Re: FR, SQL backend and Foreign keys

2011-09-28 Thread Fabien COMBERNOUS

On 27/09/2011 11:25, Alan DeKok wrote:

Fabien COMBERNOUS wrote:

In the samples schema.sql proposed for SQL backend, no foreign keys are
used. Any reason ?

   The schema is designed to be simple.  What foreign keys would you
propose it use?


Here is a proposed patch:

--- schema_orig.sql2011-09-28 10:42:08.0 +0200
+++ schema_withFK.sql2011-09-28 10:46:42.0 +0200
@@ -63,8 +63,8 @@
   op char(2) NOT NULL DEFAULT '==',
   value varchar(253) NOT NULL default '',
   PRIMARY KEY  (id),
-  KEY username (username(32))
-) ;
+  KEY username (username)
+) ENGINE=InnoDB;

 #
 # Table structure for table 'radgroupcheck'
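
Review bot: the FOREIGN KEY added in the next hunk points at radcheck(username), but in this hunk radcheck keeps username as a plain non-unique KEY, and radcheck holds one row per (username, attribute), so the referenced column is not a candidate key. InnoDB accepts a foreign key onto a non-unique index, but the cascade then fires per parent row: deleting one of a user's check attributes cascades into radusergroup and removes that user's group memberships, and ON UPDATE CASCADE has to rename every one of the user's rows consistently. Reference a table with a unique username instead (for example a users table that both radcheck and radusergroup point at), or state in the patch description that radcheck rows must only ever be deleted per user, never per attribute. Two smaller points: dropping the (32) prefix and adding ENGINE=InnoDB is done only for the tables this patch touches, so the schema ends up mixed-engine unless the other CREATE TABLE statements get the same change, and since ENGINE=InnoDB is MySQL syntax the diff header should carry the full path of the mysql schema file, as asked in the thread.
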
@@ -117,8 +117,10 @@
   username varchar(64) NOT NULL default '',
   groupname varchar(64) NOT NULL default '',
   priority int(11) NOT NULL default '1',
-  KEY username (username(32))
-) ;
+  INDEX username (username),
+  FOREIGN KEY (`username`) REFERENCES radcheck(username)
+ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB;

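Review bot: this constraint makes every radusergroup row require a radcheck row with the same username, which rejects a setup where a user has group memberships but no per-user check items (the group query the server runs, SELECT groupname FROM radusergroup WHERE username = ..., is independent of radcheck, and such a user may be authenticated by another module with SQL supplying only the group). If that restriction is intended, say so in the patch description and in a schema comment; otherwise the FK should target a dedicated users table rather than radcheck. Also: the hunk uses INDEX where the first hunk uses KEY (as noted in the thread), quotes `username` with backticks only in the FOREIGN KEY line, and the context comment above it names radgroupcheck while the columns (username, groupname, priority) are those of radusergroup, so the description should spell out which table is being modified.
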
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33(0)9 5279 5202*
Kezia
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR, SQL backend and Foreign keys

2011-09-28 Thread Fabien COMBERNOUS

On 28/09/2011 11:52, Fajar A. Nugraha wrote:

On Wed, Sep 28, 2011 at 3:50 PM, Fabien COMBERNOUS
fcombern...@kezia.com  wrote:

  # Table structure for table 'radgroupcheck'
@@ -117,8 +117,10 @@
   username varchar(64) NOT NULL default '',
   groupname varchar(64) NOT NULL default '',
   priority int(11) NOT NULL default '1',
-  KEY username (username(32))
-) ;
+  INDEX username (username),

You should stick with either KEY or INDEX for consistency
(although both are synonyms in mysql).


You are right. It is a mistake on my part. We can stick with KEY.



+  FOREIGN KEY (`username`) REFERENCES radcheck(username)
+ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB;

If you use foreign key for radgroupcheck, is there a reason not to use
it on other tables (e.g. radreply, radgroupreply)?

One exception might be radacct, where you might want to keep
accounting records even for old/deleted accounts.
I proposed a patch with only radcheck and radusergroup because I can 
test this here. I'm not a RADIUS specialist; I prefer to take a first 
step before running.


--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33(0)9 5279 5202*
Kezia
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR, SQL backend and Foreign keys

2011-09-28 Thread Fabien COMBERNOUS

On 28/09/2011 11:45, Alan DeKok wrote:

Fabien COMBERNOUS wrote:

here a patch proposed :

   A bit of explanation would help.
Foreign key: a username added to the radusergroup table needs to exist in 
the radcheck table and be equal.
On cascade: if you update or delete a username in the radcheck table, the 
same action is done in the radusergroup table.


   It looks reasonable, but I'd want someone to try it before putting it
into the server.


--- schema_orig.sql2011-09-28 10:42:08.0 +0200

   *PLEASE* use full paths.  There are 4-5 SQL backends in the server.
Which one is this modifying?  Don't make us guess...



+++ schema_withFK.sql2011-09-28 10:46:42.0 +0200
@@ -63,8 +63,8 @@
op char(2) NOT NULL DEFAULT '==',
value varchar(253) NOT NULL default '',
PRIMARY KEY  (id),
-  KEY username (username(32))
-) ;
+  KEY username (username)
+) ENGINE=InnoDB;

  #
  # Table structure for table 'radgroupcheck'
@@ -117,8 +117,10 @@
username varchar(64) NOT NULL default '',
groupname varchar(64) NOT NULL default '',
priority int(11) NOT NULL default '1',
-  KEY username (username(32))
-) ;
+  INDEX username (username),
+  FOREIGN KEY (`username`) REFERENCES radcheck(username)
+ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB;


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33(0)9 5279 5202*
Kezia
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FR, SQL backend and Foreign keys

2011-09-27 Thread Fabien COMBERNOUS

Hi,

In the samples schema.sql proposed for SQL backend, no foreign keys are 
used. Any reason ?


With an ON DELETE CASCADE or ON UPDATE CASCADE constraint, shouldn't it be 
easier to manage updates or deletion of records?


Am I missing something?
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33(0)9 5279 5202*
Kezia
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread Fabien COMBERNOUS

On 14/01/2011 23:47, Alan DeKok wrote:

Fabien COMBERNOUS wrote:


[...]

David is not bridling, but just remembering his constraints.

   They are *his* constraints.  If he can't even install a version of
2.1.10 in order to run radtest which can do MS-CHAP, then those
constraints are ridiculous.

Even if he has to consider them, perhaps he thinks like you. :)

In a complex environment, changing a piece of software can have 
unexpected consequences. And so changing it demands long testing 
procedures for several teams. I have already worked in this kind of 
environment. And you have to give good enough reasons to make a 
modification to the setup.


If it is impossible to do what is necessary, a help for him is 
probably to provide the good reasons for the modification of his 
setup. Only blaming the person is not useful in my opinion. However, I 
understand that you don't want to lose your time.


Regards,
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Fabien COMBERNOUS

On 14/01/2011 15:32, Phil Mayers wrote:

[...]

  
  Even though you are bridling at my advice, I'm going to try one
  last time to be helpful.
Imagine that David is alone on a very isolated island without any
other humans. And he needs to eat. He asks for help to learn how to
kill the animals of this island. Your answer was "go to the
supermarket". This answer didn't consider the question enough.

David is not bridling, but just remembering his constraints.

Best regards,
-- 
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

unidentified users and vlan assignment

2010-09-15 Thread Fabien COMBERNOUS

Hi,

We use freeradius to assign users to VLANs. The default
settings reject users in the case of a request from an unidentified
user. Instead of this we would like to assign him to a specific VLAN.
I can't find information about how to do this. Any pointer or
information is welcome.

Regards,
-- 
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: unidentified users and vlan assignment

2010-09-15 Thread Fabien COMBERNOUS

Thank you Phil for your answer.

On 15/09/2010 11:09, Phil Mayers wrote:

  Are you using 802.1x or macauth?
  
  
  If you are sending an access-reject, you can't assign a vlan.
  Reject means "give no service". You either need to send an accept
  with a vlan, or look for a "reject vlan" feature on your switch.
  

I'm using macauth. But how do I assign a VLAN to unidentified
devices?

-- 
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: unidentified users and vlan assignment

2010-09-15 Thread Fabien COMBERNOUS

My sql module (we use an sql backend) returns notfound.

I tried to add the following at the end of the authorize section.

On 15/09/2010 16:30, Phil Mayers wrote:

if (notfound) {
    update reply {
        Tunnel-Private-Group-Id = 1234
    }
}


But the radius log says :

? Evaluating (notfound) FALSE
...
Failed to authenticate the user


What am I misunderstanding?

-- 
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: unidentified users and vlan assignment

2010-09-15 Thread Fabien COMBERNOUS

We use an sql backend. Just after my sql module (in the authorize
section) I added the following block.


if (notfound) {
    update reply {
        Tunnel-Type := 13
        Tunnel-Medium-Type := 6
        Tunnel-Private-Group-ID := 42
    }
}

When a user is unknown, the sql module returns notfound and this
block is evaluated as TRUE.
But the return value is not the VLAN as expected:
? Evaluating (notfound) - TRUE
++? if (notfound) - TRUE
++- entering if (notfound) {...}
+++[reply] returns notfound
++- if (notfound) returns notfound
? Evaluating (notfound) - TRUE
++? if (notfound) - TRUE
++- entering if (notfound) {...}
+++[reply] returns notfound
++- if (notfound) returns notfound



Regards,

-- 
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: unidentified users and vlan assignment

2010-09-15 Thread Fabien COMBERNOUS

On 15/09/2010 17:29, Phil Mayers wrote:

Please post the full debugging output.


+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "08-00-0f-44-c7-42", looking up realm
NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 10.2.2.230 does not have an access
group.
rlm_opendirectory: no access control groups, all users allowed.
++[opendirectory] returns ok
++- entering group redundant_sql {...}
[sql1]  expand: %{User-Name} - 08-00-0f-44-c7-42
[sql1] sql_set_user escaped user -- '08-00-0f-44-c7-42'
rlm_sql (sql1): Reserving sql socket id: 1
[sql1]  expand: SELECT id, username, attribute, value,
op FROM radcheck WHERE username =
'%{SQL-User-Name}' 
[sql1]  expand: SELECT groupname FROM
radusergroup WHERE username = '%{SQL-User-Name}'
ORDER BY prior
rlm_sql (sql1): Released sql socket id: 1
[sql1] User 08-00-0f-44-c7-42 not found
+++[sql1] returns notfound
++- group redundant_sql returns notfound
++? if (notfound)
? Evaluating (notfound) - TRUE
++? if (notfound) - TRUE
++- entering if (notfound) {...}
+++[reply] returns notfound
++- if (notfound) returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "08-00-0f-44-c7-42" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]  expand: %{User-Name} -
08-00-0f-44-c7-42
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds

Have you tested this? With radclient/radtest? It should work, from
what I can see.


No. I didn't test.

Thank you for your help.
-- 
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Installation on debian with postgresql

2010-08-30 Thread Fabien COMBERNOUS

On 29/08/2010 10:17, Alan DeKok wrote:

Michele Petrazzo - Unipex wrote:

It's the "normal" procedure when installing a new program. Install with
apt-get install and go to google to look at docs.
Normally I don't find complete docs and examples directly on the program's
web pages.

  I suggest trying the documentation that comes with the project first.
 Third-party documentation is almost always wrong.


How did you do before Google existed?

Each time you install a package on GNU/Linux you also install the manual
(cf. man) and you also have documents in the directory
/usr/share/doc/package_name . In my opinion the "normal"
procedure is to first have a look in your box, then on the project
pages, then in the wide network. What happens if you are in a place
without access to the internet?


and on my server:

srv:/etc/freeradius# grep -D skip -R authorise *

  Try looking in raddb/sites-enabled/*

srv:/etc/freeradius# echo $?
1

Means that, unless I'm completely wrong, the word authorise has to
be authorize.

  No.

  If you read radiusd.conf, the comments near the bottom will tell you
where the authorise section can be found.


On my Debian testing install I have the following at the end of
radiusd.conf:

##
#
# As of 2.0.0, the "authorize", "authenticate", etc. sections
# are in separate configuration files, per virtual host.
#
##

##
#
# Include all enabled virtual hosts.
#
# The following directory is searched for files that match
# the regex:
#
# /[a-zA-Z0-9_.]+/
#
# The files are then included here, just as if they were cut
# and pasted into this file.
#
# See "sites-enabled/default" for some additional documentation.
#
$INCLUDE sites-enabled/


Regards,
-- 
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Encountering error when using radius -X

2010-08-20 Thread Fabien COMBERNOUS

kartik dadwal wrote:

[...]
when you say 'radius binary .deb package', does '.deb' belong to 
Debian? I have Ubuntu (I know Ubuntu is spun off from Debian!). The 
only other way I know for installing something on my Ubuntu is using 
the synaptic package manager. Do you mean to say I can search for 
freeradius in synaptic manager and install it from there as it takes 
care of all the dependencies?

With Debian and Ubuntu, package management is done with .deb 
packages. If you want to get binaries (or sources also) the system uses 
.deb. To do this you can use synaptic (gui), or aptitude (cli). So, yes, 
you can search, find and install freeradius with synaptic. It will 
take care of all dependencies. And you'll have to remember to use 
/etc/freeradius instead of /etc/raddb when you read the freeradius documents.


If you don't have a special requirement for your freeradius setup, just 
install freeradius with synaptic. Here is the command with aptitude:

sudo aptitude install freeradius

If you want a ldap backend :
sudo aptitude install freeradius-ldap
If you want an sql backend, it depends on the RDBMS you want:
sudo aptitude install freeradius-mysql
sudo aptitude install freeradius-postgresql

With this process you'll get a basic running freeradius. Then you'll 
have to fit it to your needs by modifying the setup.


The search flag will give all the freeradius .deb possibilities. You can 
always use the synaptic gui or the aptitude cli as follows:

sudo aptitude search pattern



Regards,

--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Encountering error when using radius -X

2010-08-20 Thread Fabien COMBERNOUS

kartik dadwal wrote:

Hi Fabien,

Can you tell me how to get rid of the already installed freeradius?
So that I can re-install it using synaptic or aptitude.


Funny Makefile:
-
# The $(R) is a magic variable not defined anywhere in this source.
# It's purpose is to allow an admin to create an installation 'tar'
# file *without* actually installing it.  e.g.:
#
#  $ R=/home/root/tmp make install
#  $ cd /home/root/tmp
#  $ tar -cf ~/freeradius-package.tar *
#
# The 'tar' file can then be un-tar'd on any similar machine.  It's a
# cheap way of creating packages, without using a package manager.
# Many of the platform-specific packaging tools use the $(R) variable
# when creating their packages.
#
# For compatibility with typical GNU packages (e.g. as seen in libltdl),
# we make sure DESTDIR is defined.
#
export DESTDIR := $(R)


So you probably don't have to take care of your make install. Perhaps 
I'm wrong; I don't have more time to check.

And if I'm wrong, then aptitude or synaptic will give an error message.

Use aptitude or synaptic and give us the result of the install. If you 
get an error message, paste it here.


Regards,

--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Encountering error when using radius -X

2010-08-19 Thread Fabien COMBERNOUS

kartik dadwal wrote:

Hi,

I have ubuntu 9.10. Can you please tell me
1)Before running radius -X what all steps should be completed?
2)what should be the subdirectory structure for freeradius and where 
it should be formed in the directory structure?

3)which sub directory should I give the radius -X command.


Before trying to give answers: do you really need to compile your own 
radius from sources? Now you know that with the radius binary .deb package, 
the radius config is in the /etc/freeradius directory. Can you consider 
forgetting the sources you downloaded? If you can't, I have never used the way you 
are following. You'll have to consider dependencies. And I don't have enough 
time to try your way on a box.





On Wed, Aug 18, 2010 at 7:05 AM, Fabien COMBERNOUS 
fcombern...@kezia.com mailto:fcombern...@kezia.com wrote:



In general you can get the list of the files from a deb package
with the command line :
$ dpkg -L name of the package
Here we have :
$ dpkg -L freeradius | grep etc
/etc
/etc/pam.d
/etc/pam.d/radiusd
/etc/init.d
/etc/init.d/freeradius
/etc/freeradius




--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Encountering error when using radius -X

2010-08-18 Thread Fabien COMBERNOUS

kartik dadwal wrote:

Hi,

-freeradius version:   freeradius-2.1.0+dfsg (downloaded from 
http://packages.ubuntu.com/source/karmic/freeradius)

-OS:  Ubuntu 9.10 (Karmic Koala)

I wanted to use freeradius with PAM. I performed following steps in order:
1) Downloaded freeradius from above given link.


This link does not permit downloading any freeradius.
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Encountering error when using radius -X

2010-08-18 Thread Fabien COMBERNOUS

kartik dadwal wrote:

Hi,

-freeradius version:   freeradius-2.1.0+dfsg (downloaded from 
http://packages.ubuntu.com/source/karmic/freeradius)

-OS:  Ubuntu 9.10 (Karmic Koala)


I was unable to download, but now I get a page that is not empty.

But, if I check the dependencies of my binary deb:
Depends: lsb-base (= 3.0-6), libc6 (= 2.7-1), libfreeradius2 (= 
2.0.4+dfsg-6), libgdbm3, libltdl3 (= 1.5.2-2), libpam0g (= 0.99.7.1), 
libperl5.10 (= 5.10.0), libsnmp15 (= 5.4.1~dfsg), libssl0.9.8 (= 0.9.8f-5), 
python2.5 (= 2.5), freeradius-common


If you want to compile your own freeradius, it should be easier to use 
the .deb source. You'll get a .deb binary package and all the advantages 
of .deb.

--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Encountering error when using radius -X

2010-08-18 Thread Fabien COMBERNOUS

kartik dadwal wrote:

Hi,

@Fabien:
I first used the synaptic package manager to install freeradius as the 
synaptic package manager takes care of the dependencies. After installing 
freeradius through the synaptic package manager I could not find any of 
the freeradius subdirectories.

So, I removed freeradius completely again using synaptic manager.

Then I decided to download the .tar.gz file from the link that I had sent 
earlier and ran:

./configure
make
make install

I just got one error for some particular package, I googled the error 
and installed the libltdl-dev package from 
http://packages.ubuntu.com/karmic/libltdl-dev
After that everything went smoothly and I did not face any error. I am 
sure all dependencies were found.


Can you also tell me why I don't have raddb in /etc/? It makes me 
believe as if something is wrong (which might or might not be 
true!!)

The /etc/raddb is the default setting. On my Debian box, radius files 
are in the directory /etc/freeradius/


In general you can get the list of the files from a deb package with the 
command line :

$ dpkg -L name of the package
Here we have :
$ dpkg -L freeradius | grep etc
/etc
/etc/pam.d
/etc/pam.d/radiusd
/etc/init.d
/etc/init.d/freeradius
/etc/freeradius
/etc/freeradius/preproxy_users
/etc/freeradius/policy.conf
/etc/freeradius/sites-enabled
/etc/freeradius/clients.conf
/etc/freeradius/sqlippool.conf
/etc/freeradius/templates.conf
/etc/freeradius/attrs.accounting_response
/etc/freeradius/attrs
/etc/freeradius/certs
/etc/freeradius/hints
/etc/freeradius/experimental.conf
/etc/freeradius/users
/etc/freeradius/huntgroups
...

--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Tag and Untag a port in several VLAN

2010-08-04 Thread Fabien COMBERNOUS

Fabien COMBERNOUS wrote:

[...]
So I used the other possibility with Egress-VLAN-Name instead of 
Egress-VLANID.
It is easier to understand the meaning of the value and it works with 
my version of FreeRadius.

About the dynamic VLAN assignment I use the two methods explained in [1]:
- some ports are single untagged VLAN: all works fine.
- some ports are multiple tagged and untagged VLANs: the ports of the 
switch look tagged and untagged as expected but the packets are not 
routed as expected. The input packets are not transmitted to the expected 
output. I tagged and untagged some other ports manually, similarly to 
my sql backend, and all packets are well routed.


In the single untagged VLAN method, 3 parameters are needed. In the 
multiple tagged/untagged VLAN method I only used Egress-VLAN-Name 
several times. Is it necessary to use another parameter in the sql 
backend other than Egress-VLAN-Name?



[1] http://wiki.freeradius.org/HP


Thank you for your help.





--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Tag and Untag a port in several VLAN

2010-08-03 Thread Fabien COMBERNOUS

Hi there,

I'm using FreeRadius 2.1.3. I'm doing MAC-based port assignment with an 
sql backend.


Untagging a port of the switch in a VLAN works well.

But in some cases I need to tag a port in several VLANs. In the wiki [1] 
it looks possible. By following what is indicated in the wiki I inserted the 
following data in my sql backend:
insert into radgroupreply(groupname,attribute,op,value)  values 
('AP_test','Egress-VLANID',':=','0x320007');
insert into radgroupreply(groupname,attribute,op,value)  values 
('AP_test','Egress-VLANID',':=','0x32000102');


But when I plug in the equipment, radius gives this debug output:
[sql1] expand: SELECT id, groupname, attribute,   value, 
op   FROM radgroupreply   WHERE groupname = 
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname, 
attribute,   value, op   FROM radgroupreply   
WHERE groupname = 'test'   ORDER BY id
rlm_sql: Failed to create the pair: Unknown value 0x320007 for attribute 
Egress-VLANID


What am I missing or misunderstanding?
Help is welcome.

Best regards,

[1] http://wiki.freeradius.org/HP
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Tag and Untag a port in several VLAN

2010-08-03 Thread Fabien COMBERNOUS

Alan DeKok wrote:

Fabien COMBERNOUS wrote:
  

I'm using FreeRadius 2.1.3. I'm doing a mac based port assignment with
sql backend.


...
  

But when i plug the equipment radius give this debug :
[sql1] expand: SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname =
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname,
attribute,   value, op   FROM radgroupreply  
WHERE groupname = 'test'   ORDER BY id

rlm_sql: Failed to create the pair: Unknown value 0x320007 for attribute
Egress-VLANID

What am I missing or misunderstanding?



  The hex value isn't accepted in 2.1.3.  You'll need to run 2.1.6 or later.

  Or, change the hex number to a decimal number.
  

Thank you for your answer.
I can't change the FreeRadius version. So I need to use a decimal number.
Can you give me an example of how to untag a port in VLAN 7?

Best regards,
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
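
An added example for the two VLAN methods this thread discusses (it is mine, not code from the FreeRADIUS project or from any list post): the single untagged VLAN via the three Tunnel-* attributes, and the multi-VLAN Egress-VLANID values, emitted in decimal as suggested above for a 2.1.3 server that does not parse hex. Egress-VLANID is built per RFC 4675: one tag-indication octet (0x31 tagged, 0x32 untagged), 12 zero pad bits, then the 12-bit VLAN ID, so untagged VLAN 7 is 0x32000007, decimal 838860807. A value written without the pad bits, such as 0x320007, has a top octet of 0x00 and the decoder below rejects it; check the switch documentation for the exact encoding it expects. The radgroupreply column layout is taken from the INSERT statements on the page; the function names are mine, and the use of '+=' so that several Egress-VLANID rows accumulate (rather than a later ':=' replacing the earlier value) is my assumption about the reply-operator semantics, to be confirmed in radiusd -X output.

```python
"""Builders for the dynamic-VLAN reply rows discussed in this thread.

Added example, not code from FreeRADIUS or from the list posts.  Assumes
the stock radgroupreply(groupname, attribute, op, value) table whose
INSERT statements appear on the page.
"""

# RFC 4675 section 2.1: Egress-VLANID is a 32-bit integer laid out as
#   tag indication (8 bits): 0x31 = tagged, 0x32 = untagged
#   pad (12 bits): zero
#   VLANID (12 bits): 1..4094
TAGGED = 0x31
UNTAGGED = 0x32
VID_MIN, VID_MAX = 1, 4094

# Tunnel-Type 13 (VLAN) is assigned by RFC 3580; Tunnel-Medium-Type 6 is
# IEEE-802 from RFC 2868.  These are the numeric values posted in the thread.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def encode_egress_vlanid(vid, tagged):
    """Return the Egress-VLANID integer for `vid`, tagged or untagged."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError("VLAN ID out of range: %r" % (vid,))
    return ((TAGGED if tagged else UNTAGGED) << 24) | vid


def decode_egress_vlanid(value):
    """Return (vid, tagged) for a well-formed Egress-VLANID, else raise."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: %r" % (value,))
    tag, pad, vid = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError("bad tag indication octet in 0x%08x" % value)
    if pad != 0 or not VID_MIN <= vid <= VID_MAX:
        raise ValueError("bad pad bits or VLAN ID in 0x%08x" % value)
    return vid, tag == TAGGED


def is_valid_egress_vlanid(value):
    """True if `value` decodes as an RFC 4675 Egress-VLANID."""
    try:
        decode_egress_vlanid(value)
    except ValueError:
        return False
    return True


def tunnel_vlan_rows(groupname, vid):
    """radgroupreply rows for the single untagged VLAN method (3 attributes)."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError("VLAN ID out of range: %r" % (vid,))
    return [
        (groupname, "Tunnel-Type", ":=", str(TUNNEL_TYPE_VLAN)),
        (groupname, "Tunnel-Medium-Type", ":=", str(TUNNEL_MEDIUM_IEEE802)),
        (groupname, "Tunnel-Private-Group-Id", ":=", str(vid)),
    ]


def egress_rows(groupname, untagged=(), tagged=()):
    """radgroupreply rows for the multi-VLAN method, values in decimal so a
    server that does not parse hex (2.1.3 in the thread) still accepts them.
    '+=' is used on the assumption that ':=' would replace an earlier
    Egress-VLANID in the reply instead of adding a second one."""
    rows = []
    for vid in untagged:
        rows.append((groupname, "Egress-VLANID", "+=",
                     str(encode_egress_vlanid(vid, tagged=False))))
    for vid in tagged:
        rows.append((groupname, "Egress-VLANID", "+=",
                     str(encode_egress_vlanid(vid, tagged=True))))
    return rows


def insert_statements(rows):
    """Render rows as INSERT statements for pasting into a MySQL client.
    From code, hand the tuples to cursor.executemany() with placeholders
    rather than formatting them into SQL text."""
    tmpl = ("INSERT INTO radgroupreply(groupname,attribute,op,value) "
            "VALUES ('%s','%s','%s','%s');")
    return [tmpl % row for row in rows]


if __name__ == "__main__":
    # Untag VLAN 7 on the port and tag VLANs 258 and 300 on it.
    for stmt in insert_statements(egress_rows("AP_test", untagged=[7],
                                              tagged=[258, 300])):
        print(stmt)
    print("0x320007 well-formed?", is_valid_egress_vlanid(0x320007))
```

Run it directly to get the three INSERT statements for the AP_test group in decimal; for the single-VLAN method call tunnel_vlan_rows() instead, which yields the Tunnel-Type 13 / Tunnel-Medium-Type 6 / Tunnel-Private-Group-Id rows.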


Re: Tag and Untag a port in several VLAN

2010-08-03 Thread Fabien COMBERNOUS

Alan DeKok wrote:

Fabien COMBERNOUS wrote:
  

I'm using FreeRadius 2.1.3. I'm doing a mac based port assignment with
sql backend.


...
  

But when i plug the equipment radius give this debug :
[sql1] expand: SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname =
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname,
attribute,   value, op   FROM radgroupreply  
WHERE groupname = 'test'   ORDER BY id

rlm_sql: Failed to create the pair: Unknown value 0x320007 for attribute
Egress-VLANID

What am I missing or misunderstanding?



  The hex value isn't accepted in 2.1.3.  You'll need to run 2.1.6 or later.

  Or, change the hex number to a decimal number.
  


So I used the other possibility with Egress-VLAN-Name instead of 
Egress-VLANID.
It is easier to understand the meaning of the value and it works with my 
version of FreeRadius.


Thank you for your help.


--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: User-Name issue and mac based authentication

2010-07-08 Thread Fabien COMBERNOUS

Alan DeKok wrote:

Fabien COMBERNOUS wrote:
  

I'm using Free radius for Mac Address authentication.

When a use tcpdump on the radius server, the Radius Request packet
contains all the mac Address. But in the radiusd -X output, the
User-Name is truncated. The last digit is erased and so the device is
rejected.



  Please *show* the output of tcpdump  radiusd -X.  My guess is that
you're looking at different fields in tcpdump  radiusd -X.

  i.e. The server accepts all fields as the NAS sends them.  It does not
truncate or delete anything unless you specifically tell it to do that.
  
It is exactly what I thought. The tcpdump showed that radius uses what it 
received.
We found the source of the issue. It was the NAS (switch). The last 
version of its firmware was bugged.


Thank you for reading.

Best regards,

--

*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


User-Name issue and mac based authentication

2010-07-07 Thread Fabien COMBERNOUS

Hi there,

I'm using Free radius for Mac Address authentication.

When I use tcpdump on the radius server, the Radius Request packet 
contains the whole MAC address. But in the radiusd -X output, the 
User-Name is truncated. The last digit is erased and so the device is 
rejected.


Any help is appreciated.
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radius and fail over

2010-05-05 Thread Fabien COMBERNOUS

Hi there,

In the freeradius wiki a page gives information about failover [1]. It 
explains how to set up two sql modules pointing to two DBMSs. But in this 
setup, the radius server is a single point of failure. How do I set up two 
radius servers speaking with two DBMSs?


Thank you for your help.


[1] http://wiki.freeradius.org/Fail-over
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: VLAN Attribute ?

2010-04-21 Thread Fabien COMBERNOUS

Difan Zhao wrote:

You have to send some attributes to the switch. I am using Cisco
switches and here are the attributes that I need to send to the switch
to switch the port to VLAN 3:

bob   Cleartext-Password := test
Tunnel-Type:0 = VLAN,
Tunnel-Medium-Type:0 = IEEE-802,
Tunnel-Private-Group-Id:0 = 3,
Tunnel-Preference = 0x00

Other switch vendor may use different attributes.

Thank you for your input.

I'm using an HP ProCurve core switch. I used the following values:

Tunnel-Type = 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-ID = 4

It works. In the radius log I get the display you gave, i.e. VLAN instead of 
13, IEEE-802 instead of 6. I will make some tests to use your 
input directly. It is easier to read.


But I am surprised. In the RFC the value 13 does not exist for 
Tunnel-Type:

http://freeradius.org/rfc/rfc2868.html#Tunnel-Type

Where is the value of 13 decided?

Best regards,

--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


VLAN Attribute ?

2010-04-20 Thread Fabien COMBERNOUS

Hi,

I'm setting up a FreeRadius server using an SQL backend to store 
information about NAS, users and groups. I'm searching for the attribute to use 
to allow a group in a VLAN of my switch.


My setup permits authenticating a user and the group of the user. But 
what is the attribute to use in table radreply or radgroupreply to put 
the port of my switch in the right VLAN?


Best regards,

--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius and MacOSX 10.6

2010-02-24 Thread Fabien COMBERNOUS

Alan DeKok wrote:

Fabien COMBERNOUS wrote:
  

Hi there,

I'm trying to setup a freeRadius on MacOSX host 10.6. This OS use
FreeRADIUS Version 2.1.3.

I'm looking for informations about how to permit  a client device to ask
an  IP address when it is plugged on the network.



  Is this for PPP?

  (a) Yes: use the ippool / sqlippool module.

  (b) No: use DHCP.
  

It is not for ppp. I'm already using dhcp.

In a first step, I would like to dynamically assign a VLAN to the port 
of my switch as a function of the MAC address of the device that is plugged in. 
I would like to add a device in the opendirectory, specifying its 
MAC address and the VLAN this MAC address has to use. Then when a 
device is plugged into a port of my switch, it asks freeradius if this 
device is allowed. Then the radius asks opendirectory, and the directory 
answers no or yes. If yes it also gives the VLAN number to assign.


Now my switch is able to talk with my freeradius server.

--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius and MacOSX 10.6

2010-02-23 Thread Fabien COMBERNOUS

Hi there,

I'm trying to set up a freeRadius on a MacOSX 10.6 host. This OS uses 
FreeRADIUS Version 2.1.3.


I'm looking for information about how to permit a client device to ask 
for an IP address when it is plugged into the network. The switch forwards the 
request to the radius server. The radius server asks opendirectory (ldap) 
if the client is allowed (MAC address check) and in which VLAN. Then if 
the client is allowed the port of the switch is configured in the VLAN 
specified by opendirectory.


All information is welcome.
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html