Re: Freeradius2 and sqlite

2013-08-31 Thread Arran Cudbard-Bell

On 31 Aug 2013, at 16:10, "Nong NgocDung"  wrote:

> Hi Arran,
> 
> In sql.conf as follow:
> 
> 
> sql {
>     #
>     #  Set the database to one of:
>     #
>     #   mysql, mssql, oracle, postgresql
>     #
>     database = "mysql"
> 
>     #
>     #  Which FreeRADIUS driver to use.
>     #
>     driver = "rlm_sql_${database}"
> 
>     # Connection info:
>     server = "localhost"
>     ...
> }
> 
> 
> 
> Where should I declare the connection to sqlite file?

With the 'filename' config item; you also need to set database to 'sqlite'.

sql {
    database = 'sqlite'

    filename = ''
}

It's done properly in 3.0. It's sort of hacked into 2.x.x.

Arran Cudbard-Bell 
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius2 and sqlite

2013-08-31 Thread Nong NgocDung
Hi Arran,

In sql.conf as follow:


sql {
    #
    #  Set the database to one of:
    #
    #   mysql, mssql, oracle, postgresql
    #
    database = "mysql"

    #
    #  Which FreeRADIUS driver to use.
    #
    driver = "rlm_sql_${database}"

    # Connection info:
    server = "localhost"
    ...
}



Where should I declare the connection to sqlite file?




-Original Message-
From: freeradius-users-bounces+nongdung=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+nongdung=gmail@lists.freeradius.org] On
Behalf Of Arran Cudbard-Bell
Sent: Friday, August 30, 2013 10:01 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius2 and sqlite


On 30 Aug 2013, at 15:48, NgocDung Nong  wrote:

> Hi Arran,
> 
> I know and I can make FR work with mysql, but I don't have any sql.conf
example that works with sqlite. Could you give an example sql.conf file?

The default sql.conf file will work with sqlite.  The queries however may
not.

version 3.0.0 has queries specifically for sqlite, so  you may want to try
that.

Arran Cudbard-Bell
FreeRADIUS Development Team



Re: FreeRadius DHCP against LDAP

2013-08-31 Thread Nikolaos Milas

On 31/8/2013 5:27 PM, Alan DeKok wrote:


...



Thank you for your clear answers.

I'll look into DHCP and see how I can instruct our Cisco switches to send 
the "Framed-IP-Address" attribute.


Thanks again both for the clarifications and for providing FreeRadius to us.

Regards,
Nick


Re: FreeRadius DHCP against LDAP

2013-08-31 Thread Arran Cudbard-Bell

On 31 Aug 2013, at 13:49, Nikolaos Milas  wrote:

> On 31/8/2013 12:03 AM, Arran Cudbard-Bell wrote:
> 
>>> 1. Is DHCP functionality supported against an LDAP Server (in v2.2.0)?
>> Yes.
>> 
>>> 2. If so, is there a planned freeradius ldap schema change (in future 
>>> versions) to include DHCP-* attributes?
>> No.  But you're welcome to submit a pull request.
> 
> Thanks Arran for your answers.
> 
> Sorry, I don't know really what a "pull request" is, but googling info makes 
> me think it means I can submit a proposal for schema changes?

Yes.

> If so, I might, after I become a bit acquainted to the DHCP FreeRadius 
> component (and to DHCP in general).

OK.

> In the meantime, I've also found that I should be able to set an IP Address 
> to a host (connecting through our Cisco 2950/2960 switches) when doing 
> dot1x/MAB authentication (against FreeRadius), using the "Framed-IP-Address" 
> attribute in the reply (and I've also set "radius-server attribute 8 
> include-in-access-req" as Cisco advises here: 
> http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrdat1.html).

No.

> I tried it but the NAS doesn't seem to try to push to the authorized host the 
> IP Address (-yet the host had already a static IP address). Should the host 
> (Win Vista in this test case) specify "Obtain an IP Address automatically"? 
> Would this functionality work without using the FreeRadius Server DHCP 
> component?

No. It's for things like PPP tunnels not for 802.1X and Mac-Auth authentication.

> Also, assuming that the authorized (using MAB) host has already a (manually 
> -or otherwise- preconfigured) static IP address, is there a way FreeRadius 
> can know which that is, so it can reject the host during reauth if that IP 
> Address is different than the one specified in the host's LDAP entry?

No.

With wired/wireless 802.1X/Mac-Auth, authentication is performed first. Before 
authentication occurs all traffic (other than EAPOL frames, and wireless 
management frames) is blocked by the NAS. Once authentication completes the 
client uses DHCP to acquire an IP address.

Some NAS may offer a feature to inspect the SRC IP address of incoming frames 
after authentication completes.  It may then include that value in Accounting 
data which is sent after authentication completes.

The RADIUS server could then in theory use a PoD (RADIUS packet of disconnect) 
or SNMP to disconnect the client from the NAS if it determined it was using the 
incorrect IP address when it received one of those accounting packets. 
FreeRADIUS itself does not offer any user-triggerable events.

For this it's sometimes better to use a quarantine VLAN and change that using 
SNMP, CoA, the Session-Timeout attribute, or PoD, once you're sure the client 
has the right IP.

There is no out-of-the-box solution for this.  But FreeRADIUS does provide all 
the functionality you need.  You just need to tie it all together.

The solution you choose depends on your clients, your NAS, and the strictness 
of your policies.

Arran Cudbard-Bell 
FreeRADIUS Development Team

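The check Arran describes above (and Alan's note in this thread that it only works when the NAS reports Framed-IP-Address in accounting), as an added Python example that is not code from the thread or from FreeRADIUS: it parses constructed records in the format rlm_detail writes accounting data, compares each host's reported Framed-IP-Address with a constructed MAC-to-IP table standing in for the host's LDAP entry, and lists the hosts that a PoD/CoA to a quarantine VLAN should act on. The MAC addresses and IPs are made up; issuing the disconnect itself is left to whatever your NAS supports.

```python
import re
import ipaddress

# Constructed sample in the format rlm_detail writes accounting records: a timestamp
# line, tab-indented "Attribute = value" lines, and a blank line between records.
SAMPLE_DETAIL = """\
Sat Aug 31 16:10:02 2013
\tAcct-Status-Type = Start
\tCalling-Station-Id = "00-11-22-33-44-55"
\tFramed-IP-Address = 10.1.1.20

Sat Aug 31 16:10:05 2013
\tAcct-Status-Type = Start
\tCalling-Station-Id = "00-11-22-33-44-66"
\tFramed-IP-Address = 10.1.1.99
"""
# Constructed stand-in for the address held in each host's LDAP entry (MAC -> IP).
EXPECTED_IP = {"00-11-22-33-44-55": "10.1.1.20", "00-11-22-33-44-66": "10.1.1.21"}
_ATTR = re.compile(r'^\t([\w-]+) = "?(.*?)"?$')

def parse_detail(text):
    """Split detail-file text into one dict of attributes per record."""
    records, current = [], {}
    for line in text.splitlines() + [""]:        # trailing "" closes the last record
        m = _ATTR.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line.strip() and current:       # blank line ends a record
            records.append(current)
            current = {}
    return records

def check_record(rec, expected=EXPECTED_IP):
    """Classify one accounting record: ok, mismatch, unknown-host or ignored."""
    if rec.get("Acct-Status-Type") not in ("Start", "Interim-Update"):
        return "ignored"                          # Stop records carry nothing to enforce on
    mac = rec.get("Calling-Station-Id")
    if mac not in expected:
        return "unknown-host"
    try:
        seen = ipaddress.ip_address(rec.get("Framed-IP-Address", ""))
    except ValueError:
        return "mismatch"                         # NAS reported no usable address
    return "ok" if seen == ipaddress.ip_address(expected[mac]) else "mismatch"

def mismatched_hosts(text, expected=EXPECTED_IP):
    """MACs whose reported IP differs from the directory: candidates for PoD/CoA."""
    return sorted({r["Calling-Station-Id"] for r in parse_detail(text)
                   if check_record(r, expected) == "mismatch"})
```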

Re: rlm_perl hashes

2013-08-31 Thread Alan DeKok
Mehdi Ravanbakhsh wrote:
> If I remove the SQL module in default (site enable) in any section, then
> are the "%RAD_CHECK" hashes still available in rlm_perl?

  Yes.  The modules are completely independent.

> In my plan I need to transfer all policy mechanism to my database
> (PostgreSQL) function but we have some limitation in xlat, so I need to
> pass all value pairs from request to SQL function and get
> all reply value pairs in function return. In this case my function
> reads all check value pairs directly from database so I think no need
> SQL module any more ...

  Uh, the SQL module *connects* to the SQL database.  Without the SQL
module, you can't access your stored procedures.

> So can I transfer all SQL module tasks to a SQL function in my database?

  Programming.  Read the Postgres documentation to see how to use its
embedded language.

  Alan DeKok.


Re: FreeRadius DHCP against LDAP

2013-08-31 Thread Alan DeKok
Nikolaos Milas wrote:
> Sorry, I don't know really what a "pull request" is, but googling info
> makes me think it means I can submit a proposal for schema changes? If
> so, I might, after I become a bit acquainted to the DHCP FreeRadius
> component (and to DHCP in general).

  A "pull request" means submitting patches via github.com.

> In the meantime, I've also found that I should be able to set an IP
> Address to a host (connecting through our Cisco 2950/2960 switches) when
> doing dot1x/MAB authentication (against FreeRadius), using the
> "Framed-IP-Address" attribute in the reply (and I've also set
> "radius-server attribute 8 include-in-access-req" as Cisco advises here:
> http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrdat1.html).

  That's only for PPP.

> I tried it but the NAS doesn't seem to try to push to the authorized
> host the IP Address (-yet the host had already a static IP address).
> Should the host (Win Vista in this test case) specify "Obtain an IP
> Address automatically"? Would this functionality work without using the
> FreeRadius Server DHCP component?

  "Obtain an IP Address automatically" means "use DHCP".

> Also, assuming that the authorized (using MAB) host has already a
> (manually -or otherwise- preconfigured) static IP address, is there a
> way FreeRadius can know which that is, so it can reject the host during
> reauth if that IP Address is different than the one specified in the
> host's LDAP entry?

  Only if the NAS does Accounting packets which contain the
Framed-IP-Address attribute.

  Alan DeKok.


Re: FreeRadius DHCP against LDAP

2013-08-31 Thread Nikolaos Milas

On 31/8/2013 12:03 AM, Arran Cudbard-Bell wrote:


>> 1. Is DHCP functionality supported against an LDAP Server (in v2.2.0)?
> 
> Yes.
> 
>> 2. If so, is there a planned freeradius ldap schema change (in future 
>> versions) to include DHCP-* attributes?
> 
> No.  But you're welcome to submit a pull request.


Thanks Arran for your answers.

Sorry, I don't know really what a "pull request" is, but googling info 
makes me think it means I can submit a proposal for schema changes? If 
so, I might, after I become a bit acquainted to the DHCP FreeRadius 
component (and to DHCP in general).


In the meantime, I've also found that I should be able to set an IP 
Address to a host (connecting through our Cisco 2950/2960 switches) when 
doing dot1x/MAB authentication (against FreeRadius), using the 
"Framed-IP-Address" attribute in the reply (and I've also set 
"radius-server attribute 8 include-in-access-req" as Cisco advises here: 
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrdat1.html). 



I tried it but the NAS doesn't seem to try to push to the authorized 
host the IP Address (-yet the host had already a static IP address). 
Should the host (Win Vista in this test case) specify "Obtain an IP 
Address automatically"? Would this functionality work without using the 
FreeRadius Server DHCP component?


Also, assuming that the authorized (using MAB) host has already a 
(manually -or otherwise- preconfigured) static IP address, is there a 
way FreeRadius can know which that is, so it can reject the host during 
reauth if that IP Address is different than the one specified in the 
host's LDAP entry?


I would appreciate some clarifications on the above.

Best Regards,
Nick