Re: EAP-PSK : 16 bytes Pre shared key not configured
On 09/26/2012 10:18 PM, Alan DeKok wrote:
> It's gathered enough questions recently that I think we're better off deleting it.

+1

Or at the very least, breaking it out into a separate github repo, which should serve to convince people it's not core - maybe one of the people who so desperately needs it can maintain it ;o)

I've been hassling people who use it as to which EAP method they need that's missing. A couple of them have been eap-psk (anyone know why the sudden interest in that?).

I've got a 5000 word assignment to finish at the moment, but once that's done, I'm going to have a crack at just writing a native rlm_eap_psk - it doesn't look hard.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: handling win domain name in username
On 09/26/2012 09:00 PM, Crne We wrote:
> Here is the failure trace for this user:
>
>   domain1\user1 Cleartext-Password := pass1:
>
> The backslash leads the code to think it's System auth_type when in fact it's PAP.

No, it doesn't.

Can you explain in simple, unambiguous terms, what you want to do? For example:

1. requests are received with user or DOMAIN\user
2. lookup all users in LDAP directory with DOMAIN\user form
3. Authenticate user with info returned from LDAP

...or something?
Re: rlm_python: no %RAD_REQUEST equivalent
Yes, I confirm you cannot change the request's attributes with rlm_python. With rlm_perl you can (by using the environment variable RAD_REQUEST). I wanted to modify the username. So the only solution would be to modify and update the rlm_python source code. But it is too hard for me...

regards,
Laurent

----- Original Mail -----
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday 25 September 2012 15:25:53
Subject: Re: rlm_python: no %RAD_REQUEST equivalent

laurent.fe...@free.fr wrote:
> The tuple is a read only object. So, i cannot modify the request attributes with rlm_python.

You already said that. I gave you a solution: fix the code.

Alan DeKok.
Re: EAP-PSK : 16 bytes Pre shared key not configured
Hi,

> I've been hassling people who use it as to which EAP method they need that's missing. A couple of them have been eap-psk (anyone know why the sudden interest in that?).
>
> I've got a 5000 word assignment

some student project?

the current thing that holds interest for me is EAP-FAST - and therefore, in the future EAP-FASTv2 - aka EAP-TEAP

EAP-FAST is currently the mechanism buried inside Cisco's MACSEC TrustSec

alan
Re: Cloud Radius Server
On 09/26/2012 11:42 PM, Michael Geary wrote:
> Good Evening,
>
> We have several separate networks. Our main network runs PPPoE while all of the others run over DHCP. I would like to migrate the DHCP networks to use PPPoE.

I assume these are Ethernet-over-ADSL lines and you want to move away from static DSLAM port config, and to @isp.com dynamic routing?

> Currently, our Radius server resides at the head end of our PPPoE network. I would like to remove the chance that if the Internet failed there, that no one on the separate networks would be able to authenticate.

So the other networks have separate internet connectivity?

> Has anyone had any experience with using a Radius server in the cloud to authenticate users?

Personally, I'd never do it. FreeRADIUS performs well on commodity hardware, so just build more RADIUS servers and put them in various locations e.g. one in each remote location. Presumably you have DHCP servers in those locations now - the same hardware would probably suffice, since the load should be approximately the same.

However, as Fajar says, if you want to cloud it there's nothing magic - RADIUS is just UDP/IP packets, so running it in the cloud should work fine. Couple of things to watch out for:

1. RADIUS shared-secrets are keyed off source IP and destination IP/port. We occasionally see people who've painted themselves into a corner with NAT, or NASes on dynamic, unknown-prior IPs. Think carefully about how you'll avoid this issue, particularly if your NASes are on private IPs. This is not usually a problem over an internal network.

2. Normal radius doesn't encrypt (but does sign) the entire packet. Only selected fields like User-Password (and EAP payloads that are encrypted by the EAP method). Decide if you care about this - the RADIUS packet will contain things like user names, MAC addresses and so on, and they'll be flowing over an untrusted network. It's probably not a worry, but in the EU at least, I'd be concerned about data protection.

In theory you can solve this with RADSEC. In practice, virtually no NAS supports RADSEC, so you are left with IPSec or some other VPN as an option, or just live with it. Likewise, not usually a problem over an internal network.
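To make Phil's two caveats concrete, here is an added example (not from the thread, not FreeRADIUS code) implementing the RFC 2865 Access-Request/Access-Accept framing in Python: the shared secret is selected by the packet's source IP, only User-Password is hidden, and the Response Authenticator signs the reply without encrypting anything. The client address, secret and user data are constructed values.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_REPLY_MESSAGE = 1, 2, 4, 18

# Constructed client table (hypothetical address and secret). clients.conf works
# the same way: the secret is selected by source IP, so a NAS behind NAT or on a
# changing address simply has no entry.
CLIENTS = {"192.0.2.10": b"example-secret"}

def _md5_chain(data, secret, authenticator, decrypt):
    """RFC 2865 section 5.2: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, mask))
        out += xored
        prev = block if decrypt else xored
    return out

def hide_password(password, secret, authenticator):
    """Pad with NULs to a multiple of 16 (an empty password becomes one block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _md5_chain(padded, secret, authenticator, decrypt=False)

def reveal_password(hidden, secret, authenticator):
    return _md5_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def _attr(atype, value):
    return struct.pack("BB", atype, len(value) + 2) + value

def build_access_request(ident, username, password, nas_ip, secret, authenticator=None):
    """NAS side. The Request Authenticator is random per packet; it can be
    passed in explicitly only so that a result is reproducible."""
    ra = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def parse_attrs(pkt):
    attrs, pos = {}, 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs

def plaintext_fields(pkt):
    """What anyone on the path reads without knowing the secret."""
    attrs = parse_attrs(pkt)
    return [attrs[ATTR_USER_NAME].decode(), socket.inet_ntoa(attrs[ATTR_NAS_IP_ADDRESS])]

def decode_request(pkt, src_ip):
    """Server side. No client entry for the source IP means no secret, so the
    packet is dropped (here: KeyError). A *wrong* secret is not detected by this
    step at all; it just yields a garbage password."""
    if src_ip not in CLIENTS:
        raise KeyError("no client entry for " + src_ip)
    secret = CLIENTS[src_ip]
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("bad RADIUS header")
    ra, attrs = pkt[4:20], parse_attrs(pkt)
    return {
        "User-Name": attrs[ATTR_USER_NAME].decode(),
        "User-Password": reveal_password(attrs[ATTR_USER_PASSWORD], secret, ra).decode(),
        "NAS-IP-Address": socket.inet_ntoa(attrs[ATTR_NAS_IP_ADDRESS]),
    }

def build_access_accept(ident, request_authenticator, secret, message=b"OK"):
    """RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret). This signs the
    reply but leaves every attribute readable."""
    attrs = _attr(ATTR_REPLY_MESSAGE, message)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(resp, request_authenticator, secret):
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

if __name__ == "__main__":
    secret = CLIENTS["192.0.2.10"]
    req = build_access_request(7, "alice@example.net", "s3cret", "192.0.2.10", secret)
    print("readable on the wire:", plaintext_fields(req))
    print("decoded by the server:", decode_request(req, "192.0.2.10"))
```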
Execution of rlm code when remote server is not responding.
Hi,

I have a remote PPS server where I am proxying radius requests coming from the NAS. I have a requirement like when that remote PPS goes down (which I am simulating by setting a wrong ip in proxy.conf realm configuration) then I have to perform a certain task in rlm code. But my observation is when I am setting a dummy ip for PPS, the radius server running on my machine is marking that remote server as zombie after 3 retries, now I want in this case that my rlm code to execute and handle the scenario when remote server is down. Any help will be highly appreciated. Also I may have used some naive terminology being a newbie apologizing for that.

Regards,
Arka
Re: EAP-PSK : 16 bytes Pre shared key not configured
On 27/09/12 09:37, alan buxey wrote:
> Hi,
>
>> I've been hassling people who use it as to which EAP method they need that's missing. A couple of them have been eap-psk (anyone know why the sudden interest in that?).
>>
>> I've got a 5000 word assignment
>
> some student project?

Yeah, I'm doing a 2nd degree in my spare time - broaden my horizons, eat up all my spare time, make me grit my teeth, etc. ;o)

> the current thing that holds interest for me is EAP-FAST - and therefore, in the future EAP-FASTv2 - aka EAP-TEAP
>
> EAP-FAST is currently the mechanism buried inside Ciscos MACSEC TrustSec

FAST and TEAP are a bit... thorny. I guess in response to how horrible LEAP was, they've layered on a *lot* of stuff in there - multiple per-inner-exchange crypto (re)binding, and the PAC stuff.

It's not entirely clear to me that OpenSSL provides the required APIs to do everything that FAST/TEAP can on the server-side, but I think so, largely as a result of Jouni Malinen hassling the OpenSSL guys to take his patches:

http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1574

...although the sheer amount of *time* that took concerns me; if there's a missing API it'll be *forever* before it's corrected.

I'd like to implement TEAP, if only because it's a good tickbox. I'm less keen on FAST, since it's been theoretically superseded by TEAP, and unlike PEAP/TTLS, FAST was never widely adopted. If FAST is easy by re-using TEAP code, then that's good.

w.r.t. FAST/TEAP there are a couple of things to sort out conceptually, specifically how to handle the support for multiple inner auths, and how to signal which order and what the required chaining is. Until I have a working prototype, it's difficult to wrap my head around.

Anyway - when I get a github branch working I'll discuss on -devel. Unless someone beats me to it, which will make me happy ;o)
Re: Execution of rlm code when remote server is not responding.
On 27/09/12 11:22, Arka Sharma wrote:
> Hi,
>
> I have a remote PPS server where I am proxying radius requests coming from the NAS. I have a requirement like when that remote PPS goes down (which I am simulating by setting a wrong ip in proxy.conf realm configuration) then I have to perform a certain task in rlm

What task? Does it have to be in rlm code? Because rlm code only runs in response to packets, not server-down events.

> code. But my observation is when I am setting a dummy ip for PPS, the radius server running on my machine is marking that remote server as zombie after 3 retries, now I want in this case that my rlm code to execute and handle the scenario when remote server is down. Any help will be highly appreciated. Also I may have used some naive terminology being a newbie apologizing for that.

You've got a couple of options to respond to a down proxy.

1. In the master branch, there is support for triggers - see raddb/trigger.conf. This can execute a script when a home server goes down or up, and can obviously do anything you want

2. In all recent versions, you can use radmin from cron to poll home server status, and respond based on status change e.g.

  radmin -n eduroam -e 'show home_server list'

...you can run this in a loop

It's possible you could do something in the post-proxy section like so:

  post-proxy {
    Post-Proxy-Type Fail {
    }
  }

...but I think this only runs for *real* requests, not the internal server probes, so you'll need to inject frequent test requests using radclient or similar. You also don't know *which* home server failed, so will still need to use radmin in a script to find this out (maybe it would be useful for this to be a control attribute added to the failing request).
Re: EAP-PSK : 16 bytes Pre shared key not configured
On Thu, Sep 27, 2012 at 12:10 AM, Tatiana DIBANDA tdiband...@yahoo.fr wrote:
> I implemented the module eap2 to make freeradius work with eap_psk. After starting the freeradius server (radius_output file attached to this mail), I launched my client openpana, the authentication failed and I have this error message EAP-PSK : 16 bytes Pre shared key not configured (refer to openpana_client_output file attached to this mail)

That's a client configuration issue..

> I would like to know how to configure the pre-shared key in my server?

You may find it easier to just use hostapd as the RADIUS authentication server (e.g., proxy EAP-PSK from FreeRADIUS to hostapd when needed) instead of trying to use rlm_eap2 to make the EAP server implementation from hostapd work with FreeRADIUS. That way you'll avoid having to use experimental integration code.

- Jouni
Re: Execution of rlm code when remote server is not responding.
Arka Sharma wrote:
> Thanks a lot Phil for your reply. Now actually in my rlm code I want to set a flag to mark the event of server went down and invoke a java code using JNI that is part of rlm.

There is no event of server down. There is a server failed to respond to request. As Phil said, see post-proxy-type Fail.

> Can you please elaborate. I searched the file trigger.conf using find / -name trigger.conf but did not get anything. Do I need to create it by my own.

He said In the git master branch.

1) use git, not find
2) check out the master branch.

> In the proxy.conf I have old style realm configuration. Ip's for authorization and accounting hosts in the realm section.

Fix that to use the new method of configuring home servers. Then use radmin.

> I was looking into default.original in sites-enabled for this. Can you give me some examples for this ?

That file contains examples.

Alan DeKok.
Re: Cloud Radius Server
Thank you all for your input. I would be managing the Radius servers hosted by like HostGator or Rackspace or someone like that.

On Thu, Sep 27, 2012 at 4:39 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 09/26/2012 11:42 PM, Michael Geary wrote:
>> Good Evening,
>>
>> We have several separate networks. Our main network runs PPPoE while all of the others run over DHCP. I would like to migrate the DHCP networks to use PPPoE.
>
> I assume these are Ethernet-over-ADSL lines and you want to move away from static DSLAM port config, and to @isp.com dynamic routing?

We are a fixed-terrestrial wireless internet service provider

>> Currently, our Radius server resides at the head end of our PPPoE network. I would like to remove the chance that if the Internet failed there, that no one on the separate networks would be able to authenticate.
>
> So the other networks have separate internet connectivity?

Yes, they are located throughout Vermont, New Hampshire and Massachusetts

>> Has anyone had any experience with using a Radius server in the cloud to authenticate users?
>
> Personally, I'd never do it. FreeRADIUS performs well on commodity hardware, so just build more RADIUS servers and put them in various locations e.g. one in each remote location. Presumably you have DHCP servers in those locations now - the same hardware would probably suffice, since the load should be approximately the same.
>
> However, as Fajar says, if you want to cloud it there's nothing magic - RADIUS is just UDP/IP packets, so running it in the cloud should work fine. Couple of things to watch out for:
>
> 1. RADIUS shared-secrets are keyed off source IP and destination IP/port. We occasionally see people who've painted themselves into a corner with NAT, or NASes on dynamic, unknown-prior IPs. Think carefully about how you'll avoid this issue, particularly if your NASes are on private IPs. This is not usually a problem over an internal network.
>
> 2. Normal radius doesn't encrypt (but does sign) the entire packet. Only selected fields like User-Password (and EAP payloads that are encrypted by the EAP method). Decide if you care about this - the RADIUS packet will contain things like user names, MAC addresses and so on, and they'll be flowing over an untrusted network. It's probably not a worry, but in the EU at least, I'd be concerned about data protection.
>
> In theory you can solve this with RADSEC. In practice, virtually no NAS supports RADSEC, so you are left with IPSec or some other VPN as an option, or just live with it.

Thank you, I was thinking of connecting them to the internal networks via OpenVPN or IPSec

> Likewise, not usually a problem over an internal network.
Re: Cloud Radius Server
On Thu, Sep 27, 2012 at 9:34 PM, Michael Geary mge...@greataukwireless.com wrote:
> I would be managing the Radius servers hosted by like HostGator or Rackspace or someone like that.
>
>> So the other networks have separate internet connectivity?
>
> Yes, they are located throughout Vermont, New Hampshire and Massachusetts
>
>> In theory you can solve this with RADSEC. In practice, virtually no NAS supports RADSEC, so you are left with IPSec or some other VPN as an option, or just live with it.
>
> Thank you, I was thinking of connecting them to the internal networks via OpenVPN or IPSec

Two last comments from me:

(1) I assume you already have a plan on how to keep your users data synchronized between the servers? There are many ways to do this, like db replication, LDAP multi-master replication, or even plain-old rsync of users file. Accounting is somewhat similar, but (depending on your setup) it's probably easier since you don't have to keep them synchronized. It might be enough to just pull accounting data from all servers regularly to do centralized processing.

(2) openvpn is good, but in my experience I had trouble reconnecting after network failure if openvpn is run on udp (the default). Using tcp doesn't have this problem (although it introduces other problems, like longer retries, which in my case was acceptable).

--
Fajar
Re: Execution of rlm code when remote server is not responding.
On 27/09/12 12:32, Arka Sharma wrote:
> Thanks a lot Phil for your reply. Now actually in my rlm code I want to set a flag to mark the event of server went down and invoke a java code using JNI that is part of rlm.

Sorry, I don't understand that. Can you elaborate? It sounds like you have a custom module, written locally?

Modules process packets. So you can't run module code in response to a home server down event (unless you emit a packet that your module responds to, I guess).

> Can you please elaborate. I searched the file trigger.conf using find / -name trigger.conf but did not get anything. Do I need to create it by my own.

As I said, triggers are only available in the master git branch. They are not available in the releases code (2.1.x, 2.2.0). You will need to compile and install master to get triggers.

> In the proxy.conf I have old style realm configuration. Ip's for authorization and accounting hosts in the realm section.

Sorry, I don't understand why this is relevant.

>> It's possible you could do something in the post-proxy section like so:
>>
>>   post-proxy {
>>     Post-Proxy-Type Fail {
>>     }
>>   }
>
> I was looking into default.original in sites-enabled for this. Can you give me some examples for this ?

See:

https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/sites-available/robust-proxy-accounting#L104

You'll still need to find out which server is down, and this is what radmin does. I wouldn't bother with this post-proxy stuff - just write a cron job (although maybe you could trigger the cron job from post-proxy, for fast detection).
suffix not work for me
hi again... i try to get suffix work but i guess missing something... here some debugs and confs

rad_recv: Access-Request packet from host 10.10.64.67 port 16829, id=53, length=208
	Framed-Protocol = PPP
	User-Name = *usert...@my.domain.cu*
	User-Password = *secret*
	NAS-Port-Type = Async
	Calling-Station-Id = 123456789
	Called-Station-Id = 987654321
	Connect-Info = 44000/28800 V90/V44/LAPM
	Cisco-AVPair = v92-info=V.92 QC/QC Short Train Success/0/0
	NAS-Port = 443
	NAS-Port-Id = Async3/11*E1 7/0:7
	Service-Type = Framed-User
	NAS-IP-Address = 10.10.64.67
# Executing section authorize from file /etc/freeradius/sites-available/default
+- entering group authorize {...}
[preprocess] 	hints: Matched DEFAULT at 36
++[preprocess] returns ok
++- entering policy filter_username {...}
+++? if (User-Name =~ /^ /)
? Evaluating (User-Name =~ /^ /) -> FALSE
+++? if (User-Name =~ /^ /) -> FALSE
+++? if (User-Name =~ / $$/)
? Evaluating (User-Name =~ / $$/) -> FALSE
+++? if (User-Name =~ / $$/) -> FALSE
+++? if (User-Name != "%{tolower:%{User-Name}}")
	expand: %{User-Name} -> *usert...@my.domain.cu*
	expand: %{tolower:%{User-Name}} -> *usert...@my.domain.cu*
? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
+++? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
++- policy filter_username returns ok
*[suffix] No '@' in User-Name = "usertest", looking up realm NULL    ---why not found '@' if is coming in radius packet and check in the conf???*
[suffix] No such realm "NULL"
++[suffix] returns noop
[ldap] performing user authorization for *usertest*
[ldap] 	expand: %{Stripped-User-Name} -> *usertest*
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=*usertest*)    *-- this works stripped-user-name OK*
[ldap] 	expand: ou=group,ou=my,dc=domain,dc=cu -> ou=group,ou=my,dc=domain,dc=cu
.
*checking user/pass works fine... now check monthlycounter to compare hours..*
.
[monthlycounter1] sql_xlat
[monthlycounter1] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[monthlycounter1] 	expand: %{Stripped-User-Name:-%{User-Name:-DEFAULT}} -> *usertest*
[monthlycounter1] sql_set_user escaped user --> '*usertest*'
*IF stripped-user-name works here at monthlycounter why the query not use it! and use user with realm??/*
[monthlycounter1] 	expand: SELECT SUM(acctsessiontime - GREATEST((1346472000 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='*usert...@my.domain.cu*' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1346472000' -> SELECT SUM(acctsessiontime - GREATEST((1346472000 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='*usert...@my.domain.cu*' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1346472000'
rlm_sql (sql1): Reserving sql socket id: 4
[monthlycounter1] row[0] returned NULL
rlm_sql (sql1): Released sql socket id: 4
[monthlycounter1] 	expand: %{sql1:SELECT SUM(acctsessiontime - GREATEST((1346472000 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='*usert...@my.domain.cu*' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1346472000'} ->
*rlm_sqlcounter: No integer found in string - must be found integer to compare with max-monthly-session, in database i have only usernames, not with realms*
+++[monthlycounter1] returns noop

hints confs

	*DEFAULT Suffix == "@my.domain.cu", Strip-User-Name = Yes*
		Hint = "userdefault",
		Service-Type = Framed-User,
		Framed-Protocol = PPP,

site-available/default

# cat sites-available/default | egrep -v '\#|^$'
authorize {
	preprocess
	filter_username
	*suffix*
	ldap
	redundant-load-balance {
		monthlycounter1
		monthlycounter2
	}
	checkval1
	checkval2
	checkval3
	expiration
	logintime
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type LDAP {
		ldap
	}
}
preacct {
	preprocess
	acct_unique
	*suffix*
}
accounting {
	redundant-load-balance {
		sql1
		sql2
	}
}
session {
	load-balance {
		sql1
		sql2
	}
}
post-auth {
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
pre-proxy {
}
post-proxy {
}

thanxs for any help.

--
Antonio Peña
Secure email with PGP 0x8B021001 available at http://pgp.mit.edu
Fingerprint: 74E6 2974 B090 366D CE71 7BB2 6476 FA09 8B02 1001
Re: suffix not work for me
Hi,

> User-Name = usert...@my.domain.cu

okay..

> [preprocess] hints: Matched DEFAULT at 36
> ++[preprocess] returns ok

and what is in your hints file?

> ++- policy filter_username returns ok

and what is in this policy?

alan
Re: suffix not work for me
i put the hint file more below after radiusd -X.. check again please... i miss policyfilter... i send again both.

/etc/freeradius/hints

DEFAULT Suffix == "@my.domain.cu", Strip-User-Name = Yes
	Hint = "userdefault",
	Service-Type = Framed-User,
	Framed-Protocol = PPP,

/etc/freeradius/policy.conf (is the original file, i just activate it, uncommented #) anyway here is

policy {
	forbid_eap {
		if (EAP-Message) {
			reject
		}
	}

	permit_only_eap {
		if (!EAP-Message) {
			if (!"%{outer.request:EAP-Message}") {
				reject
			}
		}
	}

	deny_realms {
		if (User-Name =~ /@|\\/) {
			reject
		}
	}

	do_not_respond {
		update control {
			Response-Packet-Type := Do-Not-Respond
		}
		handled
	}

	filter_username {
		if (User-Name =~ /^ /) {
			reject
		}
		if (User-Name =~ / $$/) {
			reject
		}
		if (User-Name != "%{tolower:%{User-Name}}") {
			reject
		}
	}

	cui_authorize {
		update request {
			Chargeable-User-Identity:='\\000'
		}
	}

	cui_postauth {
		if (FreeRadius-Proxied-To == 127.0.0.1) {
			if (outer.request:Chargeable-User-Identity) {
				update outer.reply {
					Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
				}
			}
		}
		else {
			if (Chargeable-User-Identity) {
				update reply {
					Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
				}
			}
		}
	}

	cui_updatedb {
		if (reply:Chargeable-User-Identity) {
			cui
		}
	}

	cui_accounting {
		if (!Chargeable-User-Identity) {
			update control {
				Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
			}
		}
		if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
			cui
		}
	}

	mac-addr = "([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})"

	rewrite.called_station_id {
		if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
			update request {
				Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
			}
			if ("%{8}") {
				update request {
					Called-Station-Id := "%{Called-Station-Id}:%{8}"
				}
			}
			updated
		}
		else {
			noop
		}
	}

	rewrite.calling_station_id {
		if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
			update request {
				Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
			}
			updated
		}
		else {
			noop
		}
	}
}

2012/9/27 alan buxey a.l.m.bu...@lboro.ac.uk
> Hi,
>
>> User-Name = usert...@my.domain.cu
>
> okay..
>
>> [preprocess] hints: Matched DEFAULT at 36
>> ++[preprocess] returns ok
>
> and what is in your hints file?
>
>> ++- policy filter_username returns ok
>
> and what is in this policy?
>
> alan
Re: suffix not work for me
On Thu, Sep 27, 2012 at 10:34 PM, Tony Peña emperor...@gmail.com wrote:
> hi again... i try to get suffix work but i guess missing something... here
>
> [preprocess] hints: Matched DEFAULT at 36
>
> [suffix] No '@' in User-Name = "usertest", looking up realm NULL    ---why not found '@' if is coming in radius packet and check in the conf???

because you edit the config file and broke it

> hints confs
>
> DEFAULT Suffix == "@my.domain.cu", Strip-User-Name = Yes

... and most likely that's where you broke it. Return that file to the default and you should have it working correctly.

--
Fajar
Re: suffix not work for me
Hi,

> DEFAULT Suffix == "@my.domain.cu", Strip-User-Name = Yes

there you go. strip-user-name = yes

this means that u...@blahblah.com becomes just user

do you WANT or intend to strip the user-name? If you are trying to use the suffix for other things then stripping it isn't going to help

alan
Re: suffix not work for me
I want, when the username is user@my.domain, for the suffix @my.domain to be taken out so I only get: user, which is all I need.

2012/9/27 alan buxey a.l.m.bu...@lboro.ac.uk
> Hi,
>
>> DEFAULT Suffix == "@my.domain.cu", Strip-User-Name = Yes
>
> there you go. strip-user-name = yes
>
> this means that u...@blahblah.com becomes just user
>
> do you WANT or intend to strip the user-name? If you are trying to use the suffix for other things then stripping it isn't going to help
>
> alan
Re: suffix not work for me
anyway... my problem is exactly at monthlycounter, because i need stripped-user-name and the module does strip it when it tries to use it, but in the queries it uses the complete username including the realm.

2012/9/27 Tony Peña emperor...@gmail.com
> I want, when the username is user@my.domain, for the suffix @my.domain to be taken out so I only get: user, which is all I need.
>
> 2012/9/27 alan buxey a.l.m.bu...@lboro.ac.uk
>> Hi,
>>
>>> DEFAULT Suffix == "@my.domain.cu", Strip-User-Name = Yes
>>
>> there you go. strip-user-name = yes
>>
>> this means that u...@blahblah.com becomes just user
>>
>> do you WANT or intend to strip the user-name? If you are trying to use the suffix for other things then stripping it isn't going to help
>>
>> alan
Re: suffix not work for me
On 27/09/12 17:06, Tony Peña wrote:
> i put the hint file more below after radiusd -X.. check again please... i miss policyfilter... i send again both.
>
> /etc/freeradius/hints
>
> DEFAULT Suffix == "@my.domain.cu", Strip-User-Name

Don't do this. It doesn't work reliably, because you modify the username, which breaks some things.

Stop using the hints file, and instead do something like this:

  authorize {
    ...
    if (User-Name =~ /^(.+)@my.domain.cu/) {
      update request {
        Stripped-User-Name := "%{1}"
      }
    }
    ...
  }

As Alan has pointed out, you can also do this with the realm module:

  authorize {
    ...
    suffix
    ...
  }

...but to do that, you ALSO need to edit proxy.conf and define a fake local realm. Personally I find this confusing and like to separate proxy realms from username realms.
Re: suffix not work for me
ok.. the suffix patch works and gets the @realm out... but monthlycounter is my bigger trouble... because there is no stripped-user-name in the queries... is it possible to do the same patch in sql/mysql/counter.conf ?? where it says:

  sqlcounter monthlycounter1 {
    counter-name = Monthly-Session-Time
    check-name = Max-Monthly-Session
    reply-name = Session-Timeout
    sqlmod-inst = sql1
    key = User-Name            <-- use the if { your patch } ???
    reset = monthly

2012/9/27 Phil Mayers p.may...@imperial.ac.uk
> On 27/09/12 17:06, Tony Peña wrote:
>> i put the hint file more below after radiusd -X.. check again please... i miss policyfilter... i send again both.
>>
>> /etc/freeradius/hints
>>
>> DEFAULT Suffix == "@my.domain.cu", Strip-User-Name
>
> Don't do this. It doesn't work reliably, because you modify the username, which breaks some things.
>
> Stop using the hints file, and instead do something like this:
>
>   authorize {
>     ...
>     if (User-Name =~ /^(.+)@my.domain.cu/) {
>       update request {
>         Stripped-User-Name := "%{1}"
>       }
>     }
>     ...
>   }
>
> As Alan has pointed out, you can also do this with the realm module:
>
>   authorize {
>     ...
>     suffix
>     ...
>   }
>
> ...but to do that, you ALSO need to edit proxy.conf and define a fake local realm. Personally I find this confusing and like to separate proxy realms from username realms.
read ldap groups for a user not specified in User-Name
Hi list,

I've been given a set of requirements and I am having a hard time wrapping my head around what needs to happen in order to make things work. Here is the scenario:

1. External to FreeRadius, a user can sponsor the creation of a guest account. The sponsor and guest accounts are in separate LDAP databases.

2. Normally, I just need to handle authentication for the guest accounts. That part is easy, I have PEAP configured with LDAP and NT hashes.

3. the special requirement is that IF the sponsor account gets locked (deleted, expired, etc), then the guest account can no longer login either.

So, what I was thinking I could do was an LDAP group check on the sponsor userid (which would be put into a new attribute stored in the guest LDAP db), and then check the sponsors group memberships. The problem with that is that I don't know how to get FreeRadius to read the groups for an arbitrary user that is not %User-Name.

Can I copy another variable into the User-Name attribute in Post-Auth, and then do the group check there?

Any suggestions?

Thanks,
Dave
Load-Balance-Key usage
Hi,

Can I use the Load-Balance-Key to choose a specific home_server? For sample:

  home_server_pool pool {
    type = keyed-balance
    home_server = server1
    home_server = server2
  }

  realm test {
    auth_pool = pool
    acct_pool = pool
  }

  authorize {
    ...
    if ( ... ) {
      update control { Load-Balance-Key := 1 }   # sends to server1
    } else {
      update control { Load-Balance-Key := 2 }   # sends to server2
    }
    ...
  }

Thanks!
JJP
Re: suffix not work for me
Hi,

> key = User-Name         <- use the if { your patch } ???

either change this to Stripped-User-Name instead, or if you ONLY want this to be the full realm when it's NOT the realm of interest, then create a new SQL query and then wrap unlang around it, eg

    if (%{User-Name} =~ /\@realm.you.want$/i) {
        monthlycounter1
    } else {
        monthlycounter2
    }

alan
Re: suffix not work for me
ok.. I'll do some testing with the new sql... and with your unlang if idea.. could be. thanks to all

2012/9/27 alan buxey a.l.m.bu...@lboro.ac.uk
> Hi,
>
>> key = User-Name         <- use the if { your patch } ???
>
> either change this to Stripped-User-Name instead, or if you ONLY want this to be the full realm when it's NOT the realm of interest, then create a new SQL query and then wrap unlang around it, eg
>
>     if (%{User-Name} =~ /\@realm.you.want$/i) {
>         monthlycounter1
>     } else {
>         monthlycounter2
>     }
>
> alan

--
Antonio Peña
Secure email with PGP 0x8B021001 available at http://pgp.mit.edu
Fingerprint: 74E6 2974 B090 366D CE71 7BB2 6476 FA09 8B02 1001
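A worked version of the two-counter layout alan suggests, tying together the Stripped-User-Name extraction Phil showed and the sqlcounter instances from the thread. This is an added illustration in FreeRADIUS 2.x syntax, not configuration posted by anyone in the thread; the realm my.domain.cu and the instance names are assumptions.

```unlang
# sites-enabled/default, authorize section (FreeRADIUS 2.x syntax).
# Realm my.domain.cu and all instance names are assumptions.
authorize {
    # Derive Stripped-User-Name without rewriting User-Name (the
    # hints-file Strip-User-Name approach Phil warns against).
    if (User-Name =~ /^(.+)@my\.domain\.cu$/i) {
        update request {
            Stripped-User-Name := "%{1}"
        }
    }
    # Local-realm users are counted under the stripped name,
    # everyone else under the full User-Name they presented.
    if (User-Name =~ /@my\.domain\.cu$/i) {
        monthlycounter1
    }
    else {
        monthlycounter2
    }
}

# sql/mysql/counter.conf: two instances that differ only in "key".
# %k expands to the key attribute, %b to the start of the period.
sqlcounter monthlycounter1 {
    counter-name = Monthly-Session-Time
    check-name = Max-Monthly-Session
    reply-name = Session-Timeout
    sqlmod-inst = sql1
    key = Stripped-User-Name
    reset = monthly
    query = "SELECT SUM(acctsessiontime - \
             GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
             FROM radacct WHERE username = '%{%k}' AND \
             UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
}
sqlcounter monthlycounter2 {
    counter-name = Monthly-Session-Time
    check-name = Max-Monthly-Session
    reply-name = Session-Timeout
    sqlmod-inst = sql1
    key = User-Name
    reset = monthly
    query = "SELECT SUM(acctsessiontime - \
             GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
             FROM radacct WHERE username = '%{%k}' AND \
             UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
}

# sql.conf, sql1 instance: accounting must store the stripped name as
# well, or monthlycounter1 will never match the rows in radacct.
sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
```

The last line is the part most easily forgotten: the counter is only as good as the username column in radacct, so whatever key the counter uses must also be what the accounting queries wrote.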
rlm_cache
Hi All,

I've looked around the internet a bit and obviously looked at the wiki page and configuration page for rlm_cache and can't quite understand how it works. Does anyone have any practical examples of simply storing an attribute/value pair or pairs and then check the value later in the processing?

Thanks
Re: rlm_cache
On 27 Sep 2012, at 21:59, Franks Andy (RLZ) IT Systems Engineer andy.fra...@sath.nhs.uk wrote:
> Hi All,
> I've looked around the internet a bit and obviously looked at the wiki page and configuration page for rlm_cache and can't quite understand how it works. Does anyone have any practical examples of simply storing an attribute/value pair or pairs and then check the value later in the processing?

1) Key is expanded
2) If key matches, attributes listed in update subsection are merged into the attribute lists of the current packet
3) If key doesn't match, values in update section are expanded, cache entry is created, and attributes are merged into the current request.

For example:

    cache {
        key = %{State}
        ttl = 300
        update {
            control:OTP-Password := %{randstr:}
        }
    }

If state is not found in cache, OTP-Password is created and added to the cache against the state value; next time cache is accessed, state matches and the value stored for OTP-Password is added back into the request.

You probably won't find much on the internet, as it was only written about a month ago.

-Arran
Re: read ldap groups for a user not specified in User-Name
Hi,

On Thu, Sep 27, 2012 at 05:47:06PM +, David Aldwinckle wrote:
> The problem with that is that I don't know how to get FreeRadius to read the groups for an arbitrary user that is not %User-Name. Can I copy another variable into the User-Name attribute in Post-Auth, and then do the group check there?

Look at the filter option for the ldap module. You can set it to search for anything, not necessarily just User-Name.

Use a second instantiation of the ldap module to do your locked user checks on the main LDAP server after you've first searched for User-Name on the guest LDAP server (and pulled back the local user's account name - see ldap.attrmap).

Cheers,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
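A sketch of the two-instance layout Matthew describes, added here as an illustration rather than anything posted in the thread. It uses FreeRADIUS 2.x rlm_ldap syntax; the hostnames, DNs, the guest attribute sponsorUid, the Tmp-String-0 carrier attribute and the group name active-sponsors are all assumed and must be replaced with the real schema.

```unlang
# modules/ldap (FreeRADIUS 2.x).  Hostnames, DNs, "sponsorUid",
# Tmp-String-0 as carrier and the group "active-sponsors" are
# assumptions for illustration, not values from the thread.

# Instance 1: the GUEST directory.  Searched by User-Name as usual;
# through ldap.attrmap it also copies the sponsor's account name
# from the guest entry into the control list.
ldap guestldap {
    server = "guest-ldap.example.org"
    identity = "cn=radius,dc=guest,dc=example,dc=org"
    password = "changeme"
    basedn = "ou=guests,dc=guest,dc=example,dc=org"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    dictionary_mapping = ${confdir}/ldap.attrmap
}
# Line to add to ldap.attrmap (checkItem => control list):
#   checkItem   Tmp-String-0   sponsorUid

# Instance 2: the SPONSOR directory, keyed on the value pulled back
# above instead of on User-Name, and used only for the group check.
ldap sponsorldap {
    server = "ldap.example.org"
    identity = "cn=radius,dc=example,dc=org"
    password = "changeme"
    basedn = "ou=people,dc=example,dc=org"
    filter = "(uid=%{control:Tmp-String-0})"
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
}

# authorize section (sites-enabled/inner-tunnel for PEAP users)
authorize {
    guestldap
    if ("%{control:Tmp-String-0}" == "") {
        # guest not found, or no sponsor recorded for it
        reject
    }
    # Forget the guest's DN so the sponsor instance resolves its own.
    update request {
        Ldap-UserDn !* ANY
    }
    sponsorldap
    # A sponsor that was deleted, expired or removed from the group
    # fails this comparison, and the guest is refused with it.
    if (!(sponsorldap-Ldap-Group == "active-sponsors")) {
        reject
    }
}
```

Group membership for a non-default instance is checked through the instance-named attribute (sponsorldap-Ldap-Group here), which is what lets the check target the sponsor entry rather than the guest that is actually logging in.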