Re: 802.1x machine authentication patch help
I found my problem. From Andrew Bartlett himself:

> This is not supported against NT4. Only Samba 3.0.21rc1 and AD support this extra flag.

To do machine authentication with freeradius, your workstation (supplicant) and samba server must be a member of a 2000/2003 domain. I had the supplicant and samba server still a member of the nt4 domain. Once I changed this, it worked great. We're still in the middle of a migration from nt4 to 2003 and all accounts still authenticate fine.

Thanks for everyone's help!!

jamie

>>> [EMAIL PROTECTED] 11/18/2005 12:16:43 PM >>>
> Make sure you used the rlm_MSchap module from the snapshot, not the rlm_chap module. They're different.
>
> --Mike
>
> Jamie Crawford wrote:
>> Hi,
>>
>> I am trying to get machine authentication working with freeradius. I have patched the samba code and freeradius code, but am getting this error when the machine tries to authenticate. I patched the rlm_chap module by taking last night's cvs snapshot and copying over the rlm_chap folder, overwriting the contents of the same folder in the freeradius-1.0.5 release and recompiling. I see that it is trying to pass the username as host/IS--31176. I thought the updated rlm_mschap was supposed to strip the host/ part of the username. Do I need to create a realm to strip the host/? Any help would be appreciated!!!
>>
>> Thanks,
>> jamie
>>
>> make clean
>> ./configure --configure --with-raddbdir=/etc/radius --with-logdir=/var/log/radius --disable-snmp --without-rlm_sql --without-rlm_ldap --without-rlm_krb5
>> make
>> make install
>>
>> modcall: entering group Auth-Type for request 6
>> rlm_mschap: No User-Password configured. Cannot create LM-Password.
>> rlm_mschap: No User-Password configured. Cannot create NT-Password.
>> rlm_mschap: Told to do MS-CHAPv2 for host/IS--31176 with NT-Password
>> radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
>> radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
>> mschap2: d3
>> radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
>> radius_xlat: '/usr/bin/ntlm_auth --domain= --request-nt-key --username=host/IS--31176 --challenge=12345ce0768615e --nt-response=123456f1011a2f799b5d62e04bad8bb39719fa48c3d11299e'
>> Exec-Program: /usr/bin/ntlm_auth --domain= --request-nt-key --username=host/IS--31176 --challenge=123453ce0768615e --nt-response=12345f1011a2f799b5d62e04bad8bb39719fa48c3d11299e
>> Exec-Program output: Logon failure (0xc06d)
>> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
>> Exec-Program: returned: 1
>> rlm_mschap: External script failed.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
802.1x machine authentication patch help
Hi,

I am trying to get machine authentication working with freeradius. I have patched the samba code and freeradius code, but am getting this error when the machine tries to authenticate. I patched the rlm_chap module by taking last night's cvs snapshot and copying over the rlm_chap folder, overwriting the contents of the same folder in the freeradius-1.0.5 release and recompiling. I see that it is trying to pass the username as host/IS--31176. I thought the updated rlm_mschap was supposed to strip the host/ part of the username. Do I need to create a realm to strip the host/? Any help would be appreciated!!!

Thanks,
jamie

make clean
./configure --configure --with-raddbdir=/etc/radius --with-logdir=/var/log/radius --disable-snmp --without-rlm_sql --without-rlm_ldap --without-rlm_krb5
make
make install

modcall: entering group Auth-Type for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for host/IS--31176 with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: d3
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --domain= --request-nt-key --username=host/IS--31176 --challenge=ba9273ce0768615e --nt-response=fd385f1011a2f799b5d62e04bad8bb39719fa48c3d11299e'
Exec-Program: /usr/bin/ntlm_auth --domain= --request-nt-key --username=host/IS--31176 --challenge=ba9273ce0768615e --nt-response=fd385f1011a2f799b5d62e04bad8bb39719fa48c3d11299e
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
Re: 802.1x machine authentication patch help
Sorry for the typo, I meant to type rlm_mschap. Are there only certain files out of the /src/modules/rlm_mschap cvs snapshot that I need to copy over?

Thanks,
jamie

>>> [EMAIL PROTECTED] 11/18/2005 12:16:43 PM >>>
> Make sure you used the rlm_MSchap module from the snapshot, not the rlm_chap module. They're different.
>
> --Mike
>
> Jamie Crawford wrote:
>> Hi,
>>
>> I am trying to get machine authentication working with freeradius. I have patched the samba code and freeradius code, but am getting this error when the machine tries to authenticate. I patched the rlm_chap module by taking last night's cvs snapshot and copying over the rlm_chap folder, overwriting the contents of the same folder in the freeradius-1.0.5 release and recompiling. I see that it is trying to pass the username as host/IS--31176. I thought the updated rlm_mschap was supposed to strip the host/ part of the username. Do I need to create a realm to strip the host/? Any help would be appreciated!!!
>>
>> Thanks,
>> jamie
>>
>> make clean
>> ./configure --configure --with-raddbdir=/etc/radius --with-logdir=/var/log/radius --disable-snmp --without-rlm_sql --without-rlm_ldap --without-rlm_krb5
>> make
>> make install
>>
>> modcall: entering group Auth-Type for request 6
>> rlm_mschap: No User-Password configured. Cannot create LM-Password.
>> rlm_mschap: No User-Password configured. Cannot create NT-Password.
>> rlm_mschap: Told to do MS-CHAPv2 for host/IS--31176 with NT-Password
>> radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
>> radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
>> mschap2: d3
>> radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
>> radius_xlat: '/usr/bin/ntlm_auth --domain= --request-nt-key --username=host/IS--31176 --challenge=ba9273ce0768615e --nt-response=fd385f1011a2f799b5d62e04bad8bb39719fa48c3d11299e'
>> Exec-Program: /usr/bin/ntlm_auth --domain= --request-nt-key --username=host/IS--31176 --challenge=ba9273ce0768615e --nt-response=fd385f1011a2f799b5d62e04bad8bb39719fa48c3d11299e
>> Exec-Program output: Logon failure (0xc06d)
>> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
>> Exec-Program: returned: 1
>> rlm_mschap: External script failed.
Re: 802.1x machine authentication patch help
Hi,

I finally got freeradius to strip the host/ and append the $ to the host name, but it still won't validate the workstation. I get

No logon workstation trust account (0xc199)

At least now it's narrowed down to the ntlm_auth command. I tried to run the command manually with different workstation accounts, and got the same error. I know I've modified the code correctly by changing:

init_id_info2(ctr.auth.id2, domain, 0x800, /* param_ctrl */ 0xdead, 0xbeef, /* LUID? */

Any suggestions???

Thanks,
jamie

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/radius/proxy.conf
Config: including file: /etc/radius/clients.conf
Config: including file: /etc/radius/snmp.conf
Config: including file: /etc/radius/eap.conf
Config: including file: /etc/radius/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 256000
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = root
 main: group = root
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = /usr/bin/ntlm_auth -d 10 --domain=central --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/radius/certs/cert-srv.pem
 tls: certificate_file = /etc/radius/certs/cert-srv.pem
 tls: CA_file = /etc/radius/certs/root.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/radius/certs/dh
 tls: random_file = /etc/radius/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/radius/huntgroups
 preprocess: hints = /etc/radius/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
 realm: format = prefix
 realm: delimiter = \
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (ntdomain)
Module: Loaded
ntlm_auth multiple domains
Hi,

I'm using ntlm_auth to authenticate users in freeradius. My samba server is joined to DOMAINA. When I run ntlm_auth --username=domainauser everything works great. When I run ntlm_auth --username=domainbuser it fails because the user does not exist in domaina, which the server is joined to. If I run ntlm_auth --username=domainbuser --domain=domainb it works great.

I was wanting to do ntlm_auth --domain=domaina --domain=domainb --username=domainbuser; it works only because the second domain variable is domainb. If I were to use a domainauser, it would fail.

Would setting up realms help? How can I tell freeradius to use ntlm_auth --domain=domaina on domaina users and ntlm_auth --domain=domainb on domainb users?

Any ideas???

tia,
jamie

Jamie Crawford, MCSE RHCT
Network Analyst I
Information Services
Central Missouri State University
Warrensburg, MO 64093
Phone: 6605434357
Email: [EMAIL PROTECTED]
Re: ntlm_auth multiple domains
I'm trying to validate a user from two trusted NT4 domains. I cannot get ntlm_auth --username=domainb/domainbuser to work. How are you supposed to validate a user with domain credentials, when you can't pass along the domain information? I think it's more of a limitation with ntlm_auth than anything.

tia,
jamie

>>> [EMAIL PROTECTED] 9/20/2005 11:45:49 AM >>>
> Jamie Crawford [EMAIL PROTECTED] wrote:
>> When I run ntlm_auth --username=domainauser everything works great. When I run ntlm_auth --username=domainbuser it fails because the user does not exist in domaina which the server is joined to.
>
> You need to point winbindd to a global catalog server, and then establish trust relationships between the GC and all of the domains.
>
>> Would setting up realms help?
>
> No. The limitation is due to Active Directory, not realms or FreeRADIUS.
>
> Alan DeKok.
Re: ntlm_auth multiple domains
First, thanks for the help. I solved my own problem in my previous email and didn't realize it.

Second, this got it working.

change radiusd.conf

/usr/bin/ntlm_auth --domain=realm--request-nt-key --username=mschap:User-Name

add to proxy.conf

realm DOMAINA {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

realm DOMAINB {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

realm DOMAINC {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

>>> [EMAIL PROTECTED] 09/20/05 3:54 pm >>>
> Jamie Crawford [EMAIL PROTECTED] wrote:
>> I'm trying to validate a user from two trusted NT4 domains. I cannot get ntlm_auth --username=domainb/domainbuser to work. How are you supposed to validate a user with domain credentials when you can't pass along the domain information? I think it's more of a limitation with ntlm_auth than anything.
>
> Have you tried reading the configuration files? There are examples of passing domains to ntlm_auth.
>
> Alan DeKok.
RE: Howto strip off Domain Name
proxy.conf

realm DEFAULT {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

>>> [EMAIL PROTECTED] 9/16/2005 9:56:21 AM >>>
> Lookup realms in the docs. And people wonder why Alan is so cranky. ;-)
>
> - Brian J.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sebastian Mauer
> Sent: Friday, September 16, 2005 9:43 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Howto strip off Domain Name
>
> Hello there,
>
> I managed to get FreeRadius authenticating users with PEAP against an OpenLDAP Directory containing my Samba controlled domain data and users. The users are stored with the normal username (without Domain) in the LDAP. By default the Windows WLAN client tries to authenticate with the entered Windows logon credentials, which is fine if the client would send the username without the Domain added. When FreeRadius looks up DOMAIN\testuser in the LDAP there is obviously no result because the user is stored as testuser. So what can I do to strip off any Domain Name by default?
>
> Thanks in Advance,
> Sebastian Mauer
MS-CHAP-Use-NTLM-Auth = No
Hi,

I'm trying to have a local user in my users file called guest with password guest. If the user is not guest, forward the user on to domain authentication. I'm having trouble when authenticating guest when it comes to the mschap authentication: although I have MS-CHAP-Use-NTLM-Auth = No, it still runs the ntlm_auth command against my domain controllers, which don't have a guest account (and I don't want a guest account on my dc's), so it automatically rejects because I don't have a guest account on my domain. If I comment out the ntlm_auth command in radiusd.conf, it works fine, but of course my domain authentication doesn't work now.

Any help is appreciated!!!

Thanks,
jamie

guest   User-Password == guest, MS-CHAP-Use-NTLM-Auth = No
        Filter-Id = enterasys:version=1:policy=guest_basic

DEFAULT Auth-Type = System
        Filter-Id = enterasys:version=1:policy=faculty_staff,
        Fall-Through = 1

Redhat AS4
Freeradius 1.0.4
Supplicants XP SP1, SP2
PEAP
NT4 DOMAINS

Jamie Crawford, MCSE RHCT
Network Analyst I
Information Services
Central Missouri State University
Warrensburg, MO 64093
Phone: 6605434357
Email: [EMAIL PROTECTED]
ntlm_auth multiple nt4 domains peap xp
Hi,

I have a two nt4 trusted domain infrastructure and am trying to set up freeradius to authenticate xp supplicants with peap. I have nmbd and winbindd running correctly, and can run the ntlm_auth program with no problems. But what I have found out is that my freeradius server is joined to the DOMAINA domain. So when running /usr/bin/ntlm_auth --username=domainatestuser it automatically validates the user against DOMAINA. But if I try to run /usr/bin/ntlm_auth --username=domainbtestuser it will fail. I have to add the --domain=DOMAINB for it to validate correctly.

So when I use my xp supplicant to validate my user, domainatestuser (without typing in the DOMAINA), it works perfectly. If I put in DOMAINA in the domain box, I get rejected. If I try to validate the domainbtestuser using nothing for the domain box, I get rejected. If I put in DOMAINB in the domain box, I get rejected.

I guess I am needing to set up realms for each domain. How do I set up DOMAINA users to go to the DOMAINA domain controllers, and how do I set up DOMAINB users to go to DOMAINB domain controllers? I shouldn't really have to set up going to different domain controllers; I just need freeradius to pass on the domain in the ntlm_auth command.

Thanks for any help

rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3076, id=85, length=181
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Framed-MTU = 1400
        User-Name = DOMAINB\\domainbtestuser
        Calling-Station-Id = 001217a8df41
        Called-Station-Id = 0001f4449c4c
        NAS-Identifier = RoamAbout AP
        State = 0x1ce29e6a91a9663ff39346a69f85748c
        EAP-Message = 0x020800261900170301001b4ca905292ffadaa855c356acd5417b6989915df2dd32ffdc0b08d3
        Message-Authenticator = 0x6dca7a93ca473745cab0f6a063b66d0e
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 15
  modcall[authorize]: module preprocess returns ok for request 15
  modcall[authorize]: module mschap returns noop for request 15
    rlm_realm: No '@' in User-Name = DOMAINB\domainbtestuser, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 15
    rlm_realm: Looking up realm DOMAINB for User-Name = DOMAINB\domainbtestuser
    rlm_realm: No such realm DOMAINB
  modcall[authorize]: module ntdomain returns noop for request 15
  rlm_eap: EAP packet type response id 8 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 15
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 15
modcall: group authorize returns updated for request 15
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Had sent TLV failure, rejecting.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 15
modcall: group authenticate returns invalid for request 15
auth: Failed to validate the user.
Delaying request 15 for 1 seconds
Finished request 15
Going to the next request

Jamie Crawford, MCSE RHCT
Network Analyst I
Information Services
Central Missouri State University
Warrensburg, MO 64093
Phone: 6605434357
Email: [EMAIL PROTECTED]
Re: urgent help needed!! freeradius peap enterasys ap 3000 xp certificate failure?
certificate_file = ${raddbdir}/certs/server_keycert.pem
# Trusted Root CA list
CA_file = ${raddbdir}/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random

>>> Zoltan Ori [EMAIL PROTECTED] 08/16/05 1:25 PM >>>
> On Tuesday 16 August 2005 10:28, Jamie Crawford wrote:
>> Everything seems to work great until the certificate negotiation, then it blows chunks.
>
> Bad or wrong certificates. Server and supplicant need a copy of the same trusted root certificate.
>
> Zoltan
Re: Freeradius ldap authentication sql authorization help!!
> If you're authorizing via SQL, your LDAP schema shouldn't need changes.
>
> Alan DeKok.

Alan, thanks for the response!!! But if I'm authorizing through SQL, do I have to have the user's password in the database? I was hoping to use the db kind of like the users file. I have nas port numbers with allowed users, with only their username for authorization; if their username isn't in the first port it falls through and so on, and if the user isn't authorized for any of the ports, the user is denied access. Is this possible?

thanks,
jamie

>>> [EMAIL PROTECTED] 03/13/05 08:10PM >>>
> Jamie Crawford [EMAIL PROTECTED] wrote:
>> I'm wondering if anyone has setup freeradius to authenticate through ldap and authorize through a postgress db.
>
> Yes. I haven't done it myself, but FreeRADIUS is *designed* to have that kind of flexibility.
>
>> All the documentation that I have read says that I need the users username and password in the database, or that I need to modify my ldap schema.
>
> If you're authorizing via SQL, your LDAP schema shouldn't need changes.
>
> Alan DeKok.
Freeradius ldap authentication sql authorization help!!
Hello,

To make it short: is it possible to authenticate users through ldap (which I can do right now), but limit which ports they can login to (16) on a port by port basis through sql, with having to store their password in the db or modifying my ldap schema?

Currently I have freeradius authenticating users through NIS and authorizing users to port numbers with the users file. This works great until the list starts changing daily on who can and cannot use ras. I'm wondering if anyone has set up freeradius to authenticate through ldap and authorize through a postgress db. All the documentation that I have read says that I need the user's username and password in the database, or that I need to modify my ldap schema.

Thanks,
jamie
Re: Special users only allowed to login to certain ras ports
Ok. I got the presidentlogin working for certain port numbers. Works great. One more question though: what if I also wanted the vicepresidentlogin to be able to login to those nas port numbers? For example:

#NAS PORT 3 = 1800xxx
DEFAULT Nas-Port == 3, User-Name != presidentlogin, Auth-Type := Reject
DEFAULT Nas-Port == 3, User-Name != vicepresidentlogin, Auth-Type := Reject

#NAS PORT 9 = 1866xxx
DEFAULT Nas-Port == 9, User-Name != presidentlogin, Auth-Type := Reject

#NAS PORT 10 = 1866xxx
DEFAULT Nas-Port == 10, User-Name != presidentlogin, Auth-Type := Reject

#ALL OTHER PORTS/PHONE NUMBERS
DEFAULT Group == nisras, Auth-Type := System

When I have this setup, the president or vicepresident cannot login to port 3, but the president can still login to ports 9 and 10 and the others fine. I tried doing

DEFAULT Nas-Port == 3, User-Name != presidentlogin,vicepresidentlogin, Auth-Type := Reject

but that failed miserably.

Thanks for your help!!!
jamie

>>> [EMAIL PROTECTED] 03/02/04 08:31AM >>>
> JAMIE CRAWFORD wrote:
>> Hello,
>>
>> Is there a way to limit the users to login to certain ports on the ras server? For example, I need to allow the president of the company to dial in to the 1800 number configured, which would be port 3 on the ras server. I need to make sure that he can get in at any time and no one else can take that port. The other ports are all local dialin numbers.
>>
>> Just to clarify. I have a patton 2960/16 connected to a bit-robbed T1. This allows us to have 16 concurrent dialup connections. But I only want 15 for general use, and the 16th for only the president.
>
> There is a NAS-Port-Id attribute. You'd have to check the authenticate packets that are arriving from your RAS to see if that contains 3 for port 3. If it does you can add a line to your users file:
>
> DEFAULT Nas-Port-Id == 3, User-Name != presidentlogin, Auth-Type := Reject
>
> That should reject anyone else but the president who tries to login on port 3.
>
> Hope that helps,
> Keith Yoder
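As an added illustration (not code from the post or from FreeRADIUS itself), the following Python model walks a users-file entry list the way the post describes, top to bottom, stopping at the first entry whose check items all hold unless it sets Fall-Through. It reproduces why the two "!=" lines above reject both logins on port 3 (each name passes the other line's check) and shows the single-entry form using the users file's regular-expression operator "!~"; the request attributes are constructed, and Group is treated as a plain attribute rather than resolved through rlm_unix.

```python
import re

# Constructed model of how a FreeRADIUS "users" file is walked (added example,
# not rlm_files source): entries are tried top to bottom, the first entry whose
# check items all hold is applied, and the walk stops there unless that entry
# sets Fall-Through = 1. "Group" is a plain request attribute in this model.
OPS = {
    "==": lambda have, want: have == want,
    "!=": lambda have, want: have != want,
    "=~": lambda have, want: re.search(want, have) is not None,
    "!~": lambda have, want: re.search(want, have) is None,
}


def checks_hold(request, checks):
    """Every check item (attribute, operator, value) must match the request."""
    for attr, op, value in checks:
        have = request.get(attr)
        if have is None or not OPS[op](str(have), str(value)):
            return False
    return True


def walk_users(request, entries):
    """Return the config items accumulated from the matching entries."""
    config = {}
    for checks, items in entries:
        if not checks_hold(request, checks):
            continue
        config.update(items)
        if not items.get("Fall-Through"):
            break
    return config


def auth_type(request, entries):
    """Auth-Type the walk ends with; None means no entry matched."""
    return walk_users(request, entries).get("Auth-Type")


# The two-line attempt from the post: anyone on port 3 satisfies at least one
# of the two "!=" checks, so the president is caught by the vice president's
# line and the vice president by the president's line.
BROKEN = [
    ([("Nas-Port", "==", "3"), ("User-Name", "!=", "presidentlogin")],
     {"Auth-Type": "Reject"}),
    ([("Nas-Port", "==", "3"), ("User-Name", "!=", "vicepresidentlogin")],
     {"Auth-Type": "Reject"}),
    ([("Group", "==", "nisras")], {"Auth-Type": "System"}),
]

# One entry whose regular-expression check ("!~", a users-file operator) names
# every login allowed on port 3; everyone else on that port is rejected, and
# the allowed logins fall to the general entry below it.
FIXED = [
    ([("Nas-Port", "==", "3"),
      ("User-Name", "!~", r"^(presidentlogin|vicepresidentlogin)$")],
     {"Auth-Type": "Reject"}),
    ([("Group", "==", "nisras")], {"Auth-Type": "System"}),
]


def request(port, user):
    # Constructed Access-Request attributes; every user is in group nisras.
    return {"Nas-Port": str(port), "User-Name": user, "Group": "nisras"}


if __name__ == "__main__":
    for user in ("presidentlogin", "vicepresidentlogin", "someone"):
        for port in (3, 9):
            req = request(port, user)
            print(f"port {port} {user:<20} broken={auth_type(req, BROKEN)} "
                  f"fixed={auth_type(req, FIXED)}")
```

The regex anchors matter: without "^" and "$" a login such as presidentlogin2 would also be admitted on port 3.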
Help with NOT running freeradius as root
Hello,

Is there any way to run freeradius NOT as root on rh9.0 when it does pap authentication, which needs to read my /etc/passwd and /etc/group files? I uncommented the user=nobody and group=nobody lines and then had to chown /usr/local/var/log/radius.log to nobody to get it to start. Now it refuses to authenticate, most likely because nobody doesn't have the ability to read /etc/passwd or /etc/group.

Thanks for your help, I'm still a linux newb.
jamie