client's shortname cast the real IP
Hi,

I have:

    client 10.1.2.0/24 {
        secret = secretkey
        shortname = 10.1.2.x
    }

The problem is the log has only 10.1.2.x, not the real NAS IP. However, taking the shortname out will generate an error when radiusd runs. What can I do to have the server log the real NAS IP?

Of course, I don't want to do

    client 10.1.2.1 ...
    client 10.1.2.2 ...
    ...
    client 10.1.2.254 ...

I have FC4 and freeradius 1.0.4 installed.

Thanks,
Min

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FreeRadius - setting up
Fedora Core 4 has a prebuilt RPM, freeradius-1.0.4.-1.FC4.1.

    yum install freeradius

will do it.

Hope this will help,
Min

-Original Message-
From: [EMAIL PROTECTED] freeradius.org [mailto:freeradius-users-bounces+mqiu=globalinternetworking.co [EMAIL PROTECTED] On Behalf Of Timolthy Keithy
Sent: Tuesday, January 31, 2006 4:19 PM
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius - setting up

Hi,

I am trying to build FreeRadius under Fedora Core 4. I found a lot of info on how to build FreeRadius on the Internet, including freeradius.org, and I tried several times with different info from websites, but still without luck. If anyone has step-by-step info on how to build FreeRadius from scratch, please share it or point to where I can obtain the correct info. I would like to set it up to work with PEAP, LEAP, TLS, and TTLS. FreeRadius 1.x and OpenSSL, etc...

Very appreciated in advance,
Timolthy
RE: Problems System Auth with FreeRadius (/etc/shadow)
You may have read the doc wrong. The group you should look for is radiusd. When you create user radiusd, the group radiusd should also be created if you use the adduser command to do the job. You don't want user radiusd to belong to group root. Do

    chgrp radiusd /etc/shadow

Min

-Original Message-
From: [EMAIL PROTECTED] freeradius.org [mailto:freeradius-users-bounces+mqiu=globalinternetworking.co [EMAIL PROTECTED] On Behalf Of Nataniel Klug
Sent: Thursday, January 26, 2006 3:57 PM
To: FreeRadius users mailing list
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

Alan,

Now you have given me a tip... On my Fedora there is no group shadow, so I put radius to run as group root so it could read /etc/shadow only if I set +r to group on the shadow files.

Att,
Nataniel Klug

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, January 26, 2006 3:37 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)

Nataniel Klug [EMAIL PROTECTED] wrote:
> I just have installed the package from Fedora Core 3, nothing else.

Then look at the configuration file. See how it's different from what is shipped with FreeRADIUS.

And setting a+rw on /etc/passwd and /etc/shadow is probably the single worst thing you can do to your system. EVER.

Rather than doing that, read raddb/radiusd.conf, it talks about issues with reading /etc/shadow, and describes suggested fixes that won't destroy your system.

Honestly, I don't understand why it's so hard to read the configuration files.

Alan DeKok.
RE: Restricting access to a NAS
I'm able to make it work by using

huntgroups

    admin   NAS-IP-address =~ ^10\.1\.2\.# thanks a lot to Bjørn
            User-Name = admin1,
            User-Name = admin2,
            ...
    ...

and users

    admin1  Auth-Type := Local, User-Password == secret, Huntgroup-Name == admin
    ...

I would assume that adding a huntgroup in the check line would be the same with a database backend. Can you post your solution once you make it work?

Thanks,
Min

-Original Message-
From: [EMAIL PROTECTED] on behalf of Lewis Bergman
Sent: Tue 1/24/2006 12:01 PM
To: FreeRadius users mailing list
Subject: Re: Restricting access to a NAS

Laker Netman wrote:
> I have a Cisco 3660 router configured for dialup AAA through FR (1.0.5) to access our LAN. I also have the login to the router itself, for admin, authenticating through FR (MySQL backend). The same DB is used for all auth, so currently anyone with a dialup account could also telnet into the router. This leaves only my 'enable' password to prevent problems. I want to configure FR to eliminate this ability for all but a select group of users (admins). There are other devices I would like to add to the list later. I've been looking at huntgroups as the solution, but was unsure how (or if) this could be handled via sql rather than the users file. Is anyone doing this and could provide a sample config layout?

I am not currently doing this but plan to tackle it by using something like a realm of admin when I do get to it. So a user needing admin privs would have to log in like [EMAIL PROTECTED] to get access.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
NAS-IP-address == 10.1.2.0/24 allowed?
Hi,

Again, a newbie question that I failed to find the answer to in the FAQ or wiki.

I would like to restrict user login by NAS-IP-address, or FQDN if possible. Therefore I can restrict a user to log in to a group of devices.

    user1   Auth-Type := Local, User-Password == sceret, NAS-IP-address ==10.1.2.0/24
    ...

It works if NAS-IP-address == 10.1.2.3, but that will require ~250 entries in the users file. Can it be grouped into a /24, or does NAS-Network-address exist?

How about using a DNS name, something like

    user1   Auth-Type := Local, User-Password == sceret, NAS-fqdn =~ /*.(core|edge).domain/
    ...

Thanks a lot,
Min
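The huntgroups entry in the "Restricting access to a NAS" message handles this /24 question with a regular expression instead of a CIDR. As an added example (not part of the thread and not FreeRADIUS code), the Python check below compares such a pattern with the network it is meant to stand for. It assumes the pattern is `^10\.1\.2\.` (reading the trailing `# ...` as a comment) and uses Python's `re` in place of the server's regex engine; the probe addresses and the two weakened patterns are constructed.

```python
import ipaddress
import re

# Pattern as read from the huntgroups entry (assumption: trailing "# ..." is a comment).
PAGE_PATTERN = r"^10\.1\.2\."
# Constructed weakened variants, for comparison only.
UNESCAPED = r"^10.1.2."      # unescaped dots match any character
UNANCHORED = r"10\.1\.2\."   # no ^, so it can match mid-string

# Constructed probe addresses that resemble 10.1.2.x as text.
PROBES = ["10.1.2.7", "10.1.20.7", "10.1.23.4", "10.112.3.4",
          "110.1.2.7", "10.1.3.7", "10.11.2.7"]


def accepted_outside(pattern, cidr, probes=PROBES):
    """Probe addresses the regex accepts although they are not in cidr."""
    net = ipaddress.ip_network(cidr)
    rx = re.compile(pattern)
    return [p for p in probes
            if rx.search(p) and ipaddress.ip_address(p) not in net]


def rejected_inside(pattern, cidr):
    """Addresses in cidr that the regex fails to match (coverage gaps)."""
    rx = re.compile(pattern)
    return [str(a) for a in ipaddress.ip_network(cidr) if not rx.search(str(a))]


def equivalent(pattern, cidr, probes=PROBES):
    """True when the regex covers all of cidr and none of the lookalike probes."""
    return (not rejected_inside(pattern, cidr)
            and not accepted_outside(pattern, cidr, probes))


if __name__ == "__main__":
    for name, pat in [("page", PAGE_PATTERN), ("unescaped", UNESCAPED),
                      ("unanchored", UNANCHORED)]:
        print(name, equivalent(pat, "10.1.2.0/24"),
              accepted_outside(pat, "10.1.2.0/24"))
```

A plain dotted prefix like this only lines up with octet-aligned networks such as a /24; for other prefix lengths `rejected_inside` or `accepted_outside` reports the mismatch.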
how to set crypted password in 'users' file?
Hi all,

I'm able to make a clear text password work by adding an entry in the 'users' file:

    mqiu    Auth-Type := Local, User-Password == clear-text

However, cutting and pasting the crypted password from /etc/shadow into the entry failed:

    mqiu    Auth-Type := Local, User-Password == $1$CWOjXm2v$dzjrc385t1iQXMN0

Changing the above Auth-Type to pam or unix does not work. My question is how to set a crypted password in the 'users' file?

In addition, how do I set different passwords for the same user on different hosts? Something like:

    [EMAIL PROTECTED]/24    Auth-Type := Local, User-Password == pass1
    [EMAIL PROTECTED]/24    Auth-Type := Local, User-Password == pass2
    ...
    [EMAIL PROTECTED]/24    Auth-Type := Local, User-Password == passN

I have freeradius-1.0.4-1.FC4.1 installed.

Thanks a lot,
Min