Re: radmin del client error

2011-08-24 Thread tohaikmeng
Hello Arran,

I have built the master copy from git and tested. The result is still the same.
Not fixed. :)

Alex

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/radmin-del-client-error-tp4725176p4729575.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Documentation about Freeradius + Openldap

2011-08-24 Thread Alejandro Gandara
Hi list,

I'm new to this list and am implementing FreeRADIUS. I'm installing and
configuring FreeRADIUS 2.1.10 on Debian Squeeze. We have designed a
quite difficult architecture to authenticate users.
I've been looking for many hours for advanced and specific documentation on
managing FreeRADIUS, such as roles, access, access lists, profiles, and how to
merge everything with LDAP.

I didn't get the expected results on Google, so I'll be very grateful if
someone could give me a link, a doc, or even the name of a book to buy.

Thanks list for the help and your patience.

Regards,

Alejandro Gándara Álvarez
Junior System Administrator

Re: Realm parsing and \r = =0D

2011-08-24 Thread Alexander Clouter
Rich Graves rgra...@carleton.edu wrote:

 I've got freeradius-2.1.10-5.el6.x86_64 on fully patched RHEL6.1. 
 PEAP+MSCHAPv2 for wireless 802.1x, intending to federate with eduroam.
 
 Within a day, I had the configuration I wanted, or so I thought.
 
 Empty stanzas for realms u...@carleton.edu, ADS\user, and bare 
 username get authenticated with mschapv2. Otherwise, regex realm *@*.* 
 gets routed to the eduroam upstream radius hierarchy.

If you are going 'eduroam' you really need to reject *everything* 
eduroam SSID/802.1X related that is not of the form user@realm.  If you 
permit combinations then you will find users can use 'eduroam' locally 
with no problems but then when they go roaming, their workstation does 
not tell the visited site the realm (in the form '@example.edu') and so 
can only reject it.

The result, very unhappy users.

If you reject NULL *today*, then your helpdesk *has* to configure 
people correctly.  These are the words of a once-bitten eduroam 
sysadmin :)
 
As for your realm fun, this is what we do:
templates.conf:
templates {
    # PROXY
    eduroam-proxy {
        type                          = auth+acct
        port                          = 1812
        require_message_authenticator = yes
        status_check                  = status-server
    }

    eduroam-proxy6 {
        src_ipaddr = ${local.MY.addr.v6}

        $template eduroam-proxy
    }
    eduroam-proxy4 {
        src_ipaddr = ${local.MY.addr.v4}

        $template eduroam-proxy
    }
}
proxy.conf:
## eduroam
# roaming0.ja.net
home_server jrs.0.v6 {
    ipv6addr = ${local.jrs.0.addr.v6}
    secret   = ${local.jrs.0.secret}

    $template eduroam-proxy6
}
home_server jrs.0.v4 {
    ipaddr = ${local.jrs.0.addr.v4}
    secret = ${local.jrs.0.secret}

    $template eduroam-proxy4
}
# roaming1.ja.net
home_server jrs.1.v6 {
    ipv6addr = ${local.jrs.1.addr.v6}
    secret   = ${local.jrs.1.secret}

    $template eduroam-proxy6
}
home_server jrs.1.v4 {
    ipaddr = ${local.jrs.1.addr.v4}
    secret = ${local.jrs.1.secret}

    $template eduroam-proxy4
}
# roaming2.ja.net
home_server jrs.2.v6 {
    ipv6addr = ${local.jrs.2.addr.v6}
    secret   = ${local.jrs.2.secret}

    $template eduroam-proxy6
}
home_server jrs.2.v4 {
    ipaddr = ${local.jrs.2.addr.v4}
    secret = ${local.jrs.2.secret}

    $template eduroam-proxy4
}

home_server_pool eduroam {
    type = keyed-balance

    home_server = jrs.0.v6
    home_server = jrs.0.v4
    home_server = jrs.1.v6
    home_server = jrs.1.v4
    home_server = jrs.2.v6
    home_server = jrs.2.v4
}

realm NULL {
}

realm LOCAL {
}

realm soas.ac.uk {
}

realm auth.virtual {
    virtual_server = auth
}

realm DEFAULT {
    pool = eduroam

    nostrip
}

# blackhole routing
realm myabc.com {
    nostrip
}
realm ~\\.3gppnetwork\\.org$ {
    nostrip
}


The virtual server looks vaguely like (for *all* users onsite, the 'our 
users visiting elsewhere' is simpler):

authorize {
    preprocess
    suffix

    # detail

    rewrite.called_station_id
    rewrite.calling_station_id

    update request {
        Operator-Name := "1%{config:local.MY.realm}"
    }

    eap {
        ok = return
    }

    # Reject Calling-Station-Id-less authentications
    if (!(Calling-Station-Id)) {
        update reply {
            Reply-Message := "No Calling-Station-Id"
        }
        reject
    }
    elsif (Calling-Station-Id =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
        update control {
            Local-MAC-Address := "%{1}%{2}%{3}%{4}%{5}%{6}"
        }
    }

    if (!(User-Name)) {
        update reply {
            Reply-Message := "No User-Name"
        }
        reject
    }

    validate_username

    # handle realmless authentications
    if ((EAP-Message) && Realm == NULL) {
        update reply {
            Reply-Message := "No Realm"
        }
        reject
    }

    # handle blackhole'd realms
    if (Realm != NULL && Realm != DEFAULT && Realm != "%{config:local.MY.realm}") {

OT: Cisco Disconnect-Request packets

2011-08-24 Thread Jonathan Gazeley

Hi all,

Not directly related to FreeRADIUS but I gather people here have some 
experience with Cisco WiSMs and 802.1x.


I'm trying to use radclient to craft a Disconnect-Request packet to 
disconnect a user on an 802.1x network. I've checked the RFCs for the 
Disconnect-Request packets and I believe I am providing all the 
necessary attributes to disconnect a user, however the WiSM always responds:


rad_recv: Disconnect-NAK packet from host 172.17.107.211 port 3799, 
id=219, length=26

Error-Cause = Missing-Attribute


I am sending packets like these:

Sending Disconnect-Request of id 219 to 172.17.107.211 port 3799
User-Name = jg4461
Calling-Station-Id = 00:1b:63:08:b4:eb
Framed-IP-Address = 172.21.107.197
Called-Station-Id = 00:21:55:ac:5b:60:ResNet-Wireless
NAS-Port-Id = 29
NAS-Port-Type = Async
Acct-Session-Id = jg44614ddcd9e6/00:1b:63:08:b4:eb/222935
NAS-IP-Address = 172.17.107.211
NAS-Port = 29
NAS-Identifier = wism11


So, does anyone know which attributes I must send to disconnect a user 
in this way? Is there an easier way of doing it?


Many thanks,
Jonathan


Re: radmin del client error

2011-08-24 Thread Arran Cudbard-Bell
Ok couple of things,

did you actually try

radmin -e del client ipaddr 192.168.169.74?

could you run it in interactive mode and see if you get the same result?

-Arran

On 24 Aug 2011, at 12:28, tohaikmeng wrote:

 Hello Arran,
 
 Thanks for double checking this. It's weird. Below is what I got. I installed
 FreeRADIUS on a fresh Linux box.
 
 Is there any other file that I can check to prove my source is identical to
 yours?
 
 [root@FC-O ~]# radiusd -v
 radiusd: FreeRADIUS Version 3.0.0, for host i686-pc-linux-gnu, built on Aug
 24 2011 at 23:48:29
 Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 You may redistribute copies of FreeRADIUS under the terms of the
 GNU General Public License.
 For more information about these matters, see the file named COPYRIGHT.
 [root@FC-O ~]# radmin -e show client list
127.0.0.1
 [root@FC-O ~]# radmin -e add client file /usr/local/etc/raddb/alex.conf
 [root@FC-O ~]# radmin -e show client list
127.0.0.1
192.168.169.74
 [root@FC-O ~]# radmin -e del client ipaddr
 ERROR: Must specify ipaddr
 [root@FC-O ~]# radmin -e del client ipaddr ipaddr 192.168.169.74
 ERROR: Client 192.168.169.74 was not dynamically defined.
 [root@FC-O ~]#
 
 Regards,
 Alex
 
 --
 View this message in context: 
 http://freeradius.1045715.n5.nabble.com/radmin-del-client-error-tp4725176p4729970.html
 Sent from the FreeRadius - User mailing list archive at Nabble.com.
 

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: OT: Cisco Disconnect-Request packets

2011-08-24 Thread Arran Cudbard-Bell

On 24 Aug 2011, at 12:31, Jonathan Gazeley wrote:

 Hi all,
 
 Not directly related to FreeRADIUS but I gather people here have some 
 experience with Cisco WiSMs and 802.1x.
 
 I'm trying to use radclient to craft a Disconnect-Request packet to 
 disconnect a user on an 802.1x network. I've checked the RFCs for the 
 Disconnect-Request packets and I believe I am providing all the necessary 
 attributes to disconnect a user, however the WiSM always responds:
 
 rad_recv: Disconnect-NAK packet from host 172.17.107.211 port 3799, id=219, 
 length=26
   Error-Cause = Missing-Attribute


All attributes *MUST* match in the disconnect request, if you're including 
attributes that are not directly supported by Ciscos DM implementation, or are 
not in exactly the right format, you may run into issues.

I'd just try it with the minimum 

User-Name
Calling-Station-ID
Acct-Session-ID
NAS-IP-Address

-Arran

 
 
 I am sending packets like these:
 
 Sending Disconnect-Request of id 219 to 172.17.107.211 port 3799
   User-Name = jg4461
   Calling-Station-Id = 00:1b:63:08:b4:eb
   Framed-IP-Address = 172.21.107.197
   Called-Station-Id = 00:21:55:ac:5b:60:ResNet-Wireless
   NAS-Port-Id = 29
   NAS-Port-Type = Async
   Acct-Session-Id = jg44614ddcd9e6/00:1b:63:08:b4:eb/222935
   NAS-IP-Address = 172.17.107.211
   NAS-Port = 29
   NAS-Identifier = wism11
 
 
 So, does anyone know which attributes I must send to disconnect a user in 
 this way? Is there an easier way of doing it?
 
 Many thanks,
 Jonathan
 

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: radmin del client error

2011-08-24 Thread Bjørn Mork
Arran Cudbard-Bell a.cudba...@freeradius.org writes:

 Hi Alex,

 I just built from master myself

 And it seems to be working fine for me...

 radmin del client ipaddr 192.168.1.1
 ERROR: No such client
 radmin del client
 del client ipaddr ipaddr - Delete a dynamically created client
 radmin del client ipaddr 192.168.1.1.1.1
 ERROR: Failed parsing IP address; ip_hton: nodename nor servname provided, or 
 not known
 radmin 

Works for me as well, but I noticed that I missed this error path:

 radmin del client ipaddr 127.0.0.1
 ERROR: Client  was not dynamically defined.

I've sent a new pull request (since you already pulled) for the trivial
one byte fix to that as well.  Feel free to merge the commits if you
like. 






Bjørn



Re: radmin del client error

2011-08-24 Thread Bjørn Mork
tohaikmeng tohaikm...@live.com writes:

 [root@FC-O ~]# radmin -e del client ipaddr
 ERROR: Must specify ipaddr
 [root@FC-O ~]# radmin -e del client ipaddr ipaddr 192.168.169.74
 ERROR: Client 192.168.169.74 was not dynamically defined.

Yes, that looks true even with yesterday's patch, provided ipaddr
actually resolves to a non-dynamic client...

I forgot that specific error path.  It's fixed by this:

diff --git a/src/main/command.c b/src/main/command.c
index 8377d21..f2d3bc2 100644
--- a/src/main/command.c
+++ b/src/main/command.c
@@ -1818,7 +1818,7 @@ static int command_del_client(rad_listen_t *listener, int 
argc, char *argv[])
if (!client) return 0;
 
if (!client-dynamic) {
-   cprintf(listener, ERROR: Client %s was not dynamically 
defined.\n, argv[1]);
+   cprintf(listener, ERROR: Client %s was not dynamically 
defined.\n, argv[0]);
return 0;
}
 
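Review bot: the hunk only changes which argv slot is echoed in the error string, so it is worth confirming that argv[0] is the address token on this path and not the literal "ipaddr". The transcript earlier in the thread shows `del client ipaddr 192.168.169.74` answered with "Must specify ipaddr" while `del client ipaddr ipaddr 192.168.169.74` reached this branch, which points at a one-token offset in the command dispatch that a message-only fix does not address. The empty name in the earlier "ERROR: Client  was not dynamically defined." output is consistent with argv[1] lying past the end of the argument list, so the change to argv[0] itself looks right. The `if (!client->dynamic)` refusal just above should stay exactly as it is: letting radmin remove a statically configured client at runtime would drop a trusted NAS with no corresponding change in clients.conf.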

Bjørn


Re: radmin del client error

2011-08-24 Thread tohaikmeng
Hello Arran,

Yes, I did. Is there anything I did wrong?

[root@FC-O ~]# radmin -e del client ipaddr 192.168.169.74
ERROR: Must specify ipaddr

[root@FC-O ~]# radmin
radmin 3.0.0 - FreeRADIUS Server administration tool.
Copyright (C) 2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
radmin del client ipaddr 192.168.169.74
ERROR: Must specify ipaddr
radmin

Alex


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/radmin-del-client-error-tp4725176p4730033.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: radmin del client error

2011-08-24 Thread Arran Cudbard-Bell

On 24 Aug 2011, at 12:50, Bjørn Mork wrote:

 tohaikmeng tohaikm...@live.com writes:
 
 [root@FC-O ~]# radmin -e del client ipaddr
 ERROR: Must specify ipaddr
 [root@FC-O ~]# radmin -e del client ipaddr ipaddr 192.168.169.74
 ERROR: Client 192.168.169.74 was not dynamically defined.
 
 Yes, that looks true even with yesterday's patch, provided ipaddr
 actually resolves to a non dynamic client...
 
 I forgot that specific error path.  It's fixed by this:
 
 diff --git a/src/main/command.c b/src/main/command.c
 index 8377d21..f2d3bc2 100644
 --- a/src/main/command.c
 +++ b/src/main/command.c
 @@ -1818,7 +1818,7 @@ static int command_del_client(rad_listen_t *listener, 
 int argc, char *argv[])
if (!client) return 0;
 
if (!client-dynamic) {
 -   cprintf(listener, ERROR: Client %s was not dynamically 
 defined.\n, argv[1]);
 +   cprintf(listener, ERROR: Client %s was not dynamically 
 defined.\n, argv[0]);
return 0;
}
 
 
 Bjørn
 

Thanks, pulled and merged to 2.1.x

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: radmin del client error

2011-08-24 Thread Arran Cudbard-Bell
Alex,

Could you make sure you're running 3.0 of the server as well...  the validation 
logic is in the server not the radmin client...

-Arran


On 24 Aug 2011, at 12:57, tohaikmeng wrote:

 Hello Arran,
 
 Yes. I did. Is there anything i did wrongly?
 
 [root@FC-O ~]# radmin -e del client ipaddr 192.168.169.74
 ERROR: Must specify ipaddr
 
 [root@FC-O ~]# radmin
 radmin 3.0.0 - FreeRADIUS Server administration tool.
 Copyright (C) 2008 The FreeRADIUS server project and contributors.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 You may redistribute copies of FreeRADIUS under the terms of the
 GNU General Public License v2.
 radmin del client ipaddr 192.168.169.74
 ERROR: Must specify ipaddr
 radmin
 
 Alex
 
 
 --
 View this message in context: 
 http://freeradius.1045715.n5.nabble.com/radmin-del-client-error-tp4725176p4730033.html
 Sent from the FreeRadius - User mailing list archive at Nabble.com.
 

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: radmin del client error

2011-08-24 Thread tohaikmeng
Hello Arran, 

The method I use to add a dynamic client is via radmin -e add client
file file?

I read sites-available/dynamic-clients, but I can't find the link that
triggers the radius daemon to add the dynamic client definition file. I named
the file after the client IP as instructed and placed it in the designated
client definition directory. Are there any steps that I missed?

Alex

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/radmin-del-client-error-tp4725176p4730201.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: radmin del client error

2011-08-24 Thread Alan DeKok
tohaikmeng wrote:
 I read sites-available/dynamic-clients, but I can't find the link that
 triggers the radius daemon to add the dynamic client definition file. I named
 the file after the client IP as instructed and placed it in the designated
 client definition directory. Are there any steps that I missed?

  Send the server a packet from that client IP.

  Alan DeKok.


Re: Documentation about Freeradius + Openldap

2011-08-24 Thread Alan DeKok
Alejandro Gandara wrote:
 Im new in this list and implementig Freeradius. Im installing and
 configuring Freeradius 2.1.10 over Linux Debian Squeeze. We have
 designed a quite difficult architecture to authenticate users.
  I've been looking for many hours for advance and specific documentation
 to manage freeradius, such as Roles, Access, List access
 Profiles , how merge everything with ldap.

  What does that mean?  Can you give *concrete* examples?

  Alan DeKok.


Re: Documentation about Freeradius + Openldap

2011-08-24 Thread Alejandro Gandara
Hi,

Thanks for your answer.

For example:

We need to learn how to assign an IP or hostname access list to a user taken
from LDAP,
  assign a static or dynamic IP to a user or group taken from LDAP,
  integrate this with OpenVPN via freeradiusplugin,
  know whether a profile is stored in a file or in LDAP,
  and how to create a profile (is a profile an LDAP user, or do we have
to link them?).

I've read all the documentation found on freeradius.org and some other sites, but
I still don't know how to proceed, or which files to modify...

Thanks for your time

Regards,

Alejandro Gándara Álvarez
Junior System Administrator

2011/8/24 Alan DeKok al...@deployingradius.com

 Alejandro Gandara wrote:
  Im new in this list and implementig Freeradius. Im installing and
  configuring Freeradius 2.1.10 over Linux Debian Squeeze. We have
  designed a quite difficult architecture to authenticate users.
   I've been looking for many hours for advance and specific documentation
  to manage freeradius, such as Roles, Access, List access
  Profiles , how merge everything with ldap.

   What does that mean?  Can you give *concrete* examples?

  Alan DeKok.


Re: Documentation about Freeradius + Openldap

2011-08-24 Thread Alan DeKok
Alejandro Gandara wrote:
 We need to learn how to assign an IP or hostname access list to a user taken
 from LDAP.
   assign a static or dynamic IP to a user or group taken from LDAP.

  Read raddb/ldap.attrmap and doc/ldap_howto.  The LDAP attributes map
to RADIUS attributes, including IP address.

   integrate this with OpenVPN via freeradiusplugin.

  It's just RADIUS.  See the OpenVPN docs for how to do RADIUS with OpenVPN.

know if a profile is stored in a file or in ldap.

  Why?  Can't you just check the file / DB?

   how to create profile. ( a profile is a user of ldap, or we
 have to link them? )

  FreeRADIUS leverages the normal LDAP schema for users.  Just put users
into LDAP, configure the LDAP portions of FreeRADIUS, and it Will Work.

 I've read all the documentation found on freeradius.org and some other
 sites, but I still don't know how to proceed, or which files to modify...

  You must have found SOMETHING.  Saying "I don't know what to do" is
lazy.  The server comes with tons of documentation which describes
exactly what to do in order to configure LDAP, and exactly how LDAP
works.  It comes with samples of LDAP configuration, including comments
saying what the configuration directives are, and how they work.

  Alan DeKok.


Re: compiling pam radius module

2011-08-24 Thread g17jimmy
I'm sure this won't surprise anyone, but the problem had nothing to do with
radius. I had only entered the radius module in the pam config for ssh, but
I had a kerberos config in the system auth pam config. When I enabled debug
for the radius module I saw the kerberos realm info being passed in syslog.
I entered the pam-radius module in the system-auth config and everything
works.



--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/compiling-pam-radius-module-tp4727149p4730628.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: OT: Cisco Disconnect-Request packets

2011-08-24 Thread James J J Hooper

On 24/08/2011 11:31, Jonathan Gazeley wrote:

Hi all,

Not directly related to FreeRADIUS but I gather people here have some
experience with Cisco WiSMs and 802.1x.

I'm trying to use radclient to craft a Disconnect-Request packet to
disconnect a user on an 802.1x network. I've checked the RFCs for the
Disconnect-Request packets and I believe I am providing all the necessary
attributes to disconnect a user, however the WiSM always responds:

rad_recv: Disconnect-NAK packet from host 172.17.107.211 port 3799,
id=219, length=26
Error-Cause = Missing-Attribute


I am sending packets like these:

Sending Disconnect-Request of id 219 to 172.17.107.211 port 3799
User-Name = jg4461
Calling-Station-Id = 00:1b:63:08:b4:eb
Framed-IP-Address = 172.21.107.197
Called-Station-Id = 00:21:55:ac:5b:60:ResNet-Wireless
NAS-Port-Id = 29
NAS-Port-Type = Async
Acct-Session-Id = jg44614ddcd9e6/00:1b:63:08:b4:eb/222935
NAS-IP-Address = 172.17.107.211
NAS-Port = 29
NAS-Identifier = wism11


So, does anyone know which attributes I must send to disconnect a user in
this way? Is there an easier way of doing it?


radclient  -xs -f /tmp/disconnect.txt 172.17.107.210:3799 disconnect secret
Sending Disconnect-Request of id 7 to 172.17.107.210 port 3799
User-Name = testu...@bristol.ac.uk
Calling-Station-Id = 89:c6:65:99:39:52
Service-Type = Login-User
rad_recv: Disconnect-ACK packet from host 172.17.107.210 port 3799, id=7, 
length=20


   Total approved auths:  1
 Total denied auths:  0
   Total lost auths:  0

...so it seems you need User-Name, Calling-Station-Id and Service-Type.

-James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--


Re: OT: Cisco Disconnect-Request packets

2011-08-24 Thread Arran Cudbard-Bell

 
 radclient  -xs -f /tmp/disconnect.txt 172.17.107.210:3799 disconnect secret
 Sending Disconnect-Request of id 7 to 172.17.107.210 port 3799
   User-Name = testu...@bristol.ac.uk
   Calling-Station-Id = 89:c6:65:99:39:52
   Service-Type = Login-User
 rad_recv: Disconnect-ACK packet from host 172.17.107.210 port 3799, id=7, 
 length=20
 
  Total approved auths:  1
Total denied auths:  0
  Total lost auths:  0
 
 ...so it seems you need User-Name, Calling-Station-Id and Service-Type.

From RFC 3576 

  In Disconnect and CoA-Request messages, all Attributes are treated
  as mandatory.  A NAS MUST respond to a CoA-Request containing one
  or more unsupported Attributes or Attribute values with a CoA-NAK;
  a Disconnect-Request containing one or more unsupported Attributes
  or Attribute values MUST be answered with a Disconnect-NAK.  State
  changes resulting from a CoA-Request MUST be atomic: if the
  Request is successful, a CoA-ACK is sent, and all requested
  authorization changes MUST be made.  If the CoA-Request is
  unsuccessful, a CoA-NAK MUST be sent, and the requested

So if you do include an unsupported attribute the NAS should NAK the request.

RFC Says User-Name should be present and one or more of the following may be 
present

   NAS-Port                5  [RFC2865]  The port on which the session is terminated.
   Framed-IP-Address       8  [RFC2865]  The IPv4 address associated with the session.
   Called-Station-Id      30  [RFC2865]  The link address to which the session is connected.
   Calling-Station-Id     31  [RFC2865]  The link address from which the session is connected.
   Acct-Session-Id        44  [RFC2866]  The identifier uniquely identifying the session on the NAS.
   Acct-Multi-Session-Id  50  [RFC2866]  The identifier uniquely identifying related sessions.
   NAS-Port-Type          61  [RFC2865]  The type of port used.
   NAS-Port-Id            87  [RFC2869]  String identifying the port where the session is.
   Originating-Line-Info  94  [NASREQ]   Provides information on the characteristics of the
                                         line from which a session originated.
   Framed-Interface-Id    96  [RFC3162]  The IPv6 Interface Identifier associated with the
                                         session; always sent with Framed-IPv6-Prefix.
   Framed-IPv6-Prefix     97  [RFC3162]  The IPv6 prefix associated with the session, always
                                         sent with Framed-Interface-Id.

and then one of the following NAS identification attributes should be present

   NAS-IP-Address          4  [RFC2865]  The IPv4 address of the NAS.
   NAS-Identifier         32  [RFC2865]  String identifying the NAS.
   NAS-IPv6-Address       95  [RFC3162]  The IPv6 address of the NAS.

That Service-Type looks iffy to me. Are you 100% sure it's required? Could you 
try swapping it out for another session attribute like Acct-Session-Id? It 
might just need 3 or more identifying attributes; some vendors have really 
weird implementations.

-Arran

 
 -James
 
 -- 
 James J J Hooper
 Senior Network Specialist, University of Bristol
 http://www.wireless.bristol.ac.uk
 -- 
 

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


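Both sides of the exchange discussed in this thread, as an added example written for this page (it is not radclient, FreeRADIUS or Cisco code). The client half builds and signs a Disconnect-Request the way radclient does; the NAS half is a toy that applies the RFC 3576 rule quoted above, so any attribute it does not implement is NAKed before it even looks for a session. The shared secret, the NAS's "supported attribute" set and the session table are constructed; the identifiers reuse the values from the post.

```python
"""Added example (not from the thread or FreeRADIUS): an RFC 3576 Disconnect-Request
exchange modelled end to end. The client builds and signs the packet as radclient
does; the toy NAS applies the RFC rule that every attribute is mandatory. Secret,
session table and the NAS's "supported attribute" set are constructed here."""
import hashlib, hmac, socket, struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR = {  # number and wire type for the attributes discussed in the thread
    "User-Name": (1, "string"), "NAS-IP-Address": (4, "ipaddr"),
    "Service-Type": (6, "integer"), "Framed-IP-Address": (8, "ipaddr"),
    "Called-Station-Id": (30, "string"), "Calling-Station-Id": (31, "string"),
    "NAS-Identifier": (32, "string"), "Acct-Session-Id": (44, "string"),
    "NAS-Port-Type": (61, "integer"), "Error-Cause": (101, "integer"),
}
NUM2NAME = {num: name for name, (num, _) in ATTR.items()}
SESSION_ATTRS = {"Framed-IP-Address", "Called-Station-Id", "Calling-Station-Id",
                 "Acct-Session-Id", "NAS-Port-Type"}
ERROR_CAUSE = {401: "Unsupported-Attribute", 402: "Missing-Attribute",
               503: "Session-Context-Not-Found"}

def encode_attr(name, value):
    num, kind = ATTR[name]
    data = (value.encode() if kind == "string" else socket.inet_aton(value)
            if kind == "ipaddr" else struct.pack("!I", value))
    return struct.pack("!BB", num, len(data) + 2) + data

def decode_attrs(blob):
    out = {}
    while blob:
        num, length = struct.unpack("!BB", blob[:2])
        data, blob = blob[2:length], blob[length:]
        name = NUM2NAME.get(num, str(num))
        kind = ATTR.get(name, (0, "string"))[1]
        out[name] = (socket.inet_ntoa(data) if kind == "ipaddr" else
                     struct.unpack("!I", data)[0] if kind == "integer" else data.decode())
    return out

def packet(code, ident, auth, raw):
    return struct.pack("!BBH", code, ident, 20 + len(raw)) + auth + raw

def split(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], pkt[20:length]

def sign(code, ident, auth_input, raw, secret):
    """Authenticator = MD5(Code+ID+Length+<16 zero octets for a request, the
    Request Authenticator for a response>+Attributes+Secret) per RFC 3576."""
    return hashlib.md5(packet(code, ident, auth_input, raw) + secret).digest()

def build_disconnect_request(ident, attrs, secret):
    raw = b"".join(encode_attr(n, v) for n, v in attrs.items())
    return packet(DISCONNECT_REQUEST, ident, sign(DISCONNECT_REQUEST, ident, bytes(16), raw, secret), raw)

def nas_handle(pkt, secret, supported, sessions):
    """Toy NAS: wrong secret -> silently dropped; an attribute it does not implement
    -> NAK 401; no session-identifying attribute -> NAK 402; no session matching
    *every* attribute -> NAK 503; otherwise tear the session down and ACK."""
    code, ident, req_auth, raw = split(pkt)
    if code != DISCONNECT_REQUEST or not hmac.compare_digest(
            req_auth, sign(code, ident, bytes(16), raw, secret)):
        return None
    def reply(code, raw=b""):
        return packet(code, ident, sign(code, ident, req_auth, raw, secret), raw)
    attrs = decode_attrs(raw)
    if set(attrs) - supported:
        return reply(DISCONNECT_NAK, encode_attr("Error-Cause", 401))
    if "User-Name" not in attrs or not set(attrs) & SESSION_ATTRS:
        return reply(DISCONNECT_NAK, encode_attr("Error-Cause", 402))
    for session in sessions:
        if all(session.get(k) == v for k, v in attrs.items()):
            sessions.remove(session)
            return reply(DISCONNECT_ACK)
    return reply(DISCONNECT_NAK, encode_attr("Error-Cause", 503))

def client_disconnect(send, ident, attrs, secret):
    """Send one Disconnect-Request; verify the Response Authenticator before
    trusting the answer. Returns ("ACK", None), ("NAK", cause) or a failure."""
    req = build_disconnect_request(ident, attrs, secret)
    resp = send(req)
    if resp is None:
        return ("timeout", None)
    code, rid, rauth, raw = split(resp)
    if rid != ident or not hmac.compare_digest(rauth, sign(code, rid, req[4:20], raw, secret)):
        return ("bad-response-authenticator", None)
    if code == DISCONNECT_ACK:
        return ("ACK", None)
    return ("NAK", ERROR_CAUSE.get(decode_attrs(raw).get("Error-Cause"), "unknown"))

# constructed fixture: the session from the post, on a NAS that implements five attributes
SECRET = b"testing123"
SUPPORTED = {"User-Name", "Calling-Station-Id", "Acct-Session-Id", "NAS-IP-Address",
             "Framed-IP-Address"}
SESSION = {"User-Name": "jg4461", "Calling-Station-Id": "00:1b:63:08:b4:eb",
           "Acct-Session-Id": "jg44614ddcd9e6/00:1b:63:08:b4:eb/222935",
           "NAS-IP-Address": "172.17.107.211", "Framed-IP-Address": "172.21.107.197"}
MINIMUM = {k: SESSION[k] for k in ("User-Name", "Calling-Station-Id", "Acct-Session-Id",
                                    "NAS-IP-Address")}

def demo(attrs, secret=SECRET):
    """One exchange against a fresh copy of the NAS session table."""
    sessions = [dict(SESSION)]
    return client_disconnect(lambda p: nas_handle(p, SECRET, SUPPORTED, sessions),
                             219, attrs, secret)
```

With the fixture above, `demo(MINIMUM)` is ACKed, adding NAS-Port-Type (which this NAS does not implement) turns the same request into a NAK, and a request with User-Name but no session-identifying attribute gets Missing-Attribute. That is the mechanism behind the thread's advice to strip the request down: the "supported" set is vendor-specific, and RFC 3576 gives the NAS no way to ignore an attribute it does not understand. Two things worth keeping in mind operationally: the only thing authenticating a Disconnect-Request is the MD5 over the packet and the shared secret, so the NAS's CoA/DM listener (UDP 3799 in the post) should only accept packets from the RADIUS server's address; and the client must verify the Response Authenticator, as `client_disconnect` does, rather than trusting any reply that carries the right identifier.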


Adding default Realms in users without Realms

2011-08-24 Thread joao...@gmail.com
Hello everybody, I have a question and I'm not finding answers on the Internet.

I have a FreeRADIUS server operating normally; it is a proxy for
several realms, with each realm leading the user to a different
authentication database. So far, okay.

What I need now is to take users coming to the RADIUS server without a realm
and add a default realm. I need to do this early in the
authentication processing, so that the other conditions that rely on
the existence of a realm can function correctly.

Can anyone help me with this issue?

Thank you.

-- 
João Paulo de Lima Barbosa



Re: Adding default Realms in users without Realms

2011-08-24 Thread Arran Cudbard-Bell

On 24 Aug 2011, at 20:42, joao...@gmail.com wrote:

 Hello everybody, I have a question and I'm not finding answers on the Internet.
 
 I have a FreeRADIUS server operating normally; it is a proxy for
 several realms, with each realm leading the user to a different
 authentication database. So far, okay.
 
 What I need now is to take users coming to the RADIUS server without a realm
 and add a default realm. I need to do this early in the
 authentication processing, so that the other conditions that rely on
 the existence of a realm can function correctly.
 

If you mean just adding a string onto the username then yes...

if (User-Name !~ /username with realm... etc.../) {
    update request {
        User-Name := "%{User-Name}@realm"
    }
}

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



Re: Adding default Realms in users without Realms

2011-08-24 Thread joao...@gmail.com
Well, the way you suggested did not work for me; however, based on what you
gave me I made a small change and it worked. I put this in
authorize.

if(User-Name !~ /@/){
update request {
Realm := myrealm
}
}


I wonder how I would do this Realm manipulation through the users file?

Thank you.

2011/8/24 Arran Cudbard-Bell a.cudba...@freeradius.org:

 On 24 Aug 2011, at 20:42, joao...@gmail.com wrote:

 Hello everybody, I have a question and I'm not finding answers on the Internet.

 I have a FreeRADIUS server operating normally; it is a proxy for
 several realms, with each realm leading the user to a different
 authentication database. So far, okay.

 What I need now is to take users coming to the RADIUS server without a realm
 and add a default realm. I need to do this early in the
 authentication processing, so that the other conditions that rely on
 the existence of a realm can function correctly.


 If you mean just adding a string onto the username then yes...

 if (User-Name !~ /username with realm... etc.../) {
     update request {
         User-Name := "%{User-Name}@realm"
     }
 }

 Arran Cudbard-Bell
 a.cudba...@freeradius.org

 RADIUS - Half the complexity of Diameter





-- 
João Paulo de Lima Barbosa



Re: Adding default Realms in users without Realms

2011-08-24 Thread Arran Cudbard-Bell

On 24 Aug 2011, at 21:34, joao...@gmail.com wrote:

 Well, the way you suggested did not work for me; however, based on what you
 gave me I made a small change and it worked. I put this in
 authorize.

The way I suggested will work if you put it at the top of authorize before 
calling any of the realm modules, but anyway if you want to just set the realm, 
go ahead... just sounded like you wanted the request to run through existing 
logic.

Your code should really be:

if(User-Name !~ /@/){
update control {
Proxy-To-Realm := myrealm
}
}

This is the supported way of manually setting a proxy realm.

If you really wanted to do this with the users file

users file:

DEFAULT User-Name !~ /@/, Proxy-To-Realm := myrealm

Might work, no guarantees though. Not sure how special Proxy-To-Realm is

-Arran

 
 Thank you.
 
 2011/8/24 Arran Cudbard-Bell a.cudba...@freeradius.org:
 
 On 24 Aug 2011, at 20:42, joao...@gmail.com wrote:
 
 Hello everybody, I have a question and I'm not finding answers on the Internet.
 
 I have a FreeRADIUS server operating normally; it is a proxy for
 several realms, with each realm leading the user to a different
 authentication database. So far, okay.
 
 What I need now is to take users coming to the RADIUS server without a realm
 and add a default realm. I need to do this early in the
 authentication processing, so that the other conditions that rely on
 the existence of a realm can function correctly.
 
 
 If you mean just adding a string onto the username then yes...
 
 if (User-Name !~ /username with realm... etc.../) {
     update request {
         User-Name := "%{User-Name}@realm"
     }
 }
 
 Arran Cudbard-Bell
 a.cudba...@freeradius.org
 
 RADIUS - Half the complexity of Diameter
 
 
 
 
 
 -- 
 João Paulo de Lima Barbosa
 
 

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


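The realm handling that Alexander Clouter's proxy.conf and authorize section earlier on this page rely on, and the default-realm question in this thread, as one added example: a stand-alone Python model written for this page, not rlm_realm or any other FreeRADIUS code. It assumes ${config:local.MY.realm} expands to soas.ac.uk, treats the two realms under "# blackhole routing" as realms with nowhere to go, and splits at the last "@" as the suffix module does; the realm table mirrors the quoted config and the user names are constructed.

```python
"""Added example (not FreeRADIUS code): a model of the suffix realm lookup and
the authorize-section decisions from the eduroam config quoted above, plus the
default-realm rewrite from this thread. Realm table and user names are constructed."""
import re

REALMS = {  # mirrors the proxy.conf fragment; no pool/virtual_server = handled locally
    "NULL": {},
    "LOCAL": {},
    "soas.ac.uk": {},
    "auth.virtual": {"virtual_server": "auth"},
    "DEFAULT": {"pool": "eduroam", "nostrip": True},
    "myabc.com": {"nostrip": True},              # "blackhole routing" realms:
    r"~\.3gppnetwork\.org$": {"nostrip": True},  # nowhere to send them
}
MY_REALM = "soas.ac.uk"  # assumed expansion of ${config:local.MY.realm}


def lookup_realm(name, realms):
    """Exact name first, then regex realms (leading '~'), then DEFAULT."""
    if name in realms:
        return name
    for key in realms:
        if key.startswith("~") and re.search(key[1:], name, re.IGNORECASE):
            return key
    return "DEFAULT" if "DEFAULT" in realms else None


def suffix(user_name, realms=REALMS):
    """Model of the suffix module: split at the last '@', then set Realm,
    Stripped-User-Name (unless nostrip) and Proxy-To-Realm (if the realm has
    somewhere to go). A name without '@' gets the NULL realm if one is defined."""
    out = {"Realm": None, "Stripped-User-Name": None, "Proxy-To-Realm": None}
    if "@" not in user_name:
        out["Realm"] = "NULL" if "NULL" in realms else None
        return out
    local, realm = user_name.rsplit("@", 1)
    key = lookup_realm(realm, realms)
    if key is None:
        return out
    out["Realm"] = key
    if not realms[key].get("nostrip"):
        out["Stripped-User-Name"] = local
    if "pool" in realms[key] or "virtual_server" in realms[key]:
        out["Proxy-To-Realm"] = key
    return out


def eduroam_authorize(request, realms=REALMS, my_realm=MY_REALM):
    """The checks from the authorize section, in order: no User-Name -> reject;
    EAP with NULL realm -> reject (the request would be unroutable when roaming);
    a realm that is neither ours, DEFAULT, NULL/LOCAL nor proxied -> blackhole;
    otherwise proxy, hand off to the virtual server, or authenticate locally."""
    user_name = request.get("User-Name")
    if not user_name:
        return "reject: No User-Name"
    r = suffix(user_name, realms)
    if request.get("EAP-Message") and r["Realm"] == "NULL":
        return "reject: No Realm"
    if r["Realm"] not in ("NULL", "LOCAL", "DEFAULT", my_realm) and not r["Proxy-To-Realm"]:
        return "reject: blackhole realm"
    if r["Proxy-To-Realm"]:
        entry = realms[r["Proxy-To-Realm"]]
        return f"proxy {user_name} via {entry.get('pool') or entry.get('virtual_server')}"
    return f"local auth for {r['Stripped-User-Name'] or user_name}"


def default_realm(user_name, realm="myrealm"):
    """The rewrite Arran suggests for names without a realm; it must run
    before the realm module so that everything downstream sees a realm."""
    return user_name if "@" in user_name else f"{user_name}@{realm}"
```

Two points the model makes visible. Order matters: `default_realm()` has to run before `suffix()`, which is exactly the "top of authorize, before any realm module" placement discussed in the thread, otherwise Realm is already NULL by the time the rewrite happens. And the DEFAULT realm carries nostrip, so a roaming user's full user@realm reaches the eduroam proxies unchanged; stripping it there would leave the home institution unable to route the request, which is the roaming failure the eduroam post warns about.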


Re: Adding default Realms in users without Realms

2011-08-24 Thread joao...@gmail.com
OK Thanks for the tips, helped me a lot.

2011/8/24 Arran Cudbard-Bell a.cudba...@freeradius.org:

 On 24 Aug 2011, at 20:42, joao...@gmail.com wrote:

 Hello everybody, I have a question and I'm not finding answers on the Internet.

 I have a FreeRADIUS server operating normally; it is a proxy for
 several realms, with each realm leading the user to a different
 authentication database. So far, okay.

 What I need now is to take users coming to the RADIUS server without a realm
 and add a default realm. I need to do this early in the
 authentication processing, so that the other conditions that rely on
 the existence of a realm can function correctly.


 If you mean just adding a string onto the username then yes...

 if (User-Name !~ /username with realm... etc.../) {
     update request {
         User-Name := "%{User-Name}@realm"
     }
 }

 Arran Cudbard-Bell
 a.cudba...@freeradius.org

 RADIUS - Half the complexity of Diameter





-- 
João Paulo de Lima Barbosa

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Fwd: Auth configuration help

2011-08-24 Thread Dom



 Original Message 
Subject:Auth configuration help
Date:   Wed, 24 Aug 2011 21:53:46 -0400
From:   Dom dvers...@tekcorner.ca
To: freeradius-users@lists.freeradius.org



I was hoping someone could help.  We have a cisco 3825 with radius
server pointed to our freeradius installation.  When I test radius
authentication using NTRadping using CHAP authentication everything
works fine.  However when we try to connect via a standard dsl
connection we get these failures.  I was hoping someone could help point
me in the right direction to fix the issue.

Thanks

rad_recv: Access-Request packet from host 64.34.66.5 port 1645, id=26,
length=134
Framed-Protocol = PPP
User-Name = aew...@domain.ca
User-Password = password
Calling-Station-Id = bas10530096
Connect-Info = 10
NAS-Port-Type = Virtual
NAS-Port = 26
NAS-Port-Id = Uniq-Sess-ID26
Service-Type = Framed-User
NAS-IP-Address = 64.34..
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm tekcorner.ca for User-Name = aew...@domain.ca
[suffix] No such realm domain.ca
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> aew...@domain.ca
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 26 to 64.34.xxx.xxx port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 26 with timestamp +97
Ready to process requests.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fwd: Auth configuration help

2011-08-24 Thread Alan DeKok
Dom wrote:
 I was hoping someone could help.  We have a cisco 3825 with radius 
 server pointed to our freeradius installation.  When I test radius 
 authentication using NTRadping using CHAP authentication everything 
 works fine.  However when we try to connect via a standard dsl 
 connection we get these failures.  I was hoping someone could help point 
 me in the right direction to fix the issue.

  You haven't posted the debug log from the CHAP authentication.  For
some reason, you're treating CHAP *differently* from PAP.  This is not
part of the default config, so it's something you've done.

 [pap] WARNING! No known good password found for the user.  
 Authentication may fail because of this.

  Maybe that's a clue?  Reading the debug log helps.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Auth configuration help

2011-08-24 Thread Tim Sylvester
Your NAS is sending the password in clear text and is not doing CHAP, so the
RADIUS server needs to find either a clear text password or a hashed
password. Where are you storing usernames/passwords? Make sure that you have
an entry for User-Name = aew...@domain.ca with Cleartext-Password :=
password.


 Original Message 
Subject:Auth configuration help
Date:   Wed, 24 Aug 2011 21:53:46 -0400
From:   Dom dvers...@tekcorner.ca
To: freeradius-users@lists.freeradius.org


I was hoping someone could help.  We have a cisco 3825 with radius 
server pointed to our freeradius installation.  When I test radius 
authentication using NTRadping using CHAP authentication everything 
works fine.  However when we try to connect via a standard dsl 
connection we get these failures.  I was hoping someone could help point 
me in the right direction to fix the issue.
 
Thanks
 
rad_recv: Access-Request packet from host 64.34.66.5 port 1645, id=26, 
length=134
Framed-Protocol = PPP
User-Name = aew...@domain.ca
User-Password = password
Calling-Station-Id = bas10530096
Connect-Info = 10
NAS-Port-Type = Virtual
NAS-Port = 26
NAS-Port-Id = Uniq-Sess-ID26
Service-Type = Framed-User
NAS-IP-Address = 64.34..
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm tekcorner.ca for User-Name = aew...@domain.ca
[suffix] No such realm domain.ca
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  --- The PAP
module could not find a password for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: 
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> aew...@domain.ca
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 26 to 64.34.xxx.xxx port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 26 with timestamp +97
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
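The two decisions this thread turns on, Arran's default-realm rewrite of User-Name and the reason the PAP request above ends in an Access-Reject, modelled in Python as an added example (not code from the list or from FreeRADIUS itself); the realm names, the sample password store and the log excerpt are constructed:

```python
# Added example, not code from the thread: a small Python model of the FreeRADIUS
# 2.x authorize-section decisions discussed above. Realm names are constructed.

DEFAULT_REALM = "example.org"    # assumption: stands in for Arran's "@realm"
KNOWN_REALMS = {"example.org"}  # assumption: realms configured in proxy.conf

def add_default_realm(user_name, default_realm=DEFAULT_REALM):
    """Same decision as the unlang 'if (User-Name !~ /@/) { update ... }'."""
    if "@" not in user_name:
        return f"{user_name}@{default_realm}"
    return user_name

def suffix_realm(user_name, realms=KNOWN_REALMS):
    """Model rlm_realm 'suffix': realm is the text after the last '@';
    an unknown realm is logged as 'No such realm' and the module is a noop."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1]
    return realm if realm in realms else None

def decide_auth_type(request, known_good_password):
    """Why the log above ends in 'No authenticate method (Auth-Type)'.
    request: dict of the attributes shown in the rad_recv dump;
    known_good_password: Cleartext-Password (or a hash) found by files/ldap/sql
    during authorize, or None if nothing was found."""
    if "CHAP-Password" in request:
        return "CHAP"   # rlm_chap sets Auth-Type whenever CHAP-Password is present
    if "User-Password" in request and known_good_password is not None:
        return "PAP"    # rlm_pap sets Auth-Type only with a known good password
    return None         # rlm_pap warns 'No known good password' -> Access-Reject

# Constructed excerpt of a radiusd -X log with the same pattern as the thread's.
SAMPLE_DEBUG = """\
User-Password = password
++[chap] returns noop
[pap] WARNING! No known good password found for the user.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
""".splitlines()

def triage_debug(lines):
    """Pick out the three log lines that together explain the Access-Reject."""
    pap_request = any(l.strip().startswith("User-Password") for l in lines)
    no_known_good = any("No known good password" in l for l in lines)
    no_auth_type = any("No authenticate method" in l for l in lines)
    if pap_request and no_known_good and no_auth_type:
        return "PAP request, but no Cleartext-Password (or hash) found for the user"
    return "no matching pattern"
```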