Re: PEAP failure problem

2012-09-07 Thread Ana Gallardo Gómez
Hello again!

Sorry for having reached this situation, the result of several
unfortunate events.

Thank you for your reply and your time
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PEAP failure problem

2012-09-06 Thread Ana Gallardo Gómez
   This was asked many, many, times.  And answered.


Ok, sorry to ask about that one more time.

I thought that if I could work with the Codigo-Reject attribute in Post-Auth-Type
Reject for EAP-TTLS-PAP and EAP-TTLS-MSCHAPv2, I could do the same in
PEAP.

I read
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg56919.html

Sending Reply-Message in an Access-Reject is not permitted for EAP sessions.

All, EAP-TTLS-PAP, EAP-TTLS-MsCHAPv2 and PEAP are EAP methods...


  Go read the responses to your messages.


Sorry, but what responses? What messages?

Do you think that if I had received any answer I would have asked the same
thing many times?

  If you're not going to read the list, then don't post questions here.


   And stop posting this question.


I sent this question and I didn't see it in the list and I didn't get a
response. I assumed there had been a problem and sent it again...


Sorry again and thank you for your response despite the tone you used.

change switch result

2012-08-22 Thread Ana Gallardo Gómez
Hello,


I'm using FreeRADIUS Version 2.1.10 and I would like to know if I can
change the switch result to do something like this:

/etc/freeradius/sites-enable/default

...

   switch %{Realm} {
      case 'a' {
         sql {
            fail = 5
         }
      }
      case 'b' {
         ldap {
            fail = 5
         }
      }
      case {
         update reply {
            Codigo-Reject = Error-Dominio
         }
         reject
      }
   }

   if (fail) {
      update reply {
         Codigo-Reject = Imposible-Contactar-Backend
      }
      reject
   }
   elsif (notfound) {
      update reply {
         Codigo-Reject = Usuario-Desconocido
      }
      reject
   }
...


Actually, if for example sql returns notfound, I can set Codigo-Reject =
Usuario-Desconocido, but if sql returns fail, the switch returns and I stop
processing the authorize section.

Thank you in advance

Re: update reply problem

2012-03-27 Thread Ana Gallardo Gómez
','radius')
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql) in sql_postauth: query is
INSERT INTO radpostauth   (username, mac, client,
reply, authdate,codreject,radauth)   VALUES
(   LOWER('02747632'),
LOWER('66:77:99:B1:A0:2F'),   'PA',
'Access-Reject', NOW(),   'Credenciales-Erroneas','radius')
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected
handle 1..
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected
handle 0..
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected
handle 4..
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected
handle 3..
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected
handle 2..
Tue Mar 27 09:36:22 2012 : Info: ++[sql] returns fail
Tue Mar 27 09:36:22 2012 : Info: ++? if (fail)
Tue Mar 27 09:36:22 2012 : Info: ? Evaluating (fail) - TRUE
Tue Mar 27 09:36:22 2012 : Info: ++? if (fail) - TRUE
Tue Mar 27 09:36:22 2012 : Info: ++- entering if (fail) {...}
Tue Mar 27 09:36:22 2012 : Info: +++[reply] returns fail
Tue Mar 27 09:36:22 2012 : Info: ++- if (fail) returns fail
Tue Mar 27 09:36:22 2012 : Info: Delaying reject of request 42 for 1 seconds
Tue Mar 27 09:36:22 2012 : Debug: Going to the next request
Tue Mar 27 09:36:22 2012 : Debug: Waking up in 0.9 seconds.
Tue Mar 27 09:36:23 2012 : Info: Sending delayed reject for request 42
Sending Access-Reject of id 163 to 10.253.40.43 port 1314
EAP-Message = 0x04090004
Message-Authenticator = 0x
Codigo-Reject = Credenciales-Erroneas



I don't know what the meaning of these messages is:

Tue Mar 27 09:36:22 2012 : Info: [eapeduroam] Handler failed in EAP/ttls
Tue Mar 27 09:36:22 2012 : Info: [eapeduroam] Failed in EAP select
Tue Mar 27 09:36:22 2012 : Info: ++[eapeduroam] returns invalid

And, can I do this?

# inner-tunnel

post-auth {
   sql {
      fail = 1
   }
   if (fail) {
      update reply {
         Codigo-Reject = Imposible-Contactar-Backend
         Packet-Type := Access-Reject
      }
      reply_log
      reject
   }
}

Thank you for your time and sorry for my English


:: Ana Gallardo Gómez ::


Re: update reply problem

2012-03-26 Thread Ana Gallardo Gómez
Hello again,

I can't resolve my problem and I don't know if it is a bug or a configuration
error...

   update reply {
  Codigo-Reject = Imposible-Contactar-Backend
   }



Operator = acts like :=

Ideas?

thanks very much






:: Ana Gallardo Gómez ::


update reply problem

2012-03-23 Thread Ana Gallardo Gómez
   }
   if (fail) {
      update reply {
         Codigo-Reject = Imposible-Contactar-Backend
         Packet-Type := Access-Reject
      }
      reply_log
      reject
   }

Thank you very much and sorry for my English.





:: Ana Gallardo Gómez ::


Re: radpostauth - from client ip

2012-03-23 Thread Ana Gallardo Gómez

 Which attribute should I be using to store the same 'from client' that the
 radius.log is storing?


I think that what you want is clientname %C


:: Ana Gallardo Gómez ::


Re: freeradius + ldap

2010-12-02 Thread Ana Gallardo
Josip, thanks for your response.


Add LDAP into the authenticate section, so that it simply tries to re-bind
 with the provided credentials? Like this:

Auth-Type LDAP {
ldapPerson
}


I tried this configuration too, but it doesn't work for me. FreeRADIUS doesn't
set the value of the Auth-Type attribute. I think that this is because the
userPassword attribute is only visible to each particular user when they bind.

rad_recv: Access-Request packet from host X.X.X.X port 49621, id=130,
length=58
User-Name = aigalla...@unex.es
User-Password = 
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es
[suffix] Found realm unex.es
[suffix] Adding Stripped-User-Name = aigallardo
[suffix] Adding Realm = unex.es
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} - aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es - ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to ldap.unex.es:389, authentication 0
  [ldapPerson] bind as / to ldap.unex.es:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter
(uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos - Nombre-Completo = Ana-Isabel Gallardo Gomez,Dpto.
Tecno. Computadores y Comuni.,,
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
} # server test


Thank you very much and sorry for my English.



++ Ana Gallardo Gómez ++

Re: freeradius + ldap

2010-12-02 Thread Ana Gallardo
Hello again. Ok, now I can authenticate a user using LDAP.

I'm using freeradius 2.1.10 and I want to use ldap as a backend in the
 authorize section to take the userPassword attribute (unix crypt) to
 authenticate the user.

My problem is: the ldap server doesn't have a public key that an admin user (who
 binds) can take. So I have to bind in the authorize section with the user and
 password (clear text) in the request.

Is this possible?


I have read that this is not ok

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html


 What are my possibilities?


I think that what I can do is:
- in the authorize section, bind as an anonymous user and take the public
attributes that I need to authorize the user.
- in the authenticate section, bind as the user who wants access

The configuration that works:


LDAP MODULE

ldap ldapPerson {
   server = xxx
   basedn = ou=people,dc=unex,dc=es
   filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   tls {
      start_tls = no
   }
   dictionary_mapping = ${confdir}/ldapPerson.attrmap
   edir_account_policy_check = no
   set_auth_type = yes
}

SERVER

server test {

   authorize {
      suffix
      files
      ldapPerson
      expiration
      update control {
         Auth-Type := LDAP
      }
   }

   authenticate {
      Auth-Type LDAP {
         ldapPerson
      }
   }

}

DEBUG


rad_recv: Access-Request packet from host x.x.x.x port 48259, id=145,
length=58
User-Name = aigalla...@unex.es
User-Password = 
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es
[suffix] Found realm unex.es
[suffix] Adding Stripped-User-Name = aigallardo
[suffix] Adding Realm = unex.es
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} - aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es - ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to x.x.x.x:389, authentication 0
  [ldapPerson] bind as / to x.x.x.x:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter
(uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos - Nombre-Completo = Ana-Isabel Gallardo Gomez...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
++[control] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/test
+- entering group LDAP {...}
[ldapPerson] login attempt by aigallardo with password 
[ldapPerson] user DN: uid=aigallardo,ou=People,dc=unex,dc=es
  [ldapPerson] (re)connect to x.x.x.x:389, authentication 1
  [ldapPerson] bind as uid=aigallardo,ou=People,dc=unex,dc=es/x to
x.x.x.x:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
[ldapPerson] user aigallardo authenticated succesfully
++[ldapPerson] returns ok
} # server test
Sending Access-Accept of id 145 to x.x.x.x port 48259
Nombre-Completo = Ana-Isabel Gallardo Gomez...


I don't know if this is the best way to solve my problem; if someone has
something better, I would like to know.

Thank you very much and sorry for my English.



++ Ana Gallardo Gómez ++

Re: freeradius + ldap

2010-12-02 Thread Ana Gallardo
Hello Josip and thank you again for your response.

This is an orthogonal issue; you don't have to allow anyone to read the
 value of the userPassword attribute, you just have to get the FR ldap
 module to *bind* to the LDAP server with the username and password from
 the request.


Ok, now I know.

This is log output for an anonymous bind in authorize section (bind as /
 to means bind as no user/no password). What is the output for the
 authenticated bind, that happens in the authenticate section?


There is no authenticated bind because Freeradius doesn't set Auth-Type
and...

ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user

Thanks

++ Ana Gallardo Gómez ++

freeradius + ldap

2010-12-01 Thread Ana Gallardo
Hello,

I'm using freeradius 2.1.10 and I want to use ldap as a backend in the
authorize section to take the userPassword attribute (unix crypt) to
authenticate the user.

My problem is: the ldap server doesn't have a public key that an admin user (who
binds) can take. So I have to bind in the authorize section with the user and
password (clear text) in the request.

Is this possible?

What are my possibilities?

Here is my current configuration in my test:

LDAP MODULE

ldap ldapPerson {
   server = ldap.
   basedn = ou=people,dc=unex,dc=es
   filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   tls {
      start_tls = no
   }
   dictionary_mapping = ${confdir}/ldapPerson.attrmap
   edir_account_policy_check = no
   set_auth_type = yes
}

SERVER

server test {

   authorize {
      suffix
      files
      ldapPerson
      expiration
      pap
   }

   authenticate {
      Auth-Type PAP {
         pap
      }
   }

}


DEBUG

rad_recv: Access-Request packet from host X.X.X.X port 38152, id=201,
length=58
User-Name = aigalla...@unex.es
User-Password = pass
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es
[suffix] Found realm unex.es
[suffix] Adding Stripped-User-Name = aigallardo
[suffix] Adding Realm = unex.es
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} - aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es - ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to X :389, authentication 0
  [ldapPerson] bind as / to  :389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter
(uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos - Nombre-Completo = Ana-Isabel Gallardo Gomez
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
} # server test



Thank you very much and sorry for my English.


++ Ana Gallardo Gómez ++

Re: %RAD_REPLY hash problem

2010-11-08 Thread Ana Gallardo
Hello,

I've tested adding my vendor specific attributes to the check list, and the
problem persists.

Here is the debug info:

rad_recv: Access-Request packet from host x.x.x.x port 32880, id=4,
length=75
User-Name = a...@unex.es
User-Password = 111
Calling-Station-Id = ...
...

[ldap1] performing user authorization for ana
[ldap1] expand: %{Stripped-User-Name} - ana
[ldap1] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) - (cn=ana)
...
  [ldap1] Bind was successful
...
[ldap1] looking for check items in directory...
  [ldap1] Relaciones - Relaciones += 06
  [ldap1] Relaciones - Relaciones += 01
  [ldap1] ntPassword - NT-Password == 0x44...
[ldap1] looking for reply items in directory...
  [ldap1] sn - Nombre-Completo = Ana Gllardo
...
[ldap1] user ana authorized to use remote access
...
rlm_perl: RAD_REQUEST: User-Name = a...@unex.es
rlm_perl: RAD_REQUEST: User-Password = 111
rlm_perl: RAD_REQUEST: Intentos-Reject = 0
rlm_perl: RAD_REQUEST: SQL-User-Name = ana
rlm_perl: RAD_REQUEST: Realm = unex.es
rlm_perl: RAD_REQUEST: Stripped-User-Name = ana
rlm_perl: RAD_REQUEST: Calling-Station-Id = ...
rlm_perl: RAD_CHECK: NT-Password = 0x44...
rlm_perl: RAD_CHECK: Simultaneous-Use = 1
rlm_perl: RAD_CHECK: Relaciones = ARRAY(0x1d59618)
rlm_perl: RAD_CHECK: Ldap-UserDn = ...
rlm_perl: RAD_REREPLY: Nombre-Completo = Ana Gallardo
rlm_perl: relacion: 06
rlm_perl: relacion: 01
rlm_perl: relacion: 0x44...

...

Finally, my solution was to delete the undesired member from the hash.

# cat /etc/freeradius/perl/checkRelaciones.pm
#!/usr/bin/perl
use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

use constant RLM_MODULE_REJECT => 0;   # /* immediately reject the request */
use constant RLM_MODULE_OK     => 2;   # /* the module is OK, continue */

sub authorize {
   solucion_bug();
   return check_relaciones();
}

# Move the Relaciones values that rlm_perl put in %RAD_CHECK into %RAD_REPLY,
# keeping only those that start with two digits (no minus sign), and then
# remove the check item so it is not sent back as a check attribute.
sub solucion_bug {
   my $r;
   my @array;

   if (exists $RAD_CHECK{'Relaciones'} && defined $RAD_CHECK{'Relaciones'}) {
      $r = $RAD_CHECK{'Relaciones'};
      # several values: rlm_perl passes an array reference
      if (ref($r) eq 'ARRAY') {
         foreach (@{$r}) {
            # radiusd::radlog(1, "relacion: $_");
            if ($_ =~ /^[0-9]{2}/) {
               push(@array, $_);
            }
         }
         if ($#array > 0) {
            $RAD_REPLY{'Relaciones'} = \@array;
         }
         elsif ($#array == 0) {
            $RAD_REPLY{'Relaciones'} = $array[0];
         }
      }
      # single value: rlm_perl passes a plain scalar
      unless (ref($r)) {
         # radiusd::radlog(1, "relacion: $r");
         if ($r =~ /^[0-9]{2}/) {
            $RAD_REPLY{'Relaciones'} = $r;
         }
      }
      delete($RAD_CHECK{'Relaciones'});
   }
}

sub check_relaciones {
   if (exists $RAD_REPLY{'Relaciones'} && defined $RAD_REPLY{'Relaciones'}) {
      return RLM_MODULE_OK;
   }
   else {
      $RAD_REPLY{'Codigo-Reject'} = 11;   # Sin-Relacion-UEX
      return RLM_MODULE_REJECT;
   }
}


Thank you very much.




++ Ana Gallardo Gómez ++

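The Relaciones check from the script above, as an added example that is not Ana's module: the logic is split into functions that take the hashes as arguments, so it can be run and checked with plain perl outside radiusd. It assumes rlm_perl's convention that a single-valued attribute arrives as a scalar and a multi-valued one as an array reference, and it accepts positive values from either %RAD_CHECK or %RAD_REPLY, since the page shows the LDAP attrmap putting Relaciones in both.

```perl
#!/usr/bin/perl
# Added example, not the module posted in the thread. Assumes rlm_perl's
# convention: one value arrives as a scalar, several as an array reference.
use strict;
use warnings;

use constant RLM_MODULE_REJECT => 0;   # immediately reject the request
use constant RLM_MODULE_OK     => 2;   # the module is OK, continue

# Reject code used in the thread (Sin-Relacion); constructed constant name.
use constant CODIGO_SIN_RELACION => 11;

# Flatten a scalar, an array reference, or an absent value into a plain list.
sub attr_values {
    my ($v) = @_;
    return ()    unless defined $v;
    return @{$v} if ref($v) eq 'ARRAY';
    return ($v);
}

# Keep only "positive" Relaciones: two leading digits, so no minus sign.
sub positive_relaciones {
    my ($v) = @_;
    return grep { /^[0-9]{2}/ } attr_values($v);
}

# Put a list back in the shape rlm_perl expects: absent, scalar or array-ref.
sub pack_attr {
    my @vals = @_;
    return undef    if @vals == 0;
    return $vals[0] if @vals == 1;
    return [@vals];
}

# The authorize decision. Relaciones is never left behind as a check item,
# and the reply only carries the values that passed the filter.
sub authorize_relaciones {
    my ($check, $reply) = @_;
    my @ok = (positive_relaciones($check->{'Relaciones'}),
              positive_relaciones($reply->{'Relaciones'}));
    delete $check->{'Relaciones'};
    my $packed = pack_attr(@ok);
    if (defined $packed) {
        $reply->{'Relaciones'} = $packed;
        return RLM_MODULE_OK;
    }
    delete $reply->{'Relaciones'};
    $reply->{'Codigo-Reject'} = CODIGO_SIN_RELACION;
    return RLM_MODULE_REJECT;
}

# rlm_perl entry point, using the same globals as the real module.
our (%RAD_REQUEST, %RAD_CHECK, %RAD_REPLY);
sub authorize { return authorize_relaciones(\%RAD_CHECK, \%RAD_REPLY); }

# Self-check with constructed hashes shaped like the debug output above;
# runs only when the file is executed directly.
unless (caller) {
    # two check values, only one of them positive
    my %c = ( 'Relaciones' => ['06', '-01'] );
    my %r = ( 'Nombre-Completo' => 'Ana Gallardo' );
    die "expected OK"     unless authorize_relaciones(\%c, \%r) == RLM_MODULE_OK;
    die "expected scalar" unless !ref($r{'Relaciones'}) && $r{'Relaciones'} eq '06';
    die "check item left" if exists $c{'Relaciones'};

    # single value as a scalar: the case a bare @{...} dereference dies on
    %c = ( 'Relaciones' => '03' );
    %r = ();
    die "expected OK" unless authorize_relaciones(\%c, \%r) == RLM_MODULE_OK;

    # only negative values: reject and set Codigo-Reject
    %c = ();
    %r = ( 'Relaciones' => ['-11', '-01'] );
    die "expected REJECT" unless authorize_relaciones(\%c, \%r) == RLM_MODULE_REJECT;
    die "expected code"   unless $r{'Codigo-Reject'} == CODIGO_SIN_RELACION;
    print "all checks passed\n";
}

1;
```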

Re: %RAD_REPLY hash problem

2010-10-29 Thread Ana Gallardo
Hello,

thank you very much for your response.

I’m not sure if this will fix it, but try:



 use constant RLM_MODULE_UPDATED => 8;   # /* OK (pairs modified) */



 then change “return RLM_MODULE_OK” to:



 return RLM_MODULE_UPDATED;


I tried that but the problem persists.

 If this doesn’t fix it, you can always delete the undesired member from the
 hash before you return.


Yes, I know :) but it would be better if we can solve that

Thanks again

-- 


  Ana Gallardo Gómez


Re: authorize an user using a multivalue ldap attribute

2010-10-26 Thread Ana Gallardo
Thank you very much for your responses.


Conversely, you could comment out/remove the use Data::Dumper line
 since you're not using it.  It's mainly for debugging and easily
 printing the entire contents of an object/array/hash/etc.


Ok, Kevin, I don't use Data::Dumper and I can run Freeradius with my perl
module.

My problem is with the hashes that rlm_perl provides to my script: rlm_perl
adds to the reply hash an attribute Relaciones with the value of the
attribute Nombre-Completo, and also adds Nombre-Completo!

Debug:

[ldap1] performing user authorization for ana
[ldap1] expand: %{Stripped-User-Name} - ana
[ldap1] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) - (cn=ana)
...
[ldap1] looking for check items in directory...
  [ldap1] ntPassword - NT-Password == 0x35...
[ldap1] looking for reply items in directory...
  [ldap1] Relaciones - Relaciones += 01
  [ldap1] sn - Nombre-Completo = ana
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap1] user ana authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
...
rlm_perl: Added pair User-Name = ana
rlm_perl: Added pair User-Password = 
rlm_perl: Added pair Intentos-Reject = 1
rlm_perl: Added pair SQL-User-Name = ana
rlm_perl: Added pair Stripped-User-Name = ana
rlm_perl: Added pair Calling-Station-Id = xxx
rlm_perl: Added pair Nombre-Completo = ana
rlm_perl: Added pair Relaciones = 01
rlm_perl: Added pair Relaciones = ana
rlm_perl: Added pair NT-Password = 0x35...
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Ldap-UserDn = ...

Thank you


  Ana Gallardo Gómez


%RAD_REPLY hash problem

2010-10-26 Thread Ana Gallardo
Hello,

I'm working with Freeradius 2.1.10

I want to authorize a user using a multi-valued attribute (Relaciones), so
I use perl.

The values of the attribute Relaciones are stored in ldap. Nombre-Completo is
another attribute stored in ldap.

Relaciones is an integer value. A user is authorized if they have one attribute
Relaciones with a positive value (no + sign).

Relaciones, Nombre-Completo and Codigo-Reject are vendor specific attributes
defined in /usr/share/freeradius/dictionary.rinuex

My script perl is:

# cat /etc/freeradius/perl/checkRelaciones.pm

#!/usr/bin/perl

use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
#use Data::Dumper;

use constant RLM_MODULE_REJECT => 0;   # /* immediately reject the request */
use constant RLM_MODULE_OK     => 2;   # /* the module is OK, continue */

sub authorize {
   my $refRelaciones;

   if (exists $RAD_REPLY{'Relaciones'} && defined $RAD_REPLY{'Relaciones'}) {
      # Relaciones is multi-valued here, so rlm_perl passes an array reference
      $refRelaciones = $RAD_REPLY{'Relaciones'};
      foreach (@{$refRelaciones}) {
         if ($_ =~ /^[0-9]{2}/) {
            return RLM_MODULE_OK;
         }
      }
      $RAD_REPLY{'Codigo-Reject'} = 11;   # Sin-Relacion
   }
   return RLM_MODULE_REJECT;
}

Everything works fine.

My problem is that rlm_perl duplicates an attribute in the %RAD_REPLY hash.

Debug:

rad_recv: Access-Request packet from host x.x.x.x port 56822, id=100,
length=75
User-Name = a...@unex.es
User-Password = 
Calling-Station-Id = ...
server rinuex {

...

[ldap1] looking for check items in directory...
  [ldap1] ntPassword - NT-Password == 0x3..
[ldap1] looking for reply items in directory...
  [ldap1] Relaciones - Relaciones += 03
  [ldap1] sn - Nombre-Completo = Ana Gallardo
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap1] user ana authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok

...

rlm_perl: Added pair User-Name = a...@unex.es
rlm_perl: Added pair User-Password = 
rlm_perl: Added pair Intentos-Reject = 0
rlm_perl: Added pair SQL-User-Name = ana
rlm_perl: Added pair Realm = unex.es
rlm_perl: Added pair Stripped-User-Name = ana
rlm_perl: Added pair Calling-Station-Id = ...
rlm_perl: Added pair Nombre-Completo = Ana Gallardo
rlm_perl: Added pair Relaciones = 03
rlm_perl: Added pair Relaciones = Ana Gallardo
rlm_perl: Added pair NT-Password = 0x344...
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Ldap-UserDn = ...
++[perl] returns ok

...

++[pap] returns ok

...

} # server rinuex
Sending Access-Accept of id 100 to x.x.x.x port 56822
Nombre-Completo = Ana Gallardo
Relaciones += 03
Relaciones += Ana Gallardo



Any ideas??

Sorry for my English and thank you in advance.


  Ana Gallardo Gómez


authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello,

I have a string attribute named Relaciones in my ldap.

This attribute can have more than one value. Actually I return those values
in the reply:

Sending Access-Accept of id 229 to X.X.X.X port 32796
Relaciones += -11
Relaciones += 03
Relaciones += -01

I want to authorize the access only if there is one attribute Relaciones
with a positive value. So I would like to use unlang in the authorize section to
check all the Relaciones attributes with a regex, but I don't know how I
can check all the attributes, and how I can stop processing the attributes if I
find one without a minus sign.


if (%{reply:Relaciones} =~ /^([0-9]{2})/) {

}


Thanks very much, and sorry for my English.


-- 


  Ana Gallardo Gómez


Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello again,

I have a string attribute named Relaciones in my ldap.

 This attribute can have more than one value. Actually I return those values
 in the reply:

 Sending Access-Accept of id 229 to X.X.X.X port 32796
 Relaciones += -11
 Relaciones += 03
 Relaciones += -01

 I want to authorize the access only if there is one attribute Relaciones
 with a positive value. So I would like to use unlang in the authorize section to
 check all the Relaciones attributes with a regex, but I don't know how I
 can check all the attributes, and how I can stop processing the attributes if I
 find one without a minus sign.


 if (%{reply:Relaciones} =~ /^([0-9]{2})/) {

 }



maybe I can check the value with a check item:

#cat /etc/freeradius/ldap.attrmap

checkItem   NT-Password       ntPassword
checkItem   Relaciones        Relaciones   ~= /^([0-9]{2})/

replyItem   Nombre-Completo   sn
replyItem   Relaciones        Relaciones   +=

Anyway, I tested both ideas, but they don't work:

[ldap] looking for check items in directory...
  [ldap] ntPassword - NT-Password == 0x3...
[ldap1] looking for reply items in directory...
  [ldap1] Relaciones - Relaciones += -11
  [ldap1] Relaciones - Relaciones += 03
  [ldap1] Relaciones - Relaciones += -01
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap1] user XXX authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
? if (fail)
? Evaluating (fail) - FALSE
? if (fail) - FALSE
- entering else else {...}
+? if (%{reply:Relaciones} =~ /^([0-9]{2})/)
expand: %{reply:Relaciones} - -11
? Evaluating (%{reply:Relaciones} =~ /^([0-9]{2})/) - FALSE
+? if (%{reply:Relaciones} =~ /^([0-9]{2})/) - FALSE
- else else returns ok


any ideas?

thank you very much.



  Ana Gallardo Gómez


Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello Alan, and thank you for your response.

  You can't really do that with unlang.  I suggest using the perl module.



I followed your suggestion and wrote this:

# cat /etc/freeradius/perl/checkRelaciones.pm

use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;

use constant RLM_MODULE_REJECT => 0;   # /* immediately reject the request */
use constant RLM_MODULE_OK     => 2;   # /* the module is OK, continue */

sub authorize {
   my $r = $RAD_REPLY{'Relaciones'};
   my $valor;

   # Relaciones may arrive as a single scalar or as an array reference
   foreach $valor (ref($r) eq 'ARRAY' ? @{$r} : ($r)) {
      if (defined $valor && $valor =~ /^([0-9]{2})/) {
         return RLM_MODULE_OK;
      }
   }

   return RLM_MODULE_REJECT;
}


and I use this in authorize section:

authorize{
  ...
  files
  ...
  perl
  expiration
  ...
}

but, when I try to run freeradius in debug mode:
...
  perl {
module = /etc/freeradius/perl/checkRelaciones.pm
func_authorize = authorize
func_authenticate = authenticate
func_accounting = accounting
func_preacct = preacct
func_checksimul = checksimul
func_detach = detach
func_xlat = xlat
func_pre_proxy = pre_proxy
func_post_proxy = post_proxy
func_post_auth = post_auth
func_recv_coa = recv_coa
func_send_coa = send_coa
  }

Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module
Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined
symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
 at /usr/lib/perl/5.10/Data/Dumper.pm line 36


So, I think that I need to upgrade or something like this.

Thank you again.



  Ana Gallardo Gómez


Fwd: return a special value in reply when simultaneous use

2010-07-23 Thread Ana Gallardo
Hello again,

I continue working on this, but I can't find the solution.



Can I check the result of simul_count_query?

Thank you again




  Ana Gallardo Gómez


Re: return a special value in reply when simultaneous use

2010-07-23 Thread Ana Gallardo
Hello again,

I'm working with Freeradius 2.1.8

 I'm using session (sql) to control simultaneous use.

 I would like to return a special value if a user tries to access with
 credentials in use.


I have it working by adding a new attribute to the request list with the result of
the simul_count_query, and checking this value later in the post-auth section.
session {
   if (%{Realm} == xxx.es) {
      update request {
         Num-Open-Session := "%{sql:SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL}"
      }
      sql
   }
}


post-auth {
   sql
   if (fail) {
      update reply {
         Codigo-Reject := Imposible-Contactar-Backend
      }
      reject
   }
   Post-Auth-Type REJECT {
      if (%{request:Num-Open-Session}) {
         update reply {
            Codigo-Reject = Sesion-Abierta
         }
      }
      else {
         update reply {
            Codigo-Reject = Credenciales-Erroneas
         }
      }
   }
}

I think that this is not the best way to do it, but...

Thank you very much



  Ana Gallardo Gómez


return a special value in reply when simultaneous use

2010-07-21 Thread Ana Gallardo
Hello,

I'm working with Freeradius 2.1.8

I'm using session (sql) to control simultaneous use.

I would like to return a special value if a user tries to access with
credentials in use.

Group session {...} always returns ok, so I don't know what I can do in
post-auth to distinguish between all the rejects.

I tested this configuration in my default server:

session {
   if (%{Realm} == xxx.es) {
      sql
   }
}


post-auth {
   if (fail) {
      update reply {
         Codigo-Reject := Imposible-Contactar-Backend
      }
      reject
   }
   sql
   Post-Auth-Type REJECT {
      if (simulcount) {
         update reply {
            Codigo-Reject = Sesion-Abierta
         }
      }
      update reply {
         Codigo-Reject = Credenciales-Erroneas
      }
      sql
      attr_filter.access_reject
   }
}

But it doesn't work.

Here is part of the debug info for an accept request:

[pap] User authenticated successfully
++[pap] returns ok
+- entering group session {...}
++? if (%{Realm} == xxx.es)
expand: %{Realm} - xxx.es
?? Evaluating (%{Realm} == xxx.es) - TRUE
++? if (%{Realm} == xxx.es) - TRUE
++- entering if (%{Realm} == xxx.es) {...}
. . .

rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
+++[sql] returns ok
++- if (%{Realm} == xxx.es) returns ok
+- entering group post-auth {...}


And here is part of the debug info for a reject request for simultaneous
use:

[pap] User authenticated successfully
++[pap] returns ok
+- entering group session {...}
++? if (%{Realm} == xxx.es)
expand: %{Realm} - xxx.es
?? Evaluating (%{Realm} == xxx.es) - TRUE
++? if (%{Realm} == xxx.es) - TRUE
++- entering if (%{Realm} == xxx.es) {...}
. . .

rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
+++[sql] returns ok
++- if (%{Realm} == xxx.es) returns ok
} # server rinuex
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++? if (simulcount)
? Evaluating (simulcount) - TRUE
++? if (simulcount) - TRUE


I need help. Thank you very much, and sorry for my English.


-- 


  Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: problem with radtest + dictionary + Authen::Radius (perl)

2010-06-10 Thread Ana Gallardo
   Which doesn't match the error message you showed above.  There is *no*
 ATTRIBUTE line having an option.


I'm sorry, I pasted my actual dictionary...


$ cat /usr/share/freeradius/dictionary.rinuex

# -*- text -*-
#
# dictionary.rinuex
#
#
#   May 2010
#   Marco Jaraíz mjar...@unex.es
#   Ana Gallardo aigalla...@unex.es
#

VENDOR          Rinuex          35782

BEGIN-VENDOR    Rinuex

# Code indicating the cause of the Access-Reject
ATTRIBUTE       Codigo-Reject   8       integer Rinuex

VALUE   Codigo-Reject   Credenciales-Erroneas               3
VALUE   Codigo-Reject   Cuenta-Bloqueada-Intentos-Reject    4
VALUE   Codigo-Reject   Imposible-Contactar-Backend         5
VALUE   Codigo-Reject   Error-Dominio                       6
VALUE   Codigo-Reject   Cuenta-Expirada                     7
VALUE   Codigo-Reject   Cuenta-Inactiva                     8
VALUE   Codigo-Reject   Radius-OK                           9

END-VENDOR      Rinuex



  Please be *consistent*.


OK, sorry and thanks for your time.

Ana


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Question about configurable module fail-over

2010-06-10 Thread Ana Gallardo
Hello,

I have FreeRADIUS 2.1.8.

I want to return an error code if my FreeRADIUS can't contact the
backend.

Here is my authorize section:

authorize {
 . . .
 switch %{Realm} {
  case 'temp.unex.es' {
   sql {
fail = 1
   }
   if (!fail && (%D < %{control:Expiration-Init})) {
update reply {
 Codigo-Reject := Cuenta-Inactiva
 }
 reject
   }
  }
  case 'unex.es' {
   ldap {
fail = 1
   }
  }
  case {
   update reply {
Codigo-Reject := Error-Dominio
   }
   reject
  }
 }

 if (fail) {
  update reply {
   Codigo-Reject := Imposible-Contactar-Backend
  }
  reject
 }

 expiration {
  userlock = 1
 }
 if (userlock) {
  update reply {
   Codigo-Reject := Cuenta-Expirada
  }
 }
 pap
}


My problem is when FreeRADIUS can't contact LDAP. Here is my debug output:

rad_recv: Access-Request packet from host X.X.X.X port 48454, id=116,
length=56
User-Name = usua...@unex.es
User-Password = 1631
server rinuex {
. . .
++- entering switch %{Realm} {...}
+++- entering case unex.es {...}
[ldap] performing user authorization for usuario
[ldap]  expand: %{Stripped-User-Name} -> usuario
[ldap]  expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=usuario)
[ldap]  expand: ou=saser,dc=unex,dc=es -> ou=saser,dc=unex,dc=es
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to X.X.X.X, authentication 0
  [ldap] bind as cn=...
  [ldap] waiting for bind result ...
  [ldap] LDAP login failed: check identity, password settings in ldap
section of radiusd.conf
  [ldap] (re)connection attempt failed
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
[ldap] returns fail
+++- case unex.es returns fail
++- switch %{Realm} returns fail
} # server rinuex
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[reply] returns noop
++? if (%{reply:Codigo-Reject})
expand: %{reply:Codigo-Reject} -> Credenciales-Erroneas
? Evaluating (%{reply:Codigo-Reject}) - TRUE
++? if (%{reply:Codigo-Reject}) - TRUE
++- entering if (%{reply:Codigo-Reject}) {...}
+++- if (%{reply:Codigo-Reject}) returns noop
++- group REJECT returns noop
[sql]   expand: %{Stripped-User-Name} -> usuario
[sql]   expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> usuario
[sql] sql_set_user escaped user --> 'usuario'
[sql]   expand: INSERT INTO radpostauth (username, mac, client, reply, authdate, codreject) VALUES ('%{User-Name}', LOWER('%{Calling-Station-Id}'), '%C', '%{reply:Packet-Type}', NOW(), '%{reply:Codigo-Reject}') -> INSERT INTO radpostauth (username, mac, client, reply, authdate, codreject) VALUES ('usua...@unex.es', LOWER(''), 'CAU2', 'Access-Reject', NOW(), 'Credenciales-Erroneas')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, mac, client, reply, authdate, codreject) VALUES ('usuario@unex.es', LOWER(''), 'CAU2', 'Access-Reject', NOW(), 'Credenciales-Erroneas')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.access_reject]     expand: %{User-Name} -> usua...@unex.es
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 116 to X.X.X.X port 48454
Codigo-Reject = Credenciales-Erroneas

I need help. Thank you, and sorry for my English.



-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: problem with radtest + dictionary + Authen::Radius (perl)

2010-06-10 Thread Ana Gallardo
  $ cat /usr/share/freeradius/dictionary.rinuex
 ...
  BEGIN-VENDOR    Rinuex

  Which says all of the following attributes are for this vendor


OK



  # Código para indicar la causa del Access-Reject
  ATTRIBUTE       Codigo-Reject   8       integer Rinuex

   Which *duplicates* the vendor name.  Do one of the following:

 a) delete the vendor name from the ATTRIBUTE line

 b) delete the BEGIN/END-VENDOR lines


I chose to delete the BEGIN/END-VENDOR lines for compatibility with the
Authen::Radius Perl package.

Thank you very much. Everything is OK now.

-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
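An added example, not code from the thread or from FreeRADIUS, that ties the dictionary fix above to what actually goes on the wire: it parses a dictionary in the form that finally loaded (BEGIN/END-VENDOR, no vendor column), reproduces the "unknown option" rejection radclient gave when the vendor name was duplicated inside the vendor block, encodes Codigo-Reject as an RFC 2865 Vendor-Specific attribute (type 26) under vendor 35782, and builds an Access-Reject carrying it with the Response Authenticator a NAS recomputes before trusting the reply. The vendor number, attribute and VALUE names are from the thread; the shared secret, packet ID and request authenticator are constructed test values, and the function names are my own.

```python
"""Added example: FreeRADIUS-style dictionary parsing, RFC 2865 VSA
encoding and an Access-Reject with a verifiable Response Authenticator.
Vendor 35782 / Codigo-Reject are from the list thread; secret, packet id
and request authenticator are constructed values."""
import hashlib
import hmac
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 s5.26
ACCESS_REJECT = 3

# The form that loaded in the thread: BEGIN/END-VENDOR, no vendor column.
DICTIONARY = """\
VENDOR       Rinuex  35782
BEGIN-VENDOR Rinuex
# Code indicating the cause of the Access-Reject
ATTRIBUTE    Codigo-Reject  8  integer
VALUE  Codigo-Reject  Credenciales-Erroneas        3
VALUE  Codigo-Reject  Imposible-Contactar-Backend  5
END-VENDOR   Rinuex
"""


def parse_dictionary(text):
    """Return (vendors, attrs, values): {name: id},
    {attr: (vendor_id, number, datatype)}, {attr: {value_name: int}}.
    Inside BEGIN-VENDOR a fifth ATTRIBUTE column is an option, so a vendor
    name there is rejected the way radclient's dict_init rejected it."""
    vendors, attrs, values = {}, {}, {}
    block_vendor = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comments
        if not fields:
            continue
        kw = fields[0].upper()
        if kw == "VENDOR":
            vendors[fields[1]] = int(fields[2])
        elif kw == "BEGIN-VENDOR":
            block_vendor = vendors[fields[1]]
        elif kw == "END-VENDOR":
            block_vendor = None
        elif kw == "ATTRIBUTE":
            name, number, datatype = fields[1], int(fields[2]), fields[3]
            vendor_id = block_vendor
            if len(fields) > 4:
                if block_vendor is not None or fields[4] not in vendors:
                    raise ValueError(f"line {lineno}: unknown option {fields[4]}")
                vendor_id = vendors[fields[4]]
            attrs[name] = (vendor_id, number, datatype)
        elif kw == "VALUE":
            values.setdefault(fields[1], {})[fields[2]] = int(fields[3])
    return vendors, attrs, values


def encode_vsa(attrs, values, name, value):
    """26 | len | vendor-id(4) | vendor-type(1) | vendor-len(1) | value(4).
    'value' is a VALUE name from the dictionary or a raw integer."""
    vendor_id, vtype, datatype = attrs[name]
    if datatype != "integer":
        raise NotImplementedError(datatype)
    number = values.get(name, {}).get(value, value)
    payload = struct.pack("!I", int(number))
    sub = struct.pack("!BB", vtype, 2 + len(payload)) + payload
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(attrs, values, data):
    """Inverse of encode_vsa for one integer VSA; returns (name, value)."""
    if data[0] != VENDOR_SPECIFIC or data[1] != len(data):
        raise ValueError("not a single well-formed VSA")
    vendor_id = struct.unpack("!I", data[2:6])[0]
    vtype, vlen = data[6], data[7]
    number = struct.unpack("!I", data[8:8 + vlen - 2])[0]
    for name, (vid, num, _) in attrs.items():
        if vid == vendor_id and num == vtype:
            by_number = {v: k for k, v in values.get(name, {}).items()}
            return name, by_number.get(number, number)
    return f"Vendor-{vendor_id}-Attr-{vtype}", number


def build_access_reject(ident, request_auth, secret, attributes):
    """RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth
    + Attributes + Secret); it is what stops a spoofed reply."""
    header = struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_auth, secret):
    """The check a NAS performs before trusting a reply."""
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attributes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    vendors, attrs, values = parse_dictionary(DICTIONARY)
    vsa = encode_vsa(attrs, values, "Codigo-Reject", "Imposible-Contactar-Backend")
    pkt = build_access_reject(116, bytes(16), b"testing123", vsa)  # constructed
    print(vsa.hex(), verify_response(pkt, bytes(16), b"testing123"))
    print(decode_vsa(attrs, values, pkt[20:]))
```

The vendor attribute only reaches the NAS intact because the reject's attributes are covered by the MD5 over header, request authenticator and shared secret; a reply with a tampered Codigo-Reject, or one built without the secret, fails verify_response and is dropped by a conforming NAS.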

problem with radtest + dictionary + Authen::Radius (perl)

2010-06-09 Thread Ana Gallardo
Hello,

I'm working with FreeRADIUS 2.1.8 and I have created my vendor dictionary.

I need to use Authen::Radius (Perl). This package needs the 'vendor' declaration
on every 'ATTRIBUTE' line in vendor dictionaries.

Following the RADIUS dictionary file man page

http://freeradius.org/radiusd/man/dictionary.html

*ATTRIBUTE name number type [vendor|options]*

that is possible.

But when I use radtest, I get this problem:

$ radtest u...@realm pass radius 0 claveClient
radclient: dict_init: /usr/share/freeradius/dictionary.XXX: unknown option
XXX

Thank you, and sorry for my English



 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: problem with radtest + dictionary + Authen::Radius (perl)

2010-06-09 Thread Ana Gallardo
Hello Alan,

 $ radtest u...@realm pass radius 0 claveClient
  radclient: dict_init: /usr/share/freeradius/dictionary.XXX: unknown
  option XXX

   You didn't define XXX as a vendor.


I think I did...

$ cat /usr/share/freeradius/dictionary.rinuex

# -*- text -*-
#
# dictionary.rinuex
#
#
#   May 2010
#   Marco Jaraíz mjar...@unex.es
#   Ana Gallardo aigalla...@unex.es
#

VENDOR          Rinuex          35782

BEGIN-VENDOR    Rinuex

# Code indicating the cause of the Access-Reject
ATTRIBUTE       Codigo-Reject   8       integer

VALUE   Codigo-Reject   Credenciales-Erroneas               3
VALUE   Codigo-Reject   Cuenta-Bloqueada-Intentos-Reject    4
VALUE   Codigo-Reject   Imposible-Contactar-Backend         5
VALUE   Codigo-Reject   Error-Dominio                       6
VALUE   Codigo-Reject   Cuenta-Expirada                     7
VALUE   Codigo-Reject   Cuenta-Inactiva                     8
VALUE   Codigo-Reject   Radius-OK                           9

END-VENDOR      Rinuex



  And there's no reason to keep the vendor name a secret.  The
 name/number for the vendor is available in public registries.


It's true.



  Alan DeKok.


Thanks again


-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

expiration module and reply items

2010-06-04 Thread Ana Gallardo
Hello,

I'm working with FreeRADIUS 2.1.8 and I want to return an attribute when the
expiration module returns 'userlock'.

I tried to add the item in the expiration module:

/etc/freeradius# cat modules-enabled/expiration
# -*- text -*-
#
#  $Id$

expiration {
	Reply-Message = "LA CUENTA HA EXPIRADO PARA %{%{Stripped-User-Name}:-%{User-Name}}"
	Codigo-Reject := Cuenta-Expirada
}

But it doesn't work.

I also tried using unlang in the authorize section:

authorize {

	. . .

	expiration
	if (userlock) {
		update reply {
			Codigo-Reject := Cuenta-Expirada
		}
	}
	pap
}

My debug output:

rad_recv: Access-Request packet from host  port 59252, id=177, length=71
User-Name = pru...@temp.xxx.es
User-Password = prueba
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
server XXX {

. . .
[expiration] Checking Expiration time: '1 Jun 2010'
[expiration] Account has expired
[expiration]    expand: Password Has Expired -> Password Has Expired
++[expiration] returns userlock
}
Using Post-Auth-Type Reject
+- entering group REJECT {...}

. . .

Sending Access-Reject of id 177 to 158.49.247.199 port 59252
Reply-Message = Password Has Expired\r\n


Can somebody help me? Thank you, and sorry for my English.





 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: expiration module and reply items

2010-06-04 Thread Ana Gallardo
Thanks a lot.

 Reply-Message = LA CUENTA HA EXPIRADO PARA
  %{%{Stripped-User-Name}:-%{User-Name}}
  Codigo-Reject := Cuenta-Expirada
  }
 
  But it doesn't work.

   Nothing in the documentation suggests that will work.


Sometimes I don't know where I can find what I'm looking for, so I try
different things :)


 Yes.  Once the module returns reject or userlock, the server stops
 processing the section and returns.  The solution is:

expiration {
	userlock = 1
}
if (userlock) {
	update reply {
		Codigo-Reject := Cuenta-Expirada
	}
}

  This is documented in doc/configurable_failover, and to a lesser
 extent in man unlang.


Thanks Alan, I love Freeradius and your answers :D



 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: expired user accounts between two dates

2010-06-03 Thread Ana Gallardo
Hello again,

Eventually, the solution for me is:

-- MYSQL

mysql> select * from radcheck where username = 'prueba';
+-----+----------+--------------------+----+-------------+
| id  | username | attribute          | op | value       |
+-----+----------+--------------------+----+-------------+
| 228 | prueba   | Cleartext-Password | := | prueba      |
| 227 | prueba   | Expiration         | := | 10 Jun 2010 |
| 231 | prueba   | Expiration-Init    | := | 20100604    |
+-----+----------+--------------------+----+-------------+
3 rows in set (0.00 sec)

mysql> select * from radreply where username = 'prueba';
0 rows in set (0.00 sec)

-- /etc/freeradius/sites-enable/default

authorize {
	...
	switch %{Realm} {
		case 'temp.XXX.es' {
			sql
			if (%D < %{control:Expiration-Init}) {
				reject
			}
		}


Thanks




 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: expired user accounts between two dates

2010-06-02 Thread Ana Gallardo
Hello,

I'm working on that and my solution isn't OK, so I need help.


 As you already may know the expiration module only works for expiration
 date.


Yes.



 When I had this need (a long time ago and with FR1) I just did the
 following:

 * I added a new personal/local attribute in /etc/raddb/dictionary
 ATTRIBUTE   My-Local-Date   3000    string
 * set up the hints module to add the date for incoming requests:
 DEFAULT NAS-IP-ADDRESS == 192.168.1.4
	My-Local-Date = `%D`

 * Then I use the local attribute to check the date (for instance if you use
 the rlm_sql module):
 mysql> select UserName,Attribute,op,Value from radcheck where
 UserName='myloginname';
 +-------------+--------------------+----+------------------+
 | UserName    | Attribute          | op | Value            |
 +-------------+--------------------+----+------------------+
 | myloginname | NAS-IP-Address     | =~ | 192.168.1.[4]{1} |
 | myloginname | My-Local-Date      | <= | 20090731         |
 | myloginname | My-Local-Date      | >= | 20090526         |
 | myloginname | Login-Time         | := | Wk0700-2200      |
 | myloginname | Cleartext-Password | := | THEPASS          |
 +-------------+--------------------+----+------------------+
 5 rows in set (0.00 sec)


I do something similar, but it doesn't work.

-- /etc/freeradius/sites-enable/default

authorize {
	switch %{Realm} {
		case 'temp.xxx.es' {
			update request {
				Expiration-Init := %D
			}
			sql
		}

-- MYSQL

mysql> select * from radcheck where username = 'prueba';
+-----+----------+--------------------+----+-------------+
| id  | username | attribute          | op | value       |
+-----+----------+--------------------+----+-------------+
| 228 | prueba   | Cleartext-Password | := | prueba      |
| 227 | prueba   | Expiration         | := | 10 Jun 2010 |
| 226 | prueba   | Expiration-Init    | =  | 20100604    |
+-----+----------+--------------------+----+-------------+
3 rows in set (0.00 sec)

mysql> select * from radreply where username = 'prueba';
+-----+----------+--------------+----+--------------------+
| id  | username | attribute    | op | value              |
+-----+----------+--------------+----+--------------------+
| 374 | prueba   | Contact      | =  | XXX                |
| 375 | prueba   | Mail-Contact | =  | XXX                |
| 376 | prueba   | Description  | =  | Usuario de pruebas |
+-----+----------+--------------+----+--------------------+


-- DEBUG INFO

rad_recv: Access-Request packet from host x.x.x.x port 42954, id=253,
length=71
User-Name = pru...@temp.unex.es
User-Password = prueba
NAS-IP-Address = 127.0.1.1
NAS-Port = 0

. . .

+- entering group authorize {...}
. . .

++- entering switch %{Realm} {...}
+++- entering case temp.unex.es {...}
	expand: %D -> 20100602
[request] returns noop
[sqlradiuscc]   expand: %{Stripped-User-Name} -> prueba
[sqlradiuscc]   expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> prueba
[sqlradiuscc] sql_set_user escaped user --> 'prueba'
rlm_sql (sqlradiuscc): Reserving sql socket id: 2
[sqlradiuscc]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'prueba' ORDER BY id
[sqlradiuscc] User found in radcheck table
[sqlradiuscc]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'prueba' ORDER BY id
rlm_sql (sqlradiuscc): Released sql socket id: 2
[sqlradiuscc] returns ok
+++- case temp.unex.es returns ok
++- switch %{Realm} returns ok
[expiration] Checking Expiration time: '10 Jun 2010'
++[expiration] returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password prueba
[pap] Using clear text password prueba
[pap] User authenticated successfully
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password prueba
[pap] Using clear text password prueba
[pap] User authenticated successfully

. . .

Sending Access-Accept of id 253 to x.x.x.x port 42954
Session-Timeout = 653611

I don't understand why this works :(

Thanks in advance, and sorry for my English.





 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

problem with home_server template

2010-05-20 Thread Ana Gallardo
Hello,

I'm working with FreeRADIUS 2.1.8.

I would like to use templates in my proxy.conf file to define some home
servers.

My templates.conf file is:

/etc/freeradius# cat templates.conf

templates {
	home_server tldrediris {
		type = auth+acct
		port = 1812
		secret = 
		#src_ipaddr = 127.0.0.1
		require_message_authenticator = no
		response_window = 20
		#no_response_fail = no
		zombie_period = 40
		revive_interval = 60
		status_check = status-server
		check_interval = 30
		num_answers_to_alive = 3
	}
}

Then, in radiusd.conf I include this file:

$INCLUDE templates.conf


And, if I have template = tldrediris in the proxy.conf file, when FreeRADIUS
starts it doesn't take the values defined in templates.conf:

/etc/freeradius# cat proxy.conf

home_server tld-rediris1 {
template = tldrediris
ipaddr = X.X.X.X
}

/etc/freeradius# freeradius -X
FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan  3 2010
at 14:14:04
. . .
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/templates.conf
including configuration file /etc/freeradius/proxy.conf
. . .
home_server tld-rediris1 {
ipaddr = X.X.X.X
port = 0
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
 }
/etc/freeradius/proxy.conf[26]: No port, or invalid port defined for home
server tld-rediris1.

On the other hand, if I use $template tldrediris in templates.conf,
FreeRADIUS doesn't know tldrediris:

/etc/freeradius# cat proxy.conf

home_server tld-rediris1 {
$template tldrediris
ipaddr = X.X.X.X
}

/etc/freeradius# freeradius -X
FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan  3 2010
at 14:14:04
. . .
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/templates.conf
including configuration file /etc/freeradius/proxy.conf
WARNING: No such configuration item tldrediris
/etc/freeradius/proxy.conf[27]: Reference tldrediris not found
Errors reading /etc/freeradius/radiusd.conf


I remember this:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59018.html


Sorry for my English, and thank you very much.

-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Looking for an editor for FreeRADIUS documentation

2010-05-18 Thread Ana Gallardo
I would like to do this job, but my English is poor, so I can't do it :(

2010/5/18 Alan DeKok al...@deployingradius.com

 Nyamul Hassan wrote:
  Not meaning any disrespect to the paid offer, you could also
  reconsider to put up the current documentation in a Wiki style
  webpage, and from there everyone can work on the text that they think
  needs reworking.

   We already have a Wiki.  Few people edit it.  We already have a
 publicly available doc directory.  Few people submit changes.

  Putting the existing docs into a Wiki won't magically make people
 submit changes.

  We're looking for an editor.  All we want is someone who can organize
 and format the existing documentation.  There is no need for in-depth
 knowledge of RADIUS.  There is no need to write *new* documentation.

  That is work which is normally seen as not fun.  But it's needed.
 Therefore, the offer to pay for services rendered.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Set NoCat user class in Access-Accept

2010-05-05 Thread Ana Gallardo
] returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password claveAna
[pap] Using clear text password claveAna
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> ana
[sql] sql_set_user escaped user --> 'ana'
[sql]   expand: INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ('%{User-Name}', '%{Calling-Station-Id}', '%C', '%{Nas-IP-Address}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ('ana', '', 'pcCAU1', '127.0.1.1', 'Access-Accept', NOW())
[sql]   expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ('ana', '', 'pcCAU1', '127.0.1.1', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query:  INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ('ana', '', 'pcCAU1', '127.0.1.1', 'Access-Accept', NOW())
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
Sending Access-Accept of id 250 to X port 33606
Reply-Message += Hola Anita
Session-Timeout = 18189945
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 250 with timestamp +6
Ready to process requests.


I have found the attribute Class, but I think that it is more complex than I
need.

Any suggestions?

Thank you very much, and sorry for my English.


-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: R: R: R: NAS-Identifier and radgroupcheck table

2010-04-28 Thread Ana Gallardo
   Hmm... that will cause all of the users to be rejected.  Delete it.


Yes



  I followed this howto http://wiki.freeradius.org/SQL_Huntgroup_HOWTO and,
  DEFAULT   Auth-Type := Reject

   That's not necessary.  It should be deleted from the page.


Thanks

-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: R: R: R: NAS-Identifier and radgroupcheck table

2010-04-27 Thread Ana Gallardo
Hello Alan, thank you for your response.

  Where is this coming from?


I put a default entry at the bottom of the users file.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg51143.html

My users file:

debian:/etc/freeradius# cat users

DEFAULT	Auth-Type := Reject

bob	Cleartext-Password := "hello"
	Reply-Message = "Hola %{User-Name}"




  The default configuration has *no* Auth-Type = Reject setting.  You
 have added this locally.


I followed this howto http://wiki.freeradius.org/SQL_Huntgroup_HOWTO and, at
the bottom, it says:

Note: If you want to reject authentication by default then edit the
raddb/users file and add this:

DEFAULT   Auth-Type := Reject

Then add Auth-Type Accept with := as op in radgroupcheck for each group.

Sorry to ask again about that, but I can't get the correct configuration.

Thank you.
-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

R: R: R: NAS-Identifier and radgroupcheck table

2010-04-26 Thread Ana Gallardo
  WHERE username = BINARY 'ana' ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY 'ana' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = BINARY 'ana' ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname FROM radusergroup WHERE username = BINARY 'ana' ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'CAU1' ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'CAU1' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[expiration] Checking Expiration time: '02 Dec 2010'
++[expiration] returns ok
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[sql]   expand: %{User-Name} -> ana
[sql] sql_set_user escaped user --> 'ana'
[sql]   expand: INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ('%{User-Name}', '%{Calling-Station-Id}', '%C', '%{Nas-IP-Address}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ('ana', '', 'pcCAU1', '127.0.1.1', 'Access-Reject', NOW())
[sql]   expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ('ana', '', 'pcCAU1', '127.0.1.1', 'Access-Reject', NOW())
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query:  INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ('ana', '', 'pcCAU1', '127.0.1.1', 'Access-Reject', NOW())
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
[attr_filter.access_reject]     expand: %{User-Name} -> ana
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 133 to X.X.X.X port 45281
Reply-Message += Hola Anita


Sorry for my English.
-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Rejecting auth from a specific realm

2009-11-25 Thread Ana Gallardo
Sorry,

if (Realm == 'your.realm') {
	update control {
		Auth-Type = Reject
	}
}

  

 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Rejecting auth from a specific realm

2009-11-24 Thread Ana Gallardo
Sorry if I'm mistaken, and sorry for my English. I think you can use one of the
next two options. Correct me if I'm wrong.

OPTION A

You can use unlang, doing something like this:

### /etc/freeradius/proxy.conf

realm your.realm {
#   authhost = LOCAL # not strictly necessary
#   accthost = LOCAL # not strictly necessary
#   nostrip
}

### /etc/freeradius/sites-enable/default

authorize {
	. . .
	suffix

	if (%{Realm} =~ /your\.realm$/) {
		update control {
			Auth-Type = Reject
		}
	}
}

OPTION B

Using the hints and users files:

### /etc/freeradius/hints

DEFAULT	Suffix == "your.realm"
	Hint = "MYUSERS"

### /etc/freeradius/users

DEFAULT	Hint == "MYUSERS", Auth-Type := Reject




 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with template.conf in proxy.conf

2009-11-16 Thread Ana Gallardo
Thank you very much Alan.



2009/11/14 Alan DeKok al...@deployingradius.com

 Ana Gallardo wrote:
  WARNING: No such configuration item tld-rediris
  /etc/freeradius/proxy.conf[28]: Reference tld-rediris not found
  Errors reading /etc/freeradius/radiusd.conf

   I've committed a fix to git.  It will be in 2.1.8.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with server atribute in NAS table with mysql

2009-11-10 Thread Ana Gallardo
 which means you haven't updated the SQL query to use that column.

nas_query = "SELECT id, nasname, shortname, type, secret, server FROM ${nas_table}"


That was the problem. Thank you very much Alan.

-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Problem with server atribute in NAS table with mysql

2009-11-09 Thread Ana Gallardo
Hello, I'm using FreeRADIUS 2.0.4-3 on Debian.

My clients are in a MySQL database (nas table).

+----+---------+-----------+-------+-------+----------+--------+-----------+-------------+
| id | nasname | shortname | type  | ports | secret   | server | community | description |
+----+---------+-----------+-------+-------+----------+--------+-----------+-------------+
| 1  | XXX     | NODO1     | other | NULL  | secretN1 | nodes  | nodo      | Nodo Wifi   |
| 2  | YYY     | NODO2     | other | NULL  | secretN2 | nodes  | nodo      | Nodo Wifi   |
+----+---------+-----------+-------+-------+----------+--------+-----------+-------------+


I want to process some clients through one virtual server (server nodes {}),
so I have the name of the virtual server in the server column, but this
doesn't work.

When I receive a request from those clients, the default server processes
them.

I tried changing the column name to virtual_server, with the same result.

I have to put the clients with a value in virtual_server in the clients.conf
file and the clients without a value in the nas table in MySQL.

I tried putting them in the server section:

##/etc/freeradius/sites-enabled/nodes

server nodes {
   client nodo1 {
   }
   ...
}

but this doesn't work. I have to put them outside the server section, like this:

##/etc/freeradius/sites-enabled/nodes
client nodo1 {
}

server nodes {
   ...
}

and I think that this is the same as putting them in the clients file?

Thank you very much, and sorry for my English.

-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius-Users Digest, Vol 55, Issue 32

2009-11-09 Thread Ana Gallardo
 I have a problem which I and a friend here have been trying to solve for
 some days now.


What is your problem?

 After we have run in the terminal ./configure ; make && sudo make install
 and afterwards try to run radius with radiusd -X (same as freeradius -X if
 you're using FreeRADIUS installed through Synaptic Package Manager).


And when you run it in debug mode?

You can try this howto, which works fine:
http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with template.conf in proxy.conf

2009-11-05 Thread Ana Gallardo

 Read raddb/templates.conf.  Use:


 $template name

  NOT

 template = name


In templates.conf I can read (sorry to paste the text here):

#  A section can reference a template by using $template name
. . .

#  Then, each home_server section in proxy.conf would
#  only list the IP address of that home server, and a
#  line saying
#
# template = example.com

I use the way you told me:

### /etc/freeradius/proxy.conf
home_server tld-rediris1 {
$template tld-rediris
ipaddr = YYY
}

But it doesn't work:

/etc/freeradius# freeradius -X
FreeRADIUS Version 2.0.4, for host x86_64-pc-linux-gnu, built on Oct 20 2009
at 11:45:11
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/templates.conf
including configuration file /etc/freeradius/proxy.conf
WARNING: No such configuration item tld-rediris
/etc/freeradius/proxy.conf[28]: Reference tld-rediris not found
Errors reading /etc/freeradius/radiusd.conf

Thank you very much, and sorry for my English.

-- 
Ana Gallardo
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Differencent assigments in users files

2009-11-04 Thread Ana Gallardo
http://freeradius.org/radiusd/man/users.html


2009/11/4 Nicolas Goutte nicolas.gou...@extragroup.de


 On 04.11.2009 at 11:12, verhoem wrote:



 Hello,

 I'm a newbie in FreeRADIUS but after reading O'Reilly's RADIUS book for
 dummies I still can't figure out what the difference is between :=, == and =
 in the users file.


  steve Auth-Type := Local, User-Password == "Testing" etc.


 It should read

 Cleartext-Password := "Testing"


 In FreeRADIUS passwords are assigned ( := ) not compared ( == ).


  I also see notations like Jonathan Password = Unix-PW.
 In the end my config seems to work but I'm wondering if I'm missing out on
 something important.

 An explanation or a URL would be very much appreciated!

 Greetings Marcel

 --
 View this message in context:
 http://old.nabble.com/Differencent-assigments-in-users-files-tp26193201p26193201.html
 Sent from the FreeRadius - User mailing list archive at Nabble.com.

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



 Have a nice day!

 Nicolas Goutte


 extragroup GmbH - Karlsruhe
 Waldstr. 49
 76133 Karlsruhe
 Germany

 Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
 Registergericht: Amtsgericht Münster / HRB: 5624
 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841





 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 


 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: regular expressions in proxy.conf

2009-11-03 Thread Ana Gallardo
Sorry to ask the same again, but I don't know if it's OK that FreeRADIUS adds
the attribute Realm with the regex value.

Thank you very much.

rad_recv: Access-Request packet from host 127.0.0.1 port 60112, id=208,
 length=68
 User-Name = x...@domain.es
 User-Password = YYY
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 0
 +- entering group authorize
 ++[preprocess] returns ok
 ++[mschap] returns noop
 rlm_realm: Looking up realm domain.es for User-Name = x...@domain.es
 
 rlm_realm: Found realm ~(domain)+
 rlm_realm: Adding Stripped-User-Name = XXX
 rlm_realm: Adding Realm = ~(domain)+
 rlm_realm: Authentication realm is LOCAL.
 ++[suffix] returns noop
   rlm_eap: No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++? if (%{Realm} =~ /(temp\.)?domain\.es$/)
 expand: %{Realm} - ~(domain)+
 ? Evaluating (%{Realm} =~ /(temp\.)?domain\.es$/) - FALSE
 ++? if (%{Realm} =~ /(temp\.)?domain\.es$/) - FALSE
 ++[files] returns noop
 expand: %{Realm} - ~(domain)+
 ++- entering switch %{Realm}
 +++- entering case
 [control] returns noop
 +++- case  returns noop
 ++- switch %{Realm} returns noop

 I can resolve this adding this to proxy.conf:

 ### /etc/freeradius/proxy.conf

 realm domain.es {
   authhost = LOCAL  # not strictly necessary
   accthost = LOCAL  # not strictly necessary
 }

 realm temp.domain.es {
   authhost = LOCAL  # not strictly necessary
   accthost = LOCAL  # not strictly necessary
 }

 realm ~(domain)+ {
   authhost = LOCAL  # not strictly necessary
   accthost = LOCAL  # not strictly necessary
 }


 But I don't know if that is the best way to resolve my problem, so I would
 like to reinforce my decision.

 Thanks in advance and sorry for my english.


 --
 

  Ana Gallardo Gómez
 




-- 


 Ana Gallardo Gómez


Re: problem regular expressions in hints file

2009-10-30 Thread Ana Gallardo

  Sorry, but I don't understand. I need to add an attribute to the request

   Yes.  The unlang documentation explains how to do that.


It is true, the unlang documentation explains how to do that very well :)



  Thanks for quoting the documentation.  Did you think we didn't know
 about it?


Sorry, I only wanted to  justify why I put this in hints file.

  No.  In the authorize section, before the files module.  There are
 examples of this in the configuration files.


OK, now it's fine.

#/etc/freeradius/sites-available/default

authorize {
	preprocess
	mschap
	suffix
	eap {
		ok = return
	}
	if (%{Realm} =~ /(temp\.)?domain\.es$/) {
		update control {
			Intentos-Reject = ...
		}
	}

	files
	...
}


Thank you very much, Alan


-- 


 Ana Gallardo Gómez


regular expressions in proxy.conf

2009-10-30 Thread Ana Gallardo
Hello, I'm using Debian and FreeRADIUS 2.0.4-3.

I want to use a regular expression in proxy.conf file to match any request
that contain the word domain in the realm (suffix mode).


### /etc/freeradius/proxy.conf
realm ~(domain)+ {
#	authhost = LOCAL  # not strictly necessary
#	accthost = LOCAL  # not strictly necessary
}

Then, in authorize section I have:

### /etc/freeradius/sites-available/default
authorize {
	preprocess
	mschap
	suffix
	eap {
		ok = return
	}
	if (%{Realm} =~ /(temp\.)?domain\.es$/) {
		update control {
			Intentos-Reject = ...
		}
	}
	files

	switch %{Realm} {
		case temp.domain.es {
			sql
		}
		case domain.es {
			redundant {
				ldap2
				ldap1
				ldap3
			}
		}
		case {
			update control {
				Auth-Type := Reject
			}
		}
	}

	expiration
	pap
}

And, in the users file:

### /etc/freeradius/users
DEFAULT Intentos-Reject > 10, Auth-Type := Reject
	Reply-Message = "NUMERO DE INTENTOS FALLIDOS(%{Intentos-Reject}) EXCEDIDO PARA %{%{Stripped-User-Name}:-%{User-Name}}"

My problem is: the Realm that FreeRADIUS adds to the request is the regular
expression... Here is my debug information:

rad_recv: Access-Request packet from host 127.0.0.1 port 60112, id=208,
length=68
User-Name = x...@domain.es
User-Password = YYY
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
rlm_realm: Looking up realm domain.es for User-Name = x...@domain.es
rlm_realm: Found realm ~(domain)+
rlm_realm: Adding Stripped-User-Name = XXX
rlm_realm: Adding Realm = ~(domain)+
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++? if (%{Realm} =~ /(temp\.)?domain\.es$/)
expand: %{Realm} - ~(domain)+
? Evaluating (%{Realm} =~ /(temp\.)?domain\.es$/) - FALSE
++? if (%{Realm} =~ /(temp\.)?domain\.es$/) - FALSE
++[files] returns noop
expand: %{Realm} - ~(domain)+
++- entering switch %{Realm}
+++- entering case
[control] returns noop
+++- case  returns noop
++- switch %{Realm} returns noop

I can resolve this adding this to proxy.conf:

### /etc/freeradius/proxy.conf

realm domain.es {
  authhost = LOCAL  # not strictly necessary
  accthost = LOCAL  # not strictly necessary
}

realm temp.domain.es {
  authhost = LOCAL  # not strictly necessary
  accthost = LOCAL  # not strictly necessary
}

realm ~(domain)+ {
  authhost = LOCAL  # not strictly necessary
  accthost = LOCAL  # not strictly necessary
}


But I don't know if that is the best way to resolve my problem, so I would
like to confirm my decision.

Thanks in advance and sorry for my English.


-- 


 Ana Gallardo Gómez

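What rlm_realm writes into the Realm attribute is the configured name of the realm that matched, and for a regex realm that name is the pattern itself; that is exactly what the debug output above shows. The Python below is an added example for this page, not FreeRADIUS code and not the poster's configuration: it models the suffix-format lookup (exact realm names first, then regex realms whose names start with `~`, matched unanchored as rlm_realm does with regexec, then DEFAULT) and then applies the unlang test from the post once against Realm and once against the suffix actually present in User-Name. It also shows why an unanchored `~(domain)+` claims more suffixes than intended. The realm tables and user names are constructed, and the exact-name comparison is assumed to be case-insensitive.

```python
import re


class Realm:
    """One 'realm name { ... }' block from proxy.conf (simplified)."""

    def __init__(self, name, local=True, nostrip=False):
        self.name = name        # what rlm_realm writes into Realm
        self.local = local      # authhost = LOCAL versus a home server
        self.nostrip = nostrip

    @property
    def is_regex(self):
        return self.name.startswith("~")


def find_realm(realm_str, realms):
    """Exact name first, then regex realms in file order, then DEFAULT."""
    for r in realms:
        if not r.is_regex and r.name.lower() == realm_str.lower():
            return r
    for r in realms:
        # rlm_realm hands the suffix to regexec without anchors, so the
        # pattern only has to occur somewhere inside the suffix.
        if r.is_regex and re.search(r.name[1:], realm_str):
            return r
    for r in realms:
        if r.name == "DEFAULT":
            return r
    return None


def apply_suffix_realm(user_name, realms, delimiter="@"):
    """Model of rlm_realm in suffix format: the attributes it would add."""
    if delimiter not in user_name:
        return {}
    user, realm_str = user_name.rsplit(delimiter, 1)
    realm = find_realm(realm_str, realms)
    if realm is None:
        return {}
    added = {"Realm": realm.name}
    if not realm.nostrip:
        added["Stripped-User-Name"] = user
    if not realm.local:
        added["Proxy-To-Realm"] = realm.name
    return added


LOCAL_DOMAIN = re.compile(r"(temp\.)?domain\.es$")  # the pattern from the post


def is_local_by_realm_attr(added):
    """The unlang test from the post: if (%{Realm} =~ /(temp\\.)?domain\\.es$/)."""
    return bool(LOCAL_DOMAIN.search(added.get("Realm", "")))


def is_local_by_suffix(user_name):
    """The same test applied to the suffix taken from User-Name itself."""
    _, _, suffix = user_name.rpartition("@")
    return bool(LOCAL_DOMAIN.search(suffix))


# Constructed realm tables: the regex-only one from the question and the
# three-realm one the poster ended up with.
REGEX_ONLY = [Realm("~(domain)+")]
EXPLICIT = [Realm("domain.es"), Realm("temp.domain.es"), Realm("~(domain)+")]


if __name__ == "__main__":
    for name in ("xxx@domain.es", "xxx@temp.domain.es", "xxx@other-domain.example"):
        print(name, apply_suffix_realm(name, REGEX_ONLY), apply_suffix_realm(name, EXPLICIT))
```

With only the regex realm defined, Realm is the literal string `~(domain)+` and the unlang regex on `%{Realm}` can never match; listing `domain.es` and `temp.domain.es` explicitly makes Realm carry the real name, which is why the poster's three-realm proxy.conf works. Keeping the regex realm as a catch-all still means any suffix that merely contains the word `domain` is treated as local and stripped, so a check on the User-Name suffix (or an anchored pattern such as `~(temp\.)?domain\.es$`) is the safer test.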

Re: Database Problem

2009-10-30 Thread Ana Gallardo


 I would really appriciate if you would be able to tell me how the
 simplest (user/password with nothing extra returned back) authentication
 can be done using database backend.


Insert in radcheck table:

username  - username
attribute - Cleartext-Password
op - :=
value - cleartext password




 Ana Gallardo Gómez


Re: Database Problem

2009-10-30 Thread Ana Gallardo

  Insert in radcheck table:
 
  username  - username
  attribute - Cleartext-Password
  op - :=
  value - cleartext password

 Unfortunately Cleartext-Password is not working in version 1.1.3


Try with User-Password



 Ana Gallardo Gómez


Re: Database Problem

2009-10-30 Thread Ana Gallardo

 Can you tell me if there is a tool that I can use to test mschap
 authentication rather than use local radtest; it can be a linux or windows
 app.


http://deployingradius.com/scripts/eapol_test/


 Ana Gallardo Gómez


Re: Asking to Ana Gallardo

2009-10-30 Thread Ana Gallardo
:(

I'm afraid this list is not for private communications.

I think it is more appropriate for you to ask a more specific question addressed
to the list.

Regards.

On 30 October 2009 at 13:20, C. Diego Raffaelli A.
c.diegoraffae...@gmail.com wrote:

 Dear Ana:

 A pleasure to share a mailing list with you.

 Unfortunately, I don't have the solution to your problem; I know that is
 surely what you were hoping for, sorry :(

 Rather, I have a question.

 You have installed FreeRADIUS on Debian and have also created a NAS (Network
 Authentication Server?)

 Is this so that, for example, your users authenticate against the RADIUS
 server and the NAS gives them access to certain devices?

 I ask because I need to implement something like that: I have a LAN that
 extends across the city and I need to provide usernames and passwords to
 manage not so much the time as the bandwidth provided to them, and also to
 be able to disconnect or reconnect their account. We use this to provide
 Internet access.

 I'm trying to do it on OpenBSD since I have a manual that covers almost all
 the services (DHCP, DNS... and several others...
 EXCEPT FREERADIUS!) :(

 I would like to know not how you installed it on Debian, but what you are
 using it for and whether you are using a NAS... a database.


 Thanks for your reply.


 PS: Sorry for my.. SPANISH xD
 --
 = = = = =
 Carlos Diego Raffaelli A.
 MSN: carlosdiego...@hotmail.com





-- 


 Ana Gallardo Gómez


problem regular expressions in hints file

2009-10-29 Thread Ana Gallardo
Hello, I'm using Debian and FreeRADIUS 2.0.4-3.

I want to use the hints file to add an attribute named Intentos-Reject. I
would like to use only one DEFAULT entry to match both @domain.es and
@temp.domain.es.

If I use this DEFAULT entry the request doesn't match:

#/etc/freeradius/hints

DEFAULT Suffix =~ "@(temp\.)?domain.es$", Strip-User-Name = Yes
	Intentos-Reject = ...

###DEFAULT Suffix == "@domain.es"
###	Intentos-Reject = ...

###DEFAULT Suffix == "@temp.domain.es"
###	Intentos-Reject = ...


If I use this other DEFAULT entry the request matches, but FreeRADIUS doesn't
add Stripped-User-Name and I can't authenticate:

DEFAULT User-Name =~ "@(temp\.)?domain.es$", Strip-User-Name = Yes
	Intentos-Reject = ...

###DEFAULT Suffix == "@domain.es"
###	Intentos-Reject = ...

###DEFAULT Suffix == "@temp.domain.es"
###	Intentos-Reject = ...

I don't know if I can use regular expressions with the Suffix/Prefix attributes.

Thank you very much and sorry for my English.


-- 


 Ana Gallardo Gómez


Re: problem regular expressions in hints file

2009-10-29 Thread Ana Gallardo

  Hello, I'm using Debian and Freeradius 2.0.4-3
 
  I want to use the hints file to add an attribute named Intentos-Reject.
  I would like to use only one DEFAULT entry to match with @domain.es
  and with @temp.domain.es

   Don't use hints for that.


Sorry, but I don't understand. I need to add an attribute to the request

# /etc/freeradius/hints
#	The hints file.   This file is used to match
#	a request, and then add attributes to it.  This ...

I use this attribute later, in the users file, to reject users:

# /etc/freeradius/users
DEFAULT Intentos-Reject > 10, Auth-Type := Reject
	Reply-Message = "NUMERO DE INTENTOS FALLIDOS(%{Intentos-Reject}) EXCEDIDO"

 The Suffix attribute matches a suffix, not a regular expression.


OK



  Use unlang for this kind of matching.  See man unlang


I saw unlang, but where must I use unlang? In the hints file?

This is not OK:

# /etc/freeradius/hints
DEFAULT (Suffix == "@domain.es" || Suffix == "@temp.domain.es")
	Intentos-Reject = ...


Sorry if my questions are stupid and sorry for my English.

Thanks Alan


 Ana Gallardo Gómez


Re: problem regular expressions in hints file

2009-10-29 Thread Ana Gallardo
I'm really sorry, this is stupid, I thought || was OR:

# /etc/freeradius/hints
DEFAULT (Suffix == "@domain.es" || Suffix == "@temp.domain.es")
	Intentos-Reject = ...



 Ana Gallardo Gómez


problem with default configuration in 2.0.4-3 version

2009-10-22 Thread Ana Gallardo
 testing123
Sending Access-Request of id 186 to 127.0.0.1 port 1812
User-Name = bob
User-Password = hello
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=186,
length=20


Thank you very much and sorry for my English

-- 


 Ana Gallardo Gómez


Re: problem with default configuration in 2.0.4-3 version

2009-10-22 Thread Ana Gallardo
2009/10/22 Alan DeKok al...@deployingradius.com

 Ana Gallardo wrote:
  Hello, I have installed debian lenny with freeradius 2.0.4-3:
 ...
  /etc/freeradius# freeradius -X
 ...
  Starting - reading configuration files ...
 ...
  including files in directory /etc/freeradius/sites-enabled/


   There are no files in that directory.  You either deleted them, or
 they were not installed by the package.


I deleted nothing in my sites-enabled directory; it was empty.

I created a soft link and everything is OK now.

/etc/freeradius# ls -l sites-enabled/
total 0
lrwxrwxrwx 1 root freerad 39 oct 22 12:29 default -> /etc/freeradius/sites-available/default


Thank you very much Alan.


-- 


 Ana Gallardo Gómez


Re: Openldap and FreeRadius2

2009-06-26 Thread Ana Gallardo
Hi Dave, I would like to see what you learn :)

2009/6/25 Dave Rummel daverum...@boothcreek.com

 Would like to make a request for an account to the wiki so I can add to it.


 Dave Rummel wrote:

 If anyone needs help in getting their openldap to work with freeradius2
 please reply back. I finally was able to figure it out and then used unlang
 to authorize my groups and would like to share what I have learned.

 Christopher Sheldon wrote:


 Does anyone else who subscribes to the list specifically read every email
 Alan sends just to chuckle at him berating the  poor, confused people
 seeking help?

 It's like reality TV. ;-)

 Chris.

 Alan DeKok wrote:

 jpablorp wrote:


 I replace eap.conf with the Default eap.conf file

 and this is my debug:



  Where you have *deleted* the real cause of the error.



 [peap]  Had sent TLV failure.  User was rejected earlier in this
 session.



  Look EARLIER in the debug log for the failure.  It's really not hard.
  Look for words like reject, or fail, or error.

  The messages will tell you what is wrong, and why.  All you need to do
 is read them.

  Alan DeKok.




-- 


 Ana Gallardo Gómez


response_window and zombie_period problem

2009-06-25 Thread Ana Gallardo
Hello, first of all, sorry for my English.

I'm testing Freeradius 2.0.4+dfsg-6 in Debian. I want to configure proxy
like this (proxy.conf):

# radiusxx authentication
home_server radiusxx_auth {
	type = auth
	ipaddr = 1.2.3.4
	port = 1812
	secret = secret
	response_window = 50
	zombie_period = 20
	status_check = request
	username = user
	password = pass
	check_interval = 30
	num_answers_to_alive = 3
}

# radiusxx accounting
home_server radiusxx_acct {
	type = acct
	ipaddr = 1.2.3.4
	port = 1813
	secret = secret
	response_window = 50
	zombie_period = 20
	status_check = request
	username = user
	password = pass
	check_interval = 30
	num_answers_to_alive = 3
}

# radiusyy authentication
home_server radiusyy_auth {
	type = auth
	ipaddr = 1.2.3.5
	port = 1812
	secret = secret
	response_window = 50
	zombie_period = 20
	status_check = request
	username = user
	password = pass
	check_interval = 30
	num_answers_to_alive = 3
}

# radiusyy accounting
home_server radiusyy_acct {
	type = acct
	ipaddr = 1.2.3.5
	port = 1813
	secret = secret
	response_window = 50
	zombie_period = 20
	status_check = request
	username = user
	password = pass
	check_interval = 30
	num_answers_to_alive = 3
}

#authentication pool
home_server_pool my_auth {
	type = fail-over
	home_server = radiusxx_auth
	home_server = radiusyy_auth
}

#accounting pool
home_server_pool my_acct {
	type = fail-over
	home_server = radiusxx_acct
	home_server = radiusyy_acct
}


realm myrealm.my {
	auth_pool = my_auth
	acct_pool = my_acct
#	nostrip
}


My problem is when I'm going to test failover: I stop FreeRADIUS on the xx
server and I send an authentication request.

Sending Access-Request of id 143 to 1.2.3.4 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x3238
Proxying request 0 to home server 1.2.3.4 port 1812
Sending Access-Request of id 143 to 1.2.3.4 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x3238
Going to the next request
Waking up in 0.9 seconds.
Waking up in 28.9 seconds.
rad_recv: Access-Request packet from host 1.2.2.2 port 39710, id=28,
length=75
Sending duplicate proxied request to home server 1.2.3.4 port 1812 - ID: 143
Sending Access-Request of id 143 to 1.2.3.4 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x3238
Waking up in 26.9 seconds.
rad_recv: Access-Request packet from host 1.2.2.2 port 39710, id=28,
length=75
Sending duplicate proxied request to home server 1.2.3.4 port 1812 - ID: 143
Sending Access-Request of id 143 to 1.2.3.4 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x3238
Waking up in 23.9 seconds.
. . .
WARNING: Marking home server 1.2.3.4 port 1812 as zombie (it looks like it
is dead).

After 30 seconds I always get an Access-Reject the first time. But if my
zombie_period = 20, shouldn't it mark radiusxx as zombie after 20 seconds and
proxy my request to radiusyy? My response_window = 50, and FreeRADIUS must
wait 50 seconds before considering the request dead.

Then, when I send another authentication request:

Sending Access-Request of id 129 to 1.2.3.4 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x31
Proxying request 1 to home server 1.2.3.4 port 1812
Sending Access-Request of id 129 to 1.2.3.4 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x31
Going to the next request
Waking up in 0.9 seconds.
Waking up in 28.9 seconds.
rad_recv: Access-Request packet from host 1.2.2.2 port 59850, id=1,
length=75
FAILURE: Marking home server 1.2.3.4 port 1812 as dead.
Sending Access-Request of id 118 to 1.2.3.5 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x31
Proxying request 1 to home server 1.2.3.5 port 1812
Sending Access-Request of id 118 to 1.2.3.5 port 1812
User-Name = 
User-Password = 111
Calling-Station-Id = 00:11:22:33:44:55
NAS-IP-Address = 1.2.2.2
Proxy-State = 0x31
Waking up in 26.9 seconds.
rad_recv: Access-Accept packet from host 1.2.3.5 port 1812, id=118,
length=23
Proxy-State = 0x31


I don't know why FreeRADIUS doesn't send me an Access-Accept, when I send the
first request, after marking radiusxx (zombie_period = 20) as zombie and proxying
the request to radiusyy.

Thank you and sorry for my English.

Re: response_window and zombie_period problem

2009-06-25 Thread Ana Gallardo
Thank you for your response. Certainly in the proxy.conf file we can read:


 #  If the home server doesn't respond to the request within

 #  this time, this server will consider the request dead, and

 #  respond to the NAS with an Access-Reject.

 #

 #  Useful range of values: 5 to 60

 response_window = 20



 #  If the home server does not respond to ANY packets for

 #  a certain time, consider it dead.  This time period is

 #  called the zombie period, because the server is neither

 #  alive nor dead.

 #

 #  Useful range of values: 20 to 120

 zombie_period = 40

My response_window = 50 and zombie_period = 20. So, after 20 seconds, my
FreeRADIUS must consider radiusxx dead, and then, I think that FreeRADIUS
can proxy the request until the response_window = 50 time has gone. Maybe I'm
mistaken, so I would like to know if I'm in error.


 When a home server does not respond to an Access-Request, the proxy process
 has failed and the default behavior is to reject the users Access-Request.
 The proxy server marks the home server as a zombie and after another 40
 seconds has passed, the proxy server marks the home server as dead. Once a
 server is marked dead, the proxy server will not send requests to that
 server. Access-Requests that are sent to the proxy server after the home
 server is marked dead, will skip the dead home server and fail-over to the
 next home server.



 Since an Access-Reject is sent to the NAS, the NAS will deny the
 user/device access. This will happen to all users/devices that try to
 authenticate when the proxy server was marked alive but it is actually dead.
 You can lessen the impact of a dead server by using type=load-balance
 instead of fail-over for the home server pool.


Why does using load-balance lessen the impact?



 In 2.1.6 the server can be configured to not respond when it does not
 receive a response from a home server. This will cause the NAS to retry the
 request multiple times, which will eventually cause the proxy server to send
 the request to the alive home server. Let me know if you want to try this
 and I can send an example configuration.



Yes, I want to try.

 Tim





Thank you very much Tim.




 Ana Gallardo Gómez


Re: response_window and zombie_period problem

2009-06-25 Thread Ana Gallardo

  My response_window = 50 and zombie_period = 20. So, after 20 seconds, my
  radiusxx FreeRADIUS must consider it dead, and then, I think that
  FreeRADIUS
  can proxy the request until the response_window = 50 time has gone. Maybe I'm
  mistaken, so I would like to know if I'm in error.

 You are mistaken. Server will be considered dead for requests *received*
 after the zombie period. It doesn't apply for ongoing requests.


Ok, thanks




  When a home server does not respond to an Access-Request, the proxy
  process
  has failed and the default behavior is to reject the users
  Access-Request.
 ...
  You can lessen the impact of a dead server by using type=load-balance
  instead of fail-over for the home server pool.
 
 
  Why is lessen the impact using load-balance?

 The idea is that only one will die at a time. Fewer requests go to the
 dead server before it's marked dead: fewer rejects and retries.


Ok, thanks again.




  In 2.1.6 the server can be configured to not respond when it does not
  receive a response from a home server. This will cause the NAS to retry
  the
  request multiple times, which will eventually cause the proxy server to
  send
  the request to the alive home server. Let me know if you want to try
  this
  and I can send an example configuration.
 
 
 
  Yes, I want to try.

 It's there already, you just need to use the policy. See do_not_respond in
 policy.conf.


Thank you very much Ivan.




 Ivan Kalik
 Kalik Informatika ISP





-- 


 Ana Gallardo Gómez

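The two answers above draw a distinction that is easier to see in code: a request already waiting on a home server is not rescued when that server is later marked zombie; it times out and, by default, becomes an Access-Reject, and only requests that arrive afterwards are sent elsewhere. The Python below is an added, deliberately simplified model written for this page, not the server's own logic: one fail-over pool, a wait capped by max_request_time (its 2.x default of 30 s is assumed to be why the reject in the debug output above arrives after 30 s rather than after the 50 s response_window), zombie marking once a server has ignored traffic for zombie_period seconds, and the do_not_respond policy from policy.conf modelled as sending no reply so the NAS keeps retransmitting. Server names, times and the retransmit schedule are constructed; the real server also coalesces retransmits of the same packet while the original is still in flight, so only a retransmit sent after the proxy gave up counts as a fresh request here.

```python
class HomeServer:
    def __init__(self, name, reachable):
        self.name = name
        self.reachable = reachable      # constructed: False models "freeradius stopped"
        self.unanswered_since = None    # time of the first request it failed to answer

    def state(self, now, zombie_period):
        """alive -> zombie once it has ignored traffic for zombie_period seconds."""
        if self.unanswered_since is None:
            return "alive"
        return "zombie" if now - self.unanswered_since >= zombie_period else "alive"


class FailoverProxy:
    def __init__(self, servers, response_window=50, zombie_period=20,
                 max_request_time=30, do_not_respond=False):
        self.servers = servers
        self.response_window = response_window
        self.zombie_period = zombie_period
        self.max_request_time = max_request_time
        self.do_not_respond = do_not_respond

    def pick(self, now):
        """type = fail-over: first server in order that is not (yet) a zombie."""
        for s in self.servers:
            if s.state(now, self.zombie_period) == "alive":
                return s
        return None

    def handle(self, now):
        """Return (reply, home_server, reply_time) for an Access-Request at time now."""
        target = self.pick(now)
        if target is None:
            return ("Access-Reject", None, now)  # nothing usable left in the pool
        if target.reachable:
            target.unanswered_since = None
            return ("Access-Accept", target.name, now)
        if target.unanswered_since is None:
            target.unanswered_since = now
        # The request keeps waiting on this server and is not re-proxied when
        # the server turns zombie meanwhile. It gives up at the smaller of the
        # two timers and, unless do_not_respond is in effect, answers with a reject.
        deadline = now + min(self.response_window, self.max_request_time)
        reply = None if self.do_not_respond else "Access-Reject"
        return (reply, target.name, deadline)


def nas_session(proxy, retransmit_at):
    """One NAS trying to authenticate a user, retransmitting at the given times
    until it gets any reply at all. Returns the list of (reply, server, time)."""
    outcomes = []
    for t in retransmit_at:
        outcome = proxy.handle(t)
        outcomes.append(outcome)
        if outcome[0] is not None:
            break
    return outcomes


def scenario(do_not_respond):
    """radiusxx stopped, radiusyy up, as in the post: first user at t=0 with
    retransmits, then a second, unrelated request shortly after the first gave up."""
    xx = HomeServer("radiusxx_auth", reachable=False)
    yy = HomeServer("radiusyy_auth", reachable=True)
    proxy = FailoverProxy([xx, yy], do_not_respond=do_not_respond)
    first = nas_session(proxy, retransmit_at=[0, 30, 60])
    later = proxy.handle(31)
    return first, later


if __name__ == "__main__":
    print("default:       ", scenario(False))
    print("do_not_respond:", scenario(True))
```

With the default behaviour the first user is rejected after 30 s even though zombie_period is 20, and only the request arriving at t=31 reaches radiusyy; with do_not_respond the proxy stays silent, the NAS retransmit at t=30 is treated as a new request, and it is answered by radiusyy. Shortening zombie_period does not change the wait of the request already in flight.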

reject_delay and freeradius as a daemon

2007-10-01 Thread Ana Gallardo Gómez
- Freeradius 1.1.7
- Debian Sarge (kernel 2.6.18-5-686)
- IBM x3550

Hello!

When I run freeradius in debug mode the Access-Reject is sent after the delay
time indicated by the reject_delay setting.

When I run freeradius as a daemon, the Access-Reject is delayed for much too
long when reject_delay > 0. If I set reject_delay to 0 and run as a daemon, there is
no delay.

In radiusd.conf I can read:

#  reject_delay: When sending an Access-Reject, it can be
#  delayed for a few seconds.  This may help slow down a DoS
#  attack.  It also helps to slow down people trying to brute-force
#  crack a users password.
#
#  Setting this number to 0 means send rejects immediately
#
#  If this number is set higher than 'cleanup_delay', then the
#  rejects will be sent at 'cleanup_delay' time, when the request
#  is deleted from the internal cache of requests.
#
#  Useful ranges: 1 to 5

I have seen this thread in the mailing list from 2004
(http://lists.freeradius.org/mailman/htdig/freeradius-users/2004-September/035812.html),
but I find the same problem right now.

I don't know if the global delayed time is reject_delay + max_session_time. I
can't find max_session_time. Maybe reject_delay + max_request_time?

I don't know what I can do:

1. reject_delay = 0
2. small max_request_time
...


Thank you and sorry for my English.




RE: Proxying based on SSID

2007-01-24 Thread Ana Gallardo Gómez
I think you have to use the attribute Stripped-User-Name to authenticate the
user.

Date: Wed, 24 Jan 2007 14:21:59 +0800
From: [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Proxying based on SSID

Hi,

Sorry if the questions have been asked. I have done a lot of searches, but
could not find the answer.

Normally, I proxy a PEAP request whenever the realm is unknown to us (i.e.
using the DEFAULT realm without stripping user name). However, for some SSIDs,
I want requests to be handled locally with ldap, independent of what the
realm is (and with the user name stripped). What I did is to find those SSIDs
in Called-Station-ID and set proxy-to-realm to a local realm.

But the problem (I guess) is that when freeradius processes the realm file,
the user name is not stripped. When later on processed by the local realm,
the request fails because the user name still contains the domain.

Any suggestion to solve it is appreciated. Thanks in advance.

Best Regards,
Lai

Users =
DEFAULT NAS-Port-Type == Wireless-802.11, Called-Station-Id =~ "MY-SSID$", Strip-User-Name := Yes, Autz-Type := usePlainTextPwd, Proxy-to-realm := hku.hk
DEFAULT NAS-Port-Type == Wireless-802.11, Autz-Type := usePlainTextPwd

Radiusd -X =
rad_recv: Access-Request packet from host 17.18.28.26:20002, id=136, length=152
	NAS-Port-Id = 2098/1
	Calling-Station-Id = 00-18-DE-83-3E-1B
	Called-Station-Id = 00-16-E0-FD-47-40:VIP-peap
	Service-Type = Framed-User
	EAP-Message = 0x02010012017063637732406173642e636f6d
	User-Name = [EMAIL PROTECTED]
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = 3Com
	NAS-IP-Address = 17.18.28.26
	Message-Authenticator = 0x46e6da4a3ad7d253157a9f21a110807b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
    rlm_realm: Looking up realm asd.com for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm DEFAULT
    rlm_realm: Proxying request from user pcw2 to realm DEFAULT
    rlm_realm: Adding Realm = DEFAULT
    rlm_realm: Preparing to proxy authentication request to realm DEFAULT
  modcall[authorize]: module suffix returns updated for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    users: Matched entry DEFAULT at line 171
    users: Matched entry DEFAULT at line 244
  modcall[authorize]: module files returns ok for request 0
  rlm_eap: EAP packet type response id 1 length 18
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
modcall: leaving group authorize (returns updated) for request 0
  Found Autz-Type usePlainTextPwd
  Processing the authorize section of radiusd.conf
modcall: entering group usePlainTextPwd for request 0
modcall: entering group redundant for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat:  '(([EMAIL PROTECTED])))'
radius_xlat:  'ou=ldap,o=hku,c=hk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.hku.hk:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as cn=net,o=hku,c=hk/M134aNaa to ldap1.hku.hk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=ldap,o=hku,c=hk, with filter (([EMAIL PROTECTED]))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module withNTPwd returns notfound for request 0
modcall: leaving group redundant (returns notfound) for request 0
modcall: leaving group usePlainTextPwd (returns notfound) for request 0
  WARNING: You set Proxy-To-Realm = hku.hk, but it is a LOCAL realm!  Cancelling invalid proxy request.
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
 WARNING: Cancelling proxy to Realm hku.hk, as the realm is local.
Sending Access-Challenge of id 136 to 17.18.28.26 port 20002
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x
	State = 0xfd7f032f1c3ed7e8e39bf1872727e771
Finished request 0
Going to the next request

authorize and authenticate in proxy

2007-01-22 Thread Ana Gallardo Gómez
Hello!

I want to use FreeRADIUS as a proxy RADIUS server, and I think that my
FreeRADIUS doesn't have to do authorize and authenticate: my FreeRADIUS has to
process requests with realm @unex.es; the other requests have to be proxied.

My configuration is:

radiusd.conf:

authorize {
	preprocess
	suffix
	files
	Autz-Type LDAP_UNEX_ES {
		ldap_unex_es
	}
	mschap
	eap
}


authenticate {
	ldap_unex_es
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}

users:

DEFAULT Autz-Type = LDAP_UNEX_ES

proxy.conf:

realm unex.es {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
}

realm NULL {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
}

realm DEFAULT {
	type = radius
	authhost = other_server_1
	accthost = LOCAL
	secret = **
	nostrip
}

realm DEFAULT {
	type = radius
	authhost = other_server_2
	accthost = LOCAL
	secret = **
	nostrip
}

- I want to define two instances of realm DEFAULT, in case one of them fails. Is it possible?
- Does my FreeRADIUS have to do authorize and authenticate when the request has to be proxied?
- I think that in the users file I have to distinguish between requests with realm @unex.es, to set Autz-Type = LDAP_UNEX_ES, and the others...

I'm lost with proxy... I need help. Thank you. Sorry for my English.




RE: problem with NT-Password and LDAP

2007-01-04 Thread Ana Gallardo Gómez



   OK, use the perl module to re-write the attribute.  There is an
 example.pl distributed with the server that should be a good start.
 
   Alan DeKok.

I 'm trying to use the perl module to authenticate users removing white spaces 
from NT-Password. This is my remove_white_spaces.pl:

use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_CONFIG %RAD_PROXY %RAD_PROXY_REPLY);
use Data::Dumper;

use constant RLM_MODULE_REJECT   => 0; # immediately reject the request
use constant RLM_MODULE_FAIL     => 1; # module failed, don't reply
use constant RLM_MODULE_OK       => 2; # the module is OK, continue
use constant RLM_MODULE_HANDLED  => 3; # the module handled the request, so stop.
use constant RLM_MODULE_INVALID  => 4; # the module considers the request invalid.
use constant RLM_MODULE_USERLOCK => 5; # reject the request (user is locked out)
use constant RLM_MODULE_NOTFOUND => 6; # user not found
use constant RLM_MODULE_NOOP     => 7; # module succeeded without doing anything
use constant RLM_MODULE_UPDATED  => 8; # OK (pairs modified)
use constant RLM_MODULE_NUMCODES => 9; # How many return codes there are

sub hex_to_ascii ($)
{
# Convert each two-digit hex number back to an ASCII character.
(my $str = shift) =~ s/([a-fA-F0-9]{2})/chr(hex $1)/eg;
return $str;
}

sub ascii_to_hex ($)
{
## Convert each ASCII character to a two-digit hex number.
(my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
return $str;
}

# Function to handle authorize
sub authorize {

# the check item arrives as "0x" followed by the hex encoding of the LDAP octets
my $h_str = $RAD_CHECK{'NT-Password'};
radiusd::radlog(1, "NT-Password (hex) . $h_str");
my $a_str = hex_to_ascii $h_str;
$a_str=~s/(\s)+$//;      # strip the trailing white space padding
$a_str=~s/(0x)//;        # strip the 0x prefix
radiusd::radlog(1, "NT-Password (ascii) . $a_str");
$h_str = ascii_to_hex $a_str;
$RAD_CHECK{'NT-Password'}=$h_str;
radiusd::radlog(1, "NT-Password . $RAD_CHECK{'NT-Password'}");
return RLM_MODULE_OK;
}

In radiusd.conf...

perl {
module = /usr/local/radius/scripts_perl/quitar_espacios.pl
max_clones = 32
start_clones = 5
min_spare_clones = 3
max_spare_clones = 3
cleanup_delay = 5
max_request_perl_clone = 0
}

authorize {
preprocess
suffix
files
Autz-Type LDAP_UNEX_ES{
   ldap_unex_es
   perl
}
mschap  
eap
}


The debug information is:

rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap_unex_es returns ok for request 6
perl_pool: item 0x835eb10 asigned new request. Handled so far: 3
found interpetator at address 0x835eb10

rlm_perl: NT-Password (hex) . 
0x303642313145334439343130323145314135433531433638363846324630453620202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020
rlm_perl: NT-Password (ascii) . 06B11E3D941021E1A5C51C6868F2F0E6
rlm_perl: NT-Password . 
3036423131453344393431303231453141354335314336383638463246304536
rlm_perl: Added pair NT-Password = 
3036423131453344393431303231453141354335314336383638463246304536

rlm_perl: Added pair User-Password = 76027476
rlm_perl: Added pair Autz-Type = LDAP_UNEX_ES
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Auth-Type = EAP
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x835eb10
  modcall[authorize]: module perl returns ok for request 6
modcall: leaving group LDAP_UNEX_ES (returns ok) for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6

rlm_mschap: Invalid NT-Password   

  rlm_mschap: Told to do MS-CHAPv2 for 02747632 with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 6
modcall: leaving group authenticate (returns reject) 
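As an added example for this thread (not the poster's script and not code shipped with FreeRADIUS), here is an rlm_perl authorize function that normalises the padded value the way rlm_mschap needs it: it decodes the "0x" hex form that the debug output above shows rlm_perl handing over, trims the padding, checks that what is left is a 32-character hash, and writes that string back unchanged instead of hex-encoding it a second time. It assumes the value arrives either in that "0x" form or as a plain string; the stand-alone run at the end uses a constructed sample.

```perl
use strict;
use warnings;
our %RAD_CHECK;                         # filled in by rlm_perl inside the server

use constant RLM_MODULE_NOOP    => 7;   # nothing changed
use constant RLM_MODULE_UPDATED => 8;   # check items modified

# rlm_perl presents an octets attribute as "0x" + hex of the raw bytes (see the
# "NT-Password (hex)" debug line above). Return the bare 32-character hash,
# or undef when the value is not a usable NT hash.
sub normalize_nt_password {
    my ($raw) = @_;
    return undef unless defined $raw;
    my $val = $raw;
    if ($val =~ /^0x((?:[0-9a-fA-F]{2})+)$/) {
        $val = pack('H*', $1);            # back to the characters LDAP stored
    }
    $val =~ s/\s+$//;                     # drop the trailing space padding
    # rlm_mschap takes 32 hex characters (or 16 raw bytes); anything else is
    # logged as "Invalid NT-Password", so refuse to pass junk on
    return undef unless $val =~ /^[0-9a-fA-F]{32}$/;
    return uc $val;
}

sub log_msg {
    my ($msg) = @_;
    # radiusd::radlog only exists inside the server; fall back to STDERR
    if (defined &radiusd::radlog) { radiusd::radlog(1, $msg) }
    else                          { print STDERR "$msg\n" }
}

sub authorize {
    my $fixed = normalize_nt_password($RAD_CHECK{'NT-Password'});
    unless (defined $fixed) {
        log_msg("NT-Password absent or not a 32-hex-digit hash, left untouched");
        return RLM_MODULE_NOOP;
    }
    # store the 32 ASCII hex characters as-is; re-encoding them to hex
    # (64 characters) is exactly what makes rlm_mschap reject the value
    $RAD_CHECK{'NT-Password'} = $fixed;
    log_msg("NT-Password normalized to 32 hex characters");
    return RLM_MODULE_UPDATED;
}

# stand-alone run with a constructed value: the hash quoted in this thread plus
# four padding spaces, encoded the way rlm_perl presents it (hypothetical input)
unless (defined &radiusd::radlog) {
    $RAD_CHECK{'NT-Password'} =
        '0x' . unpack('H*', '06B11E3D941021E1A5C51C6868F2F0E6' . ' ' x 4);
    my $rc = authorize();
    print "rc=$rc NT-Password=$RAD_CHECK{'NT-Password'}\n";
}
```

Point `module = ...` in the perl { } block at this file and keep `perl` after the ldap module in the Autz-Type group, as in the configuration above.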

RE: problem with NT-Password and LDAP

2007-01-02 Thread Ana Gallardo Gómez

 Date: Thu, 28 Dec 2006 08:44:22 -0800
 From: [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Subject: Re: problem with NT-Password and LDAP
 
 Ana Gallardo Gómez wrote:
 
  Well, I can not modify the LDAP server, I only can use it,
  so, while I ask the LDAP administrator to modify this atribute,
  I would like to modify in Freeradius server.
 
   OK, use the perl module to re-write the attribute.  There is an
 example.pl distributed with the server that should be a good start.
 
   Alan DeKok.
 --

I'm going to use the perl module, but first, and while I learn to use it, I 
tried the attr_rewrite module:

attr_rewrite quitar_espacios {
attribute = NT-Password
# may be packet, reply, proxy, proxy_reply or config
searchin = config
searchfor = " "
replacewith = ""
ignore_case = no
new_attribute = no
max_matches = 220
## If set to yes then the replace string will be appended to the original string
append = no
}

I don't know if I can use regular expressions in the searchfor field, and, in 
this case, what the regular expression grammar is; or if it is better with 
max_matches = 220 and searchfor = " " ...

I use this module in authorize section:

authorize {
preprocess
suffix
files
Autz-Type LDAP_LOCAL{
   ldap_local 
}
Autz-Type LDAP_UNEX_ES{
   ldap_unex_es
   quitar_espacios 
}
mschap  
eap
}


and I can authenticate users:

rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap_unex_es returns ok for request 7
radius_xlat:  ' 
 '
rlm_attr_rewrite: Changed value for attribute NT-Password from 
'06B11E3D941021E1A5C51C6868F2F0E6   
   ' to '06B11E3D941021E1A5C51C6868F2F0E6'
  modcall[authorize]: module quitar_espacios returns ok for request 7
modcall: leaving group LDAP_UNEX_ES (returns ok) for request 7


Thank you


Re: problem with NT-Password and LDAP

2006-12-28 Thread Ana Gallardo Gómez

Ana Gallardo Gómez wrote:
 Hello,  my problem is, i have a Freeradius server that retrieves the
 authentication information from an OpenLDAP server; in this server the
 NT-Password attribute has 252 characters (32 characters from NT-hash +
 white spaces)
 
Why not just update the entries in LDAP to remove the space?
 
Alan DeKok.

Well, I can not modify the LDAP server, I only can use it, so, while I ask the 
LDAP administrator to modify this attribute, I would like to modify it in the 
Freeradius server. I have read that there is a module to rewrite the value of 
an attribute on the fly, but I can't find how to use it. I have a regular 
expression to modify... I have a perl script to modify... but I don't know how 
to use it.

Thank you



problem with NT-Password and LDAP

2006-12-26 Thread Ana Gallardo Gómez
Hello, my problem is, I have a Freeradius server that retrieves the 
authentication information from an OpenLDAP server; in this server the 
NT-Password attribute has 252 characters (32 characters from NT-hash + white 
spaces), and the NT-Password generated in ms-chap has 32 characters. How can I 
remove the white spaces from NT-Password in the ldap module?

Debug information:

...
rlm_ldap: performing search in ou=xxx,dc=xxx,dc=xxx, with filter 
(cn=)
rlm_ldap: Added password xxx in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value
06B11E3D941021E1A5C51C6868F2F0E6



 op=21...

After that LOGIN INCORRECT.
Sorry for my english.
Thank you very much.

[RE]Freeradius-Users Digest, Vol 18, Issue 98

2006-11-15 Thread Ana Gallardo Gómez


Sorry for my english... I had the same problem with Freeradius-OpenSSL. I'm 
running a Debian Sarge 3.1. My installation is:

/usr/local/openssl -- OpenSSL binaries
/usr/local/radius -- Freeradius binaries
/usr/local/freeradius-1.1.3 -- Freeradius source
/usr/local/openssl-0.9.7k -- OpenSSL source

To compile and install OpenSSL:

/usr/local/openssl-0.9.7k/.config shared --prefix=/usr/local/openssl
/usr/local/openssl-0.9.7k/make
/usr/local/openssl-0.9.7k/make install

Copy OpenSSL library and include files to /usr/local/lib and /usr/local/include.

To compile and install Freeradius:

/usr/local/freeradius-1.1.3/.configure --prefix=/usr/local/radius
/usr/local/freeradius-1.1.3/make
/usr/local/freeradius-1.1.3/make install
:)