Re: group search filter openLDAP

2012-03-24 Thread dhanushka ranasinghe
Hi..

How can I make it read the password and then accept it for that LDAP group?

Thank You
Dhanushka

On 25 March 2012 12:12, Fajar A. Nugraha  wrote:
> On Sun, Mar 25, 2012 at 1:35 PM, dhanushka ranasinghe
>  wrote:
>> DEFAULT Ldap-Group == "cn=people,ou=users,dc=home,dc=com", Auth-Type := 
>> Accept
>>  Reply-Message = "You are Accepted"
>
>> Then I face a much bigger issue: FreeRADIUS starts to ignore the LDAP
>> userPassword. Even though I type a wrong password, FreeRADIUS grants
>> access.
>
> That's because you told it to. That's what Auth-Type := Accept does.
>
> --
> Fajar
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: group search filter openLDAP

2012-03-24 Thread Fajar A. Nugraha
On Sun, Mar 25, 2012 at 1:35 PM, dhanushka ranasinghe
 wrote:
> DEFAULT Ldap-Group == "cn=people,ou=users,dc=home,dc=com", Auth-Type := Accept
>  Reply-Message = "You are Accepted"

> Then I face a much bigger issue: FreeRADIUS starts to ignore the LDAP
> userPassword. Even though I type a wrong password, FreeRADIUS grants
> access.

That's because you told it to. That's what Auth-Type := Accept does.

-- 
Fajar


Re: group search filter openLDAP

2012-03-24 Thread dhanushka ranasinghe
Hi..

As you mentioned, I was able to get that LDAP group to work. I added two
additional entries in the /etc/freeradius/user file to filter the users;
these are:



DEFAULT Ldap-Group == "cn=people,ou=users,dc=home,dc=com", Auth-Type := Accept
 Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject


Then I face a much bigger issue: FreeRADIUS starts to ignore the LDAP
userPassword. Even though I type a wrong password, FreeRADIUS grants
access.

Hi guys, is there any way to solve this issue?

Thank You
Dhanushka


On 24 March 2012 17:35, Phil Mayers  wrote:
> On 03/24/2012 05:51 AM, dhanushka ranasinghe wrote:
>>
>> Hi guys,
>>
>> I'm using FreeRADIUS with LDAP, and its authentication works fine when
>> I use the following configuration.
>>
>>         server = "ldap.home.com"
>>         identity = "cn=admin,dc=home,dc=com"
>>         password = home
>>         basedn = "ou=users,dc=home,dc=com"
>>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>>         base_filter = "(objectclass=radiusprofile)"
>>         access_attr = "uid"
>>         authtype = ldap
>>
>> But then I created an LDAP group and added the members to it,
>>
>> e.g.:
>>
>> dn: cn=people,ou=users,dc=home,dc=com
>> objectClass: groupOfNames
>> objectClass: top
>> cn: wso2
>> member: uid=userone,ou=user,dc=home,dc=com
>> member: uid=usertwo,ou=user,dc=home,dc=com
>>
>> then I changed my LDAP config as follows:
>>
>>         server = "ldap.home.com"
>>         identity = "cn=admin,dc=home,dc=com"
>>         password = home
>>         basedn = "cn=people,ou=users,dc=home,dc=com"
>>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>>         base_filter = "(objectclass=radiusprofile)"
>>         access_attr = "uid"
>>         authtype = ldap
>>
>> But this method is not working; the RADIUS debug output says the user
>> cannot be searched within that group.
>>
>> Is there any particular search method that I need to use? What can
>> I do to sort out this problem?
>
>
> This is all completely wrong. You have told the LDAP module to search for
> all objects, including users, starting from the DN of the group you have
> created.
>
> Set your LDAP back how it was, then uncomment the "groupmembership_filter"
> and "groupname_attribute" in the "ldap" module config, that comes with the
> server by default. It should just work.
>


RE: can you internally proxy a request more than once?

2012-03-24 Thread Brian Julin


Phil Mayers [p.may...@imperial.ac.uk] wrote
> I'm curious about what you mean here. I don't see the difference between
> a single server performing attribute filter & auth, versus two separate
> processes.
>
> Can you explain what threat model you think this addresses?

It limits the exposed fuzzable surface.  Any vulnerabilities present or introduced
in the low level RADIUS packet processing compromise only the external
server.  The packets that reach the internal server post-filter have been cleanly
regenerated.  The option also exists at that point to place the external
server on an entirely different host, for DoS mitigation.

You still have some unnecessary code surface exposure what with EAP being
processed on the internal server (unless you were to manage to somehow get
tunneling of unwrapped MSCHAP working and do the EAP unwrap on the
external server.)

Normally I wouldn't be quite so bug-paranoid, but RADIUS is tied pretty tightly
to the most security-sensitive and mission-critical systems we have.

(As an aside, while the virtual server functionality is very useful when it comes
to providing an integrated inner/outer tunnel solution, I've found it much more
convenient to administer discrete usage cases with individual instances.  Then
you can do work on one server without worrying that a change will somehow
have unintended consequences on other services when you reload the config.)




Re: FW: Radacct table not working properly

2012-03-24 Thread Alan Buxey
It might be configured...ie you edited sql.conf but did you add 'sql' to 
the relevant sections in the relevant virtual server?

alan


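The check Alan describes, shown as an added example rather than text from the thread: in FreeRADIUS 2.x the `sql` module only writes `radacct` rows when it is listed in the `accounting` section of the virtual server that receives the packets (assumed here to be `sites-enabled/default`), and that line ships commented out. The `detail` entry is what produces the per-NAS files under `/var/log/freeradius/radacct` that Javier does see. The section below is my reconstruction of the stock 2.x layout, not a file copied from this installation.

```conf
# /etc/freeradius/sites-enabled/default (FreeRADIUS 2.x), accounting section.
# Editing sql.conf alone changes nothing: the module must be listed here,
# and sql.conf must be $INCLUDEd from radiusd.conf.
accounting {
	detail    # writes /var/log/freeradius/radacct/<NAS-IP>/detail-* files
	unix
	radutmp
	sql       # shipped as "#sql"; uncommented so Accounting-Requests reach radacct
	exec
	attr_filter.accounting_response
}
```

Run `radiusd -X` and watch for an `Accounting-Request` arriving from the NAS: if none does (Phil's point in this thread), nothing reaches the detail file or the table, and once packets do arrive the sql module's INSERT and UPDATE statements show in the same debug output.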

RE: FW: Radacct table not working properly

2012-03-24 Thread Javier Ruiz Escalante
Hello,

SQL is configured as far as I know, and actually before, when I had
installed chillispot, I think it was working, as I had values in my radacct
table.

What should I check then? The data is logged, at least part of it,
but in a file, not in the radacct table.

Regards



-Original Message-
From: freeradius-users-bounces+fruiz002=hotmail@lists.freeradius.org
[mailto:freeradius-users-bounces+fruiz002=hotmail@lists.freeradius.org]
On Behalf Of Phil Mayers
Sent: Saturday, 24 March 2012 13:02
To: freeradius-users@lists.freeradius.org
Subject: Re: FW: Radacct table not working properly

On 03/23/2012 11:07 PM, Javier Ruiz Escalante wrote:

> I have realized that my radius system does not record the logging 
> information in my radius Data base, in radacct table, but nevertheless 
> creates a folder in /var/log/freeradius for every NAS which is called 
> “radacct” inside this folder there is another folder with the ip of 
> the NAS and inside it there is a txt file with the info that I should 
> have

"radacct" or "detail" file logging is configured by default in the server.

SQL is not.

Have you configured SQL accounting?

> in the radacct table, furthermore I get the following error in radius
> debug:

What error? There is no error. All you show is debug output from the server
startup. There is no error.

>
> Module: Instantiating module "attr_filter.access_reject" from file 
> /etc/freeradius/modules/attr_filter
>
> attr_filter attr_filter.access_reject {
>
> attrsfile = "/etc/freeradius/attrs.access_reject"
>
> Any clue?

Any clue about *what*?

You need to ask better questions.


Re: Zombie Clarification

2012-03-24 Thread James J J Hooper

On 24/03/2012 13:13, Alan Buxey wrote:
> Hi,
>
> there was never any more on this thread, so just to add some final info
>
>>> Now, for whatever reason, the Windows box decides to discard some
>>> requests. Unfortunately, the error reporting is pretty weak
>>> ("discarding invalid request"). Our Windows guys are digging into
>>> this. It seems to be client specific, we suspect something with our
>>> recently changed certificate.
>>
>>   I don't see how.  Normal RADIUS doesn't use certificates.
>>
>>   And if your home server *randomly* discards requests, then your
>> priority should be to fix that.  No amount of poking FreeRADIUS will
>> make the home server magically work.  No amount of poking FreeRADIUS
>> will work around the fact that the home server is broken.
>
> Microsoft decided, in their wisdom, to just discard packets that aren't right.
> This affects IAS and NPS. If your policy says, for example,
>
> NAS-Port-Type = Wireless-802.11
>
> and the packet doesn't have that attribute, or it's not Wireless-802.11, then the packet
> is just silently dropped. The RADIUS proxies throughout the proxy chain then
> think the server is dead, status-server kicks in, and, oh, guess what, they don't support
> that, so it stays marked dead.  The remote proxies might be lucky, as their
> status-server will be answered by the proxy above them, which, if it's FreeRADIUS
> or RADIATOR, *will* respond in some way to show they are alive.
>
> IAS and NPS are a mess with proxied RADIUS - especially when there are policies
> involved.


Further to what Alan says above IAS/NPS can report "invalid request" if it 
contains an attribute not in their dictionaries, or an attribute where the 
value does not match the type in their dictionaries.


As NPS and IAS dictionaries are old, don't match the RFCs, and it seems MS 
never update the dictionaries, this means NPS and IAS discard a lot of 
valid packets!


If you are proxying to IAS or NPS, filter the attributes very carefully 
before they hit the MS radius servers.


Regards,
  James


Re: Zombie Clarification

2012-03-24 Thread Alan DeKok
Alan Buxey wrote:
> Microsoft decided, in their wisdom, to just discard packets that aren't right.
> This affects IAS and NPS. If your policy says, for example,
>
> NAS-Port-Type = Wireless-802.11
>
> and the packet doesn't have that attribute, or it's not Wireless-802.11, then
> the packet is just silently dropped.

  This violates RFC 2865.  

  Not that they care.

> IAS and NPS are a mess with proxied RADIUS - especially when there are policies
> involved.

  This should be on the Wiki, in a "what's wrong with other RADIUS
servers" section. :)

  Alan DeKok.



Re: Zombie Clarification

2012-03-24 Thread Alan Buxey
Hi,

there was never any more on this thread, so just to add some final info

> > Now, for whatever reason, the Windows box decides to discard some
> > requests. Unfortunately, the error reporting is pretty weak
> > ("discarding invalid request"). Our Windows guys are digging into
> > this. It seems to be client specific, we suspect something with our
> > recently changed certificate.
> 
>   I don't see how.  Normal RADIUS doesn't use certificates.
> 
>   And if your home server *randomly* discards requests, then your
> priority should be to fix that.  No amount of poking FreeRADIUS will
> make the home server magically work.  No amount of poking FreeRADIUS
> will work around the fact that the home server is broken.

Microsoft decided, in their wisdom, to just discard packets that aren't right.
This affects IAS and NPS. If your policy says, for example,

NAS-Port-Type = Wireless-802.11

and the packet doesn't have that attribute, or it's not Wireless-802.11, then the packet
is just silently dropped. The RADIUS proxies throughout the proxy chain then
think the server is dead, status-server kicks in, and, oh, guess what, they don't support
that, so it stays marked dead.  The remote proxies might be lucky, as their
status-server will be answered by the proxy above them, which, if it's FreeRADIUS
or RADIATOR, *will* respond in some way to show they are alive.

IAS and NPS are a mess with proxied RADIUS - especially when there are policies
involved.

alan
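An added example (not from the thread, and not a file shipped with FreeRADIUS) of the attribute filtering James and Alan recommend before a request is forwarded to IAS/NPS: a whitelist in the 2.x `attr_filter` file format, applied from the `pre-proxy` section of the virtual server. Only attributes listed survive, so anything a NAS adds that falls outside the Microsoft dictionaries never reaches the home server and cannot trigger the silent "invalid request" discard. The attribute set is my choice of a minimal set for EAP over wireless and is an assumption, not a list taken from the thread; entries are keyed by realm because the stock `attr_filter.pre-proxy` module instance uses `key = "%{Realm}"`, so `DEFAULT` applies to every proxied realm.

```conf
# /etc/freeradius/attrs.pre-proxy (FreeRADIUS 2.x attr_filter format)
#
# Operators used below:
#   =* ANY    keep the attribute whatever its value
#   == value  keep the attribute only when it has exactly this value; a
#             mismatch removes the attribute (useful for sanitising, but
#             note that NPS also discards packets missing an attribute
#             its policy requires, so match the policy, do not strip it)
#
# DEFAULT matches every realm; replace with a realm name to scope the
# list to a single IAS/NPS home server.
DEFAULT
	User-Name =* ANY,
	User-Password =* ANY,
	CHAP-Password =* ANY,
	CHAP-Challenge =* ANY,
	NAS-IP-Address =* ANY,
	NAS-Identifier =* ANY,
	NAS-Port =* ANY,
	NAS-Port-Type =* ANY,
	Service-Type =* ANY,
	Framed-MTU =* ANY,
	Called-Station-Id =* ANY,
	Calling-Station-Id =* ANY,
	EAP-Message =* ANY,
	Message-Authenticator =* ANY,
	State =* ANY,
	Proxy-State =* ANY

# /etc/freeradius/sites-enabled/default: apply the list on the way out.
# The module reference ships commented out in the stock 2.x virtual server.
pre-proxy {
	attr_filter.pre-proxy
}
```

Keep the filter and the NPS policy consistent: the thread's example policy requires `NAS-Port-Type = Wireless-802.11`, so that attribute stays on the list rather than being stripped. Running `radiusd -X` prints the attributes of the request the server sends to the home server after the filter has run, which is the place to confirm nothing outside the list is still being forwarded.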


Re: group search filter openLDAP

2012-03-24 Thread Phil Mayers

On 03/24/2012 05:51 AM, dhanushka ranasinghe wrote:
> Hi guys,
>
> I'm using FreeRADIUS with LDAP, and its authentication works fine when
> I use the following configuration.
>
>         server = "ldap.home.com"
>         identity = "cn=admin,dc=home,dc=com"
>         password = home
>         basedn = "ou=users,dc=home,dc=com"
>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>         base_filter = "(objectclass=radiusprofile)"
>         access_attr = "uid"
>         authtype = ldap
>
> But then I created an LDAP group and added the members to it,
>
> e.g.:
>
> dn: cn=people,ou=users,dc=home,dc=com
> objectClass: groupOfNames
> objectClass: top
> cn: wso2
> member: uid=userone,ou=user,dc=home,dc=com
> member: uid=usertwo,ou=user,dc=home,dc=com
>
> then I changed my LDAP config as follows:
>
>         server = "ldap.home.com"
>         identity = "cn=admin,dc=home,dc=com"
>         password = home
>         basedn = "cn=people,ou=users,dc=home,dc=com"
>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>         base_filter = "(objectclass=radiusprofile)"
>         access_attr = "uid"
>         authtype = ldap
>
> But this method is not working; the RADIUS debug output says the user
> cannot be searched within that group.
>
> Is there any particular search method that I need to use? What can
> I do to sort out this problem?


This is all completely wrong. You have told the LDAP module to search 
for all objects, including users, starting from the DN of the group you 
have created.


Set your LDAP back how it was, then uncomment the 
"groupmembership_filter" and "groupname_attribute" in the "ldap" module 
config, that comes with the server by default. It should just work.

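Putting Fajar's and Phil's answers into one configuration, as an added illustration that is not code from the thread or from the FreeRADIUS distribution: the first `users` entry below is the one posted in the thread, kept only to show the weak setting. `Auth-Type := Accept` tells the server the user is already authenticated, so no password is ever checked for anyone in the group. The corrected entry uses `Ldap-Group` purely as a check item and leaves `Auth-Type` alone, so the ldap module still authenticates the user (by binding to LDAP as the user when `userPassword` is not readable by the bind identity, or via `pap` when it is). The server, DNs and group name are the ones quoted in the thread; the option names are those of the FreeRADIUS 2.x `raddb/modules/ldap` file, and `groupname_attribute = cn` is what lets the group be referred to by its `cn` rather than its full DN.

```conf
# /etc/freeradius/modules/ldap (FreeRADIUS 2.x), with group lookups enabled.
# Server, bind identity and base DN are the values from the thread.
ldap {
	server = "ldap.home.com"
	identity = "cn=admin,dc=home,dc=com"
	password = home

	# Users are still searched under ou=users; the group is looked up
	# separately by the membership filter, never used as the base DN.
	basedn = "ou=users,dc=home,dc=com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

	# Name groups by cn, and test membership by searching for groupOfNames
	# entries whose member attribute holds the user's DN (Ldap-UserDn is
	# set by the user search above).
	groupname_attribute = cn
	groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"

	# If the user is found but userPassword cannot be read, authenticate by
	# binding as the user instead of accepting blindly.
	set_auth_type = yes
}

# /etc/freeradius/users

# WEAK (the thread's entry): Auth-Type := Accept declares the user already
# authenticated, so the supplied password is never checked for members.
#DEFAULT Ldap-Group == "people", Auth-Type := Accept
#	Reply-Message = "You are Accepted"

# CORRECTED: Ldap-Group is only a check item; Auth-Type is left for the
# ldap module, so a member with a wrong password is still rejected.
DEFAULT Ldap-Group == "people"
	Reply-Message = "You are Accepted"

# Anyone not matched above (not a member of the group) is refused. The
# first matching DEFAULT stops processing unless Fall-Through is set, so
# members never reach this entry.
DEFAULT Auth-Type := Reject
	Reply-Message = "Not a member of the people group"
```

Keep `ldap` listed in the `authorize` section of the virtual server so the entries can be evaluated, then verify with `radtest <member> <wrong-password> localhost 0 testing123` (the stock localhost secret) and confirm an Access-Reject for a group member with a bad password; an Access-Accept here is exactly the symptom reported in the thread.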


Re: FW: Radacct table not working properly

2012-03-24 Thread Phil Mayers

On 03/23/2012 11:07 PM, Javier Ruiz Escalante wrote:

> I have realized that my radius system does not record the logging
> information in my radius Data base, in radacct table, but nevertheless
> creates a folder in /var/log/freeradius for every NAS which is called
> “radacct” inside this folder there is another folder with the ip of the
> NAS and inside it there is a txt file with the info that I should have

"radacct" or "detail" file logging is configured by default in the server.

SQL is not.

Have you configured SQL accounting?

> in the radacct table, furthermore I get the following error in radius debug:

What error? There is no error. All you show is debug output from the
server startup. There is no error.

> Module: Instantiating module "attr_filter.access_reject" from file
> /etc/freeradius/modules/attr_filter
>
> attr_filter attr_filter.access_reject {
>
> attrsfile = "/etc/freeradius/attrs.access_reject"
>
> Any clue?


Any clue about *what*?

You need to ask better questions.


Re: Radacct table not working properly

2012-03-24 Thread Phil Mayers

On 03/23/2012 04:16 PM, Javier Ruiz Escalante wrote:
> Hello,
>
> Despite that my user is authenticated, I don't get the data in RADACCT
> table, my output is this one. Can anybody help me?


Your NAS didn't send any accounting packets. So no accounting packets 
were logged to the database.



Re: can you internally proxy a request more than once?

2012-03-24 Thread Phil Mayers

On 03/23/2012 04:02 PM, Brian Julin wrote:
> Not sure, but you should consider running non-virtual instances
> (not that hard to do) and using privilege separation such that
> there is little potential for exposure of your internal authentication
> structure or internally-utilized crypto material to an externally
> presented service.


I'm curious about what you mean here. I don't see the difference between 
a single server performing attribute filter & auth, versus two separate 
processes.


Can you explain what threat model you think this addresses?


Re: can you internally proxy a request more than once?

2012-03-24 Thread Phil Mayers

On 03/23/2012 02:12 PM, mark.le...@stfc.ac.uk wrote:
> isn’t possible, do I have any other options? Would a solution be to make
> the virtual servers listen on two different IP addresses, and configure
> the NAS to use a different RADIUS server IP address for each SSID?


That is the common solution, based on what I've seen. It's what we do.