RE: multiple radiusVSA in ldap.attrmap

2009-06-12 Thread François Mehault
Thanks Alan DeKok and Ivan Kalik, I will try the two ways you sent me in my lab.

-Original message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Alan DeKok
Sent: Friday 12 June 2009 13:28
To: FreeRadius users mailing list
Subject: Re: multiple radiusVSA in ldap.attrmap

François Mehault wrote:
>  + in ldap.attrmap I add
>
> replyItem   Cisco-AVPair              radiusVSA
> replyItem   Foundry-Privilege-Level   radiusVSA
> replyItem   Foundry-INM-Privilege     radiusVSA

  You can't do that.  You are mapping the "radiusVSA" item to 3
different RADIUS attributes.  This will NOT work.

> I don’t succeed in giving the right value to each attribute with OpenLDAP,
> ldap.attrmap, radiusVSA … In addition, I can’t have two radiusVSA
> attributes with the same value in OpenLDAP.

  Yes, you can.  Read the comments at the top of ldap.attrmap.  Use the
"+=" operator.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


multiple radiusVSA in ldap.attrmap

2009-06-12 Thread François Mehault
Hi,

I would like to have an administrator profile on my openldap which allows an 
administrator to authenticate on cisco and foundry equipment and enter 
directly at the Privileged EXEC level. So I read the VSA attributes in 
dictionary.foundry and dictionary.cisco. I created my profile in OpenLDAP and I 
log on to my cisco and look at the reply log to see what is replied.

With this profile:

dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
objectClass: radiusObjectProfile
objectClass: top
objectClass: radiusprofile
radiusServiceType: NAS-Prompt-User
cn: administrateur
radiusVSA: shell:priv-lvl=15
radiusReplyItem: "Foundry-Privilege-Level = 0"
radiusReplyItem: "Foundry-Command-String = *"
radiusReplyItem: "Foundry-Command-Exception-Flag = 0"
radiusReplyItem: "Foundry-INM-Privilege = 15"

+ in ldap.attrmap I add

replyItem   $GENERIC$      radiusReplyItem
[...]
replyItem   Cisco-AVPair   radiusVSA


I see in my log :

Fri Jun 12 12:01:07 2009
Packet-Type = Access-Accept
Reply-Message = "Utilisateur: fmehault, group: Administrateur"
Cisco-AVPair = "shell:priv-lvl=15"
Service-Type = NAS-Prompt-User


With this profile:

dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
objectClass: radiusObjectProfile
objectClass: top
objectClass: radiusprofile
radiusServiceType: NAS-Prompt-User
cn: administrateur
radiusVSA: shell:priv-lvl=15
radiusVSA: 0
radiusVSA: 15

+ in ldap.attrmap I add

replyItem   Cisco-AVPair              radiusVSA
replyItem   Foundry-Privilege-Level   radiusVSA
replyItem   Foundry-INM-Privilege     radiusVSA

I see in my log :

Fri Jun 12 12:14:49 2009
Packet-Type = Access-Accept
Reply-Message = "Utilisateur: fmehault, group: Administrateur"
Foundry-INM-Privilege = AAA_pri_15
Foundry-Privilege-Level = 15
Cisco-AVPair = "shell:priv-lvl=15"
Service-Type = NAS-Prompt-User

I don't succeed in giving the right value to each attribute with OpenLDAP, 
ldap.attrmap, radiusVSA ... In addition, I can't have two radiusVSA 
attributes with the same value in OpenLDAP.
So I would like to know if it is possible to have just one profile with several 
attributes for different vendors (foundry, cisco, fortinet ...), or whether I have 
to make a profile administratorCisco, administratorFoundry, ...

Thanks for your help in advance

Regards,

François Mehault


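To make concrete what the ldap.attrmap lines in this thread do, here is a small Python model, added here and not rlm_ldap's own code, of how an attrmap line turns an LDAP entry's attribute values into RADIUS reply pairs. It assumes the operator is an optional fourth column that defaults to "=" for reply items (add only if the attribute is absent), with "+=" appending and ":=" replacing, and it ignores attribute data types, so it does not reproduce the numeric Foundry values seen in the second reply log. What it does show is the point of Alan DeKok's reply: the three lines that map radiusVSA give every RADIUS attribute the same value list, whereas the "$GENERIC$ radiusReplyItem" form of the first profile carries one "Attribute = value" string per reply item. The two entries are constructed from the LDIF profiles in the post.

```python
import re

# ldap.attrmap lines from the post: the $GENERIC$ line used with the first
# profile and the three radiusVSA lines used with the second one. The
# optional fourth column is the operator; "=" as the default for reply items
# is an assumption of this model, not something the post states.
ATTRMAP_TEXT = """
replyItem   $GENERIC$                 radiusReplyItem
replyItem   Cisco-AVPair              radiusVSA
replyItem   Foundry-Privilege-Level   radiusVSA
replyItem   Foundry-INM-Privilege     radiusVSA
"""

# LDAP entries constructed from the two LDIF profiles in the post
# (attribute values only, as written there).
PROFILE_GENERIC = {
    "radiusReplyItem": [
        '"Foundry-Privilege-Level = 0"',
        '"Foundry-Command-String = *"',
        '"Foundry-Command-Exception-Flag = 0"',
        '"Foundry-INM-Privilege = 15"',
    ],
    "radiusVSA": ["shell:priv-lvl=15"],
}
PROFILE_SHARED_VSA = {"radiusVSA": ["shell:priv-lvl=15", "0", "15"]}

# A $GENERIC$ value carries its own "Attribute op value" text.
GENERIC_RE = re.compile(r'^\s*"?([\w-]+)\s*(:=|\+=|=)\s*(.*?)"?\s*$')


def parse_attrmap(text):
    """Return (item type, RADIUS attribute, LDAP attribute, operator) rows."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (3, 4):
            raise ValueError("bad attrmap line: %r" % raw)
        item_type, radius_attr, ldap_attr = parts[:3]
        default_op = "==" if item_type == "checkItem" else "="
        op = parts[3] if len(parts) == 4 else default_op
        rows.append((item_type, radius_attr, ldap_attr, op))
    return rows


def add_pair(pairs, attr, value, op):
    """Apply one reply operator to the (attribute, value) list."""
    if op == "=":            # add only if the attribute is not there yet
        if not any(a == attr for a, _ in pairs):
            pairs.append((attr, value))
    elif op == "+=":         # always add another instance
        pairs.append((attr, value))
    elif op == ":=":         # replace every existing instance
        pairs[:] = [(a, v) for a, v in pairs if a != attr]
        pairs.append((attr, value))
    else:
        raise ValueError("unsupported reply operator %r" % op)


def reply_pairs(entry, attrmap):
    """Build the reply pair list for one LDAP entry (a dict of value lists)."""
    pairs = []
    for item_type, radius_attr, ldap_attr, op in attrmap:
        if item_type != "replyItem":
            continue
        for value in entry.get(ldap_attr, []):
            if radius_attr == "$GENERIC$":
                m = GENERIC_RE.match(value)
                if not m:
                    raise ValueError("unparseable generic item: %r" % value)
                add_pair(pairs, m.group(1), m.group(3), m.group(2))
            else:
                add_pair(pairs, radius_attr, value, op)
    return pairs


def values_of(pairs, attr):
    """All values carried by one attribute, in reply order."""
    return [v for a, v in pairs if a == attr]


if __name__ == "__main__":
    rows = parse_attrmap(ATTRMAP_TEXT)
    for name, entry in (("generic", PROFILE_GENERIC),
                        ("shared radiusVSA", PROFILE_SHARED_VSA)):
        print(name)
        for attr, value in reply_pairs(entry, rows):
            print("    %s = %r" % (attr, value))
```

Running it prints the pair list for each profile: with the generic form each Foundry attribute gets its own value, while with the shared radiusVSA mapping every attribute gets "shell:priv-lvl=15" under "=" and all three values under "+=", which is why one multi-valued LDAP attribute cannot carry different per-attribute values.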

RE: segmentation fault with group in huntgroups

2009-06-11 Thread François Mehault
I use version 2.1.4 on FreeBSD, but with Ldap-Group rather than Group in the 
huntgroups file, it works.

-Original message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Alan DeKok
Sent: Thursday 11 June 2009 14:54
To: FreeRadius users mailing list
Subject: Re: segmentation fault with group in huntgroups

François Mehault wrote:
> So I understand that fmehault is able to authenticate on the NAS
> 192.168.0.50. But I have a segmentation fault of radiusd. I created also
> the posix group administrateur which includes fmehault.

  Which version are you using?

> +- entering group authorize {...}
> zsh: segmentation fault  radiusd -X

  My guess is that you're using modules from one version of the server,
and a server binary from another.

  What does the *full* debugging output say?

  Alan DeKok.


segmentation fault with group in huntgroups

2009-06-11 Thread François Mehault
Hi All,

I want to use huntgroups to restrict access to certain huntgroups to 
certain groups of users. So I edited my huntgroups file:

swLabo	NAS-IP-Address == 192.168.0.50
	Group = administrateur

I guess that administrateur is an Ldap-Group, isn't it? And I use OpenLDAP to 
store my users and my radiusGroupName.

dn: ou=Profiles,dc=netplus,dc=fr
objectClass: organizationalUnit
objectClass: top
ou: Profiles

dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
objectClass: radiusObjectProfile
objectClass: top
objectClass: radiusprofile
radiusServiceType: NAS-Prompt-User
radiusVSA: shell:priv-lvl=15
cn: administrateur


dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
radiusGroupName: administrateur
homeDirectory: /home/fmehault
loginShell: /usr/local/bin/zsh
cn: Francois MEHAULT
gidNumber: 1203
userPassword: {SHA}C5wmJdwh7wX2rU3fR8XyA4N6oyw=

So I understand that fmehault is able to authenticate on the NAS 192.168.0.50. 
But I get a segmentation fault of radiusd. I also created the posix group 
administrateur, which includes fmehault.

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=67, 
length=80
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "fmehault"
Calling-Station-Id = "192.168.0.80"
User-Password = "mdp"
+- entering group authorize {...}
zsh: segmentation fault  radiusd -X

# id fmehault
uid=1203(fmehault) gid=1203 groups=1203,1400(administrateur)

What is the problem? If someone has documentation or a howto about huntgroups and 
group, I am interested.

Regards,

François Mehault
Netplus Communication

RE: [freeradius] fail-over ldap + reply-item missing

2009-06-10 Thread François Mehault
Hmm, now everything works perfectly. My reply items are present now; I will now try to 
understand why it works. Thanks to Ivan Kalik for his help and to the whole freeradius 
project.

Ldap.attrmap:

[...]
checkItem   Cleartext-Password  userPassword

Users:

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
	Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
	Fall-Through = yes

DEFAULT ldaplabobe2-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
	Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
	Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
	Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
	Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
	Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
	Fall-Through = yes


Radiusd.conf:

instantiate {
	[...]
	ldaplabobe2
	ldaplabobe1
}

/site-available/default:

redundant { ldaplabobe2 ldaplabobe1 } in the authorize and authenticate sections






RE: Problems with Cisco switch and authorization.

2009-06-10 Thread François Mehault
FYI http://wiki.freeradius.org/Cisco, maybe it can help you

Regards,

François

-Original message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Alan DeKok
Sent: Wednesday 10 June 2009 10:22
To: FreeRadius users mailing list
Subject: Re: Problems with Cisco switch and authorization.

Jeff Davis wrote:
> Sorry - I'm a n00b to this project.
>
> Trying to get OpenLDAP-based authentication working (well the auth DOES
> work) but cannot seem to get authorization working.
>
> Googling has so far failed me.  Perhaps someone on this list can clue me
> in...

  Have you run the server in debug mode as suggested in the FAQ, README,
"man" page, etc..?

> users file has the following:
>
> DEFAULT Service-Type == NAS-Prompt-User
>	Service-Type := NAS-Prompt-User,
>	Cisco-AVPair += "shell:priv-lvl=15"

  If those attributes are being sent back to the NAS, then fix the NAS
so that it follows the instructions sent by the RADIUS server.

  Alan DeKok.



RE: [freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread François Mehault
(following my last mail)

I read in my log:

No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user

So in the users file I replaced

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
	Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
	Fall-Through = yes

by

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr", Auth-Type := LDAP
	Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
	Fall-Through = yes

And I start radiusd -X and I get:

/usr/local/etc/raddb/users[247]: Parse error (check) for entry DEFAULT: Unknown value LDAP for attribute Auth-Type
Errors reading /usr/local/etc/raddb/users
/usr/local/etc/raddb/modules/files[7]: Instantiation failed for module "files"
/usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module "files".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
 }
}
Errors initializing modules

But in raddb/site-available/default, in the authenticate section, I have Auth-Type 
LDAP:

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	unix
	Auth-Type LDAP {
		redundant {
			ldaplabobe2
			ldaplabobe1
		}
	}
	eap
}





RE: [freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread François Mehault
Thanks for your response. I read http://freeradius.org/radiusd/doc/rlm_ldap; I 
am focused on the section GROUP SUPPORT.

So I have two ldap module instances in raddb/modules/ldap:

ldap ldaplabobe2 { [...] }
ldap ldaplabobe1 { [...] }

I added the ldap module in the instantiate{} block in radiusd.conf.

instantiate {
	exec
	expr
	expiration
	logintime
	ldaplabobe2
	ldaplabobe1
}

I use this form in my raddb/users:

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
	Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
	Fall-Through = yes

DEFAULT ldaplabobe2-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
	Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
	Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
	Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
	Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
	Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
	Fall-Through = yes

Instead of

DEFAULT Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
	Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
	Fall-Through = yes

DEFAULT Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
	Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
	Fall-Through = yes

Then I still use redundant in the authorize and authenticate sections in 
raddb/site-available/default (I tested without it also).

And now I get Access-Reject for everyone; some reply items are in the users file, 
others are in my openldap (I use radiusGroupName with 
ou=Profiles,dc=netplus,dc=fr + radiusprofile attribute ...)

So I think I am progressing, but it doesn't work for now. Sorry if I need some help; I 
am beginning with openldap, I have read a lot of freeradius, openldap and PAM 
documentation (my head will explode) and all of it is new to me, so maybe I have read 
the solution to my problem but don't remember :s

Thanks for your help.

Regards,

François

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=253, 
length=80
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "fmehault"
Calling-Station-Id = "192.168.0.80"
User-Password = "toto"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/192.168.0.50/auth-detail-20090609
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.0.50/auth-detail-20090609
[auth_log]  expand: %t -> Tue Jun  9 16:27:02 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fmehault", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.96.18.10:389, authentication 0
rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.10:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=administrateur)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: 

[freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread François Mehault
Hi all

I am trying to do a fail-over with two LDAP servers on my freeradius. I read this 
article http://wiki.freeradius.org/Fail-over, I instantiated two openldap modules and I 
use the keyword redundant in my /raddb/site-available/default in the authorize and 
authenticate sections.

redundant {
	Primary-ldap
	Secondary-ldap
}

I also enabled reply_log.
When the two LDAP servers are running, it works.

reply log :

Tue Jun  9 11:45:53 2009
Packet-Type = Access-Accept
Reply-Message = "Utilisateur: fmehault, group: Administrateur"
Cisco-AVPair = "shell:priv-lvl=15"
Service-Type = NAS-Prompt-User

But if I stop the Secondary-ldap, I get just:

reply log :

Tue Jun  9 11:49:19 2009
Packet-Type = Access-Accept

I can see in my log that radiusd tries to contact Secondary-ldap first. Why? 
Then it tests 3 times, rather than testing Primary-ldap, why?

I will be pleased to give you more information about my problem to help me 
fix it,

++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.96.18.4:389, authentication 0
rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.4:389
rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

[...]

rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server

[...]

rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server

Summary:

Primary-ldap     started
Secondary-ldap   started
It works

Primary-ldap     stopped
Secondary-ldap   started
It works

Primary-ldap     started
Secondary-ldap   stopped
Access-Accept without reply items ...

If someone can explain to me what my problem is

Regards,

François





RE: checkval module

2009-06-03 Thread François Mehault
Hi

I think you have to do it like this:

checkval checkNasPortId {
	item-name = NAS-Port-Id
	check-name = NAS-Port-Id
	data-type = string
	notfound-reject = yes
}

checkval checkNasPortType {
	item-name = NAS-Port-Type
	check-name = NAS-Port-Type
	data-type = string
	notfound-reject = yes
}

and in your /site-available/default you load checkNasPortId & checkNasPortType 
instead of checkval:

#checkval
checkNasPortId
checkNasPortType

I hope this helps you

François

From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Amr el-Saeed
Sent: Wednesday 3 June 2009 15:36
To: FreeRadius users mailing list
Subject: checkval module

Hi every one

I am using freeradius 1.1.7.
I am configuring checkval to check NAS-Port-Type; I need to make it check 
NAS-Port-Id also.

This is the radius.conf checkval section:

checkval {
	item-name = NAS-Port-Id
	check-name = NAS-Port-Id

	item-name = NAS-Port-Type
	check-name = NAS-Port-Type

	data-type = string
	notfound-reject = yes
}


But actually it processes the first entry only, which is NAS-Port-Id, and ignores 
the second one, which is NAS-Port-Type.
Is it possible to make the radius check both items??


thanks
Amr


RE: 1 freeradius with 2 openldap (multi master)

2009-06-02 Thread François Mehault
Well, I read the documentation, but I don't succeed in fixing my problem, and I 
don't know if the solution is in this documentation:

I use the attribute redundant and we can read:

"
*  redundant{...} and append{...} are just shortcuts. You could write

	group {
		sql1 {
			fail = 1
			notfound = 2
			noop = return
			ok = return
			updated = return
			reject = return
			userlock = return
			invalid = return
			handled = return
		}
		sql2 {
			fail = 1
			notfound = 2
			noop = return
			ok = return
			updated = return
			reject = return
			userlock = return
			invalid = return
			handled = return
		}
	}

   instead of

	redundant {
		sql1
		sql2
	}

but the latter is just a whole lot easier to read."

When I use redundant, I understand it's equivalent to having groups which are 
failable. My problem is that I have failover between two LDAP servers, and if the 
first LDAP is used, it works because I have:

Sending Access-Accept of id 93 to 192.168.0.50 port 1812
Reply-Message = "Utilisateur: fmehault, group: Administrateur"
Cisco-AVPair = "shell:priv-lvl=15"
Service-Type = NAS-Prompt-User
  Finished request 0.

And if the first fails, the second LDAP is used, so we can say that it 
works, but it fails because I have:

Sending Access-Accept of id 94 to 192.168.0.50 port 1812
Finished request 0.

It fails because the Access-Accept was built without Cisco-AVPair = 
"shell:priv-lvl=15" and Service-Type = NAS-Prompt-User. And I don't know why, I 
don't understand.

Thanks Alan for your help, I will continue to read the failover documentation; 
maybe there is something that I missed. If someone has another lead ..

Regards,

François


-Original message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of a.l.m.bu...@lboro.ac.uk
Sent: Friday 29 May 2009 18:04
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)

Hi,

> And now, if I start radiusd and slapd on server A and not on server B, it 
> works. And if I stop slapd on server A, and start slapd on server B, it 
> doesn't work. It's maybe a lead...

this is documented

http://wiki.freeradius.org/Fail-over


you need the group to be failable etc

alan

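As an added illustration, not the server's own code, of the return-code table quoted from the documentation in the message above, and of the fail-over behaviour asked about in the "[freeradius] fail-over ldap" thread, the Python model below walks a module list with the per-module actions of a redundant block: a numeric action is a priority that lets the section continue, while "return" makes the section stop at that module with its code. The PLAIN_ACTIONS table used for comparison, in which a failing module stops the section at once, is my assumption about the default behaviour of a plain module list and is not quoted on the page; the two ldap instances are stubs that contact nothing and simply return a code.

```python
# Model of how unlang combines module return codes inside redundant { ... },
# following the expansion quoted from the FreeRADIUS docs. Added example;
# not the server's code.

# Per-module actions inside redundant { ... }, exactly as quoted:
# a number is a priority (keep going), "return" stops the section.
REDUNDANT_ACTIONS = {
    "fail": 1,
    "notfound": 2,
    "noop": "return", "ok": "return", "updated": "return",
    "reject": "return", "userlock": "return", "invalid": "return",
    "handled": "return",
}

# Assumed (not quoted on the page) actions of a plain module list in
# authorize: a failure stops the section, so one dead LDAP server aborts it.
PLAIN_ACTIONS = {
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4,
    "fail": "return", "reject": "return", "userlock": "return",
    "invalid": "return", "handled": "return",
}


def run_section(modules, actions, trace=None):
    """Call each (name, fn) module in order and combine the codes.

    A numeric action is a priority: the code becomes the section result if
    its priority is higher than the one recorded so far, and the walk goes
    on. A "return" action makes the section return that code immediately.
    """
    result, priority = "noop", 0
    for name, module in modules:
        code = module()
        if trace is not None:
            trace.append((name, code))
        action = actions[code]
        if action == "return":
            return code
        if action > priority:
            result, priority = code, action
    return result


def ldap_instance(name, reachable, user_found=True):
    """Stub of an rlm_ldap instance: 'fail' when the server is down, else
    'ok' or 'notfound'. Constructed for this example; it contacts nothing."""
    def call():
        if not reachable:
            return "fail"
        return "ok" if user_found else "notfound"
    return name, call


def failover(primary_up, secondary_up, actions=REDUNDANT_ACTIONS):
    """Run Primary-ldap then Secondary-ldap, as listed in the post's block.

    Returns (section code, [(module, code), ...]) so the order in which the
    servers were contacted is visible.
    """
    trace = []
    code = run_section(
        [ldap_instance("Primary-ldap", primary_up),
         ldap_instance("Secondary-ldap", secondary_up)],
        actions, trace)
    return code, trace


if __name__ == "__main__":
    for up in ((True, True), (False, True), (True, False), (False, False)):
        print("redundant", up, failover(*up))
        print("plain    ", up, failover(*up, actions=PLAIN_ACTIONS))
```

With the quoted redundant table the section returns "ok" as soon as one instance answers, so a dead primary is skipped and the backup is tried (the "OR" the original poster wanted), and only when both are down does the section end in "fail"; with the assumed plain-list table the first failure stops the section before the backup is ever contacted (the "AND" behaviour). The trace also makes the ordering point explicit: the first server contacted is always the first one listed in the block.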


RE: 1 freeradius with 2 openldap (multi master)

2009-05-29 Thread François Mehault
I did the same test but I swapped the order of the ldap modules in 
/site-available/default

redundant {
	Ldapbackup
	Ldapmaster
}

and the authorize section:

Auth-Type LDAP {
	redundant {
		Ldapbackup
		Ldapmaster
	}
}

And now, if I start radiusd and slapd on server A and not on server B, it 
works. And if I stop slapd on server A, and start slapd on server B, it doesn't 
work. It's maybe a lead...



-Original message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of François Mehault
Sent: Friday 29 May 2009 16:23
To: FreeRadius users mailing list
Subject: RE: 1 freeradius with 2 openldap (multi master)

Well, in fact I have two servers: A and B.

A has freeradius + openldap

B has openldap backup

So on server A, I put in /site-available/default:

In the authentication section:

redundant {
	Ldapmaster
	Ldapbackup
}

and in the authorize section:

Auth-Type LDAP {
	redundant {
		Ldapmaster
		Ldapbackup
	}
}

Module Ldapmaster has attribute server="127.0.0.1", and Ldapbackup has 
attribute server="192.168.x.x" (IP of server B)

Well, if I shut down my openldap on server A, freeradius on server A will 
talk with openldap on server B, and it works perfectly!

[Ldapbackup] user fmehault authenticated succesfully
++[ Ldapbackup] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 93 to 192.168.0.50 port 1812
Reply-Message = "Utilisateur: fmehault, group: Administrateur"
Cisco-AVPair = "shell:priv-lvl=15"
Service-Type = NAS-Prompt-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 93 with timestamp +11
Ready to process requests.




Another test: I stop the openldap daemon on server B and start openldap on server 
A, so I imagine my freeradius will talk with openldap on server A. But problem:

[Ldapmaster] user fmehault authenticated succesfully
+++[ Ldapmaster] returns ok
++- policy redundant returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 94 to 192.168.0.50 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 94 with timestamp +10
Ready to process requests.



My NAS is a Cisco Catalyst 2950, and I use the RADIUS VSA Cisco-AVPair. As you can 
see in the log, I am successfully authenticated, and freeradius sends me an 
Access-Accept without Reply-Message, Cisco-AVPair, Service-Type ... Why???

On cisco:

User Access Verification

Username: fmehault
Password:
% Authorization failed.


My two LDAPs are both strictly the same, that's for sure because if I don't use 
unlang redundant, it works.

Does someone have an idea??

Thanks for your help,

Regards,

François


-Original message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of François Mehault
Sent: Friday 29 May 2009 15:27
To: FreeRadius users mailing list
Subject: RE: 1 freeradius with 2 openldap (multi master)

redundant-load-balance {
	ldap1 # 50%, unless ldap2 is down, then 100%
	ldap2 # 50%, unless ldap1 is down, then 100%
}


Seems perfect, thanks a lot !

-Original message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Alan DeKok
Sent: Friday 29 May 2009 15:10
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)

François Mehault wrote:
> And in my site-available/default I load the two modules. If my two
> openldap are alive, authentication succeed, but if one of them fall,
> authentication failed, so like this I have a « AND » between modules,
> and not a « OR » like I would. I don’t know if I am really clear, i
> don’t speak very well, sorry.

$ man unlang

  Look for "redundant"

  Alan DeKok.






1 freeradius with 2 openldap (multi master)

2009-05-29 Thread François Mehault
Hi All

I have one freeradius and 2 openldap (multi-master). And I want my freeradius 
to use the second openldap if the first crashes. So in freeradius I instantiate the 
ldap module:

ldap ldapmaster {
	[...]
}

ldap ldapbackup {
	[...]
}

And in my site-available/default I load the two modules. If my two openldap are 
alive, authentication succeeds, but if one of them falls, authentication fails, 
so like this I have an « AND » between modules, and not an « OR » like I would like. 
I don't know if I am really clear, I don't speak very well, sorry.
So if someone understands the problem that I am trying to describe and knows how I 
can fix it, could you help me please? Thanks,

Regards,

François

RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

2009-05-19 Thread François Mehault
Thanks Ivan !

With huntgroups it works perfectly; now I am looking at managing my huntgroups 
with ldap, no longer with the huntgroups file.

Each user has the attribute radiusHuntgroupName, but I want to define my 
huntgroups in ldap; do you think it is possible?

Regards,

Francois

-Original Message-
From: Ivan Kalik [mailto:t...@kalik.net]
Sent: Tuesday 19 May 2009 15:09
To: François Mehault
Subject: RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

> Well, I am using checkval to check the attribute NAS-IP-Address. What I
> want: I have several users and several NAS; some users are allowed to
> authenticate on some NAS, and others not. I use an openldap database. Each
> user has an attribute "radiusCheckItem". I don't know if I am right, if
> it's the good way to do what I need, but I am a novice with FreeRADIUS and
> OpenLDAP.

Well, if a user is going to have only one value for NAS IP, then you don't
need checkval - just map the appropriate attribute as a check item in
raddb/ldap.attrmap. If he should be allowed on several devices it might be
better to use huntgroups/sqlhuntgroups - as long as there are not too many
combinations.

Same applies to MAC address - if a user can use only one there is no need to
use checkval.

Ivan Kalik
Kalik Informatika ISP



RE: communication safe ssh <-> NAS <-> FreeRADIUS ?

2009-05-19 Thread François Mehault
OK, thanks. In fact, I want my radius client to encrypt my password in MD5, for 
example, and freeradius to check the MD5 hash. So I understand I have to use 
PAP? In my ldap module I think I have to put « password_attribute = 
userPassword ». But if I do, I have to put my password in clear in my ldap, 
otherwise it doesn't work. Also, I can comment out the « password_attribute = 
userPassword » in my ldap module and put my password in md5/ssha etc. in 
openldap and it works. But I don't know very well why??


modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = "auto"
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = "/var/log/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = "Password: "
auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = no
   }

From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Nicolas Goutte
Sent: Tuesday 19 May 2009 14:45
To: FreeRadius users mailing list
Subject: Re: communication safe ssh <-> NAS <-> FreeRADIUS ?


On 19.05.2009 at 14:14, François Mehault wrote:


Hi,

I authenticate on cisco equipment via ssh/telnet. There is no supplicant, so I 
don't understand in my case, and I would like to know if the communication 
between my cisco equipment and my FreeRadius is safe. I have a shared secret 
between both. I understand that the communication between freeradius and the 
radius client uses the RADIUS protocol. But in my case there is no PEAP, EAP/TLS 
...
Can someone please confirm to me whether the communication is safe? Because I 
am afraid to see my password in clear-text in the users file. Is it possible to 
use md5, ssha ... and how?
For compatibility, see 
http://deployingradius.com/documents/protocols/compatibility.html


Thanks,

Regards,


François

Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registry court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841




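The comparison behind this question, as an added example that is not code from FreeRADIUS, OpenLDAP or anyone in the thread: rlm_pap accepts a stored password that carries a {MD5}, {SMD5}, {SHA} or {SSHA} header and verifies it by hashing the candidate the same way and comparing digests, so the hashed userPassword values in this thread can be checked without keeping cleartext in LDAP. This also explains why hashed storage works only with PAP: the server needs the cleartext the NAS sent in order to hash it, and CHAP or MS-CHAP never send it. The {MD5} and {SSHA} userPassword values and the User-Password "toto" are taken from the LDIF and debug output posted later in this thread; the fixed salt passed to make_ssha is a constructed value for reproducibility.

```python
"""Verify a password against an LDAP userPassword value with a
{MD5}/{SMD5}/{SHA}/{SSHA} header, the way rlm_pap does.  Added illustration,
not FreeRADIUS or OpenLDAP code."""
import base64
import hashlib
import hmac
import os

# Digest length per scheme; for the salted schemes the stored bytes are
# digest || salt, so the length tells us where the salt starts.
_SCHEMES = {
    "MD5": ("md5", 16),
    "SMD5": ("md5", 16),
    "SHA": ("sha1", 20),
    "SSHA": ("sha1", 20),
}


def parse_userpassword(value):
    """Split '{SCHEME}base64' into (scheme, digest, salt).
    A value without a header is treated as cleartext."""
    if not value.startswith("{"):
        return ("CLEAR", value.encode(), b"")
    header, _, b64 = value.partition("}")
    scheme = header[1:].upper()
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme %r" % scheme)
    raw = base64.b64decode(b64)
    _, dlen = _SCHEMES[scheme]
    if len(raw) < dlen:
        raise ValueError("stored value shorter than one digest")
    digest, salt = raw[:dlen], raw[dlen:]
    if scheme in ("MD5", "SHA") and salt:
        raise ValueError("unsalted scheme carries trailing bytes")
    return (scheme, digest, salt)


def verify_userpassword(candidate, stored):
    """True when hashing the candidate reproduces the stored digest."""
    scheme, digest, salt = parse_userpassword(stored)
    if scheme == "CLEAR":
        return hmac.compare_digest(candidate.encode(), digest)
    algo, _ = _SCHEMES[scheme]
    computed = hashlib.new(algo, candidate.encode() + salt).digest()
    # constant-time compare: no early exit on the first differing byte
    return hmac.compare_digest(computed, digest)


def make_ssha(password, salt=None):
    """Produce an {SSHA} value in the layout slappasswd emits
    (SHA-1 over password || salt, then base64 of digest || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


# Values from the LDIF and the Access-Request debug in this thread.
PAGE_MD5 = "{MD5}9x2+UmKKP4OnerSUgXUlxg=="
PAGE_SSHA = "{SSHA}tOoPUvtVW5O3+StoxScmQLiGFTO5l/+z"
PAGE_PASSWORD = "toto"

if __name__ == "__main__":
    print("MD5 value matches 'toto':", verify_userpassword(PAGE_PASSWORD, PAGE_MD5))
    scheme, digest, salt = parse_userpassword(PAGE_SSHA)
    print("SSHA value: %d-byte digest, %d-byte salt" % (len(digest), len(salt)))
    fresh = make_ssha(PAGE_PASSWORD, salt=b"\x01\x02\x03\x04")  # constructed salt
    print("freshly made SSHA verifies:", verify_userpassword(PAGE_PASSWORD, fresh))
```

The page's {SSHA} value decodes to a 20-byte SHA-1 digest followed by a 4-byte salt, which is the layout this parser expects; the {MD5} value verifies against "toto", the User-Password visible in the debug output.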

RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

2009-05-19 Thread François Mehault
Well, I am using checkval to check the attribute NAS-IP-Address. What I want: 
I have several users and several NAS; some users are allowed to authenticate on 
some NAS, and others not. I use an openldap database. Each user has an attribute 
"radiusCheckItem". I don't know if I am right, if it's the good way to do what 
I need, but I am a novice with FreeRADIUS and OpenLDAP.

-Original Message-
From: Ivan Kalik [mailto:t...@kalik.net]
Sent: Tuesday 19 May 2009 13:46
To: François Mehault
Subject: RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

> [...]
>
> rlm_checkval: Could not find item named Client-IP-Address in request
> rlm_checkval: Could not find attribute named Client-IP-Address in check
> pairs
> ++[nas-check] returns notfound

OK. It can't work since Client-IP-Address is not in the request. Can you
remind me: why are you using checkval? Multiple values for NAS IP? Your
user entry has only one.

Ivan Kalik
Kalik Informatika ISP



communication safe ssh <-> NAS <-> FreeRADIUS ?

2009-05-19 Thread François Mehault
Hi,

I authenticate on cisco equipment via ssh/telnet. There is no supplicant, so I 
don't understand in my case, and I would like to know if the communication 
between my cisco equipment and my FreeRadius is safe. I have a shared secret 
between both. I understand that the communication between freeradius and the 
radius client uses the RADIUS protocol. But in my case there is no PEAP, EAP/TLS 
...
Can someone please confirm to me whether the communication is safe? Because I 
am afraid to see my password in clear-text in the users file. Is it possible to 
use md5, ssha ... and how?

Thanks,

Regards,


François

RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

2009-05-19 Thread François Mehault
Checkval with Calling-Station-Id works fine! And I also want to check the IP 
of the NAS to authenticate my user.

rlm_checkval: Item Name: Calling-Station-Id, Value: 192.168.0.80
rlm_checkval: Value Name: Calling-Station-Id, Value: 192.168.0.80
++[station-check] returns ok

>NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why did
>it come out like that in checkval when elsewhere in the debug it looks OK.

I tried with Client-IP-Address instead of NAS-IP-Address but it doesn't work:

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=162, 
length=80
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "fmehault"
Calling-Station-Id = "192.168.0.80"
User-Password = "toto"
+- entering group authorize {...}

[...]

rlm_checkval: Could not find item named Client-IP-Address in request
rlm_checkval: Could not find attribute named Client-IP-Address in check pairs
++[nas-check] returns notfound

My ldap:

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
objectClass: hostObject
radiusGroupName: stagiaire
userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
radiusNASIpAddress: 192.168.0.50
host: labobe1
radiusCheckItem: "Client-IP-Address = 192.168.0.50"
radiusCallingStationId: 192.168.0.80


My checkval module:

checkval station-check {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
notfound-reject = yes
}

checkval nas-check {
item-name = Client-IP-Address
check-name = Client-IP-Address
data-type = ipaddr
notfound-reject = yes
}

Thanks Ivan Kalik for your first response.

Regards,

François

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Ivan Kalik
Sent: Monday 11 May 2009 13:29
To: FreeRadius users mailing list
Subject: Re: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

> I want to use FreeRadius to administer network equipment. I also use
> OpenLDAP to store information about users. FreeRADIUS and OpenLDAP are
> installed on the same FreeBSD 7.0 server.
> I contact a network equipment (like a Cisco Catalyst 2950 v12.1) with putty
> (ssh/telnet).
>
> I have 2 questions:
>
>
> -  Why is my calling-station-id in the request an IP and not a MAC
> ?

Because you are using telnet/ssh. Same applies to VPN. PPPoE (wired and
wireless) requests should have the MAC address in that field. Dial-up should
have the phone number.

>
> -  When I authenticate on the cisco 2950, I have in my log «
> rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of
> 192.168.0.50; what is the problem???
>

NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why it came
out like that in checkval when elsewhere in the debug it looks OK.

Ivan Kalik
Kalik Informatika ISP

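A model of what the two checkval instances in this post are doing, added here as an illustration that is not FreeRADIUS code: each instance takes one attribute of the Access-Request (item-name), the matching check item loaded from the user's LDAP entry (check-name), and compares them according to data-type. The request attributes and check items are the ones shown in the debug output and LDIF above. The model searches only the attributes carried in the packet, which reproduces the "returns notfound" seen for nas-check: Client-IP-Address is not a packet attribute. It does not reproduce the notfound-reject option. A separate source_check function shows Ivan's point about NAS-IP-Address: it is a field the sender writes into the packet, whereas the UDP source address is what the server itself observed.

```python
"""Model of the station-check and nas-check checkval instances from the post:
compare one request attribute with the matching LDAP check item.
Added illustration, not FreeRADIUS code."""
import ipaddress

# Attribute/value pairs of the Access-Request in the debug output above.
# The UDP source address is kept apart from the packet contents because it
# is not an attribute inside the packet.
REQUEST = {
    "packet": {
        "NAS-IP-Address": "192.168.0.50",
        "NAS-Port": "1",
        "NAS-Port-Type": "Virtual",
        "User-Name": "fmehault",
        "Calling-Station-Id": "192.168.0.80",
    },
    "source_ip": "192.168.0.50",
}

# Check items for fmehault from the LDIF above: the attrmap-mapped
# radiusCallingStationId / radiusNASIpAddress and the radiusCheckItem line.
CHECK_ITEMS = {
    "Calling-Station-Id": "192.168.0.80",
    "NAS-IP-Address": "192.168.0.50",
    "Client-IP-Address": "192.168.0.50",
}

# The two checkval instances from the post (notfound-reject not modelled).
STATION_CHECK = {"item": "Calling-Station-Id", "check": "Calling-Station-Id",
                 "type": "string"}
NAS_CHECK = {"item": "Client-IP-Address", "check": "Client-IP-Address",
             "type": "ipaddr"}


def _same(a, b, data_type):
    """Compare according to data-type: ipaddr values are parsed as addresses
    first, so a malformed value raises instead of silently comparing text."""
    if data_type == "ipaddr":
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    return a == b


def checkval(module, request, check_items):
    """Return 'ok', 'reject' or 'notfound'.  Only packet attributes are
    searched for the item, which is why nas-check on Client-IP-Address
    comes back notfound: that value is not carried in the packet."""
    item = request["packet"].get(module["item"])
    check = check_items.get(module["check"])
    if item is None or check is None:
        return "notfound"
    return "ok" if _same(item, check, module["type"]) else "reject"


def source_check(request, check_items):
    """Compare the Client-IP-Address check item with the address the packet
    actually came from rather than with the NAS-IP-Address attribute."""
    check = check_items.get("Client-IP-Address")
    if check is None:
        return "notfound"
    return "ok" if _same(request["source_ip"], check, "ipaddr") else "reject"


if __name__ == "__main__":
    print("station-check:", checkval(STATION_CHECK, REQUEST, CHECK_ITEMS))
    print("nas-check:", checkval(NAS_CHECK, REQUEST, CHECK_ITEMS))
    print("source check:", source_check(REQUEST, CHECK_ITEMS))
```

Running it gives ok for station-check and notfound for nas-check, matching the debug output, while source_check passes because the packet came from 192.168.0.50. A packet whose NAS-IP-Address attribute still reads 192.168.0.50 but arrives from another address would pass a check on the attribute and fail source_check, which is the difference Ivan's advice rests on.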

radius client on fedora 10 ?

2009-05-13 Thread François Mehault
Hi,

I would like to know whether there is any radius client on fedora 10? 
pam_radius? Other?

Regards,

François

apologize

2009-05-12 Thread François Mehault
Hi All

Sorry about my mails, I am checking the pipermail now.

Thanks Nicolas Goutte.

Regards,

François

From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Nicolas Goutte
Sent: Tuesday 12 May 2009 11:36
To: FreeRadius users mailing list
Cc: François Mehault
Subject: Re: test


On 12.05.2009 at 11:31, François Mehault wrote:




From: François Mehault
Sent: Tuesday 12 May 2009 11:27
To: 'freeradius-users@lists.freeradius.org'
Cc: François Mehault
Subject: RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

Hi All,
Don't worry. We do receive your emails. See also 
http://lists.freeradius.org/pipermail/freeradius-users/2009-May/date.html


Have a nice day!

Nicolas Goutte







OpenLDAP check item

2009-05-12 Thread François Mehault
Hi All,

I want to use FreeRadius to administer network equipment. I also use OpenLDAP 
to store information about users. FreeRADIUS and OpenLDAP are installed on the 
same FreeBSD 7.0 server.
I contact a network equipment (like a Cisco Catalyst 2950 v12.1) with putty 
(ssh/telnet).

To summarize:

Windows XP -> ssh or telnet -> Cisco 2950 (client radius/authenticator/NAS) -> 
EAPoRadius (I suppose) -> FreeRADIUS & OpenLDAP

For the moment, I have not installed/configured a supplicant on the Windows XP; 
I don't know if it's required, because I don't want to use FreeRADIUS to 
authenticate my Windows session. I have an Active Directory to do this.

I configured slapd.conf, radius.conf, clients.conf, the ldap module etc ... and 
it works. And now I would like to add some check-items like NAS-IP-Address and 
Calling-Station-Id. But I don't succeed :s, I use checkval to do this.

I have 2 questions:


-  Why is my calling-station-id in the request an IP and not a MAC?

-  When I authenticate on the cisco 2950, I have in my log « 
rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of 192.168.0.50; 
what is the problem???

I think I have numerous problems; if you see one of them, could you inform me? 
I am a novice with freeradius (and openldap also :s ). I could give you all the 
information you need to help me fix my problem.

Thanks for your help,

Regards

François MEHAULT


On my cisco 2950 :

aaa new-model
aaa authentication login default local group radius
aaa authorization exec default group radius local
aaa authorization network default group radius

My ldap.attrmap :

checkItem   Calling-Station-Id  radiusCallingStationId
checkItem   NAS-IP-Address  radiusNASIpAddress

Extract of my openldap:

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
radiusGroupName: stagiaire
radiusCallingStationId: 192.168.0.80   -> I put an IP address and not a MAC 
address because in the request it's an IP and not a MAC, I don't know why...
radiusNASIpAddress: 192.168.0.60   -> in fact, the NAS IP is 192.168.0.50, but 
I put .60 to get an Access-Reject
userPassword: {SSHA}tOoPUvtVW5O3+StoxScmQLiGFTO5l/+z


<12:34>[labobe2:~]# radiusd -X
FreeRADIUS Version 2.1.4, for host i386-portbld-freebsd7.0, built on Apr 16 
2009 at 12:03:36
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
[...]
radiusd:  Loading Clients 
 client 192.168.0.50 {
require_message_authenticator = no
secret = "cherche"
shortname = "swlabo"
nastype = "cisco"
 }
radiusd:  Instantiating modules 
[...]
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
  ldap {
server = "127.0.0.1"
port = 389
password = "secret"
identity = "cn=root,dc=netplus,dc=fr"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
   tls {
start_tls = no
require_cert = "allow"
   }
basedn = "dc=netplus,dc=fr"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = "radiusGroupName"
dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
[...]
rlm_ldap: LDAP radiusVSA mapped to RADIUS Cisco-AVPair
conns: 0x2852c240
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_checkval
 Module: Instantiating station-check
  checkval station-check {
item-name = "Calling-Station-Id"
check-name = "Calling-Station-Id"
data-type = "string"
notfound-reject = no
  }
rlm_checkval: Reg

test

2009-05-12 Thread François Mehault


From: François Mehault
Sent: Tuesday 12 May 2009 11:27
To: 'freeradius-users@lists.freeradius.org'
Cc: François Mehault
Subject: RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap


RE: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

2009-05-12 Thread François Mehault

NAS or supplicant, pam_radius or xsupplicant

2009-05-12 Thread François Mehault
Hi All

I have to install a FreeRADIUS to authenticate some users on network 
equipment (like a Cisco Catalyst). I just want to authenticate users on the 
cisco switch, no VLAN assignment ... So I conclude that I don't have to 
install/configure a supplicant on my computer (Windows XP), the computer I use 
to contact the switch via telnet/ssh. Could you confirm that I'm right?

I would also like to authenticate users on UNIX servers. Again, I just need to 
authenticate the users on the servers, so I conclude that I configure 
pam_radius on these servers and do not install/configure xsupplicant. The 
servers are RADIUS clients/NAS and not supplicants.

Of course I would like to have a safe communication between NAS and 
FreeRADIUS. Could you tell me if I selected the right configuration, or if I am 
totally wrong. I read the comments in the configuration files and a lot of 
documentation on the web, but the cases described are often supplicant - 
NAS - FreeRADIUS, with authentication on the supplicant for VLAN assignment. I 
don't understand very well when I have to install xsupplicant or pam_radius on 
my UNIX server, whether my server is a supplicant or a NAS.

Thanks for your help

François
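What the shared secret actually protects on the NAS <-> FreeRADIUS hop, the question raised both in this post and in the "communication safe ssh <-> NAS <-> FreeRADIUS ?" thread above, as an added example that is not code from the page, from FreeRADIUS or from any poster: RFC 2865 section 5.2 hides User-Password by splitting it into 16-byte blocks and XORing each with MD5(secret + previous block), seeded with the Request Authenticator. The secret "cherche" and the password "toto" are taken from the clients.conf and debug output in the thread; the 16-byte authenticator used in the demo is a constructed constant, whereas a real NAS must draw a fresh random one for every request.

```python
"""RFC 2865 section 5.2 User-Password hiding and its inverse.
Added illustration, not FreeRADIUS code."""
import hashlib
import os


def hide_password(password, secret, authenticator):
    """Pad the password with NULs to a multiple of 16 bytes, then XOR each
    block with MD5(secret || previous block); the first 'previous block' is
    the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password.  This is what the server does on receipt;
    it needs nothing beyond the packet itself plus the shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, b))
        prev = block
    # strip the NUL padding (RADIUS passwords cannot themselves end in NUL)
    return bytes(out).rstrip(b"\x00")


# Values from the thread: clients.conf secret and the User-Password in the
# Access-Request debug.  The authenticator is a constructed constant.
PAGE_SECRET = b"cherche"
PAGE_PASSWORD = b"toto"
SAMPLE_AUTHENTICATOR = bytes(range(16))


def demo():
    """Hide the page's password and recover it with the right and a wrong
    secret; returns (hidden, recovered, recovered_with_wrong_secret)."""
    hidden = hide_password(PAGE_PASSWORD, PAGE_SECRET, SAMPLE_AUTHENTICATOR)
    good = unhide_password(hidden, PAGE_SECRET, SAMPLE_AUTHENTICATOR)
    bad = unhide_password(hidden, b"not-the-secret", SAMPLE_AUTHENTICATOR)
    return hidden, good, bad


if __name__ == "__main__":
    hidden, good, bad = demo()
    print("hidden User-Password:", hidden.hex())
    print("recovered with the shared secret:", good)
    print("recovered with a wrong secret:", bad)
    # a real client would use os.urandom(16) for the Request Authenticator
    print("random authenticator example:", os.urandom(16).hex())
```

The hop is therefore exactly as confidential as the secret: the server recovers the password with unhide_password, and so could anyone else who holds the same secret and sees the packet, while User-Name, NAS-IP-Address and Calling-Station-Id are not hidden at all. That is the reason for a long random secret per client and for keeping RADIUS traffic from switches on a management network. The client entry in this thread also shows require_message_authenticator = no, so the Message-Authenticator attribute of RFC 2869 (an HMAC-MD5 over the packet keyed with the secret) is not demanded on these requests.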