Re: Configuring Freeradius with LDAP

2012-04-18 Thread Mark Holmes
I think

http://wiki.freeradius.org/Rlm_ldap

has what you are after.

Mark



On 18 Apr 2012, at 18:53, "Wassim Zaarour" <wassim.zaar...@navlink.com> wrote:

> Hi List,
>
> I have installed freeradius 2.1.12, and it's working well.
>
> Now I need to configure it to authenticate with LDAP (Sun Directory Server) but
> I can't seem to find which file to configure in raddb, I can't find it in
> radiusd.conf
>
> I appreciate any help on this.

> Wassim C. Zaarour
> Systems & Network Engineer
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring Freeradius with LDAP

2012-04-18 Thread Tobias Hachmer

On 18.04.2012 19:47, Wassim Zaarour wrote:

> Now I need to configure it to authenticate with LDAP (Sun Directory
> Server) but I can't seem to find which file to configure in raddb, I
> can't find it in radiusd.conf


Did you try Google or just the search box on wiki.freeradius.org?

http://wiki.freeradius.org/search?q=ldap

Tobias Hachmer


Re: (rlm_ippool does not create DB and IDX files) rlm_ippool can not open DB/IDX files

2012-04-18 Thread John Dennis

On 04/18/2012 11:57 AM, rogiermulder wrote:

> Thanks Fajar! It was SELinux making trouble.


Please file a bug against SELinux so the issue gets fixed. Be sure to 
include the AVC's from /var/log/audit/audit.log.


--
John Dennis 



Re: regular expression grouping issue on attrs filter

2012-04-18 Thread Ivo Vastert
Hi Phil,

Thank you for your answer.
I just tried your rule but this one is refused as well (Freeradius won't start
with it, giving a parse error).

Framed-IP-Address =~ /^172\.(1[6-9]|2[0-9]|3[01])\./
I still have the feeling ( ) is not accepted; when we don't use the
grouping characters, the line is accepted.
Do you have any other suggestions we can try?

Best regards,

Ivo

On Apr 18, 2012, at 5:35 PM, Phil Mayers wrote:

> On 18/04/12 15:30, Ivo Vastert wrote:
>> Hi,
>> 
>> I'm currently having an issue implementing a regular expression within the 
>> attrs configuration file.
>> When I try to group entries within a regular expression the configuration is 
>> rejected:
> 
> What does that mean? "Rejected" how?
> 
>> 
>> For example:
>> 
>> This entry works:
>> Framed-IP-Address =~ 
>> /^172\.1[6-9]|2[0-9]|3[0-1]\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]$/
>> 
>> This entry doesn't work:
>> Framed-IP-Address =~ 
>> /^172\.(1[6-9]|2[0-9]|3[0-1])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$/
>> 
> 
> Doesn't work how?
> 
>> Does anyone know the correct syntax for grouping an entry within a regular 
>> expression?
>> It looks like grouping by () is not supported by freeradius?
> 
> Not correct; () is the grouping operator.
> 
> I suspect you just have the syntax of your regexp wrong. Either that, or your 
> system regexp library is broken - FreeRADIUS just uses that.
> 
> The regexp you list above is more complex than it needs to be IMO; 
> Framed-IP-Address can't have the "wrong" syntax because the server enforces 
> it.
> 
> Try the simpler:
> 
> Framed-IP-Address =~ /^172\.(1[6-9]|2[0-9]|3[01])\./
> 
>> freeradius: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on 
>> Sep  7 2008 at 23:35:34
> 
> It is unrelated to your problem, but that is an old version. Upgrade to 
> 2.1.12.


Configuring Freeradius with LDAP

2012-04-18 Thread Wassim Zaarour
Hi List,

I have installed freeradius 2.1.12, and it's working well.

Now I need to configure it to authenticate with LDAP (Sun Directory Server)
but I can't seem to find which file to configure in raddb, I can't find it
in radiusd.conf

I appreciate any help on this.

Wassim C. Zaarour
Systems & Network Engineer


Re: Freeradius with Cisco Wireless Controller

2012-04-18 Thread Matthew Newton
On Wed, Apr 18, 2012 at 12:24:46PM -0300, Martin Silvero wrote:
> I use freeradius with cisco access point and vlans assignment, works fine
> but now I try to use Cisco Wireless Controller and the vlan assignment doesn't
> work.

Make sure your Access-Accept packet has the following AV pairs:

  Tunnel-Type := 13
  Tunnel-Medium-Type := 6
  Tunnel-Private-Group-Id := 

Ensure your WLAN on the controller has AAA override, e.g. do

  config wlan aaa-override enable 

or configure it in the interface.

As others have said, radiusd -X will tell you the former. Only you
can check the latter.

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom



Re: Freeradius with Cisco Wireless Controller

2012-04-18 Thread Alan Buxey
Those logs don't show anything useful. Cisco wireless controllers work fine 
with freeradius, we've been using them since day 1 with our FR through the 
years.

What attributes are you sending and is the WLAN configured for vlan override if 
you are assigning vlan by FR?

alan


Re: (rlm_ippool does not create DB and IDX files) rlm_ippool can not open DB/IDX files

2012-04-18 Thread rogiermulder
Thanks Fajar! It was SELinux making trouble.

Yes, that was a cut&paste error

rgrds rgr



Re: Freeradius with Cisco Wireless Controller

2012-04-18 Thread Phil Mayers

On 18/04/12 16:24, Martin Silvero wrote:

> Hi,
>
> I use freeradius with cisco access point and vlans assignment, works fine
> but now I try to use Cisco Wireless Controller and the vlan assignment
> doesn't work.
> Can you help me?

If you are sending the VLAN attributes, then FreeRADIUS is working. 
Check the attributes are being sent. If not, configure FreeRADIUS to 
send them. If they are being sent, look at the wireless controller.

> I send the logs:

These logs are useless.

Please send a full debug, with "radiusd -X" as described on the list daily.

However, before you send it, please READ it. The debug will probably 
show you the problem.

> Does freeradius work with cisco wireless controller?

Yes.


Re: regular expression grouping issue on attrs filter

2012-04-18 Thread Phil Mayers

On 18/04/12 15:30, Ivo Vastert wrote:

> Hi,
>
> I'm currently having an issue implementing a regular expression within the attrs
> configuration file.
> When I try to group entries within a regular expression the configuration is
> rejected:

What does that mean? "Rejected" how?

> For example:
>
> This entry works:
> Framed-IP-Address =~
> /^172\.1[6-9]|2[0-9]|3[0-1]\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]$/
>
> This entry doesn't work:
> Framed-IP-Address =~
> /^172\.(1[6-9]|2[0-9]|3[0-1])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$/

Doesn't work how?

> Does anyone know the correct syntax for grouping an entry within a regular
> expression?
> It looks like grouping by () is not supported by freeradius?

Not correct; () is the grouping operator.

I suspect you just have the syntax of your regexp wrong. Either that, or 
your system regexp library is broken - FreeRADIUS just uses that.

The regexp you list above is more complex than it needs to be IMO; 
Framed-IP-Address can't have the "wrong" syntax because the server 
enforces it.

Try the simpler:

Framed-IP-Address =~ /^172\.(1[6-9]|2[0-9]|3[01])\./

> freeradius: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep  
> 7 2008 at 23:35:34

It is unrelated to your problem, but that is an old version. Upgrade to 
2.1.12.

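Added illustration, not code from the thread or from the FreeRADIUS project: this C program feeds Ivo's two patterns and Phil's shorter one through the POSIX regcomp()/regexec() calls that the server's system regex library provides, against a few constructed addresses. It shows why the "working" ungrouped entry is the one to worry about in an attrs filter: because `|` binds more loosely than concatenation, `2[0-9]` and `[1-9][0-9]` become stand-alone, unanchored alternatives, so a 10.x or 192.168.x address passes the filter, while both grouped forms admit only 172.16/12.

```c
#include <regex.h>
#include <stdio.h>

/* Ivo's "working" entry: no parentheses, so every '|' splits the whole
 * pattern and only the first alternative carries the '^' anchor. */
static const char *UNGROUPED =
    "^172\\.1[6-9]|2[0-9]|3[0-1]\\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]"
    "|25[0-5]\\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]$";

/* Ivo's rejected entry, exactly as posted: it is valid POSIX ERE. */
static const char *GROUPED_FULL =
    "^172\\.(1[6-9]|2[0-9]|3[0-1])\\."
    "([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\\."
    "([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$";

/* Phil's shorter suggestion: the server already guarantees a well-formed
 * Framed-IP-Address, so only the first two octets need checking. */
static const char *GROUPED_SHORT = "^172\\.(1[6-9]|2[0-9]|3[01])\\.";

/* Compile `pattern` as an extended regex and search `s` with it, using the
 * same libc regcomp()/regexec() the server delegates =~ to. regexec() has
 * search semantics: an alternative without '^' may match anywhere.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
int ere_matches(const char *pattern, const char *s)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, s, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample addresses: two inside 172.16/12, three outside. */
    static const char *samples[] = {
        "172.16.0.1", "172.31.255.254", "172.32.0.1", "10.20.0.1", "192.168.1.1"
    };
    printf("%-16s %-9s %-12s %s\n",
           "address", "ungrouped", "grouped-full", "grouped-short");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %-9d %-12d %d\n", samples[i],
               ere_matches(UNGROUPED, samples[i]),
               ere_matches(GROUPED_FULL, samples[i]),
               ere_matches(GROUPED_SHORT, samples[i]));
    return 0;
}
```

The ungrouped pattern reports 1 for all five addresses (anything with two adjacent digits matches one of its loose alternatives), while both grouped patterns report 1 only for the two 172.16/12 addresses.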


Freeradius with Cisco Wireless Controller

2012-04-18 Thread Martin Silvero
Hi,

I use freeradius with cisco access point and vlans assignment, works fine
but now I try to use Cisco Wireless Controller and the vlan assignment doesn't
work.
Can you help me?

I send the logs:
Many thanks!


Log without access points and wireless controller:


server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++? if (!Huntgroup-Name)
? Evaluating !(Huntgroup-Name) -> TRUE
++? if (!Huntgroup-Name) -> TRUE
++- entering if (!Huntgroup-Name) {...}
+++[reply] returns ok
++- if (!Huntgroup-Name) returns ok
++? if (Huntgroup-Name == "list")
(Attribute Huntgroup-Name was not found)

doesn't check groups.

Log with access points only:

 server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++? if (!Huntgroup-Name)
? Evaluating !(Huntgroup-Name) -> FALSE
++? if (!Huntgroup-Name) -> FALSE
++? if (Huntgroup-Name == "list")
? Evaluating (Huntgroup-Name == "list") -> TRUE
++? if (Huntgroup-Name == "list") -> TRUE
++- entering if (Huntgroup-Name == "list") {...}
+++? if (Ldap-Group == "WIFI-Direccion")
rlm_ldap: Entering ldap_groupcmp()

In this case check each group


The config is the same.

Does freeradius work with cisco wireless controller?

Thanks!

regular expression grouping issue on attrs filter

2012-04-18 Thread Ivo Vastert
Hi,

I'm currently having an issue implementing a regular expression within the attrs 
configuration file.
When I try to group entries within a regular expression the configuration is 
rejected:

For example:

This entry works:
Framed-IP-Address =~ 
/^172\.1[6-9]|2[0-9]|3[0-1]\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]$/

This entry doesn't work:
Framed-IP-Address =~ 
/^172\.(1[6-9]|2[0-9]|3[0-1])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$/

Does anyone know the correct syntax for grouping an entry within a regular 
expression?
It looks like grouping by () is not supported by freeradius?

We are using the following version:
freeradius: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep  
7 2008 at 23:35:34

Best regards,

Ivo Vastert


Re: Auth-Type Fall-Through & ldap timeouts

2012-04-18 Thread Tobias Hachmer

On 18.04.2012 14:36, Phil Mayers wrote:

> On 18/04/12 13:16, Tobias Hachmer wrote:
>
>> Ok, I configure the same users, these are about 10-15 users, which
>> are stored in Active Directory, in the sql database. The sql database
>> should be used for authentication only if the ldap servers are not
>> available.
>
> So the SQL server contains an "emergency" subset of the real users?

Yes, that's what I tried to explain.

>> So I just sniffed the network for packets and recognized that my
>> freeradius machine sends out a lot of arp packets for the dns
>> server. Then I added the ldap server to the hosts file and now the
>> net_timeout = 1 seems to work. The timeouts now are ok and the first
>> radius-request is answered in time.
>
> Ok, that's good to know.
>
> This is sort of what I mean when I refer to libldap having an API
> that is sub-optimal in some cases; the net_timeout should really apply
> to an entire connection attempt, not just the connect() or read()
> calls.
>
> It's hard to know what FreeRADIUS can do about this; maybe there is
> scope for some kind of long-lived helper process that pools and polls
> the LDAP servers, pro-actively detecting failures. But it seems a
> complex solution.

I worried about this, so I asked for any other opportunities.

Tobias Hachmer



Re: Auth-Type Fall-Through & ldap timeouts

2012-04-18 Thread Tobias Hachmer

On 18.04.2012 14:32, Alan DeKok wrote:

> Tobias Hachmer wrote:
>
>> Simply as a fallback, in case there is a maintenance on the network
>> where the ldap servers are connected to. In this case we need to log on
>> to our switches though.
>
>   "Hi, I want my network to keep working when I take my network down."
>
>   That doesn't really make sense.  You're trying to work around a
> problem that can't be worked around.  Hacking the RADIUS server is a bad
> choice.

Hi,

well, I think it's not. In a big network, there's a backbone and 
multiple networks connected to that backbone. The network the active 
directory servers are connected to is one of them. When there is a 
maintenance on this network, e.g. switching the ospf area or whatever, I 
want the network administrators to be able to administer the network devices 
in the other networks, which are not under maintenance and still 
working.


Tobias Hachmer


Re: Using DHCP

2012-04-18 Thread qbik
Maybe I am going too far here, overthinking this. This is a custom hotspot
system so each group pertains to a plan (1 hour, 1 day, 5 days etc), these
groups have no timeout or idle timeout. What I want to avoid is leasing a
different ip to a user who is part of the 5 days group as the Captiveportal
checks for a match of ip+mac after authentication. Hence I wanted to specify
a lease time equal to the Max-All-Session-Time so the user does not get
prompted for his credentials on every ip change.

Thank you for your help. I will play around with unlang to specify a lease
time equal to the info in radcheck/radgroupcheck



Re: Auth-Type Fall-Through & ldap timeouts

2012-04-18 Thread Phil Mayers

On 18/04/12 13:16, Tobias Hachmer wrote:

> Ok, I configure the same users, these are about 10-15 users, which
> are stored in Active Directory, in the sql database. The sql database
> should be used for authentication only if the ldap servers are not
> available.

So the SQL server contains an "emergency" subset of the real users?

I guess that makes sense.

>> Which LDAP client libraries are you using, and which version?
>
> I use debian squeeze with libldap package libldap-2.4-2, an apt-cache
> show libldap-2.4-2 shows the Version: 2.4.23-7.2
>
>> Which version of FreeRADIUS?
>
> FreeRADIUS 2.1.12
>
>> What does a "tcpdump" show for port 389 during your tests? Do you
>> get TCP RSTs, ICMP errors, or what?
>
> So I just sniffed the network for packets and recognized that my
> freeradius machine sends out a lot of arp packets for the dns
> server. Then I added the ldap server to the hosts file and now the
> net_timeout = 1 seems to work. The timeouts now are ok and the first
> radius-request is answered in time.

Ok, that's good to know.

This is sort of what I mean when I refer to libldap having an API that 
is sub-optimal in some cases; the net_timeout should really apply to an 
entire connection attempt, not just the connect() or read() calls.

It's hard to know what FreeRADIUS can do about this; maybe there is 
scope for some kind of long-lived helper process that pools and polls 
the LDAP servers, pro-actively detecting failures. But it seems a 
complex solution.



Re: Auth-Type Fall-Through & ldap timeouts

2012-04-18 Thread Alan DeKok
Tobias Hachmer wrote:
> Simply as a fallback, in case there is a maintenance on the network
> where the ldap servers are connected to. In this case we need to log on
> to our switches though.

  "Hi, I want my network to keep working when I take my network down."

  That doesn't really make sense.  You're trying to work around a
problem that can't be worked around.  Hacking the RADIUS server is a bad
choice.

  Alan DeKok.


Re: Auth-Type Fall-Through & ldap timeouts

2012-04-18 Thread Tobias Hachmer

On 18.04.2012 12:33, Phil Mayers wrote:

> On 18/04/12 09:40, Tobias Hachmer wrote:
>> I'm using a sql database for authorization and ldap for
>> authentication.
>>
>> For fail-over reasons I want to authenticate against user-password
>> information stored in my sql database if my ldap servers are not
>> available (all ldap modules return fail).
>
> Why would you do this?

Simply as a fallback, in case there is a maintenance on the network 
where the ldap servers are connected to. In this case we need to log on 
to our switches though.

> If SQL contains the users, just auth to SQL, surely?
> If you can explain your use-case, people might be able to make better
> suggestions.

Ok, I configure the same users, these are about 10-15 users, which are 
stored in Active Directory, in the sql database.
The sql database should be used for authentication only if the ldap 
servers are not available.

>> So I set the network interfaces of my ldap servers manually to down
>> and started testing. But the timeouts for every ldap module are too big
>> (circa 50 seconds).
>> I noticed the timeout directives in the ldap module. In all three
>> ldap modules the net_timeout is set to "1".
>>
>> Question 1: How can I reduce these timeouts?
>
> Which LDAP client libraries are you using, and which version?

I use debian squeeze with libldap package libldap-2.4-2, an apt-cache 
show libldap-2.4-2 shows the Version: 2.4.23-7.2

> Which version of FreeRADIUS?

FreeRADIUS 2.1.12

> What does a "tcpdump" show for port 389 during your tests? Do you get
> TCP RSTs, ICMP errors, or what?

So I just sniffed the network for packets and recognized that my 
freeradius machine sends out a lot of arp packets for the dns server.
Then I added the ldap server to the hosts file and now the net_timeout 
= 1 seems to work. The timeouts now are ok and the first radius-request 
is answered in time.


After that I changed my configuration to this:

Auth-Type LDAP {
    redundant {
        redundant-load-balance {
            ldap1
            ldap2
            ldap3
        }
        pap
    }
}

and it works now as expected.

My questions are answered and my problems seem to be solved. If anyone 
has any further suggestions please let me know.

Thank you for your reply. You pointed me in the right direction.

Regards,

Tobias Hachmer



Re: Auth-Type Fall-Through & ldap timeouts

2012-04-18 Thread Phil Mayers

On 18/04/12 09:40, Tobias Hachmer wrote:

> Hello list,
>
> I'm using a sql database for authorization and ldap for authentication.
> For fail-over reasons I want to authenticate against user-password
> information stored in my sql database if my ldap servers are not
> available (all ldap modules return fail).

Why would you do this?

If SQL contains the users, just auth to SQL, surely?

If you can explain your use-case, people might be able to make better 
suggestions.

> For authentication I configured:
>
> Auth-Type LDAP {
>     redundant-load-balance {
>         ldap1
>         ldap2
>         ldap3
>     }
>     if(fail) {
>         pap
>     }
> }
>
> So I set the network interfaces of my ldap servers manually to down and
> started testing. But the timeouts for every ldap module are too big
> (circa 50 seconds).
> I noticed the timeout directives in the ldap module. In all three ldap
> modules the net_timeout is set to "1".
>
> Question 1: How can I reduce these timeouts?

Which LDAP client libraries are you using, and which version?

Which version of FreeRADIUS?

What does a "tcpdump" show for port 389 during your tests? Do you get 
TCP RSTs, ICMP errors, or what?

> Question 2: Can I check earlier whether my ldap servers are available and if not
> skip Auth-Type LDAP or set Auth-Type to PAP?

Not natively in FreeRADIUS.

LDAP is problematic in this regard; the libldap APIs are pretty weak, 
and don't offer good asynchronous support, or timely error notification 
in some failure modes.

It's difficult for me to see what FreeRADIUS can do in situations like this.

> Question 3: Are there any other opportunities to do Auth-Type PAP if
> Auth-Type LDAP fails?

I'm not sure what you're asking here.


Auth-Type Fall-Through & ldap timeouts

2012-04-18 Thread Tobias Hachmer

Hello list,

I'm using a sql database for authorization and ldap for authentication.
For fail-over reasons I want to authenticate against user-password 
information stored in my sql database if my ldap servers are not 
available (all ldap modules return fail).


For authentication I configured:

Auth-Type LDAP {
    redundant-load-balance {
        ldap1
        ldap2
        ldap3
    }
    if(fail) {
        pap
    }
}

So I set the network interfaces of my ldap servers manually to down and 
started testing. But the timeouts for every ldap module are too big 
(circa 50 seconds).
I noticed the timeout directives in the ldap module. In all three ldap 
modules the net_timeout is set to "1".


Question 1: How can I reduce these timeouts?
Question 2: Can I check earlier whether my ldap servers are available and if 
not skip Auth-Type LDAP or set Auth-Type to PAP?
Question 3: Are there any other opportunities to do Auth-Type PAP if 
Auth-Type LDAP fails?


Thanks in advance,

Tobias Hachmer