Re: free radius with cisco asa and password change feature

2012-02-06 Thread Alan DeKok
Will Richmond wrote:
> Hi, does free radius support password change feature

  No.

> when authenticating cisco asa vpn users via the radius server? authentication 
> method doesn't matter, I am just wondering if it's possible to force a local 
> radius DB user to change their password via a vpn login with the cisco 
> product devices? This is supported, for example, with Microsoft IAS, but user has 
> to live in Microsoft AD DB.

  MS does it via an MS-CHAP change password method.

  Feel free to submit a patch to rlm_mschap which implements this.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


free radius with cisco asa and password change feature

2012-02-06 Thread Will Richmond
Hi, does free radius support password change feature when authenticating cisco 
asa vpn users via the radius server? authentication method doesn't matter, I am 
just wondering if it's possible to force a local radius DB user to change their 
password via a vpn login with the cisco product devices? This is supported, for 
example with Microsoft IAS, but user has to live in Microsoft AD DB.

thx in advance,

Will





Re: mulitipule connections

2012-02-06 Thread ousmane sanogo
Hi,
look in "/etc/freeradius/sites-enable/default" and uncomment
#sradutmp

2012/2/6 Marinko Tarlac 

> Here we go again
>
>
> On 2/6/2012 10:08 PM, Ski Mountain wrote:
>
>> Hello, I have searched quite a bit.  I am looking for an answer on the
>> best way to disable multiple logins by the same user.
>>
>> I have been reading
>> http://freeradius.org/radiusd/doc/Simultaneous-Use
>>
>> One problem is I get an error when I try to run
>>  radwho
>> radwho: Error reading /var/log/freeradius/sradutmp: No such file or
>> directory
>>
>>
>> This checkrad.pl script I can not find it anywhere on my ubuntu 10.04
>> server.  Where would I find a copy?
>> I do have a radutmp file.  Should there be entries in it when no one is
>> connected?
>>
>> So is the only way to run snmp on the server, or is that way outdated
>> now?
>>
>> Thanks for the help
>>


Re: mulitipule connections

2012-02-06 Thread Marinko Tarlac

Here we go again

On 2/6/2012 10:08 PM, Ski Mountain wrote:

> Hello, I have searched quite a bit.  I am looking for an answer on the best
> way to disable multiple logins by the same user.
>
> I have been reading
> http://freeradius.org/radiusd/doc/Simultaneous-Use
>
> One problem is I get an error when I try to run
>   radwho
> radwho: Error reading /var/log/freeradius/sradutmp: No such file or directory
>
> This checkrad.pl script I can not find it anywhere on my ubuntu 10.04 server.
> Where would I find a copy?
>
> I do have a radutmp file.  Should there be entries in it when no one is
> connected?
>
> So is the only way to run snmp on the server, or is that way outdated now?
>
> Thanks for the help



mulitipule connections

2012-02-06 Thread Ski Mountain
Hello, I have searched quite a bit.  I am looking for an answer on the best 
way to disable multiple logins by the same user.

I have been reading
http://freeradius.org/radiusd/doc/Simultaneous-Use

One problem is I get an error when I try to run
 radwho
radwho: Error reading /var/log/freeradius/sradutmp: No such file or directory


This checkrad.pl script I can not find it anywhere on my ubuntu 10.04 server.  
Where would I find a copy?

I do have a radutmp file.  Should there be entries in it when no one is connected? 

So is the only way to run snmp on the server, or is that way outdated now? 

Thanks for the help 



Re: Returning Filter-Id based on LDAP group

2012-02-06 Thread Cornelius Kölbel
Hi Phil,
I thought so.

But thanks a lot for clarifying this.
Kind regards
Cornelius


On 06.02.2012 17:21, Phil Mayers wrote:
> On 06/02/12 15:53, Cornelius Kölbel wrote:
>
>> ... but it seems that the ldap_groupcmp does not support pattern
>> matching?
>> Am I right or does anybody have another idea?
>
> Ldap-Group isn't a "real" attribute. It is a virtual attribute, that
> triggers a search in the directory when you compare to it.
>
> So you can't do this.


Re: Returning Filter-Id based on LDAP group

2012-02-06 Thread Phil Mayers

On 06/02/12 15:53, Cornelius Kölbel wrote:


> ... but it seems that the ldap_groupcmp does not support pattern matching?
> Am I right or does anybody have another idea?


Ldap-Group isn't a "real" attribute. It is a virtual attribute, that 
triggers a search in the directory when you compare to it.


So you can't do this.


Returning Filter-Id based on LDAP group

2012-02-06 Thread Cornelius Kölbel
Hello list,

I'd like to set the Filter-Id in the response based on an LDAP group.

authorize {

    # Set a control value when the user is a member of group1
    if ( Ldap-Group =~ /CN=group1,ou=groups,dc=company,dc=com/  ) {
        update control {
            Tmp-String-1 := "group1"
        }
    }

}

post-auth {

    # Return the stored value as Filter-Id
    update reply {
        Filter-Id := "%{control:Tmp-String-1}"
    }

}

This works like a charm!


As I got a lot of groups, I'd like to do some pattern matching...

if ( Ldap-Group =~ /CN=(xyz),ou=groups,dc=company,dc=com/  ) {
    update control {
        Tmp-String-1 := "%{1}"
    }
}

... but it seems that the ldap_groupcmp does not support pattern matching?
Am I right or does anybody have another idea?

Thanks a lot and kind regards
Cornelius




Re: Authentication according NAS

2012-02-06 Thread Alan Buxey
Hi,

> user admin with password toto could connect to NAS1/2/3/4 of Factory2
> user admin with password coco could connect to NAS1/2/3 of Factory1

if you want to keep it this simple, simply use hunt-groups. define
each NAS in separate hunt-groups and add a hunt-group check item (eg
to users file or to sql check table)

alan
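
The hunt-group approach suggested in the reply above, written out for the factory layout in the original question. This is an added example, not part of the original post; the NAS addresses and the adm_f1/adm_f2 passwords are constructed, and it assumes the stock FreeRADIUS 2.x setup where the preprocess module reads the huntgroups file and the files module reads users.

```conf
# raddb/huntgroups
# Each line puts one NAS into a hunt-group. Addresses are constructed
# (documentation ranges); replace them with the real NAS addresses.
factory1    NAS-IP-Address == 192.0.2.11
factory1    NAS-IP-Address == 192.0.2.12
factory1    NAS-IP-Address == 192.0.2.13

factory2    NAS-IP-Address == 198.51.100.21
factory2    NAS-IP-Address == 198.51.100.22
factory2    NAS-IP-Address == 198.51.100.23
factory2    NAS-IP-Address == 198.51.100.24

# raddb/users
# Huntgroup-Name is a check item: an entry only matches when the request
# came from a NAS in that hunt-group.

# First variant from the question: same user name, one password per factory.
admin   Huntgroup-Name == "factory1", Cleartext-Password := "coco"

admin   Huntgroup-Name == "factory2", Cleartext-Password := "toto"

# Second variant: per-factory accounts (passwords are placeholders).
adm_f1  Huntgroup-Name == "factory1", Cleartext-Password := "PLACEHOLDER-1"

adm_f2  Huntgroup-Name == "factory2", Cleartext-Password := "PLACEHOLDER-2"

# adm_f1 arriving from a factory2 NAS matches none of these entries, so no
# password is set for the request and authentication fails, provided no
# later DEFAULT entry accepts it.
```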


Re: More than one client

2012-02-06 Thread Alan Buxey
Hi,

> I need a few information. We have to softswtichs, both are working with 
> freeradius perfectly.
> 
> There is no problem to use to different clinets (softswitchs) to use one 
> freeradious server. Problem is that softswitchs would need a different 
> dialup.conf (for sql entry) and different default configuration for 
> different AVP packets.
> 
> How to set to different dialup.conf and defult configuration?

use virtual servers and in each virtual server call a different instance
of the sql module

alan


Re: More than one client

2012-02-06 Thread Miha Zoubek

Hi @Fajar,

yes, that's what I meant :)

Thanks!

Regards,
Miha

On 2/6/2012 12:05 PM, Fajar A. Nugraha wrote:
> On Mon, Feb 6, 2012 at 5:53 PM, Miha Zoubek  wrote:
>> Hi,
>>
>> I need a few information. We have to softswtichs, both are working with
>> freeradius perfectly.
>
> Do you mean "two" softswtiches? Taking time to double-check what you
> write can help others understand your needs better.
>
>> There is no problem to use to different clinets (softswitchs) to use one
>> freeradious server. Problem is that softswitchs would need a different
>> dialup.conf (for sql entry) and different default configuration for
>> different AVP packets.
>
> I find it hard to understand what you meant there. Did you mean:
> - you want two softswitches to use one freeradius
> - each softswitch requires a different sql query
>
> is that correct?
>
>> How to set to different dialup.conf and defult configuration?
>
> If you use FR2 (you should), see unlang:
> http://freeradius.org/radiusd/man/unlang.html
>
> Create two different instances of sql, each with its own dialup.conf.
> Then check for a unique attribute that the NAS sends (e.g.
> NAS-IP-Address) in authorize and accounting section (and whatever
> other sections you use).




--
Best regards / Lep Pozdrav
Miha Zoubek
Softnet d.o.o.



Authentication according NAS

2012-02-06 Thread ebrnospam
Hello,

I've got this infrastructure : 

FACTORY 1
  NAS1
  NAS2
  NAS3

FACTORY 2
  NAS1
  NAS2
  NAS3
  NAS4

I just want this : 

user admin with password toto could connect to NAS1/2/3/4 of Factory2
user admin with password coco could connect to NAS1/2/3 of Factory1

or if it's more simple :

user admin could connect to NAS1/2/3/4 of Factory2 and NAS1/2/3 of Factory1
user adm_f1 could connect to NAS1/2/3 of Factory1 but can't connect to NAS of 
Factory2
user adm_f2 could connect to NAS1/2/3/4 of Factory2 but can't connect to NAS of 
Factory1

How can I do that ?

Thanks

Eric


Re: More than one client

2012-02-06 Thread Fajar A. Nugraha
On Mon, Feb 6, 2012 at 5:53 PM, Miha Zoubek  wrote:
> Hi,
>
> I need a few information. We have to softswtichs, both are working with
> freeradius perfectly.

Do you mean "two" softswtiches? Taking time to double-check what you
write can help others understand your needs better.

>
> There is no problem to use to different clinets (softswitchs) to use one
> freeradious server. Problem is that softswitchs would need a different
> dialup.conf (for sql entry) and different default configuration for
> different AVP packets.

I find it hard to understand what you meant there. Did you mean:
- you want two softswitches to use one freeradius
- each softswitch requires a different sql query

is that correct?

> How to set to different dialup.conf and defult configuration?

If you use FR2 (you should), see unlang:
http://freeradius.org/radiusd/man/unlang.html

Create two different instances of sql, each with its own dialup.conf.
Then check for a unique attribute that the NAS sends (e.g.
NAS-IP-Address) in authorize and accounting section (and whatever
other sections you use).

-- 
Fajar
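
A sketch of the setup described in the reply above: two named sql instances, each with its own query file, selected by NAS-IP-Address in unlang. This is an added example, not part of the original post; the instance names, database names, dialup_*.conf file names and NAS addresses are hypothetical, and it assumes the FreeRADIUS 2.x file layout.

```conf
# raddb/sql.conf: two named instances of the sql module.
# Copy the stock sql { } block twice; every setting not shown here stays
# as it is in the stock block. Only the instance name, the database and
# the included query file differ.
sql sql_sw1 {
	database = "mysql"
	driver = "rlm_sql_${database}"
	server = "localhost"
	login = "radius"
	password = "CHANGE_ME"
	radius_db = "radius_sw1"
	$INCLUDE sql/${database}/dialup_sw1.conf
}

sql sql_sw2 {
	database = "mysql"
	driver = "rlm_sql_${database}"
	server = "localhost"
	login = "radius"
	password = "CHANGE_ME"
	radius_db = "radius_sw2"
	$INCLUDE sql/${database}/dialup_sw2.conf
}

# raddb/sites-enabled/default: choose the instance per softswitch.
authorize {
	preprocess
	if (NAS-IP-Address == 192.0.2.10) {
		sql_sw1
	}
	elsif (NAS-IP-Address == 192.0.2.20) {
		sql_sw2
	}
	else {
		# A request from any other NAS is refused rather than
		# falling through to one of the two query sets.
		reject
	}
}

accounting {
	if (NAS-IP-Address == 192.0.2.10) {
		sql_sw1
	}
	elsif (NAS-IP-Address == 192.0.2.20) {
		sql_sw2
	}
}
```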


More than one client

2012-02-06 Thread Miha Zoubek

Hi,

I need a few information. We have to softswtichs, both are working with 
freeradius perfectly.


There is no problem to use to different clinets (softswitchs) to use one 
freeradious server. Problem is that softswitchs would need a different 
dialup.conf (for sql entry) and different default configuration for 
different AVP packets.


How to set to different dialup.conf and defult configuration?

Thanks!

Miha

--
Best regards / Lep Pozdrav
Miha Zoubek
Softnet d.o.o.



Re: Eduroam F-ticks and syslog

2012-02-06 Thread absenthe160
Hi Matthew Newton,

Thank you very much for quick response!
The problem is solved by patching the rlm_linelog.  Now everything is fine!


