Re: PEAP failure problem
Hello again! Forgive me for having reached this situation, the result of several unfortunate events. Thank you for your reply and your time.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP failure problem
> This was asked many, many, times. And answered.

Ok, sorry to ask about that one more time. I thought that if I could work with the Codigo-Reject attribute in Post-Auth-Type REJECT for EAP-TTLS-PAP and EAP-TTLS-MsCHAPv2, I could do the same in PEAP. I read http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg56919.html

> Sending Reply-Message in an Access-Reject is not permitted for EAP sessions.

All of them, EAP-TTLS-PAP, EAP-TTLS-MsCHAPv2 and PEAP, are EAP methods...

> Go read the responses to your messages.

Sorry, but what responses? What messages? Do you think that if I had received any answer I would have asked the same thing many times?

> If you're not going to read the list, then don't post questions here. And stop posting this question.

I sent this question, I didn't see it in the list and I didn't get a response. I assumed there had been a problem and sent it again... Sorry again, and thank you for your response despite the tone you used.
change switch result
Hello, I'm using FreeRADIUS Version 2.1.10 and I would like to know if I can change the switch result to do something like this:

/etc/freeradius/sites-enabled/default

    ...
    switch %{Realm} {
        case 'a' {
            sql {
                fail = 5
            }
        }
        case 'b' {
            ldap {
                fail = 5
            }
        }
        case {
            update reply {
                Codigo-Reject = Error-Dominio
            }
            reject
        }
    }
    if (fail) {
        update reply {
            Codigo-Reject = Imposible-Contactar-Backend
        }
        reject
    }
    elsif (notfound) {
        update reply {
            Codigo-Reject = Usuario-Desconocido
        }
        reject
    }
    ...

Actually, if for example sql returns notfound, I can set Codigo-Reject = Usuario-Desconocido, but if sql returns fail, switch returns and I stop processing the authorize section.

Thank you in advance
Re: update reply problem
','radius')
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, mac, client, reply, authdate, codreject, radauth) VALUES ( LOWER('02747632'), LOWER('66:77:99:B1:A0:2F'), 'PA', 'Access-Reject', NOW(), 'Credenciales-Erroneas', 'radius')
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected handle 1..
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected handle 0..
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected handle 4..
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected handle 3..
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected handle 2..
Tue Mar 27 09:36:22 2012 : Info: ++[sql] returns fail
Tue Mar 27 09:36:22 2012 : Info: ++? if (fail)
Tue Mar 27 09:36:22 2012 : Info: ? Evaluating (fail) -> TRUE
Tue Mar 27 09:36:22 2012 : Info: ++? if (fail) -> TRUE
Tue Mar 27 09:36:22 2012 : Info: ++- entering if (fail) {...}
Tue Mar 27 09:36:22 2012 : Info: +++[reply] returns fail
Tue Mar 27 09:36:22 2012 : Info: ++- if (fail) returns fail
Tue Mar 27 09:36:22 2012 : Info: Delaying reject of request 42 for 1 seconds
Tue Mar 27 09:36:22 2012 : Debug: Going to the next request
Tue Mar 27 09:36:22 2012 : Debug: Waking up in 0.9 seconds.
Tue Mar 27 09:36:23 2012 : Info: Sending delayed reject for request 42
Sending Access-Reject of id 163 to 10.253.40.43 port 1314
	EAP-Message = 0x04090004
	Message-Authenticator = 0x
	*Codigo-Reject = Credenciales-Erroneas*

I don't know what the meaning of these messages is:

Tue Mar 27 09:36:22 2012 : Info: [eapeduroam] Handler failed in EAP/ttls
Tue Mar 27 09:36:22 2012 : Info: [eapeduroam] Failed in EAP select
Tue Mar 27 09:36:22 2012 : Info: ++[eapeduroam] returns invalid

And, can I do this?

    # inner-tunnel
    post-auth {
        sql {
            fail = 1
        }
        if (fail) {
            update reply {
                Codigo-Reject = Imposible-Contactar-Backend
                Packet-Type := Access-Reject
            }
            reply_log
            reject
        }
    }

Thank you for your time and sorry for my English.

:: Ana Gallardo Gómez ::
Re: update reply problem
Hello again, I can't resolve my problem and I don't know if it is a bug or a configuration error...

    update reply {
        Codigo-Reject = Imposible-Contactar-Backend
    }

The operator = acts like :=

Ideas? Thanks very much

:: Ana Gallardo Gómez ::
update reply problem
    }
    if (fail) {
        update reply {
            Codigo-Reject = Imposible-Contactar-Backend
            Packet-Type := Access-Reject
        }
        reply_log
        reject
    }

Thank you very much and sorry for my English.

:: Ana Gallardo Gómez ::
Re: radpostauth - from client ip
> Which attribute should I be using to store the same 'from client' that the radius.log is storing?

I think that what you want is the client name, %C

:: Ana Gallardo Gómez ::
Re: freeradius + ldap
Josip, thanks for your response.

> Add LDAP into the authenticate section, so that it simply tries to re-bind with the provided credentials?

Like this:

    Auth-Type LDAP {
        ldapPerson
    }

I tried this configuration too, but it doesn't work for me. FreeRADIUS doesn't set the value of the Auth-Type attribute. I think that this is because the userPassword attribute is only visible to each particular user when they bind.

rad_recv: Access-Request packet from host X.X.X.X port 49621, id=130, length=58
	User-Name = aigalla...@unex.es
	User-Password = 
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es
[suffix] Found realm unex.es
[suffix] Adding Stripped-User-Name = aigallardo
[suffix] Adding Realm = unex.es
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] 	expand: %{Stripped-User-Name} -> aigallardo
[ldapPerson] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aigallardo)
[ldapPerson] 	expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
[ldapPerson] ldap_get_conn: Checking Id: 0
[ldapPerson] ldap_get_conn: Got Id: 0
[ldapPerson] attempting LDAP reconnection
[ldapPerson] (re)connect to ldap.unex.es:389, authentication 0
[ldapPerson] bind as / to ldap.unex.es:389
[ldapPerson] waiting for bind result ...
[ldapPerson] Bind was successful
[ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
[ldapPerson] gecos -> Nombre-Completo = Ana-Isabel Gallardo Gomez,Dpto. Tecno. Computadores y Comuni.,,
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
[ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server test

Thank you very much and sorry for my English.

++ Ana Gallardo Gómez ++
Re: freeradius + ldap
Hello again.

Ok, now I can authenticate a user using LDAP.

I'm using FreeRADIUS 2.1.10 and I want to use LDAP as a backend in the authorize section to take the userPassword attribute (unix crypt) to authenticate the user. My problem is: the LDAP server doesn't have a public key that an admin user (who binds) can take. So I have to bind in the authorize section with the user and password (clear text) in the request. Is this possible? I have read that this is not ok http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html

What are my possibilities? I think that what I can do is:

- in the authorize section, bind as an anonymous user and take the public attributes that I need to authorize the user.
- in the authenticate section, bind as the user who wants to access.

The configuration that works:

LDAP MODULE

    ldap ldapPerson {
        server = xxx
        basedn = "ou=people,dc=unex,dc=es"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
        }
        dictionary_mapping = ${confdir}/ldapPerson.attrmap
        edir_account_policy_check = no
        set_auth_type = yes
    }

SERVER

    server test {
        authorize {
            suffix
            files
            ldapPerson
            expiration
            update control {
                Auth-Type := LDAP
            }
        }
        authenticate {
            Auth-Type LDAP {
                ldapPerson
            }
        }
    }

DEBUG

rad_recv: Access-Request packet from host x.x.x.x port 48259, id=145, length=58
	User-Name = aigalla...@unex.es
	User-Password = 
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es
[suffix] Found realm unex.es
[suffix] Adding Stripped-User-Name = aigallardo
[suffix] Adding Realm = unex.es
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] 	expand: %{Stripped-User-Name} -> aigallardo
[ldapPerson] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aigallardo)
[ldapPerson] 	expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
[ldapPerson] ldap_get_conn: Checking Id: 0
[ldapPerson] ldap_get_conn: Got Id: 0
[ldapPerson] attempting LDAP reconnection
[ldapPerson] (re)connect to x.x.x.x:389, authentication 0
[ldapPerson] bind as / to x.x.x.x:389
[ldapPerson] waiting for bind result ...
[ldapPerson] Bind was successful
[ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
[ldapPerson] gecos -> Nombre-Completo = Ana-Isabel Gallardo Gomez...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
[ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
++[control] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/test
+- entering group LDAP {...}
[ldapPerson] login attempt by "aigallardo" with password
[ldapPerson] user DN: uid=aigallardo,ou=People,dc=unex,dc=es
[ldapPerson] (re)connect to x.x.x.x:389, authentication 1
[ldapPerson] bind as uid=aigallardo,ou=People,dc=unex,dc=es/x to x.x.x.x:389
[ldapPerson] waiting for bind result ...
[ldapPerson] Bind was successful
[ldapPerson] user aigallardo authenticated succesfully
++[ldapPerson] returns ok
} # server test
Sending Access-Accept of id 145 to x.x.x.x port 48259
	Nombre-Completo = Ana-Isabel Gallardo Gomez...

I don't know if this is the best way to solve my problem; if someone has something better, I would like to know.

Thank you very much and sorry for my English.

++ Ana Gallardo Gómez ++
Re: freeradius + ldap
Hello Josip, and thank you again for your response.

> This is an orthogonal issue; you don't have to allow anyone to read the value of the userPassword attribute, you just have to get the FR ldap module to *bind* to the LDAP server with the username and password from the request.

Ok, now I know.

> This is log output for an anonymous bind in authorize section (bind as / to means bind as no user/no password). What is the output for the authenticated bind, that happens in the authenticate section?

There is no authenticated bind because FreeRADIUS doesn't set Auth-Type and...

ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

Thanks

++ Ana Gallardo Gómez ++
freeradius + ldap
Hello, I'm using FreeRADIUS 2.1.10 and I want to use LDAP as a backend in the authorize section to take the userPassword attribute (unix crypt) to authenticate the user. My problem is: the LDAP server doesn't have a public key that an admin user (who binds) can take. So I have to bind in the authorize section with the user and password (clear text) in the request. Is this possible? What are my possibilities?

Here is my current configuration in my test:

LDAP MODULE

    ldap ldapPerson {
        server = ldap.
        basedn = "ou=people,dc=unex,dc=es"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
        }
        dictionary_mapping = ${confdir}/ldapPerson.attrmap
        edir_account_policy_check = no
        set_auth_type = yes
    }

SERVER

    server test {
        authorize {
            suffix
            files
            ldapPerson
            expiration
            pap
        }
        authenticate {
            Auth-Type PAP {
                pap
            }
        }
    }

DEBUG

rad_recv: Access-Request packet from host X.X.X.X port 38152, id=201, length=58
	User-Name = aigalla...@unex.es
	User-Password = pass
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es
[suffix] Found realm unex.es
[suffix] Adding Stripped-User-Name = aigallardo
[suffix] Adding Realm = unex.es
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] 	expand: %{Stripped-User-Name} -> aigallardo
[ldapPerson] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aigallardo)
[ldapPerson] 	expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
[ldapPerson] ldap_get_conn: Checking Id: 0
[ldapPerson] ldap_get_conn: Got Id: 0
[ldapPerson] attempting LDAP reconnection
[ldapPerson] (re)connect to X :389, authentication 0
[ldapPerson] bind as / to :389
[ldapPerson] waiting for bind result ...
[ldapPerson] Bind was successful
[ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
[ldapPerson] gecos -> Nombre-Completo = Ana-Isabel Gallardo Gomez
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
[ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server test

Thank you very much and sorry for my English.

++ Ana Gallardo Gómez ++
Re: %RAD_REPLY hash problem
Hello, I've tested adding my vendor specific attributes to the check list, and the problem persists. Here is the debug info:

rad_recv: Access-Request packet from host x.x.x.x port 32880, id=4, length=75
	User-Name = a...@unex.es
	User-Password = 111
	Calling-Station-Id = ...
...
[ldap1] performing user authorization for ana
[ldap1] 	expand: %{Stripped-User-Name} -> ana
[ldap1] 	expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=ana)
...
[ldap1] Bind was successful
...
[ldap1] looking for check items in directory...
[ldap1] Relaciones -> Relaciones += 06
[ldap1] Relaciones -> Relaciones += 01
[ldap1] ntPassword -> NT-Password == 0x44...
[ldap1] looking for reply items in directory...
[ldap1] sn -> Nombre-Completo = Ana Gllardo
...
[ldap1] user ana authorized to use remote access
...
rlm_perl: RAD_REQUEST: User-Name = a...@unex.es
rlm_perl: RAD_REQUEST: User-Password = 111
rlm_perl: RAD_REQUEST: Intentos-Reject = 0
rlm_perl: RAD_REQUEST: SQL-User-Name = ana
rlm_perl: RAD_REQUEST: Realm = unex.es
rlm_perl: RAD_REQUEST: Stripped-User-Name = ana
rlm_perl: RAD_REQUEST: Calling-Station-Id = ...
rlm_perl: RAD_CHECK: NT-Password = 0x44...
rlm_perl: RAD_CHECK: Simultaneous-Use = 1
rlm_perl: RAD_CHECK: Relaciones = ARRAY(0x1d59618)
rlm_perl: RAD_CHECK: Ldap-UserDn = ...
rlm_perl: RAD_REPLY: Nombre-Completo = Ana Gallardo
rlm_perl: relacion: 06
rlm_perl: relacion: 01
rlm_perl: relacion: 0x44...
...

Finally, my solution was to delete the undesired member from the hash.

# cat /etc/freeradius/perl/checkRelaciones.pm

    #!/usr/bin/perl
    use strict;
    use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
    use constant RLM_MODULE_REJECT => 0; # /* immediately reject the request */
    use constant RLM_MODULE_OK     => 2; # /* the module is OK, continue */

    sub authorize {
        solucion_bug();
        return check_relaciones();
    }

    # Work around rlm_perl leaking other check items into the Relaciones
    # array: keep only the two-digit codes, move them to the reply list and
    # drop the attribute from the check list.
    sub solucion_bug {
        my $r;
        my @array;
        if (exists $RAD_CHECK{'Relaciones'} && defined $RAD_CHECK{'Relaciones'}) {
            $r = $RAD_CHECK{'Relaciones'};
            if (ref($r) eq 'ARRAY') {
                # multi-valued attribute: rlm_perl hands us an array reference
                foreach (@{$r}) {
                    #radiusd::radlog(1, "relacion: $_");
                    if ($_ =~ /^[0-9]{2}/) {
                        push(@array, $_);
                    }
                }
                if ($#array > 0) {
                    $RAD_REPLY{'Relaciones'} = \@array;
                } elsif ($#array == 0) {
                    $RAD_REPLY{'Relaciones'} = $array[0];
                }
            }
            unless (ref($r)) {
                # single-valued attribute: plain scalar
                #radiusd::radlog(1, "relacion: $r");
                if ($r =~ /^[0-9]{2}/) {
                    $RAD_REPLY{'Relaciones'} = $r;
                }
            }
            delete($RAD_CHECK{'Relaciones'});
        }
    }

    sub check_relaciones {
        if (exists $RAD_REPLY{'Relaciones'} && defined $RAD_REPLY{'Relaciones'}) {
            return RLM_MODULE_OK;
        } else {
            $RAD_REPLY{'Codigo-Reject'} = 11; # Sin-Relacion-UEX
            return RLM_MODULE_REJECT;
        }
    }

    1;

Thank you very much.

++ Ana Gallardo Gómez ++
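The workaround above depends on one rlm_perl detail that the debug output in this thread shows but never spells out: a multi-valued attribute arrives in %RAD_CHECK/%RAD_REPLY as an array reference (ARRAY(0x1d59618)), while a single-valued one arrives as a plain scalar, and the script has to cope with both. The following is an added example, not code from the thread or from the FreeRADIUS project: it folds both shapes into one list, applies the same "two leading digits" test, and can be run with plain perl outside radiusd against constructed hashes, which makes it easier to debug than reloading the module into the server. The attribute names, the Codigo-Reject value 11 and the test hashes are taken from the thread or constructed here; nothing is read from a real request.

```perl
#!/usr/bin/perl
# Added example (not from the list thread): exercise the Relaciones check
# outside radiusd. rlm_perl hands a multi-valued attribute to the script as an
# array reference and a single-valued one as a plain scalar, so the helper
# below normalises both shapes before applying the "two leading digits" test
# used in the thread. The hashes at the bottom are constructed test data.
use strict;
use warnings;

use constant RLM_MODULE_REJECT => 0;
use constant RLM_MODULE_OK     => 2;

# Return the list of values behind a hash entry, whatever shape rlm_perl used.
sub attr_values {
    my ($hash, $name) = @_;
    return () unless exists $hash->{$name} && defined $hash->{$name};
    my $v = $hash->{$name};
    return ref($v) eq 'ARRAY' ? @{$v} : ($v);
}

# Keep only values that look like a positive two-digit code (no minus sign).
# This also drops anything else rlm_perl may have mixed into the array,
# such as the 0x44... NT-Password seen in the thread's debug output.
sub positive_relaciones {
    my ($hash) = @_;
    return grep { /^[0-9]{2}/ } attr_values($hash, 'Relaciones');
}

# Same decision as the poster's check_relaciones(), but taking the hashes as
# arguments so it can be driven from a test harness instead of radiusd.
sub decide {
    my ($check, $reply) = @_;
    my @good = positive_relaciones($check);
    if (@good) {
        # Mirror the rlm_perl convention: one value as a scalar, several as
        # an array reference, so radiusd re-reads the reply list correctly.
        $reply->{'Relaciones'} = @good == 1 ? $good[0] : \@good;
        return RLM_MODULE_OK;
    }
    $reply->{'Codigo-Reject'} = 11;   # Sin-Relacion-UEX, as in the thread
    return RLM_MODULE_REJECT;
}

# Constructed cases mirroring the shapes seen in the thread's debug output.
my @cases = (
    { name => 'multi-valued, one positive', check => { Relaciones => ['-11', '03', '-01'] } },
    { name => 'single scalar, positive',    check => { Relaciones => '06' } },
    { name => 'single scalar, negative',    check => { Relaciones => '-11' } },
    { name => 'polluted with NT-Password',  check => { Relaciones => ['06', '01', '0x44ab'] } },
    { name => 'attribute absent',           check => {} },
);

for my $c (@cases) {
    my %reply;
    my $rc  = decide($c->{check}, \%reply);
    my @out = attr_values(\%reply, 'Relaciones');
    printf "%-28s rc=%d reply Relaciones=[%s] Codigo-Reject=%s\n",
        $c->{name}, $rc, join(',', @out), $reply{'Codigo-Reject'} // '-';
}
```

Run it with perl directly; the "polluted" case is the one from this thread, and it accepts the user with Relaciones=[06,01] while the stray 0x44... value is discarded. Dropping decide()'s body into an rlm_perl authorize() that reads the global %RAD_CHECK/%RAD_REPLY gives the same behaviour inside the server.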
Re: %RAD_REPLY hash problem
Hello, thank you very much for your response.

> I'm not sure if this will fix it, but try:
>
>     use constant RLM_MODULE_UPDATED => 8; # /* OK (pairs modified) */
>
> then change "return RLM_MODULE_OK" to:
>
>     return RLM_MODULE_UPDATED;

I tried that but the problem persists.

> If this doesn't fix it, you can always delete the undesired member from the hash before you return.

Yes, I know :) but it would be better if we could solve that.

Thanks again

-- Ana Gallardo Gómez
Re: authorize an user using a multivalue ldap attribute
Thank you very much for your responses.

> Conversely, you could comment out/remove the use Data::Dumper line since you're not using it. It's mainly for debugging and easily printing the entire contents of an object/array/hash/etc.

Ok, Kevin, I don't use Data::Dumper and I can run FreeRADIUS with my perl module. My problem is with the hashes that rlm_perl provides to my script: rlm_perl adds to the reply hash an attribute Relaciones with the value of the attribute Nombre-Completo, and also adds Nombre-Completo!

Debug:

[ldap1] performing user authorization for ana
[ldap1] 	expand: %{Stripped-User-Name} -> ana
[ldap1] 	expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=ana)
...
[ldap1] looking for check items in directory...
[ldap1] ntPassword -> NT-Password == 0x35...
[ldap1] looking for reply items in directory...
[ldap1] Relaciones -> Relaciones += 01
[ldap1] sn -> Nombre-Completo = ana
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap1] user ana authorized to use remote access
[ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
...
rlm_perl: Added pair User-Name = ana
rlm_perl: Added pair User-Password = 
rlm_perl: Added pair Intentos-Reject = 1
rlm_perl: Added pair SQL-User-Name = ana
rlm_perl: Added pair Stripped-User-Name = ana
rlm_perl: Added pair Calling-Station-Id = xxx
rlm_perl: Added pair Nombre-Completo = ana
rlm_perl: Added pair Relaciones = 01
*rlm_perl: Added pair Relaciones = ana*
rlm_perl: Added pair NT-Password = 0x35...
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Ldap-UserDn = ...

Thank you

Ana Gallardo Gómez
%RAD_REPLY hash problem
Hello, I'm working with FreeRADIUS 2.1.10

I want to authorize a user using a multi-valued attribute (Relaciones), so I use perl. The values of the attribute Relaciones are stored in LDAP. Nombre-Completo is another attribute stored in LDAP. Relaciones is an integer value. A user is authorized if they have one attribute Relaciones with a positive value (no minus sign). Relaciones, Nombre-Completo and Codigo-Reject are vendor specific attributes defined in /usr/share/freeradius/dictionary.rinuex

My perl script is:

# cat /etc/freeradius/perl/checkRelaciones.pm

    #!/usr/bin/perl
    use strict;
    use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
    #use Data::Dumper;
    use constant RLM_MODULE_REJECT => 0; # /* immediately reject the request */
    use constant RLM_MODULE_OK     => 2; # /* the module is OK, continue */

    sub authorize {
        my $refRelaciones;
        if (exists $RAD_REPLY{'Relaciones'} && defined $RAD_REPLY{'Relaciones'}) {
            $refRelaciones = $RAD_REPLY{'Relaciones'};
            # rlm_perl gives an array reference for several values, a scalar for one
            my @valores = ref($refRelaciones) eq 'ARRAY' ? @{$refRelaciones} : ($refRelaciones);
            foreach (@valores) {
                if ($_ =~ /^[0-9]{2}/) {
                    return RLM_MODULE_OK;
                }
            }
            $RAD_REPLY{'Codigo-Reject'} = 11; # Sin-Relacion
        }
        return RLM_MODULE_REJECT;
    }

    1;

Everything works fine. My problem is that rlm_perl duplicates an attribute in the %RAD_REPLY hash.

Debug:

rad_recv: Access-Request packet from host x.x.x.x port 56822, id=100, length=75
	User-Name = a...@unex.es
	User-Password = 
	Calling-Station-Id = ...
server rinuex {
...
[ldap1] looking for check items in directory...
[ldap1] ntPassword -> NT-Password == 0x3..
[ldap1] looking for reply items in directory...
[ldap1] Relaciones -> Relaciones += 03
[ldap1] sn -> Nombre-Completo = Ana Gallardo
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap1] user ana authorized to use remote access
[ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
...
rlm_perl: Added pair User-Name = a...@unex.es
rlm_perl: Added pair User-Password = 
rlm_perl: Added pair Intentos-Reject = 0
rlm_perl: Added pair SQL-User-Name = ana
rlm_perl: Added pair Realm = unex.es
rlm_perl: Added pair Stripped-User-Name = ana
rlm_perl: Added pair Calling-Station-Id = ...
rlm_perl: Added pair Nombre-Completo = Ana Gallardo
rlm_perl: Added pair Relaciones = 03
rlm_perl: Added pair Relaciones = Ana Gallardo
rlm_perl: Added pair NT-Password = 0x344...
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Ldap-UserDn = ...
++[perl] returns ok
...
++[pap] returns ok
...
} # server rinuex
Sending Access-Accept of id 100 to x.x.x.x port 56822
	Nombre-Completo = Ana Gallardo
	Relaciones += 03
	Relaciones += Ana Gallardo

Any ideas??

Sorry for my English and thank you in advance.

Ana Gallardo Gómez
authorize an user using a multivalue ldap attribute
Hello, I have a string attribute named Relaciones in my LDAP. This attribute can have more than one value. Currently I return those values in the reply:

Sending Access-Accept of id 229 to X.X.X.X port 32796
	Relaciones += -11
	Relaciones += 03
	Relaciones += -01

I want to authorize the access only if there is one attribute Relaciones with a positive value. So I would like to use unlang in the authorize section to check all the Relaciones attributes with a regex, but I don't know how I can check all the attributes, and how I can stop processing the attributes if I find one without a minus sign.

    if (%{reply:Relaciones} =~ /^([0-9]{2})/) {
    }

Thanks very much, and sorry for my English.

-- Ana Gallardo Gómez
Re: authorize an user using a multivalue ldap attribute
Hello again,

I have a string attribute named Relaciones in my LDAP. This attribute can have more than one value. Currently I return those values in the reply:

Sending Access-Accept of id 229 to X.X.X.X port 32796
	Relaciones += -11
	Relaciones += 03
	Relaciones += -01

I want to authorize the access only if there is one attribute Relaciones with a positive value. So I would like to use unlang in the authorize section to check all the Relaciones attributes with a regex, but I don't know how I can check all the attributes, and how I can stop processing the attributes if I find one without a minus sign.

    if (%{reply:Relaciones} =~ /^([0-9]{2})/) {
    }

Maybe I can check the value with a check item:

# cat /etc/freeradius/ldap.attrmap

    checkItem	NT-Password		ntPassword
    checkItem	Relaciones		Relaciones	~= /^([0-9]{2})/
    replyItem	Nombre-Completo		sn
    replyItem	Relaciones		Relaciones	+=

Anyway, I tested both ideas, but they don't work:

[ldap] looking for check items in directory...
[ldap] ntPassword -> NT-Password == 0x3...
[ldap1] looking for reply items in directory...
[ldap1] Relaciones -> Relaciones += -11
[ldap1] Relaciones -> Relaciones += 03
[ldap1] Relaciones -> Relaciones += -01
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap1] user XXX authorized to use remote access
[ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
? if (fail)
? Evaluating (fail) -> FALSE
? if (fail) -> FALSE
- entering else else {...}
+? if (%{reply:Relaciones} =~ /^([0-9]{2})/)
	expand: %{reply:Relaciones} -> -11
? Evaluating (%{reply:Relaciones} =~ /^([0-9]{2})/) -> FALSE
+? if (%{reply:Relaciones} =~ /^([0-9]{2})/) -> FALSE
- else else returns ok

Any ideas? Thank you very much.

Ana Gallardo Gómez
Re: authorize an user using a multivalue ldap attribute
Hello Alan, and thank you for your response.

> You can't really do that with unlang. I suggest using the perl module.

I followed your suggestion and wrote this:

# cat /etc/freeradius/perl/checkRelaciones.pm

    use strict;
    use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
    use Data::Dumper;
    use constant RLM_MODULE_REJECT => 0; # /* immediately reject the request */
    use constant RLM_MODULE_OK     => 2; # /* the module is OK, continue */

    sub authorize {
        my $valor;
        # rlm_perl passes a multi-valued attribute as an array reference
        my $relaciones = $RAD_REPLY{'Relaciones'};
        my @valores = ref($relaciones) eq 'ARRAY' ? @{$relaciones} : ($relaciones);
        foreach $valor (@valores) {
            if (defined $valor && $valor =~ /^([0-9]{2})/) {
                return RLM_MODULE_OK;
            }
        }
        return RLM_MODULE_REJECT;
    }

    1;

and I use this in the authorize section:

    authorize {
        ...
        files
        ...
        perl
        expiration
        ...
    }

but, when I try to run FreeRADIUS in debug mode:

...
 perl {
	module = "/etc/freeradius/perl/checkRelaciones.pm"
	func_authorize = "authorize"
	func_authenticate = "authenticate"
	func_accounting = "accounting"
	func_preacct = "preacct"
	func_checksimul = "checksimul"
	func_detach = "detach"
	func_xlat = "xlat"
	func_pre_proxy = "pre_proxy"
	func_post_proxy = "post_proxy"
	func_post_auth = "post_auth"
	func_recv_coa = "recv_coa"
	func_send_coa = "send_coa"
 }
Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
 at /usr/lib/perl/5.10/Data/Dumper.pm line 36

So, I think that I need to upgrade or something like that.

Thank you again.

Ana Gallardo Gómez
Fwd: return a special value in reply when simultaneous use
Hello again, I'm still working on this, but I can't find the solution. Can I check the result of simul_count_query?

Thank you again

Ana Gallardo Gómez
Re: return a special value in reply when simultaneous use
Hello again, I'm working with FreeRADIUS 2.1.8

I'm using session (sql) to control simultaneous use. I would like to return a special value if a user tries to access with credentials already in use.

I have it working by adding a new attribute to the request list with the result of the simul_count_query, and checking this value later in the post-auth section.

    session {
        if (%{Realm} == xxx.es) {
            update request {
                Num-Open-Session := "%{sql:SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL}"
            }
            sql
        }
    }

    post-auth {
        sql
        if (fail) {
            update reply {
                Codigo-Reject := Imposible-Contactar-Backend
            }
            reject
        }
        Post-Auth-Type REJECT {
            if (%{request:Num-Open-Session}) {
                update reply {
                    Codigo-Reject = Sesion-Abierta
                }
            }
            else {
                update reply {
                    Codigo-Reject = Credenciales-Erroneas
                }
            }
        }
    }

I think that this is not the best way to do it, but...

Thank you very much

Ana Gallardo Gómez
return a special value in reply when simultaneous use
Hello, I'm working with FreeRADIUS 2.1.8

I'm using session (sql) to control simultaneous use. I would like to return a special value if a user tries to access with credentials already in use.

The group session {...} always returns ok, so I don't know what I can do in post-auth to distinguish between all the rejects.

I tested this configuration in my default server:

    session {
        if (%{Realm} == xxx.es) {
            sql
        }
    }

    post-auth {
        if (fail) {
            update reply {
                Codigo-Reject := Imposible-Contactar-Backend
            }
            reject
        }
        sql
        Post-Auth-Type REJECT {
            if (simulcount) {
                update reply {
                    Codigo-Reject = Sesion-Abierta
                }
            }
            update reply {
                Codigo-Reject = Credenciales-Erroneas
            }
            sql
            attr_filter.access_reject
        }
    }

But it doesn't work. Here is part of the debug info for an accepted request:

[pap] User authenticated successfully
++[pap] returns ok
+- entering group session {...}
++? if (%{Realm} == xxx.es)
	expand: %{Realm} -> xxx.es
?? Evaluating (%{Realm} == xxx.es) -> TRUE
++? if (%{Realm} == xxx.es) -> TRUE
++- entering if (%{Realm} == xxx.es) {...}
. . .
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
+++[sql] returns ok
++- if (%{Realm} == xxx.es) returns ok
+- entering group post-auth {...}

And here is part of the debug info for a request rejected for simultaneous use:

[pap] User authenticated successfully
++[pap] returns ok
+- entering group session {...}
++? if (%{Realm} == xxx.es)
	expand: %{Realm} -> xxx.es
?? Evaluating (%{Realm} == xxx.es) -> TRUE
++? if (%{Realm} == xxx.es) -> TRUE
++- entering if (%{Realm} == xxx.es) {...}
. . .
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
+++[sql] returns ok
++- if (%{Realm} == xxx.es) returns ok
} # server rinuex
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++? if (simulcount)
? Evaluating (simulcount) -> TRUE
++? if (simulcount) -> TRUE

I need help. Thank you very much and sorry for my English.

-- Ana Gallardo Gómez
Re: problem with radtest + dictionary + Authen::Radius (perl)
> Which doesn't match the error message you showed above. There is *no* ATTRIBUTE line having an option.

I'm sorry, I pasted my actual dictionary...

$ cat /usr/share/freeradius/dictionary.rinuex

    # -*- text -*-
    #
    #	dictionary.rinuex
    #
    #
    #	May 2010
    #	Marco Jaraíz mjar...@unex.es
    #	Ana Gallardo aigalla...@unex.es
    #

    VENDOR		Rinuex		35782

    BEGIN-VENDOR	Rinuex

    # Code indicating the cause of the Access-Reject
    ATTRIBUTE	Codigo-Reject	8	integer	Rinuex

    VALUE	Codigo-Reject	Credenciales-Erroneas			3
    VALUE	Codigo-Reject	Cuenta-Bloqueada-Intentos-Reject	4
    VALUE	Codigo-Reject	Imposible-Contactar-Backend		5
    VALUE	Codigo-Reject	Error-Dominio				6
    VALUE	Codigo-Reject	Cuenta-Expirada				7
    VALUE	Codigo-Reject	Cuenta-Inactiva				8
    VALUE	Codigo-Reject	Radius-OK				9

    END-VENDOR	Rinuex

> Please be *consistent*.

OK, sorry and thanks for your time.

Ana

Ana Gallardo Gómez
Question about configurable module fail-over
Hello, I have FreeRADIUS 2.1.8. I want to return an error code if my FreeRADIUS can't contact the backend. Here is my authorize section:

    authorize {
        . . .
        switch %{Realm} {
            case 'temp.unex.es' {
                sql {
                    fail = 1
                }
                if (!fail (%D %{control:Expiration-Init})) {
                    update reply {
                        Codigo-Reject := Cuenta-Inactiva
                    }
                    reject
                }
            }
            case 'unex.es' {
                ldap {
                    fail = 1
                }
            }
            case {
                update reply {
                    Codigo-Reject := Error-Dominio
                }
                reject
            }
        }
        if (fail) {
            update reply {
                Codigo-Reject := Imposible-Contactar-Backend
            }
            reject
        }
        expiration {
            userlock = 1
        }
        if (userlock) {
            update reply {
                Codigo-Reject := Cuenta-Expirada
            }
        }
        pap
    }

My problem is when FreeRADIUS can't contact LDAP. Here is my debug info:

rad_recv: Access-Request packet from host X.X.X.X port 48454, id=116, length=56
	User-Name = usua...@unex.es
	User-Password = 1631
server rinuex {
. . .
++- entering switch %{Realm} {...}
+++- entering case unex.es {...}
[ldap] performing user authorization for usuario
[ldap] 	expand: %{Stripped-User-Name} -> usuario
[ldap] 	expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=usuario)
[ldap] 	expand: ou=saser,dc=unex,dc=es -> ou=saser,dc=unex,dc=es
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to X.X.X.X, authentication 0
[ldap] bind as cn=...
[ldap] waiting for bind result ...
[ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
[ldap] (re)connection attempt failed
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
[ldap] returns fail
+++- case unex.es returns fail
++- switch %{Realm} returns fail
} # server rinuex
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[reply] returns noop
++? if (%{reply:Codigo-Reject})
	expand: %{reply:Codigo-Reject} -> Credenciales-Erroneas
? Evaluating (%{reply:Codigo-Reject}) -> TRUE
++? if (%{reply:Codigo-Reject}) -> TRUE
++- entering if (%{reply:Codigo-Reject}) {...}
+++- if (%{reply:Codigo-Reject}) returns noop
++- group REJECT returns noop
[sql] 	expand: %{Stripped-User-Name} -> usuario
[sql] 	expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> usuario
[sql] sql_set_user escaped user --> 'usuario'
[sql] 	expand: INSERT INTO radpostauth (username, mac, client, reply, authdate, codreject) VALUES ( '%{User-Name}', LOWER('%{Calling-Station-Id}'), '%C', '%{reply:Packet-Type}', NOW(), '%{reply:Codigo-Reject}') -> INSERT INTO radpostauth (username, mac, client, reply, authdate, codreject) VALUES ( 'usua...@unex.es', LOWER(''), 'CAU2', 'Access-Reject', NOW(), 'Credenciales-Erroneas')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, mac, client, reply, authdate, codreject) VALUES ( 'usuario @unex.es', LOWER(''), 'CAU2', 'Access-Reject', NOW(), 'Credenciales-Erroneas')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.access_reject] 	expand: %{User-Name} -> usua...@unex.es
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 116 to X.X.X.X port 48454
	Codigo-Reject = Credenciales-Erroneas

I need help. Thank you and sorry for my English.

-- Ana Gallardo Gómez
Re: problem with radtest + dictionary + Authen::Radius (perl)
> > $ cat /usr/share/freeradius/dictionary.rinuex
> ...
> > BEGIN-VENDOR    Rinuex
>
> Which says all of the following attributes are for this vendor

OK

> > # Code indicating the cause of the Access-Reject
> > ATTRIBUTE       Codigo-Reject   8       integer Rinuex
>
> Which *duplicates* the vendor name. Do one of the following:
>
> a) delete the vendor name from the ATTRIBUTE line
> b) delete the BEGIN/END-VENDOR lines

I choose to delete the BEGIN/END-VENDOR lines for compatibility with the Authen::Radius perl package.

Thank you very much. Everything is OK now.

--
Ana Gallardo Gómez
problem with radtest + dictionary + Authen::Radius (perl)
Hello,

I'm working with Freeradius 2.1.8 and I have created my vendor dictionary. I need to use Authen::Radius (perl). This package needs a 'vendor' declaration in every 'ATTRIBUTE' line in vendor dictionaries. Following man RADIUS dictionary file http://freeradius.org/radiusd/man/dictionary.html

    *ATTRIBUTE name number type [vendor|options]*

that is possible. But when I use radtest, I have this problem:

    $ radtest u...@realm pass radius 0 claveClient
    radclient: dict_init: /usr/share/freeradius/dictionary.XXX: unknown option XXX

Thank you and sorry for my English

Ana Gallardo Gómez
Re: problem with radtest + dictionary + Authen::Radius (perl)
Hello Alan,

> > $ radtest u...@realm pass radius 0 claveClient
> > radclient: dict_init: /usr/share/freeradius/dictionary.XXX: unknown option XXX
>
> You didn't define XXX as a vendor.

I think I did...

    $ cat /usr/share/freeradius/dictionary.rinuex
    # -*- text -*-
    #
    # dictionary.rinuex
    #
    #
    # May 2010
    # Marco Jaraíz mjar...@unex.es
    # Ana Gallardo aigalla...@unex.es
    #
    VENDOR          Rinuex          35782

    BEGIN-VENDOR    Rinuex

    # Code indicating the cause of the Access-Reject
    ATTRIBUTE       Codigo-Reject   8       integer

    VALUE   Codigo-Reject   Credenciales-Erroneas            3
    VALUE   Codigo-Reject   Cuenta-Bloqueada-Intentos-Reject 4
    VALUE   Codigo-Reject   Imposible-Contactar-Backend      5
    VALUE   Codigo-Reject   Error-Dominio                    6
    VALUE   Codigo-Reject   Cuenta-Expirada                  7
    VALUE   Codigo-Reject   Cuenta-Inactiva                  8
    VALUE   Codigo-Reject   Radius-OK                        9

    END-VENDOR      Rinuex

> And there's no reason to keep the vendor name a secret. The name/number for the vendor is available in public registries.

It's true Alan DeKok. Thanks again

--
Ana Gallardo Gómez
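The two dictionary mistakes Alan points out in this thread (an ATTRIBUTE option that is not a defined vendor, which radclient reports as "unknown option", and an ATTRIBUTE that repeats the vendor of its enclosing BEGIN-VENDOR block) can be checked mechanically. The Python below is an added example, not FreeRADIUS or Authen::Radius code: it parses only the dictionary subset shown in the thread, reports both mistakes, and applies each of the two fixes Alan offered; the sample dictionary is the one posted above.

```python
# Added example: lint a FreeRADIUS-style vendor dictionary for the mistakes discussed
# in this thread.  Only VENDOR, BEGIN-VENDOR/END-VENDOR, ATTRIBUTE and VALUE lines are
# modelled, and the optional fifth ATTRIBUTE field is treated purely as a vendor name.
from dataclasses import dataclass, field


@dataclass
class Dictionary:
    vendors: dict = field(default_factory=dict)     # vendor name -> vendor number
    attributes: dict = field(default_factory=dict)  # attr name -> (number, type, vendor or None)
    values: list = field(default_factory=list)      # (attr name, value name, number)
    problems: list = field(default_factory=list)    # one string per finding


def lint_dictionary(text):
    """Parse the dictionary text and record every inconsistency found."""
    d = Dictionary()
    current_vendor = None                  # vendor of the enclosing BEGIN-VENDOR block, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        kw = parts[0]
        if kw == "VENDOR" and len(parts) >= 3 and parts[2].isdigit():
            d.vendors[parts[1]] = int(parts[2])
        elif kw == "BEGIN-VENDOR" and len(parts) == 2:
            if parts[1] not in d.vendors:
                d.problems.append(f"line {lineno}: BEGIN-VENDOR {parts[1]} before its VENDOR line")
            if current_vendor is not None:
                d.problems.append(f"line {lineno}: BEGIN-VENDOR {parts[1]} nested inside {current_vendor}")
            current_vendor = parts[1]
        elif kw == "END-VENDOR" and len(parts) == 2:
            if parts[1] != current_vendor:
                d.problems.append(f"line {lineno}: END-VENDOR {parts[1]} does not close {current_vendor}")
            current_vendor = None
        elif kw == "ATTRIBUTE" and len(parts) in (4, 5) and parts[2].isdigit():
            name, number, atype = parts[1], int(parts[2]), parts[3]
            vendor = current_vendor
            if len(parts) == 5:
                option = parts[4]
                if option not in d.vendors:
                    # radclient's complaint in this thread: the option is not a defined vendor
                    d.problems.append(f"line {lineno}: unknown option {option}")
                else:
                    vendor = option
                    if current_vendor is not None:
                        # the other mistake: the vendor is given both on the ATTRIBUTE line
                        # and by the surrounding BEGIN-VENDOR block
                        d.problems.append(f"line {lineno}: ATTRIBUTE {name} names vendor {option} "
                                          f"inside BEGIN-VENDOR {current_vendor} (vendor given twice)")
            d.attributes[name] = (number, atype, vendor)
        elif kw == "VALUE" and len(parts) == 4 and parts[3].isdigit():
            if parts[1] not in d.attributes:
                d.problems.append(f"line {lineno}: VALUE for undefined attribute {parts[1]}")
            d.values.append((parts[1], parts[2], int(parts[3])))
        else:
            d.problems.append(f"line {lineno}: unrecognised line: {line}")
    if current_vendor is not None:
        d.problems.append(f"BEGIN-VENDOR {current_vendor} is never closed")
    return d


def strip_vendor_block(text):
    """Fix b) from the thread: drop BEGIN-VENDOR/END-VENDOR, keep the vendor on each ATTRIBUTE."""
    keep = [l for l in text.splitlines()
            if not l.strip().startswith(("BEGIN-VENDOR", "END-VENDOR"))]
    return "\n".join(keep)


def strip_attribute_vendor(text):
    """Fix a) from the thread: drop the trailing vendor name from five-field ATTRIBUTE lines."""
    out = []
    for l in text.splitlines():
        parts = l.split()
        if len(parts) == 5 and parts[0] == "ATTRIBUTE":
            l = "\t".join(parts[:4])
        out.append(l)
    return "\n".join(out)


# The dictionary as posted in the thread: a vendor block plus the vendor on the ATTRIBUTE line.
RINUEX_DICTIONARY = """\
VENDOR          Rinuex          35782
BEGIN-VENDOR    Rinuex
# Code indicating the cause of the Access-Reject
ATTRIBUTE       Codigo-Reject   8       integer Rinuex
VALUE   Codigo-Reject   Credenciales-Erroneas            3
VALUE   Codigo-Reject   Cuenta-Bloqueada-Intentos-Reject 4
VALUE   Codigo-Reject   Imposible-Contactar-Backend      5
VALUE   Codigo-Reject   Error-Dominio                    6
VALUE   Codigo-Reject   Cuenta-Expirada                  7
VALUE   Codigo-Reject   Cuenta-Inactiva                  8
VALUE   Codigo-Reject   Radius-OK                        9
END-VENDOR      Rinuex
"""
```

Running `lint_dictionary` on `RINUEX_DICTIONARY` reports the duplicated vendor; after either `strip_attribute_vendor` or `strip_vendor_block` the same text lints clean.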
expiration module and reply items
Hello,

I'm working with freeradius 2.1.8 and I want to return an attribute when the expiration module returns 'userlock'. I try to add the item in the expiration module:

    /etc/freeradius# cat modules-enabled/expiration
    # -*- text -*-
    #
    # $Id$
    expiration {
        Reply-Message = "LA CUENTA HA EXPIRADO PARA %{%{Stripped-User-Name}:-%{User-Name}}"
        Codigo-Reject := Cuenta-Expirada
    }

But it doesn't work. I also try using unlang in the authorize section:

    authorize {
        . . .
        expiration
        if (userlock) {
            update reply {
                Codigo-Reject := Cuenta-Expirada
            }
        }
        pap
    }

My debug info:

    rad_recv: Access-Request packet from host port 59252, id=177, length=71
        User-Name = pru...@temp.xxx.es
        User-Password = prueba
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
    server XXX {
    . . .
    [expiration] Checking Expiration time: '1 Jun 2010'
    [expiration] Account has expired
    [expiration]    expand: Password Has Expired -> Password Has Expired
    ++[expiration] returns userlock
    }
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    . . .
    Sending Access-Reject of id 177 to 158.49.247.199 port 59252
        Reply-Message = Password Has Expired\r\n

Can somebody help me? Thank you and sorry for my English.

Ana Gallardo Gómez
Re: expiration module and reply items
Thanks a lot.

> >     Reply-Message = "LA CUENTA HA EXPIRADO PARA %{%{Stripped-User-Name}:-%{User-Name}}"
> >     Codigo-Reject := Cuenta-Expirada
> > }
> >
> > But it doesn't work.
>
> Nothing in the documentation suggests that will work.

Sometimes I don't know where I can find what I'm looking for, so I try different things :)

> Yes. Once the module returns reject or userlock, the server stops processing the section and returns. The solution is:
>
>     expiration {
>         userlock = 1
>     }
>     if (userlock) {
>         update reply {
>             Codigo-Reject := Cuenta-Expirada
>         }
>     }
>
> This is documented in doc/configurable_failover, and to a lesser extent in man unlang.

Thanks Alan, I love Freeradius and your answers :D

Ana Gallardo Gómez
Re: expired user accounts between two dates
Hello again,

eventually the solution for me is:

    -- MYSQL
    mysql> select * from radcheck where username = prueba;
    +-----+----------+--------------------+----+-------------+
    | id  | username | attribute          | op | value       |
    +-----+----------+--------------------+----+-------------+
    | 228 | prueba   | Cleartext-Password | := | prueba      |
    | 227 | prueba   | Expiration         | := | 10 Jun 2010 |
    | 231 | prueba   | Expiration-Init    | := | 20100604    |
    +-----+----------+--------------------+----+-------------+
    3 rows in set (0.00 sec)

    mysql> select * from radreply where username = prueba;
    +-----+----------+--------------+----+-------------+
    | id  | username | attribute    | op | value       |
    +-----+----------+--------------+----+-------------+
    +-----+----------+--------------+----+-------------+
    0 rows in set (0.00 sec)

    -- /etc/freeradius/sites-enable/default
    authorize {
        ...
        switch %{Realm} {
            case 'temp.XXX.es' {
                sql
                if (%D < %{control:Expiration-Init}) {
                    reject
                }
            }

Thanks

Ana Gallardo Gómez
Re: expired user accounts between two dates
Hello,

I'm working around that and my solution isn't ok, so I need help.

> > As you already may know the expiration module only works for expiration date.
>
> yes
>
> When I had this need (a long time ago and with FR1) I just did the following:
>
> * I added a new personal/local attribute in /etc/raddb/dictionary
>
>     ATTRIBUTE My-Local-Date 3000 string
>
> * setup the hint module to add the Date for incoming requests:
>
>     DEFAULT NAS-IP-ADDRESS == 192.168.1.4
>             My-Local-Date = `%D`
>
> * Then I use the local attribute to check the date (for instance if you use the rlm_sql module):
>
>     mysql> select UserName,Attribute,op,Value from radcheck where UserName='myloginname';
>     +-------------+--------------------+----+------------------+
>     | UserName    | Attribute          | op | Value            |
>     +-------------+--------------------+----+------------------+
>     | myloginname | NAS-IP-Address     | =~ | 192.168.1.[4]{1} |
>     | myloginname | My-Local-Date      | <= | 20090731         |
>     | myloginname | My-Local-Date      | >= | 20090526         |
>     | myloginname | Login-Time         | := | Wk0700-2200      |
>     | myloginname | Cleartext-Password | := | THEPASS          |
>     +-------------+--------------------+----+------------------+
>     5 rows in set (0.00 sec)

I do something similar, but it doesn't work.

    -- /etc/freeradius/sites-enable/default
    authorize {
        switch %{Realm} {
            case 'temp.xxx.es' {
                update request {
                    Expiration-Init := %D
                }
                sql
            }

    -- MYSQL
    mysql> select * from radcheck where username = prueba;
    +-----+----------+--------------------+----+-------------+
    | id  | username | attribute          | op | value       |
    +-----+----------+--------------------+----+-------------+
    | 228 | prueba   | Cleartext-Password | := | prueba      |
    | 227 | prueba   | Expiration         | := | 10 Jun 2010 |
    | 226 | prueba   | Expiration-Init    | =  | 20100604    |
    +-----+----------+--------------------+----+-------------+
    3 rows in set (0.00 sec)

    mysql> select * from radreply where username = prueba;
    +-----+----------+--------------+----+--------------------+
    | id  | username | attribute    | op | value              |
    +-----+----------+--------------+----+--------------------+
    | 374 | prueba   | Contact      | =  | XXX                |
    | 375 | prueba   | Mail-Contact | =  | XXX                |
    | 376 | prueba   | Description  | =  | Usuario de pruebas |
    +-----+----------+--------------+----+--------------------+

    -- DEBUG INFO
    rad_recv: Access-Request packet from host x.x.x.x port 42954, id=253, length=71
        User-Name = pru...@temp.unex.es
        User-Password = prueba
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
    . . .
    +- entering group authorize {...}
    . . .
    ++- entering switch %{Realm} {...}
    +++- entering case temp.unex.es {...}
        expand: %D -> 20100602
    [request] returns noop
    [sqlradiuscc]   expand: %{Stripped-User-Name} -> prueba
    [sqlradiuscc]   expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> prueba
    [sqlradiuscc] sql_set_user escaped user --> 'prueba'
    rlm_sql (sqlradiuscc): Reserving sql socket id: 2
    [sqlradiuscc]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'prueba' ORDER BY id
    [sqlradiuscc] User found in radcheck table
    [sqlradiuscc]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'prueba' ORDER BY id
    rlm_sql (sqlradiuscc): Released sql socket id: 2
    [sqlradiuscc] returns ok
    +++- case temp.unex.es returns ok
    ++- switch %{Realm} returns ok
    [expiration] Checking Expiration time: '10 Jun 2010'
    ++[expiration] returns ok
    ++[pap] returns updated
    Found Auth-Type = PAP
    +- entering group PAP {...}
    [pap] login attempt with password prueba
    [pap] Using clear text password prueba
    [pap] User authenticated successfully
    . . .
    Sending Access-Accept of id 253 to x.x.x.x port 42954
        Session-Timeout = 653611

I don't understand why this works :(

Thanks in advance and sorry for my English.

Ana Gallardo Gómez
problem whit home_server template
Hello,

I'm working with Freeradius 2.1.8. I would like to use templates in my proxy.conf file to define some home servers. My templates.conf file is:

    /etc/freeradius# cat templates.conf
    templates {
        home_server tldrediris {
            type = auth+acct
            port = 1812
            secret =
            #src_ipaddr = 127.0.0.1
            require_message_authenticator = no
            response_window = 20
            #no_response_fail = no
            zombie_period = 40
            revive_interval = 60
            status_check = status-server
            check_interval = 30
            num_answers_to_alive = 3
        }
    }

Then, in radiusd.conf I include this file:

    $INCLUDE templates.conf

And, if I have template = tldrediris in the proxy.conf file, when FreeRADIUS starts it doesn't take the values defined in templates.conf:

    /etc/freeradius# cat proxy.conf
    home_server tld-rediris1 {
        template = tldrediris
        ipaddr = X.X.X.X
    }

    /etc/freeradius# freeradius -X
    FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan 3 2010 at 14:14:04
    . . .
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/templates.conf
    including configuration file /etc/freeradius/proxy.conf
    . . .
     home_server tld-rediris1 {
        ipaddr = X.X.X.X
        port = 0
        response_window = 30
        max_outstanding = 65536
        zombie_period = 40
        status_check = none
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 300
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
     }
    /etc/freeradius/proxy.conf[26]: No port, or invalid port defined for home server tld-rediris1.

On the other hand, if I use $template tldrediris in templates.conf, FreeRADIUS doesn't know tldrediris:

    /etc/freeradius# cat proxy.conf
    home_server tld-rediris1 {
        $template tldrediris
        ipaddr = X.X.X.X
    }

    /etc/freeradius# freeradius -X
    FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan 3 2010 at 14:14:04
    . . .
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/templates.conf
    including configuration file /etc/freeradius/proxy.conf
    WARNING: No such configuration item tldrediris
    /etc/freeradius/proxy.conf[27]: Reference tldrediris not found
    Errors reading /etc/freeradius/radiusd.conf

I remember this: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59018.html

Sorry for my English and thank you very much.

--
Ana Gallardo Gómez
Re: Looking for an editor for FreeRADIUS documentation
I would like to do this job, but my English is poor, so I can't do it :(

2010/5/18 Alan DeKok al...@deployingradius.com

> Nyamul Hassan wrote:
> > Not meaning any disrespect to the paid offer, you could also reconsider to put up the current documentation in a Wiki style webpage, and from there everyone can work on the text that they think needs reworking.
>
> We already have a Wiki. Few people edit it.
>
> We already have a publicly available doc directory. Few people submit changes.
>
> Putting the existing docs into a Wiki won't magically make people submit changes.
>
> We're looking for an editor. All we want is someone who can organize and format the existing documentation. There is no need for in depth knowledge of RADIUS. There is no need to write *new* documentation.
>
> That is work which is normally seen as not fun. But it's needed. Therefore, the offer to pay for services rendered.
>
> Alan DeKok.

--
Ana Gallardo Gómez
Set NoCat user class in Access-Accept
    ] returns ok
    ++[pap] returns updated
    Found Auth-Type = PAP
    +- entering group PAP {...}
    [pap] login attempt with password claveAna
    [pap] Using clear text password claveAna
    [pap] User authenticated successfully
    ++[pap] returns ok
    +- entering group post-auth {...}
    [sql]   expand: %{User-Name} -> ana
    [sql] sql_set_user escaped user --> 'ana'
    [sql]   expand: INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ( '%{User-Name}', '%{Calling-Station-Id}', '%C', '%{Nas-IP-Address}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ( 'ana', '', 'pcCAU1', '127.0.1.1', 'Access-Accept', NOW())
    [sql]   expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
    rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ( 'ana', '', 'pcCAU1', '127.0.1.1', 'Access-Accept', NOW())
    rlm_sql (sql): Reserving sql socket id: 1
    rlm_sql_mysql: query: INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ( 'ana', '', 'pcCAU1', '127.0.1.1', 'Access-Accept', NOW())
    rlm_sql (sql): Released sql socket id: 1
    ++[sql] returns ok
    Sending Access-Accept of id 250 to X port 33606
        Reply-Message += Hola Anita
        Session-Timeout = 18189945
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 250 with timestamp +6
    Ready to process requests.

I have found the attribute Class but I think that it is more complex than I need. Any suggestion?

Thank you very much and sorry for my English.

--
Ana Gallardo Gómez
Re: R: R: R: NAS-Identifier and radgroupcheck table
> Hmm... that will cause all of the users to be rejected. Delete it.
>
> > Yes I follow this howto http://wiki.freeradius.org/SQL_Huntgroup_HOWTO and,
> >
> >     *DEFAULT Auth-Type := Reject
>
> That's not necessary. It should be deleted from the page.

Thanks

--
Ana Gallardo Gómez
Re: R: R: R: NAS-Identifier and radgroupcheck table
Hello Alan, thank you for your response.

> Where is this coming from?

I put a default entry at the bottom of the users file.
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg51143.html

My users file:

    debian:/etc/freeradius# cat users
    DEFAULT Auth-Type := Reject

    bob     Cleartext-Password := hello
            Reply-Message = "Hola %{User-Name}"

> The default configuration has *no* Auth-Type = Reject setting. You have added this locally.

I follow this howto http://wiki.freeradius.org/SQL_Huntgroup_HOWTO and, at the bottom it said:

    *Note: If you want to reject authentication by default then edit the raddb/users file and add this: *
    *DEFAULT Auth-Type := Reject *
    *Then add Auth-Type Accept with := as op in radgroupcheck for each group. *

Sorry to ask again about that, but I can't get the correct configuration.

Thank you.

--
Ana Gallardo Gómez
R: R: R: NAS-Identifier and radgroupcheck table
    WHERE username = BINARY 'ana' ORDER BY id
    rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY 'ana' ORDER BY id
    [sql]   expand: SELECT groupname FROM radusergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = BINARY 'ana' ORDER BY priority
    rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = BINARY 'ana' ORDER BY priority
    [sql]   expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'CAU1' ORDER BY id
    rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'CAU1' ORDER BY id
    rlm_sql (sql): Released sql socket id: 2
    ++[sql] returns ok
    [expiration] Checking Expiration time: '02 Dec 2010'
    ++[expiration] returns ok
    [pap] Found existing Auth-Type, not changing it.
    ++[pap] returns noop
    Found Auth-Type = Reject
    Auth-Type = Reject, rejecting user
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [sql]   expand: %{User-Name} -> ana
    [sql] sql_set_user escaped user --> 'ana'
    [sql]   expand: INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ( '%{User-Name}', '%{Calling-Station-Id}', '%C', '%{Nas-IP-Address}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ( 'ana', '', 'pcCAU1', '127.0.1.1', 'Access-Reject', NOW())
    [sql]   expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
    rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ( 'ana', '', 'pcCAU1', '127.0.1.1', 'Access-Reject', NOW())
    rlm_sql (sql): Reserving sql socket id: 1
    rlm_sql_mysql: query: INSERT INTO radpostauth (username, mac, client, nas, reply, authdate) VALUES ( 'ana', '', 'pcCAU1', '127.0.1.1', 'Access-Reject', NOW())
    rlm_sql (sql): Released sql socket id: 1
    ++[sql] returns ok
    [attr_filter.access_reject]     expand: %{User-Name} -> ana
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 133 to X.X.X.X port 45281
        Reply-Message += Hola Anita

Sorry for my English.

--
Ana Gallardo Gómez
Re: Rejecting auth from a specific realm
Sorry,

    if (Realm == 'your.realm') {
        update control {
            Auth-Type = Reject
        }
    }

Ana Gallardo Gómez
Re: Rejecting auth from a specific realm
Sorry if I'm mistaken and sorry for my English.

I think you can use one of the next two options. Correct me if I'm wrong.

OPTION A

You can use unlang doing something like that:

    ### /etc/freeradius/proxy.conf
    realm your.realm {
        # authhost = LOCAL   # not strictly necessary
        # accthost = LOCAL   # not strictly necessary
        # nostrip
    }

    ### /etc/freeradius/sites-enable/default
    authorize {
        . . .
        suffix
        if (%{Realm} == /your\.realm$/) {
            update control {
                Auth-Type = Reject
            }
        }

OPTION B

Using hints and users files:

    ### /etc/freeradius/hints
    DEFAULT Suffix == your.realm
            Hint = MYUSERS,

    ### /etc/freeradius/users
    DEFAULT Hint == MYUSERS, Auth-Type := Reject

Ana Gallardo Gómez
Re: Problem with template.conf in proxy.conf
Thank you very much Alan.

2009/11/14 Alan DeKok al...@deployingradius.com

> Ana Gallardo wrote:
> > WARNING: No such configuration item tld-rediris
> > /etc/freeradius/proxy.conf[28]: Reference tld-rediris not found
> > Errors reading /etc/freeradius/radiusd.conf
>
> I've committed a fix to git. It will be in 2.1.8.
>
> Alan DeKok.

--
Ana Gallardo Gómez
Re: Problem with server atribute in NAS table with mysql
> which means you haven't updated the SQL query to use that column.
>
>     nas_query = "SELECT id, nasname, shortname, type, secret, server FROM ${nas_table}"

That was the problem. Thank you very much Alan.

--
Ana Gallardo Gómez
Problem with server atribute in NAS table with mysql
Hello,

I'm using Freeradius 2.0.4-3 on Debian. My clients are in a MySQL database (nas table).

    +----+---------+-----------+-------+-------+----------+--------+-----------+-------------+
    | id | nasname | shortname | type  | ports | secret   | server | community | description |
    +----+---------+-----------+-------+-------+----------+--------+-----------+-------------+
    |  1 | XXX     | NODO1     | other | NULL  | secretN1 | nodes  | nodo      | Nodo Wifi   |
    |  2 | YYY     | NODO2     | other | NULL  | secretN2 | nodes  | nodo      | Nodo Wifi   |

I want to process some clients through one virtual server (server nodes{}), so I have the name of the virtual server in the server column, but this doesn't work. When I receive a request from those clients, the default server processes them. I tried changing the column name to virtual_server with the same result.

I have to put the clients with a value in virtual_server in the clients.conf file and the clients without a value in the nas table from MySQL. I tried putting them in the server section:

    ##/etc/freeradius/sites-enabled/nodes
    server nodes {
        client nodo1 {
        }
        ...
    }

but this doesn't work. I have to put them out of the server section, like this:

    ##/etc/freeradius/sites-enabled/nodes
    client nodo1 {
    }
    server nodes {
        ...
    }

and I think that this is the same as putting them in the clients file?

Thank you very much and sorry for my English.

--
Ana Gallardo Gómez
Re: Freeradius-Users Digest, Vol 55, Issue 32
> I have a problem which I and a friend here have been trying to solve for some days now.

What is your problem?

> After we have run in terminal
>
>     ./configure ; make
>     sudo make install
>
> and afterwards try to run radius with radiusd -X (same as freeradius -X if you're using freeradius installed through Synaptic Package Manager).

And when you run in debug mode?

You can try this howto that works fine:
http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html
Re: Problem with template.conf in proxy.conf
> Read raddb/templates.conf. Use:
>
>     $template name
>
> NOT
>
>     template = name

In templates.conf I can read (sorry to paste here the text):

    # A section can reference a template by using $template name
    . . .
    # Then, each home_server section in proxy.conf would
    # only list the IP address of that home server, and a
    # line saying
    #
    #   template = example.com

I use the way you told me:

    ### /etc/freeradius/proxy.conf
    home_server tld-rediris1 {
        $template tld-rediris
        ipaddr = YYY
    }

But it doesn't work:

    /etc/freeradius# freeradius -X
    FreeRADIUS Version 2.0.4, for host x86_64-pc-linux-gnu, built on Oct 20 2009 at 11:45:11
    Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License.
    Starting - reading configuration files ...
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/templates.conf
    including configuration file /etc/freeradius/proxy.conf
    WARNING: No such configuration item tld-rediris
    /etc/freeradius/proxy.conf[28]: Reference tld-rediris not found
    Errors reading /etc/freeradius/radiusd.conf

Thank you very much and sorry for my English.

--
Ana Gallardo
Re: Differencent assigments in users files
http://freeradius.org/radiusd/man/users.html

2009/11/4 Nicolas Goutte nicolas.gou...@extragroup.de

> On 04.11.2009 at 11:12, verhoem wrote:
>
> > Hello,
> > I'm a newbie in freeradius but after reading O'Reilly's Radius book for dummies I still can't figure out what the difference is between := == and = in the users file.
> >
> >     steve   Auth-Type := Local, User-Password == Testing
> >
> > etc.
>
> It should read
>
>     Cleartext-Password := Testing
>
> In FreeRadius passwords are assigned ( := ) not compared ( == ).
>
> > I also see notations like
> >
> >     Jonathan   Password = Unix-PW.
> >
> > In the end my config seems to work but I'm wondering if I'm missing out on something important.
> > Explanation or an URL would be very appreciated!
> >
> > Greetings Marcel
> >
> > --
> > View this message in context: http://old.nabble.com/Differencent-assigments-in-users-files-tp26193201p26193201.html
> > Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
> Have a nice day!
>
> Nicolas Goutte
> extragroup GmbH - Karlsruhe
> Waldstr. 49
> 76133 Karlsruhe
> Germany
> Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
> Register court: Amtsgericht Münster / HRB: 5624
> Tax no.: 337/5903/0421 / VAT ID: DE 204607841

--
Ana Gallardo Gómez
Re: regular expressions in proxy.conf
Sorry to ask again the same, but I don't know if it's OK that Freeradius adds the attribute Realm with the regex value. Thank you very much.

    rad_recv: Access-Request packet from host 127.0.0.1 port 60112, id=208, length=68
        User-Name = x...@domain.es
        User-Password = YYY
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
    +- entering group authorize
    ++[preprocess] returns ok
    ++[mschap] returns noop
    rlm_realm: Looking up realm domain.es for User-Name = x...@domain.es
    rlm_realm: Found realm ~(domain)+
    rlm_realm: Adding Stripped-User-Name = XXX
    rlm_realm: Adding Realm = ~(domain)+
    rlm_realm: Authentication realm is LOCAL.
    ++[suffix] returns noop
    rlm_eap: No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++? if (%{Realm} =~ /(temp\.)?domain\.es$/)
        expand: %{Realm} -> ~(domain)+
    ? Evaluating (%{Realm} =~ /(temp\.)?domain\.es$/) -> FALSE
    ++? if (%{Realm} =~ /(temp\.)?domain\.es$/) -> FALSE
    ++[files] returns noop
        expand: %{Realm} -> ~(domain)+
    ++- entering switch %{Realm}
    +++- entering case
    [control] returns noop
    +++- case returns noop
    ++- switch %{Realm} returns noop

I can resolve this adding this to proxy.conf:

    ### /etc/freeradius/proxy.conf
    realm domain.es {
        authhost = LOCAL    # not strictly necessary
        accthost = LOCAL    # not strictly necessary
    }
    realm temp.domain.es {
        authhost = LOCAL    # not strictly necessary
        accthost = LOCAL    # not strictly necessary
    }
    realm ~(domain)+ {
        authhost = LOCAL    # not strictly necessary
        accthost = LOCAL    # not strictly necessary
    }

But I don't know if that is the best way to resolve my problem, so I would like to reinforce my decision.

Thanks in advance and sorry for my English.

--
Ana Gallardo Gómez
Re: problem regular expressions in hints file
> > Sorry, but I don't understand. I need to add an attribute to the request
>
> Yes. The unlang documentation explains how to do that.

It is true, the unlang documentation explains how to do that very well :)

> Thanks for quoting the documentation. Did you think we didn't know about it?

Sorry, I only wanted to justify why I put this in the hints file.

> No. In the authorize section, before the files module. There are examples of this in the configuration files.

OK, now it's fine.

    #/etc/freeradius/sites-available/default
    authorize {
        preprocess
        mschap
        suffix
        eap {
            ok = return
        }
        if (%{Realm} =~ /(temp\.)?domain\.es$/) {
            update control {
                Intentos-Reject = ...
            }
        }
        files
        ...
    }

Thank you very much, Alan

--
Ana Gallardo Gómez
regular expressions in proxy.conf
Hello,

I'm using Debian and Freeradius 2.0.4-3. I want to use a regular expression in the proxy.conf file to match any request that contains the word domain in the realm (suffix mode).

    ### /etc/freeradius/proxy.conf
    realm ~(domain)+ {
        # authhost = LOCAL   # not strictly necessary
        # accthost = LOCAL   # not strictly necessary
    }

Then, in the authorize section I have:

    ### /etc/freeradius/sites-available/default
    authorize {
        preprocess
        mschap
        suffix
        eap {
            ok = return
        }
        if (%{Realm} =~ /(temp\.)?domain\.es$/) {
            update control {
                Intentos-Reject = ...
            }
        }
        files
        switch %{Realm} {
            case temp.domain.es {
                sql
            }
            case domain.es {
                redundant {
                    ldap2
                    ldap1
                    ldap3
                }
            }
            case {
                update control {
                    Auth-Type := Reject
                }
            }
        }
        expiration
        pap
    }

And, in the users file:

    ### /etc/freeradius/proxy.conf
    DEFAULT Intentos-Reject 10, Auth-Type := Reject
            Reply-Message = "NUMERO DE INTENTOS FALLIDOS(%{Intentos-Reject}) EXCEDIDO PARA %{%{Stripped-User-Name}:-%{User-Name}}"

My problem is: the Realm that Freeradius adds to the request is the regular expression... Here is my debug information:

    rad_recv: Access-Request packet from host 127.0.0.1 port 60112, id=208, length=68
        User-Name = x...@domain.es
        User-Password = YYY
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
    +- entering group authorize
    ++[preprocess] returns ok
    ++[mschap] returns noop
    rlm_realm: Looking up realm domain.es for User-Name = x...@domain.es
    rlm_realm: Found realm ~(domain)+
    rlm_realm: Adding Stripped-User-Name = XXX
    rlm_realm: Adding Realm = ~(domain)+
    rlm_realm: Authentication realm is LOCAL.
    ++[suffix] returns noop
    rlm_eap: No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++? if (%{Realm} =~ /(temp\.)?domain\.es$/)
        expand: %{Realm} -> ~(domain)+
    ? Evaluating (%{Realm} =~ /(temp\.)?domain\.es$/) -> FALSE
    ++? if (%{Realm} =~ /(temp\.)?domain\.es$/) -> FALSE
    ++[files] returns noop
        expand: %{Realm} -> ~(domain)+
    ++- entering switch %{Realm}
    +++- entering case
    [control] returns noop
    +++- case returns noop
    ++- switch %{Realm} returns noop

I can resolve this adding this to proxy.conf:

    ### /etc/freeradius/proxy.conf
    realm domain.es {
        authhost = LOCAL    # not strictly necessary
        accthost = LOCAL    # not strictly necessary
    }
    realm temp.domain.es {
        authhost = LOCAL    # not strictly necessary
        accthost = LOCAL    # not strictly necessary
    }
    realm ~(domain)+ {
        authhost = LOCAL    # not strictly necessary
        accthost = LOCAL    # not strictly necessary
    }

But I don't know if that is the best way to resolve my problem, so I would like to reinforce my decision.

Thanks in advance and sorry for my English.

--
Ana Gallardo Gómez
Re: Database Problem
> I would really appreciate if you would be able to tell me how the simplest (user/password with nothing extra returned back) authentication can be done using a database backend.

Insert in the radcheck table:

    username  -> username
    attribute -> Cleartext-Password
    op        -> :=
    value     -> cleartext password

Ana Gallardo Gómez
Re: Database Problem
Insert into the radcheck table:
	username  - username
	attribute - Cleartext-Password
	op        - :=
	value     - cleartext password

Unfortunately Cleartext-Password is not working in version 1.1.3.

Try with User-Password.

Ana Gallardo Gómez
Re: Database Problem
Can you tell me if there is a tool that I can use to test MS-CHAP authentication rather than using the local radtest? It can be a Linux or Windows app.

http://deployingradius.com/scripts/eapol_test/

Ana Gallardo Gómez
Re: Asking to Ana Gallardo
:( I'm afraid this list is not for private communications. I think it would be more appropriate for you to ask a more specific question addressed to the list. Regards.

On 30 October 2009 13:20, C. Diego Raffaelli A. <c.diegoraffae...@gmail.com> wrote:

Dear Ana: It's a pleasure to share a mailing list with you. Unfortunately I don't have the solution to your problem; I know that's probably what you were hoping for, sorry :( On the contrary, I have a question. You have installed FreeRADIUS on Debian and have also created a NAS (Network authentication server?). Is this so that, for example, your users authenticate against the RADIUS server and the NAS gives them access to certain devices? I ask because I need to implement something like that: I have a LAN that extends across the city and I need to provide usernames and passwords to manage not so much the time but the bandwidth provided to them, and also to be able to disable or reconnect their accounts. We use this to provide Internet access. I'm trying to do it on OpenBSD, since I have a manual that covers almost all the services (DHCP, DNS... and several others... EXCEPT FreeRADIUS!) :( I would like to know not how you installed it on Debian, but what you are using it for, and whether you are using a NAS... a database. Thanks for your reply. PS: Sorry for my... SPANISH xD
-- Carlos Diego Raffaelli A. MSN: carlosdiego...@hotmail.com

-- Ana Gallardo Gómez
problem regular expressions in hints file
Hello, I'm using Debian and FreeRADIUS 2.0.4-3. I want to use the hints file to add an attribute named Intentos-Reject. I would like to use only one DEFAULT entry to match both @domain.es and @temp.domain.es. If I use this DEFAULT entry the request doesn't match:

#/etc/freeradius/hints
DEFAULT	Suffix =~ @(temp\.)?domain.es$, Strip-User-Name = Yes
	Intentos-Reject = ...

###DEFAULT	Suffix == @domain.es
###	Intentos-Reject = ...

###DEFAULT	Suffix == @temp.domain.es
###	Intentos-Reject = ...

If I use this other DEFAULT entry the request matches, but FreeRADIUS doesn't add Stripped-User-Name and I can't authenticate:

DEFAULT	User-Name =~ @(temp\.)?domain.es$, Strip-User-Name = Yes
	Intentos-Reject = ...

###DEFAULT	Suffix == @domain.es
###	Intentos-Reject = ...

###DEFAULT	Suffix == @temp.domain.es
###	Intentos-Reject = ...

I don't know if I can use regular expressions with the Suffix/Prefix attributes. Thank you very much and sorry for my English.
-- Ana Gallardo Gómez
Re: problem regular expressions in hints file
Hello, I'm using Debian and FreeRADIUS 2.0.4-3. I want to use the hints file to add an attribute named Intentos-Reject. I would like to use only one DEFAULT entry to match both @domain.es and @temp.domain.es.

Don't use hints for that.

Sorry, but I don't understand. I need to add an attribute to the request:

# /etc/freeradius/hints
# The hints file. This file is used *to match*
# *a request, and then add attributes to it*. This ...

I use this attribute later, in the users file, to reject users:

# /etc/freeradius/users
DEFAULT	Intentos-Reject 10, Auth-Type := Reject
	Reply-Message = "NUMERO DE INTENTOS FALLIDOS(%{Intentos-Reject}) EXCEDIDO"

The Suffix attribute matches a suffix, not a regular expression.

OK.

Use unlang for this kind of matching. See man unlang

I saw unlang, but where must I use unlang? In the hints file? Is this not OK:

# /etc/freeradius/hints
DEFAULT	(Suffix == @domain.es || Suffix == @temp.domain.es)
	Intentos-Reject = ...

Sorry if my questions are stupid and sorry for my English. Thanks Alan.

Ana Gallardo Gómez
Re: problem regular expressions in hints file
I'm really sorry, this is stupid, I thought || was OR:

# /etc/freeradius/hints
DEFAULT	(Suffix == @domain.es || Suffix == @temp.domain.es)
	Intentos-Reject = ...

Ana Gallardo Gómez
problem with default configuration in 2.0.4-3 version
testing123
Sending Access-Request of id 186 to 127.0.0.1 port 1812
	User-Name = bob
	User-Password = hello
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=186, length=20

Thank you very much and sorry for my English.
-- Ana Gallardo Gómez
Re: problem with default configuration in 2.0.4-3 version
2009/10/22 Alan DeKok <al...@deployingradius.com>:

Ana Gallardo wrote: Hello, I have installed Debian lenny with freeradius 2.0.4-3: ... /etc/freeradius# freeradius -X ... Starting - reading configuration files ... ... including files in directory /etc/freeradius/sites-enabled/

There are no files in that directory. You either deleted them, or they were not installed by the package.

I deleted nothing in my sites-enabled directory; it was empty. I created a soft link and everything is OK now.

/etc/freeradius# ls -l sites-enabled/
total 0
lrwxrwxrwx 1 root freerad 39 oct 22 12:29 default -> /etc/freeradius/sites-available/default

Thank you very much Alan.
-- Ana Gallardo Gómez
Re: Openldap and FreeRadius2
Hi Dave, I would like to see what you learn :)

2009/6/25 Dave Rummel <daverum...@boothcreek.com>:

Would like to make a request for an account on the wiki so I can add to it.

Dave Rummel wrote: If anyone needs help in getting their OpenLDAP to work with FreeRADIUS 2, please reply back. I finally was able to figure it out and then used unlang to authorize my groups and would like to share what I have learned.

Christopher Sheldon wrote: Does anyone else who subscribes to the list specifically read every email Alan sends just to chuckle at him berating the poor, confused people seeking help? It's like reality TV. ;-) Chris.

Alan DeKok wrote: jpablorp wrote: I replaced eap.conf with the default eap.conf file and this is my debug: Where you have *deleted* the real cause of the error. [peap] Had sent TLV failure. User was rejected earlier in this session. Look EARLIER in the debug log for the failure. It's really not hard. Look for words like "reject", or "fail", or "error". The messages will tell you what is wrong, and why. All you need to do is read them. Alan DeKok.

-- Ana Gallardo Gómez
response_window and zombie_period problem
Hello, first of all, sorry for my English. I'm testing FreeRADIUS 2.0.4+dfsg-6 on Debian. I want to configure the proxy like this (proxy.conf):

# radiusxx authentication
home_server radiusxx_auth {
	type = auth
	ipaddr = 1.2.3.4
	port = 1812
	secret = secret
	response_window = 50
	zombie_period = 20
	status_check = request
	username = user
	password = pass
	check_interval = 30
	num_answers_to_alive = 3
}

# radiusxx accounting
home_server radiusxx_acct {
	type = acct
	ipaddr = 1.2.3.4
	port = 1813
	secret = secret
	response_window = 50
	zombie_period = 20
	status_check = request
	username = user
	password = pass
	check_interval = 30
	num_answers_to_alive = 3
}

# radiusyy authentication
home_server radiusyy_auth {
	type = auth
	ipaddr = 1.2.3.5
	port = 1812
	secret = secret
	response_window = 50
	zombie_period = 20
	status_check = request
	username = user
	password = pass
	check_interval = 30
	num_answers_to_alive = 3
}

# radiusyy accounting
home_server radiusyy_acct {
	type = acct
	ipaddr = 1.2.3.5
	port = 1813
	secret = secret
	response_window = 50
	zombie_period = 20
	status_check = request
	username = user
	password = pass
	check_interval = 30
	num_answers_to_alive = 3
}

#authentication pool
home_server_pool my_auth {
	type = fail-over
	home_server = radiusxx_auth
	home_server = radiusyy_auth
}

#accounting pool
home_server_pool my_acct {
	type = fail-over
	home_server = radiusxx_acct
	home_server = radiusyy_acct
}

realm myrealm.my {
	auth_pool = my_auth
	acct_pool = my_acct
	# nostrip
}

My problem is when I'm going to test failover: I stop FreeRADIUS on the xx server and I send an authentication request.

Sending Access-Request of id 143 to 1.2.3.4 port 1812
	User-Name =
	User-Password = 111
	Calling-Station-Id = 00:11:22:33:44:55
	NAS-IP-Address = 1.2.2.2
	Proxy-State = 0x3238
Proxying request 0 to home server 1.2.3.4 port 1812
Sending Access-Request of id 143 to 1.2.3.4 port 1812
	User-Name =
	User-Password = 111
	Calling-Station-Id = 00:11:22:33:44:55
	NAS-IP-Address = 1.2.2.2
	Proxy-State = 0x3238
Going to the next request
Waking up in 0.9 seconds.
Waking up in 28.9 seconds.
rad_recv: Access-Request packet from host 1.2.2.2 port 39710, id=28, length=75
Sending duplicate proxied request to home server 1.2.3.4 port 1812 - ID: 143
Sending Access-Request of id 143 to 1.2.3.4 port 1812
	User-Name =
	User-Password = 111
	Calling-Station-Id = 00:11:22:33:44:55
	NAS-IP-Address = 1.2.2.2
	Proxy-State = 0x3238
Waking up in 26.9 seconds.
rad_recv: Access-Request packet from host 1.2.2.2 port 39710, id=28, length=75
Sending duplicate proxied request to home server 1.2.3.4 port 1812 - ID: 143
Sending Access-Request of id 143 to 1.2.3.4 port 1812
	User-Name =
	User-Password = 111
	Calling-Station-Id = 00:11:22:33:44:55
	NAS-IP-Address = 1.2.2.2
	Proxy-State = 0x3238
Waking up in 23.9 seconds.
.
.
.
WARNING: Marking home server 1.2.3.4 port 1812 as zombie (it looks like it is dead).

After 30 seconds I always get an Access-Reject the first time. But if my zombie_period = 20, mustn't it mark radiusxx as zombie after 20 seconds and proxy my request to radiusyy? My response_window = 50, and FreeRADIUS must wait 50 seconds before considering the request dead.

Then, when I send another authentication request:

Sending Access-Request of id 129 to 1.2.3.4 port 1812
	User-Name =
	User-Password = 111
	Calling-Station-Id = 00:11:22:33:44:55
	NAS-IP-Address = 1.2.2.2
	Proxy-State = 0x31
Proxying request 1 to home server 1.2.3.4 port 1812
Sending Access-Request of id 129 to 1.2.3.4 port 1812
	User-Name =
	User-Password = 111
	Calling-Station-Id = 00:11:22:33:44:55
	NAS-IP-Address = 1.2.2.2
	Proxy-State = 0x31
Going to the next request
Waking up in 0.9 seconds.
Waking up in 28.9 seconds.
rad_recv: Access-Request packet from host 1.2.2.2 port 59850, id=1, length=75
FAILURE: Marking home server 1.2.3.4 port 1812 as dead.
Sending Access-Request of id 118 to 1.2.3.5 port 1812
	User-Name =
	User-Password = 111
	Calling-Station-Id = 00:11:22:33:44:55
	NAS-IP-Address = 1.2.2.2
	Proxy-State = 0x31
Proxying request 1 to home server 1.2.3.5 port 1812
Sending Access-Request of id 118 to 1.2.3.5 port 1812
	User-Name =
	User-Password = 111
	Calling-Station-Id = 00:11:22:33:44:55
	NAS-IP-Address = 1.2.2.2
	Proxy-State = 0x31
Waking up in 26.9 seconds.
rad_recv: Access-Accept packet from host 1.2.3.5 port 1812, id=118, length=23
	Proxy-State = 0x31

I don't know why FreeRADIUS doesn't send me an Access-Accept when I send the first request, after marking radiusxx (zombie_period = 20) as zombie and proxying the request to radiusyy. Thank you and sorry for my English.
Re: response_window and zombie_period problem
Thank you for your response. Certainly in the proxy.conf file we can read:

	# If the home server doesn't respond to the request within
	# this time, this server will consider the request dead, and
	# respond to the NAS with an Access-Reject.
	#
	# Useful range of values: 5 to 60
	response_window = 20

	# If the home server does not respond to ANY packets for
	# a certain time, consider it dead. This time period is
	# called the zombie period, because the server is neither
	# alive nor dead.
	#
	# Useful range of values: 20 to 120
	zombie_period = 40

My response_window = 50, zombie_period = 20. So, after 20 seconds, my FreeRADIUS must consider radiusxx dead, and then, I think, FreeRADIUS can proxy the request until the response_window = 50 time has gone. Maybe I'm mistaken, so I would like to know whether I'm in error.

When a home server does not respond to an Access-Request, the proxy process has failed and the default behavior is to reject the user's Access-Request. The proxy server marks the home server as a zombie and after another 40 seconds has passed, the proxy server marks the home server as dead. Once a server is marked dead, the proxy server will not send requests to that server. Access-Requests that are sent to the proxy server after the home server is marked dead will skip the dead home server and fail over to the next home server. Since an Access-Reject is sent to the NAS, the NAS will deny the user/device access. This will happen to all users/devices that try to authenticate when the proxy server was marked alive but it is actually dead. You can lessen the impact of a dead server by using type=load-balance instead of fail-over for the home server pool.

Why does load-balance lessen the impact?

In 2.1.6 the server can be configured to not respond when it does not receive a response from a home server. This will cause the NAS to retry the request multiple times, which will eventually cause the proxy server to send the request to the alive home server. Let me know if you want to try this and I can send an example configuration. Tim

Yes, I want to try. Thank you very much Tim.

Ana Gallardo Gómez
Re: response_window and zombie_period problem
My response_window = 50, zombie_period = 20. So, after 20 seconds, my FreeRADIUS must consider radiusxx dead, and then, I think, FreeRADIUS can proxy the request until the response_window = 50 time has gone. Maybe I'm mistaken, so I would like to know whether I'm in error.

You are mistaken. The server will be considered dead for requests *received* after the zombie period. It doesn't apply to ongoing requests.

Ok, thanks.

When a home server does not respond to an Access-Request, the proxy process has failed and the default behavior is to reject the user's Access-Request. ... You can lessen the impact of a dead server by using type=load-balance instead of fail-over for the home server pool.

Why does load-balance lessen the impact?

The idea is that only one will die at a time. Fewer requests go to the dead server before it's marked dead - fewer rejects and retries.

Ok, thanks again.

In 2.1.6 the server can be configured to not respond when it does not receive a response from a home server. This will cause the NAS to retry the request multiple times, which will eventually cause the proxy server to send the request to the alive home server. Let me know if you want to try this and I can send an example configuration.

Yes, I want to try.

It's there already, you just need to use the policy. See do_not_respond in policy.conf.

Thank you very much Ivan.

Ivan Kalik
Kalik Informatika ISP

-- Ana Gallardo Gómez
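A small model of the timing Ivan describes, as an added example (not FreeRADIUS code and not from the thread): a request already in flight to a silent home server is rejected when response_window expires, the server is marked zombie zombie_period seconds after its first unanswered packet, and only requests received after that point fail over to the next server in a fail-over pool. The server names and the arrival times in run_sample() are constructed here; response_window = 50 and zombie_period = 20 are the values from the post. The real server's state machine has more states and timers than this; the model only reproduces the "in-flight request is not re-proxied" point.

```python
"""Simplified model of FreeRADIUS 2.x fail-over timing (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Outcome = Tuple[Optional[str], str, float]   # (home server, reply to NAS, time of reply)


@dataclass
class HomeServer:
    name: str
    reachable: bool                 # constructed: does the real box answer at all?
    first_unanswered: Optional[float] = None
    zombie: bool = False


@dataclass
class FailoverPool:
    """type = fail-over: always use the first server not marked zombie/dead."""
    servers: List[HomeServer]
    response_window: float
    zombie_period: float

    def _refresh(self, now: float) -> None:
        # A server becomes zombie after zombie_period seconds without ANY answer.
        for s in self.servers:
            if (not s.zombie and s.first_unanswered is not None
                    and now - s.first_unanswered >= self.zombie_period):
                s.zombie = True

    def proxy(self, now: float) -> Outcome:
        """Proxy one request received at time `now`."""
        self._refresh(now)
        target = next((s for s in self.servers if not s.zombie), None)
        if target is None:
            return (None, "Access-Reject", now)          # no live home server left
        if target.reachable:
            return (target.name, "Access-Accept", now)
        # Silent home server: nothing re-routes a request that is already in
        # flight. The proxy retransmits until response_window expires, then
        # answers the NAS with an Access-Reject.
        if target.first_unanswered is None:
            target.first_unanswered = now
        return (target.name, "Access-Reject", now + self.response_window)


def simulate(arrivals: List[float], response_window: float, zombie_period: float,
             xx_reachable: bool = False) -> List[Outcome]:
    """Run a sequence of request arrival times through a two-server pool."""
    pool = FailoverPool(
        servers=[HomeServer("radiusxx_auth", reachable=xx_reachable),
                 HomeServer("radiusyy_auth", reachable=True)],
        response_window=response_window,
        zombie_period=zombie_period,
    )
    return [pool.proxy(t) for t in arrivals]


def run_sample() -> List[Outcome]:
    # Constructed arrival times: radiusxx was stopped just before t=0.
    return simulate([0.0, 10.0, 25.0], response_window=50, zombie_period=20)


if __name__ == "__main__":
    for t, (server, reply, when) in zip([0.0, 10.0, 25.0], run_sample()):
        print(f"request at t={t:>5}: sent to {server}, NAS gets {reply} at t={when}")
```

The first two requests arrive before radiusxx is zombie (t < 20), so both go to the dead server and the NAS gets an Access-Reject 50 seconds later; the request at t = 25 is the first one the pool routes to radiusyy, which matches the second run in the original post.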
reject_delay and freeradius as a daemon
- FreeRADIUS 1.1.7
- Debian Sarge (kernel 2.6.18-5-686)
- IBM x3550

Hello! When I run freeradius in debug mode the Access-Reject is sent after the delay indicated by the reject_delay setting. When I run freeradius as a daemon, the Access-Reject is delayed far too long when reject_delay > 0. If I set reject_delay to 0 and run as a daemon, there is no delay. In radiusd.conf I can read:

# reject_delay: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a users password.
#
# Setting this number to 0 means send rejects immediately
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# Useful ranges: 1 to 5

I have seen this thread in the mailing list from 2004 (http://lists.freeradius.org/mailman/htdig/freeradius-users/2004-September/035812.html), but I have the same problem right now. I don't know if the total delay is reject_delay + max_session_time. I can't find max_session_time. Maybe reject_delay + max_request_time? I don't know what I can do:
1. reject_delay = 0
2. a small max_request_time
...
Thank you and sorry for my English.
RE: Proxying based on SSID
I think you have to use the attribute Stripped-User-Name to authenticate the user.

Date: Wed, 24 Jan 2007 14:21:59 +0800
From: [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Proxying based on SSID

Hi, sorry if the questions have been asked. I have done a lot of searches, but could not find the answer. Normally, I proxy a PEAP request whenever the realm is unknown to us (i.e. using the DEFAULT realm without stripping the user name). However, for some SSIDs, I want requests to be handled locally with ldap, independent of what the realm is (and with the user name stripped). What I did is to find those SSIDs in Called-Station-Id and set Proxy-To-Realm to a local realm. But the problem (I guess) is that when freeradius processes the realm file, the user name is not stripped. When later on processed by the local realm, the request fails because the user name still contains the domain. Any suggestions to solve it are appreciated. Thanks in advance. Best Regards, Lai

users:
DEFAULT	NAS-Port-Type == Wireless-802.11, Called-Station-Id =~ MY-SSID$, Strip-User-Name := Yes, Autz-Type := usePlainTextPwd, Proxy-to-realm := hku.hk

DEFAULT	NAS-Port-Type == Wireless-802.11, Autz-Type := usePlainTextPwd

radiusd -X:
rad_recv: Access-Request packet from host 17.18.28.26:20002, id=136, length=152
	NAS-Port-Id = 2098/1
	Calling-Station-Id = 00-18-DE-83-3E-1B
	Called-Station-Id = 00-16-E0-FD-47-40:VIP-peap
	Service-Type = Framed-User
	EAP-Message = 0x02010012017063637732406173642e636f6d
	User-Name = [EMAIL PROTECTED]
	NAS-Port-Type = Wireless-802.11
	NAS-Identifier = 3Com
	NAS-IP-Address = 17.18.28.26
	Message-Authenticator = 0x46e6da4a3ad7d253157a9f21a110807b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
    rlm_realm: Looking up realm asd.com for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm DEFAULT
    rlm_realm: Proxying request from user pcw2 to realm DEFAULT
    rlm_realm: Adding Realm = DEFAULT
    rlm_realm: Preparing to proxy authentication request to realm DEFAULT
  modcall[authorize]: module suffix returns updated for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    users: Matched entry DEFAULT at line 171
    users: Matched entry DEFAULT at line 244
  modcall[authorize]: module files returns ok for request 0
  rlm_eap: EAP packet type response id 1 length 18
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
modcall: leaving group authorize (returns updated) for request 0
  Found Autz-Type usePlainTextPwd
Processing the authorize section of radiusd.conf
modcall: entering group usePlainTextPwd for request 0
modcall: entering group redundant for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat: '(([EMAIL PROTECTED])))'
radius_xlat: 'ou=ldap,o=hku,c=hk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.hku.hk:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as cn=net,o=hku,c=hk/M134aNaa to ldap1.hku.hk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=ldap,o=hku,c=hk, with filter (([EMAIL PROTECTED]))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module withNTPwd returns notfound for request 0
modcall: leaving group redundant (returns notfound) for request 0
modcall: leaving group usePlainTextPwd (returns notfound) for request 0
  WARNING: You set Proxy-To-Realm = hku.hk, but it is a LOCAL realm! Cancelling invalid proxy request.
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
  WARNING: Cancelling proxy to Realm hku.hk, as the realm is local.
Sending Access-Challenge of id 136 to 17.18.28.26 port 20002
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x
	State = 0xfd7f032f1c3ed7e8e39bf1872727e771
Finished request 0
Going to the next request
authorize and authenticate in proxy
Hello! I want to use FreeRADIUS as a proxy RADIUS server, and I think that my FreeRADIUS doesn't have to do authorize and authenticate: my FreeRADIUS has to process requests with realm @unex.es; the other requests have to be proxied. My configuration is:

radiusd.conf:
authorize {
	preprocess
	suffix
	files
	Autz-Type LDAP_UNEX_ES {
		ldap_unex_es
	}
	mschap
	eap
}
authenticate {
	ldap_unex_es
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}

users:
DEFAULT	Autz-Type = LDAP_UNEX_ES

proxy.conf:
realm unex.es {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
}
realm NULL {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
}
realm DEFAULT {
	type = radius
	authhost = other_server_1
	accthost = LOCAL
	secret = **
	nostrip
}
realm DEFAULT {
	type = radius
	authhost = other_server_2
	accthost = LOCAL
	secret = **
	nostrip
}

- I want to define two instances of realm DEFAULT, in case one of them fails. Is it possible?
- Does my FreeRADIUS have to do authorize and authenticate when the request has to be proxied?
- I think that in the users file I have to distinguish between requests with realm @unex.es, to set Autz-Type = LDAP_UNEX_ES, and the others... I'm lost with proxy... I need help. Thank you. Sorry for my English.
RE: problem with NT-Password and LDAP
OK, use the perl module to re-write the attribute. There is an example.pl distributed with the server that should be a good start. Alan DeKok.

I'm trying to use the perl module to authenticate users, removing white spaces from NT-Password. This is my remove_white_spaces.pl:

use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_CONFIG %RAD_PROXY %RAD_PROXY_REPLY);
use Data::Dumper;

use constant RLM_MODULE_REJECT   => 0; # /* immediately reject the request */
use constant RLM_MODULE_FAIL     => 1; # /* module failed, don't reply */
use constant RLM_MODULE_OK       => 2; # /* the module is OK, continue */
use constant RLM_MODULE_HANDLED  => 3; # /* the module handled the request, so stop. */
use constant RLM_MODULE_INVALID  => 4; # /* the module considers the request invalid. */
use constant RLM_MODULE_USERLOCK => 5; # /* reject the request (user is locked out) */
use constant RLM_MODULE_NOTFOUND => 6; # /* user not found */
use constant RLM_MODULE_NOOP     => 7; # /* module succeeded without doing anything */
use constant RLM_MODULE_UPDATED  => 8; # /* OK (pairs modified) */
use constant RLM_MODULE_NUMCODES => 9; # /* How many return codes there are */

sub hex_to_ascii ($) {
    # Convert each two-digit hex number back to an ASCII character.
    (my $str = shift) =~ s/([a-fA-F0-9]{2})/chr(hex $1)/eg;
    return $str;
}

sub ascii_to_hex ($) {
    # Convert each ASCII character to a two-digit hex number.
    (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
    return $str;
}

# Function to handle authorize
sub authorize {
    # rlm_perl hands the octet attribute over as a 0x-prefixed hex string
    my $h_str = $RAD_CHECK{'NT-Password'};
    radiusd::radlog(1, "NT-Password (hex) " . $h_str);
    my $a_str = hex_to_ascii $h_str;
    $a_str =~ s/(\s)+$//;          # drop the trailing padding
    $a_str =~ s/(0x)//;            # drop the 0x prefix left over from the decode
    radiusd::radlog(1, "NT-Password (ascii) " . $a_str);
    # the ASCII string is hex-encoded again before it is stored back
    $h_str = ascii_to_hex $a_str;
    $RAD_CHECK{'NT-Password'} = $h_str;
    radiusd::radlog(1, "NT-Password " . $RAD_CHECK{'NT-Password'});
    return RLM_MODULE_OK;
}

In radiusd.conf...

perl {
	module = /usr/local/radius/scripts_perl/quitar_espacios.pl
	max_clones = 32
	start_clones = 5
	min_spare_clones = 3
	max_spare_clones = 3
	cleanup_delay = 5
	max_request_perl_clone = 0
}

authorize {
	preprocess
	suffix
	files
	Autz-Type LDAP_UNEX_ES {
		ldap_unex_es
		perl
	}
	mschap
	eap
}

The debug information is:

rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap_unex_es returns ok for request 6
perl_pool: item 0x835eb10 asigned new request. Handled so far: 3
found interpetator at address 0x835eb10
rlm_perl: NT-Password (hex) . 0x303642313145334439343130323145314135433531433638363846324630453620202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020
rlm_perl: NT-Password (ascii) . 06B11E3D941021E1A5C51C6868F2F0E6
rlm_perl: NT-Password . 3036423131453344393431303231453141354335314336383638463246304536
rlm_perl: Added pair NT-Password = 3036423131453344393431303231453141354335314336383638463246304536
rlm_perl: Added pair User-Password = 76027476
rlm_perl: Added pair Autz-Type = LDAP_UNEX_ES
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Auth-Type = EAP
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x835eb10
  modcall[authorize]: module perl returns ok for request 6
modcall: leaving group LDAP_UNEX_ES (returns ok) for request 6
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
  rlm_mschap: Invalid NT-Password
  rlm_mschap: Told to do MS-CHAPv2 for 02747632 with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 6
modcall: leaving group authenticate (returns reject)
RE: problem with NT-Password and LDAP
Date: Thu, 28 Dec 2006 08:44:22 -0800
From: [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Re: problem with NT-Password and LDAP

Ana Gallardo Gómez wrote: Well, I can not modify the LDAP server, I can only use it, so, while I ask the LDAP administrator to modify this attribute, I would like to modify it on the FreeRADIUS server.

OK, use the perl module to re-write the attribute. There is an example.pl distributed with the server that should be a good start. Alan DeKok.

I'm going to use the perl module, but first, while I learn to use it, I tried the attr_rewrite module:

attr_rewrite quitar_espacios {
	attribute = NT-Password
	# may be packet, reply, proxy, proxy_reply or config
	searchin = config
	searchfor = 
	replacewith = 
	ignore_case = no
	new_attribute = no
	max_matches = 220
	## If set to yes then the replace string will be appended to the original string
	append = no
}

I don't know if I can use regular expressions in the searchfor field, and, in that case, what the regular expression grammar is; or if it is better with max_matches = 220 and searchfor = ...

I use this module in the authorize section:

authorize {
	preprocess
	suffix
	files
	Autz-Type LDAP_LOCAL {
		ldap_local
	}
	Autz-Type LDAP_UNEX_ES {
		ldap_unex_es
		quitar_espacios
	}
	mschap
	eap
}

and I can authenticate users:

rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap_unex_es returns ok for request 7
radius_xlat: ' '
rlm_attr_rewrite: Changed value for attribute NT-Password from '06B11E3D941021E1A5C51C6868F2F0E6                                                                                                                                                                                                                            ' to '06B11E3D941021E1A5C51C6868F2F0E6'
  modcall[authorize]: module quitar_espacios returns ok for request 7
modcall: leaving group LDAP_UNEX_ES (returns ok) for request 7

Thank you
Re: problem with NT-Password and LDAP
Ana Gallardo Gómez wrote: Hello, my problem is, I have a FreeRADIUS server that retrieves the authentication information from an OpenLDAP server; on this server the NT-Password attribute has 252 characters (32 characters of NT hash + white spaces).

Why not just update the entries in LDAP to remove the spaces? Alan DeKok.

Well, I can not modify the LDAP server, I can only use it, so, while I ask the LDAP administrator to modify this attribute, I would like to modify it on the FreeRADIUS server. I have read that there is a module to rewrite the value of an attribute on the fly, but I can't find how to use it. I have a regular expression to modify it... I have a perl script to modify it... but I don't know how to use it. Thank you
problem with NT-Password and LDAP
Hello, my problem is, I have a FreeRADIUS server that retrieves the authentication information from an OpenLDAP server; on this server the NT-Password attribute has 252 characters (32 characters of NT hash + white spaces), and the NT-Password generated in MS-CHAP has 32 characters. How can I remove the white spaces from NT-Password in the ldap module?

Debug information:
...
rlm_ldap: performing search in ou=xxx,dc=xxx,dc=xxx, with filter (cn=)
rlm_ldap: Added password xxx in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 06B11E3D941021E1A5C51C6868F2F0E6                                                                                                                                                                                                                             op=21
...
After that, LOGIN INCORRECT.

Sorry for my English. Thank you very much.
[RE]Freeradius-Users Digest, Vol 18, Issue 98
Sorry for my English... I had the same problem with FreeRADIUS and OpenSSL. I'm running Debian Sarge 3.1. My installation is:

/usr/local/openssl            -- OpenSSL binaries
/usr/local/radius             -- FreeRADIUS binaries
/usr/local/freeradius-1.1.3   -- FreeRADIUS source
/usr/local/openssl-0.9.7k     -- OpenSSL source

To compile and install OpenSSL (in /usr/local/openssl-0.9.7k):
./config shared --prefix=/usr/local/openssl
make
make install

Copy the OpenSSL library and include files to /usr/local/lib and /usr/local/include.

To compile and install FreeRADIUS (in /usr/local/freeradius-1.1.3):
./configure --prefix=/usr/local/radius
make
make install

:)