Re: Radius with Java
On Thu, Dec 22, 2011 at 3:08 PM, jeissonfabian...@gmail.com wrote:
> Yeah, I found a lot of problems with JRadius, and tried TinyRadius, it's easy! And it didn't present any problem. Thanks!

I use this BeanShell script (www.beanshell.org), which allows Java code to be executed from the command line without needing to be compiled. Easy for remote server testing, multi-platform, without needing radclient and with just Java installed on the remote end.

java -cp bsh-2.0b4.jar:TinyRadius-1.0.jar:commons-logging-1.1.1.jar bsh.Interpreter radius.bsh

---radius.bsh---
import org.tinyradius.util.*;
import org.tinyradius.packet.*;

// RADIUS server, shared secret and the test credentials to try
String radiusHost = "192.168.0.1";
String radiusSharedSecret = "sharedsecret";
String radiusUser = "user";
String radiusPassword = "password";

RadiusClient rc = new RadiusClient(radiusHost, radiusSharedSecret);
rc.setRetryCount(1);

// Build a PAP Access-Request for the test user
AccessRequest ar = new AccessRequest(radiusUser, radiusPassword);
ar.setAuthProtocol(AccessRequest.AUTH_PAP);

try {
    RadiusPacket response = rc.authenticate(ar);
    if (response.getPacketType() == RadiusPacket.ACCESS_ACCEPT) {
        msg = "Success: Expected radius response";
    } else {
        msg = "Warning: RADIUS authentication did not return expected response " + response.getPacketType();
    }
} catch (Exception e) {
    // timeout, bad shared secret (response fails verification) or network error
    msg = "Error: RADIUS authentication failed " + e;
}
print(msg);
---end beanshell script---

Cheers
Peter

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Proxying to a virtual server through unlang?
Hi All,

I'm trying to get into the unlang world since it seems really powerful, but I can't get my hands around a simple virtual server switching scenario. I basically want to switch to a virtual server based on some attributes, Service-Type for instance. This is because on some network hardware I can't add a radius server for every type of authentication, so everything (802.1x, mac-auth, prompt auth) goes to the same server.

I found a thread suggesting to do the following: (http://freeradius.1045715.n5.nabble.com/virtual-servers-tt2769141.html)

authorize {
	switch Service-Type {
		#MAC authentication
		case 'Call-Check' {
			update control { server[mac-auth] }
		}
		#NAS console authentication
		case 'NAS-Prompt-User' {
			update control { server[mac-auth] }
		}
	}
}

This works, as the debug log shows:

# Executing section authorize from file /etc/freeradius/sites-enabled/nas-auth

However it only executes the authorize section of the nas-auth virtual server. I could create realms for the virtual servers and proxy to them by using Proxy-To-Realm := mac-auth instead of the server[] directive. But I kind of liked the minimal unlang approach. Is there any good way of accomplishing this purely with unlang, or is it still best to use the proxying approach using realms?

Here's a log of the process. As you can see it only issues the authorize section of the nas-auth virtual server, as opposed to going through the full server when using Proxy-To-Realm.
rad_recv: Access-Request packet from host 10.6.254.62 port 1025, id=152, length=95
	User-Name = testusr
	User-Password = testpwd
	NAS-IP-Address = 10.6.254.62
	NAS-Identifier = ST-AN07258-412
	NAS-Port-Type = Virtual
	Service-Type = NAS-Prompt-User
	Message-Authenticator = 0x63ee5e1b0f7b81e883780f9e57c2941c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering switch Service-Type {...}
+++- entering case NAS-Prompt-User {...}
server nas-auth { # nested call
# Executing section authorize from file /etc/freeradius/sites-enabled/nas-auth
+- entering group authorize {...}
++? if (Service-Type == 'NAS-Prompt-User')
? Evaluating (Service-Type == 'NAS-Prompt-User') -> TRUE
++? if (Service-Type == 'NAS-Prompt-User') -> TRUE
++- entering if (Service-Type == 'NAS-Prompt-User') {...}
[edir-ldap] performing user authorization for testusr
[edir-ldap] 	expand: %{Stripped-User-Name} ->
[edir-ldap] 	... expanding second conditional
[edir-ldap] 	expand: %{User-Name} -> testusr
[edir-ldap] 	expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=testusr)
[edir-ldap] 	expand: ou=users,o=radius -> ou=users,o=radius
[edir-ldap] ldap_get_conn: Checking Id: 0
[edir-ldap] ldap_get_conn: Got Id: 0
[edir-ldap] performing search in ou=users,o=radius, with filter (cn=testusr)
[edir-ldap] checking if remote access for testusr is allowed by cn
[edir-ldap] Added the eDirectory password testpwd in check items as Cleartext-Password
[edir-ldap] No default NMAS login sequence
[edir-ldap] looking for check items in directory...
[edir-ldap] looking for reply items in directory...
[edir-ldap] user testusr authorized to use remote access
[edir-ldap] ldap_release_conn: Release Id: 0
+++[edir-ldap] returns ok
++- if (Service-Type == 'NAS-Prompt-User') returns ok
++ ... skipping else for request 4: Preceding if was taken
} # server nas-auth with nested call
[server[nas-auth]] returns ok
+++- case NAS-Prompt-User returns ok
++- switch Service-Type returns ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
Login OK: [testusr] (from client primary-network port 0)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
++? if (%{request:Calling-Station-Id} =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i )
	expand: %{request:Calling-Station-Id} ->
? Evaluating (%{request:Calling-Station-Id} =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) -> FALSE
++? if (%{request:Calling-Station-Id} =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i ) -> FALSE
++[callingstationid2vlanid] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++[reply] returns notfound
Sending Access-Accept of id 152 to 10.6.254.62 port 1025
	Service-Type = Framed-User
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 =
Re: Proxying to a virtual server through unlang?
On 01/03/2012 07:40 AM, Arnaud Loonstra wrote:
> However it only executes the authorize section of the nas-auth virtual server.

Yes. That is how that feature works.

> I could create realms for the virtual servers and proxy to them by using Proxy-To-Realm := mac-auth instead of the server[] directive.

Do this. It works much closer to what you want, AFAICT.

> But I kind of liked the minimal unlang approach. Is there any good way of accomplishing this purely with unlang or is it still best to use the proxying approach using realms?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
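Added example of the realm-based approach Phil recommends; this is not configuration from the thread. It is written in FreeRADIUS 2.x syntax and assumes the 2.x home_server `virtual_server` option (a home server that names a local virtual server instead of an ipaddr/secret); that option is written here from memory, so check the comments in your own raddb/proxy.conf before relying on it. The virtual server names mac-auth and nas-auth and the Service-Type values are taken from Arnaud's post. The difference from the `server[...]` call is that a request proxied through a realm is run through the whole target virtual server (authorize, authenticate, post-auth), not only its authorize section.

```conf
# raddb/proxy.conf (added example, FreeRADIUS 2.x syntax assumed).
# A home_server with virtual_server instead of ipaddr/secret hands the
# request to a local virtual server; nothing leaves the box.
home_server mac-auth {
	type = auth
	virtual_server = mac-auth
}

home_server nas-auth {
	type = auth
	virtual_server = nas-auth
}

home_server_pool mac-auth {
	type = fail-over
	home_server = mac-auth
}

home_server_pool nas-auth {
	type = fail-over
	home_server = nas-auth
}

realm mac-auth {
	auth_pool = mac-auth
}

realm nas-auth {
	auth_pool = nas-auth
}

# raddb/sites-enabled/default, authorize section (added example).
# Setting Proxy-To-Realm in the control list makes the server proxy the
# request to that realm once authorize has finished; the target virtual
# server then runs its own authorize, authenticate and post-auth sections.
authorize {
	preprocess

	switch Service-Type {
		# MAC authentication
		case 'Call-Check' {
			update control {
				Proxy-To-Realm := "mac-auth"
			}
		}

		# NAS console (prompt) authentication
		case 'NAS-Prompt-User' {
			update control {
				Proxy-To-Realm := "nas-auth"
			}
		}

		# Everything else (e.g. 802.1X) stays in this server and falls
		# through to the modules listed after the switch. An explicit
		# default case makes that intent visible.
		case {
			noop
		}
	}

	# modules that handle the non-proxied requests follow here
}
```

With this in place, `radiusd -X` shows the request being proxied to the realm and the whole of the nas-auth or mac-auth server executing, rather than the nested `server nas-auth { ... }` block in Arnaud's log. Keep a default case: a Service-Type that matches no case must still end up being authenticated by the default server, not accepted by accident.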
Re: pam_ldap and 802.1x environment
On 01/02/2012 11:45 PM, Thorsten Scherf wrote:
> Hey, this is a comprehension question. When I have a ldap directory to authenticate users with pam_ldap when they login to their local workstations, how can I secure network access with radius?! I mean, isn't that a chicken egg problem? How would I be able to talk to the ldap server before I successfully authenticated against Radius? For sure I do miss something, would be great if somebody could enlighten me. :)

If you want to use the login credentials to speak 802.1x, it can't be done currently, as far as I know; you would need some kind of PAM module that spoke to the system 802.1x supplicant. As far as I'm aware, there is no such module.

This can be done under Windows.

Alternatively, you could just use a machine-specific account to perform 802.1x. This can be done today with NetworkManager and a system connection profile. This eliminates the chicken/egg issue.

Anyway, this is not a FreeRADIUS question - you should ask around the PAM lists, or maybe ask the Gnome/NetworkManager guys.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Framed-IP-Address not working
I have assigned a static IP to some users but the users are still getting IP addresses from the OpenVPN server pool. What am I missing?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pam_ldap and 802.1x environment
On 03/01/12 09:42, Thorsten Scherf wrote:
> I tried a combination of pam_radius_auth and pam_unix, that worked ok. I guess the same can be done with pam_ldap as well, needs some testing, though.

Sorry, I am confused. By "secure network access" I assumed you meant "how can I use the login credentials to login to the network with 802.1x" - is this correct?

Neither pam_radius_auth nor pam_ldap will do that.

>> This can be done under Windows.
>>
>> Alternatively, you could just use a machine-specific account to perform 802.1x. This can be done today with NetworkManager and a system connection profile. This eliminates the chicken/egg issue.
>
> When I check the 802.1x settings in NM, I don't see where I can configure a machine account, only user-accounts which is fine. Am I missing something?

"Machine account" is a term specific to Windows domain authentication. If you want a "machine account" for Linux, you'll have to create a normal account and put the credentials in a system NetworkManager connection definition.

> Maybe the whole question should be more general. Can you give me an example, how a desktop/notebook system (Linux or Windows based) with centralized user management (ldap/krb5/ad) has to be configured in order to benefit from 802.1x benefits like dynamic vlan assignments and things like that?!

No sorry, that's a huge and very vague question that doesn't make a lot of sense. You'll need to do some research yourself, or ask more specific questions.

It's also not FreeRADIUS-specific.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Framed-IP-Address not working
On Tue, Jan 3, 2012 at 5:30 PM, Azfar Hashmi azfar.has...@cloudways.com wrote:
> I have assigned a static IP to some users but the users are still getting IP addresses from the OpenVPN server pool. What am I missing?

What does freeradius debug log say?

-- Fajar

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: max length user name
On 03/01/12 11:22, Alejandro Gándara wrote:
> Hi list, Using radius 2.1.10 I'm having problems with the length of user names. How can I log a user with a username longer than 17?

This isn't a FreeRADIUS limit. I suspect it's probably Windows / NetBIOS name lengths, which are capped at 16 characters. If the client is only sending 16 characters, you must fix the client. I don't know how to do that, or even if it's possible.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: max length user name
Hi list, thanks for the answer.

I've read on the internet about this problem; the length can't be increased. Could there be another way to fix this problem? It's something weird. I always thought that the NetBIOS name was the name of the machine, not the string used for login.

NetbiosName: Machine01
UserName: pepito
UserDomainName: Domain\\pepito

I think I'm far away from the solution. I hope you could point me in the right way.

Thanks for all.

Regards,
Alejandro

El 03/01/2012 12:42, Phil Mayers escribió:
> On 03/01/12 11:22, Alejandro Gándara wrote:
>> Hi list, Using radius 2.1.10 I'm having problems with the length of user names. How can I log a user with a username longer than 17?
>
> This isn't a FreeRADIUS limit. I suspect it's probably Windows / NetBIOS name lengths, which are capped at 16 characters. If the client is only sending 16 characters, you must fix the client. I don't know how to do that, or even if it's possible.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pam_ldap and 802.1x environment
On [Tue, 03.01.2012 11:24], Phil Mayers wrote:
> On 03/01/12 09:42, Thorsten Scherf wrote:
>> I tried a combination of pam_radius_auth and pam_unix, that worked ok. I guess the same can be done with pam_ldap as well, needs some testing, though.
>
> Sorry, I am confused. By "secure network access" I assumed you meant "how can I use the login credentials to login to the network with 802.1x" - is this correct?
>
> Neither pam_radius_auth nor pam_ldap will do that.

Ok, I should be more precise. Let's try it again.

Let's say I have a FreeRadius server with LDAP backend. The LDAP backend contains user and machine objects with RADIUS and POSIX specific attributes. I now want to use that LDAP box to act as a backend for 802.1x access as well as authentication server for logins based on pam_ldap. With LDAP only I should have a PAM config like this:

...
auth sufficient pam_ldap.so ...
...

In a 802.1x I won't have network access before my local supplicant sends proper login credentials to a NAS in order to get access to the network. With my understanding, that would require another PAM module that is called before pam_ldap. Something like this:

...
auth required pam_radius_auth.so ...
auth sufficient pam_ldap.so ...
...

IMHO, the pam_radius_auth is responsible to get proper network access that would help pam_ldap to talk to the LDAP server in order to do a second level of authentication, in order to benefit from things like password policy and things like that. Maybe I'm completely wrong here, that's why I asked for some clarification.

>> Maybe the whole question should be more general. Can you give me an example, how a desktop/notebook system (Linux or Windows based) with centralized user management (ldap/krb5/ad) has to be configured in order to benefit from 802.1x benefits like dynamic vlan assignments and things like that?!
>
> No sorry, that's a huge and very vague question that doesn't make a lot of sense. You'll need to do some research yourself, or ask more specific questions.

OK, I'll try it again. User foo works for company BAR. Company BAR uses centrally organized user accounts hosted on a LDAP server. User foo has a notebook that doesn't have a local foo account available. In order to login, foo has to talk to the central LDAP server (via PAM/NSS) in order to authenticate and receive information like uid, gid, homeDir, shell and things like that. Company BAR uses 802.1x to secure all ethernet ports. Now, when user foo plugs his notebook into an ethernet port that is secured by 802.1x, he first has to authenticate using 802.1x before he can talk to the LDAP server. Question now is, how does this work when user foo logs into his notebook by GDM or something similar?! The machine would have to lookup the provided user credentials on a LDAP server - that would not work since no access to the network is possible at that time, thus another action has to take place to authenticate using 802.1x.

Again, maybe I'm completely wrong with my assumptions, if so, please tell me how to setup an environment like the one described above. Also, if this is not the right list to ask, can you point me to a proper list?

Thanks.

Thorsten

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Multiple values for reply attributes in radreply
Hello,

I am trying to send back the same attribute in radreply and/or radgroupreply with different values to the NAS.

Example: NAS sends an Auth Request. Freeradius accepts the request and sends back attributes in radreply (or radgroupreply) (via sql table).

Problem: sending back the same attribute with different values seems to not be possible. Only the first attribute is sent back.

radreply table (id/username/attribute/op/value) content:

2  toto  Cisco-AVPair  =  h323-ivr-in=Routing:192.168.1.10;expires=30;np_expires=40
3  toto  Cisco-AVPair  =  h323-ivr-in=Routing:192.168.1.20;expires=30;np_expires=40

I tried also without Cisco-AVPair in the same radreply table:

4  toto  h323-ivr-in  =  Routing:192.168.1.10;expires=30;np_expires=40
5  toto  h323-ivr-in  =  Routing:192.168.1.20;expires=30;np_expires=40

In both cases the received attribute on the NAS side is:

h323-ivr-in=Routing:192.168.1.10;expires=30;np_expires=40

Before these tests I tried simply the radtest tool for the same user, and apparently Freeradius is sending back ONLY the oldest ID from the table radreply and NOT all the IDs matched by the select request.

Also tested using the USERS file with the same replies:

h323-ivr-in=Routing:192.168.1.10;expires=30;np_expires=40,
h323-ivr-in=Routing:192.168.1.20;expires=30;np_expires=40,
Fall-Through = Yes

Is there something to do in the configuration to fix/allow that?

regards
--
Christian Thomas
Mobile +55 (48) 8446 3575
Landline +55 (48) 3717 5005
Paris +33 1 8197 9899
USA +1 303 997 3242

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: max length user name
On 03/01/12 12:10, Alejandro Gándara wrote:
> Hi list, thanks for the answer.
>
> I've read on the internet about this problem; the length can't be increased. Could there be another way to fix this problem?

I don't know. The client is sending a short username. You need to fix the client.

> It's something weird. I always thought that the NetBIOS name was the name of the machine, not the string used for login.

I agree. It's a stupid thing for windows to do.

> NetbiosName: Machine01
> UserName: pepito
> UserDomainName: Domain\\pepito
>
> I think I'm far away from the solution. I hope you could point me in the right way.

You need to fix the client.

It is quite odd, because I have seen windows machines working with longer usernames. Are you using the "use login credentials" option under the 802.1x profile?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Framed-IP-Address not working
Azfar Hashmi wrote:
> I have assigned a static IP to some users but the users are still getting IP addresses from the OpenVPN server pool. What am I missing?

If it's being sent to OpenVPN in an Access-Accept, then the problem is in OpenVPN. Ask them.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: max length user name
Alejandro Gándara wrote:
> I've read on the internet about this problem; the length can't be increased. Could there be another way to fix this problem?

Ask Microsoft how to fix their software.

> It's something weird. I always thought that the NetBIOS name was the name of the machine, not the string used for login.

Ask Microsoft how their software works.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pam_ldap and 802.1x environment
On 03/01/12 12:26, Thorsten Scherf wrote:
> Ok, I should be more precise. Let's try it again.
>
> Let's say I have a FreeRadius server with LDAP backend. The LDAP backend contains user and machine objects with RADIUS and POSIX specific attributes. I now want to use that LDAP box to act as a backend for 802.1x access as well as authentication server for logins based on pam_ldap. With LDAP only I should have a PAM config like this:
>
> ...
> auth sufficient pam_ldap.so ...
> ...
>
> In a 802.1x I won't have network access before my local supplicant sends proper login credentials to a NAS in order to get access to the network. With my understanding, that would require another PAM module that is called before pam_ldap. Something like this:
>
> ...
> auth required pam_radius_auth.so ...
> auth sufficient pam_ldap.so ...
> ...
>
> IMHO, the pam_radius_auth is responsible to get proper network access that would help pam_ldap to talk to the LDAP server in order to do a second level of authentication, in order to benefit from things like password policy and things like that. Maybe I'm completely wrong here, that's why I asked for some clarification.

I'm sorry, but you *are* completely wrong. You've misunderstood how PAM works, and what pam_radius_auth does.

pam_radius_auth is just like pam_ldap - it checks login credentials against a radius server, instead of an LDAP server.

pam_radius_auth DOES NOT perform 802.1x, or have anything to do with network connectivity.

Currently, Linux systems do not integrate the 802.1x authentication with the PAM login system. What you want to do can't be done.

The best you can do is either

a)
  1. Install NetworkManager
  2. Create a user account per-machine
  3. Define a system connection, using the per-machine account
  4. Use that system connection for 802.1x, and pam_ldap for login

or

b)
  1. Use some kind of cached login to login before network is up e.g. sssd or pam_ccreds
  2. After login, use per-user 802.1x connections

Ideally, there would be a 3rd option, where a mythical PAM module communicates the username/password to NetworkManager at login, waits for NetworkManager to perform 802.1x, and then continues with pam_ldap and similar - but that module does not exist.

> the LDAP server. Question now is, how does this work when user foo logs into his notebook by GDM or something similar?! The machine would have to lookup the provided user credentials on a LDAP server - that would not work since no access to the network is possible at that time, thus another action has to take place to authenticate using 802.1x.

As above - 802.1x and login authentication are not integrated on Linux. What you want to do can't be done currently.

And again, this is not really a FreeRADIUS question. You might want to ask on the NetworkManager or PAM mailing list(s) whether there are any plans to provide "single signon" 802.1x login authentication.

Cheers,
Phil

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pam_ldap and 802.1x environment
Thorsten Scherf wrote:
> Ok, I should be more precise. Let's try it again.
>
> Let's say I have a FreeRadius server with LDAP backend. The LDAP backend contains user and machine objects with RADIUS and POSIX specific attributes. I now want to use that LDAP box to act as a backend for 802.1x access as well as authentication server for logins based on pam_ldap.

Based on the rest of your message, you've confused a lot of topics.

802.1X means that the PC does EAP (PEAP, etc.) to the RADIUS server. The RADIUS server talks to LDAP in order to authenticate the user. The machine has network access AFTER 802.1X succeeds.

> In a 802.1x I won't have network access before my local supplicant sends proper login credentials to a NAS in order to get access to the network.

Yes.

> With my understanding, that would require another PAM module that is called before pam_ldap. Something like this:

No. You need a supplicant. e.g. wpa_supplicant. PAM *will not* help you. Looking at PAM for a solution means you are wasting your time.

> IMHO, the pam_radius_auth is responsible to get proper network access that would help pam_ldap to talk to the LDAP server in order to do a second level of authentication, in order to benefit from things like password policy and things like that. Maybe I'm completely wrong here, that's why I asked for some clarification.

pam_radius_auth uses IPv4 networking to send RADIUS packets. Therefore, it *cannot* be used before the user has network access.

PAM will not help you. Discard it.

> OK, I'll try it again. User foo works for company BAR. Company BAR uses centrally organized user accounts hosted on a LDAP server. User foo has a notebook that doesn't have a local foo account available. In order to login, foo has to talk to the central LDAP server (via PAM/NSS) in order to authenticate and receive information like uid, gid, homeDir, shell and things like that. Company BAR uses 802.1x to secure all ethernet ports.
>
> Now, when user foo plugs his notebook into an ethernet port that is secured by 802.1x, he first has to authenticate using 802.1x before he can talk to the LDAP server.

That is how 802.1X works. What you're missing is that 802.1X (network access) is *completely separate* from logging into the machine.

> Question now is, how does this work when user foo logs into his notebook by GDM or something similar?! The machine would have to lookup the provided user credentials on a LDAP server - that would not work since no access to the network is possible at that time,

Exactly.

> thus another action has to take place to authenticate using 802.1x.

I have no idea what that means.

> Again, maybe I'm completely wrong with my assumptions, if so, please tell me how to setup an environment like the one described above. Also, if this is not the right list to ask, can you point me to a proper list?

For Windows, the local machines cache credentials. So users can log in *without* accessing LDAP / AD / whatever.

For Linux systems... I don't know.

This is exactly the same as them taking the laptop home and logging in to it there. If that doesn't work right now, then solve that problem first. The same solution will apply to 802.1X in the corporate environment.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple values for reply attributes in radreply
Christian Thomas wrote:
> I am trying to send back the same attribute in radreply and/or radgroupreply with different values to the NAS

This is documented. See doc/rlm_sql, or "man unlang". The operators section describes what you want.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
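Added example, not from the thread, of the operator point Alan refers to, shown in users-file syntax because Christian tried the users file as well. In the users file, and in the op column of radreply/radgroupreply, `=` adds a reply attribute only if no attribute of that name is already in the reply, so the second Cisco-AVPair line is skipped; `+=` always appends. The username toto and the two Cisco-AVPair values come from Christian's post; the Cleartext-Password check item is a placeholder added here so the entry is complete.

```conf
# raddb/users (added example). First line: username and check items;
# the password is a placeholder. Indented lines: reply items, comma-
# separated, no comma after the last one.

# Broken: with "=", the second Cisco-AVPair is silently skipped because a
# Cisco-AVPair is already present in the reply by the time it is processed.
#toto	Cleartext-Password := "changeme"
#	Cisco-AVPair = "h323-ivr-in=Routing:192.168.1.10;expires=30;np_expires=40",
#	Cisco-AVPair = "h323-ivr-in=Routing:192.168.1.20;expires=30;np_expires=40"

# Fixed: "+=" appends regardless of what is already in the reply, so the
# NAS receives both values, in this order.
toto	Cleartext-Password := "changeme"
	Cisco-AVPair += "h323-ivr-in=Routing:192.168.1.10;expires=30;np_expires=40",
	Cisco-AVPair += "h323-ivr-in=Routing:192.168.1.20;expires=30;np_expires=40"
```

For the SQL tables the equivalent change is to store `+=` instead of `=` in the op column of both radreply rows (ids 2 and 3 in the post); rlm_sql applies the operator from that column when it adds each row to the reply, and the same applies to radgroupreply. A quick check is `radtest` against the server running in `radiusd -X`: the Access-Accept printed at the end of the debug output should now list both Cisco-AVPair values.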
Re: pam_ldap and 802.1x environment
On [Tue, 03.01.2012 14:21], Phil Mayers wrote:
> Currently, Linux systems do not integrate the 802.1x authentication with the PAM login system. What you want to do can't be done.

Ok, great, that's what I wanted to hear. I haven't worked with pam_radius_auth, it was just my assumption that it behaves like described earlier; if this is not the case - fine.

> The best you can do is either
>
> a)
>   1. Install NetworkManager
>   2. Create a user account per-machine
>   3. Define a system connection, using the per-machine account
>   4. Use that system connection for 802.1x, and pam_ldap for login
>
> or
>
> b)
>   1. Use some kind of cached login to login before network is up e.g. sssd or pam_ccreds
>   2. After login, use per-user 802.1x connections

Yeah, I already had this in mind, using sssd for a cached login or something, but this of course introduces other problems (like the initial login of a user, things like that). I thought there might be a more robust and easier solution. Seems I was wrong. :)

> Ideally, there would be a 3rd option, where a mythical PAM module communicates the username/password to NetworkManager at login, waits for NetworkManager to perform 802.1x, and then continues with pam_ldap and similar - but that module does not exist.

See, my assumption was, that a combination of pam_radius_auth and pam_ldap can be used to accomplish such a task. Thanks for making clear that this doesn't work.

>> the LDAP server. Question now is, how does this work when user foo logs into his notebook by GDM or something similar?! The machine would have to lookup the provided user credentials on a LDAP server - that would not work since no access to the network is possible at that time, thus another action has to take place to authenticate using 802.1x.
>
> As above - 802.1x and login authentication are not integrated on Linux. What you want to do can't be done currently.

Ok, no prob. Good to now have some clarification about that.

Thanks.

Cheers,
Thorsten

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Need basic help with accounting
Hello radius users,

I need some basic info/redirection to start using accounting with freeradius. I already learned how to use authentication, but I'm unable to figure out from the details in the configuration files how to do some accounting - basic stuff like when a user logs in or out, for a start. Can anyone point me to some documentation on how to do basic accounting for beginners?

--

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Need basic help with accounting
Cosmin Neagu wrote:
> I already learned how to use authentication, but I'm unable to figure out from the details in the configuration files how to do some accounting - basic stuff like when a user logs in or out, for a start. Can anyone point me to some documentation on how to do basic accounting for beginners?

Do *what* with accounting?

The NAS sends the server accounting packets. By default, the server logs them to the "detail" file.

What *else* do you want to do? Once you know that, the documentation should be easy to find.

Log them to SQL? -- Read the SQL documentation.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pam_ldap and 802.1x environment
On [Tue, 03.01.2012 09:28], Alan DeKok wrote:
> Thorsten Scherf wrote:
>> thus another action has to take place to authenticate using 802.1x.
>
> I have no idea what that means.

Well, what I meant was, before I can talk to LDAP via IP using pam_ldap, another action has to be performed BEFORE to get network access. I wrongly assumed that pam_radius_auth acts like a supplicant. Lesson learned, that this is not the case. I'm looking for something PAM-related that asks for 802.1x credentials to get network access (using wpa_supplicant or something) before the actual login (eg, via pam_ldap) happens. Looks like this piece of code doesn't exist so far.

>> Again, maybe I'm completely wrong with my assumptions, if so, please tell me how to setup an environment like the one described above. Also, if this is not the right list to ask, can you point me to a proper list?
>
> For Windows, the local machines cache credentials. So users can log in *without* accessing LDAP / AD / whatever.
>
> For Linux systems... I don't know.

The only solution I see so far is to use cached credentials as you described above. For Linux systems there are components available like sssd that can cache credentials, but, as said already in another mail, that introduces other problems.

Thanks for all your feedback, much appreciated. Will stop the discussion now, since, as Phil already mentioned a couple of times, this is not really freeradius specific.

Cheers,
Thorsten

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Accounting not working
Hello All,

I have 4 servers set up exactly the same at 4 different locations. Each server is using the exact same configs and is working perfectly well doing what I want it to do. The only issue I have is at the 1 location, I am not getting any accounting requests and therefore nothing is being updated in the radacct table.

Starting radiusd in debug mode -X shows that it's listening for accounting requests exactly the same as the 3 other locations, just no accounting requests are coming through. Is there any way to do a test to see if it's even listening and working at all?

I have been racking my brain over this the last few days, checking switch and router configs etc, but that is all the same as the other 3 locations as well. Everything is the same at all 4 locations, just this one location isn't doing the accounting.

Any help would be great :)

Thanks.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Framed-IP-Address not working
The same thing happens with Mikrotik. If you send the pool name then the assigned IP address is ignored...

On 1/3/2012 3:19 PM, Alan DeKok wrote:
> Azfar Hashmi wrote:
>> I have assigned a static IP to some users but the users are still getting IP addresses from the OpenVPN server pool. What am I missing?
>
> If it's being sent to OpenVPN in an Access-Accept, then the problem is in OpenVPN. Ask them.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Authorization with Active Directory
Hi,

I have configured the freeradius server to authenticate and authorize users with the supplied username and password against Active Directory. Till this stage, the user can be authenticated and authorized successfully with the credentials provided. For this purpose, the user is just authenticated and authorized depending upon the filter of the LDAP module which I have set. My LDAP module filter configuration is:

filter = (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})

But now I want to go deeper on authenticating and authorizing a user to allow or reject VPN or Wifi access, etc. For this purpose I have created an extension attribute in Active Directory and have assigned it the value VPN, Wifi, etc.

Now my question is: How can I set the filter in the LDAP module of FreeRadius to just allow the user belonging to VPN or Wifi? Should I add the extension attribute filter to the above mentioned filter? OR should I define 2 filters: the above one and another for the extension attribute? I tried defining 2 filters separately; it didn't work.

I know some people use the concept of Group for this purpose. In my case, I can't use Group. I just have to authenticate and authorize the user using an Active Directory attribute. I don't know whether this is the way to do it or not. Any idea would be really helpful.

This forum has really helped a lot for a beginner like me to reach this stage. Thanks everyone

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Authorization-with-Active-Directory-tp5117364p5117364.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authorization with Active Directory
On 03/01/12 16:55, suggestme wrote:

Hi, I have configured the freeradius server to authenticate and authorize users with the supplied username and password against Active Directory. Up to this stage, the user can be authenticated and authorized successfully with the credentials provided. For this purpose, the user is just authenticated and authorized depending upon the filter of the LDAP module which I have set. My LDAP module filter configuration is:

    filter = (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})

But now I want to go deeper on authenticating and authorizing users to allow or reject VPN or Wifi access, etc. For this purpose I have created an extension attribute in Active Directory and assigned it the value VPN, Wifi, etc. Now my question is: how can I set the filter in the LDAP module of FreeRADIUS to allow only the users belonging to VPN or Wifi? Should I add the extension attribute filter to the above mentioned filter? OR

Yes. Since the filter is dynamically expanded you can set:

    filter = (&(extensionAttrX=%{control:Tmp-String-0})(..original..))

...and then:

    authorize {
        ...
        if (Some-Condition == Some-Value) {
            update control {
                Tmp-String-0 := "VPN"
            }
        }
        else {
            update control {
                Tmp-String-0 := "Wifi"
            }
        }
        ldap
        if (notfound) {
            reject
        }
        ...
    }

should I define 2 filters: the above one and another for the extension attribute? I tried defining 2 filters separately; it didn't work.

No. 2 filters won't work - filter is a singleton config item of the ldap module.

I know some people use the concept of Group for this purpose. In my case, I can't use Group. I just have to authenticate and authorize users using an Active Directory attribute.

The *other* option is to query the attribute from the LDAP directory, then check it in FreeRADIUS, like so:

    authorize {
        ...
        ldap
        update request {
            Tmp-String-0 := "%{ldap:///%{Ldap-UserDN}?extensionAttrX?base?objectClass=*}"
        }
        if ((Tmp-String-0 == "Wifi") && (...)) {
            ...
        }
    }

Which is best will depend on your tastes and needs. The first might be slightly quicker, because it will only use 1 LDAP query instead of 2. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
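As an added example (Python written for this page, not code from the thread or from FreeRADIUS): the AND-composed filter from the reply above, built by hand, with RFC 4515 escaping of the two dynamic values. rlm_ldap already escapes its xlat expansions when it assembles the filter; this shows what that protection buys by counting how many assertions a hostile User-Name manages to add when the value is and is not escaped. The attribute name extensionAttrX and the hostile username are placeholders, and anyone assembling a similar filter outside FreeRADIUS (a script, a web front-end) needs the same escaping.

```python
"""Constructed example for the thread above (not FreeRADIUS code): build the
AND-composed AD authorization filter and escape the user-controlled values
per RFC 4515. rlm_ldap escapes xlat expansions inside its own 'filter' for
you; this shows what that escaping does, for anyone assembling a similar
filter by hand in a script or front-end."""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str, access_type: str) -> str:
    """Naive interpolation: what an unescaped %{User-Name} would produce."""
    return f"(&(extensionAttrX={access_type})(sAMAccountName={username}))"


def build_filter(username: str, access_type: str) -> str:
    """The filter from the reply above, with both dynamic values escaped.

    access_type stands in for %{control:Tmp-String-0} ('VPN' or 'Wifi');
    username stands in for %{%{Stripped-User-Name}:-%{User-Name}}.
    extensionAttrX is the placeholder attribute name used in the thread."""
    return (f"(&(extensionAttrX={ldap_escape(access_type)})"
            f"(sAMAccountName={ldap_escape(username)}))")


def count_assertions(filt: str) -> int:
    """Count leaf assertions '(attr=value)' by scanning unescaped parentheses.

    A '(' followed by '&', '|' or '!' opens a compound group, not a leaf.
    Used to show whether user input changed the filter's structure."""
    leaves = 0
    i = 0
    while i < len(filt):
        if filt[i] == "\\":
            i += 3          # skip a \XX hex escape
            continue
        if filt[i] == "(" and i + 1 < len(filt) and filt[i + 1] not in "&|!":
            leaves += 1
        i += 1
    return leaves


if __name__ == "__main__":
    # Constructed hostile User-Name that tries to append its own assertion.
    hostile = "*)(objectClass=*"
    for label, fn in (("unsafe", build_filter_unsafe), ("escaped", build_filter)):
        f = fn(hostile, "Wifi")
        print(f"{label}: {f}  leaves={count_assertions(f)}")
```

With the hostile name unescaped the filter grows to three assertions, one of them supplied by the client; escaped, it stays at the two the administrator wrote, and the wildcard becomes a literal asterisk that matches no account.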
Re: Freeradius with EAP-SIM
Alan, Please, correct me if I'm wrong. radeapclient should start the AAA conversation sending the Access-Request to the Radius server, right? What I have described is that my radeapclient, instead of sending an Access-Request, is WAITING for some response from the server. Does it make sense? Just remember that I'm trying to simulate an EAP-SIM authentication with FreeRadius. I don't have a real SS7 Proxy or SIM authentication server, ok? Thanks in advance. 2011/11/16 Alan Buxey a.l.m.bu...@lboro.ac.uk Ready to process requests. ...and that's it. Where's the incoming query to be dealt with? alan -- Message may be brief as it has been sent from my mobile -- Ronaldo Afonso www.vexcorp.com +55 11 4932-5971 ronaldo.afo...@vexcorp.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: max length user name
Hi list, thanks for all. I've fixed it. I've configured the network interface on the client to take out the domain prefix from Windows clients. Regards, Alejandro Gándara. On 03/01/12 15:20, Alan DeKok wrote: Alejandro Gándara wrote: I've read on the internet about this problem; the length can't be increased. Could there be another way to fix this problem? Ask Microsoft how to fix their software. It's something weird. I always thought that the netbios name was the name of the machine, not the string used for login. Ask Microsoft how their software works. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Alejandro Gándara | System Administrator T/ + 34 986 410 091 (ext) 210 www.optaresolutions.com
Re: Accounting not working
On Tue, Jan 3, 2012 at 4:44 PM, John Corps env...@gmail.com wrote: Hello All, I have 4 servers set up exactly the same at 4 different locations. Each server is using the exact same configs and is working perfectly well doing what I want it to do. The only issue I have is at 1 location, I am not getting any accounting requests and therefore nothing is being updated in the radacct table. Starting radiusd in debug mode (-X) shows that it's listening for accounting requests exactly the same as the 3 other locations, just no accounting requests are coming through. Is there any way to do a test to see if it's even listening and working at all? I have been racking my brain over this the last few days, checking switch and router configs etc. but that is all the same as the other 3 locations as well; everything is the same at all 4 locations, just this one location isn't doing the accounting. Any help would be great :) Thanks. - Hi, Is port 1813 open to the server? Kr Yves - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting not working
Doing an nmap scan on the server, it does show both 1812 and 1813 open UDP. The auth is working fine on 1812 so I don't understand why accounting isn't working. On Tue, Jan 3, 2012 at 2:09 PM, YvesDM ydm...@gmail.com wrote: On Tue, Jan 3, 2012 at 4:44 PM, John Corps env...@gmail.com wrote: Hello All, I have 4 servers set up exactly the same at 4 different locations. Each server is using the exact same configs and is working perfectly well doing what I want it to do. The only issue I have is at 1 location, I am not getting any accounting requests and therefore nothing is being updated in the radacct table. Starting radiusd in debug mode (-X) shows that it's listening for accounting requests exactly the same as the 3 other locations, just no accounting requests are coming through. Is there any way to do a test to see if it's even listening and working at all? I have been racking my brain over this the last few days, checking switch and router configs etc. but that is all the same as the other 3 locations as well; everything is the same at all 4 locations, just this one location isn't doing the accounting. Any help would be great :) Thanks. - Hi, Is port 1813 open to the server? Kr Yves - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting not working
Are the clients also properly configured? On 1/3/2012 11:18, John Corps wrote: Doing an nmap scan on the server, it does show both 1812 and 1813 open UDP. The auth is working fine on 1812 so I don't understand why accounting isn't working. On Tue, Jan 3, 2012 at 2:09 PM, YvesDM ydm...@gmail.com wrote: On Tue, Jan 3, 2012 at 4:44 PM, John Corps env...@gmail.com wrote: Hello All, I have 4 servers set up exactly the same at 4 different locations. Each server is using the exact same configs and is working perfectly well doing what I want it to do. The only issue I have is at 1 location, I am not getting any accounting requests and therefore nothing is being updated in the radacct table. Starting radiusd in debug mode (-X) shows that it's listening for accounting requests exactly the same as the 3 other locations, just no accounting requests are coming through. Is there any way to do a test to see if it's even listening and working at all? I have been racking my brain over this the last few days, checking switch and router configs etc. but that is all the same as the other 3 locations as well; everything is the same at all 4 locations, just this one location isn't doing the accounting. Any help would be great :) Thanks. - Hi, Is port 1813 open to the server? Kr Yves - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
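As an added example (Python written for this page, not from the thread and not FreeRADIUS's own radclient), here is a probe that answers the "is it even listening?" question for the accounting port: it sends one Accounting-Start built per RFC 2866 and accepts only a reply whose Response Authenticator verifies under the shared secret, so a stray UDP packet cannot be mistaken for success. The target address, shared secret and attribute values are placeholders. The sending host still has to appear in the server's clients.conf, and FreeRADIUS drops packets from unknown clients or with a bad Request Authenticator without replying, so a timeout is reported separately from a bad reply.

```python
"""Added example, not from the thread: a minimal RADIUS accounting probe.

Builds an Accounting-Request (RFC 2866), computes its Request Authenticator
    MD5(Code | ID | Length | 16 zero octets | Attributes | Secret)
and checks the Accounting-Response Authenticator
    MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret).
Host, port, secret and the probe attribute values are placeholders."""
import hashlib
import hmac
import os
import socket
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Attribute types (RFC 2865 / RFC 2866)
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def probe_attributes(nas_ip: str = "127.0.0.1") -> bytes:
    """Constructed attribute list for a synthetic Accounting-Start."""
    return (attr(USER_NAME, b"probe-user")
            + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
            + attr(ACCT_SESSION_ID, b"probe-0001")
            + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))


def build_accounting_request(ident: int, secret: bytes, attrs: bytes) -> bytes:
    """Client side: header, then the authenticator computed over a zeroed field."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    req_auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + req_auth + attrs


def verify_accounting_request(request: bytes, secret: bytes) -> bool:
    """Server side: what FreeRADIUS checks before it will answer at all."""
    if len(request) < 20 or request[0] != ACCOUNTING_REQUEST:
        return False
    length = struct.unpack("!H", request[2:4])[0]
    if not 20 <= length <= len(request):
        return False
    expected = hashlib.md5(request[:4] + b"\x00" * 16 + request[20:length] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])


def build_accounting_response(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a correct server returns; used here to simulate the exchange offline."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: code, matching ID, sane Length, valid Response Authenticator."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or ident != request[1] or not 20 <= length <= len(response):
        return False
    attrs = response[20:length]           # octets past Length are padding, ignored
    expected = hashlib.md5(response[:4] + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe(host: str, port: int, secret: bytes, timeout: float = 3.0) -> str:
    """Send one Accounting-Start; return 'ok', 'timeout' or 'bad-reply'."""
    request = build_accounting_request(os.urandom(1)[0], secret, probe_attributes())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            # Firewall drop, unknown client and wrong secret all look like this.
            return "timeout"
    return "ok" if verify_response(request, response, secret) else "bad-reply"


if __name__ == "__main__":
    # Placeholder target; replace with the accounting server and its shared secret.
    print(probe("192.0.2.10", 1813, b"testing123"))
```

A "timeout" here with 1813 open in nmap is consistent with the thread: an open UDP port only means nothing answered with ICMP unreachable, while an unknown client or a mismatched secret is dropped silently and shows up only in radiusd -X on the server.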
Re: Freeradius with EAP-SIM
Ronaldo Afonso wrote: radeapclient should start the AAA conversation sending the Access-Request to the Radius server, right? Yes. What I have described is that my radeapclient, instead of sending an Access-Request, is WAITING for some response from the server. Does it make sense? Because you didn't read the documentation for radeapclient. radeapclient reads the attributes from stdin. So... if you don't give it a file via -f, it will wait for input. Just remember that I'm trying to simulate an EAP-SIM authentication with FreeRadius. I don't have a real SS7 Proxy or SIM authentication server, ok? See src/tests/eapsim-* Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple values for reply attributes in radreply
Alan, Thanks for the info. Found the operators section. Very useful. Christian Thomas On 3 January 2012 12:30, Alan DeKok al...@deployingradius.com wrote: Christian Thomas wrote: I am trying to send back the same attribute in radreply and /or radgroupreply with different values to the NAS This is documented. See doc/rlm_sql, or man unlang. The operators section describes what you want. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Christian Thomas Mobile +55 (48) 8446 3575 Landline +55 (48) 3717 5005 Paris +33 1 8197 9899 USA +1 303 997 3242 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Active Directory with Radius Accounting
I have setup FreeRadius to work with Active Directory for User name Authentication. My next step is going to be to start authenticating the MAC address as well. I have setup my sql database and created the required schema. I have uncommented the lines in radiusd.conf and sql.conf and sites-available/default.conf to start doing radius accounting. My access point is pointing the radius server for accounting. Would it be the acme of foolishness on my part to assume that is all I need to do for my radius server to start logging the information from my connecting clients? Joseph R. McSparin Network Administrator Hill Country Memorial Hospital 830 990 6638 phone 830 990 6623 fax jmcspa...@hillcountrymemorial.org -- This email message and any attachments are for the sole use of the intended recipient(s) and contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Active Directory with Radius Accounting
McSparin, Joe wrote: My access point is pointing the radius server for accounting. Would it be the acme of foolishness on my part to assume that is all I need to do for my radius server to start logging the information from my connecting clients? Is the NAS sending accounting packets? As always, see radiusd -X Or, raddebug. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Active Directory with Radius Accounting
I believe so; this is what radiusd -X gives me:

    Connect-Info = CONNECT 65Mbps 802.11bgn
    State = 0x6fd1eb6166daf2ab2cc99f2d96a12ef7
    EAP-Message = 0x020b002b19001703010020494bbeb5128850193bb913fc2ebde8f217dc417b16a86d8fb4c069fadeb273a9
    Message-Authenticator = 0xd0ed28ddf1e93ec30aec44eb77fe19b2
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = jmcsparin, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{Stripped-User-Name} ->
[sql] sql_set_user escaped user --> ''
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'jmcsparin', '', 'Access-Accept', '2012-01-03 23:15:13')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'jmcsparin', '', 'Access-Accept', '2012-01-03 23:15:13')
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 220 to 10.1.1.50 port 48413
    MS-MPPE-Recv-Key = 0xd612e2541f86229b505d7bc7cc0a1423f13cc4207e38118f6028ad675ae8aaa9
    MS-MPPE-Send-Key = 0x4acf4ecf8ae8cbb6dae26b5804298d0caba90a92fa977420352fcd97bc885c64
    EAP-Message = 0x030b0004
    Message-Authenticator = 0x
    User-Name = jmcsparin
Finished request 10.
Going to the next request
Waking up in 2.6 seconds.
rad_recv: Accounting-Request packet from host 10.1.1.50 port 51199, id=22, length=214
    User-Name = jmcsparin
    Acct-Status-Type = Start
    Acct-Session-Id = 0B085386-485D60B0DA91-21
    Calling-Station-Id = 48-5D-60-B0-DA-91
    Called-Station-Id = 5C-0E-8B-07-6F-F0:HCMHMobile
    NAS-Port = 1
    NAS-Port-Type = Wireless-802.11
    Framed-IP-Address = 10.1.1.202
    NAS-Identifier = ap6511-085386
    NAS-Port-Id = 5C-0E-8B-08-53-86-2.4GHz-wlan
    Event-Timestamp = Dec 31 2009 21:21:30 CST
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 1001
    Acct-Authentic = RADIUS
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 10.1.1.50,NAS-IP-Address = 10.1.1.50,Acct-Session-Id = 0B085386-485D60B0DA91-21,User-Name = jmcsparin'
[acct_unique] Acct-Unique-Session-ID = e8a1f6abbcf7c891.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = jmcsparin, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 10.1.1.50
[detail] expand: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radacct/10.1.1.50/detail-20120103
[detail] /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radacct/10.1.1.50/detail-20120103
[detail] expand: %t -> Tue Jan 3 23:15:13 2012
++[detail] returns ok
[radutmp] expand: /var/log/radutmp -> /var/log/radutmp
[radutmp] expand: %{User-Name} -> jmcsparin
rlm_radutmp: Error accessing file /var/log/radutmp: Permission denied
++[radutmp] returns fail
Finished request 11.
Cleaning up request 11 ID 22 with timestamp +27
Going to the next request
Waking up in 2.5 seconds.
Cleaning up request 0 ID 210 with timestamp +25
Cleaning up request 1 ID 211 with timestamp +25
Cleaning up request 2 ID 212
RE: Active Directory with Radius Accounting
Never mind, I got it: the radutmp file wasn't in the /var/log directory. Joseph R. McSparin Network Administrator Hill Country Memorial Hospital 830 990 6638 phone 830 990 6623 fax jmcspa...@hillcountrymemorial.org -Original Message- From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org On Behalf Of Alan DeKok Sent: Tuesday, January 03, 2012 5:00 PM To: FreeRadius users mailing list Subject: Re: Active Directory with Radius Accounting McSparin, Joe wrote: My access point is pointing the radius server for accounting. Would it be the acme of foolishness on my part to assume that is all I need to do for my radius server to start logging the information from my connecting clients? Is the NAS sending accounting packets? As always, see radiusd -X Or, raddebug. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Framed-IP-Address not working
2012/1/3 Marinko Tarlać mangi...@gmail.com: The same thing happens with Mikrotik. If you send the pool name then the assigned IP address is ignored... ... except that with the openvpn radius plugin, there's no attribute to send the pool name. It's usually either:

- misconfigured radius, which doesn't send the Framed-IP-Address attribute correctly (which is why I asked what the debug log says), or
- misconfigured openvpn radius plugin (cause it works just fine when configured correctly), or
- misconfigured openvpn, in that it doesn't use the radius plugin, but some other method that doesn't support Framed-IP-Address (e.g. pam+libpam-radius-auth)

-- Fajar On 1/3/2012 3:19 PM, Alan DeKok wrote: Azfar Hashmi wrote: I have assigned static ip to some users but users still getting ip addresses from openvpn server pool. what I am missing? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Framed-IP-Address not working
Solved, problem was in openvpn. On 1/3/2012 3:30 PM, Azfar Hashmi wrote: I have assigned static ip to some users but users still getting ip addresses from openvpn server pool. what I am missing? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Framed-IP-Address not working
And what was the problem ? On 1/4/2012 6:55 AM, Azfar Hashmi wrote: Solved, problem was in openvpn. On 1/3/2012 3:30 PM, Azfar Hashmi wrote: I have assigned static ip to some users but users still getting ip addresses from openvpn server pool. what I am missing? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html