Re: OpenDirectory VLAN Assignment by Group
Theparanoidone Theparanoidone wrote:

We have tried to copy all configuration settings from the old server to the new (so that nothing would change). We have no desire to change any of our configurations because they previously were working.

You've already said it was working previously. You said it multiple times in your last message. You say it again multiple times in this message. Why are you repeating yourself? What happened? What changed? You've been careful to avoid saying that.

I suspect the biggest change is the default executable of freeradius that is currently shipping with Mountain Lion server (as opposed to Snow Leopard). (I'm guessing this version may have some Apple quirks to it???)

radiusd -v
radiusd: FreeRADIUS Version 2.1.12, for host i386-apple-darwin12.0, built on Jun 20 2012 at 16:50:26

You already said you are now running 2.1.12. Why are you repeating yourself? Do you think we're stupid, and we don't understand your messages? What version WERE you using before this? I asked, and you didn't say that. Instead, you repeated yourself: We're now using 2.1.12! I managed to read your previous message. I *did* see that you were running 2.1.12. Repeating that information is rude.

So again... we've tried to keep all configuration files the same... if our /etc/raddb/users has the following ending entry... it does not appear to tag the VLAN anymore:

You already said that. Why are you repeating yourself?

DEFAULT Group-Name == testgroup

        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 101,
        Fall-Through = no

You do realize that format is incorrect, right? The extra blank line is wrong.

However... if we try and set a VLAN based upon a specific user (and not a group) ... then this works:

You already said that. Why are you repeating yourself?
DEFAULT User-Name == testuser
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 101,
        Fall-Through = no

The following is radiusd -X showing what happens when we match upon User-Name (which does work):

Which is useless. I didn't ask for this debug output. I didn't suggest you were lying about it. You already said REPEATEDLY that it works with User-Name. Maybe you think it's helpful to repeat yourself, and post enough useless output?

The problem here is NOT that something changed. The problem is that YOU are REFUSING to find out what changed. YOU are REFUSING to use simple debugging methods to track down what changed.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MOTP-AS + Freeradius startup problem
Hello Aleksey

I think this is a permission problem. radiusd is running under a non-root UNIX user when launched by the Ubuntu-provided init script. Check that /var/www/html/radius-client.php is readable by this user.

Бедняков Алексей wrote:

Hi, I'm trying to configure Freeradius with MOTP http://motp.sourceforge.net/ by the MOTP-AS http://motp-as.network-cube.de/index.php/project/features-information authentication framework as shown in the documentation http://motp-as.network-cube.de/index.php/documentation/installation. In debugging mode this works perfectly. Here is the complete output http://paste.ubuntu.com/1150699/ of radiusd -X (client 192.168.1.132 with secret word 12345 successfully authenticates with name a.bednyakov and password 929450 provided by MOTP). But starting with `service radiusd start` I get this http://paste.ubuntu.com/1150663/ error message in radius.log. The script that gets the client's secret word still works:

[root@motp-a radius]# php /var/www/html/radius-client.php secret 192.168.1.132
12345
[root@motp-a radius]#

Maybe FreeRADIUS environment variables work differently in debugging and service modes? Or am I missing something else?
Re: dictionary.mikrotik patch
On Fri, Aug 17, 2012 at 08:56:37PM +0100, Scott Lambert wrote:

+ATTRIBUTEMikrotik-Delegated-IPV6-Pool22 string

I'd suggest that this should be type 'ipv6prefix'.

Ben
--
Ben Brown, Systems Engineer, Plusnet Plc, www.plus.net
Registered Office: The Balance, 2 Pinfold Street, Sheffield, S1 2GU. Registered in England no: 3279013
Re: OpenDirectory VLAN Assignment by Group
On 08/21/2012 07:08 AM, Theparanoidone Theparanoidone wrote:

Hi Alan~ We have tried to copy all configuration settings from the old server to the new (so that nothing would change). We have no desire to change any of our configurations because they previously were working.

What happened? What changed? You've been careful to avoid saying that.

I suspect the biggest change is the default executable of freeradius that is currently shipping with Mountain Lion server (as opposed to Snow Leopard). (I'm guessing this version may have some Apple quirks to it???)

radiusd -v
radiusd: FreeRADIUS Version 2.1.12, for host i386-apple-darwin12.0, built on Jun 20 2012 at 16:50:26

So again... we've tried to keep all configuration files the same... if our /etc/raddb/users has the following ending entry... it does not appear to tag the VLAN anymore:

You are aware how Group-Name works, and which groups it is referring to, right? Specifically, it is not a real attribute, and doesn't exist in a concrete form. Rather, when you perform a comparison, a real-time search is done against the relevant database using the value on the right-hand side. Group-Name queries the POSIX getgrnam APIs, which are normally backed by /etc/group, but can be supplemented/replaced by nsswitch.

Assuming you have it installed, what does:

python -c '\
import grp;\
print "testuser" in grp.getgrnam("testgroup").gr_mem'

...say? This fragment uses the same APIs as Group-Name. If this says True then you've mis-configured FreeRADIUS somehow. If it says False, then the user isn't in the group as reported by those APIs, and you'll need to query your group database another way. It might be the latter - maybe your new OS X machine isn't pulling Unix groups from OpenDirectory, but the old one was?

Usually, using Group-Name is a bad choice; if there is a backend database (LDAP, SQL, text files) you are better off querying it directly, rather than interposing the get*nam APIs.
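To make Phil's getgrnam test repeatable on both servers, here is an added example (mine, not code from this thread or from FreeRADIUS) that puts the same pwd/grp lookups behind an injectable resolver, so the check can be run against constructed databases as well as the live system. It assumes, from my reading of rlm_unix's groupcmp, that FreeRADIUS also counts a user as a member when the user's primary gid in passwd equals the group's gid even if that user is missing from gr_mem; the thread's one-liner only looks at gr_mem, so the two can disagree. The names testuser/testgroup come from the thread; the `svc` account, the gids and the two sample databases are constructed (old server: the directory group lists testuser; new server: the group resolves but its member list comes back empty).

```python
"""Group-Name style membership check, decoupled from the live NSS database.

Added example, not code from this thread or from FreeRADIUS. Assumption:
rlm_unix's Group-Name comparison treats a user as a member when either the
user's primary gid (from getpwnam) equals the group's gid (from getgrnam)
or the user appears in the group's gr_mem list. The sample databases below
are constructed to mimic the two OS X servers in the thread.
"""
import grp
import pwd
from typing import Callable, Dict, NamedTuple, Optional, Sequence


class PwEntry(NamedTuple):
    pw_name: str
    pw_gid: int


class GrEntry(NamedTuple):
    gr_name: str
    gr_gid: int
    gr_mem: Sequence[str]


Resolver = Callable[[str], object]  # getpwnam / getgrnam style lookup


def in_group(user: str, group: str,
             getpwnam: Resolver = pwd.getpwnam,
             getgrnam: Resolver = grp.getgrnam) -> Optional[bool]:
    """True/False as rlm_unix would see it, or None when a name is unknown
    to the resolver (e.g. the directory group is not visible to NSS)."""
    try:
        pw = getpwnam(user)
        gr = getgrnam(group)
    except KeyError:
        return None
    # Primary gid counts as membership even when gr_mem omits the user
    # (assumption about rlm_unix groupcmp, see module docstring).
    return pw.pw_gid == gr.gr_gid or user in gr.gr_mem


def one_liner(user: str, group: str, getgrnam: Resolver = grp.getgrnam) -> bool:
    """The exact check from the thread: only gr_mem is consulted."""
    return user in getgrnam(group).gr_mem


def make_resolvers(passwd: Dict[str, PwEntry], groups: Dict[str, GrEntry]):
    """Turn dicts into getpwnam/getgrnam lookalikes (KeyError when absent)."""
    return passwd.__getitem__, groups.__getitem__


# Constructed: on the old server the directory group lists its members.
OLD_PASSWD = {"testuser": PwEntry("testuser", 20),
              "svc": PwEntry("svc", 1001)}
OLD_GROUPS = {"staff": GrEntry("staff", 20, []),
              "testgroup": GrEntry("testgroup", 1001, ["testuser"])}

# Constructed: on the new server the group resolves but gr_mem is empty.
NEW_PASSWD = dict(OLD_PASSWD)
NEW_GROUPS = {"staff": GrEntry("staff", 20, []),
              "testgroup": GrEntry("testgroup", 1001, [])}


def diagnose(user: str, group: str, passwd, groups) -> str:
    """Human-readable verdict for one user/group pair on one database."""
    getpwnam, getgrnam = make_resolvers(passwd, groups)
    result = in_group(user, group, getpwnam, getgrnam)
    if result is None:
        return f"{group!r} or {user!r} not resolvable: query the directory (LDAP) instead"
    if result and not one_liner(user, group, getgrnam):
        return f"{user!r} is in {group!r} by primary gid only; the gr_mem one-liner misses it"
    return f"{user!r} in {group!r}: {result}"


if __name__ == "__main__":
    for label, pw_db, gr_db in (("old", OLD_PASSWD, OLD_GROUPS),
                                ("new", NEW_PASSWD, NEW_GROUPS)):
        for u in ("testuser", "svc"):
            print(label, diagnose(u, "testgroup", pw_db, gr_db))
    # Against the live system; None means the name is not visible to NSS.
    print("live", in_group("testuser", "testgroup"))
```

Run it on each server without arguments: the constructed cases show the three outcomes (member, member by primary gid only, unresolvable), and the final line shows what the live NSS view says for the real names, which is the number FreeRADIUS's Group-Name check is working from.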
Re: OpenDirectory VLAN Assignment by Group
Hi Alan~

You already said you are now running 2.1.12. Why are you repeating yourself? Do you think we're stupid, and we don't understand your messages? What version WERE you using before this? I asked, and you didn't say that.

Current:
radiusd: FreeRADIUS Version 2.1.12, for host i386-apple-darwin12.0, built on Jun 20 2012 at 16:50:26 (Mountain Lion)

Previous:
radiusd: FreeRADIUS Version 2.1.3, for host i386-apple-darwin10.0, built on Apr 11 2011 at 17:19:07 (Snow Leopard)

DEFAULT Group-Name == testgroup

        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 101,
        Fall-Through = no

You do realize that format is incorrect, right? The extra blank line is wrong.

Due to an email pasting mistake. The actual config does not have a blank line.

You already said that. Why are you repeating yourself? I didn't ask for this debug output. I didn't suggest you were lying about it. You already said REPEATEDLY that it works with User-Name. Maybe you think it's helpful to repeat yourself, and post enough useless output? The problem here is NOT that something changed. The problem is that YOU are REFUSING to find out what changed. YOU are REFUSING to use simple debugging methods to track down what changed.

Only tried to re-state the issue more clearly as I assumed my explanation was unclear. I have no doubt that this forum knows far more about freeradius than I do. I realize the explanation "nothing changed / it doesn't work" gets old... but I don't know what to tell you.

I'm assuming that the Group-Name field is not being set anymore via the OpenDirectory module included in Apple's latest freeradius deployment? maybe so, maybe not? (I don't know)

In the meantime... assuming the group is no longer passed back via OpenDirectory... I've attempted to perform an LDAP query via the authorize section of /etc/raddb/sites-enabled/default to help retrieve the Group-Name. I have now made the following modifications:

/etc/raddb/sites-enabled/default

authorize {
        ...
        # uncomment ldap
        ldap
        ...
}

/etc/raddb/modules/ldap

ldap {
        ...
        server = "myserver.mydomain.com"
        basedn = "dc=myserver,dc=mydomain,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=posixAccount)"
        ...
        groupname_attribute = cn
        groupmembership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ...
        ldap_debug = 0x0028
        ...
}

/etc/raddb/users

...
DEFAULT Ldap-Group == testgroup
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 101,
        Fall-Through = no

DEFAULT Ldap-Group == testgroup2
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 102,
        Fall-Through = no

Preliminary testing of the above appears to work. The server appears to allow authentication via OpenDirectory, and group VLAN tagging via LDAP queries to OpenDirectory for group membership tracking. I will continue to test.

I realize that the Apple platform for freeradius probably represents a minority user base. My hope is that anyone else encountering a similar issue may be helped by these posts. We have found that Apple's default OpenDirectory/OpenLDAP attribute mappings for memberUid (and etc) are slightly different than other linux distributions (so perhaps someone else can benefit from the rough draft above).

Feedback and questions are welcome if any of the above configurations look blatantly wrong or could be made better. I appreciate the help and patience.
Re: In-Reply-To: 1345548769.34535.yahoomail...@web161005.mail.bf1.yahoo.com
Please do not send me mail with an empty Subject. Your mail will not be delivered.
Recording post auth sql data
Hi, Hope this is a quick request for someone to answer, been googling and can't find the reply. I've altered the post-auth sql recording data a bit from the standard schema - I wanted to record some of the details of the request packet without relying on the NAS to do proper accounting, which I haven't got into yet. I'd quite like to record the attribute ClientShortname as referred to by the clients.conf file, but expansion of '%{request:Client-Short-Name}' didn't seem to work - blank string. Can I do this? Sometimes the Nas-Identifier attribute reported by the NAS isn't all that useful and the local definition in the clients file would be better. Thanks Andy - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Recording post auth sql data
On 21/08/12 13:33, Franks Andy (RLZ) IT Systems Engineer wrote:

Hi, Hope this is a quick request for someone to answer, been googling and can't find the reply. I've altered the post-auth sql recording data a bit from the standard schema - I wanted to record some of the details of the request packet without relying on the NAS to do "proper" accounting, which I haven't got into yet. I'd quite like to record the attribute ClientShortname as referred to by the clients.conf file, but expansion of '%{request:Client-Short-Name}' didn't seem to work - blank string.

Typo; you want:

Client-Shortname
Re: Recording post auth sql data
Franks Andy (RLZ) IT Systems Engineer wrote:

'%{request:Client-Short-Name}' didn't seem to work - blank string.

Use:

%{client:foo}

This expands to the foo entry of the relevant client section:

client stuff {
        ipaddr = 1.2.3.4
        secret = hello
        foo = bar
        bad = good
        black = white
}

Note that *will* work! %{client:black} will return the string white.

Alan DeKok.
Re: Recording post auth sql data
On Tue, Aug 21, 2012 at 01:33:00PM +0100, Franks Andy (RLZ) IT Systems Engineer wrote: got into yet. I'd quite like to record the attribute ClientShortname as referred to by the clients.conf file, but expansion of '%{request:Client-Short-Name}' didn't seem to work - blank string. Looking at dictionary.freeradius.internal (and xlat.c) - try %{Client-Shortname}. Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, ith...@le.ac.uk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: dictionary.mikrotik patch
Ben Brown bbr...@plus.net writes: On Fri, Aug 17, 2012 at 08:56:37PM +0100, Scott Lambert wrote: +ATTRIBUTE Mikrotik-Delegated-IPV6-Pool22 string I'd suggest that this should be type 'ipv6prefix'. I don't think so. It seems this is referring to a pre-configured pool by pool name. Bjørn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Recording post auth sql data
Ok, schoolboy error there! Thanks guys. Whilst on the subject, is it possible (in theory) to write different INSERT statements dependent on, for example, whether the post-auth section is based on having accepted or rejected the user. The sql modules named in the default virtual server file link through to a single post-auth section in dialup.conf with the insert statement, but is there any way of telling the module to link to a different insert statement? Or does all that not make any sense!? Thanks Andy -Original Message- From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu s.org] On Behalf Of Matthew Newton Sent: 21 August 2012 14:21 To: FreeRadius users mailing list Subject: Re: Recording post auth sql data On Tue, Aug 21, 2012 at 01:33:00PM +0100, Franks Andy (RLZ) IT Systems Engineer wrote: got into yet. I'd quite like to record the attribute ClientShortname as referred to by the clients.conf file, but expansion of '%{request:Client-Short-Name}' didn't seem to work - blank string. Looking at dictionary.freeradius.internal (and xlat.c) - try %{Client-Shortname}. Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, ith...@le.ac.uk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Recording post auth sql data
On 21 Aug 2012, at 14:46, Franks Andy \(RLZ\) IT Systems Engineer andy.fra...@sath.nhs.uk wrote: Ok, schoolboy error there! Thanks guys. Whilst on the subject, is it possible (in theory) to write different INSERT statements dependent on, for example, whether the post-auth section is based on having accepted or rejected the user. The sql modules named in the default virtual server file link through to a single post-auth section in dialup.conf with the insert statement, but is there any way of telling the module to link to a different insert statement? Or does all that not make any sense!? Thanks Andy Well you can use SQL XLAT instead of the post-auth method, or see master:HEAD, and use Post-Auth-Type in the reference. For SQL xlat: update request { Tmp-Integer-0 := %{sql:INSERT INTO blah blah blah} } -Arran -Original Message- From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu s.org] On Behalf Of Matthew Newton Sent: 21 August 2012 14:21 To: FreeRadius users mailing list Subject: Re: Recording post auth sql data On Tue, Aug 21, 2012 at 01:33:00PM +0100, Franks Andy (RLZ) IT Systems Engineer wrote: got into yet. I'd quite like to record the attribute ClientShortname as referred to by the clients.conf file, but expansion of '%{request:Client-Short-Name}' didn't seem to work - blank string. Looking at dictionary.freeradius.internal (and xlat.c) - try %{Client-Shortname}. Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, ith...@le.ac.uk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: OpenDirectory VLAN Assignment by Group
On 21.08.2012 11:07, Theparanoidone Theparanoidone wrote:

DEFAULT Group-Name == testgroup

        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 101,
        Fall-Through = no

You do realize that format is incorrect, right? The extra blank line is wrong.

Due to an email pasting mistake. The actual config does not have a blank line.

It seems it just happened again. Could you make sure the line

DEFAULT Group-Name == testgroup

is only terminated with 0x0a and not with 0x0d 0x0a? You can verify that by

hd /etc/raddb/users | less

and looking for the 'testgroup' entry.

Correct:
74 65 73 74 67 72 6f 75 70 0a 09 .. .. .. .. .. |testgroup

Wrong:
74 65 73 74 67 72 6f 75 70 0d 0a 09 .. .. .. .. |testgroup
                           ^^ ^^

Cheers Klaus
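Klaus's hd check automated, as an added example that is not part of the original post: scan a users-style text file for lines terminated with 0x0d 0x0a and print the tail of each offending line in hex, the way hd shows it. A carriage return left on the `DEFAULT Group-Name == testgroup` line is read by FreeRADIUS as part of the value, so the comparison silently never matches. The sample file content is constructed (one entry with a CRLF ending); the default path /etc/raddb/users is the file from the thread.

```python
"""Find CRLF-terminated lines in a FreeRADIUS text config (e.g. /etc/raddb/users).

Added example, not code from this thread. It automates the `hd` check
suggested on the list: a users-file line that ends in 0x0d 0x0a carries a
stray carriage return into the attribute value. SAMPLE below is constructed.
"""
import sys
from typing import List, Tuple


def crlf_lines(data: bytes) -> List[Tuple[int, str]]:
    """Return (1-based line number, hex of the last bytes incl. terminator)
    for every line terminated by CRLF. Bare-LF lines are not reported."""
    hits = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        if line.endswith(b"\r"):
            tail = line[-10:] + b"\n"  # last bytes plus the LF we split on
            hits.append((lineno, " ".join(f"{b:02x}" for b in tail)))
    return hits


def strip_cr(data: bytes) -> bytes:
    """Normalise CRLF to LF; a lone CR inside a value is left alone."""
    return data.replace(b"\r\n", b"\n")


# Constructed sample: the Group-Name entry was pasted from a web-mail buffer
# and kept its carriage return; the User-Name entry is clean.
SAMPLE = (
    b"DEFAULT User-Name == testuser\n"
    b"\tTunnel-Type = 13,\n"
    b"\tTunnel-Medium-Type = 6,\n"
    b"\tTunnel-Private-Group-Id = 101,\n"
    b"\tFall-Through = no\n"
    b"\n"
    b"DEFAULT Group-Name == testgroup\r\n"
    b"\tTunnel-Type = 13,\n"
    b"\tTunnel-Medium-Type = 6,\n"
    b"\tTunnel-Private-Group-Id = 101,\n"
    b"\tFall-Through = no\n"
)


def check_file(path: str) -> int:
    """Print offending lines (hd style) and return how many there were."""
    try:
        with open(path, "rb") as fh:
            hits = crlf_lines(fh.read())
    except OSError as exc:
        print(f"{path}: {exc}", file=sys.stderr)
        return 0
    for lineno, hexdump in hits:
        print(f"{path}:{lineno}: line ends in 0d 0a: {hexdump}")
    return len(hits)


if __name__ == "__main__":
    paths = sys.argv[1:] or ["/etc/raddb/users"]
    bad = sum(check_file(p) for p in paths)
    sys.exit(1 if bad else 0)
```

Run it against /etc/raddb/users (or any raddb file passed as an argument); a non-zero exit means at least one CRLF line was found, which makes it usable as a pre-restart check in a deployment script.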
Re: Question about SQLcounter and reject sessions
Thanks Fajar!! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Using many MAC Addresses with one user
Hi everybody!!

I'm using freeradius in a simple way (freeradius + MySQL). I have some users attached to some groups... it works fine!! The groups have some simple attributes like Max-All-Session in the radgroupcheck table. Now I need to limit the users to some MAC Addresses. I mean, I have the User and I need to use it only with these MAC Addresses:

00:23:8B:7F:47:DD
00:23:8B:7F:AA:BB
00:23:8B:7F:CC:EE

I'm using the attribute Calling-Station-Id in the radcheck table, like this:

Calling-Station-Id == 00:23:8B:7F:47:DD

It works fine, but just for only one MAC address. If I put 2 or more MAC addresses it doesn't work. What can I do in order to enable some MAC Addresses attached to users in the mysql database? (not only one?) Thanks !!

--
Andres Gomez
Little problem with sqlippool
Hi, I'm testing sqlippool, so far it's working well, but I've run into an exception that I hadn't thought about before. We use radius to authenticate the clients on wireless access points and with PPPoE, and now I started using sqlippool to dynamically distribute the IPs and BGP to announce the routes through the NASes. The problem is that radius allocates an IP for the client when he associates to an access point (the wireless authentication is done with the MAC Address as the UserName and Password) and another IP when he connects on PPPoE; of course the IP allocated for the MAC is not used, but the record stays in the radippool table and cannot be allocated to another user. Is there a way to do a regex or something like that before selecting a pool for the client? Thanks.
Re: Little problem with sqlippool
On 21 Aug 2012, at 16:20, Antonio Modesto mode...@isimples.com.br wrote:

Hi, I'm testing sqlippool, so far it's working well, but I've run into an exception that I hadn't thought about before. We use radius to authenticate the clients on wireless access points and with PPPoE, and now I started using sqlippool to dynamically distribute the IPs and BGP to announce the routes through the NASes. The problem is that radius allocates an IP for the client when he associates to an access point (the wireless authentication is done with the MAC Address as the UserName and Password) and another IP when he connects on PPPoE; of course the IP allocated for the MAC is not used, but the record stays in the radippool table and cannot be allocated to another user. Is there a way to do a regex or something like that before selecting a pool for the client?

see man unlang? :)
Re: MOTP-AS + Freeradius startup problem
I already thought of this idea, Iliya :) The needed file has "readable for all" permissions:

[root@motp-a ~]# ls -l /var/www/html/radius-client.php
-r--r--r--. 1 radiusd root 337 Jul 19 21:43 /var/www/html/radius-client.php

Also, I've just checked - you are right. The Radius server is running under the radiusd user:

[root@motp-a ~]# ps aux | grep radius
radiusd   4179  0.0  0.5  60444  2748 ?        Ssl  16:14   0:00 /usr/sbin/radiusd -d /etc/raddb
root      4187  0.0  0.1   4336   752 pts/0    S+   16:15   0:00 grep radius

But owning all needed files by this user and running in debug mode under him gives no result or additional info. Radius still works with the -X flag and fails in service mode with the same error.

And, if this has any value, all this is running on CentOS release 6.3, not Ubuntu. Sorry for the confusing paste site, it's just a comfortable place for sharing long files.
Re: MOTP-AS + Freeradius startup problem
Thanks for the interesting info, John. Seems that I must be ashamed of my inaccurate statements. I'm trying to configure FreeRadius to use MOTP-AS, which is a set of PHP scripts and an SQL database. I wasn't speaking of the Unix environment, I was speaking about FreeRadius run-time variables. Or, more precisely, about %{Packet-Src-IP-Address}. This variable is present in /var/log/radius/radius.log, which apparently was taken for an apache log. There the %{Packet-Src-IP-Address} variable is requested by the /var/www/html/radius-client.php script (this script takes the client's IP and searches for this client's secret word in the sql database), but this script works, as I demonstrated in my last post. So, can %{Packet-Src-IP-Address} be handled differently in debug and service modes and cause problems in FreeRADIUS's work?

17.08.2012, 16:49, John Dennis jden...@redhat.com:

On 08/17/2012 04:23 AM, Бедняков Алексей wrote:

Maybe FreeRADIUS environment variables work differently in debugging and service modes? Or am I missing something else?

Well, I'm not too sure what you're actually doing because what you posted appears to be an apache log, but to answer your question concerning environment variables, yes of course the handling of environment variables is different when run from init. Generally whatever launches daemons (there are different mechanisms) will not pass environment variables to the daemon. This is for security reasons. If memory serves me correctly there are a handful of special environment variables that do get passed, but in general the answer is system daemons with root privileges execute in a clean environment.

John
--
John Dennis jden...@redhat.com
Re: Little problem with sqlippool
On 21/08/12 16:20, Antonio Modesto wrote:

Hi, I'm testing sqlippool, so far it's working well, but I've run into an exception that I hadn't thought about before. We use radius to authenticate the clients on wireless access points and with PPPoE, and now I started using sqlippool to dynamically distribute the IPs and BGP to announce the routes through the NASes. The problem is that radius allocates an IP for the client when he associates to an access point (the wireless authentication is done with the MAC Address as the UserName and Password) and another IP when he connects on PPPoE; of course the IP allocated for the MAC is not used, but the record stays in the radippool table and cannot be allocated to another user. Is there a way to do a regex or something like that before selecting a pool for the client?

sqlippool only runs if you tell it to. So, you need to conditionally run it in post-auth. For example:

post-auth {
        ...
        if (Huntgroup-Name == "PPPoE") {
                # only allocate an IP on PPPoE
                sqlippool
        }
}

Alternatively, use virtual servers and client/listen statements to break the wireless and PPPoE policies out, and just don't use sqlippool in the wireless virtual server.
Re: Little problem with sqlippool
2012/8/21 Phil Mayers p.may...@imperial.ac.uk

On 21/08/12 16:20, Antonio Modesto wrote:

Hi, I'm testing sqlippool, so far it's working well, but I've run into an exception that I hadn't thought about before. We use radius to authenticate the clients on wireless access points and with PPPoE, and now I started using sqlippool to dynamically distribute the IPs and BGP to announce the routes through the NASes. The problem is that radius allocates an IP for the client when he associates to an access point (the wireless authentication is done with the MAC Address as the UserName and Password) and another IP when he connects on PPPoE; of course the IP allocated for the MAC is not used, but the record stays in the radippool table and cannot be allocated to another user. Is there a way to do a regex or something like that before selecting a pool for the client?

sqlippool only runs if you tell it to. So, you need to conditionally run it in post-auth. For example:

post-auth {
        ...
        if (Huntgroup-Name == "PPPoE") {
                # only allocate an IP on PPPoE
                sqlippool
        }
}

Alternatively, use virtual servers and client/listen statements to break the wireless and PPPoE policies out, and just don't use sqlippool in the wireless virtual server.

Can I test this 'if' statement against a radius attribute, such as Service-Type? Anyway, I had another idea, though it doesn't seem to be the best one. As I have two servers and just one is running radius 2.X with sqlippool, I could use one for wireless authentication and another for ppp authentication. Bad Idea?
user groups in ldap
Hello, I have setup freeradius with ldap lookup to authenticate Cisco shell access. As of now I have 2 groups setup in the ldap database. One is for network admins who have full access to every device. The second group is for support staff that only have read access to all the devices, but within this group are some individuals who need full access to some devices. I'm trying to figure out what will be the best way to implement this? Do I create another group in ldap and make them members of that group (not sure if this will work because if one group is matched the search will be stopped in the users file)? Do I use unlang to modify the Access-Accept based on username and NAS-IP? I'm trying to keep this as hands off as possible when it comes to management in the long run. If anyone has any experience dealing with such an issue, your advice will be greatly appreciated. Thanks in advance for your help. Aqdas
Re: Little problem with sqlippool
I've configured it this way:

if (Framed-Protocol == PPP) {
        sqlippool
}

It's working so far, I'll do some more tests. Thanks a lot.

2012/8/21 Antonio Modesto mode...@isimples.com.br

2012/8/21 Phil Mayers p.may...@imperial.ac.uk

On 21/08/12 16:20, Antonio Modesto wrote:

Hi, I'm testing sqlippool, so far it's working well, but I've run into an exception that I hadn't thought about before. We use radius to authenticate the clients on wireless access points and with PPPoE, and now I started using sqlippool to dynamically distribute the IPs and BGP to announce the routes through the NASes. The problem is that radius allocates an IP for the client when he associates to an access point (the wireless authentication is done with the MAC Address as the UserName and Password) and another IP when he connects on PPPoE; of course the IP allocated for the MAC is not used, but the record stays in the radippool table and cannot be allocated to another user. Is there a way to do a regex or something like that before selecting a pool for the client?

sqlippool only runs if you tell it to. So, you need to conditionally run it in post-auth. For example:

post-auth {
        ...
        if (Huntgroup-Name == "PPPoE") {
                # only allocate an IP on PPPoE
                sqlippool
        }
}

Alternatively, use virtual servers and client/listen statements to break the wireless and PPPoE policies out, and just don't use sqlippool in the wireless virtual server.

Can I test this 'if' statement against a radius attribute, such as Service-Type? Anyway, I had another idea, though it doesn't seem to be the best one. As I have two servers and just one is running radius 2.X with sqlippool, I could use one for wireless authentication and another for ppp authentication. Bad Idea?

--
Regards,
Antônio Modesto
IT Manager
Praça Getúlio Vargas, 77 – Sala 308 – Centro
Santo Antônio do Monte – MG – CEP: 35560-000
Tel: (37) 3281-2800
Contact: isimp...@isimples.com.br
http://www.isimples.com.br

Notice: This message and any attached files may contain confidential and/or privileged information. If you are not the addressee or the person authorized to receive this message, please do not read, copy, forward, print, store or take any action based on this information. Notify the sender immediately by e-mail and delete the message permanently. Attention: although Isimples Telecom takes care to ensure the absence of viruses in this e-mail, the company is not responsible for any loss or damage arising from the use of the message and its attachments. Security and freedom from errors in e-mail transmission cannot be guaranteed, since information may be intercepted, corrupted, lost, destroyed, delayed, arrive incomplete, or contain viruses. We recommend checking whether the e-mail and its attachments contain viruses, since neither Isimples Telecom nor the sender is responsible for their transmission.
Redundant Proxy for Authentication
Hi, I want to know if it's possible to proxy authentication request in a redundant fashion (just like we can do with ldap or mysql modules in a redundant block). On each requests, we want to proxy it to a primary server, if it's succeeding, move on, but if the authentication fails, we need to proxy to a secondary server. It's not fail-over we are looking for. Thanks! -- Francois Gaudreault, ing. jr fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: OpenDirectory VLAN Assignment by Group
Hi Phil~

> You are aware how Group-Name works, and which groups it is referring to, right? Specifically, it is not a real attribute, and doesn't exist in a concrete form. Rather, when you perform a comparison, a real-time search is done against the relevant database using the value on the right-hand side. Group-Name queries the POSIX getgrnam APIs, which are normally backed by /etc/group, but can be supplemented/replaced by nsswitch.

Thank you, this is helpful information. Since the groups we are testing are not actual unix groups but openldap/OpenDirectory groups... I'm assuming there must have been some nsswitch configuration on the old server that helped with this. Apple appears to use the directory service utils to handle this, as there is no nsswitch.conf. I'm currently looking into nsswitch equivalents for Apple (things like dscl localhost -read /Search).

> Assuming you have it installed, what does:
>
>     python -c 'import grp; print("testuser" in grp.getgrnam("testgroup").gr_mem)'
>
> ...say? This fragment uses the same APIs as Group-Name. If this says True then you've mis-configured FreeRADIUS somehow. If it says False, then the user isn't in the group as reported by those APIs, and you'll need to query your group database another way. It might be the latter - maybe your new OS X machine isn't pulling Unix groups from OpenDirectory, but the old one was?

Thank you for that test code, that is extremely helpful. The output on the NEW server returns: False. The output on the OLD server returns: True.

From the behavior observed, plus the information you provided above... I agree that it looks like I will have to pull this information in another way. I just missed your email late last night... in my prior reply I have a working prototype that queries OpenDirectory for the user authentication... and queries the group via openldap (via OpenDirectory). It appears to be working; I plan to test it more today.

> Usually, using Group-Name is a bad choice; if there is a backend database (LDAP, SQL, text files) you are better off querying it directly, rather than interposing the get*nam APIs.

Thank you for this... I did not know that Group-Name is not always the best choice. I seem to be missing an obvious piece of documentation... but neither http://freeradius.org/rfc/attributes.html nor http://freeradius.org/radiusd/man/users.html nor http://freeradius.org/radiusd/man/rlm_unix.html mention anything about Group-Name. Can you point me towards a document describing this? (tried searching, I must be missing it)

Thanks again.
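The exchange above turns on what the Group-Name check actually consults. The following is an added example, not code from the thread or from FreeRADIUS: it mirrors in Python the lookup rlm_unix performs for `Group-Name == X` (getpwnam() for the user, getgrnam() for the group, then a match on either the user's primary gid or the group's gr_mem list) and reports which of those steps failed, so "group not visible through the system lookups at all" can be told apart from "user not in the group". The stand-in passwd/group tables, user names and gids below are constructed for the demonstration; run without them, the script queries the real system databases, which is what you would do on each of the two servers.

```python
"""Added example: how the FreeRADIUS Group-Name check resolves, mirrored in
Python so the same lookup can be run and explained on either server.

rlm_unix answers `Group-Name == X` with the POSIX getpwnam()/getgrnam() calls.
The user matches when the group's gid equals the user's primary gid, or when
the user appears in the group's supplementary member list (gr_mem). Nothing
here talks to OpenDirectory or LDAP directly: if the directory is not wired
into those lookups, a group that exists in LDAP is simply not found.
"""
import collections
import grp
import pwd
import sys


def diagnose(user, group, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """Explain the Group-Name result for one user/group pair.

    Returns one of:
      'no-such-user'  - getpwnam() failed: user not visible to NSS/DirectoryService
      'no-such-group' - getgrnam() failed: group not visible to NSS/DirectoryService
      'primary'       - group gid == user's primary gid
      'member'        - user listed in the group's gr_mem
      'not-member'    - both exist, user is not in the group
    """
    try:
        pw = getpwnam(user)
    except KeyError:
        return 'no-such-user'
    try:
        gr = getgrnam(group)
    except KeyError:
        return 'no-such-group'
    if pw.pw_gid == gr.gr_gid:
        return 'primary'
    if user in gr.gr_mem:
        return 'member'
    return 'not-member'


def in_unix_group(user, group, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """True if `user` is in `group` as the get*nam APIs report it.

    Unlike the one-liner `user in grp.getgrnam(group).gr_mem`, this also
    honours membership through the user's primary gid, as rlm_unix does.
    """
    return diagnose(user, group, getpwnam, getgrnam) in ('primary', 'member')


# Constructed stand-in databases so the logic can be exercised offline.
# Names, uids and gids are made up; nothing here comes from the poster's servers.
_Passwd = collections.namedtuple('Passwd', 'pw_name pw_uid pw_gid')
_Group = collections.namedtuple('Group', 'gr_name gr_gid gr_mem')

FAKE_PASSWD = {
    'testuser': _Passwd('testuser', 501, 20),   # primary group is 'staff'
    'alice': _Passwd('alice', 502, 20),
}
FAKE_GROUPS = {
    'staff': _Group('staff', 20, []),           # members only via primary gid
    'testgroup': _Group('testgroup', 1001, ['alice']),
}


def fake_getpwnam(name):
    """getpwnam() stand-in: raises KeyError for unknown names like the real call."""
    return FAKE_PASSWD[name]


def fake_getgrnam(name):
    """getgrnam() stand-in: raises KeyError for unknown names like the real call."""
    return FAKE_GROUPS[name]


if __name__ == '__main__':
    # Usage: python groupcheck.py USER GROUP   (queries the real system databases)
    u, g = sys.argv[1], sys.argv[2]
    print('%s in %s: %s (%s)' % (u, g, in_unix_group(u, g), diagnose(u, g)))
```

On the new server described above, `diagnose('testuser', 'testgroup')` would be expected to return 'no-such-group' or 'not-member' rather than 'member'; the former is the case where the OpenDirectory group is never exposed to the getgrnam() path at all.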
Re: OpenDirectory VLAN Assignment by Group
Hi Klaus~

>>>> DEFAULT Group-Name == testgroup
>>>>         Tunnel-Type = 13,
>>>>         Tunnel-Medium-Type = 6,
>>>>         Tunnel-Private-Group-Id = 101,
>>>>         Fall-Through = no
>>>
>>> You do realize that format is incorrect, right? The extra blank line is wrong.
>>
>> Due to email pasting mistake. Actual config does not have blank line.
>
> It seems it just happened again. Could you make sure the line
>
>     DEFAULT Group-Name == testgroup
>
> is only terminated with 0x0a and not with 0x0d 0x0a?

Good eye... I believe this is yahoo web mail pasting related. But this is a valid point (if it pastes wrong into a browser, maybe it is wrong?). However, I checked it with xxd and can confirm the lines only end in 0x0a.

From Phil's prior post, it looks like we have narrowed in on a different handling of OpenDirectory groups in old Snow Leopard versus new Mountain Lion... the output of

    python -c 'import grp; print("testuser" in grp.getgrnam("testgroup").gr_mem)'

is different between the two machines. If I can locate what is causing the different behavior in nsswitch/directoryservice (or some other core config)... I'll post it back.

Thank you Klaus, Phil, and Alan for your help.
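Two formatting faults were raised against the users entry in this thread: a blank line between the check line and the reply items, and the possibility of 0x0d 0x0a line endings. The script below is an added example, not from the thread or from FreeRADIUS, that checks a users file for both (plus a reply line that lacks the comma it needs when another reply line follows). The two sample files are constructed for the demonstration, the second one deliberately carrying CRLF endings, a stray blank line and a missing comma; the message strings are this script's own.

```python
"""Added example: lint a FreeRADIUS `users` file for the formatting faults
discussed in this thread.

Entry layout in the users file: one unindented line of check items, then
indented reply-item lines under it; each reply line except the last ends
with a comma. A blank line is not part of an entry, so one between the
check line and the reply items breaks the entry. Lines must end in 0x0a,
not 0x0d 0x0a, which is what the xxd check in the thread was looking for.
"""
import sys

MSG_CRLF = 'CRLF line ending (0x0d 0x0a); the file must use LF only'
MSG_ORPHAN = 'indented reply item not attached to a check line (blank line above it?)'
MSG_COMMA = 'reply item must end with a comma when another reply item follows'


def lint_users_file(data):
    """Return a list of (line_number, message) for problems found in `data` (bytes)."""
    problems = []
    lines = data.split(b'\n')
    if lines and lines[-1] == b'':
        lines.pop()                      # trailing newline, not an extra line
    prev_kind = 'blank'
    prev_reply = None                    # (line_number, text) of the last reply line
    for num, raw in enumerate(lines, 1):
        if raw.endswith(b'\r'):
            problems.append((num, MSG_CRLF))
            raw = raw[:-1]
        text = raw.decode('utf-8', 'replace')
        stripped = text.strip()
        if stripped.startswith('#'):
            continue                     # comments do not affect entry structure
        if not stripped:
            kind = 'blank'
        elif text[0] in ' \t':
            kind = 'reply'
        else:
            kind = 'check'
        if kind == 'reply':
            if prev_kind == 'blank':
                problems.append((num, MSG_ORPHAN))
            elif prev_kind == 'reply' and not prev_reply[1].rstrip().endswith(','):
                problems.append((prev_reply[0], MSG_COMMA))
            prev_reply = (num, text)
        else:
            prev_reply = None
        prev_kind = kind
    return problems


# Constructed samples: the entry from the thread, correctly laid out ...
GOOD_USERS = (
    b'DEFAULT Group-Name == testgroup\n'
    b'\tTunnel-Type = 13,\n'
    b'\tTunnel-Medium-Type = 6,\n'
    b'\tTunnel-Private-Group-Id = 101,\n'
    b'\tFall-Through = no\n'
)

# ... and the same entry with CRLF endings, a blank line after the check line
# and a missing comma after Tunnel-Medium-Type.
BAD_USERS = (
    b'DEFAULT Group-Name == testgroup\r\n'
    b'\r\n'
    b'\tTunnel-Type = 13,\r\n'
    b'\tTunnel-Medium-Type = 6\r\n'
    b'\tTunnel-Private-Group-Id = 101,\r\n'
    b'\tFall-Through = no\r\n'
)


if __name__ == '__main__':
    # Usage: python lint_users.py /etc/raddb/users
    with open(sys.argv[1], 'rb') as fh:
        for lineno, msg in lint_users_file(fh.read()):
            print('%s:%d: %s' % (sys.argv[1], lineno, msg))
```

The check is byte-oriented on purpose: a file opened in text mode would have its CR bytes normalised away on some platforms and the very fault being hunted would disappear.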
Best way to cope with multiple SSIDs and MAC auth
Hi again,

Thanks for everyone's input on the last question I asked today. I have another: we are running Cisco 1100/1200 series APs with multiple SSIDs. Depending on LDAP groups, users are assigned a VLAN which corresponds to the internal or DMZ based network. The issue is that if a user is in both groups, I either have to assign a most important one or do something else. With some devices I'd like the opportunity to join either VLAN.

Because I am not aware that the Cisco IOS can send an SSID attribute to the radius server (if someone knows how to do this PLEASE tell me!), I need to either send the authentication request to another radius server and proxy from there so that all the traffic appears from one IP address, or choose a different port and create a separate virtual server that listens on that port and contains perhaps a different files section, perhaps users_ssid or something that has separate rules.

Anybody got any bright ideas or opinions on which would be best?

Thanks
Andy
Re: Best way to cope with multiple SSIDs and MAC auth
Hi,

> Because I am not aware that the cisco IOS can send an "SSID" attribute to the radius server (if someone knows how to do this PLEASE tell me!), I

yes, it does - the attribute will depend on model and IOS version - but if you run the server in full debug mode then you will see the attribute arrive in the access-request - with the SSID you are looking for present.

alan
RE: Best way to cope with multiple SSIDs and MAC auth
Hi - thanks for the reply

I have a relatively new version of IOS and I can't see the attribute coming through, either on freeradius or using the debug radius command on the AP. I wonder if it's something you have to set in the AP that's non-default.

As an aside, I wonder if there's an internal freeradius attribute that can tell me the port number that an auth request comes through on? If I use the radtest program, I see the NAS-Port being set to 1812, but the APs don't do this - the NAS-Port attribute is often a random number, not the destination port number.
RE: Best way to cope with multiple SSIDs and MAC auth
Just an update: I do see something on the IOS interface:

    RADIUS: AAA Unsupported Attr: ssid [263] 8
    *May 17 16:47:01.236: RADIUS: 52 53 48 5F 57 69 [RSH_Wi]

I didn't notice it as it's above the actual sent attribute section. The attribute doesn't make it through to the radius server. Anyone any ideas?
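Andy's second option, a separate listen port per SSID with its own users file, and his aside about learning which local port a request arrived on, can be done without a second RADIUS server. The configuration below is an added example written for this thread, not taken from it or from the FreeRADIUS distribution. It assumes FreeRADIUS 2.x, that the APs serving the DMZ SSID are pointed at UDP port 1822 instead of 1812 (the port number is an assumption), and it introduces a module instance named files_dmz and a file users_dmz (both assumed names). The listen section keywords, the rlm_files usersfile option and the internal attribute Packet-Dst-Port, which holds the local port a request was received on, are standard FreeRADIUS 2.x; NAS-Port, as Andy observed, is whatever the AP chooses to send.

```text
# radiusd.conf (added example): a second listener. Both listeners feed the
# default virtual server, which then branches on the destination port.
listen {
	type = auth
	ipaddr = *
	port = 1812
}
listen {
	type = auth
	ipaddr = *
	port = 1822          # assumed: APs serving the DMZ SSID are pointed here
}

# modules/files_dmz (assumed instance name): rlm_files with its own users file
files files_dmz {
	usersfile = ${confdir}/users_dmz
}

# sites-enabled/default, authorize section. Packet-Dst-Port is the internal
# attribute holding the local UDP port the request arrived on. The rest of
# the default site is unchanged.
authorize {
	preprocess
	if (Packet-Dst-Port == 1822) {
		files_dmz    # entries for the DMZ SSID, e.g. Tunnel-Private-Group-Id for the DMZ VLAN
	}
	else {
		files        # the normal users file for the internal SSID
	}
	ldap
	pap
}
```

Running `radiusd -X` and sending a request to port 1822 shows the branch taken in the debug output; a separate `server` block per listener (`virtual_server = name` in the listen section) is the equivalent when the two SSIDs need more than a different users file.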
Re: Redundant Proxy for Authentication
Francois Gaudreault wrote:
> On each request, we want to proxy it to a primary server; if it succeeds, move on, but if the authentication fails, we need to proxy to a secondary server. It's not fail-over we are looking for.

RADIUS doesn't really work that way. The only way to do it is via some severe re-architecting of the server internals.

Alan DeKok.