date:20120927


On 09/26/2012 10:18 PM, Alan DeKok wrote:


   It's gathered enough questions recently that I think we're better off
deleting it.


+1

Or at very least, breaking it out into a separate github repo, which 
should serve to convince people it's not core - maybe one of the 
people who so desparately needs it can maintain it ;o)


I've been hassling people who use it as to which EAP method they need 
that's missing. A couple of them have been eap-psk (anyone know why the 
sudden interest in that?). I've got a 5000 word assignment to finish at 
the moment, but once that's done, I'm going to have a crack at just 
writing a native rlm_eap_psk - it doesn't look hard.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: handling win domain name in username


On 09/26/2012 09:00 PM, Crne We wrote:

Here is the failure trace for this user:  domain1\user1
Cleartext-Password := pass1:
The backslash leads the code to think it's System auth_type when in fact
it's PAP.


No, it doesn't.

Can you explain in simple, unambiguous terms, what you want to do? For 
example:


 1. requests are recieved with user or DOMAIN\user
 2. lookup all users in LDAP directory with DOMAIN\user form
 3. Authentiate user with info returned from LDAP

...or something?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_python: no %RAD_REQUEST equivalent

2012-09-27 Thread laurent . feron

Yes i confirm you cannot change the request's attributes with rlm_python. With 
rlm_perl you can (by using the environment variable RAD_REQUEST). I wanted to 
modify the username.

So the only solution would be to modify and update the rlm_python code source. 
But it is too hard for me...

regards,
Laurent


- Mail original -
De: Alan DeKok al...@deployingradius.com
À: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Envoyé: Mardi 25 Septembre 2012 15:25:53
Objet: Re: rlm_python: no %RAD_REQUEST equivalent

laurent.fe...@free.fr wrote:
 The tuple is a read only object. So, i cannot modify the request attributes 
 with rlm_python.

  You already said that.  I gave you a solution: fix the code.

  Alan Dekok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-PSK : 16 bytes Pre shared key not configured

Hi,

 I've been hassling people who use it as to which EAP method they
 need that's missing. A couple of them have been eap-psk (anyone know
 why the sudden interest in that?). I've got a 5000 word assignment

some student project?


the current thing that holds interest for me is EAP-FAST - and therefore, in 
the future
EAP-FASTv2 - aka EAP-TEAP

EAP-FAST is currently the mechanism buried inside Ciscos MACSEC TrustSec

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Cloud Radius Server


On 09/26/2012 11:42 PM, Michael Geary wrote:

Good Evening,

We have several separate networks. Our main network runs PPPoE while all
of the others run over DHCP. I would like to migrate the DHCP networks
to use PPPoE.


I assume these are Ethernet-over-ADSL lines and you want to move away 
from static DSLAM port config, and to @isp.com dynamic routing?




Currently, our Radius server resides at the head end of our PPPoE
network. I would like to remove the chance that if the Internet failed
there, that no one on the separate networks would be able to authenticate.


So the other networks have separate internet connectivity?



Has anyone had any experience with using a Radius server in the cloud to
authenticate users?


Personally, I'd never do it. FreeRADIUS performs well on commodity 
hardware, so just build more RADIUS servers and put them in various 
locations e.g. one in each remote location. Presumably you have DHCP 
servers in those locations now - the same hardware would probably 
suffice, since the load should be approximately the same.


However, as Fajar says, if you want to cloud it there's nothing magic 
- RADIUS is just UDP/IP packets, so running it in the cloud should work 
fine.


Couple of things to watch out for:

 1. RADIUS shared-secrets are keyed off source IP and destination 
IP/port. We occasionally see people who've painted themselves into a 
corner with NAT, or NASes on dynamic, unknown-prior IPs. Think carefully 
about how you'll avoid this issue, particularly if your NASes are on 
private IPs.


This is not usually a problem over an internal network.

 2. Normal radius doesn't encrypt (but does sign) the entire packet. 
Only selected fields like User-Password (and EAP payloads that are 
encrypted by the EAP method). Decide if you care about this - the RADIUS 
packet will contain things like user names, MAC addresses and so on, and 
they'll be flowing over an untrusted network. It's probably not a worry, 
but in the EU at least, I'd be concerned about data protection.


In theory you can solve this with RADSEC. In practice, virtually no NAS 
supports RADSEC, so you are left with IPSec or some other VPN as an 
option, or just live with it.


