Re: Antwort: Re: Antwort: Re: Antwort: Re: Open Radius and Novell Certification Server
[EMAIL PROTECTED] wrote:

> but now i look at the openradius page and cannot find x.509 ca support. Is there a chance to switch fast to free radius ? ;) i hope so ...

I assume you want to authenticate through EAP-TLS. EAP methods are now widely used in wireless networks, although you can make use of them in any scenario with 802.1x compliant devices.

However, try looking at this: http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

It's a bit outdated, but can give you an idea.

Aldo

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Does RADIUS also support authorization
Barath kumar wrote:

> Is the RADIUS server meant only for authentication, or can it be used for authorization also, which allows the user access to various resources based on the user's identity?

RADIUS (as defined in RFCs, see http://www.freeradius.org/rfc/) supports Authentication, Authorization and Accounting.

For general FAQs, Q&A etc. see http://www.freeradius.org/faq/

Aldo

Re: Authentication detail logging
Simon Bryden wrote:

> Is there any easy way to log a detail log of attributes received in access_request messages, similar to acct logs?

man radiusd

    OPTIONS
      -A   Write a file detail.auth in addition to the standard detail
           file in the same directory. This file will contain all the
           authentication-request records. This can be useful for
           debugging, but not for normal operation.

Aldo

Re: radrelay question
Simon Bryden wrote:

> The problem is that I need the resulting Client-IP-Address attribute to be the address of the original client, not of my radrelay source.

I do not make use of radrelay, but AFAIK it is a minimal radius client that reads accounting data from a detail file and sends it to another radius server.

If that is so, I am afraid that the Client-IP-Address will always be the radrelay host address, since Client-IP-Address is extracted by the radius server from the incoming request (i.e. it is not a plain attribute which gets forwarded).

You should try searching for Nas-IP-Address, which does not change when requests are proxied.

Hope this helps,
Aldo

Re: Basic RADIUS network protocol question
Martin Olsson wrote:

> The length field is 16-bit, but is it big-endian or little-endian? If I receive the two bytes for the length as AB should I use the value 256*A+B or should I use the value A+B*256?

You can just convert your short int from host-byte-order to network-byte-order using the function "htons" and then store it in the length field. See man pages for details.

Aldo

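The receive side of the question above, as an added example that is not part of the original thread: RADIUS header fields are sent in network byte order, so the two Length bytes AB are read as 256*A+B, and the result is checked against the RFC 2865 bounds (20 to 4096) and the size of the datagram actually received. The names `read_be16`, `radius_parse_hdr` and `struct radius_hdr` are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RADIUS_HDR_LEN 20    /* Code(1) + Identifier(1) + Length(2) + Authenticator(16) */
#define RADIUS_MAX_LEN 4096  /* RFC 2865 upper bound on the Length field */

struct radius_hdr {          /* hypothetical helper type for this example */
    uint8_t  code, id;
    uint16_t length;         /* host byte order after parsing */
};

/* Read a 16-bit big-endian (network order) value: 256*A + B. */
static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse and validate the fixed header of a received datagram.
 * Returns 0 on success, -1 if the packet must be silently dropped. */
int radius_parse_hdr(const uint8_t *buf, size_t recv_len, struct radius_hdr *out)
{
    if (buf == NULL || out == NULL || recv_len < RADIUS_HDR_LEN)
        return -1;                        /* too short to hold a header */

    uint16_t len = read_be16(buf + 2);
    if (len < RADIUS_HDR_LEN || len > RADIUS_MAX_LEN)
        return -1;                        /* Length outside the RFC 2865 range */
    if (len > recv_len)
        return -1;                        /* claims more bytes than were received */

    out->code = buf[0];
    out->id = buf[1];
    out->length = len;                    /* bytes past len are padding: ignore them */
    return 0;
}

/* Constructed sample: Access-Request (code 1), id 0x2a, Length 0x0014 = 20. */
static const uint8_t sample_pkt[20] = { 0x01, 0x2a, 0x00, 0x14 };

int main(void)
{
    struct radius_hdr h;
    if (radius_parse_hdr(sample_pkt, sizeof sample_pkt, &h) == 0)
        printf("code=%u id=%u length=%u\n",
               (unsigned)h.code, (unsigned)h.id, (unsigned)h.length);
    return 0;
}
```

Reading the bytes explicitly avoids casting the receive buffer to a struct, so the result does not depend on host endianness or alignment.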
Re: Suspending Users
Linda Pagillo wrote:

>> If you just want "suspended", then I would add a column suspended and edit the sql query in sql.conf. If you need more complex checking that can't be done with sql queries, then you might look at the exec or perl modules to execute external scripts.

This means, for instance, adding a column "active" in the radcheck table, and modifying the authorize_check_query to

    authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' AND active = 1 ORDER BY id"

By manually changing the "active" flag you actually make it possible to skip the user's authorization (it would return a "not found", thus an access-reject).

However, this approach is easy to implement, but using an "explicit" reject would be more correct. To issue an "access-reject" you just have to modify the user's "auth-type" attribute in the radcheck table to "Reject". You then could add a reply message by adding the attribute "Reply-Message" in the user's radreply table, i.e.

    update radcheck set Value = "Reject" where username = "joe" and Attribute = "Auth-Type";
    insert into radreply values ("", "joe", "Reply-Message", "=", "You did not pay your bills!!");

More complex solutions:

1) Use an external program/script that checks for the user status and returns the appropriate replies to freeradius (module rlm_exec, see radiusd.conf for details, it is pretty much explained there). This approach lets you define an external program which reads the request attributes from the standard input and can add replies by writing to the standard output.

2) If you need more specific functions to be performed, you can soil your hands by writing a freeradius module, and putting in there the right decision logic. This should give you better results in terms of performance, but it is not an easy task, as it requires you to know the freeradius' internals (and several hours to discover why it segfaults randomly).

> Ok, here is exactly what I need -- The only reason I would want to prevent a user from logging on would be because they did not pay their bill. All I want to do is make it so that they can't log on to the internet. The above post states that I need to "add a column called "suspended" and edit the sql query in sql.conf." Here are my 2 questions: in which mysql table do I need to add the column? And what do I need to edit in the sql.conf file? Thank you.
>
> Linda Pagillo
> Director of Technical Services
> N2 The Net