Re: Case statement error

2013-10-14 Thread A . L . M . Buxey
Hi,

> Ah... a fix wasn't pulled over from v3.0.x to master.  I've just done
> that now.

server now starts with such switch/case config present. cheers!

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Username format

2013-10-14 Thread Dean, Barry
I think I know the answer to this question but I wanted to check with the Gurus!

Does FreeRADIUS give a fig about what the username is? If it were all numeric, 
say 123456789 I guess it is happy with that? It's just a string to FreeRADIUS?

If there was to be an issue, it would be the back end authentication system 
Unix/LDAP/AD etc and what it finds acceptable right?

Thanks as always...


Barry Dean
Principal Programmer/Analyst
Networks Team
Computing Service Department


RE: Case statement error

2013-10-14 Thread Franks Andy (RLZ) IT Systems Engineer
Thanks both, that's great news.
I really need to teach myself some C..
Cheers
Andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: 14 October 2013 07:27
To: FreeRadius users mailing list
Subject: Re: Case statement error

> Hi,
>
> > Ah... a fix wasn't pulled over from v3.0.x to master.  I've just
> > done that now.
>
> server now starts with such switch/case config present. cheers!
>
> alan


Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote:
> As you can see, the device wasn't listed in the file, the authentication
> went fine, saying that the tunnel that I should get has ID 40, but that
> wasn't overwritten by the authorized_macs check...

Add

DEFAULT Auth-Type := Reject

to the bottom of your authorized_macs file.

You might as well move the mac address check up above eap in
the authorize section. There's no point going through all the eap
processing if you're just going to reject afterwards based on
something that could easily have been done first.

Cheers

Matthew



-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
On Mon, Oct 14, 2013 at 10:40:19AM +0100, Matthew Newton wrote:
> On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote:
> > As you can see, the device wasn't listed in the file, the authentication
> > went fine, saying that the tunnel that I should get has ID 40, but that
> > wasn't overwritten by the authorized_macs check...
>
> DEFAULT Auth-Type := Reject

I misread (and replied before I'd seen the other thread from your
duplicate message...) - to set the vlan for any users that *don't*
match other entries, then add this at the bottom:

DEFAULT
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := 999

To Reject, you can do it in authorize. To set the VLAN, as Alan
said, post-auth is the better place.

Use := to force the values to be set. = will not change the
values if already set by the inner tunnel, etc.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
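Both replies above (the `DEFAULT Auth-Type := Reject` tail for rejecting unknown MACs, and the `DEFAULT` VLAN tail that must use `:=` rather than `=`) hinge on how the users-file operators behave. The following is an added example, not code from the thread or from FreeRADIUS itself: a small Python model of an `authorized_macs` file with constructed content, using the documented operator semantics (`:=` replaces any existing instance, `=` only adds when the attribute is absent, `+=` always appends) and first-match-wins entry selection. The file content, the MAC address, the VLAN numbers and the `vlan_for` / `auth_type_for` helpers are all assumptions made for the example.

```python
"""Toy model of the FreeRADIUS users-file operators (':=', '=', '+=').

Added example, not the server's rlm_files.  Entries are matched top-down on
the first token (here the MAC used as User-Name, or DEFAULT); the first match
wins unless it sets Fall-Through = Yes.  Check items on the key line go to the
control list, indented items to the reply list.
"""
import re

# Constructed content for an authorized_macs file: one known MAC on VLAN 40.
KNOWN_MACS = """\
00-11-22-33-44-55
\tTunnel-Type:0 := VLAN,
\tTunnel-Medium-Type:0 := IEEE-802,
\tTunnel-Private-Group-Id:0 := 40
"""
# Two possible tails: reject everything else, or park it on a guest VLAN.
REJECT_UNKNOWN = "DEFAULT Auth-Type := Reject\n"

def default_vlan(op=":="):
    """DEFAULT entry that puts unknown MACs on VLAN 999, using operator `op`."""
    return ("DEFAULT\n"
            "\tTunnel-Type:0 %s VLAN,\n"
            "\tTunnel-Medium-Type:0 %s IEEE-802,\n"
            "\tTunnel-Private-Group-Id:0 %s 999\n" % (op, op, op))

# attribute (with optional :tag), operator, value (optionally quoted)
ITEM_RE = re.compile(r'\s*([A-Za-z][\w-]*(?::\d+)?)\s*(:=|\+=|=)\s*"?([^",]*?)"?\s*$')

def _parse_items(text):
    """'A := x, B = y' -> [('A', ':=', 'x'), ('B', '=', 'y')]"""
    items = []
    for piece in text.split(','):
        if piece.strip():
            m = ITEM_RE.match(piece)
            if not m:
                raise ValueError("cannot parse item %r" % piece)
            items.append(m.groups())
    return items

def parse_users(text):
    """Return [(key, check_items, reply_items), ...] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t':                       # indented: reply items
            if not entries:
                raise ValueError("reply item before any entry")
            entries[-1][2].extend(_parse_items(line))
        else:                                      # key line: key + check items
            key, _, rest = line.partition(' ')
            entries.append((key, _parse_items(rest), []))
    return entries

def _apply(avps, attr, op, value):
    """Apply one operator to a list of (attribute, value) pairs in place."""
    if op == ':=':                                 # set: replace what is there
        avps[:] = [(a, v) for a, v in avps if a != attr]
        avps.append((attr, value))
    elif op == '=':                                # add only if absent
        if not any(a == attr for a, _ in avps):
            avps.append((attr, value))
    elif op == '+=':                               # always add another instance
        avps.append((attr, value))

def lookup(entries, user, control=None, reply=None):
    """Walk the entries for `user`; returns the (control, reply) lists."""
    control, reply = list(control or []), list(reply or [])
    for key, check, items in entries:
        if key not in (user, 'DEFAULT'):
            continue
        for attr, op, value in check:
            _apply(control, attr, op, value)
        for attr, op, value in items:
            _apply(reply, attr, op, value)
        if not any(a == 'Fall-Through' and v.lower() == 'yes' for a, _, v in check + items):
            break
    return control, reply

def vlan_for(mac, inner_reply=(), op=":="):
    """VLAN a MAC ends up on, given what the inner tunnel already put in the
    reply and which operator the DEFAULT entry uses."""
    entries = parse_users(KNOWN_MACS + default_vlan(op))
    _, reply = lookup(entries, mac, reply=inner_reply)
    return dict(reply).get('Tunnel-Private-Group-Id:0')

def auth_type_for(mac):
    """Auth-Type in the control list with the 'reject unknown' tail."""
    entries = parse_users(KNOWN_MACS + REJECT_UNKNOWN)
    control, _ = lookup(entries, mac)
    return dict(control).get('Auth-Type')
```

Running it shows the point Matthew makes: if the inner tunnel has already put `Tunnel-Private-Group-Id = 40` into the reply, a `DEFAULT` entry written with `=` leaves 40 in place, while `:=` forces 999. The real rlm_files does more than this model (check-item comparisons, regexes, Fall-Through ordering) and compares the key against User-Name exactly, so the MAC address format should be normalised before the lookup.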


Re: Username format

2013-10-14 Thread A . L . M . Buxey
Hi,

> Does FreeRADIUS give a fig about what the username is? If it were all
> numeric, say 123456789 I guess it is happy with that? It's just a string
> to FreeRADIUS?

FreeRADIUS is just a RADIUS server and hence any decisions made by it are
all down to defined policies. So if you have a policy that cares about username
format, case sensitivity etc., or have a backend that has such feelings and
emotions, then you will find out :-)

alan


Re: Case statement error

2013-10-14 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote:
> Hi again,
>   Sorry to bang on about this, but I'm struggling still.
> Brand new machine, Ubuntu 13.04 server, never had freeradius installed
> on it. Pulled from git, - (FreeRADIUS Version 3.1.0 (git #209982d),

  I didn't see the 3.1.0...  At this point, you may want to be running
from the 3.0.0 release, or the v3.0.x branch.

  There are NO new features in master (3.1.0) over 3.0.0.  Our plan
for 3.1.0 is to finish the conversion to talloc, which may introduce
instabilities.

  In contrast, 2.2.x and 3.0.x will have minimal changes.

  Alan DeKok.


Terminate dsl ppp sessions daily

2013-10-14 Thread Volker Lieder
Hi list,

we use freeradius for our dsl user authentication.

We want to disconnect some users via radius at fixed times, e.g. 04:00 am.

Which attribute and value should / can i use?

Session-Timeout doesn't do the job.

Regards,
Volker Lieder



Re: Generating timing stats for ntlm_auth

2013-10-14 Thread Jonathan Gazeley

On 10/10/13 15:03, a.l.m.bu...@lboro.ac.uk wrote:

> Samba 4 is lurvely... apparently 100% compatible with existing AD
> installations, although, as always, it's a bit finicky and info is a bit thin on
> the ground (and I've not written up a guide when I set my test environment up that
> uses an S4 server for EAP-MSCHAPv2). But at least it exists on RHEL/CentOS as a
> package.
>
> it can also BE an AD master etc.  anyway, you don't know how tempting
> it was to yum install samba4 on our production system ;-)
>
> I'd certainly like to see some samba3.x versus samba4 benchmarks in
> this sort of context


This morning I upgraded a couple of our radius servers from samba 3.6.9 
to 4.0.0-rc4. It works, but it's not yet clear how much of an 
improvement it makes. Early indication is that it helps spread the load 
more evenly between domain controllers at peak times, but it is by no 
means the magic bullet.


Cheers,
Jonathan


Re: Terminate dsl ppp sessions daily

2013-10-14 Thread Arran Cudbard-Bell

On 14 Oct 2013, at 15:52, Volker Lieder v.lie...@uvensys.de wrote:

> Hi list,
>
> we use freeradius for our dsl user authentication.
>
> We want to disconnect some users via radius at fixed times, e.g. 04:00 am.
>
> Which attribute and value should / can i use?
>
> Session-Timeout doesn't do the job.

Calculate the time difference between now and 04:00am and insert it into
Session-Timeout?

If your NAS doesn't implement Session-Timeout then you can use CoA/DM or SNMP.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

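As an added illustration of Arran's suggestion (not code from the thread, from rlm_expr or from the expiration module), the Python below computes the Session-Timeout value for a cut-off at the next 04:00 local time. `seconds_until`, `session_timeout_reply`, the sample timestamps and the `Europe/Berlin` zone are assumptions made for the example; the NAS, as Arran notes, still has to honour Session-Timeout for the value to have any effect.

```python
"""Seconds until the next fixed wall-clock time, for use as Session-Timeout.

Added example for the thread, not from FreeRADIUS.  Session-Timeout is a
number of seconds, so a policy that wants a session gone by 04:00 has to
compute "seconds from now to the next 04:00" at login time and put that in
the reply.
"""
from datetime import datetime, time, timedelta, timezone


def _utc(dt):
    return dt.astimezone(timezone.utc)


def seconds_until(now, cutoff, tz, minimum=1):
    """Whole seconds from `now` (a timezone-aware datetime) to the next
    occurrence of `cutoff` (a datetime.time) on the wall clock of zone `tz`.

    Today's cutoff is used if it is still ahead, otherwise tomorrow's.  The
    comparison and the subtraction are done in UTC on purpose: two aware
    datetimes that share a tzinfo subtract as naive values in Python, which
    would be an hour out on the night DST ends.  `minimum` keeps the value
    from being 0, which a NAS may interpret as "no limit".
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    local = now.astimezone(tz)
    target = datetime.combine(local.date(), cutoff, tzinfo=tz)
    if _utc(target) <= _utc(now):
        target = datetime.combine(local.date() + timedelta(days=1), cutoff, tzinfo=tz)
    remaining = (_utc(target) - _utc(now)).total_seconds()
    return max(int(remaining), minimum)


def session_timeout_reply(now, tz, cutoff=time(4, 0)):
    """Reply items a policy would add for a login at `now`."""
    return {"Session-Timeout": seconds_until(now, cutoff, tz)}


if __name__ == "__main__":
    # Constructed sample: a login at 22:00 UTC is cut off six hours later.
    login = datetime(2013, 10, 14, 22, 0, tzinfo=timezone.utc)
    print(session_timeout_reply(login, timezone.utc))   # {'Session-Timeout': 21600}
```

If the NAS ignores Session-Timeout, computing the number better does not help: the server side then has to initiate the disconnect at 04:00 itself (a Disconnect-Request or CoA, as Arran says), and nothing in this function replaces that.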


3.0.0 return code priority / change?

2013-10-14 Thread Phil Mayers

All,

Seems that the return code priority is behaving different in 3.0 - 
specifically the following config:


authorize {
  updated
  files
  if (noop) {
...
  }
}

...gives:

(0)   authorize {
(0)   [updated] = updated
(0)   [files] = noop
(0)   ? if (noop)
(0)   ? if (noop)  - FALSE

i.e. the noop from the files module is ignored. This is a change from 
2.x where the most recent module return code can be checked.


Have I missed the change, or is this not intentional?
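The following is an added toy model of the behaviour Phil describes, not the server's modcall.c: each module's return code is folded into the section's running result by priority, and `if (rcode)` is tested either against that merged result (which reproduces the 3.0 trace above) or against the most recent module's code (the 2.x behaviour Phil refers to). The authorize priorities used here (notfound < noop < ok < updated, with reject/fail/handled/invalid/userlock ending the section), the starting state, the module names and the `Section` / `run` helpers are assumptions made for the example.

```python
"""Toy model of how a FreeRADIUS 3.0 section folds module return codes.

Added illustration, not the server's modcall.c.  Each module call yields a
return code; the section keeps a running result and replaces it only when
the new code has a higher priority (the authorize priorities below are
assumed for this example; the real server lets them be set per module).
Codes in RETURN_IMMEDIATELY end the section on the spot.
"""

AUTHORIZE_PRIORITY = {"notfound": 1, "noop": 2, "ok": 3, "updated": 4}
RETURN_IMMEDIATELY = {"reject", "fail", "handled", "invalid", "userlock"}


class Section:
    def __init__(self, name, priorities=AUTHORIZE_PRIORITY, check="merged"):
        self.name = name
        self.priorities = priorities
        # "merged": `if` tests the running result (the 3.0 trace)
        # "last":   `if` tests the most recent module's code (2.x)
        self.check = check
        self.result, self.priority = "noop", 0    # assumed starting state
        self.last = None
        self.finished = False
        self.log = ["%s {" % name]

    def call(self, module, rcode):
        """Run one module and fold its return code into the section."""
        if self.finished:
            return
        self.log.append("  [%s] = %s" % (module, rcode))
        self.last = rcode
        if rcode in RETURN_IMMEDIATELY:
            self.result, self.finished = rcode, True
            return
        prio = self.priorities[rcode]
        if prio > self.priority:
            self.result, self.priority = rcode, prio

    def test(self, rcode):
        """Evaluate `if (<rcode>)` as the next statement in the section."""
        seen = self.result if self.check == "merged" else self.last
        outcome = seen == rcode
        self.log.append("  ? if (%s) -> %s" % (rcode, "TRUE" if outcome else "FALSE"))
        return outcome


def run(calls, condition, check="merged"):
    """Run calls = [(module, rcode), ...] then evaluate if (condition).

    Returns (outcome, section result, trace lines)."""
    section = Section("authorize", check=check)
    for module, rcode in calls:
        section.call(module, rcode)
    outcome = section.test(condition)
    section.log.append("}")
    return outcome, section.result, section.log


if __name__ == "__main__":
    # The sequence from the trace quoted above: updated, then files -> noop.
    for flavour in ("merged", "last"):
        outcome, result, trace = run([("updated", "updated"), ("files", "noop")],
                                     "noop", check=flavour)
        print("\n".join(trace))
        print("check=%s: section result is %s\n" % (flavour, result))
```

With `[updated] = updated` followed by `[files] = noop`, the merged result is still `updated` because `noop` has the lower priority, so `if (noop)` is FALSE; testing the last module's code instead gives TRUE. Which of the two `if` ought to see is exactly the question Phil raises.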


Re: Generating timing stats for ntlm_auth

2013-10-14 Thread Phil Mayers

On 14/10/13 16:01, Jonathan Gazeley wrote:

> On 10/10/13 15:03, a.l.m.bu...@lboro.ac.uk wrote:
>
> > Samba 4 is lurvely... apparently 100% compatible with existing AD
> > installations, although, as always, it's a bit finicky and info is a
> > bit thin on the ground (and I've not written up a guide when I set my
> > test environment up that uses an S4 server for EAP-MSCHAPv2). But at
> > least it exists on RHEL/CentOS as a package.
> >
> > it can also BE an AD master etc.  anyway, you don't know how tempting
> > it was to yum install samba4 on our production system ;-)
> >
> > I'd certainly like to see some samba3.x versus samba4 benchmarks in
> > this sort of context
>
> This morning I upgraded a couple of our radius servers from samba 3.6.9
> to 4.0.0-rc4. It works, but it's not yet clear how much of an
> improvement it makes. Early indication is that it helps spread the load
> more evenly between domain controllers at peak times, but it is by no
> means the magic bullet.


I am wondering if using ntlm_auth in pipe mode, in the same way Squid 
does, would improve this, as it would avoid fork/exec. I might try and 
knock up a PoC patch.



Re: Terminate dsl ppp sessions daily

2013-10-14 Thread Volker Lieder
Hi,
we tried to calculate it via expr. 

How would you calculate it?

Regards,
Volker

On 14.10.2013 at 17:03, Arran Cudbard-Bell wrote:

> On 14 Oct 2013, at 15:52, Volker Lieder v.lie...@uvensys.de wrote:
>
> > Hi list,
> >
> > we use freeradius for our dsl user authentication.
> >
> > We want to disconnect some users via radius at fixed times, e.g. 04:00 am.
> >
> > Which attribute and value should / can i use?
> >
> > Session-Timeout doesn't do the job.
>
> Calculate the time difference between now and 04:00am and insert it into
> Session-Timeout?
>
> If your NAS doesn't implement Session-Timeout then you can use CoA/DM or SNMP.
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team


Re: Terminate dsl ppp sessions daily

2013-10-14 Thread Arran Cudbard-Bell

On 14 Oct 2013, at 16:27, Volker Lieder v.lie...@uvensys.de wrote:

> Hi,
> we tried to calculate it via expr.
>
> How would you calculate it?

Pretty sure the expiration module does exactly this.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: 3.0.0 return code priority / change?

2013-10-14 Thread Phil Mayers

On 14/10/13 16:18, Phil Mayers wrote:

> i.e. the noop from the files module is ignored. This is a change from
> 2.x where the most recent module return code can be checked.
>
> Have I missed the change, or is this not intentional?



Looks like this happened in the modcall.c rewrite (d0aa96709cea) and has 
been ported to 2.x as well, so it'll change there too?


https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/modcall.c#L959


Re: 3.0.0 return code priority / change?

2013-10-14 Thread Phil Mayers

On 14/10/13 17:15, Phil Mayers wrote:

> On 14/10/13 16:18, Phil Mayers wrote:
>
> > i.e. the noop from the files module is ignored. This is a change from
> > 2.x where the most recent module return code can be checked.
> >
> > Have I missed the change, or is this not intentional?
>
> Looks like this happened in the modcall.c rewrite (d0aa96709cea) and has
> been ported to 2.x as well, so it'll change there too?


Fix seems easy; assuming the old behaviour is what's wanted:

https://github.com/philmayers/freeradius-server/commit/51c43419


configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread Angelica Delgado
We have our freeradius setup to authenticate with Active Directory for
EAP.  Currently, it uses the samaccountname but we want to use UPN instead.
We get NT_STATUS_NO_SUCH_USER when testing with ntlm through command line.

ntlm_auth --request-nt-key --domain=test.local --username=tu...@pub.com



Can you please let us know what needs to be configured to support the UPN?



Thanks.

Re: configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread Alan DeKok
Angelica Delgado wrote:
> We have our freeradius setup to authenticate with Active Directory for
> EAP.  Currently, it uses the samaccountname but we want to use UPN
> instead. We get NT_STATUS_NO_SUCH_USER when testing with ntlm through
> command line.
>
> ntlm_auth --request-nt-key --domain=test.local --username=tu...@pub.com
>
> Can you please let us know what needs to be configured to support the UPN?

  ntlm_auth is from Samba.  It's not part of FreeRADIUS.  Ask the Samba
people how it works.

  Alan DeKok.


RE: configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread stefan.paetow
You might want to do an LDAP lookup first on your UPN to find the 
samAccountName, then use that with ntlm_auth.

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Angelica Delgado
Sent: 14 October 2013 21:51
To: FreeRadius users mailing list
Subject: configure freeradius to use UPN instead of samaccountname

> We have our freeradius setup to authenticate with Active Directory for EAP.
> Currently, it uses the samaccountname but we want to use UPN instead. We get
> NT_STATUS_NO_SUCH_USER when testing with ntlm through command line.
>
> ntlm_auth --request-nt-key --domain=test.local --username=tu...@pub.com
>
> Can you please let us know what needs to be configured to support the UPN?
>
> Thanks.
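Stefan's suggestion above (look the UPN up in the directory first and hand the resulting sAMAccountName to ntlm_auth), as an added Python example that is not code from the thread, from FreeRADIUS or from Samba. The directory is a constructed in-memory stand-in for AD with a minimal LDAP filter evaluator; the entries, the domain name and the helper names (`ldap_escape`, `upn_filter`, `upn_to_sam`, `ntlm_auth_argv`, `resolve`) are assumptions made for the example. The caveat it adds is the one a practitioner would want: the UPN comes from the RADIUS User-Name, so it is escaped per RFC 4515 before it goes into the filter, and an unknown or ambiguous UPN fails closed instead of falling back to the caller-supplied name.

```python
"""Map a userPrincipalName to the sAMAccountName that ntlm_auth expects.

Added example, not from the thread and not FreeRADIUS or Samba code.  The
directory below is a constructed in-memory stand-in for AD, with a small
evaluator for the one filter shape used, so the same filter text could be
sent to a real server with python-ldap or ldap3.
"""
import re

# Constructed directory entries (names are made up for this example).
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Staff,DC=example,DC=local",
     "userPrincipalName": "jane.doe@example.com",
     "sAMAccountName": "jdoe"},
    {"dn": "CN=Ops Admin,OU=Admins,DC=example,DC=local",
     "userPrincipalName": "opsadmin@corp.example",
     "sAMAccountName": "opsadmin"},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515 s.3);
    the backslash goes first so the other escapes are not doubled."""
    out = value.replace("\\", _ESCAPES["\\"])
    for ch in ("*", "(", ")", "\0"):
        out = out.replace(ch, _ESCAPES[ch])
    return out


def upn_filter(upn):
    """Filter text as it would be sent to AD, with the UPN escaped."""
    return "(&(objectClass=user)(userPrincipalName=%s))" % ldap_escape(upn)


def _unescape(segment):
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), segment)


def _assertion_matches(assertion, value):
    """Evaluate one equality/substring assertion the way a server does: an
    unescaped '*' is a wildcard, '\\XX' decodes to one character.  AD
    compares UPNs case-insensitively, so both sides are lower-cased."""
    parts = [_unescape(p).lower() for p in assertion.split("*")]
    value = value.lower()
    if len(parts) == 1:
        return value == parts[0]
    if not (value.startswith(parts[0]) and value.endswith(parts[-1])):
        return False
    pos, end = len(parts[0]), len(value) - len(parts[-1])
    for middle in parts[1:-1]:
        idx = value.find(middle, pos, end)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return pos <= end


def upn_to_sam(directory, upn, escape=True):
    """sAMAccountName for `upn`, or None if it matches zero or several
    entries.  `escape=False` exists only to show what an unescaped value
    does; never use it with a value that came off the wire."""
    assertion = ldap_escape(upn) if escape else upn
    hits = [e for e in directory
            if _assertion_matches(assertion, e["userPrincipalName"])]
    if len(hits) != 1:          # unknown or ambiguous: fail closed
        return None
    return hits[0]["sAMAccountName"]


def ntlm_auth_argv(domain, sam_account_name):
    """Argument vector for Samba's ntlm_auth.  The MS-CHAPv2 challenge and
    response options that rlm_mschap also passes are left out here."""
    return ["ntlm_auth", "--request-nt-key",
            "--domain=%s" % domain, "--username=%s" % sam_account_name]


def resolve(directory, domain, upn):
    """Full path: UPN in, ntlm_auth argv out (None when the lookup fails)."""
    sam = upn_to_sam(directory, upn)
    return None if sam is None else ntlm_auth_argv(domain, sam)
```

Against a real directory the `upn_filter` text is what you would send with python-ldap or ldap3, or, inside the server, what an ldap lookup in the authorize section would do before the `ntlm_auth` line in the mschap module runs with the looked-up name as `--username=` rather than the name from the request. The unescaped run with `*@example.com` shows why the escaping matters: without it a wildcard typed into the username field selects someone else's account.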