Likewise, not usually a problem over an internal network.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Execution of rlm code when remote server is not responding.

2012-09-27 Thread Arka Sharma

Hi,

   I have a remote PPS server where I am proxying radius requests
coming from the NAS. I have a requirement like when that remote PPS goes
down(which I am simulating by setting a wrong ip in proxy.conf realm
configuration) then I have to perform a certain task in rlm code.But my
observation is when I am setting a dummy ip for PPS, the radius server
running on my machine is marking that remote server as zombie after 3
retries,now I want in this case that my rlm code to execute and handle the
scenario when remote server is down.Any help will be highly
appreciated.Also I may have used some naive terminology being a newbie
apologizing for that.

Regards,
Arka
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-PSK : 16 bytes Pre shared key not configured


On 27/09/12 09:37, alan buxey wrote:

Hi,


I've been hassling people who use it as to which EAP method they
need that's missing. A couple of them have been eap-psk (anyone know
why the sudden interest in that?). I've got a 5000 word assignment


some student project?


Yeah, I'm doing a 2nd degree in my spare time - broaden my horizons, eat 
up all my spare time, make me grit my teeth, etc. ;o)





the current thing that holds interest for me is EAP-FAST - and therefore, in 
the future
EAP-FASTv2 - aka EAP-TEAP

EAP-FAST is currently the mechanism buried inside Ciscos MACSEC TrustSec


FAST and TEAP are a bit... thorny. I guess in response to how horrible 
LEAP was, they've layered on a *lot* of stuff in there - multiple 
per-inner-exchange crypto (re)binding, and the PAC stuff.


It's not entirely clear to me that OpenSSL provides the required APIs to 
do everything that FAST/TEAP can on the server-side, but I think so, 
largely as a result of Jouni Malinen hassling the OpenSSL guys to take 
his patches:


http://rt.openssl.org/Ticket/Display.html?user=guestpass=guestid=1574

...although the sheer amount of *time* that took concerns me; if there's 
a missing API it'll be *forever* before it's corrected.


I'd like to implement TEAP, if only because it's a good tickbox. I'm 
less keen on FAST, since it's been theoretically superseded by TEAP, and 
unlike PEAP/TTLS, FAST was never widely adopted. If FAST is easy by 
re-using TEAP code, then that's good.


w.r.t. FAST/TEAP there are a couple of things to sort out conceptually, 
specifically how to handle the support for multiple inner auths, and how 
to signal which order and what the required chaining is. Until I have 
a working prototype, it's difficult to wrap my head around.


Anyway - when I get a github branch working I'll discuss on -devel. 
Unless someone beats me to it, which will make me happy ;o)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Execution of rlm code when remote server is not responding.


On 27/09/12 11:22, Arka Sharma wrote:

Hi,

I have a remote PPS server where I am proxying radius
requests coming from the NAS. I have a requirement like when that remote
PPS goes down(which I am simulating by setting a wrong ip in proxy.conf
realm configuration) then I have to perform a certain task in rlm


What task? Does it have to be in rlm code? Because rlm code only 
runs in response to packets, not server-down events.



code.But my observation is when I am setting a dummy ip for PPS, the
radius server running on my machine is marking that remote server as
zombie after 3 retries,now I want in this case that my rlm code to
execute and handle the scenario when remote server is down.Any help will
be highly appreciated.Also I may have used some naive terminology being
a newbie apologizing for that.


You've got a couple of options to respond to a down proxy.

1. In the master branch, there is support for triggers - see 
raddb/trigger.conf. This can execute a script when a home server goes 
down or up, and can obviously do anything you want


2. In all recent versions, you can use radmin from cron to poll home 
server status, and respond based on status change e.g.


radmin -n eduroam -e 'show home_server list'

...you can run this in a loop


It's possible you could do something in the post-proxy section like so:

post-proxy {
  Post-Proxy-Type Fail {
  }
}

...but I think this only runs for *real* requests, not the internal 
server probes, so you'll need to inject frequent test requests using 
radclient or similar. You also don't know *which* home server failed, 
so will still need to use radmin in a script to find this out (maybe 
it would be useful for this to be a control attribute added to the 
failing request).

