[PATCH] Regexp for realms

2004-07-15 Thread Arne Brutschy
Hi,
I wrote a patch that enables regular expression matching for realms.
This patch allows the use of regular expressions in the realm definitions,
so that wildcards are possible in realm names.

The example below shows a realm containing a regular expression, 
matching anything like [EMAIL PROTECTED] as well as [EMAIL PROTECTED]

realm company.com {
  regexp= ^.*company\.com
  type  = radius
  authhost  = LOCAL
  accthost  = LOCAL
}
Please note that the regular expressions must be POSIX compatible and 
will be matched case insensitive. Additionally, the regexp should be the 
same on all servers of a fail-over and round-robin realm.

I included the patch at the end of this mail. Alternatively, you can
download it from:

http://projects.nuschkys.net/patches/freeradius-CVS-2004-07-15_regex-realms.patch.gz
Regards,
Arne Brutschy
---8<---
diff -urN freeradius-CVS-2004-07-15.orig/raddb/proxy.conf 
freeradius-CVS-2004-07-15/raddb/proxy.conf
--- freeradius-CVS-2004-07-15.orig/raddb/proxy.conf	2004-07-15 
13:03:11.499855284 +0200
+++ freeradius-CVS-2004-07-15/raddb/proxy.conf	2004-07-15 
15:25:00.042755212 +0200
@@ -136,6 +136,22 @@
 #	secret		= testing123
 #}

+#  A realm containing a regular expression, matching anything like
+#  [EMAIL PROTECTED] as well as [EMAIL PROTECTED]. All
+#  requests with this realm will be handled locally.
+#
+#  Please note that the regular expressions must be POSIX compatible
+#  and will be matched case insensitive.
+#  Additionally, the regexp should be the same on all servers of
+#  a fail-over and round-robin realm.
+#
+#realm company2.com {
+#	regexp		= ^.*company2\.com
+#	type		= radius
+#	authhost	= LOCAL
+#	accthost	= LOCAL
+#}
+
 #  A realm entry with an optional fail-over realm.  A request from
 #  [EMAIL PROTECTED] will be sent to radius.isp2.com as [EMAIL PROTECTED],
 #  because the 'nostrip' directive is specified for this realm.
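Review bot: the example pattern `^.*company2\.com` is anchored only at the start, so it also matches realms that merely contain that string (company2.community.example, company2.com.other.example), and every such request would be handled locally by this entry; anchor the end, `^.*company2\.com$` or better `(^|\.)company2\.com$` so that a subdomain boundary is required, and say in the comment that an end anchor is needed, since the text only mentions POSIX syntax and case-insensitive matching.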
@@ -242,9 +258,9 @@
 #	authhost	= ipass.server.hostname:11812
 #	accthost	= ipass.server.hostname:11813
 #
-	#  The shared secret here must be the same
-	#  value as the secret of the NetServer found in the
-	#  /usr/ipass/raddb/clients file of your NetServer software.
+#  The shared secret here must be the same
+#  value as the secret of the NetServer found in the
+#  /usr/ipass/raddb/clients file of your NetServer software.
 #	secret		= mysecret
 #	nostrip
 #}
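Review bot: this hunk only re-indents three comment lines of the iPass example and is unrelated to realm regexps; drop it from the feature patch (or send it separately) so the change that needs reviewing stays minimal.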
diff -urN freeradius-CVS-2004-07-15.orig/src/include/radiusd.h 
freeradius-CVS-2004-07-15/src/include/radiusd.h
--- freeradius-CVS-2004-07-15.orig/src/include/radiusd.h	2004-07-15 
13:03:11.479858557 +0200
+++ freeradius-CVS-2004-07-15/src/include/radiusd.h	2004-07-15 
15:24:37.365463901 +0200
@@ -35,6 +35,10 @@
 #include arpa/inet.h
 #endif

+#ifdef HAVE_REGEX_H
+#include regex.h
+#endif
+
 #include missing.h
 #define NO_SUCH_CHILD_PID (child_pid_t) (0)
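Review bot: everything new in this patch is guarded by `HAVE_REGEX_H`, but no part of the patch shows the build defining it; confirm that configure already checks for regex.h, otherwise the feature compiles out silently while the new proxy.conf syntax stays documented.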
@@ -140,6 +144,10 @@
int acct_active;
time_t  acct_wakeup;
int ldflag;
+#ifdef HAVE_REGEX_H
+   regex_t *regex;
+#endif
+
struct _realm   *next;
 } REALM;
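Review bot: the `regex` member changes the size of `REALM` depending on `HAVE_REGEX_H`, so every object file that touches the struct must be built with the same setting; and because the free path in files.c dereferences the pointer whenever it is non-NULL, every site that allocates a `REALM` must set it to NULL (the old-style realm reader does so in a later hunk; the proxy.conf loader in mainconfig.c is cut off in this mail and needs checking). A one-line comment on the field saying it is heap-allocated and owned by the realm would document that contract.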
diff -urN freeradius-CVS-2004-07-15.orig/src/main/files.c 
freeradius-CVS-2004-07-15/src/main/files.c
--- freeradius-CVS-2004-07-15.orig/src/main/files.c	2004-07-15 
13:03:11.34887 +0200
+++ freeradius-CVS-2004-07-15/src/main/files.c	2004-07-15 
15:24:37.365463901 +0200
@@ -33,6 +33,10 @@
 #	include netinet/in.h
 #endif

+#ifdef HAVE_REGEX_H
+#  include regex.h
+#endif
+
 #include stdlib.h
 #include string.h
 #include netdb.h
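Review bot: the guarded include is written `#  include regex.h` here but `#include regex.h` in radiusd.h; use one form. If files.c already includes radiusd.h (not visible in this context), this copy is redundant anyway.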
@@ -314,6 +318,12 @@
while(cl) {
next = cl-next;
+#ifdef HAVE_REGEX_H
+   if (cl-regex != NULL) {
+   regfree(cl-regex);
+   free(cl-regex);
+   }
+#endif
free(cl);
cl = next;
}
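Review bot: regfree before free is the right order, but this block assumes `regex` is either NULL or a fully compiled regex_t; the loader that allocates it must free and NULL the pointer when regcomp fails, otherwise this path calls regfree on uninitialised memory. Moving the four lines into a small `realm_regex_free()` helper would also keep the `#ifdef` in one place.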
@@ -435,6 +445,14 @@
c-active = TRUE;
c-acct_active = TRUE;
+   /*
+* Regular expressions for realms are not supported
+* with the old-style realm file
+*/
+#ifdef HAVE_REGEX_H
+   c-regex = NULL;
+#endif
+
while (getword(p, opts, sizeof(opts))) {
if (strcmp(opts, nostrip) == 0)
c-striprealm = FALSE;
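Review bot: setting `c-regex = NULL` after the other field initialisers is correct but easy to miss at any other allocation site; do it where the REALM is allocated, or in one shared init helper, so the proxy.conf loader in mainconfig.c (cut off in this mail) cannot forget it.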
@@ -564,7 +582,19 @@
 */
if (strcasecmp(cl-realm, realm) == 0) {
return cl;
+
+#ifdef HAVE_REGEX_H
+   /*
+*  Check if we've got a regular expression to
+*  match against this realm.
+*/
+   } else if ((cl-regex != NULL) 
+  (regexec(cl-regex, realm, 0, NULL, 0) == 0)) {
+   return cl;
+   }
+#else
}
+#endif
 		/*
 		 *	No default realm, try to set one.
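Review bot: the regexp test sits inside the same per-entry loop as the exact-name comparison, so lookup is purely in proxy.conf order: an entry with a broad pattern (the documented `^.*company\.com`) placed before a more specific realm such as mail.company.com captures that realm's requests, which are then handled by the wrong entry, locally instead of being proxied. Do a full pass of `strcasecmp` matches first and only then try the compiled patterns, or at least document that order matters. The `#else }` / `#endif` construction also makes the closing brace depend on the preprocessor; write the regexp check as a separate `if` block so the braces are unconditional. Lastly, the case-insensitive matching promised in proxy.conf depends on the `regcomp` flags set in mainconfig.c, which this mail cuts off (REG_ICASE, plus REG_NOSUB since `regexec` is called with nmatch 0).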
diff -urN freeradius-CVS-2004-07-15.orig/src/main/mainconfig.c 
freeradius-CVS-2004-07-15/src/main/mainconfig.c
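A stand-alone model of the lookup the patch adds, written as an added example for this archive (it is not Arne's code and not FreeRADIUS code); it uses the same regex.h calls the patch uses and a constructed realm table whose first entry reproduces the `^.*company\.com` pattern from the mail, with the other entries and the probe realms assumed for the demonstration. It shows that case-insensitive matching works as documented, that the unanchored pattern also claims lookalike realms, and how walking the table once (as the patch does) differs from trying every exact name before any pattern.

```c
/* Added example, not Arne's patch and not FreeRADIUS code: a stand-alone
 * model of realm lookup with POSIX regex.h.  The table below is constructed;
 * its first entry reproduces the pattern from the mail, the rest is assumed. */
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

struct realm {
    const char *name;     /* the name in "realm <name> {" */
    const char *pattern;  /* the "regexp =" value, or NULL if none */
    regex_t    *regex;    /* compiled pattern, NULL until compiled */
};

/* Constructed proxy.conf-like table, in file order. */
static struct realm realms[] = {
    { "company.com",      "^.*company\\.com",          NULL }, /* as in the mail: no end anchor */
    { "mail.company.com", NULL,                        NULL }, /* specific realm listed later */
    { "partner.example",  "(^|\\.)partner\\.example$", NULL }, /* anchored at the end */
};
#define NREALMS (sizeof realms / sizeof realms[0])

/* Compile every pattern as the patch documents: POSIX extended syntax,
 * case-insensitive; REG_NOSUB because regexec gets nmatch == 0.
 * Idempotent, so each lookup may call it.  Returns 0, or -1 on failure. */
int realms_compile(void)
{
    for (size_t i = 0; i < NREALMS; i++) {
        if (realms[i].pattern == NULL || realms[i].regex != NULL)
            continue;
        regex_t *re = malloc(sizeof *re);
        if (re == NULL)
            return -1;
        if (regcomp(re, realms[i].pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0) {
            free(re);   /* never leave a half-initialised regex_t for regfree() */
            return -1;
        }
        realms[i].regex = re;
    }
    return 0;
}

/* Release compiled patterns in the order the patch's realm_free uses. */
void realms_free(void)
{
    for (size_t i = 0; i < NREALMS; i++) {
        if (realms[i].regex == NULL)
            continue;
        regfree(realms[i].regex);
        free(realms[i].regex);
        realms[i].regex = NULL;
    }
}

static int regex_hit(const struct realm *r, const char *realm)
{
    return r->regex != NULL && regexec(r->regex, realm, 0, NULL, 0) == 0;
}

/* Lookup shaped like the patch's realm_find: one walk over the list, where
 * either an exact (case-insensitive) name or a pattern wins immediately. */
const char *realm_find_listorder(const char *realm)
{
    if (realms_compile() != 0)
        return NULL;
    for (size_t i = 0; i < NREALMS; i++)
        if (strcasecmp(realms[i].name, realm) == 0 || regex_hit(&realms[i], realm))
            return realms[i].name;
    return NULL;
}

/* Alternative: every exact name is tried before any pattern, so a broad
 * pattern early in the file cannot shadow a specific realm listed later. */
const char *realm_find_exact_first(const char *realm)
{
    if (realms_compile() != 0)
        return NULL;
    for (size_t i = 0; i < NREALMS; i++)
        if (strcasecmp(realms[i].name, realm) == 0)
            return realms[i].name;
    for (size_t i = 0; i < NREALMS; i++)
        if (regex_hit(&realms[i], realm))
            return realms[i].name;
    return NULL;
}

int main(void)
{
    const char *probes[] = { "mail.company.com", "Sales.Company.COM",
                             "company.community.example", "eu.partner.example",
                             "notpartner.example" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const char *a = realm_find_listorder(probes[i]);
        const char *b = realm_find_exact_first(probes[i]);
        printf("%-26s list order: %-17s exact first: %s\n",
               probes[i], a ? a : "(none)", b ? b : "(none)");
    }
    realms_free();
    return 0;
}
```

Compile with `cc -o realms realms.c` and run it. The two lookups differ only for mail.company.com, the shadowing case; company.community.example is claimed by the company.com entry under both orderings because the remedy there is an end anchor in the pattern, not the lookup order. The model has no DEFAULT fallback, so notpartner.example finds nothing.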

Rewrite local realm and strip username

2004-07-12 Thread Arne Brutschy
Hi all,
I want to rewrite a local realm. The realm might be host.example.com
and I want to rewrite it to example.com. This can be accomplished by
the line
DEFAULT User-Name =~ ^([EMAIL PROTECTED])@(.*)example\.com$, \
        Proxy-To-Realm := example.com
        Fall-Through = Yes
in the users file, as Alan wrote. My problem is that my realm is LOCAL
and therefore I need to strip the realm from the username. Usually, you
can strip the username in the preproxy_users file like this:
DEFAULT User-Name =~ ^([EMAIL PROTECTED])@(.*)example\.com$
        User-Name := `${1}`
My problem is that FreeRADIUS does not process this file, as the
Proxy-To-Realm is a local realm. In the log, this message appears:
WARNING: You set Proxy-To-Realm = example.com, but it is a LOCAL Realm!
Cancelling invalid proxy request.
Any idea what I'm doing wrong, here? Or does someone know a way around it?
Regards,
Arne Brutschy
--
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
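The users-file check in the post above relies on a regexp capture to supply `${1}` (written `%{1}` in the later posts in this archive). This added example, not part of the post, works that capture through with POSIX regex.h; the archive has redacted the first group of the original pattern, so `[^@]+` is assumed here, and the input User-Names and the tighter second pattern are constructed for the demonstration.

```c
/* Added example, not from the mail: what the users-file regexp captures,
 * worked through with POSIX regex.h.  The first group of the original
 * pattern is redacted in the archive, so "[^@]+" is an assumption; the
 * User-Names below and the tighter pattern are constructed. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Pattern in the shape of the post: nothing requires a dot before example.com. */
static const char LOOSE[] = "^([^@]+)@(.*)example\\.com$";
/* Tighter variant: the realm must be example.com itself or a subdomain of it. */
static const char TIGHT[] = "^([^@]+)@(.*\\.)?example\\.com$";

/* Apply `pattern` to `user_name`; on a match, copy what ${1} expands to
 * (the part before '@') into `out`.  Returns 1 on match, 0 on no match,
 * -1 on an invalid pattern or an `out` buffer that is too small. */
int strip_realm(const char *pattern, const char *user_name, char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[2];          /* m[0] whole match, m[1] first group */
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE) != 0)
        return -1;
    rc = regexec(&re, user_name, 2, m, 0);
    regfree(&re);
    if (rc != 0)
        return 0;
    size_t len = (size_t)(m[1].rm_eo - m[1].rm_so);
    if (len + 1 > outlen)
        return -1;
    memcpy(out, user_name + m[1].rm_so, len);
    out[len] = '\0';
    return 1;
}

/* Convenience wrapper: the stripped name from a static buffer, or NULL
 * when the pattern does not match (or is invalid). */
const char *stripped(const char *pattern, const char *user_name)
{
    static char buf[256];
    return strip_realm(pattern, user_name, buf, sizeof buf) == 1 ? buf : NULL;
}

int main(void)
{
    const char *names[] = { "arne@host.example.com", "arne@example.com",
                            "arne@notexample.com", "Arne@HOST.Example.COM" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *l = stripped(LOOSE, names[i]);
        const char *t = stripped(TIGHT, names[i]);
        printf("%-24s loose: %-6s tight: %s\n", names[i],
               l ? l : "(no)", t ? t : "(no)");
    }
    return 0;
}
```

The loose pattern accepts arne@notexample.com because `(.*)example\.com$` does not require a dot before example.com; when such a match decides that a request stays local, that is the check worth tightening, which is what the second pattern does. REG_ICASE mirrors the case-insensitive matching the realm patch documents.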


Re: Using wildcards in realm

2004-07-08 Thread Arne Brutschy
Alan DeKok wrote:
|   You can use the preproxy_users file to re-write the User-Name
| before it's proxied.
|
Yes, but it's never being processed, because uni-leipzig.de is my
local realm. So the proxying request gets canceled:
   WARNING: You set Proxy-To-Realm = uni-leipzig.de, but it is a LOCAL Realm!
   Cancelling invalid proxy request.
So the preproxy_users file won't be processed. Is there any way
around it? Or do I get something wrong here?
Regards,
Arne


Re: Using wildcards in realm

2004-07-05 Thread Arne Brutschy
Alan DeKok wrote:
|~  WARNING: You set Proxy-To-Realm = foo.com but it is a LOCAL realm!
|~  Cancelling invalid proxy request.
|
|   That's a WARNING, in large letters.  It's not an error.
|
Yes, I got confused by the line "Cancelling invalid proxy request". I
thought the request fails because of this line.
The problem is that this solution does not strip the realm from the
username. How do I accomplish this? I tried:
DEFAULT User-Name =~ ^([EMAIL PROTECTED])@(.*)uni-leipzig\.de$, \
        Proxy-To-Realm := uni-leipzig.de, User-Name := `%{1}`
        Fall-Through = Yes
...but it does not work. Any suggestions?
Regards,
Arne Brutschy


Client member in multiple huntgroups

2004-07-05 Thread Arne Brutschy
Hi,
I have clients that are in multiple huntgroups (i.e. in dot1xswitches,
used for 802.1x auth, and shellaccess, used to give access to the config
shell of this switch). Is it possible to have a client in multiple
huntgroups?
Regards,
Arne


Re: Client member in multiple huntgroups

2004-07-05 Thread Arne Brutschy
Thomas MARCHESSEAU wrote:
| DEFAULT Realm == realm.net, Huntgroup-Name == bas, Autz-Type :=
| autz.realm1.net
| DEFAULT Realm == realm.net, Huntgroup-Name == lns, Autz-Type :=
| autz.realm2.net
|
| I check for Nas-Ip-Address to assign the correct huntgroup and the
| correct authentication method.
|
Yes, but this won't work if you have in the huntgroups file:
bas == 192.168.1.1
bas == 192.168.1.2
lns == 192.168.1.1
If the client 192.168.1.1 tries to authenticate, the line
DEFAULT Realm == realm.net, Huntgroup-Name == lns, Autz-Type :=
autz.realm2.net
fails, as the huntgroup file matches on the bas group. Or did I
understand your config wrong?
Regards,
Arne


Schema file for iPlanet/Sun One Directory Servers 5.x

2004-07-01 Thread Arne Brutschy
Hello,
I converted the RADIUS-LDAPv3.txt schema file so it can be used with
iPlanet/Sun One Directory Servers 5.x. I'm sure several people already
converted it, but I couldn't find it on the web and/or mailing list, so
I share it.
You can download it here:
http://projects.nuschkys.net/freeradius-ldapv3-schema-for-iplanet-ds5x.ldif.gz
or simply copy it from this mail:
--- 8< snip ---
# This is a LDAPv3 schema for RADIUS attributes.
# Tested on OpenLDAP 2.0.7
# Posted by Javier Fernandez-Sanguino Pena jfernandez at sgi.es
# LDAP v3 version by Jochen Friedrich jochen at scram.de
# Updates by Adrian Pavlykevych pam at polynet.lviv.ua
# Converted for use with iPlanet/Sun Directory Servers 5.x by Arne Brutschy abrutschy at xylon.de
##
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.1 NAME 'radiusArapFeatures' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.2 NAME 'radiusArapSecurity' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.3 NAME 'radiusArapZoneAccess' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusAuthType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.4 NAME 'radiusCallbackId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddress' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.10 NAME 'radiusFramedAppleTalkLink' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.11 NAME 'radiusFramedAppleTalkNetwork' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.12 NAME 'radiusFramedAppleTalkZone' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompression' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.14 NAME 'radiusFramedIPAddress' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.15 NAME 'radiusFramedIPNetmask' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.16 NAME 'radiusFramedIPXNetwork' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtocol' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX

Re: Schema file for iPlanet/Sun One Directory Servers 5.x

2004-07-01 Thread Arne Brutschy
Arne Brutschy wrote:
| or simply copy it from this mail:
|
Oops, sorry, my stupid mail program wrapped the lines. So just download
it, in case you need it. I still can't figure out why my da**
Thunderbird disables the "Paste Without Formatting" button.
Regards,
Arne


Using wildcards in realm

2004-07-01 Thread Arne Brutschy
Hi,
I want to use wildcards in my realm for proxying. But the method posted
by Alan does not work. If I set
   DEFAULT User-Name =~ @foo, Proxy-To-Realm := foo.com
I get an error:
   WARNING: You set Proxy-To-Realm = foo.com but it is a LOCAL realm!
   Cancelling invalid proxy request.
foo.com is my local realm, and I need the DEFAULT realm to be proxied to
another server. I want to handle all realms like @.*foo\.com on my
local server (and the NULL realm), everything else should be forwarded
using the DEFAULT realm.
Any Ideas?
Regards,
Arne


Re: [OT] Freeradius Cisco Aironet 1200 with 802.1x, EAP, VLANs and WEP key rotation

2004-03-25 Thread Arne Brutschy
Michael Griego wrote:
Amazingly enough, I ran into this exact scenario last night as I was
testing RADIUS-assigned VLANs for the first time on an Aironet 1100. 
Setting up dummy ssid sections with the same settings as my primary ssid
(with the exception of the vlan) fixed this problem.  ie:

[..]

And so on and so forth...  Your clients will never associate with your
secondary ssids, only your primary ssid.  The ssid sections seem to be
necessary, however, for clients to be placed on whatever VLANs your
RADIUS server may place them on.  I couldn't find any reference in the
Cisco documentation specifically saying You must have ssid sections for
each VLAN you assign from RADIUS, but I did it on a hunch and it worked
for me.
I figured out that the problem of not associating is a bug in the
Meetinghouse client! ARGH! I really like this piece of software, but
this renders it nearly useless.. Anyway, I tried again with Funk's
Odyssey client, and *tada* it worked perfectly! Even without the
dummy SSIDs. But when I enabled optional WPA support on my primary SSID,
I got the every-10-seconds-reauthentication behaviour. This went away
after adding dummy SSIDs as you described. So you can get away with one
single SSID, as long as you aren't using WPA..

I'm now trying to find out what's wrong with the Aegis client - the 
Odyssey Client works perfectly but is sort of .. strange.

Thanks for your help,
Arne


[OT] Freeradius Cisco Aironet 1200 with 802.1x, EAP, VLANs and WEP key rotation

2004-03-24 Thread Arne Brutschy
Hello,

I'm trying to set up the following structure:

A client authenticates via 802.1x and EAP-TTLS at the access point
(Cisco Aironet 1200, 12.2(13)JA3). The RADIUS server (freeradius cvs
snapshot) authenticates the client, reads the user's VLAN from the
directory and tells the access point in which VLAN the user should be.
I use only one single SSID, configured as guest-mode, native vlan 228.
All VLANs should use 128bit WEP encryption with key rotation. The
SSID's accepted method is Open with EAP.
My problem is the following: When I enable mandatory on the native
VLAN (= the VLAN the user is in before he will be switched to his home
VLAN), the user never associates. It seems that the user never has the
right to communicate with the access point, even when it's only for
authenticating and getting the WEP keys. It doesn't change anything
when I'm enabling Network-EAP..
When I'm switching the native VLAN's encryption setting from
mandatory to optional, the client authenticates just right, gets
his keys, will be switched to his home VLAN and is WEP encrypted.
Works nicely, and it's exactly the same configuration I used with my
old Aironet 350 AP for testing.
BUT there is one strange error: the client re-authenticates every 10
seconds! So the client can't do anything except authentication.. I
encounter the same strange behaviour on my Aironet 350, but only with
enabled key rotation. On the Aironet 1200, it doesn't seem to matter
if I'm using key rotation or not.
Has anyone encountered this type of behavior or can someone tell me
how to set up this structure properly?
Regards,
Arne Brutschy
My cisco config:

..
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 226 mode wep mandatory
 !
 encryption vlan 225 mode wep mandatory
 !
 encryption vlan 228 mode wep optional
 !
 broadcast-key vlan 226 change 600
 !
 broadcast-key vlan 225 change 600
 !
 broadcast-key vlan 228 change 600
 !
 !
 ssid 802.1X
vlan 228
authentication open eap eap_methods
guest-mode
infrastructure-ssid optional
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
36.0 48.0 54.0
 rts threshold 2312
 station-role root
 dot1x reauth-period 600
!
interface Dot11Radio0.225
 encapsulation dot1Q 225
 no ip route-cache
 bridge-group 225
 bridge-group 225 subscriber-loop-control
 bridge-group 225 block-unknown-source
 no bridge-group 225 source-learning
 no bridge-group 225 unicast-flooding
 bridge-group 225 spanning-disabled
!
interface Dot11Radio0.226
 encapsulation dot1Q 226
 no ip route-cache
 bridge-group 226
 bridge-group 226 subscriber-loop-control
 bridge-group 226 block-unknown-source
 no bridge-group 226 source-learning
 no bridge-group 226 unicast-flooding
 bridge-group 226 spanning-disabled
!
interface Dot11Radio0.228
 encapsulation dot1Q 228 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
..

As said before, the radius server is freeradius (current CVS
snapshot), the client is Windows 2000 with Aegis Client software,
using Cisco Aironet 350 or a/b/g client adapter.


EAP-TTLS multiple ldap settings

2004-02-26 Thread Arne Brutschy
Hi,

I'm trying to use freeradius with EAP-TTLS and multiple ldap settings.
Multiple ldap settings because each of them is looking at a different
access attribute and profile dn attribute. I want to select one of the
ldap sources for the huntgroup used for wireless clients, the other one
for the wired clients' huntgroup.

If I understood it right, this should work when I set my authorize
section to:

  preprocess
  files
  Autz-Type wiredLDAP {
 wiredLDAP
  }
  eap
In my users file I have:

DEFAULT Service-Type == Framed-User, Huntgroup-Name == dot1xWired, \
Autz-Type := wiredLDAP
  NAS-Port-Type = Ethernet,
  Fall-Through = No
So I thought the request would go through the authorize section, first
preprocessing the huntgroups, then selecting the DEFAULT entry in the
users file, adding Autz-Type as a check-item and selecting the
appropriate Autz-Type based on that item.

However, this doesn't work when I'm using TTLS; it works only when
I have an authorize section like this:

  preprocess
  files
  wiredLDAP
  eap
I think it might have something to do with the eap-ttls module proxying
the request back to the localhost, now using the request items from
inside the tunnel. If the ldap section gets executed in any case (as in
the second auth section) it works just fine. When I'm using the first
auth section, I get a "no Auth-Type found for this request" error,
because no ldap section was processed.

Has anyone encountered problems like this? Is this a bug/not available 
feature or just a stupid misconfiguration?

Regards,
Arne






Re: Problems with EAP/TTLS+PAP and LDAP

2004-02-16 Thread Arne Brutschy
Alan DeKok wrote:

  Why the heck are you doing packet sniffing when you could run the
server in debugging mode to see what it's doing?
I was running debug mode - but the setting use_tunneled_reply didn't
change anything. After a day of debugging I realized that this was the
most idiotic configuration error I've ever made:

Before installing the cvs version of freeradius, I moved the /etc/raddb
dir to /etc/raddb.bak so make install couldn't mess up my config dir.
Afterwards, I copied it back. But I still had vi open on radiusd.conf..
So I edited my backup the whole day and was already debugging config.c
when I realized this! I think I should go home now.. ;)

Thanks anyway,
Arne