this as far as I can 
tell. Do you have a local account on the 5K? That might override the info from 
the RADIUS server. Run the command 'show user-account' after logging in. For 
me, it indicates that the account was created via remote authentication. I 
assume you have run the radius server in debug mode to verify that the 
attributes are actually in the access accept packets sent back to the switch?


-David Mitchell

>
> thanks
>
> Rgds
> Darren Shaw
> The Network Team
> Computing Services
> University of Huddersfield
> Queensgate
> Huddersfield
> HD1 3DH
>
> TEL: 01484 471317
> MOBILE: 07792 773807
>
> -Original Message-
> From: freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org 
> [mailto:freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org] On 
> Behalf Of David Mitchell
> Sent: 04 May 2011 15:14
> To: FreeRadius users mailing list
> Subject: Re: Nexus Configurations
>
>
> On May 4, 2011, at 4:48 AM, Darren Shaw wrote:
>
>> Good Morning
>>
>> I am new to this forum and to the workings of FreeRadius and I have a query 
>> around the Cisco Nexus family.
>>
>> Currently we have all our switches and routers authenticating to FreeRadius 
>> and all seems to be working. The problem comes when I want to authenticate 
>> my Nexus 7Ks and 5Ks.  The 7Ks and 5Ks will authenticate me but the Nexus 
>> puts me in an operator role and not in an administrator's role.
>>
>> According to Cisco I have to place the following into
>>
>> /usr/local/etc/raddb/sites-available/default
>>
>> Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
>> Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
>> Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
>> Cisco-AVPair = "shell:roles*\"network-admin\""
>
> This is what I'm adding to the replies for Nexus 5K's. I don't have any 7K's 
> but I'd be surprised if they were any different. I have not tried to send 
> two roles so I can't confirm the syntax for that.
>
>     Cisco-AVPair += "shell:roles=network-admin",
>     Service-Type := Administrative-User,
>
> -David Mitchell
>
>>
>>
>> The current service type is = Administrative-User
>>
>> I have tried each AVPair and nothing works. Has anyone else had this issue?
>>
>> If anyone has any advice I would be really grateful.
>>
>> Thanks
>>
>>
>>
>> Rgds
>> Darren Shaw
>> The Network Team
>> Computing Services
>> University of Huddersfield
>> Queensgate
>> Huddersfield
>> HD1 3DH
>>
>> TEL: 01484 471317
>> MOBILE: 07792 773807
>>

Radius Database

2011-05-06 Thread SC@
Hello,

I have created a website which manages a database; this one puts itself
automatically in "/opt/lampp/var/mysql".
But my final goal is to manage, through this website, a FreeRadius database
(add, modify, look for, delete data by way of the MAC address), and
radius uses databases and very specific tables, which is why I have imported
them and they are in "/var/lib/mysql".
I can modify those tables by way of " mysql -uroot -p " in my terminal but
if I modify the code of my website to put the name of these database radius
it does not work. I think that it comes from the way which is different.
I would like to know what I have to write in the code of my pages (or maybe
in a configuration file of mysql or xampp or raddb) so that my website
manages my radius database.

Thank you very much:) 



Re: Help Compiling ikev2, EVP_sha256 and tncs: Freeradius 3.0

2011-05-06 Thread akinpelu emmanuel
Hi Alan,
 
Thanks, I found a fix.

In case anyone needs the same help, he could follow the documentation here 
http://trust.inform.fh-hannover.de/wiki/index.php/Howto_build_a_tnc@fhh-Server_on_Linux.
 
Thank you
 
--- On Wed, 4/27/11, Alan DeKok  wrote:


From: Alan DeKok 
Subject: Re: Help Compiling ikev2, EVP_sha256 and tncs: Freeradius 3.0
To: "FreeRadius users mailing list" 
Date: Wednesday, April 27, 2011, 12:33 PM


akinpelu emmanuel wrote:
> Hi Alan,
>  
> I have set the CFLAGS and LDFLAGS 

  To what?

> I think the problem is with the ikev2_set_log_callback in -leap-ikev2... no
>  
> Is there a way I can handle this?

  Fix the software so it works.

  I don't run EAP-IKEv2, so I don't pay much attention to it.  The
source code for that module contains email addresses of the people who
wrote it.  Ask them what to do.

  Alan DeKok.

Re: Problem with LDAP and ntlm_auth

2011-05-06 Thread Alan DeKok
Robert Mc Cready wrote:
> The computer authentication is working fine but the users authentication
> with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth the
> users authentication works. Is there a way to have both of them working
> together?

  Upgrade Samba.  See the comments in eap.conf.

  Alan DeKok.


Re: can policy.conf be used to create an access control list

2011-05-06 Thread Alan DeKok
michael lamborn wrote:
> I am using version freeRadius 1.1.7.

  Upgrade.

> Please see my policy.conf example below. 

  1.1.7 doesn't support policy.conf.

  My guess is that you saw it in the recent release, and copied the file
to your 1.1.7 installation.  That won't help, software doesn't work that
way.

  Alan DeKok.


Re: Is ECC supported in freeradius?

2011-05-06 Thread Alan DeKok
re est wrote:
> Hello,
> 
> We have compiled openssl 1.0.0d and freeradius 2.1.10 hoping to use ECC
> ciphers in TLS.
> Is ECC supported in freeradius?

  FreeRADIUS doesn't do crypto.  See the OpenSSL documentation for how
to configure ECC.

  Alan DeKok.


Re: Adding Vendor Specific Attribute to the Access-Accept

2011-05-06 Thread Alan DeKok
normal ozone wrote:
> Correct me if I'm wrong but the NAS is the one sending authentication
> requests to the radius server?

  If you don't know that, it's not a good idea to be customizing a
RADIUS system.

> In my setup's case the one sending radius requests is a PC. I'm using
> the TinyRadius library.

  So ask them what to do.

> So technically I can use any of the radius attributes. I plan to use a
> company's vendor specific
> attribute. But will this have other repercussions? Legally, technically?

  No.

  But this isn't really a FreeRADIUS question.  You're trying to design
NAS software.  So... go do it.  The appropriate questions for this list
are questions about FreeRADIUS, not about your custom NAS software.

  Alan DeKok.


can policy.conf be used to create an access control list

2011-05-06 Thread michael lamborn
Hi,

I am using version freeRadius 1.1.7.  I am trying to create an access control 
list via radius, to prevent specific PCs/locations from accessing my network.

Please see my policy.conf example below.  My freeRadius server keeps sending an 
access-accept when I try to log in from my office as a test, which has the IP 
address 10.2.222.35.

I don't understand why the server is allowing the login.  It seems logical to 
me the way that I have approached an implementation, but I can't find any 
specific info from the wiki or in internet searches.  So I am not sure if I am 
still misconfigured or if it just doesn't work for some other reason.

Thanks,
Mike

In policy.conf, I have the following, but it doesn't have any effect (I do have
'$INCLUDE ${confdir}/policy.conf' in my radiusd.conf file):

policy {
    forbid_login_ip_hosts {
        %{request:Login-IP-Host} =~ /^10.2./ {
            reject
        }
    }
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
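
The pattern /^10.2./ in the policy above leaves its dots unescaped, so it matches more than the 10.2.x.x range. The following is an added example, not code from the thread or from FreeRADIUS; the helper name, the reading of the intended range as 10.2.0.0/16 and the sample addresses are assumptions made here. It audits a prefix regex against the network it is meant to cover:

```python
import ipaddress
import re


def audit_prefix_regex(pattern, cidr, addresses):
    """Compare a regex-based address match with real CIDR membership.

    Returns (false_positives, false_negatives): addresses the regex matches
    although they lie outside `cidr`, and addresses inside `cidr` that the
    regex misses.
    """
    regex = re.compile(pattern)
    network = ipaddress.ip_network(cidr)
    false_pos, false_neg = [], []
    for text in addresses:
        in_network = ipaddress.ip_address(text) in network
        matched = regex.search(text) is not None
        if matched and not in_network:
            false_pos.append(text)
        elif in_network and not matched:
            false_neg.append(text)
    return false_pos, false_neg


# Constructed sample addresses; 10.2.222.35 is the test host from the post.
SAMPLES = [
    "10.2.222.35",  # inside 10.2.0.0/16
    "10.2.0.1",     # inside
    "10.20.1.1",    # outside: the second "." in the pattern matches "0"
    "10.255.0.9",   # outside: the second "." in the pattern matches "5"
    "10.3.2.1",     # outside: third character run is "3", not "2"
    "110.2.5.5",    # outside: rejected by the "^" anchor
]

POSTED = r"^10.2."     # pattern as written in the post
ESCAPED = r"^10\.2\."  # dots escaped so they match only a literal "."

if __name__ == "__main__":
    for name, pat in [("posted", POSTED), ("escaped", ESCAPED)]:
        fp, fn = audit_prefix_regex(pat, "10.2.0.0/16", SAMPLES)
        print(f"{name:8} false positives={fp} false negatives={fn}")
```

In a reject rule the over-match blocks hosts that were never meant to be listed; the same pattern in an allow rule would admit them.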