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-PSK : 16 bytes Pre shared key not configured

2012-09-27 Thread Jouni Malinen

On Thu, Sep 27, 2012 at 12:10 AM, Tatiana DIBANDA tdiband...@yahoo.fr wrote:

 I implemented the module eap2 to make freeradius with the eap_psk .  After
 started the freeradius server (radius_output file attached to this mail), i
 launched my client openpana, the authentication failed and i have this error
 message
 EAP-PSK : 16 bytes Pre shared key not configured (refer to
 openpana_client_output file attached to this mail)

That's a client configuration issue..

 I would like to know how to configure the pre-shared key in my server?

You may find it easier to just use hostapd as the RADIUS
authentication server (e.g., proxy EAP-PSK from FreeRADIUS to hostapd
when needed) instead of trying to use rlm_eap2 to make the EAP server
implementation from hostapd to work with FreeRADIUS. That way you'll
avoid having to use experimental integration code.

- Jouni
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Execution of rlm code when remote server is not responding.

2012-09-27 Thread Alan DeKok

Arka Sharma wrote:
 Thanks a lot Phil for your reply.Now actually in my rlm code I want to
 set a flag to mark the vent of server went down and invoke a java code
 using JNI that is part of rlm.

  There is no event of server down.  There is a server failed to
respond to request.  As Phil said, see post-proxy-type Fail.

 Can you please elaborate.I searched the file trigger.conf using find
 / -name trigger.conf but did not get anything.Do I need to create it by
 my own.

  He said In the git master branch.

 1) use git, not find
 2) check out the master branch.

 In the proxy.conf I have old style realm configuration.Ip's for
 authorization and accounting hosts in the realm section.

  Fix that to use the new method of configuring home servers.  Then use
radmin.

 I was looking into default.original in sites-enabled for this.Can you
 give me some examples for this ?

  That file contains examples.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Cloud Radius Server

2012-09-27 Thread Michael Geary

Thank you all for your input.

I would be managing the Radius servers hosted by like HostGator or
Rackspace or someone like that.

On Thu, Sep 27, 2012 at 4:39 AM, Phil Mayers p.may...@imperial.ac.ukwrote:

 On 09/26/2012 11:42 PM, Michael Geary wrote:

 Good Evening,

 We have several separate networks. Our main network runs PPPoE while all
 of the others run over DHCP. I would like to migrate the DHCP networks
 to use PPPoE.


 I assume these are Ethernet-over-ADSL lines and you want to move away from
 static DSLAM port config, and to @isp.com dynamic routing?


We are a fixed-terrestrial wireless internet service provider




 Currently, our Radius server resides at the head end of our PPPoE
 network. I would like to remove the chance that if the Internet failed
 there, that no one on the separate networks would be able to authenticate.


 So the other networks have separate internet connectivity?


Yes, they are located throughout Vermont, New Hampshire and Massachusetts




 Has anyone had any experience with using a Radius server in the cloud to
 authenticate users?


 Personally, I'd never do it. FreeRADIUS performs well on commodity
 hardware, so just build more RADIUS servers and put them in various
 locations e.g. one in each remote location. Presumably you have DHCP
 servers in those locations now - the same hardware would probably suffice,
 since the load should be approximately the same.

 However, as Fajar says, if you want to cloud it there's nothing magic -
 RADIUS is just UDP/IP packets, so running it in the cloud should work fine.

 Couple of things to watch out for:

  1. RADIUS shared-secrets are keyed off source IP and destination IP/port.
 We occasionally see people who've painted themselves into a corner with
 NAT, or NASes on dynamic, unknown-prior IPs. Think carefully about how
 you'll avoid this issue, particularly if your NASes are on private IPs.

 This is not usually a problem over an internal network.

  2. Normal radius doesn't encrypt (but does sign) the entire packet. Only
 selected fields like User-Password (and EAP payloads that are encrypted
 by the EAP method). Decide if you care about this - the RADIUS packet will
 contain things like user names, MAC addresses and so on, and they'll be
 flowing over an untrusted network. It's probably not a worry, but in the EU
 at least, I'd be concerned about data protection.

 In theory you can solve this with RADSEC. In practice, virtually no NAS
 supports RADSEC, so you are left with IPSec or some other VPN as an option,
 or just live with it.


Thank you, I was thinking of connecting them to the internal networks via
OpenVPN or IPSec


 Likewise, not usually a problem over an internal network.

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/**
 list/users.html http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Cloud Radius Server

2012-09-27 Thread Fajar A. Nugraha

On Thu, Sep 27, 2012 at 9:34 PM, Michael Geary
mge...@greataukwireless.com wrote:
 I would be managing the Radius servers hosted by like HostGator or Rackspace
 or someone like that.


