Re: Re[2]: can not build FreeRadius 2.2.0
On Sun, Dec 16, 2012 at 3:21 AM, Eugen Konkov kes-...@yandex.ru wrote:

> AD Eugen Konkov wrote:
>
> Building freeradiusd on
> # uname -a
> FreeBSD aki 10.0-CURRENT FreeBSD 10.0-CURRENT #0: Wed Jun 13 13:46:00 EEST 2012 adm@aki:/usr/obj/usr/src/sys/AKI i386
>
> /usr/bin/ld: attempted static link of dynamic object `/usr/local/lib/libgdbm.so'
>
> AD Don't do ./configure --disable-shared
>
> I do same as on FreeBSD 9:
> cd /usr/ports/net/freeradius2
> make install clean

Are you interested in FIXING your problem, or are you interested in saying "I'm not doing anything wrong, freebsd ports are perfect, so it must be that your software is broken"?

If it's the FIRST one, then configure FR manually (i.e. by NOT using freebsd ports), and follow Alan's advice:
- If that works, file a bug report to freebsd (or whoever is managing FR ports) that they messed up the recipe
- If it DOESN'T work, paste your configure line as well as the make output here.

Now if it's the SECOND one, you better ask in freebsd's list. It's VERY unlikely that you'd get any more help here, seeing that you snubbed the help you already got.

--
Fajar

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[4]: can not build FreeRadius 2.2.0
Hello, Fajar.

You wrote on December 16, 2012, 14:28:34:

FAN> On Sun, Dec 16, 2012 at 3:21 AM, Eugen Konkov kes-...@yandex.ru wrote:

> AD Eugen Konkov wrote:
>
> Building freeradiusd on
> # uname -a
> FreeBSD aki 10.0-CURRENT FreeBSD 10.0-CURRENT #0: Wed Jun 13 13:46:00 EEST 2012 adm@aki:/usr/obj/usr/src/sys/AKI i386
> from /usr/ports/net/freeradius2 (2.2.0 version) cause error:
> /usr/bin/ld: attempted static link of dynamic object `/usr/local/lib/libgdbm.so'
>
> AlanD
> AD Don't do ./configure --disable-shared
>
> I do same as on FreeBSD 9:
> cd /usr/ports/net/freeradius2
> make install clean

FAN> Are you interested in FIXING your problem, or are you interested in
FAN> saying "I'm not doing anything wrong, freebsd ports are perfect, so it
FAN> must be that your software is broken"?

FAN> If it's the FIRST one, then configure FR manually (i.e. by NOT using
FAN> freebsd ports), and follow Alan's advice:
FAN> - If that works, file a bug report to freebsd (or whoever is managing
FAN> FR ports) that they messed up the recipe
FAN> - If it DOESN'T work, paste your configure line as well as the make output here.

FAN> Now if it's the SECOND one, you better ask in freebsd's list. It's
FAN> VERY unlikely that you'd get any more help here, seeing that you
FAN> snubbed the help you already got.

I do not expect you will help me. I just submit a problem report.
In any case thank you very much for your answers and for the clue/advice.
I will try to build by hand and send PR to freebsd ports also.

--
Best regards,
Eugen
mailto:kes-...@yandex.ru
Re: Return Access-Accept/-Reject depending on other active sessions during post-authentication
Matthias Nagel wrote:

> Now, I would like to write some kind of RADIUS policy to prevent this behaviour.

(a) store information in a database
(b) use unlang to query the database

> This policy is supposed to do the following during the post-authentication phase:
> 1) If there is no active session on the NAS port, just return Access-Accept

You may need to create a new table which stores active sessions. INSERT data into it on authentication / accounting start. DELETE data on accounting stop.

> 2) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session equals the 'Tunnel-Private-Group-ID' of the new request, return Access-Accept.

Store the Tunnel-Private-Group-ID of a session on INSERT. Query it on the next session authentication.

> 3) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session DOES NOT equal the 'Tunnel-Private-Group-ID' of the new request, return Access-Reject.

Query the DB. If it doesn't match, reject.

> Is this possible to do? I have the accounting information in a SQL database, hence I know, if there are active sessions on some port. But I do not know, which would be the correct RADIUS configuration section and I do not know if unlang or some other configuration directive can perform such a check.

unlang is just a way to write policies. It does NOT store data. SQL databases store data. The two together can solve this problem.

Alan DeKok.
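Added example (not part of the message above and not FreeRADIUS configuration): a Python/SQLite model of the active-session table and the three-way post-authentication check discussed in this thread. The table, column and function names are hypothetical, and the Accounting-On cleanup for stale rows goes beyond what the message spells out.

```python
import sqlite3

# Hypothetical schema: one row per live session on a switch port.
SCHEMA = """
CREATE TABLE IF NOT EXISTS active_sessions (
    nas_ip          TEXT NOT NULL,
    nas_port        TEXT NOT NULL,
    acct_session_id TEXT NOT NULL,
    vlan            TEXT NOT NULL,  -- Tunnel-Private-Group-ID of the session
    PRIMARY KEY (nas_ip, acct_session_id)
);
CREATE INDEX IF NOT EXISTS active_by_port ON active_sessions (nas_ip, nas_port);
"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def accounting_start(db, nas_ip, nas_port, session_id, vlan):
    # INSERT on accounting start; a retransmitted Start replaces the same row.
    db.execute("INSERT OR REPLACE INTO active_sessions VALUES (?, ?, ?, ?)",
               (nas_ip, nas_port, session_id, vlan))

def accounting_stop(db, nas_ip, session_id):
    # DELETE on accounting stop.
    db.execute("DELETE FROM active_sessions WHERE nas_ip = ? AND acct_session_id = ?",
               (nas_ip, session_id))

def accounting_on(db, nas_ip):
    # A NAS reboot (Accounting-On/Off) ends every session on it; without this,
    # rows whose Stop was never sent would keep rejecting other VLANs.
    db.execute("DELETE FROM active_sessions WHERE nas_ip = ?", (nas_ip,))

def post_auth_decision(db, nas_ip, nas_port, new_vlan):
    rows = db.execute("SELECT DISTINCT vlan FROM active_sessions "
                      "WHERE nas_ip = ? AND nas_port = ?", (nas_ip, nas_port))
    vlans = {row[0] for row in rows}
    if not vlans:                 # 1) no active session on the port
        return "Access-Accept"
    if vlans == {new_vlan}:       # 2) every active session uses the same VLAN
        return "Access-Accept"
    return "Access-Reject"        # 3) a different VLAN is already on the port

if __name__ == "__main__":
    db = open_db()  # constructed sample data: NAS 192.0.2.10, port 7
    accounting_start(db, "192.0.2.10", "7", "sess-1", "20")
    for vlan in ("20", "30"):
        print(vlan, post_auth_decision(db, "192.0.2.10", "7", vlan))
```

All queries are parameterized, since the NAS port and VLAN values arrive in RADIUS packets and should not be spliced into SQL text.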
Return Access-Accept/-Reject depending on other active sessions during post-authentication
Hello together,

my NAS supports user-based authentication, this means it is possible to have multiple sessions on the same ethernet port (same user multiple times and/or different users). Each attached supplicant must authenticate itself. The switch prohibits a supplicant to use piggy-backing on top of some other already authenticated supplicant.

Moreover I use RADIUS-assigned VLANs. If the same user or different users that are assigned to the same VLAN are authenticated on the same port, everything is fine. The trouble starts, if an additional user with a different VLAN than the VLAN that is already assigned to the port is successfully authenticated. In the past an additional user was denied access by the switch, if such a VLAN mismatch occurred. This means it was impossible to have several different untagged VLANs on the same port. But my current NAS also grants access to the additional user and assigns this user's VLAN to the port, too. This means there is more than one untagged VLAN on the same port at the same time and the result is some kind of short-circuit fault between the affected VLANs.

Now, I would like to write some kind of RADIUS policy to prevent this behaviour. This policy is supposed to do the following during the post-authentication phase:

1) If there is no active session on the NAS port, just return Access-Accept
2) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session equals the 'Tunnel-Private-Group-ID' of the new request, return Access-Accept.
3) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session DOES NOT equal the 'Tunnel-Private-Group-ID' of the new request, return Access-Reject.

Is this possible to do? I have the accounting information in a SQL database, hence I know, if there are active sessions on some port. But I do not know, which would be the correct RADIUS configuration section and I do not know if unlang or some other configuration directive can perform such a check.

Best regards, Matthias

--
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe
Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
e-Mail: matthias.h.na...@gmail.com
ICQ: 499797758
Skype: nagmat84