AW: MAC address authorization
Hi,

I've done this with access points from extremenetworks. There it went this way:

You have to create users in the users file in the following way:

Username: MAC-Address
Password: MAC-Address

That's all.

Maybe Cisco does it the same way (Cisco never had a good idea, only a good bank account).

Regards
André

From: Vince Nguyen [mailto:[EMAIL PROTECTED]
Sent: Saturday, 11 June 2005 01:16
To: freeradius-users@lists.freeradius.org
Subject: MAC address authorization

Please help,

I've installed Freeradius 0.9.3-1.1 to my Redhat Fedora Core 1 box, and would like to use it in conjunction with my Cisco AP1200 to simply allow authorized and registered MAC address to be on the network. Has someone done this and could show the way?

Thanks,
Vince

__
Vince T Nguyen
Systems Administrator
www.quantum.com
mailto:[EMAIL PROTECTED]
949/856.7809 (direct)
949/856.7799 (fax)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

AW: AW: Attributes Missing - Auth with ldap
Hi,

I did the ldapsearch and here is the output:

herkenra
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: uid=herkenra
# requesting: ALL
#

# search result
search: 2
result: 80 Internal (implementation specific) error
text: NDS error: no referrals (-634)

# numResponses: 1

It seems that the Novell 6.0 LDAP isn't working as expected!
I tried this on the Novell 6.5 server I use for testing and got this result:

# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: uid=andre
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

With the Novell 6.5, I could append the attribute that I defined in the "users" file without putting anything in the user directory.

Do you have any ideas? Is there a possibility to give these attributes without the exact LDAP result?

Regards
André

-Original Message-
From: Dustin Doris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 20 April 2005 16:41
To: freeradius-users@lists.freeradius.org
Subject: Re: AW: Attributes Missing - Auth with ldap

On Wed, 20 Apr 2005, Andre Herkenrath wrote:

> Hi,
> I looked at a few things:
>
> 1. the authorize section contains "ldap"
> 2. I bind with an existing user
> 3. I want to return "Filter-Id" and this is in the "ldap.attrmap"
>
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 170.56.185.59:389, authentication 0
> rlm_ldap: bind as cn=B_LDAP,o=FKEL/ to 170.56.185.59:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter
> (uid=herkenra)
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: performing user authorization for herkenra
> radius_xlat: '(uid=herkenra)'
> radius_xlat: 'OU=Abteilungen,O=FKEL'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter
> (uid=herkenra)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user herkenra authorized to use remote access

**Nothing was found for reply items.

> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0

You need to make sure that your ldap.attrmap is correct, the entry in ldap is correct, and the user you are searching with has permissions to read that value.

For ldap.attrmap, remember you match a radius attribute to an ldap attribute.

replyItem Filter-Id radiusFilterId

So you should have an entry in your directory with radiusFilterid.

dn: uid=... somestuff...
radiusFilterid: "some string"

Try it with the command line.

$ ldapsearch -x -D cn=B_LDAP,o=FKEL -w yourpassword -b "OU=Abteilungen,O=FKEL," uid=herkenra

Does that return the radiusFilterid?

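The check Dustin describes, an ldap.attrmap line compared against what ldapsearch actually returns, can be scripted. This is an added example, not part of the original thread or of FreeRADIUS; the sample entry, function names and status strings are assumptions, and attribute names are matched case-insensitively because the thread spells the attribute both radiusFilterId and radiusFilterid.

```python
# ldap.attrmap line from the thread: ItemType, RADIUS attribute, LDAP attribute.
ATTRMAP = "replyItem   Filter-Id   radiusFilterId\n"
# Constructed ldapsearch output. FAILED mirrors the result lines quoted in the
# thread; the entry in FOUND is made up for illustration.
FAILED = """\
result: 80 Internal (implementation specific) error
text: NDS error: no referrals (-634)
"""
FOUND = """\
dn: uid=herkenra,OU=Abteilungen,O=FKEL
radiusFilterid: std.ppp

result: 0 Success
"""

def parse_attrmap(text):
    """Return {ldap_attr_lowercased: radius_attr} for the replyItem lines."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {r[2].lower(): r[1] for r in rows
            if len(r) == 3 and r[0].lower() == "replyitem"}

def parse_ldapsearch(text):
    """Return (result_code, entries); each entry is {attr_lowercased: [values]}."""
    code, entries, current = None, [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            current = None  # a blank or comment line ends the current entry
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {}
            entries.append(current)
        elif current is not None:
            current.setdefault(name, []).append(value)
        elif name == "result":
            code = int(value.split()[0])
    return code, entries

def diagnose(attrmap_text, ldif_text):
    """Classify the lookup: which mapped reply attributes the first entry carries."""
    mapping = parse_attrmap(attrmap_text)
    code, entries = parse_ldapsearch(ldif_text)
    if code != 0:  # also covers output with no result line at all
        return "search-failed", {}
    if not entries:
        return "no-entry", {}
    reply = {mapping[a]: v for a, v in entries[0].items() if a in mapping}
    return ("ok", reply) if reply else ("no-mapped-attributes", {})
```

A search that succeeds but returns no entry, as in the second output above, is reported as "no-entry" rather than as a mapping problem.
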
AW: Attributes Missing - Auth with ldap
configured in the authorize section of radiusd.conf? This is where it picks up the attributes from the user's record.

2) If the answer to 1 is yes, you're doing an anonymous bind to the LDAP server. Does that give you the necessary access rights to read the record from LDAP?

3) If the answer to 2 is yes, are the attributes you're trying to read/return configured in $prefix/etc/raddb/ldap.attrmap

Hope that helps, and guides you on your way to a solution.

regards,
Mike

Andre Herkenrath wrote:
> Hi,
>
> I have a very strange problem.
> I authenticate a user against a Novell 6 Server, which is not the
> problem.
> But I need some Attributes from the authentication brought back to the
> NAS
>
> I put these in the users file and it worked with another server:
>
> Users (complete)
> -
> DEFAULT Auth-Type := LDAP, Ldap-Group == "CN=WGRAS,O=FKEL"
>     Reply-Message = "Welcome, you are allowed to have dialup access",
>     Framed-Filter-Id = "std.ppp",
>     Fall-Through = 0
> --
> The Ldap portion of the radiusd.conf (comments removed)
>
>
> ldap {
>     server = "170.56.185.59"
>     identity = "anonymous"
>     basedn = "OU=Abteilungen,O=FKEL"
>     filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>     start_tls = no
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     ldap_connections_number = 5
>     groupmembership_attribute = radiusGroupName
>     timeout = 20
>     timelimit = 20
>     net_timeout = 10
> }
>
> Strangely the binds need a very long time (up to 8 seconds each) - but
> what has this to do with the not transmitting the Attributes ??
>
> As I said, the authentication works, but the Attributes are missing -
> Any Ideas ?
>
> Regards
> Andre

Attributes Missing - Auth with ldap
Hi,

I have a very strange problem.
I authenticate a user against a Novell 6 Server, which is not the problem.
But I need some Attributes from the authentication brought back to the NAS

I put these in the users file and it worked with another server:

Users (complete)
-
DEFAULT Auth-Type := LDAP, Ldap-Group == "CN=WGRAS,O=FKEL"
    Reply-Message = "Welcome, you are allowed to have dialup access",
    Framed-Filter-Id = "std.ppp",
    Fall-Through = 0
--
The Ldap portion of the radiusd.conf (comments removed)

ldap {
    server = "170.56.185.59"
    identity = "anonymous"
    basedn = "OU=Abteilungen,O=FKEL"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    groupmembership_attribute = radiusGroupName
    timeout = 20
    timelimit = 20
    net_timeout = 10
}

Strangely the binds need a very long time (up to 8 seconds each) - but what has this to do with the not transmitting the Attributes ??

As I said, the authentication works, but the Attributes are missing - Any Ideas ?

Regards
Andre

(no subject)
Hi,

I have a very strange problem.
I authenticate a user against a Novell 6 Server, which is not the problem.
But I need some Attributes from the authentication brought back to the NAS

I put these in the users file and it worked with another server:

Users (complete)
-
DEFAULT Auth-Type := LDAP, Ldap-Group == "CN=WGRAS,O=FKEL"
    Reply-Message = "Welcome, you are allowed to have dialup access",
    Framed-Filter-Id = "std.ppp",
    Fall-Through = 0
--
The Ldap portion of the radiusd.conf (comments removed)

ldap {
    server = "170.56.185.59"
    identity = "anonymous"
    basedn = "OU=Abteilungen,O=FKEL"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    groupmembership_attribute = radiusGroupName
    timeout = 20
    timelimit = 20
    net_timeout = 10
}

Strangely the binds need a very long time (up to 8 seconds each) - but what has this to do with the not transmitting the Attributes ??

As I said, the authentication works, but the Attributes are missing - Any Ideas ?

Regards
Andre

Authentication Alternatives
Hi,

I have a little problem with authentication. I want to set up the following:

A user has to be authenticated against a Win2000 server or against a Novell 6.0 server. Each of them seems to work, but how can I put these two together?

The usernames can be e.g. [EMAIL PROTECTED] or [EMAIL PROTECTED]

I tried this with proxying on the same machine, but the authentication against ADS took a very long time, so the main Radius sent a reject.

Any ideas?

Regards
André