 So the other networks have separate internet connectivity?


 Yes, they are located throughout Vermont, New Hampshire and Massachusetts


 In theory you can solve this with RADSEC. In practice, virtually no NAS
 supports RADSEC, so you are left with IPSec or some other VPN as an option,
 or just live with it.


 Thank you, I was thinking of connecting them to the internal networks via
 OpenVPN or IPSec


Two last comments from me:

(1) I assume you already have a plan on how to keep your users data
synchronized between the servers?
There are many ways to do this, like db replication, LDAP multi-master
replication, or even plain-old rsync of users file.
Accounting is somewhat similar, but since (depending on your setup)
it's probably easier since you don't have to keep them synchronized.
It might be enough to just pull accounting data from all servers
regularly to do centralized processing.

(2) openvpn is good, but in my experience I had trouble reconnecting
after network failure if openvpn is run on udp (the default). Using
tcp doesn't have this problem (although it introduce other problems,
like longer retries, which in my case was acceptable).

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Execution of rlm code when remote server is not responding.

On 27/09/12 12:32, Arka Sharma wrote:

Thanks a lot Phil for your reply.Now actually in my rlm code I want to
set a flag to mark the vent of server went down and invoke a java code
using JNI that is part of rlm.

Sorry, I don't understand that. Can you elaborate?

It sounds like you have a custom module, written locally?

Modules process packets. So you can't run module code in response to a
home server down event (unless you emit a packet that your module
responds to, I guess).

Can you please elaborate.I searched the file trigger.conf using find
/ -name trigger.conf but did not get anything.Do I need to create it by
my own.

As I said, triggers are only available in the master git branch. They
are not available in the releases code (2.1.x, 2.2.0).

You will need to compile and install master to get triggers.

In the proxy.conf I have old style realm configuration.Ip's for
authorization and accounting hosts in the realm section.

Sorry, I don't understand why this is relevant.

It's possible you could do something in the post-proxy section
like so:

post-proxy {
Post-Proxy-Type Fail {
}
}

I was looking into default.original in sites-enabled for this.Can you
give me some examples for this ?

See:

https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/sites-available/robust-proxy-accounting#L104

You'll still need to find out which server is down, and this is what
radmin does. I wouldn't bother with this post-proxy stuff - just write
a cron job (although maybe you could trigger the cron job from
post-proxy, for fast detection).

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

suffix not work for me

hi again... i try to get suffix work but i guess missing something... here
some debugs and confs

rad_recv: Access-Request packet from host 10.10.64.67 port 16829, id=53,
length=208
Framed-Protocol = PPP
User-Name = *usert...@my.domain.cu*
User-Password = *secret*
NAS-Port-Type = Async
Calling-Station-Id = 123456789
Called-Station-Id = 987654321
Connect-Info = 44000/28800 V90/V44/LAPM
Cisco-AVPair = v92-info=V.92 QC/QC Short Train Success/0/0
NAS-Port = 443
NAS-Port-Id = Async3/11*E1 7/0:7
Service-Type = Framed-User
NAS-IP-Address = 10.10.64.67
# Executing section authorize from file
/etc/freeradius/sites-available/default
+- entering group authorize {...}
[preprocess]   hints: Matched DEFAULT at 36
++[preprocess] returns ok
++- entering policy filter_username {...}
+++? if (User-Name =~ /^ /)
? Evaluating (User-Name =~ /^ /) - FALSE
+++? if (User-Name =~ /^ /) - FALSE
+++? if (User-Name =~ / $$/)
? Evaluating (User-Name =~ / $$/) - FALSE
+++? if (User-Name =~ / $$/) - FALSE
+++? if (User-Name != %{tolower:%{User-Name}})
expand: %{User-Name} - *usert...@my.domain.cu*
expand: %{tolower:%{User-Name}} - *usert...@my.domain.cu*
? Evaluating (User-Name != %{tolower:%{User-Name}}) - FALSE
+++? if (User-Name != %{tolower:%{User-Name}}) - FALSE
++- policy filter_username returns ok
*[suffix] No '@' in User-Name = usertest, looking up realm NULL
 ---why not found '@' if is coming in radius packet and check in
the conf???*
[suffix] No such realm NULL
++[suffix] returns noop
[ldap] performing user authorization for *usertest*
[ldap]  expand: %{Stripped-User-Name} - *usertest*
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=*
usertest*)   *-- this works stripped-user-name OK*
[ldap]  expand: ou=group,ou=my,dc=domain,dc=cu -
ou=group,ou=my,dc=domain,dc=cu
.
*checking user/pass works fine... now check monthlycounter to compare
hours..*
.
[monthlycounter1] sql_xlat
[monthlycounter1] WARNING: Deprecated conditional expansion :-.  See man
unlang for details
[monthlycounter1]   expand:
%{Stripped-User-Name:-%{User-Name:-DEFAULT}} - *usertest*
[monthlycounter1] sql_set_user escaped user -- '*usertest*'

