Re: Freeradius -username for authentication is not picking from users file.
On 5 Aug 2013, at 08:20, rajeev sr rajee...@gmail.com wrote:

> Hello,
>
> I am trying to run the radtest on local machine which is CentOS 6.0. But am getting the following error while sending the Access Request message from client which is another machine. The user name is defined in users file under /usr/local/etc/raddb. But still am getting the error. I had provided the snapshot received on radiusd -Xx in the end. Can you please help me in figuring out the issue?
>
> Fri Aug 2 16:45:38 2013 : Debug: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

I really fail to see what's ambiguous about that error...

The shared secret on the NAS and the RADIUS server is wrong and it's failing to decode the user's password correctly. Make sure the shared secret is the same on the NAS and the relevant client in clients.conf.

Don't respond with "but they're the same", because they're not. You've either misconfigured the NAS or the RADIUS server. We can't help you figure out which.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius -username for authentication is not picking from users file.
Hi,

> User-Password = \334a\004\305\355x\321\332G\306\362b\226~\355+

that line and the following in the debug:

> Fri Aug 2 16:45:38 2013 : Debug: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

are quite clear. incorrect shared secret. ensure that your server has an entry for your remote system in the clients.conf file and that you are using the correct shared secret on the radtest command line.

alan
Re: Freeradius -username for authentication is not picking from users file.
On Mon, Aug 05, 2013 at 12:50:20PM +0530, rajeev sr wrote:
> I am trying to run the radtest on local machine which is CentOS 6.0. But am getting the following error while sending the Access Request message from client which is another machine. The user name is defined in users file under /usr/local/etc/raddb. But still am getting the error. I had provided the snapshot received on radiusd -Xx in the end. Can you please help me in figuring out the issue?

In addition to having an incorrect shared secret as already pointed out, it looks like you've commented out files from the authorize section of /usr/local/etc/raddb/sites-enabled/default.

> Fri Aug 2 16:45:25 2013 : Debug:  client 10.100.111.0/24 {
> Fri Aug 2 16:45:25 2013 : Debug:  	require_message_authenticator = no
> Fri Aug 2 16:45:25 2013 : Debug:  	secret = "ABC123"
> Fri Aug 2 16:45:25 2013 : Debug:  	shortname = "BTS111"
> Fri Aug 2 16:45:25 2013 : Debug:  }
> Fri Aug 2 16:45:25 2013 : Debug:  client 10.100.111.2/24 {
> Fri Aug 2 16:45:25 2013 : Debug:  	ipaddr = 10.100.111.2
> Fri Aug 2 16:45:25 2013 : Debug:  	require_message_authenticator = no
> Fri Aug 2 16:45:25 2013 : Debug:  	secret = "ABC123"
> Fri Aug 2 16:45:25 2013 : Debug:  	shortname = "BTS111"
> Fri Aug 2 16:45:25 2013 : Debug:  	nastype = "other"
> Fri Aug 2 16:45:25 2013 : Debug:  }

You've also got two netblocks that clash there. I'm not sure it will hurt, but you probably want to remove one of them, or fix the netmask.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
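Added example (not FreeRADIUS code and not posted by anyone in this thread): the RFC 2865 User-Password hiding that both replies above are talking about, and why a shared-secret mismatch shows up as "Unprintable characters in the password". It also checks the two overlapping client netblocks from the debug output. The Request Authenticator and the password are constructed values; the secret is the one visible in the debug output.

```python
"""RFC 2865 User-Password hiding: a wrong shared secret yields a wrong keystream,
so the server decodes random bytes and warns about unprintable characters."""
import hashlib
import ipaddress


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does (RFC 2865 section 5.2): pad the password with NULs to a
    multiple of 16 bytes, then XOR each 16-byte block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block  # chaining: the next key depends on the previous ciphertext block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does: derive the same keystream, XOR back, strip NUL padding.
    With a different secret the keystream differs and the result is garbage."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")


def looks_printable(decoded: bytes) -> bool:
    """Approximation of the test behind FreeRADIUS' warning: a password that decodes
    to non-printable bytes almost always means the secrets do not match."""
    return all(0x20 <= b < 0x7F for b in decoded)


def diagnose(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Server-side view: decode with the configured secret and classify the result."""
    clear = unhide_password(hidden, secret, authenticator)
    return "ok" if looks_printable(clear) else "unprintable: check the shared secret"


def clients_overlap(net_a: str, net_b: str) -> bool:
    """True when two clients.conf netblocks cover the same addresses: 10.100.111.2/24
    is the same /24 as 10.100.111.0/24, so the two client entries clash."""
    a = ipaddress.ip_network(net_a, strict=False)
    b = ipaddress.ip_network(net_b, strict=False)
    return a.overlaps(b)


if __name__ == "__main__":
    # Constructed: a fixed authenticator (a real NAS uses 16 random bytes per request).
    authenticator = bytes(range(16))
    on_the_wire = hide_password(b"testpass", b"ABC123", authenticator)
    print(diagnose(on_the_wire, b"ABC123", authenticator))   # secrets match
    print(diagnose(on_the_wire, b"WRONG", authenticator))    # NAS/server secret mismatch
    print(clients_overlap("10.100.111.0/24", "10.100.111.2/24"))
```

The chaining is why only the first 16 bytes depend directly on the Request Authenticator; every later block also depends on the previous ciphertext block, so a mismatch corrupts the whole password, not just its first characters.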
Problem in freeradius 2.1.10, ldap and huntgroups
Hi,

I have installed fr 2.1.10 w openldap and I can authenticate users against ldap. I have also added groups in ldap and allowed ldap module to search groups and it also works fine. Now the problem is that huntgroups won't work. I need to restrict access to NAS for specific groups. I can see that groups match

rlm_ldap::ldap_groupcmp: User found in group

but the huntgroup match won't work.

file huntgroups:

	NAS-IP-Address == 172.150.0.1

file users:

DEFAULT	Ldap-Group ==
	Huntgroup-Name ==

I am very glad for any help and if someone has a better solution for this I'm happy to hear it. There are about 600 NAS (sw's and routers) for different customers and we need to provide mgmt access to customers and our NOC staff, so I think we need to use huntgroups w groups and if someone has an example for this one I'm very glad for that also.

Best regards,
Ville Leinonen
Re: Problem in freeradius 2.1.10, ldap and huntgroups
Hi,

> file users:
>
> DEFAULT	Ldap-Group ==
> 	Huntgroup-Name ==

multiple lines? the first line is CHECK items. other lines are REPLY items

alan
Re: Problem in freeradius 2.1.10, ldap and huntgroups
Hi,

Thank you for your reply. It was my mistake, when I was testing. Corrected

DEFAULT	Ldap-Group == , Huntgroup-Name ==

Still not working as I want.

Br,
Ville

> Hi,
>
>> file users:
>>
>> DEFAULT	Ldap-Group ==
>> 	Huntgroup-Name ==
>
> multiple lines? the first line is CHECK items. other lines are REPLY items
>
> alan
Re: Problem in freeradius 2.1.10, ldap and huntgroups
Hi,

> It was my mistake, when I was testing. Corrected
>
> DEFAULT	Ldap-Group == , Huntgroup-Name ==
>
> Still not working as I want.

output?

alan
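Added example (not FreeRADIUS code, not posted in this thread): a small model of how the files module reads the users and huntgroups files, to make the CHECK/REPLY point above concrete. The first line of a users entry carries check items; indented continuation lines carry reply items, so a Huntgroup-Name that slipped onto a second line is never compared and the entry matches on every NAS. The LDAP group lookup is replaced by a constructed membership table; the sample files, user name and the second NAS address are constructed, and the trailing DEFAULT Auth-Type := Reject entry is the usual users(5) idiom for denying whatever nothing else matched.

```python
"""Model of users/huntgroups evaluation: check items vs. reply items, and
Huntgroup-Name resolution against the huntgroups file."""
import re

# "Attribute op value", value either double-quoted or bare, optional trailing comma.
ITEM = re.compile(r'([\w-]+)\s*(:=|==|!=|\+=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*,?')


def parse_items(text):
    return [(attr, op, val.strip('"')) for attr, op, val in ITEM.findall(text)]


def parse_users(text):
    """users(5) layout: an unindented line is 'name  check-items'; indented
    lines that follow are the reply items of that entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1]["reply"].extend(parse_items(raw))
        else:
            parts = raw.split(None, 1)
            entries.append({"name": parts[0],
                            "check": parse_items(parts[1]) if len(parts) > 1 else [],
                            "reply": []})
    return entries


def parse_huntgroups(text):
    """huntgroups layout: 'group  Attr == value[, Attr == value]'; repeated group
    names are alternatives, any one of which places the NAS in the group."""
    groups = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        name, rest = raw.split(None, 1)
        groups.setdefault(name, []).append(parse_items(rest))
    return groups


def in_huntgroup(name, request, huntgroups):
    return any(all(request.get(attr) == val for attr, op, val in alt if op == "==")
               for alt in huntgroups.get(name, []))


def check_matches(item, request, huntgroups, ldap_groups):
    """Evaluate one check item: assignment operators (:=, =, +=) set control items
    and are not compared; == and != compare against the request."""
    attr, op, val = item
    if op not in ("==", "!="):
        return True
    if attr == "Huntgroup-Name":
        hit = in_huntgroup(val, request, huntgroups)
    elif attr == "Ldap-Group":
        # Stand-in for rlm_ldap's ldap_groupcmp: a constructed membership table.
        hit = request.get("User-Name") in ldap_groups.get(val, set())
    else:
        hit = request.get(attr) == val
    return hit if op == "==" else not hit


def authorize(users_text, huntgroups_text, request, ldap_groups):
    """First entry (matching name or DEFAULT) whose check items all match wins, as
    with the files module when Fall-Through is not set.
    Returns (entry name or None, control items, reply items)."""
    huntgroups = parse_huntgroups(huntgroups_text)
    for entry in parse_users(users_text):
        if entry["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        if all(check_matches(i, request, huntgroups, ldap_groups) for i in entry["check"]):
            control = [(a, v) for a, op, v in entry["check"] if op == ":="]
            return entry["name"], control, entry["reply"]
    return None, [], []


# Constructed sample files and requests; 172.150.0.1 is the NAS from the thread.
HUNTGROUPS = "customer-a\tNAS-IP-Address == 172.150.0.1\n"
GOOD_USERS = (
    "# check items on the first line, reply items on the indented line\n"
    'DEFAULT\tLdap-Group == "noc", Huntgroup-Name == "customer-a"\n'
    '\tReply-Message = "NOC access granted"\n'
    "DEFAULT\tAuth-Type := Reject\n"
)
BAD_USERS = (
    'DEFAULT\tLdap-Group == "noc"\n'
    '\tHuntgroup-Name == "customer-a"\n'   # second line: a REPLY item, never compared
)
LDAP_GROUPS = {"noc": {"tauno"}}
REQ_CUSTOMER_A = {"User-Name": "tauno", "NAS-IP-Address": "172.150.0.1"}
REQ_OTHER_NAS = {"User-Name": "tauno", "NAS-IP-Address": "172.150.0.62"}

if __name__ == "__main__":
    print(authorize(GOOD_USERS, HUNTGROUPS, REQ_CUSTOMER_A, LDAP_GROUPS))  # matched, reply set
    print(authorize(GOOD_USERS, HUNTGROUPS, REQ_OTHER_NAS, LDAP_GROUPS))   # falls to Reject
    print(authorize(BAD_USERS, HUNTGROUPS, REQ_OTHER_NAS, LDAP_GROUPS))    # matches anyway
```

Note that a non-matching users entry only makes the files module return noop; it does not by itself reject the request, which is why another module (here ldap) can still authorize the user.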
Secure tunnel to freeradius
Hi

We have a supplicant that is our own box doing client 802.1x authentication using freeradius. We do not establish a TLS/IPSec connection between the supplicant and freeradius. We need to establish a secure channel between the supplicant and freeradius. Can someone please tell me whether any such thing is supported in radius? If yes, it would be great if you could point me to the corresponding config files and code.

Thanks
Rahul
Re: Problem in freeradius 2.1.10, ldap and huntgroups
Here comes:

rlm_ldap::ldap_groupcmp: User found in group

and the user still gets access. I noticed that if I disable ldap and put the user in the users file like this:

vi...@.fi	Cleartext-Password := , Huntgroup-Name ==

it works and I can filter users based on huntgroup.

Br,
Ville

> Hi,
>
>> It was my mistake, when I was testing. Corrected
>>
>> DEFAULT	Ldap-Group == , Huntgroup-Name ==
>>
>> Still not working as I want.
>
> output?
>
> alan
Re: Secure tunnel to freeradius
Does freeradius support RFC 6614 for the same?

On Mon, Aug 5, 2013 at 5:07 PM, Rahul Godbole rahulmg1...@gmail.com wrote:
> Hi
>
> We have a supplicant that is our own box doing client 802.1x authentication using freeradius. We do not establish a TLS/IPSec connection between the supplicant and freeradius. We need to establish a secure channel between the supplicant and freeradius. Can someone please tell me whether any such thing is supported in radius? If yes, it would be great if you could point me to the corresponding config files and code.
>
> Thanks
> Rahul
Re: Secure tunnel to freeradius
On 5 Aug 2013, at 12:37, Rahul Godbole rahulmg1...@gmail.com wrote:

> Hi
>
> We have a supplicant that is our own box doing client 802.1x authentication using freeradius. We do not establish a TLS/IPSec connection between the supplicant and freeradius. We need to establish a secure channel between the supplicant and freeradius.

Um, yes, that'd be EAP.

> Can someone please tell me whether any such thing is supported in radius? If yes, it would be great if you could point me to the corresponding config files and code.

eap.conf or mods-available/eap

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Problem in freeradius 2.1.10, ldap and huntgroups
Hi,

> Here comes:
>
> rlm_ldap::ldap_groupcmp: User found in group

radiusd -X

it's what the docs say. for a reason

alan
Re: Secure tunnel to freeradius
On 5 Aug 2013, at 13:11, Rahul Godbole rahulmg1...@gmail.com wrote:

> RFC 6614

That's encryption between the NAS and the RADIUS server, and yes FreeRADIUS 3.0 does support radsec. But chances are your NAS doesn't.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Secure tunnel to freeradius
Hi,

> We have a supplicant that is our own box doing client 802.1x authentication using freeradius. We do not establish a TLS/IPSec connection between the supplicant and freeradius. We need to establish a secure channel between the supplicant and freeradius.

NAS or supplicant? a supplicant never talks to the RADIUS - it's all done via the NAS.

there are plenty of options to you - you already have thought about one method - use a VPN (DTLS/IPsec based...up to you) to tunnel the RADIUS through. or, if the NAS can do it, think about RADSEC - FreeRADIUS 3 supports RADSEC and it's the way to go unless you want to forget RADIUS and use DIAMETER instead.

alan
Re: Secure tunnel to freeradius
Hi,

> Does freeradius support RFC 6614 for the same?

'tls' virtual server in HEAD version of FreeRADIUS (currently version 3 in beta)

if you NEED to stick to FreeRADIUS 2.x (as you 'need' to secure) - then RADSECProxy can be put in as a bridge between your remote and the FR instance

alan
Re: Secure tunnel to freeradius
Rather I need a secure channel between a 802.1x Network Access Device (like an access point) and freeradius.

On Mon, Aug 5, 2013 at 5:59 PM, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> We have a supplicant that is our own box doing client 802.1x authentication using freeradius. We do not establish a TLS/IPSec connection between the supplicant and freeradius. We need to establish a secure channel between the supplicant and freeradius.
>
> NAS or supplicant? a supplicant never talks to the RADIUS - it's all done via the NAS.
>
> there are plenty of options to you - you already have thought about one method - use a VPN (DTLS/IPsec based...up to you) to tunnel the RADIUS through. or, if the NAS can do it, think about RADSEC - FreeRADIUS 3 supports RADSEC and it's the way to go unless you want to forget RADIUS and use DIAMETER instead.
>
> alan
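For the NAS-to-server leg the thread settles on, this is the shape of the RadSec (RFC 6614) listener that the 'tls' virtual server in FreeRADIUS 3 provides, written out here as an added example rather than copied from the project's sites-available/tls. The certificate paths and the client address are assumptions to adjust; the port 2083 and the fixed shared secret "radsec" are what RFC 6614 specifies, since with RadSec the TLS session, not the secret, protects the exchange.

```conf
# Added example of a FreeRADIUS 3 RadSec listener; paths and the client block
# are assumptions, not values from this thread.
listen {
	ipaddr = *
	port = 2083          # RFC 6614 port
	type = auth
	proto = tcp
	clients = radsec     # only the clients listed in the section below may connect
	tls {
		private_key_file = ${certdir}/server.pem    # assumed path
		certificate_file = ${certdir}/server.pem    # assumed path
		ca_file = ${cadir}/ca.pem                   # CA that issued the NAS certificates
	}
}

clients radsec {
	client radsec_capable_nas {
		ipaddr = 192.0.2.10      # assumed NAS address (documentation range)
		proto = tls
		secret = radsec          # fixed by RFC 6614; TLS does the real work
	}
}
```

A NAS that cannot speak RadSec still needs one of the other options Alan lists (a VPN around plain UDP RADIUS, or radsecproxy next to the NAS); the listener above only helps once the TLS endpoint is the NAS itself or a proxy on the NAS side.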
Limit internet bandwidth but not local
Hi to all,

I'm using FreeRADIUS Version 2.1.10 with rp-pppoe-3.11 as NAS. I would like to configure this system to be able to limit the user internet bandwidth (this is possible by WISPr-Bandwidth-Max-Down and WISPr-Bandwidth-Max-Up attributes) but at the same time allow local user's traffic (i.e. to my smtp or ftp server) to be guaranteed at maximum speed. How can I do this?

Below is a simple schema of my configuration.

PPPoE machine:

	eth0 - Internet
	eth1 - to Servers (SMTP, radius)
	eth2 - PPPoE
	pppX - interface created on users connection

Any suggestions are appreciated.

Fabrizio Pappolla.
Re: Limit internet bandwidth but not local
On 05/08/13 16:34, Fabrizio wrote:
> Hi to all,
>
> I'm using FreeRADIUS Version 2.1.10 with rp-pppoe-3.11 as NAS. I would like to configure this system to be able to limit the user internet bandwidth (this is possible by WISPr-Bandwidth-Max-Down and WISPr-Bandwidth-Max-Up attributes) but at the same time allow local user's traffic (i.e. to my smtp or ftp server) to be guaranteed at maximum speed. How can I do this?

Read the docs for your NAS. Find out if it has this feature. If it does, send the required attributes. If it doesn't, you can't do it.
Re: Problem in freeradius 2.1.10, ldap and huntgroups
Here:

rad_recv: Access-Request packet from host 172.150.0.62 port 25196, id=194, length=63
	User-Name = testu...@.fi
	User-Password = testpass
	NAS-IP-Address = 172.150.0.62
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log] 	expand: %t -> Mon Aug 5 19:03:20 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm .fi for User-Name = testu...@.fi
[suffix] No such realm .fi
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] Entering ldap_groupcmp()
[files] 	expand: dc=demonet,dc=local -> dc=demonet,dc=local
[files] 	expand: %{Stripped-User-Name} ->
[files] 	... expanding second conditional
[files] 	expand: %{User-Name} -> testu...@.fi
[files] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testu...@.fi)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=demonet,dc=local, with filter (uid=testu...@.fi)
[ldap] ldap_release_conn: Release Id: 0
[files] 	expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=demonet,dc=local, with filter (&(cn=)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Tauno Testaaja,ou=,ou=Customers,dc=demonet,dc=local, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group
[ldap] ldap_release_conn: Release Id: 0
[ldap] Entering ldap_groupcmp()
[files] 	expand: dc=demonet,dc=local -> dc=demonet,dc=local
[files] 	expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=demonet,dc=local, with filter (&(cn=disabled)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Tauno Testaaja,ou=,ou=Customers,dc=demonet,dc=local, with filter (objectclass=*)
rlm_ldap::groupcmp: Group disabled not found or user not a member
[ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for testu...@.fi
[ldap] 	expand: %{Stripped-User-Name} ->
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> testu...@.fi
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testu...@.fi)
[ldap] 	expand: dc=demonet,dc=local -> dc=demonet,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=demonet,dc=local, with filter (uid=testu...@.fi)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == {SSHA}g5PDm9CrOOQu+XjbMGHTPnY43mifXND0
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user testu...@.fi authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns
Re: Different authentication based by SSID
Hello.

In that situation I need to have active, both sql and ldap, authorization modules in inner-tunnel. So users, who should identify by login/pass in guest SSID, can be authenticated via inner-tunnel ldap module. I don't want this.

Regards
Marcin

On 25 July 2013 21:31 Marcin <bieri...@o2.pl> wrote:
> Do I really need database? When I should use it? Can You explain a little bit more?
>
> Regards
> Marcin
>
> On 25 July 2013 14:26 Alan DeKok <al...@deployingradius.com> wrote:
>> Marcin wrote:
>>> I'm new with FreeRadius. I would like to use FreeRadius to authenticate
>>> two groups of users. One group for local staff based on eap-tls, second
>>> group to others based on OpenLdap authentication. My AP's have 2 SSID's
>>> broadcasting. One for the staff, second for others. Is there a
>>> possibility, to use one radius server to handle this scenario?
>>
>> Yes. Just update the SQL queries to include the SSID. And update the SQL database to include the SSID.
>>
>> Alan DeKok.
Re: Different authentication based by SSID
Hi,

> In that situation I need to have active, both sql and ldap, authorization modules in inner-tunnel. So users, who should identify by login/pass in guest SSID, can be authenticated via inner-tunnel ldap module. I don't want this.

use whatever you want to use. what do you use now? all you need to do is distinguish between the two types of requests. and handle them how you want.

will the guest SSID be 802.1X? if so, inner-tunnel is available by default (as that's used for EAP) - if not, then you won't configure anything in there.

each SSID will be presented to your RADIUS server with particular attributes...you will be able to use those to decide what to do eg

if ("%{whatever-attribute}" =~ /sometext/) {
	ldap
}
else {
	sql
}

that sort of thing. and to be honest. you WILL need some decent data source for advancing your RADIUS into something scalable and usable...ie SQL or LDAP - sticking with a flat users file will end up with tears in most systems.

alan
Auth by NAS-Identifier using unlang
I was thinking this should be easy, but it's been two weeks and I give up...

This is what I want to do: My NAS, (a WiFi AP), has two SSIDs: staff and guests. I want mutual exclusivity.

My /etc/raddb/users file contains something like this:

abc	Cleartext-Password:=xyz
	Local-Group=staff

I've created an attribute in my /etc/raddb/dictionary file:

ATTRIBUTE	Local-Group	3000	string

In my /etc/raddb/sites-enabled/default file, in the authorize section, I've got this:

if ( Local-Group != NAS-Identifier ) {
	update reply {
		Reply-Message := "You may not connect to %{NAS-Identifier} AP.\r\n"
	}
	reject
}

My access request looks something like this: (edited for brevity.)

	User-Name = abc
	NAS-IP-Address = 192.168.8.253
	NAS-Port = 0
	NAS-Identifier = guests
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = ...
	Called-Station-Id = ...
	Service-Type = Login-User
	Framed-MTU = 1100
	EAP-Message = ...
	State = ...
	Aruba-Essid-Name = test
	Aruba-Location-Id = wifi
	Aruba-AP-Group = Our WiFi

Running radiusd -X I get:

:
++? if (Local-Group != NAS-Identifier )
	(Attribute Local-Group was not found)
? Evaluating (Local-Group != NAS-Identifier ) -> FALSE
++? if (Local-Group != NAS-Identifier ) -> FALSE
:

And it's clear Local-Group is always empty. :-(

Some things I've tried:

- Moved code to post-auth section instead of authorize.
- Different attributes instead of private dictionary. (i.e. Group-Name)
- Running an executable, (actually works, but selinux appears to be a problem?)
- Changing the test from != to == makes things work as expected, so if the comparison will actually work, I'm good.

I'm clearly not understanding something

-Joseph
Re: Auth by NAS-Identifier using unlang
> Running radiusd -X I get:
>
> :
> ++? if (Local-Group != NAS-Identifier )
> 	(Attribute Local-Group was not found)
> ? Evaluating (Local-Group != NAS-Identifier ) -> FALSE
> ++? if (Local-Group != NAS-Identifier ) -> FALSE
> :
>
> And it's clear Local-Group is always empty. :-(

Yeah you've inserted it into the reply list, and you're looking for it in the request list

abc	Cleartext-Password:=xyz, Local-Group := 'NAS-Identifier'

if (control:Local-Group != 'NAS-Identifier')

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
Hi,

> I was thinking this should be easy, but it's been two weeks and I give up...

well, depends how you do it...if you do it easy it is easy, no?

users file

abc	Cleartext-Password := "xyz", NAS-Identifier == "staff"
	Reply-Message = "Welcome on-board staff member"

don't forget, if this is 802.1X etc then your users won't see the reply-message...so don't rely on it for telling them things!

alan
Re: Auth by NAS-Identifier using unlang
Changing the Local-Group into the request still makes control:Local-Group empty.

abc	Cleartext-Password:=xyz, Local-Group:=staff

NAS sends this:

	User-Name = abc
	:
	NAS-Identifier = resident

if ( control:Local-Group != NAS-Identifier ) {

Diagnostic says:

++? if (control:Local-Group != NAS-Identifier ) -> FALSE

(staff != resident) should be True, but control:Local-Group is empty. :-(

On Mon, Aug 5, 2013 at 4:14 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>> Running radiusd -X I get:
>>
>> :
>> ++? if (Local-Group != NAS-Identifier )
>> 	(Attribute Local-Group was not found)
>> ? Evaluating (Local-Group != NAS-Identifier ) -> FALSE
>> ++? if (Local-Group != NAS-Identifier ) -> FALSE
>> :
>>
>> And it's clear Local-Group is always empty. :-(
>
> Yeah you've inserted it into the reply list, and you're looking for it in the request list
>
> abc	Cleartext-Password:=xyz, Local-Group := 'NAS-Identifier'
>
> if (control:Local-Group != 'NAS-Identifier')
>
> -Arran
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
> Diagnostic says:
>
> ++? if (control:Local-Group != NAS-Identifier ) -> FALSE

Assuming you're not looking for a literal value 'NAS-Identifier', you want "%{NAS-Identifier}".

If this is a new deployment you should use current HEAD revision in Master. Then you can use the debug_attr expansion to look at list state.

update request {
	Tmp-String-0 := "%{debug_attr:control:}"
}

Also could you please stop posting snippets of debug output and paste the whole thing...

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
The following appears to now work, but I don't understand some things:

files
if (control:Local-Group != "%{NAS-Identifier}" ) {

Why does control:Local-Group not need to be enclosed in %{ }, but NAS-Identifier does? And why does %{ } content need to be within quotes, when the documentation doesn't say anything about them needing to be in quotes?

It's clear I must have a call to files prior to this in order to populate the control list, right?

On Mon, Aug 5, 2013 at 5:03 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>> Diagnostic says:
>>
>> ++? if (control:Local-Group != NAS-Identifier ) -> FALSE
>
> Assuming you're not looking for a literal value 'NAS-Identifier', you want "%{NAS-Identifier}".
>
> If this is a new deployment you should use current HEAD revision in Master. Then you can use the debug_attr expansion to look at list state.
>
> update request {
> 	Tmp-String-0 := "%{debug_attr:control:}"
> }
>
> Also could you please stop posting snippets of debug output and paste the whole thing...
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
On 5 Aug 2013, at 22:37, Joseph Perrin jos...@lifeonthestreet.org wrote:

> The following appears to now work, but I don't understand some things:
>
> files
> if (control:Local-Group != "%{NAS-Identifier}" ) {
>
> Why does control:Local-Group not need to be enclosed in %{ }, but NAS-Identifier does?

In 2.x.x bareword left operand is assumed to be an attribute reference. Right bareword operand is assumed to be a number literal, or a member of the set of string values associated with an integer attribute. LHS/RHS operands are not interchangeable in their roles.

> And why does %{ } content need to be within quotes

It's a string expansion, string expansions only function inside double quotes. This is similar to variable expansion in most scripting languages.

> , when the documentation doesn't say anything about them needing to be in quotes?

Man unlang

   VARIABLES
       Run-time variables are referenced using the following syntax

           %{Variable-Name}

       Note that unlike C, there is no way to declare variables, or to refer to them outside of a string context. All references to variables MUST be contained inside of a double-quoted or back-quoted string.

> It's clear I must have a call to files prior to this in order to populate the control list, right?

Yes.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
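Putting the replies in this thread and the SSID thread together, an added example (not posted by anyone here) of the 2.x users entry and unlang that the explanation above describes: the group is assigned as a check item, so it lands in the control list; the request attribute is expanded inside double quotes; and "files" runs before the comparison. The NAS-Identifier values staff/guests are the ones from the question; the SSID suffix match at the end relies on the common wireless convention that Called-Station-Id is "<AP-MAC>:<SSID>", which is an assumption about the NAS.

```unlang
# /etc/raddb/users (added example): first-line items are CHECK items and go
# into the control list; the indented line is a REPLY item.
abc	Cleartext-Password := "xyz", Local-Group := "staff"
	Reply-Message = "Welcome"

# /etc/raddb/sites-enabled/default, authorize section.  "files" must run first,
# otherwise control:Local-Group does not exist when the condition is evaluated.
files
if (control:Local-Group && (control:Local-Group != "%{NAS-Identifier}")) {
	update reply {
		Reply-Message := "You may not connect to the %{NAS-Identifier} AP."
	}
	reject
}

# Selecting a backend by SSID instead (the approach suggested for the
# guest/staff question); assumes Called-Station-Id ends in ":<SSID>".
if (Called-Station-Id =~ /:guests$/) {
	ldap
}
else {
	sql
}
```

The bare LHS is an attribute reference and the quoted RHS is an expanded string, which is exactly the asymmetry described above; with EAP the Reply-Message is still not shown to the user, as noted earlier in the thread.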
returning a HEX String as a HEX String (bit string) instead of the decimal equivalent - FreeRADIUS 2.1.10
Hello,

This is my first post here so please excuse any missed etiquette. I have read through the wikis and googled a lot and not found anything.

I have been trying to configure our switch ports (HP 2910al) with Tagged VLANs via Egress-VLANID and Egress-VLAN-Name. The Radius backend is OpenLDAP, and I have tried setting the data type in OpenLDAP to binary, UTF-8 and IA5, but no matter what I do, the value returned by RADIUS is the decimal equivalent of the HEX bit string I enter :(

For example I'm trying to store and send 0x3112 to indicate a tagged VLAN (0x31) on VLAN 12. But looking at freeradius -X output I can see it sending the decimal number, when the switch wants the bit string as it was stored, and hence throws an error!

Is this a FreeRADIUS thing or an OpenLDAP data type thing?

Any help and advice would be greatly appreciated as I'm stuck.

Thanks in advance,
Andy.
Re: returning a HEX String as a HEX String (bit string) instead of the decimal equivalent - FreeRADIUS 2.1.10
On 5 Aug 2013, at 23:39, Andy a...@brandwatch.com wrote:

> Hello,
>
> This is my first post here so please excuse any missed etiquette. I have read through the wikis and googled a lot and not found anything.

http://wiki.freeradius.org/vendor/HP#RFC-4675-(multiple-tagged/untagged-VLAN)-Assignment

*sigh*

> I have been trying to configure our switch ports (HP 2910al) with Tagged VLANs via Egress-VLANID and Egress-VLAN-Name. The Radius backend is OpenLDAP, and I have tried setting the data type in OpenLDAP to binary, UTF-8 and IA5, but no matter what I do, the value returned by RADIUS is the decimal equivalent of the HEX bit string I enter :(
>
> For example I'm trying to store and send 0x3112 to indicate a tagged VLAN (0x31) on VLAN 12. But looking at freeradius -X output I can see it sending the decimal number, when the switch wants the bit string as it was stored, and hence throws an error!

No. The HP switch does not care that FreeRADIUS displayed (but later encoded correctly) your hex string as an integer. It does care that you don't seem to understand how to convert decimal numbers to hex and are actually specifying VLAN 18 tagged, which probably doesn't exist if you're getting errors.

You want 0x310C for VLAN 12 tagged.

-Arran
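Added example (not FreeRADIUS or HP code, not posted in the thread): the RFC 4675 Egress-VLANID and Egress-VLAN-Name encodings behind the reply above. Egress-VLANID is a 32-bit integer (8-bit tag indication, 12 zero bits, 12-bit VLAN ID), so FreeRADIUS printing it in decimal changes nothing on the wire, and the thread's 0x3112 really names VLAN 0x12, i.e. 18. The VLAN numbers and name are constructed sample values.

```python
"""RFC 4675 Egress-VLANID / Egress-VLAN-Name encoding and decoding."""

TAGGED, UNTAGGED = 0x31, 0x32      # tag indication byte: ASCII "1" / "2"


def egress_vlanid(vlan: int, tagged: bool = True) -> int:
    """Build Egress-VLANID: 8-bit tag, 12 zero bits of padding, 12-bit VLAN ID."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan


def is_valid_egress_vlanid(value: int) -> bool:
    """True only for RFC-shaped values; 0x3112 fails because its tag byte is 0."""
    tag, pad, vlan = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    return tag in (TAGGED, UNTAGGED) and pad == 0 and 1 <= vlan <= 4094


def decode_egress_vlanid(value: int):
    """Return (tagged, vlan) for a valid value, as the switch will read it."""
    if not is_valid_egress_vlanid(value):
        raise ValueError(f"0x{value:08X} is not a valid Egress-VLANID")
    return (value >> 24) == TAGGED, value & 0xFFF


def describe(value: int) -> str:
    """Human-readable view showing hex and the decimal FreeRADIUS prints."""
    tagged, vlan = decode_egress_vlanid(value)
    kind = "tagged" if tagged else "untagged"
    return f"{kind} VLAN {vlan} (0x{value:08X}, decimal {value})"


def egress_vlan_name(name: str, tagged: bool = True) -> str:
    """Egress-VLAN-Name: '1' (tagged) or '2' (untagged) followed by the VLAN name."""
    if not name:
        raise ValueError("VLAN name must not be empty")
    return ("1" if tagged else "2") + name


if __name__ == "__main__":
    print(describe(egress_vlanid(12)))              # tagged VLAN 12 (0x3100000C, decimal 822083596)
    print(describe(0x31000012))                     # what "0x31" + "12" actually asks for: VLAN 18
    print(is_valid_egress_vlanid(0x3112))           # False: no tag byte in the top octet
    print(egress_vlan_name("VLAN12"))               # 1VLAN12
```

Storing the attribute in LDAP as its decimal integer, or as the 0x... form the wiki uses, yields the same four bytes on the wire; the data type only affects how the value is displayed before encoding.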
Re: Auth by NAS-Identifier using unlang
Thank you. I now understand. A stock install of freeRadius in Fedora, (i.e. via yum), does not provide a man page for unlang. Had you not helped me, I'd simply not know.

On Mon, Aug 5, 2013 at 6:00 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> On 5 Aug 2013, at 22:37, Joseph Perrin jos...@lifeonthestreet.org wrote:
>
>> The following appears to now work, but I don't understand some things:
>>
>> files
>> if (control:Local-Group != "%{NAS-Identifier}" ) {
>>
>> Why does control:Local-Group not need to be enclosed in %{ }, but NAS-Identifier does?
>
> In 2.x.x bareword left operand is assumed to be an attribute reference. Right bareword operand is assumed to be a number literal, or a member of the set of string values associated with an integer attribute. LHS/RHS operands are not interchangeable in their roles.
>
>> And why does %{ } content need to be within quotes
>
> It's a string expansion, string expansions only function inside double quotes. This is similar to variable expansion in most scripting languages.
>
>> , when the documentation doesn't say anything about them needing to be in quotes?
>
> Man unlang
>
>    VARIABLES
>        Run-time variables are referenced using the following syntax
>
>            %{Variable-Name}
>
>        Note that unlike C, there is no way to declare variables, or to refer to them outside of a string context. All references to variables MUST be contained inside of a double-quoted or back-quoted string.
>
>> It's clear I must have a call to files prior to this in order to populate the control list, right?
>
> Yes.
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
On 08/05/2013 08:49 PM, Joseph Perrin wrote:
> Thank you. I now understand. A stock install of freeRadius in Fedora, (i.e. via yum), does not provide a man page for unlang. Had you not helped me, I'd simply not know.

Nonsense, the freeradius rpm installs the unlang man page. Please provide the exact installed rpm if you think otherwise.

--
John