AAA Accounting Relay

2013-05-08 Thread Raithatha, Divyesh
Newbie question for the group.  Has anyone successfully set up a Radius Relay 
for Accounting as this older article for LDAP lists?

http://freeradius.org/radiusd/doc/ldap_howto.txt

What we would like to do is to send both Auth and Accounting requests to an AAA 
server and then forward just the accounting records to another AAA server that 
is back-ended to MySQL.

Thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Free radius as Proxy EAP-PEAP-GTC User-Password is never set

2013-05-08 Thread Sankalp Dubey
Hi Alan

Can you please provide some pointers on where to carry out code change to 
achieve this.

Thanks n regards
Sankalp Dubey

-Original Message-
From: freeradius-users-bounces+sankalp_dubey=symantec@lists.freeradius.org 
[mailto:freeradius-users-bounces+sankalp_dubey=symantec@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Tuesday, May 07, 2013 7:07 PM
To: FreeRadius users mailing list
Subject: Re: Free radius as Proxy EAP-PEAP-GTC User-Password is never set

Sankalp Dubey wrote:
> Can you please help out how to achieve it

  Code changes.

> or else you can point out what's wrong in our configuration.

  If it was possible via a configuration change, I would have told you.

  Alan DeKok.


Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread Fajar A. Nugraha
On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh wrote:
> Thanks, I got past the README but now I am getting the following file not 
> found errors.  They do exist, however, it looks like the build is looking for 
> version 2.2.0 of the library files yet they are listed as 2.2.1.
>
>
> error: File not found: 
> /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst

That's kinda tricky. Look at %files section in the spec file.

The cleanest solution right now would probably be changing "Version:
2.2.0" in the top of the make file to 2.2.1, AND rename your source
bz2 file to freeradius-server-2.2.1.tar.bz2.

Another way would be changing the files section, from (e.g.)

%{_libdir}/freeradius/rlm_acct_unique-%{version}.so

to

%{_libdir}/freeradius/rlm_acct_unique-*.so

... or even try deleting all rlm_* lines and replace them with a one-liner

%{_libdir}/freeradius/rlm_*.so*

-- 
Fajar


Re: AAA Accounting Relay

2013-05-08 Thread A . L . M . Buxey
Hi,

>What we would like to do is to send both Auth and Accounting requests to a
>AAA server and then forward just  the accounting records to another AAA
>server that is back-ended to MySQL.

yes, just proxy the accounting - either using some unlang and proxy.conf
or by using eg robust accounting virtual server

alan


Re: Config for 802.1x use on network switches

2013-05-08 Thread Nikolaos Milas

On 7/5/2013 2:37 PM, Michael Schwartzkopff wrote:

> http://vuksan.com/linux/dot1x/802-1x-LDAP.html


Thank you Michael for your valuable feedback, esp. the link above.

By the way, I've been pointed to: http://www.packetfence.org for a more 
integrated system, which also supports 802.1x and it looks nice and clean.


It works with freeRadius too.

Any experience with it? Any advice?

Thanks in advance,
Nick

Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread Phil Mayers

On 05/08/2013 08:19 AM, Fajar A. Nugraha wrote:

> %{_libdir}/freeradius/rlm_acct_unique-*.so

FWIW this is the approach we usually take when packaging things; it 
seems pointless to me to embed version numbers into %files macros. I'm 
aware this is probably frowned on by some packaging guidelines, but it 
works well for us ;o)



Re: Config for 802.1x use on network switches

2013-05-08 Thread Michael Schwartzkopff
On Wednesday, 8 May 2013, 12:29:44, Nikolaos Milas wrote:
> On 7/5/2013 2:37 PM, Michael Schwartzkopff wrote:
> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> 
> Thank you Michael for your valuable feedback, esp. the link above.
> 
> By the way, I've been pointed to: http://www.packetfence.org for a more
> integrated system, which also supports 802.1x and it looks nice and clean.
> 
> It works with freeRadius too.
> 
> Any experience with it? Any advice?
> 
> Thanks in advance,
> Nick

Depending on your needs it might be a little bit oversized. It seems to 
integrate everything that someone might ever need.

But if you need that functionality you might give it a try. If you only need 
802.1x for a handful of switches plain FreeRADIUS with a *SQL database in the 
backend is perhaps the right choice for you.

Greetings,

-- 

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

Re: AAA Accounting Relay

2013-05-08 Thread Fajar A. Nugraha
On Wed, May 8, 2013 at 3:23 PM,   wrote:
> Hi,
>
>>What we would like to do is to send both Auth and Accounting requests to a
>>AAA server and then forward just  the accounting records to another AAA
>>server that is back-ended to MySQL.
>
> yes, just proxy the accounting - either using some unlang and proxy.conf
> or by using eg robust accounting virtual server

... or rlm_replicate.

https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/raddb/modules/replicate

--
Fajar
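
One way to lay out the rlm_replicate approach for the accounting relay asked about in this thread, as an added example (not from any poster or from the FreeRADIUS project). It assumes a 2.x raddb layout with the replicate module from the linked file enabled; the names acct_sql_server, acct_sql_pool and acct_relay, the address and the secret are placeholders.

```conf
# --- raddb/proxy.conf (constructed example values) ---
# Downstream AAA server that stores accounting in MySQL.
home_server acct_sql_server {
	type   = acct                      # accounting only, never auth
	ipaddr = 192.0.2.10                # placeholder address (TEST-NET-1)
	port   = 1813
	secret = CHANGE_ME_SHARED_SECRET   # placeholder; use a long random value
}

home_server_pool acct_sql_pool {
	type        = fail-over
	home_server = acct_sql_server
}

# The realm name is arbitrary; it is only referenced by
# Replicate-To-Realm below. No auth_pool is defined, so this
# realm can only ever receive accounting packets.
realm acct_relay {
	acct_pool = acct_sql_pool
}

# --- raddb/sites-enabled/default ---
accounting {
	# Keep a local copy of every record on the first AAA server.
	detail

	# Clone each Accounting-Request to the realm above.
	# Access-Requests never reach this section, so authentication
	# traffic stays on the first server.
	update control {
		Replicate-To-Realm := "acct_relay"
	}
	replicate
}
```

The replicate module sends the copy and ignores any reply, so the local detail file is the record to reconcile against if the downstream server was unreachable.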


Re: Free radius as Proxy EAP-PEAP-GTC User-Password is never set

2013-05-08 Thread Alan DeKok
Sankalp Dubey wrote:
> Can you please provide some pointers on where to carry out code change to 
> achieve this.

  Well... looking at the EAP-GTC code would be a good start.

  Alan DeKok.


Re: smbpasswd or etc_smbpasswd?

2013-05-08 Thread Alan DeKok
Bill McGonigle wrote:
> I'm seeing the same sample configuration on el5, el6, and on git head,
> so maybe I'm doing something wrong?

  No.  It's a typo.  I've pushed a fix.

  Alan DeKok.


Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread John Dennis

On 05/08/2013 03:19 AM, Fajar A. Nugraha wrote:
> On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh wrote:
>> Thanks, I got past the README but now I am getting the following file not found 
>> errors.  They do exist, however, it looks like the build is looking for version 
>> 2.2.0 of the library files yet they are listed as 2.2.1.
>>
>> error: File not found: 
>> /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst
>
> That's kinda tricky. Look at %files section in the spec file.
>
> The cleanest solution right now would probably be changing "Version:
> 2.2.0" in the top of the make file to 2.2.1, AND rename your source
> bz2 file to freeradius-server-2.2.1.tar.bz2.

The version macro in the spec file, the version embedded in tar file 
name, and the contents of tar file all *MUST* match. You have to be 
precise with what version you're building.

I assumed that was obvious as opposed to being tricky ;-)

> Another way would be changing the files section, from (e.g.)
>
> %{_libdir}/freeradius/rlm_acct_unique-%{version}.so
>
> to
>
> %{_libdir}/freeradius/rlm_acct_unique-*.so
>
> ... or even try deleting all rlm_* lines and replace them with a one-liner
>
> %{_libdir}/freeradius/rlm_*.so*


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


how to get linelog() to see packet-types other than access-request

2013-05-08 Thread Jeff Smith
Hello,

I've got a freeradius server 2.2.0 configured to process requests, and now
I'd like to add some logging that would look something like this:

Wed May  8 14:53:16 2013 Access-Request for a...@purdue.edu from MAC
address (Calling-Station-Id) 84-3a-4b-0c-46-44 NAS lwsn-b143-wism2-11

I actually have that working, but would like for linelog to also log a line
for packet types access-challenge, access-accept, and access-reject.  My
/opt/freeradius/etc/raddb/modules/linelog has:

reference = "%{%{Packet-Type}:-format}"

#
#  Followed by a series of log messages.
Access-Request = "%t %{Packet-Type} for %{User-Name} from MAC address (Calling-Station-Id) %{Calling-Station-Id} NAS %{NAS-IDentifier}"
Access-Reject = "Rejected access: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-IDentifier}"
Access-Challenge = "Sent challenge: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-IDentifier}"
Access-Accept = "Accepted access: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-IDentifier}"

That is, slight changes from the examples given.

I've added calls to linelog to the following sections in
sites-enabled/default and sites-enabled/inner-tunnel:
authorize
authenticate
preacct
accounting
post-auth

re: RE: how to get linelog() to see packet-types other than access-request

2013-05-08 Thread Jeff Smith
Argh.  Please accept my apologies -- I accidentally sent the previous
message before I had finished composing it.

Jeff

Re: how to get linelog() to see packet-types other than access-request

2013-05-08 Thread Phil Mayers

On 08/05/2013 20:09, Jeff Smith wrote:
> Hello,
>
> I've got a freeradius server 2.2.0 configured to process requests, and
> now I'd like to add some logging that would look something like this:
>
> Wed May  8 14:53:16 2013 Access-Request for a...@purdue.edu
>  from MAC address (Calling-Station-Id)
> 84-3a-4b-0c-46-44 NAS lwsn-b143-wism2-11
>
> I actually have that working, but would like for linelog to also log a
> line for packet types access-challenge, access-accept, and

Can't easily be done for Access-Challenge I'm afraid. The server doesn't 
pass them through post-auth.

> access-reject.  My /opt/freeradius/etc/raddb/modules/linelog has:

The easiest way is to define another instance of the linelog module, and 
use "Response-Packet-Type" in the format of the 2nd module, and call 
that in any "response" sections. If this offends your sensibilities, you 
can wrap the two linelog modules in a "policy" like so:


policy {
  mylog.authorize {
    linelog1
  }
  mylog.post-auth {
    linelog2
  }
}

...then call "mylog". This can be useful for other reasons e.g. using 
unlang to format attributes before calling the linelog module, and is 
what we do.



Basic question to authenticate switches and Linux boxes

2013-05-08 Thread Roberto Carna
Dear, I'm new at FreeRADIUS as an AAA server in a Linux box and I need to
authenticate Allied switches and Debian/Centos boxes.

What package/module do I have to install in addition to freeradius ??? And
what authentication procedure do I have to use in order to let universal
AAA ???

Thanks a lot,

Roberto
"the locu abierto"

Re: Basic question to authenticate switches and Linux boxes

2013-05-08 Thread Matt Zagrabelny
On Wed, May 8, 2013 at 3:26 PM, Roberto Carna  wrote:
> Dear, I'm new at FreeRADIUS as an AAA server in a Linux box and I need to
> authenticate Allied switches and Debian/Centos boxes.
>
> What package/module do I have to install in addition to freeradius ???

For the Debian clients you might want:

libpam-radius-auth

You can use apt-cache to search for things:

% apt-cache search radius pam
freeradius - high-performance and highly configurable RADIUS server
libpam-radius-auth - The PAM RADIUS authentication module
yardradius - YARD Radius Authorization and Accounting Server

> And what authentication procedure do I have to use in order to let universal AAA
> ???

I don't understand this question.

-mz


Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread Divyesh Raithatha
Thanks everyone.  Finally got the RPM build to work by doing the following:

Version:  2.2.0" in the top of the freeradius.spec file to 2.2.1, and
renaming source bz2 file to freeradius-server-2.2.1.tar.bz2

Along with commenting out patches 2 and 5
#Patch2: freeradius-radtest.patch
#Patch5: freeradius-radeapclient-ipv6.patch


Changing the README line to README.rst
# install doc files omitted by standard install
for f in COPYRIGHT CREDITS INSTALL README.rst; do
    cp $f $RPM_BUILD_ROOT/%{docdir}
done

diff freeradius.spec ~/freeradius-server-2.2.1/redhat/freeradius.spec
3c3
< Version: 2.2.0
---
> Version: 2.2.1
15c15
< Patch2: freeradius-radtest.patch
---
> #Patch2: freeradius-radtest.patch
18c18
< Patch5: freeradius-radeapclient-ipv6.patch
---
> #Patch5: freeradius-radeapclient-ipv6.patch
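Review bot: the 15c15 and 18c18 hunks disable Patch2 and Patch5 with a bare "#" and record no reason. Add a spec comment above each line stating why the patch is dropped for 2.2.1 (already merged upstream, or no longer applies), so the radtest and radeapclient-ipv6 changes are not lost silently on the next version bump.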
152c152
< %patch2 -p1 -b .radtest
---
> #%patch2 -p1 -b .radtest
155c155
< %patch5 -p1 -b .radeapclient-ipv6
---
> #%patch5 -p1 -b .radeapclient-ipv6
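Review bot: in the 152c152 and 155c155 hunks, "#%patch2" and "#%patch5" leave a live "%" on a comment line, and rpm expands macros inside spec comments. Delete the two lines, or escape them as "#%%patch2 -p1 -b .radtest" and "#%%patch5 -p1 -b .radeapclient-ipv6".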
239c239
< for f in COPYRIGHT CREDITS INSTALL README; do
---
> for f in COPYRIGHT CREDITS INSTALL README.rst; do

By commenting out patch 2 and patch 5 what am I missing, if anything?

On Wed, May 8, 2013 at 8:20 AM, John Dennis  wrote:

> On 05/08/2013 03:19 AM, Fajar A. Nugraha wrote:
>
>> On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh
>>  wrote:
>>
>>> Thanks, I got past the README but now I am getting the following file
>>> not found errors.  They do exist, however, it looks like the build is
>>> looking for version 2.2.0 of the library files yet they are listed as 2.2.1.
>>>
>>>
>>> error: File not found:
>>> /home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst
>>>
>>
>> That's kinda tricky. Look at %files section in the spec file.
>>
>> The cleanest solution right now would probably be changing "Version:
>> 2.2.0" in the top of the make file to 2.2.1, AND rename your source
>> bz2 file to freeradius-server-2.2.1.tar.bz2.
>>
>
> The version macro in the spec file, the version embedded in tar file name,
> and the contents of tar file all *MUST* match. You have to be precise with
> what version you're building.
>
> I assumed that was obvious as opposed to being tricky ;-)
>
>
>> Another way would be changing the files section, from (e.g.)
>>
>> %{_libdir}/freeradius/rlm_acct_unique-%{version}.so
>>
>> to
>>
>> %{_libdir}/freeradius/rlm_acct_unique-*.so
>>
>> ... or even try deleting all rlm_* lines and replace them with a one-liner
>>
>> %{_libdir}/freeradius/rlm_*.so*
>>
>>
>
> --
> John Dennis 
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/