*IF stripped-user-name works here at monthlycounter why the query not use
it! and use user with realm??/*

[monthlycounter1]   expand: SELECT SUM(acctsessiontime -
   GREATEST((1346472000 - UNIX_TIMESTAMP(acctstarttime)), 0))
   FROM radacct WHERE username='*usert...@my.domain.cu*' AND
   UNIX_TIMESTAMP(acctstarttime) + acctsessiontime  '1346472000' - SELECT
SUM(acctsessiontime -  GREATEST((1346472000 -
UNIX_TIMESTAMP(acctstarttime)), 0))  FROM radacct WHERE
username='*usert...@my.domain.cu*' AND
 UNIX_TIMESTAMP(acctstarttime) + acctsessiontime  '1346472000'
rlm_sql (sql1): Reserving sql socket id: 4
[monthlycounter1] row[0] returned NULL
rlm_sql (sql1): Released sql socket id: 4
[monthlycounter1]   expand: %{sql1:SELECT SUM(acctsessiontime -
 GREATEST((1346472000 - UNIX_TIMESTAMP(acctstarttime)), 0))
 FROM radacct WHERE username='*usert...@my.domain.cu*' AND
 UNIX_TIMESTAMP(acctstarttime) + acctsessiontime  '1346472000'} -
*rlm_sqlcounter: No integer found in string - must be
found integer to compare with max-monthly-session, in database i have only
usernames, not with realms*
+++[monthlycounter1] returns noop

hints confs

*DEFAULT Suffix == @my.domain.cu, Strip-User-Name = Yes*
Hint = userdefault,
Service-Type = Framed-User,
Framed-Protocol = PPP,

site-available/default

# cat sites-available/default | egrep -v '\#|^$'
authorize {
preprocess
filter_username
*suffix*
ldap
redundant-load-balance {
monthlycounter1
monthlycounter2
}
checkval1
checkval2
checkval3

expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type LDAP {
ldap
}
}
preacct {
preprocess
acct_unique
*suffix*
}
accounting {
redundant-load-balance {
sql1
sql2
}
}
session {
load-balance {
sql1
sql2
}
}
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
}


thanxs for any help.

-- 
Antonio Peña
Secure email with PGP 0x8B021001 available at http://pgp.mit.edu
 Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: suffix not work for me

Hi,

        User-Name = [1]usert...@my.domain.cu

okay..

[preprocess]   hints: Matched DEFAULT at 36
++[preprocess] returns ok

and what is in your hints file?

++- policy filter_username returns ok

and what is in this policy?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: suffix not work for me

i put the hint file more below after radiusd -X.. check again please...
i miss policyfilter...
i send again both.

/etc/freeradius/hints

DEFAULT Suffix == @my.domain.cu, Strip-User-Name = Yes
 Hint = userdefault,
Service-Type = Framed-User,
Framed-Protocol = PPP,

/etc/freeradius/policy.conf   (is the original file, i just activate
uncommented # ) anyway here is

