Users file and rlm_sql

2006-09-20 Thread Benoît Bianchi

Hi,

We are currently using freeradius with users file configuration for our Wireless system, authenticating through ldap and rlm_eap, which is working fine, but we'd like to use a sql database to store login/password for guest accounts. This seems to us the easiest way to manage this because we'll have to create and delete these accounts from a web interface.

Can we do this with rlm_sql? After looking at the documentation and googling about this, my feeling is that using rlm_sql will prevent the server from parsing the users file, but I'd like the users file to be parsed first and then, if there is no match, the sql database to be queried. Is this possible? Do we have to create all radius tables in the sql server even if we use only the radcheck one?

Here is our actual users file, which I don't see how to configure with rlm_mysql:

DEFAULT hint == WPA, FreeRADIUS-Proxied-To == 127.0.0.1, Ldap-Group != WPA_Allowed, Auth-Type := Reject

DEFAULT
    User-Name := %{User-Name}

Will putting sql in the authorise section of radius.conf just after file do the trick?

Thanks for your help.

Benoît.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Ldap-Group AND EAP-TTLS/Ldap Question (Again)

2006-03-16 Thread Benoît Bianchi
Hi,

Is there a way to use Ldap-Group with EAP-TTLS authentication based on LDAP???
I've set it up in my users file but it doesn't work, as the group membership check is performed on the outer identity first ...
Can I somehow specify to check the group only for the tunnelled identity?

Benoît Bianchi.
Systems Engineer
CRI / ISTY
Université de Versailles Saint Quentin en Yvelines

Ldap-Group and EAP

2006-03-03 Thread Benoît Bianchi
I have trouble setting up some authorization based on an LDAP attribute of the user:
I have different SSIDs for my wireless LAN, using WPA or WPA2 with EAP/TTLS
and LDAP auth, which works fine right now with FreeRADIUS.
How can I prevent users without some special LDAP attribute from getting
authenticated on a special SSID (which is sent with the access request as:
Called-Station-Id = 00-12-34-56-78-90:SSID)???

Pb with Mac and EAP auth

2005-12-15 Thread Benoît Bianchi

Hi,

I'm using FreeRADIUS for both MAC and WPA authentication (EAP-TTLS) of my WiFi users, and I'm facing a problem I have no idea how to solve:

In my users file I've set a list of the MAC addresses like this:

# Portable MACHIN
001122334455  Auth-Type := Accept
    Cisco-AVpair := ssid=Machin,
    Cisco-AVpair += ssid=Machin2

And for users a password crypt file, filecrypt:

DEFAULT Autz-Type := filecrypt

The problem is that when doing EAP-TTLS authentication, if I set the MAC address of one of the allowed cards as the login name, I am authenticated!!!

Is there a way to prevent this somehow? To specify that Auth-Type := Accept is only for non-EAP authentication???

Thanks for help

Benoît Bianchi.

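The failure mode in the post above is that a users-file entry keyed on a MAC address and forcing Auth-Type := Accept matches any request whose User-Name is that string, including the inner identity of an EAP-TTLS tunnel. The following Python script is an added example, not part of the original mail nor of FreeRADIUS: it parses a constructed users-file fragment modelled on the one above and flags MAC-keyed Accept entries that carry no EAP-Message !* check item; it assumes the users(5) "!*" operator (match only when the attribute is absent from the request) behaves as documented.

```python
import re

# Constructed users-file fragment modelled on the post above (not the poster's file).
USERS_FILE = """\
# Portable MACHIN
001122334455  Auth-Type := Accept
\tCisco-AVpair := "ssid=Machin",
\tCisco-AVpair += "ssid=Machin2"

# Same kind of entry, restricted to requests that carry no EAP-Message
# (assumption: the users(5) "!*" operator matches when the attribute is absent)
00aabbccddee  EAP-Message !* ANY, Auth-Type := Accept
\tCisco-AVpair := "ssid=Machin"

DEFAULT  Autz-Type := filecrypt
"""

MAC_RE = re.compile(r"^[0-9a-fA-F]{12}$")
# attribute, operator, value (quoted or bare) of one check item
PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|=\*|!\*|\+=|=)\s*("[^"]*"|[^\s,]+)')

def parse_entries(text):
    """Yield (name, check_items) per entry. Check items sit on the entry's first
    line; the indented reply-item lines that follow are not needed here."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # reply-item continuation line
            continue
        name, rest = (line.split(None, 1) + [""])[:2]
        checks = [(a, op, v.strip('"')) for a, op, v in PAIR_RE.findall(rest)]
        yield name, checks

def unguarded_mac_accepts(text):
    """Names of MAC-keyed entries that force Auth-Type := Accept without an
    EAP-Message !* check, so an EAP request with that User-Name also matches."""
    flagged = []
    for name, checks in parse_entries(text):
        if not MAC_RE.match(name):
            continue
        accepts = any(a == "Auth-Type" and op == ":=" and v == "Accept"
                      for a, op, v in checks)
        guarded = any(a == "EAP-Message" and op == "!*" for a, op, v in checks)
        if accepts and not guarded:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for mac in unguarded_mac_accepts(USERS_FILE):
        print(f"{mac}: Auth-Type := Accept reachable via EAP; add 'EAP-Message !* ANY'")
```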

RE: freeradius SSLv3 probleme

2005-11-24 Thread Benoît Bianchi
I've been facing that kind of problem too, and usually it is related to the
certificate of the client or server whose Authority isn't trusted by the other.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of awal.mohamadou
Sent: Thursday 24 November 2005 12:14
To: freeradius
Subject: freeradius SSLv3 probleme

Can someone help me please? Thanks a lot.

Alan, thanks for your help. I've found out why my server
isn't replying to the client. But unfortunately, I'm facing
another problem about certificates, such as this:

TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A

Where will I go to resolve this option? And what will I have to
do?
PS: I have Fedora 4 with freeradius 1.0.2 with MySQL 4.1.11
and a Cisco Aironet 1120 AP. The client is Windows XP Pro SP2.
Here are my logs:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 6
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = yes
 proxy: default_fallback = no
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = yes
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away
soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean
output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = /etc/shadow
 unix: group = /etc/group
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = yes
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)

How to use different passwd files

2004-11-30 Thread Benoît Bianchi
I'm trying to manage two different passwd files for 2 types of users which I
am distinguishing with a hint... I've defined 2 passwd modules in
radiusd.conf (1 for each file): let's say Mac and Users.

But I'm not able to set corresponding authentication types: when I put Mac
and Users in the authenticate section of radiusd.conf, FR doesn't start, with
message:
passwd modules aren't allowed in 'authenticate' sections

So I've put them in the Authorize section, but now FR is trying to match the
login each time with both files, even if I set MAC, Auth-Type := Mac for the
group I want to use this file.

I've understood that's not the right way to do that, even if I've found in the
mail archive someone saying that's possible.

What am I doing wrong? Was there an option to configure before compiling to
allow rlm_passwd authentication?
Or if only authorization is possible with passwd, how can I tell FR to use a
specific file for a group of users?

Thanks,
Benoît Bianchi.


