Re: configuration parameters for perl module in rlm_perl

2013-09-14 Thread Cornelius Kölbel

On 14.09.2013 14:50, Alan DeKok wrote:
> Cornelius Kölbel wrote:
>> I would like to avoid having the perl module read an additional
>> configuration file.
>   Then edit the source code to rlm_perl, and add those features.
>
>> Is there a possibility to add such parameters somewhere in the freeradius
>> config like in
>> /etc/freeradius/modules/perl and then have the perl module access these
>> parameters?
>   No.
Thanks for the clarification!
>
>   Why is it a problem to read a configuration file?
Just to avoid too many config files...
But now I will do so.

Thanks a lot
Cornelius
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


configuration parameters for perl module in rlm_perl

2013-09-14 Thread Cornelius Kölbel
Hi list,

is there a recommended way to pass configuration parameters to an
rlm_perl module?
My rlm_perl module would need to have additional configuration parameters.

I would like to avoid having the perl module read an additional
configuration file.
Is there a possibility to add such parameters somewhere in the freeradius
config like in
/etc/freeradius/modules/perl and then have the perl module access these
parameters?

Thanks a lot and kind regards
Cornelius


Re: LinOTP

2013-08-13 Thread Cornelius Kölbel
Hi Sergii,

this is in fact possible, but not with the OSS components of LinOTP.
Unfortunately, the SQL Resolver is at the moment only part of an
enterprise edition.
To go with the OSS components you need to create a flatfile resolver.
But as Alan stated, this is no topic for this mailing list; for further
questions you should join
http://www.linotp.org/support.html

Kind regards
Cornelius

On 13.08.2013 14:20, Sergii Bieliaievskyi wrote:
> Hello.
>
> I am currently trying to install LinOTP with FreeRADIUS. I spent 3-4
> hours getting the perl script from
> http://www.howtoforge.com/how-to-use-freeradius-with-linotp-2-to-do-two-factor-authentication-with-one-time-passwords
> to work.
> There was a problem with LWP::UserAgent and the ssl connection (Error:
> rlm_perl: perl_embed:: module = /usr/local/etc/raddb/radius.pl,
> func = authenticate exit status= Error at
> https://172.16.17.18/validate/simplecheck  500 Can't connect to
> 172.16.17.18:443)
> But I changed the script a little bit and faced another problem that concerns
> UserIdResolving. Is it OK that the Community Edition reports "Error
> saving sql configuration: No module named
> useridresolveree.SQLIdResolver"?
> I want to have a single username database and want to connect LinOTP to
> the radius mysql database. Is it possible?

-- 
Cornelius Kölbel
(Head of Product Management)
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel: +49 6151 86086-252, Fax: -299, Mobil: +49 160 96307089
Registered office: Weiterstadt, Darmstadt District Court: HRB8649
Managing directors: Oliver Michel, Sven Walther, Dr. Peter Schill

Re: Any One-Time password system.

2013-05-14 Thread Cornelius Kölbel
Hi Sergii,

if one day you want to use not only motp but also other token
types like HOTP, TOTP, SMS or OCRA tokens, you might want to take a look
at LinOTP (http://linotp.org), which also integrates well with FreeRADIUS.

OK, to be honest, we try to make our living selling licenses and support
for an enterprise version of the open source LinOTP solution.
Of course the AGPL-licensed LinOTP can be used free of charge.

Kind regards
Cornelius

On 14.05.2013 20:40, Michael Schwartzkopff wrote:
>
> On Tuesday, 14 May 2013, 10:26:17, Sergii Bieliaievskyi wrote:
>
> > I am reading about MOTP and really hope to implement it in my network.
> > Could I count on your help if I have difficulties?
>
> Of course. That is what the mailing list exists for.
>
> On the other hand I earn my money with consulting ;-)
>
> Kind regards,
>
> Michael Schwartzkopff
>
> --
> [*] sys4 AG
> http://sys4.de, +49 (89) 30 90 46 64
> Franziskanerstraße 15, 81669 München
> Registered office: München, Amtsgericht München: HRB 199263
> Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
> Chairman of the supervisory board: Florian Kirstein


Re: 2 Factor Authetication and EAP-GTC

2012-07-08 Thread Cornelius Kölbel
Hi Carl,
This heavily depends on your OTP backend.
The problem arises when the OTP is not passed to the radius server, which is
the case with all challenge response protocols. Then the backend cannot easily
predict which OTP value the user has entered, due to time drifts (time
based) or blank presses (event based). I.e. such a backend should check against a
bunch of acceptable OTP values. And this means you need a freeradius module
that is capable of communicating with the OTP backend in the right way.
Kind regards
Cornelius 



On 09.07.2012 at 07:07, Carl Pierre wrote:

> Hello:
> 
> I have recently been made a part of a project in which we intend to use 
> freeradius.
> So far, FR seems to be the ideal tool except for one small issue: 2-Factor 
> Authentication.
>  
> Try as I might, I cannot seem to find any way to set up a multi-factor 
> solution using PEAP.
> So I suppose my question is this: has anyone had any luck using EAP and 
> challenging the 
> user to enter some sort of OTP? I know that EAP-GTC is meant to do this, but 
> the meager
> documentation I have on it does not give too much detail.
> 
> Regards


Re: Logrotate tool

2012-05-14 Thread Cornelius Kölbel
Hi,

you could also try to use
copytruncate

This will not remove the current log file, but will copy the logfile and
then try to truncate, so that you should not run into file handle issues.

Kind regards
Cornelius

On 14.05.2012 16:15, yagizozen wrote:
> Hello everyone,
>
> As you know, FR has a radius.log file under the /var/log/radius directory. I
> noticed that inside the logrotate file, radius.log is set to rotate every
> month.  Like this:
>
>  /var/log/radius/radius.log {
>    monthly
>    rotate 100
>    create
>    missingok
>    compress
>  }
>
> This is by default. I changed this to "daily" but the problem is, I need to
> restart radius every time when the new day comes in order to write to the NEW
> radius.log file. If I do not restart, it tries to point to the compressed version
> of the old radius.log.
>
> Why is that? 
>
> I also cannot do this inside an external script. When I rename the file
> inside the script, it still writes to the new renamed radius.log file. Any
> suggestions or any place for me to read?
>
> Thank you in advance.
>
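
To make the two rotation strategies in this thread concrete, here is an added Python simulation (not from the thread, and not FreeRADIUS or logrotate code). It opens a log file once and keeps the descriptor, as a daemon does, rotates it underneath, and shows where the next line ends up: after a rename the daemon keeps writing into the renamed inode (the behaviour yagizozen saw), while copytruncate keeps the inode and the descriptor. It also shows the caveat a practitioner should know: copytruncate only produces a clean file if the daemon opened the log with O_APPEND; otherwise the next write lands at the old offset and leaves a run of NUL bytes. Whether radiusd itself opens its log with O_APPEND is not stated in the thread and is not assumed here. File names and line contents are constructed; a POSIX filesystem is assumed.

```python
"""Why a daemon keeps writing to the rotated file, and what copytruncate changes."""
import os
import shutil
import tempfile
from typing import Callable, Dict


def open_log_like_a_daemon(path: str, append: bool) -> int:
    """Open the log once and keep the descriptor, as a long-running daemon does."""
    flags = os.O_WRONLY | os.O_CREAT | (os.O_APPEND if append else 0)
    return os.open(path, flags, 0o640)


def rotate_by_rename(log_path: str) -> None:
    """logrotate's default with 'create': rename the file, create a fresh empty one.
    The daemon's descriptor still refers to the renamed inode, so its next lines
    land in radius.log.1 until it is restarted or told to reopen its log."""
    os.rename(log_path, log_path + ".1")
    os.close(os.open(log_path, os.O_WRONLY | os.O_CREAT, 0o640))


def rotate_copytruncate(log_path: str) -> None:
    """logrotate's 'copytruncate': copy the contents away, then truncate in place.
    The inode, and therefore the daemon's descriptor, stays the same."""
    shutil.copyfile(log_path, log_path + ".1")
    os.truncate(log_path, 0)


def simulate(rotate: Callable[[str], None], append: bool) -> Dict[str, bytes]:
    """Run one rotation while a simulated daemon holds the log open across it.
    Returns the bytes found afterwards in the current log and in the rotated copy."""
    tmp = tempfile.mkdtemp()
    log = os.path.join(tmp, "radius.log")  # constructed file name
    try:
        fd = open_log_like_a_daemon(log, append)
        os.write(fd, b"line1\n")
        rotate(log)
        os.write(fd, b"line2\n")  # the daemon does not know anything happened
        os.close(fd)
        with open(log, "rb") as f:
            current = f.read()
        with open(log + ".1", "rb") as f:
            rotated = f.read()
        return {"current": current, "rotated": rotated}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print("rename + create:           ", simulate(rotate_by_rename, append=True))
    print("copytruncate, O_APPEND:    ", simulate(rotate_copytruncate, append=True))
    print("copytruncate, no O_APPEND: ", simulate(rotate_copytruncate, append=False))
```

Two further points worth keeping in mind when choosing copytruncate: any line the daemon writes between the copy and the truncate is lost (logrotate's own documentation states this), and the rotated copy is a new file, so its ownership and mode come from the copying process rather than from the daemon.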

Re: Multiple challenges to login

2012-05-14 Thread Cornelius Kölbel
Hello,
I would take a look at the cookies in your browser. I would suspect that
you got two cookies: the browser might not send the cookie for some
internal URL that gets called on your site (maybe because it is not
the FQDN but the IP). Then the cookie will not be sent and you need to
authenticate again...
...and you will receive a second cookie...

Kind regards
Cornelius

On 14.05.2012 14:36, Maria Sanchez wrote:
> We are having problems when accessing our sites. No matter which browser we
> use to access it, it always requests authentication twice.
> We have an Apache web server (v.2.2) with mod_auth_radius 2.0 installed, and
> we have mounted a Jboss application using the mod_jk module and protected access
> to it.
>
> I am not able to find any information about this and this is becoming a big 
> problem.
>
> This is the configuration for radius.conf:
>
> 
> AuthType Basic
> AuthName "RADIUS authentication"
> AuthBasicAuthoritative Off
> AuthRadiusAuthoritative on
> AuthRadiusCookieValid 0
> AuthRadiusActive On
> require valid-user
> 
>
> I have been playing with the values of the cookies, I originally had it in 5 
> and changed it to 0 but didn't help.
>
> Any ideas why this can be happening?
>
> Thanks,
> Maria
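
Cornelius's guess above is about cookie scope. The following added Python example (not from the thread, and not mod_auth_radius code) models what a browser does with a host-bound session cookie, using the standard library's cookie jar offline: a cookie set by portal.example.com is attached to later requests for that host name, on any port, but not to a request for the same server addressed by its IP, and a cookie flagged Secure is withheld from a plain-http URL. The host names, the IP address, the cookie name AUTH_SESSION and its value are assumptions for illustration; the thread does not show mod_auth_radius' actual cookie.

```python
"""Model of browser cookie scoping: a session cookie set for one host name is not
sent to another host name, including the same machine addressed by IP."""
import email.message
import http.cookiejar
import urllib.request
from typing import Dict, Iterable, Optional


class _LoginResponse:
    """Minimal stand-in for an HTTP response (constructed) carrying Set-Cookie headers,
    enough for CookieJar.extract_cookies to run without a network."""

    def __init__(self, set_cookie_values: Iterable[str]):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def login(login_url: str, set_cookie: str) -> http.cookiejar.CookieJar:
    """Store the cookie the way a browser would after a successful response from login_url.
    With no Domain attribute the cookie is bound to exactly that host name."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_LoginResponse([set_cookie]), urllib.request.Request(login_url))
    return jar


def cookie_header_for(jar: http.cookiejar.CookieJar, url: str) -> Optional[str]:
    """The Cookie header the browser model would attach to a request for url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def scope_report(jar: http.cookiejar.CookieJar, urls: Iterable[str]) -> Dict[str, bool]:
    """For each URL, whether the stored cookie would be sent with a request to it."""
    return {url: cookie_header_for(jar, url) is not None for url in urls}


if __name__ == "__main__":
    # hypothetical login URL and cookie; the second variant carries the Secure flag
    jar = login("https://portal.example.com/app/", "AUTH_SESSION=abc123; Path=/")
    for url, sent in scope_report(jar, [
        "https://portal.example.com/app/page",
        "https://portal.example.com/internal/",
        "https://portal.example.com:8443/app/",
        "https://192.0.2.10/app/page",   # same server, addressed by IP: not sent
    ]).items():
        print(f"{str(sent):5} {url}")
```

If an application behind the portal redirects or embeds resources under a different host name (an IP, a short name, or a second FQDN), every such hop starts without the session cookie and is challenged again; the fix is to reference the site consistently by the name the cookie was set for, not to loosen the cookie's scope.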

Re: Using freeRadius with OTP and gateway

2012-03-07 Thread Cornelius Kölbel
Hello Mercier,

the interesting part about your idea is that the user sends the SMS to
authenticate; this avoids you having to pay for the SMS.
Most solutions send the SMS with the OTP to the user, so that you, the
provider, have to pay for sending the SMS.
Nevertheless you might take a look at LinOTP, which does one time
password authentication and comes with a freeradius module, so that
integration in your scenario could be rather simple. Also in this case
the RADIUS server does not know the users, but the auth request (with
user and OTP) is forwarded to the linotp daemon, which in turn is able
to verify the username and the provided OTP. The users can be fetched
from any flat file and/or LDAP and/or SQL database.
The only drawback for your case is the question of "who sends the SMS".

Kind regards
Cornelius



On 07.03.2012 13:56, Mercier Valentin wrote:
> Hi everyone,
>
> I'm using Freeradius 2.1.12 on a Debian server. I have another
> Debian server with Coovachilli (captive portal) and an Access Point
> based on Ruckus OS.
> When my users connect on the AP, a web page comes up with a
> form to log in. Then the user enters their information (username and
> password) and Coovachilli performs the authentication on the radius, and
> this is working fine.
>
> Now I want to make something different: when the user connects on the
> AP, I want him to receive a little form, then he needs to enter a
> username (not known to the radius) and I want the radius to create a
> One Time Password and send it to the user (on another webpage). And
> the user sends this OTP via SMS to an SMS gateway to finish the
> authentication. Is that possible, and if yes, could someone explain to
> me how I can make it?
>
> For the SMS gateway I am using SMSLib (java library) on the
> *same* server as freeradius.
>
> Best regards and sorry for my bad English (from Switzerland).
> -- 
> Mercier Valentin

Re: Returning Filter-Id based on LDAP group

2012-02-06 Thread Cornelius Kölbel
Hi Phil,
I thought so.

But thanks a lot for clarifying this.
Kind regards
Cornelius


On 06.02.2012 17:21, Phil Mayers wrote:
> On 06/02/12 15:53, Cornelius Kölbel wrote:
>
>> ... but it seems that the ldap_groupcmp does not support pattern
>> matching?
>> Am I right or does anybody has another idea?
>
> Ldap-Group isn't a "real" attribute. It is a virtual attribute, that
> triggers a search in the directory when you compare to it.
>
> So you can't do this.


Returning Filter-Id based on LDAP group

2012-02-06 Thread Cornelius Kölbel
Hello list,

I'd like to set the Filter-Id in the response based on an LDAP group.

authorize {

    if ( Ldap-Group =~ /CN=group1,ou=groups,dc=company,dc=com/ ) {
        update control {
            Tmp-String-1 := "group1"
        }
    }

}

post-auth {

    update reply {
        Filter-Id := "%{control:Tmp-String-1}"
    }

}

This works like a charm!


As I have a lot of groups, I'd like to do some pattern matching...

if ( Ldap-Group =~ /CN=(xyz),ou=groups,dc=company,dc=com/ ) {
    update control {
        Tmp-String-1 := "%{1}"
    }
}

... but it seems that the ldap_groupcmp does not support pattern matching?
Am I right, or does anybody have another idea?

Thanks a lot and kind regards
Cornelius