policy {
forbid_eap {
 if (EAP-Message) {
reject
}
 }
permit_only_eap {
if (!EAP-Message) {
 if (!%{outer.request:EAP-Message}) {
reject
}
 }
}
deny_realms {
 if (User-Name =~ /@|\\/) {
reject
}
 }
do_not_respond {
update control {
 Response-Packet-Type := Do-Not-Respond
}
handled
 }
filter_username {
if (User-Name =~ /^ /) {
 reject
}
if (User-Name =~ / $$/) {
 reject
}
if (User-Name != %{tolower:%{User-Name}}) {
 reject
}
}
 cui_authorize {
update request {
Chargeable-User-Identity:='\\000'
 }
}
cui_postauth {
 if (FreeRadius-Proxied-To == 127.0.0.1) {
if (outer.request:Chargeable-User-Identity) {
 update outer.reply {
Chargeable-User-Identity:=%{md5:%{config:cui_hash_key}%{User-Name}}
 }
}
}
 else {
if (Chargeable-User-Identity) {
update reply {
 Chargeable-User-Identity=%{md5:%{config:cui_hash_key}%{User-Name}}
}
 }
}
}
 cui_updatedb {
if (reply:Chargeable-User-Identity) {
cui
 }
}
cui_accounting {
 if (!Chargeable-User-Identity) {
update control {
Chargable-User-Identity := %{cui: SELECT cui FROM cui WHERE
clientipaddress = '%{Client-IP-Address}' AND callingstationid =
'%{Calling-Station-Id}' AND username = '%{User-Name}'}
 }
}
if (Chargeable-User-Identity  (Chargeable-User-Identity != )) {
 cui
}
}
 mac-addr =
([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
rewrite.called_station_id {
 if((Called-Station-Id)  %{Called-Station-Id} =~
/^%{config:policy.mac-addr}(:(.+))?$/i) {
update request {
 Called-Station-Id := %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
}
 if (%{8}) {
update request {
Called-Station-Id := %{Called-Station-Id}:%{8}
 }
}
updated
 }
else {
noop
 }
}
rewrite.calling_station_id {
 if((Calling-Station-Id)  %{Calling-Station-Id} =~
/^%{config:policy.mac-addr}$/i) {
update request {
 Calling-Station-Id := %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
}
 updated
}
else {
 noop
}
}
}




2012/9/27 alan buxey a.l.m.bu...@lboro.ac.uk

 Hi,

 User-Name = [1]usert...@my.domain.cu

 okay..

 [preprocess]   hints: Matched DEFAULT at 36
 ++[preprocess] returns ok

 and what is in your hints file?

 ++- policy filter_username returns ok

 and what is in this policy?

 alan
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Antonio Peña
Secure email with PGP 0x8B021001 available at http://pgp.mit.edu
 Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: suffix not work for me

2012-09-27 Thread Fajar A. Nugraha

On Thu, Sep 27, 2012 at 10:34 PM, Tony Peña emperor...@gmail.com wrote:
 hi again... i try to get suffix work but i guess missing something... here

 [preprocess]   hints: Matched DEFAULT at 36

 [suffix] No '@' in User-Name = usertest, looking up realm NULL
 ---why not found '@' if is coming in radius packet and check in the conf???

because you edit the config file and broke it


 hints confs

 DEFAULT Suffix == @my.domain.cu, Strip-User-Name = Yes

... and most likely that's where you broke it. Return that file to the
default and you should have it working correctly.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: suffix not work for me

Hi,

DEFAULT Suffix == @[1]my.domain.cu, Strip-User-Name = Yes

there you go.

strip-user-name = yes

this means that u...@blahblah.com becomes just user

do you WANT or intend to strip the user-name?  If you are trying to use the 
suffix
for other things then stripping it isnt going to help

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: suffix not work for me

I want when username is user@my.domain

the suffix out @my.domain to only get: user

that only need.

2012/9/27 alan buxey a.l.m.bu...@lboro.ac.uk

 Hi,

 DEFAULT Suffix == @[1]my.domain.cu, Strip-User-Name = Yes

 there you go.

 strip-user-name = yes

 this means that u...@blahblah.com becomes just user

 do you WANT or intend to strip the user-name?  If you are trying to use
 the suffix
 for other things then stripping it isnt going to help

 alan
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Antonio Peña
Secure email with PGP 0x8B021001 available at http://pgp.mit.edu
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: suffix not work for me

anyway... my problem is exactly at monthlycounter because i need
stripped-user-name and module stripped when try to use but in the queries
use username complete including realm.

2012/9/27 Tony Peña emperor...@gmail.com

 I want when username is user@my.domain

 the suffix out @my.domain to only get: user

 that only need.


 2012/9/27 alan buxey a.l.m.bu...@lboro.ac.uk

 Hi,

 DEFAULT Suffix == @[1]my.domain.cu, Strip-User-Name = Yes

 there you go.

 strip-user-name = yes

 this means that u...@blahblah.com becomes just user

 do you WANT or intend to strip the user-name?  If you are trying to use
 the suffix
 for other things then stripping it isnt going to help

 alan
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 Antonio Peña
 Secure email with PGP 0x8B021001 available at http://pgp.mit.edu
 Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001




-- 
Antonio Peña
Secure email with PGP 0x8B021001 available at http://pgp.mit.edu
 Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: suffix not work for me


On 27/09/12 17:06, Tony Peña wrote:

i put the hint file more below after radiusd -X.. check again please...
i miss policyfilter...
i send again both.

