Re: Why Authorization before Authentication?

2011-11-24 Thread Iliya Peregoudov

In general there are three steps in processing an Access-Request:

- identify
- authenticate
- authorize

First you need to identify the subscriber. In general you should consult 
the subscriber database (backend). To minimize the number of round-trips with 
the subscriber database it is better to return the whole subscriber profile 
to the AAA server. The AAA server can then decide to proceed with 
authentication, grant access without authentication, deny access without 
authentication, or just pass the matter to a proxy. This is exactly what the 
authorize section does. The subscriber profile retrieved in this step is 
stored ad hoc, usually in the control and reply lists of the request.


To authenticate the subscriber you need to check the credentials it provides. 
This is what the authenticate section does. Most authentication modules 
use the Cleartext-Password attribute from the control list to check credentials 
against.


To authorize the subscriber you should make a decision based on both the 
subscriber profile and the authentication result. This is what the post-auth 
section does. Put your authorization policies in this section.


Edgar Fuß wrote:

A probably simple question I could not find explained in the FAQ or the 
Concepts section:

Given that Authentication is proving who I am and Authorization is checking 
what I'm allowed to do, I naively would have expected a RADIUS server to first 
authenticate me and then check my authorization.
Surely for a reason, what FreeRADIUS does is the other way round: first try all 
authorization modules and then use one authentication module.
I hope I got this right.
I would like to be pointed to a document explaining the rationale behind this. 
It's probably obvious to anyone familiar with the matter, but that doesn't 
include me.

Thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






Question at certificates

2011-11-24 Thread Andreas Rudat
Hi,

I'm a little bit confused. I configured radius with a self-signed cert,
PEAP+MSCHAP, so if I try to connect with an Android or Apple device I
get the question whether I want to accept the server cert, that's OK, but with
Windows or Linux I get the error that there is no cert, but it still
works. Why don't these clients download
the cert? I can manually add them, sure, but why is that so different?

Thanks



RES: RES: How to use radacct in two different databases

2011-11-24 Thread Nataniel Klug
Phil,

Thank you, I will test the configuration and try it in the
real world. Hope it works!

Regards,

Nataniel Klug

--


 -Original Message-
 From: freeradius-users-bounces+listas.nata=cnett.com...@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+listas.nata=cnett.com...@lists.freeradius.org] On behalf of Phil
 Mayers
 Sent: Wednesday, 23 November 2011 17:56
 To: freeradius-users@lists.freeradius.org
 Subject: Re: RES: How to use radacct in two different databases
 
 On 11/23/2011 08:42 PM, Nataniel Klug wrote:
  I think I did not make myself clear. I need to store radacct data
on
  MySQL and all the rest in PostgreSQL. I was reading about multiple
 
 Ok, that's clear.
 
  instances of SQL (for redundant purposes) and I think it can be used.
  So in my sites-enable/client file I would have something like sql on
  Authorization section (and this instance would be a PostgreSQL) and a
  sql1 on Accounting section (this would be a MySQL). In sqlippool.conf
  I can set it to run over sql instance (using PostgreSQL).
 
  Is this possible? I need to access just the data on radacct over
  MySQL.
 
 Yes. The config you've described should work. sqlippool will talk to your
 postgres install, and accounting will go into your mysql install.


Re: Question at certificates

2011-11-24 Thread Alan DeKok
Andreas Rudat wrote:
 I'm a little bit confused. I configured radius with a self-signed cert,
 PEAP+MSCHAP, so if I try to connect with an Android or Apple device I
 get the question whether I want to accept the server cert, that's OK, but with
 Windows or Linux I get the error that there is no cert, but it still
 works. Why don't these clients download
 the cert? I can manually add them, sure, but why is that so different?

  That's how they work.  Ask Microsoft why they designed their system
that way.  We have no idea.

  Alan DeKok.


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Alan DeKok
Jakub Pech wrote:
 please can anybody give me a hint how to get vendor specific attributes
 from LDAP and send them to the NAS? My freeradius version is 2.1.7-7.el5.

  See the ldap.attrmap file.  This is documented.

  VSAs are just attributes.  Use the name.  Nothing else needs to be done.

 When I authenticate against the users file, everything works well.
...
 So the user is authenticated but no Juniper-Local-User-Name attribute
 has been sent.

  Well... where did you define it?

  Alan DeKok.


Re: Number of queued Requests

2011-11-24 Thread Alan DeKok
Mohd Khaldi wrote:
I have a question: how do I find the number of Access-Requests and
 Accounting-Requests that are actually in the RADIUS queue?

  You don't.

  In the git master branch, most of those stats are exported.

  Alan DeKok.


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Jakub Pech

Hi,

 See the ldap.attrmap file. This is documented.
I sent the rows I've added to ldap.attrmap in my previous mail. Is there 
anything wrong??


 Well... where did you define it?
First in users file for testing purposes. Worked OK. Then in LDAP.


Thanks Jakub




Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Fajar A. Nugraha
On Thu, Nov 24, 2011 at 7:30 PM, Jakub Pech jakub.p...@spinoco.com wrote:
 Hi,

 See the ldap.attrmap file. This is documented.
 I sent the rows I've added to ldap.attrmap in my previous mail. Is there
 anything wrong??

Normally an ldap attribute will be translated as a radius check or
reply item, not both (which is what you did).

-- 
Fajar


Re: Testing Wlan

2011-11-24 Thread Andreas Rudat
On 20.11.2011 13:05, Alan DeKok wrote:
 Andreas Rudat wrote:
 that's what I tried, but I get no info from the other client, only if
 they ping each other. Encryption is WPA+AES and what should I see if it
 is encrypted? TLS info?
   This is a network connectivity problem.  It isn't a RADIUS problem.

   Alan DeKok.

But which? I tried my WLAN in monitor mode and, sniffing with Wireshark, I
found traffic between the APs, but Wireshark shows only that it's the WLAN
protocol and I don't see any clear traffic.


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Jakub Pech

Hi,

Normally an ldap attribute will be translated as a radius check or 
reply item, not both (which is what you did).

First I had only the radius check item. I added the radius reply item later while testing.
I'm almost sure that that is not the cause of my problem.

Please can anybody send me the steps to get some attribute from an LDAP 
server? Maybe I've only missed some configuration step or something like 
that.
1. Do I have to run the LDAP service on the same server on which I'm running 
freeradius?

2. Do I have to add my LDAP schema to some freeradius configuration file?

I did:
1/set up the connection with remote LDAP server
2/set radius check item in ldap.attrmap.


Thanks for the help, I've been googling it for the 4th day in a row.


Jakub





Technical paper how Freeradius works?

2011-11-24 Thread Andreas Rudat

Hi,

are there any and I don't see them, besides man pages/config files?

Thanks



Re: Technical paper how Freeradius works?

2011-11-24 Thread Alan Buxey
Hi,
 
 Hi,
 
 are there any and I don't see them, besides man pages/config files?

what is it that you are after?  what do you define by 'technical' ?

alan


Re: Technical paper how Freeradius works?

2011-11-24 Thread Andreas Rudat
On 24.11.2011 16:04, Alan Buxey wrote:
 Hi,
 Hi,

 are there any and I don't see them, besides man pages/config files?
 what is it that you are after?  what do you define by 'technical' ?

 alan


for example how exactly auth. works or how the radius protocol works

Andreas


Re: Technical paper how Freeradius works?

2011-11-24 Thread Alan DeKok
Andreas Rudat wrote:
 for example how does exactly auth. works or the radius protocol works

  We don't document RADIUS.  See the RFCs for that.

  As for how the server works, see the doc directory.  There are a lot
of files there describing how the server works.

  Alan DeKok.


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Jakub Pech
In the documentation of freeradius 1.x I found that I have to import 
RADIUS-LDAPv3.schema into OpenLDAP. If I understand right, the radius server 
needs to know the LDAP structure to be able to get values from defined 
attributes.


But in freeradius 2.x there is no RADIUS-LDAPv3.schema and I did not 
find any other schema file where I should add my LDAP attributes.



Do I have to import my OpenLDAP schema into freeradius to be able to get 
Vendor Specific Attributes from it?



Jakub


On 24.11.11 13:08, Alan DeKok wrote:

   Well... where did you define it?


Re: Technical paper how Freeradius works?

2011-11-24 Thread Andreas Rudat
On 24.11.2011 16:33, Alan DeKok wrote:
 Andreas Rudat wrote:
 for example how does exactly auth. works or the radius protocol works
   We don't document RADIUS.  See the RFCs for that.

   As for how the server works, see the doc directory.  There are a lot
 of files there describing how the server works.

   Alan DeKok.

ok thanks.
Andreas



Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Alan DeKok
Jakub Pech wrote:
 But in freeradius 2.x there is no RADIUS-LDAPv3.schema and I did not
 find any other schema file where I should add my LDAP attributes.

  See doc/examples/

 Do I have to import my OpenLDAP schema to freeradius to be able to get
 Vendor Specific Attributes from it?

  You'll need to edit the schema for VSAs.

  Alan DeKok.


rlm_perl radiusd::radlog $type codes

2011-11-24 Thread Edgar Fuß
The rlm_perl Documentation (in the Wiki) lists the $type values for 
radiusd::radlog($type, $message) as
0 - Debug
1 - Auth
2 - Proxy
3 - Info
4 - Error
while include/radiusd.h says
#define L_DBG   1
#define L_AUTH  2
#define L_INFO  3
#define L_ERR   4
#define L_PROXY 5
#define L_ACCT  6
#define L_CONS  128
and I can see no translation in src/modules/rlm_perl.c. Am I missing something 
or is this a documentation error?


Re: Why Authorization before Authentication?

2011-11-24 Thread Edgar Fuß
 - identify
 - authenticate
 - authorize
Ah, thanks! I understand the process much better now, replacing the section 
names (authorize, authenticate, post-auth) with what you gave (identify, 
authenticate, authorize).

 Put your authorization policies in [the post-auth] section.
OK, now it all makes sense.
But then I need to communicate things from authenticate to there. Where can I 
learn which items I'm allowed/supposed to use for that?


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Jakub Pech

Alan DeKok wrote:

   See doc/examples/
I've edited openldap.schema and added a new attributetype + added a new 
attribute to the radiusprofile class. I also applied this schema to my 
OpenLDAP server. Does freeradius get the LDAP schema from the 
docs/examples/openldap.schema file? The path docs/examples is confusing me.

  You'll need to edit the schema for VSAs.
The schema has been edited but there is no change in behaviour. Do I 
have to import the edited schema into freeradius somehow?




Thanks Jakub Pech


Re: Why Authorization before Authentication?

2011-11-24 Thread Alan Buxey
What are you going to send from authenticate? It should be simple: password 
correct or password wrong. Everything else should be in post-auth, authorize or 
even post-proxy.

alan

--
Message may be brief as it has been sent from my mobile



Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Alan Buxey
Hi,

 See doc/examples/
 I've edited openldap.schema and add new attributetype + add new 
 attribute to radiusprofile class. This schema I applied also to my 
 OpenLDAP server. Does freeradius get the LDAP schema from 
 docs/examples/openldap.schema file? The path docs/examples is confusing me.

No, it doesn't.

docs/ is just a documentation folder... and the examples are just examples within!

The server reads its configuration from its usual path.

If you read the docs, the wiki and the config files, you will see that in 
modules/ldap
the following is listed:

dictionary_mapping = ${confdir}/ldap.attrmap

so, just edit ldap.attrmap in the raddb config directory - and use the schema
file to update your LDAP

this document might help you further

http://freeradius.org/radiusd/doc/ldap_howto.txt

alan


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Fajar A. Nugraha
On Thu, Nov 24, 2011 at 9:43 PM, Jakub Pech jakub.p...@spinoco.com wrote:
 Hi,

Normally an ldap attribute will be translated as a radius check or reply
 item, not both (which is what you did).

 First I had only radius check. I added radius reply later while testing.
 I'm almost sure that that is not the cause of my problem.

Why are you doing that? Your working debug log says

Sending Access-Accept of id 101 to 31.186.188.2 port 60528
Juniper-Local-User-Name := class2
Finished request 0.

Something that you send to the NAS is a reply item. Why did you put it
as radius check?  And if you're sure it's not the problem (meaning you
already know what the source of problem is), then why ask here?

-- 
Fajar


Re: Why Authorization before Authentication?

2011-11-24 Thread Fajar A. Nugraha
On Thu, Nov 24, 2011 at 11:49 PM, Edgar Fuß e...@math.uni-bonn.de wrote:
 - identify
 - authenticate
 - authorize
 Ah, thanks! I understand the process much better now, replacing the section 
 names (authorize, authenticate, post-auth) with what you gave (identify, 
 authenticate, authorize).

 Put your authorization policies in [the post-auth] section.
 OK, now it all makes sense.
 But then I need to communicate things from authenticate to there. Where can I 
 learn which Items I'm allowed/supposed to use for that?

One way to learn is to look at the example in sites-available/default.
Some common uses for post-auth:
- logging (sql, sql_log, reply_log)
- allocating an IP address (sqlippool)

Another thing you can do in post-auth is perform various checks and
attribute modifications using unlang (see man unlang). Unlang can
work on some types of variables, including:
- check attributes (e.g. from the radcheck table, users file, whatever)
populated during the authorization phase.
- request attributes (i.e. the attributes sent by the NAS)
- reply attributes (i.e. the attributes that FR will send to the NAS as
the result of the previous authorization and authentication phases. Can
contain data from the radreply table, users file, etc.)

So to answer your question, to communicate things from authenticate
to there you simply use those variables, e.g.:
- %{request:User-Password} - the password sent by the user if it uses PAP
- %{control:Pool-Name} - the pool name set (for sqlippool) in radcheck

You can even get additional data directly from your backend. For
example, if you want to include a custom Reply-Message attribute using
data from an SQL table, you can use this in post-auth:

    update reply {
        # "sql" is the instance name of the rlm_sql module doing the lookup;
        # the expansion is quoted so that the result is one string value
        Reply-Message += "%{sql:SELECT comment FROM comment_table WHERE username='%{User-Name}'}"
    }

Again, see man unlang for more details.

-- 
Fajar

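Putting Iliya Peregoudov's three steps (identify, authenticate, authorize) from the first message of this thread and the post-auth advice above into one virtual server: the following is an added example written for this page, not configuration from the thread or from the FreeRADIUS distribution. The users alice and bob, their passwords, the VLAN id and the Session-Timeout value are constructed; the module names (preprocess, files, pap, mschap, attr_filter) and the Auth-Type values are the stock FreeRADIUS 2.x ones.

```text
# raddb/users: the profile that the "identify" step loads into the request.
# Cleartext-Password is a check item (it lands in the control list); the
# Tunnel-* attributes are reply items (reply list).
alice   Cleartext-Password := "s3cret"
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := "20"

bob     Cleartext-Password := "pa55word"

# raddb/sites-enabled/default: only the three sections discussed in the thread
authorize {
        preprocess

        # identify: load the subscriber profile from the backend
        files
        if (notfound) {
                # unknown subscriber: deny without running authenticate at all
                reject
        }

        # grant without authentication: MAC-authentication style requests
        # carry no credentials, so the profile alone decides
        if (Service-Type == Call-Check) {
                update control {
                        Auth-Type := Accept
                }
        }

        # pick the authentication method from the credentials in the request:
        # pap sets Auth-Type := PAP when User-Password is present and a
        # Cleartext-Password is known; mschap does the same for MS-CHAP
        pap
        mschap
}

authenticate {
        # only the credential check lives here; the outcome is accept or reject
        Auth-Type PAP {
                pap
        }
        Auth-Type MS-CHAP {
                mschap
        }
}

post-auth {
        # authorize: the profile (control and reply lists) and the
        # authentication result are both known here. Wireless access requires
        # a VLAN in the profile, so bob authenticates fine but is still refused
        # on Wi-Fi, while alice is accepted with her VLAN.
        if (NAS-Port-Type == Wireless-802.11 && "%{reply:Tunnel-Private-Group-Id}" == "") {
                update reply {
                        Reply-Message := "no VLAN assigned for %{User-Name}"
                }
                reject
        }

        update reply {
                Session-Timeout := 3600
        }

        # a reject from this section still carries the reply list; strip the
        # attributes that must not go out in an Access-Reject
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
```

Running the server with radiusd -X prints the return code of every module in each section, which is the quickest way to see which of the three steps refused a request: "reject" right after files means the subscriber was never identified, a reject from the authenticate section means the credentials were wrong, and a reject in post-auth means the policy above refused an otherwise valid login.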