Re: problem with initial setup solved

2013-09-09 Thread Jeremiah Peterson
NEVER

On Sep 9, 2013, at 10:34 AM, Swenson, Chris cswen...@curry.edu wrote:

> I guess I need to recycle my 2002 Shell O'Reilly book.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Selecting authentication based on NAS-IP-Address or Client IP Address

2013-05-21 Thread Jeremiah Peterson
Thanks Alan.

I have been researching what you said and have seen from debug that the
code you gave me seems to be accepted by the server when it is
processed. I put the code in the authorize section of the
/etc/freeradius/sites-enabled/default.

I get:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.10 port 51690, id=9, length=43
   User-Name = noo
   User-Password = smartcity123
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[IPASS] No '/' in User-Name = noo, looking up realm NULL
[IPASS] Found realm DEFAULT
[IPASS] Adding Stripped-User-Name = noo
[IPASS] Adding Realm = DEFAULT
[IPASS] Proxying request from user noo to realm DEFAULT
[IPASS] Preparing to proxy authentication request to realm DEFAULT
++[IPASS] returns updated
++? if (Packet-Src-IP-Address == 10.10.10.10)
   expand: %{Packet-Src-IP-Address} -> 10.10.10.10
? Evaluating (Packet-Src-IP-Address == 10.10.10.10) -> TRUE
++? if (Packet-Src-IP-Address == 10.10.10.10) -> TRUE
++- entering if (Packet-Src-IP-Address == 10.10.10.10) {...}
+++[control] returns updated
++- if (Packet-Src-IP-Address == 10.10.10.10) returns updated
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
 WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 122 to 10.200.0.1 port 1812
   User-Name = noo
   User-Password = test
   NAS-IP-Address = 10.10.10.10
   Proxy-State = 0x3130
Proxying request 0 to home server 10.200.0.1 port 1812
Sending Access-Request of id 122 to 10.200.0.1 port 1812
   User-Name = noo
   User-Password = test
   NAS-IP-Address = 10.10.10.10
   Proxy-State = 0x3130
Going to the next request




So it looks like it evaluates the unlang correctly, but it doesn't
change the home server pool to the intended pool.



Is the unlang supposed to be in the authorize section as I suspect?
(NEWPOOL is the pool I want to choose)

Here is some config (the relevant part anyway)



root@FreeRADIUS:/etc/freeradius# cat sites-enabled/default
authorize {
   preprocess
   IPASS
   if (Packet-Src-IP-Address == 10.10.10.10) {
      update control {
         Home-Server-Pool = NEWPOOL
      }
   }
   suffix
}



root@FreeRADIUS:/etc/freeradius# cat proxy.conf
proxy server {
   default_fallback = no
}
home_server default {
   type = auth+acct
   ipaddr = 10.200.0.1
   port = 1812
   secret = gdsa
}
home_server primary {
   type = auth+acct
   ipaddr = 10.100.0.1
   port = 1812
   secret = secret
}

home_server_pool DEFAULT {
   home_server = default
}
home_server_pool NEWPOOL {
   home_server = primary
}

realm DEFAULT {
   auth_pool = DEFAULT
}


I am still learning and researching.  I just can't find enough
documentation out there which is why I turned to the mailing list.
Thanks for your assistance.
On May 18, 2013, at 5:36 AM, Alan DeKok-2 [via FreeRADIUS] 
ml-node+s1045715n5720262...@n5.nabble.com wrote:

> Jeremiah Peterson wrote:
> > I see that it is possible to create realms and have each realm use a
> > different proxy, but what I am more interested in is having the
> > authentication method be selected based on client.
> >
> > For example:
> >
> > If the request comes from IP 10.10.10.10 and user bob then use
> > home_server_pool xxx (and return attribute blah blah blah)
> > If the request comes from IP 10.20.20.20 and user bob then use
> > home_server_pool yyy (and return attribute yadda yadda yadda)
> > If the request comes from IP 10.30.30.30 and user bob then use
> > home_server_pool zzz (and return results from SQL query x)
>
>   Most of this can be done via unlang.  It has if/then/else checks,
> just like you wrote above.  You can even update the control items to
> have Home-Server-Pool := xxx.
>
> > I can see how this is done when making the user enter a realm name or
> > prefix or suffix to the username, but I don't want to do that for every
> > authentication.  I want the authentication method to be selected based on
> > the client.
>
>   You can select the *source* for authentication credentials.  You can't
> select the authentication *method*.  The client selects that.  (PAP,
> CHAP, etc.)
>
> > I have been searching for details on all the configuration files but I am
> > not finding anything very conclusive or explanatory on how to build custom
> > sites.
>
>   It's pretty simple:
>
> if ((Packet-Src-IP-Address == 10.10.10.10) && (User-Name == bob)) {
>     update control {
>         Home-Server-Pool := xxx
>     }
> }
>
>
>   You can't edit the reply here, because it's set
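
Added example, not part of the original thread: a short Python script that reads the debug output the way the reply asks, using lines copied from the message above and a trimmed copy of its proxy.conf. It reports, in log order, which module decided to proxy and to which realm, whether the control update ran, and which pool owns the home server the packet was finally sent to; the function names and the regex-based parsing are assumptions of this example, not FreeRADIUS tooling.

```python
import re

# Constructed sample: lines copied from the debug output and proxy.conf quoted above.
DEBUG = """\
[IPASS] Proxying request from user noo to realm DEFAULT
++? if (Packet-Src-IP-Address == 10.10.10.10) -> TRUE
+++[control] returns updated
Proxying request 0 to home server 10.200.0.1 port 1812
"""
PROXY_CONF = """\
home_server default {
   ipaddr = 10.200.0.1
}
home_server primary {
   ipaddr = 10.100.0.1
}
home_server_pool DEFAULT {
   home_server = default
}
home_server_pool NEWPOOL {
   home_server = primary
}
"""

def parse_pools(conf):
    """Map each home_server_pool name to the IPs of its home servers (flat blocks only)."""
    ips, pools = {}, {}
    block = r"(home_server_pool|home_server)\s+(\S+)\s*\{(.*?)\}"
    for kind, name, body in re.findall(block, conf, re.S):
        if kind == "home_server":
            ips[name] = re.search(r"ipaddr\s*=\s*(\S+)", body).group(1)
        else:
            pools[name] = re.findall(r"home_server\s*=\s*(\S+)", body)
    return {p: {ips[s] for s in srv if s in ips} for p, srv in pools.items()}

def trace(debug, pools, wanted_pool):
    """Summarise, in log order, who decided to proxy and where the packet went."""
    order, dest = [], None
    for line in debug.splitlines():
        if m := re.search(r"\[(\w+)\] Proxying request from user \S+ to realm (\S+)", line):
            order.append(f"realm:{m.group(1)}:{m.group(2)}")
        elif "[control] returns updated" in line:
            order.append("control-update")
        elif m := re.search(r"Proxying request \d+ to home server (\S+) port", line):
            dest = m.group(1)
    reached = sorted(p for p, addrs in pools.items() if dest in addrs)
    return {"order": order, "dest": dest, "reached": reached,
            "ok": wanted_pool in reached}

print(trace(DEBUG, parse_pools(PROXY_CONF), "NEWPOOL"))
```

On this sample the summary shows the IPASS realm decision logged before the control update, and the packet going to 10.200.0.1, a member of pool DEFAULT rather than NEWPOOL.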

Re: Selecting authentication based on NAS-IP-Address or Client IP Address

2013-05-21 Thread Jeremiah Peterson
Well then I obviously have missed something in the debug output which
should have been completely obvious but has not to this point been.

I do appreciate your time and willingness to help.   I have made a lot of
changes to the default configuration because I am deploying a highly
customized solution.

I will go over the debug output again and see if I can figure out what I am
missing and turn on a higher level of debugging.

I was not trying to get a quick and easy solution without reading the debug
output and I apologize if I came across that way.

Thank you for the reply.

Sent from my iPhone

On May 21, 2013, at 5:06 PM, Alan DeKok-2 [via FreeRADIUS] 
ml-node+s1045715n5720330...@n5.nabble.com wrote:

> Jeremiah Peterson wrote:
> > Thanks Alan.
> >
> > I have been researching what you said and have seen from debug that the
> > code you gave me seems to be accepted by the server when it is
> > processed. I put the code in the authorize section of the
> > /etc/freeradius/sites-enabled/default.
> >
> > I get:
>
>   Well... it helps to read the debug output and think about what you've
> configured.
>
>   I'll also note that the debug output shows you've made a *lot* of
> changes to the default configuration.
>
>   So... it helps to understand the changes, before you make them.
>
>   i.e. if you're not going to bother reading the debug output and
> thinking about it, I'm not going to bother doing that, either.
>
>   Alan DeKok.

Selecting authentication based on NAS-IP-Address or Client IP Address

2013-05-17 Thread Jeremiah Peterson
I see that it is possible to create realms and have each realm use a different 
proxy, but what I am more interested in is having the authentication method be 
selected based on client.

For example:

If the request comes from IP 10.10.10.10 and user bob then use home_server_pool 
xxx (and return attribute blah blah blah)
If the request comes from IP 10.20.20.20 and user bob then use home_server_pool 
yyy (and return attribute yadda yadda yadda)
If the request comes from IP 10.30.30.30 and user bob then use home_server_pool 
zzz (and return results from SQL query x)

I can see how this is done when making the user enter a realm name or prefix or 
suffix to the username, but I don't want to do that for every authentication.  
I want the authentication method to be selected based on the client.

I have been searching for details on all the configuration files but I am not 
finding anything very conclusive or explanatory on how to build custom sites.

Any help would be appreciated.

Thanks for your help.

JerLasVegas