/etc/freeradius/hints

DEFAULT Suffix == @my.domain.cu, Strip-User-Name


Don't do this. It doesn't work reliably, because you modify the 
username, which breaks some things.


Stop using the hints file, and instead do something like this:

authorize {
 ...
 if (User-Name =~ /^(.+)@my.domain.co/) {
   update request {
 Stripped-User-Name := %{1}
   }
 }
 ...
}


As Alan has pointed out, you can also do this with the realm module:

authorize {
  ...
  suffix
  ...
}

...but to do that, you ALSO need to edit proxy.conf and define a fake 
local realm. Personally I find this confusing and like to separate proxy 
realms from username realms.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: suffix not work for me

ok.. the suffix patch works and get out the @realm...

but monthlycounter is my trouble more bigger... because not
stripped-user-name in the queries...

is possible to do the same patch, in sql/mysql/counter.conf ?? where said.

sqlcounter monthlycounter1 {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
 reply-name = Session-Timeout
sqlmod-inst = sql1
key = User-Name use the if { your patch} ???
 reset = monthly


2012/9/27 Phil Mayers p.may...@imperial.ac.uk

 On 27/09/12 17:06, Tony Peña wrote:

 i put the hint file more below after radiusd -X.. check again please...
 i miss policyfilter...
 i send again both.

 /etc/freeradius/hints

 DEFAULT Suffix == @my.domain.cu, Strip-User-Name


 Don't do this. It doesn't work reliably, because you modify the username,
 which breaks some things.

 Stop using the hints file, and instead do something like this:

 authorize {
  ...
  if (User-Name =~ /^(.+)@my.domain.co/) {
update request {
  Stripped-User-Name := %{1}
}
  }
  ...
 }


 As Alan has pointed out, you can also do this with the realm module:

 authorize {
   ...
   suffix
   ...
 }

 ...but to do that, you ALSO need to edit proxy.conf and define a fake
 local realm. Personally I find this confusing and like to separate proxy
 realms from username realms.

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/**
 list/users.html http://www.freeradius.org/list/users.html




-- 
Antonio Peña
Secure email with PGP 0x8B021001 available at http://pgp.mit.edu
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

read ldap groups for a user not specified in User-Name

2012-09-27 Thread David Aldwinckle

Hi list,

I've been given a set of requirements and I am having a hard time wrapping my 
head around what needs to happen in order to make things work.

Here is the scenario:

1. External to FreeRadius, a user can sponsor the creation of a guest account. 
The sponsor and guest accounts are in separate LDAP databases. 
2. Normally, I just need to handle authentication for the guest accounts. That 
part is easy, I have PEAP configured with LDAP and NT hashes.
3. the special requirement is that IF the sponsor account gets locked (deleted, 
expired, etc), then the guest account can no longer login either.

So, what I was thinking I could do was an LDAP group check on the sponsor 
userid (which would be put into a new attribute stored in the guest LDAP db), 
and then check the sponsors group memberships.

The problem with that is that I don't know how to get FreeRadius to read the 
groups for an arbitrary user that is not %User-Name. Can I copy another 
variable into the User-Name attribute in Post-Auth, and then do the group check 
there? 

Any suggestions? 

Thanks, 
Dave

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Load-Balance-Key usage

2012-09-27 Thread lscrlstld

Hi,

Can I use the Load-Balance-Key to choose a specific home_server?

For sample:
home_server_pool pool {
  type = keyed-balance
  home_server = server1
  home_server = server2
}

realm test {
  auth_pool = pool
  acct_pool = pool
}

authorize { 
...
  if ( ... ) { 
update control { Load-Balance-Key := 1} #sends to server1 
  }
  else {
update control { Load-Balance-Key := 2} #sends to server2
  }
...
}

Thanks!
JJP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: suffix not work for me

Hi,

key = User-Name     use the if { your patch} ???

either change this to Stripped-User-Name insteador if you ONLY want this to
be the full realm when its NOT the realm of interest, then create a new SQL 
query
and then wrap unlang around it eg

if (%{User-Name} =~ /\@realm.you.want$/i ){
monthlycounter1
}
else {
monthlycounter2
}


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: suffix not work for me