Re: Framed-IP-Address null value

2011-10-17 Thread Alan Buxey
Hi,

>  > update reply {
>  >         Framed-IP-Address := "%{Client-IP-Address}"
>  > }
> 
> Sorry I meant   Framed-IP-Address := "%{Framed-IP-Address}"

which, in your debug, evaluated to NULL. Are you sure it's set/known at that
point?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Framed-IP-Address null value

2011-10-17 Thread Fajar A. Nugraha
On Mon, Oct 17, 2011 at 11:26 PM, Alejandro Gandara
 wrote:
>
>
>
> 2011/10/17 Alan DeKok 
>>
>> Alejandro Gandara wrote:
>> > The problem cames when i use this:
>> ..
>> >  update reply {
>> >                         Framed-IP-Address := "%{Client-IP-Address}"
>> >                 }
>>
> Sorry I meant    Framed-IP-Address := "%{Framed-IP-Address}"

That is wrong in so many ways.

Instead of asking "why it doesn't work" (which it does, sort of. It
does something stupid because you tell it to do something stupid), why
don't you explain in detail what you're trying to do.

You mentioned LDAP. Did you look at ldap.attrmap? Did you put it on
the correct ldap attribute name? When properly configured, you
shouldn't need the update reply block.

-- 
Fajar



Re: Framed-IP-Address null value

2011-10-17 Thread Alejandro Gandara
2011/10/17 Alan DeKok 

> Alejandro Gandara wrote:
> > The problem cames when i use this:
> ..
> >  update reply {
> > Framed-IP-Address := "%{Client-IP-Address}"
> > }
>
> Sorry I meant   Framed-IP-Address := "%{Framed-IP-Address}"

>   That is completely and totally wrong.  You are telling the end user
> that he can use the IP address assigned to the NAS.
>
> > But if I change %{Framed-IP-Address} this for %{Client-IP-Address}, just
> > to check if the query is right. I got the result expected "The client IP
> > Address".
> >
> > Can someone give me some light on the issue?
>
>   No idea.  It works for me.
>
>  Alan DeKok.


Re: Framed-IP-Address null value

2011-10-17 Thread Alan DeKok
Alejandro Gandara wrote:
> The problem comes when I use this:
..
>  update reply {
> Framed-IP-Address := "%{Client-IP-Address}"
> }

  That is completely and totally wrong.  You are telling the end user
that he can use the IP address assigned to the NAS.

> But if I change %{Framed-IP-Address} this for %{Client-IP-Address}, just
> to check if the query is right. I got the result expected "The client IP
> Address".
> 
> Can someone give me some light on the issue?

  No idea.  It works for me.

  Alan DeKok.


Framed-IP-Address null value

2011-10-17 Thread Alejandro Gandara
Hello all!

I'm testing FreeRADIUS on a preproduction machine. I've configured it with
freeradius + LDAP.
At this moment I only need to read these attributes from LDAP: user, password
and Framed-IP-Address, to assign an IP to a specific user.

The problem comes when I use this:

in /etc/freeradius/sites-enable/default

(authorize section)

update reply {
        Framed-IP-Address := "%{Client-IP-Address}"
}

I got the following error in debug mode:

++? if (NAS-Port-Type == 'Ethernet')
? Evaluating (NAS-Port-Type == 'Ethernetl') -> TRUE
++? if (NAS-Port-Type == 'Ethernet') -> TRUE
++- entering if (NAS-Port-Type == 'Ethernet') {...}
expand: %{Framed-IP-Address} ->
ERROR: Failed parsing value "" for attribute Framed-IP-Address: Failed to
find IP address for


But if I change %{Framed-IP-Address} for %{Client-IP-Address}, just to
check that the query is right, I get the expected result, "The client IP
Address".

Can someone shed some light on the issue?

Thanks very much.

Álex


Re: Problem with F5 BigIP accouting : hexadecimal attribute

2011-10-17 Thread Alan Buxey
Hi,

add that to the following:

VENDOR  F5   3375
BEGIN-VENDOR   F5

ATTRIBUTE   F5-LTM-User-Role             1    integer
ATTRIBUTE   F5-LTM-User-Role-Universal   2    integer   # enable/disable
ATTRIBUTE   F5-LTM-User-Partition        3    string
ATTRIBUTE   F5-LTM-User-Console          4    integer   # enable/disable
ATTRIBUTE   F5-LTM-User-Shell            5    string    # supported values are disable, tmsh, and bpsh
ATTRIBUTE   F5-LTM-User-Context-1        10   integer
ATTRIBUTE   F5-LTM-User-Context-2        11   integer
ATTRIBUTE   F5-LTM-User-Info-1           12   string
ATTRIBUTE   F5-LTM-User-Info-2           13   string

VALUE   F5-LTM-User-Role   Administrator   0
VALUE   F5-LTM-User-Role   Resource-Admin  20
VALUE   F5-LTM-User-Role   User-Manager    40
VALUE   F5-LTM-User-Role   Manager         100
VALUE   F5-LTM-User-Role   App-Editor      300
VALUE   F5-LTM-User-Role   Operator        400
VALUE   F5-LTM-User-Role   Guest           700
VALUE   F5-LTM-User-Role   Policy-Editor   800
VALUE   F5-LTM-User-Role   No-Access       900

VALUE   F5-LTM-User-Role-Universal   Disabled   0
VALUE   F5-LTM-User-Role-Universal   Enabled    1

VALUE   F5-LTM-User-Console   Disabled   0
VALUE   F5-LTM-User-Console   Enabled    1

END-VENDOR   F5



then it can go in the distro?

PS when dealing with vendor kit I tend to actually ask the vendor what
their kit is doing...what the RADIUS stuff is...what issues you may have
with eg accounting (F5, like other vendors, have some very active user-forums
where all sorts of things get discussed). 


alan


Re: Problem with F5 BigIP accouting : hexadecimal attribute

2011-10-17 Thread Len Conrad

Thanks, but I won't transfer until closer to the expiration date, so please 
lock it up again.

also wanted to make sure somebody was on watch, hadn't been in contact since 
Don died.

Len


-- Original Message --
From: Phil Mayers 
Reply-To: FreeRadius users mailing list 
Date:  Mon, 17 Oct 2011 15:51:28 +0100

>On 17/10/11 12:26, Vincent, Fabien wrote:
>
>> F5-Attr-14 = /[Hexa decimal output starting with 0x …]/
>
>This happens when an unknown attribute is found. The attribute is 
>assumed to be type "octets" and is rendered at hex.
>
>> */++ ATTRIBUTE F5-Attr-14 14 octets/*
>
>This won't help at all. This is ALREADY what FreeRADIUS assumes for 
>unknown attributes.
>
>Try:
>
>ATTRIBUTE F5-Attr-14 14 string
>
>...and see if it's readable.




RE: Problem with F5 BigIP accouting : hexadecimal attribute

2011-10-17 Thread Vincent, Fabien
Thanks for your replies/help.

I set in the dictionary.f5 the following value :

ATTRIBUTE   F5-Acct 14   string

First, for the F5 NAS-IP-Address, it's equal to 127.1.1.1, which I suspect is
strange behavior of the F5 syslog-ng / audit forwarder. But this is not a
problem; I will find out how to set it through the tmsh or bigpipe shells.

Now, I have the correct output in F5-Acct attribute I've set in the
dictionary.

Thanks all for your help !

If you have any experience with F5 BigIP LTM/GTM accounting, please share
your feedbacks with me (in private of course).

For the specific VSA provided here, is it possible to add it by default to the
FreeRADIUS repo?


Fabien VINCENT
Network & Security Engineer / ASSR Products
Level 3 - Infrastructure & Products

-----Original Message-----
From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org
[mailto:freeradius-users-bounces+fabien.vincent=coreye.fr@lists.freeradius.o
rg] On behalf of Phil Mayers
Sent: Monday 17 October 2011 16:51
To: freeradius-users@lists.freeradius.org
Subject: Re: Problem with F5 BigIP accouting : hexadecimal attribute

On 17/10/11 12:26, Vincent, Fabien wrote:

> F5-Attr-14 = /[Hexa decimal output starting with 0x …]/

This happens when an unknown attribute is found. The attribute is 
assumed to be type "octets" and is rendered at hex.

> */++ ATTRIBUTE F5-Attr-14 14 octets/*

This won't help at all. This is ALREADY what FreeRADIUS assumes for 
unknown attributes.

Try:

ATTRIBUTE F5-Attr-14 14 string

...and see if it's readable.

-- 
This message has been checked by MailScanner.





Re: setup freeradius to generateng COA

2011-10-17 Thread Alan Buxey
Hi,

Look in sites-available, read the 'coa' virtual server, enable it (link it
from sites-enabled or copy it), then run the server. CoA, by default, is on port
3799 ...

alan


Re: Problem with F5 BigIP accouting : hexadecimal attribute

2011-10-17 Thread Phil Mayers

On 17/10/11 12:26, Vincent, Fabien wrote:

> F5-Attr-14 = [Hexa decimal output starting with 0x …]

This happens when an unknown attribute is found. The attribute is 
assumed to be type "octets" and is rendered as hex.

> ++ ATTRIBUTE F5-Attr-14 14 octets

This won't help at all. This is ALREADY what FreeRADIUS assumes for 
unknown attributes.

Try:

ATTRIBUTE F5-Attr-14 14 string

...and see if it's readable.
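An added example, not code from the thread or from FreeRADIUS, that ties Alan Buxey's F5 dictionary above (vendor 3375) to Phil's point: a small decoder for a RADIUS Vendor-Specific attribute that renders a sub-attribute as hex octets while its number is missing from the dictionary, as text once an ATTRIBUTE line of type string is added (the name F5-Acct is the one Fabien used), and by VALUE label for the integer role attributes. The packet bytes and the "audit: user admin" text are constructed here; what F5 really puts in sub-attribute 14 is not known from the thread.

```python
import struct

F5_VENDOR_ID = 3375  # "VENDOR F5 3375" from the dictionary posted above

# Sub-attribute number -> (name, type), taken from the posted dictionary.
# Number 14 is deliberately absent: that is the situation in the thread.
F5_DICTIONARY = {
    1: ("F5-LTM-User-Role", "integer"),
    2: ("F5-LTM-User-Role-Universal", "integer"),
    3: ("F5-LTM-User-Partition", "string"),
    4: ("F5-LTM-User-Console", "integer"),
    5: ("F5-LTM-User-Shell", "string"),
    12: ("F5-LTM-User-Info-1", "string"),
    13: ("F5-LTM-User-Info-2", "string"),
}

# VALUE lines from the posted dictionary: attribute name -> {number: label}.
F5_VALUES = {
    "F5-LTM-User-Role": {
        0: "Administrator", 20: "Resource-Admin", 40: "User-Manager",
        100: "Manager", 300: "App-Editor", 400: "Operator",
        700: "Guest", 800: "Policy-Editor", 900: "No-Access",
    },
    "F5-LTM-User-Role-Universal": {0: "Disabled", 1: "Enabled"},
    "F5-LTM-User-Console": {0: "Disabled", 1: "Enabled"},
}


def build_vsa(vendor_id, sub_type, data):
    """Encode one Vendor-Specific attribute (type 26, RFC 2865 section 5.26)
    carrying a single vendor sub-attribute. Used here only to construct input."""
    sub = struct.pack("!BB", sub_type, 2 + len(data)) + data
    return struct.pack("!BBI", 26, 6 + len(sub), vendor_id) + sub


def parse_vsa(attr):
    """Split a type-26 attribute into (vendor_id, [(sub_type, sub_data), ...]).
    Every length field is checked so a truncated packet raises instead of
    being misread as a shorter value."""
    if len(attr) < 7 or attr[0] != 26 or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, pos = [], 6
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated sub-attribute header")
        sub_type, sub_len = attr[pos], attr[pos + 1]
        if sub_len < 2 or pos + sub_len > len(attr):
            raise ValueError("sub-attribute length out of range")
        subs.append((sub_type, attr[pos + 2:pos + sub_len]))
        pos += sub_len
    return vendor_id, subs


def render(sub_type, data, dictionary):
    """Render one F5 sub-attribute the way the debug output in the thread shows it:
    a number not in the dictionary becomes F5-Attr-<n> of type octets (hex),
    integers are looked up against their VALUE labels, strings are shown as text."""
    name, attr_type = dictionary.get(sub_type, ("F5-Attr-%d" % sub_type, "octets"))
    if attr_type == "integer" and len(data) == 4:
        number = struct.unpack("!I", data)[0]
        label = F5_VALUES.get(name, {}).get(number, number)
        return "%s = %s" % (name, label)
    if attr_type == "string":
        return '%s = "%s"' % (name, data.decode("utf-8", "replace"))
    # octets, or an integer whose length is not 4: fall back to raw hex
    return "%s = 0x%s" % (name, data.hex())


def decode_f5_vsa(attr, dictionary=F5_DICTIONARY):
    """Decode a whole type-26 attribute; other vendors are reported, not guessed at."""
    vendor_id, subs = parse_vsa(attr)
    if vendor_id != F5_VENDOR_ID:
        return ["Vendor-Specific = 0x%s (vendor %d, no dictionary)"
                % (attr[2:].hex(), vendor_id)]
    return [render(t, d, dictionary) for t, d in subs]


if __name__ == "__main__":
    # Constructed sample standing in for the accounting text F5 sends in 14.
    sample = build_vsa(F5_VENDOR_ID, 14, b"audit: user admin")
    print(decode_f5_vsa(sample))                  # unknown number -> hex octets
    with_14 = {**F5_DICTIONARY, 14: ("F5-Acct", "string")}  # Fabien's added line
    print(decode_f5_vsa(sample, with_14))         # readable text
    print(decode_f5_vsa(build_vsa(F5_VENDOR_ID, 1, struct.pack("!I", 100))))
```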


setup freeradius to generateng COA

2011-10-17 Thread Alex rsm

Hi,

I am trying to set up freeradius to generate CoA after receiving 
Access-Request packets.

Is there any document on how to configure this setting?

It seems I am sending Accounting packet to authorization port: 

After sending ...
echo "User-Name=test,User-Password=abc123" | /usr/local/bin/radclient -x 
localhost:11812 coa testing1234

I got the following debug log:
Listening on authentication address * port 11812
Listening on accounting address * port 11813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 11814
Ready to process requests.
Invalid packet code 43 sent to authentication port from client localhost port 
34917 : IGNORED
Ready to process requests.
Invalid packet code 43 sent to authentication port from client localhost port 
34917 : IGNORED
Ready to process requests.
Invalid packet code 43 sent to authentication port from client localhost port 
34917 : IGNORED
Ready to process requests.




Thanks,
ASM


Re: Problem with F5 BigIP accouting : hexadecimal attribute

2011-10-17 Thread Alan DeKok
Vincent, Fabien wrote:
> Yes I have added the F5 IP address, authorize works fine using the SQL
> NAS Table, but the IP returned by the F5 Accounting packet isn’t a valid
> Self IPs of the corresponding F5…

  The NAS-IP-Address attribute can be ANYTHING.  It has little or no
correspondence to the IP address of the NAS.

  The reasons why aren't complicated, but aren't important here.

> I think it’s return by the F5 in hexa (as the F5-Attr-14), that’s why I
> request help about this strange behavior …

  Go ask F5 what their attributes mean.  If we knew, they would be in
the dictionary file.

  Alan DeKok.



RE: Problem with F5 BigIP accouting : hexadecimal attribute

2011-10-17 Thread Vincent, Fabien
 

> NAS-IP-Address = [IP address unknown, not corresponding to NAS interfaces]
>
> Did you add your F5 IP address to the NAS Table?

Yes I have added the F5 IP address, authorize works fine using the SQL NAS
Table, but the IP returned by the F5 Accounting packet isn't a valid Self
IP of the corresponding F5.

I think it's returned by the F5 in hexa (as the F5-Attr-14), that's why I
request help about this strange behavior.

> Regards
> Suman


Re: Multiple NAS freeradius

2011-10-17 Thread Alejandro Gandara
2011/10/4 Arran Cudbard-Bell 

>
> On 4 Oct 2011, at 13:32, Alejandro Gandara wrote:
>
> Hi list,
>
> Im using freeradius 2.1.10 with ldap and I have a doubt.
>
> Im testing radius with two NAS , first one an  openvpn service and the
> other one  is a switch Procurve.
>
> My question is the following:
>
>  Can I configure the openvpn nas to read some attribute from the ldap ( as
> framedipaddress) and at the same time configure switch procurve to read the
> attribute pool-name from the radius?
>  How can I tell freeradius which attribute read for each nas?
>
> For example:
>
> User1 connect trhough openvpn so it will get the ip provided from
> framedipaddress attribute.
> User 1 disconnect openvpn
> User 1 connect with wired connection so it will get  the IP provided for
> ippool after read poolname attribute from ldap.
>
>
> Sure...
>
> sites-available/default
>
> authorize {
> if(Client-shortname == 'openvpn'){
>  update reply {
> Framed-IP-Address := "%{ldap:my ldap query}"
> }
>  }
> else {
> update reply {
> My-Other-Attribute := "%{ldap:my ldap query}"
>  }
> }
> }
>
I've tried this way, but it didn't resolve my problem.

if (NAS-Port-Type == 'Virtual') {
        update reply {
                Framed-IP-Address := "%{RadiusFramedIPAddress}"
        }
}

This step goes right, but for example:

Client Mike.
It has 2 attributes in LDAP used by RADIUS:

RadiusFramedIPAddress = x.x.x.x
PoolName = Admin

If the client connects via openvpn it has to take RadiusFramedIPAddress, but
if it connects through the switch he will take the IP provided by the pool
Admin.

The problem is the following: the pool overrides RadiusFramedIPAddress, or
vice versa. I need to use only one of them, never both at the same time.

Any solutions?

Thanks for all, and sorry, I'm asking too many things.


> clients.conf
>
> client  {
> shortname = openvpn
> }
>
>
>  Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
>
>


Re: Problem with F5 BigIP accouting : hexadecimal attribute

2011-10-17 Thread Suman Dash
> NAS-IP-Address = [IP address unknown, not corresponding to NAS interfaces]

Did you add your F5 IP address to the NAS Table?

Regards
Suman


Re: Ippool giving gateway addresses

2011-10-17 Thread Alejandro Gandara
2011/10/17 Fajar A. Nugraha 

> On Mon, Oct 17, 2011 at 4:21 PM, Alejandro Gandara
>  wrote:
> >> > 2º How I could check the bind addresses in db.* files?
> >>
> >> try http://wiki.freeradius.org/Rlm_ippool_tool
> >> I'd recommend you use rlm_sqlippool instead though.
> >
> > When I use this tool I got users identified by keys, where could I find
> the map (or relation)  of keys with users?. I need know which Users is
> conneceted which each IP.
>
> I don't think you can with ippool. Try sqlippool instead, which has
> "username" column.
>

Ok I will try.

>
> >
> >>
> >> >
> >> > 3º Radiuis-Framed-Routing is used to configure a gateway for each
> profile?
> >>
> >> See http://freeradius.org/rfc/rfc2865.html for a description on what
> >>
> >> each attribute is for.
> >>
> > I' ve seen i can manage Radius-Framed-Route to fix my problem.
>
> You mean Framed-Route?
>
Yes, Framed-Route is called by ldap as RadiusFramedRouteIP.



> > Mixing this with ippool could be a right solutions.( I hope).
> > I've seen too i can configure default gateways with this attribute such
> as: 0.0.0.0 10.0.2.1 .  where the first element is the network (default) and
> the second one is the gateway used.
> >
> > Is this true?
>
> Does your NAS support Framed-Route attribute?
>
I'm checking the documentation but I didn't find anything about FreeRADIUS
attributes. We are using 5 HP Procurve 2510G switches in a stack.

>
> --
> Fajar
>


Re: Problems with my radrelay configuration?

2011-10-17 Thread tonimanel
Thanks again for your answer.

When you speak about "an external mechanism" to synchronize user data for
authentication, does this mean that, for example, I should do a MySQL replica
of this table? I want to synchronize both things, authentication and
accounting data, because I want two servers with identical data and
functionality in real time.

So, I have it clear: I should get to the point of writing accounting records
into a detail file.

I have tested it with the radlogin client, in authentication mode and accounting
mode, and both work fine.

Thanks for your answer again. I am going to begin with the original
configuration files, with basic functionality, and I'm going to work on getting
accounting records written to the detail file.

Regards,



Re: Problems with my radrelay configuration?

2011-10-17 Thread Fajar A. Nugraha
On Mon, Oct 17, 2011 at 6:42 PM, tonimanel
 wrote:
> Thank you for your answer. I am going to follow this guide. I think that
> there are some points that maybe it isn't necessary for the objective.
>
> I can tell you that:
> 1.- I thought that the achieve of this configuration was to have two
> services with authentication and accounting data synchronized.

... and there you have it, your FIRST main problem. You don't
understand what it does. You still mention authentication. This
configuration does NOTHING to synchronize authentication data. With
this configuration, you need to synchronize user data (for
authentication) separately, with an external mechanism.

> First service
> writes in database and in detail file and second service would make the same
> and both would read from detail file and then write to database.

only accounting records get written in file/database. Again, nothing
about authentication.

> 2.- Yes, I think the same. Great phrase. ;)
> 2.1- I have configured a simple freeradius, logging with database, with nas
> and writting account data in database too. I don't know if getting this,
> data would write in detail file or not.
> 2.2- I don't know how to get that service writes records into detail file.

It was mentioned many times as answer to your question. Go back, read
the archive. Do NOT go any further until you can write accounting
records to a detail file.

> 2.3- I have used "Radius test client" to test the authentication and
> accounting processes. Not more.

What radius test client? radtest? radclient?

Have you verified that the authentication process works? Have you
verified that the accounting record gets written? Again, do NOT go any
further until you can write accounting records to a detail file.

> 2.4- I don't know how to read accounting records (because I don't know how
> to write it)

... and that is your SECOND main problem.

Re-read all the answers that's been given (open list archive if necessary).

Do NOT go any further until you can write accounting records to a detail file.
(Probably I sound like a broken record by now, but that seems to be
necessary in this case.)

-- 
Fajar


Re: Problems with my radrelay configuration?

2011-10-17 Thread tonimanel
Thank you for your answer. I am going to follow this guide. I think that
there are some points that maybe aren't necessary for the objective.

I can tell you that:
1.- I thought that the aim of this configuration was to have two
services with authentication and accounting data synchronized. The first service
writes to the database and to the detail file, and the second service would do
the same, and both would read from the detail file and then write to the database.
2.- Yes, I think the same. Great phrase. ;)
2.1- I have configured a simple freeradius, logging with a database, with a NAS,
and writing accounting data to the database too. I don't know if, having done
this, data would be written to the detail file or not.
2.2- I don't know how to get the service to write records into the detail file.
2.3- I have used "Radius test client" to test the authentication and
accounting processes. Nothing more.
2.4- I don't know how to read accounting records (because I don't know how
to write them) and I don't know how to forward them to a remote RADIUS server (I
think that this is my objective. Do you agree?) I have read the
copy-acct-to-home-server and robust-proxy-accounting files.

Now, I think that I'm at a point where I don't know what I should do. I
have modified the configuration files; maybe I should restore the original
files and start again, but I will spend time doing this. I would like to know
whether, with these modifications, I have a more or less good configuration or
not. For this reason, I think your help is necessary for me.

Thanks. I hope for your answers.



Problem with F5 BigIP accouting : hexadecimal attribute

2011-10-17 Thread Vincent, Fabien
Dear all,

I'm using RADIUS for authenticating admin users on different network
equipment. "group authorize {...}" works fine with rlm_ldap and group
management.

But I have some problem with accounting on F5 BigIP LTM / GTM.

In fact, my RADIUS accounting server is receiving accounting-requests like
this:

Accounting-Request packet from host 10.10.10.10 port 36875, id=29,
length=281
NAS-IP-Address = [IP address unknown, not corresponding to NAS interfaces]
F5-Attr-14 =  [Hexa decimal output starting with 0x .]
WARNING: Empty section.  Using default return values.
+- entering group accounting {...}
[sql]   expand: packet has no accounting status type. [user '%{User-Name}',
nas '%{NAS-IP-Address}'] -> packet has no accounting status type. [user '',
nas '[nas IP unknown]']
[sql] packet has no accounting status type. [user '', nas '[nas IP
unknown]']
++[sql] returns invalid
Finished request 37.
Cleaning up request 37 ID

Did someone here already use accounting with F5 BigIP LTM or GTM? I'm
looking to make this work by changing the audit_forward TCL script provided
with F5 (syslog-ng), but I wasn't able to produce something different.

I also tried to edit the dictionary for F5 in
/usr/share/freeradius/dictionary.f5

ATTRIBUTE   F5-LTM-User-Info-1  12   string
ATTRIBUTE   F5-LTM-User-Info-2  13   string
++ ATTRIBUTE   F5-Attr-14  14   octets

Thanks in advance for your help!

Fabien VINCENT
  fabien.vinc...@coreye.fr





RE: EAP Testing - Newbie

2011-10-17 Thread Sergio NNX

Hi Alan,

Thanks for your reply.

That's all ... after the following lines:

EAP-Message = 0x737420526f6f742043412028
Message-Authenticator = 0x
State = 0x26b3a7ae27b1b26bc177f1c70c867315

I just get:

Finished request 1
Going to the next request
Waking up in 4.8 seconds
Cleaning up request 0 ID 0 with timestamp .
Waking up in 0.1 seconds
Cleaning up request 1 ID 1 with timestamp 
Ready to process requests.

That's all. No more output!

Any help is greatly appreciated!

Ciao.



> Date: Mon, 17 Oct 2011 11:56:34 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: sfhac...@hotmail.com
> CC: tim.sylves...@networkradius.com; freeradius-users@lists.freeradius.org
> Subject: Re: EAP Testing - Newbie
> 
> hi,
> 
> your radiusd -X output was not all there... it just stopped.  need to see it 
> all
> to see where/when the fail is occurring.
> 
> alan


Re: EAP Testing - Newbie

2011-10-17 Thread Alan Buxey
hi,

your radiusd -X output was not all there... it just stopped.  Need to see it all
to see where/when the fail is occurring.

alan


how to configure

2011-10-17 Thread Harish Mandowara
Dear all,

How do I configure the FreeRADIUS server with a Netgear WNR3500L access point
with these three entities?

Authentication server (FreeRADIUS) - Access Point (Netgear) - Mobile
Terminal (My PC).



-- 
Warm Regards

Harish Mandowara




-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: Ippool giving gateway addresses

2011-10-17 Thread Fajar A. Nugraha
On Mon, Oct 17, 2011 at 4:21 PM, Alejandro Gandara
 wrote:
>> > 2º How I could check the bind addresses in db.* files?
>>
>> try http://wiki.freeradius.org/Rlm_ippool_tool
>> I'd recommend you use rlm_sqlippool instead though.
>
> When I use this tool I got users identified by keys, where could I find the 
> map (or relation)  of keys with users?. I need know which Users is conneceted 
> which each IP.

I don't think you can with ippool. Try sqlippool instead, which has
"username" column.

>
>>
>> >
>> > 3º Radiuis-Framed-Routing is used to configure a gateway for each profile?
>>
>> See http://freeradius.org/rfc/rfc2865.html for a description on what
>>
>> each attribute is for.
>>
> I' ve seen i can manage Radius-Framed-Route to fix my problem.

You mean Framed-Route?

> Mixing this with ippool could be a right solutions.( I hope).
> I've seen too i can configure default gateways with this attribute such as: 
> 0.0.0.0 10.0.2.1 .  where the first element is the network (default) and the 
> second one is the gateway used.
>
> Is this true?

Does your NAS support Framed-Route attribute?

-- 
Fajar



Re: Ippool giving gateway addresses

2011-10-17 Thread Alejandro Gandara
2011/10/17 Fajar A. Nugraha 

> On Mon, Oct 17, 2011 at 2:18 PM, Alejandro Gandara
>  wrote:
> >
> > Hi List,
> >
> >
> > I have two doubts which I couldn't resolv properly. I'll be so pleased if
> > someone could give me a hand.
> >
> > 1º There is any way to configure ippool to give a gateway for each
> > configured pool?
>
> Short version: no.
>
> Long answer:
> AFAIK rlm_ipool and rlm_sqlippool only hand-out IP addresses in
> Framed-IP-Address attribute.
> However, if you use rlm_sqlippool, it should be easy enough to have an
> additional custom sql table (or additional column) which (for example)
> store the default gateway for each IP address. You can then use unlang
> to send this information in Framed-Route attribute. Your NAS has to
> support it though, otherwise the attribute will be silently ignored.
>
> >
> > 2º How I could check the bind addresses in db.* files?
>
> try http://wiki.freeradius.org/Rlm_ippool_tool
> I'd recommend you use rlm_sqlippool instead though.
>

When I use this tool I get users identified by keys; where could I find the
map (or relation) of keys to users? I need to know which user is
connected with each IP.


> > 3º Radiuis-Framed-Routing is used to configure a gateway for each
> > profile?
>
> See http://freeradius.org/rfc/rfc2865.html for a description on what
> each attribute is for.

I've seen I can manage Radius-Framed-Route to fix my problem. Mixing this
with ippool could be a right solution (I hope).
I've seen too that I can configure default gateways with this attribute such as:
0.0.0.0 10.0.2.1, where the first element is the network (default) and the
second one is the gateway used.

Is this true?

Thanks for your time and your faster answer.

Regards

Alejandro

> --
> Fajar
>


RE: EAP Testing - Newbie

2011-10-17 Thread Sergio NNX

First of all, thanks for your help.


radiusd.conf - eap section :



eap {
        default_eap_type = ttls

        md5 {
        }

        mschapv2 {
        }

        tls {
                rsa_key_exchange = no
                dh_key_exchange = yes
                rsa_key_length = 512
                dh_key_length = 512

                pem_file_type = yes

                include_length = yes

                CA_path = ${db_dir}/certs

                CA_file = ${db_dir}/certs/rootca.pem

                certificate_file = ${db_dir}/certs/server.pem
                private_key_file = ${db_dir}/certs/server-key.pem

                random_file = ${db_dir}/certs/random

                dh_file = ${db_dir}/certs/dh

                check_crl = no

                verify_depth = 0

                cipher_list = "DEFAULT"
        }

        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }

        peap {
                default_eap_type = mschapv2
        }
}

-

users file: the first line reads:

testuser   Cleartext-Password := "testpw"
           Reply-Message = "Hello, %{User-Name}"



Then I type: eapol_test -c md5.conf -s testing123; I'm using md5.conf from
here: http://deployingradius.com/scripts/eapol_test/


Find below radiusd -X output:


Starting - reading configuration files ...
including configuration file ..\etc\raddb/radiusd.conf
including configuration file ../etc/raddb/clients.conf
including configuration file ../etc/raddb/policy.conf
including dictionary file ..\etc\raddb/dictionary
main {
name = "radiusd"
prefix = ".."
localstatedir = "../var"
sbindir = "../sbin"
logdir = "../var/log/radius"
run_dir = "../var/run/radiusd"
libdir = "../lib"
radacctdir = "../var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "../var/run/radiusd/radiusd.pid"
checkrad = "../sbin/checkrad"
debug_level = 0
proxy_requests = no
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
 }
 realm LOCAL {
 }
radiusd:  Loading Clients 
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file ..\etc\raddb/radiusd.conf
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file ..\etc\raddb/radiusd.conf
 }
radiusd:  Loading Virtual Servers 
server { # from file ..\etc\raddb/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file ..\etc\raddb/radiusd.conf
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file ..\etc\raddb/radiusd.conf
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file ..\etc\raddb/radiusd.conf
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "auth_log" from file ..\etc\raddb/radiusd.conf
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file ..\etc\raddb/radiusd.conf
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating module "detail" from file ..\etc\raddb/radiusd.conf
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file ..\etc\raddb/radiusd.conf
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to p

Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2011-10-17 Thread Alan Buxey
Hi,

> Thanks for that.
> I had left some previous versions of files in the modules directory not 
> knowing that they are still active.
> Moving them to another location progressed me to the following error:

yes, FreeRADIUS will read ALL files in sites-enabled/ and ALL files in the
modules/ directory. never leave 'backups' or editor backups (tilde emacs files)
or RCS etc versions lying around in those directories (this is a common problem)

> This was fixed by issuing this command:
> 
> 'chgrp radiusd /var/lib/samba/winbindd_privileged'

yep

> The next problem I got was
> 
> "EAP-MSCHAPV2: Received success
>  EAP-MSCHAPV2: Invalid authenticator response in success request"
> 
> Googling this suggests there is a bug in the version of Samba I'm using and 
> that I need to install version 3.0.30.

the latest SAMBA release in 3.5.x should work fine. 

I note you are running 2.1.9 - why that version? 2.1.10 should be available
for CentOS 6 with yum.  if self-compiling, use 2.1.12

alan


Re: EAP Testing - Newbie

2011-10-17 Thread Alan Buxey
hi,

...please don't send eapol_test output - send the output
from radiusd -X

from the log sent it looks like the client isn't getting a response from
the server (note the 3 default timeouts at the end)

alan


Re: Problems with my radrelay configuration?

2011-10-17 Thread Fajar A. Nugraha
On Mon, Oct 17, 2011 at 2:50 PM, tonimanel
 wrote:
> Any body can help me? Please!! I need to get a good configuration!

Step back for a moment. You want to run when you can't even walk.
Try answering these questions:

(1) Do you REALLY understand what this configuration will achieve?
In one of your mails you asked how to proxy authentication. You should
only need to copy accounting packets, and handle authentication
locally. If you're hoping that this setup will automagically
synchronize your user authentication data across several independent
mysql instances, then your understanding is wrong.

(2) Divide and conquer.
Start with simple steps:
2.a. Do you know how to configure a simple freeradius setup that uses
users file for authentication and stores accounting record in detail
file?
2.b. Do you know how to configure a simple freeradius setup that uses a
database for authentication and accounting?
2.c. Do you know how to store accounting records in BOTH database and
detail file?
2.d. Do you know how to generate authentication and accounting
packets, either through a simulator (e.g. radclient, radperf) or by
using a NAS directly (e.g. chillispot, pptp, whatever).
2.e. Do you know how to read accounting records from a detail file and
forward it to a remote radius server?
sites-available/copy-acct-to-home-server and
sites-available/robust-proxy-accounting are good places to start.

If on any of those points the answer is NO, then spend some time to
learn about it. If you have a problem in a SPECIFIC task, then ask,
but be specific on what you ask about, and give enough information.

Simply modifying the config file without knowing what it does, then asking
"help I'm in trouble" is simply rude.

-- 
Fajar


Re: Ippool giving gateway addresses

2011-10-17 Thread Fajar A. Nugraha
On Mon, Oct 17, 2011 at 2:18 PM, Alejandro Gandara
 wrote:
>
> Hi List,
>
>
> I have two doubts which I couldn't resolve properly. I'll be so pleased if
> someone could give me a hand.
>
> 1º Is there any way to configure ippool to give a gateway for each
> configured pool?

Short version: no.

Long answer:
AFAIK rlm_ippool and rlm_sqlippool only hand out IP addresses in the
Framed-IP-Address attribute.
However, if you use rlm_sqlippool, it should be easy enough to have an
additional custom sql table (or additional column) which (for example)
stores the default gateway for each IP address. You can then use unlang
to send this information in the Framed-Route attribute. Your NAS has to
support it though, otherwise the attribute will be silently ignored.

>
> 2º How could I check the bind addresses in db.* files?

try http://wiki.freeradius.org/Rlm_ippool_tool
I'd recommend you use rlm_sqlippool instead though.

>
> 3º Radiuis-Framed-Routing is used to configure a gateway for each profile?

See http://freeradius.org/rfc/rfc2865.html for a description on what
each attribute is for.

-- 
Fajar


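Added example, not code from the thread or from FreeRADIUS: a small Python helper for the approach Fajar describes above (a per-pool gateway stored beside the sqlippool table and sent to the NAS in Framed-Route), plus a parser that checks a Framed-Route string against the RFC 2865 section 5.22 grammar, the same grammar the "0.0.0.0 10.0.2.1" value mentioned earlier in the thread would be checked against. The pool names and gateway addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed stand-in for an extra gateway column beside the sqlippool table.
POOL_GATEWAYS = {"pool_a": "10.0.2.1", "pool_b": "10.0.3.1"}

# RFC 2865 5.22 grammar: dest[/len] <sp> gateway <sp> metric [metric ...]
_ROUTE_RE = re.compile(
    r"^(?P<dest>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<plen>\d{1,2}))?\s+"
    r"(?P<gw>\d{1,3}(?:\.\d{1,3}){3})(?P<metrics>(?:\s+-?\d+)+)$")

def framed_route(destination: str, gateway: str, metric: int = 1) -> str:
    """Build Framed-Route text such as '0.0.0.0/0 10.0.2.1 1' (strict network)."""
    net = ipaddress.IPv4Network(destination, strict=True)
    return f"{net.network_address}/{net.prefixlen} {ipaddress.IPv4Address(gateway)} {metric}"

def default_route_for_pool(pool_name: str) -> str:
    """Framed-Route that makes the pool's gateway the user's default route."""
    if pool_name not in POOL_GATEWAYS:
        raise ValueError(f"no gateway configured for pool {pool_name!r}")
    # The /0 is written explicitly: a bare '0.0.0.0' is classful /8, not /0.
    return framed_route("0.0.0.0/0", POOL_GATEWAYS[pool_name])

def _classful_prefixlen(first_octet: int) -> int:
    """RFC 2865 default when /len is omitted: 8, 16 or 24 bits by class."""
    for limit, plen in ((128, 8), (192, 16), (224, 24)):
        if first_octet < limit:
            return plen
    raise ValueError("no classful default prefix length for this address")

def parse_framed_route(value: str) -> dict:
    """Validate a Framed-Route string; ValueError if it breaks the grammar."""
    m = _ROUTE_RE.match(value.strip())
    if not m:  # e.g. no metric at all, or a non dotted-quad field
        raise ValueError(f"malformed Framed-Route: {value!r}")
    dest, plen = m.group("dest"), m.group("plen")
    if plen is None:
        plen = _classful_prefixlen(int(dest.split(".")[0]))
    net = ipaddress.IPv4Network(f"{dest}/{plen}", strict=False)
    # A gateway of 0.0.0.0 tells the NAS to use the user's own address.
    gw = ipaddress.IPv4Address(m.group("gw"))
    metrics = [int(x) for x in m.group("metrics").split()]
    return {"destination": net, "gateway": gw, "metrics": metrics}

def is_valid_framed_route(value: str) -> bool:
    try:
        parse_framed_route(value)
        return True
    except ValueError:
        return False
```

Per the RFC a bare 0.0.0.0 destination defaults to the classful /8 and at least one metric is required, so a default route is written 0.0.0.0/0 with a metric; how lenient a particular NAS is about either is NAS-specific.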

Re: Problems with my radrelay configuration?

2011-10-17 Thread tonimanel
Anybody can help me? Please!! I need to get a good configuration!

Thanks!



Ippool giving gateway addresses

2011-10-17 Thread Alejandro Gandara
Hi List,


I have two doubts which I couldn't resolve properly. I'll be so pleased if
someone could give me a hand.

1º Is there any way to configure ippool to give a gateway for each
configured pool?

2º How could I check the bind addresses in db.* files?

3º Radiuis-Framed-Routing is used to configure a gateway for each profile?


Thanks for your time and your patience.