regular expression with ldap-Group problems

2006-09-22 Thread Mitaine Yoann
Hi everybody,


I have a little problem with a regular expression on the
Ldap-Group attribute.

In radiusd.conf I have:

regular_expressions = yes
extended_expressions = yes


In the users file I have a rule like this:

DEFAULT Huntgroup-Name == "clietn802.x", Realm == "NULL", Ldap-Group =~ "^interne(.*)", Autz-Type := ldap

In my test this rule should be matched, but that is not the
case.


If anybody has an idea, please!


Thanks in advance.









- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE : Re: RE : Re: no Client-IP-Address in packet

2006-08-31 Thread Mitaine Yoann
Phil Mayers <[EMAIL PROTECTED]> wrote:

Mitaine Yoann wrote:
>
> */Michael Mitchell <[EMAIL PROTECTED]>/* wrote:
>
> Client-IP-Address is an internal freeRADIUS attribute, and is not
> defined in the RFC's. Hence it is never proxied to another server.

Yes, I am aware of that. I said that, in fact.

>
> In fact, the "Client-IP-Address" for server B in the example above
> would be the address of server A, and not the NAS.
>
> Exactly, but it would seem that never arrives.
> Could you tell me how to make it so that the Client-IP-Address has the
> IP address value of server A.

Don't remove the preprocess module from authorize.

The only problem is that "preprocess" is present in the authorize section in the radiusd.conf file of the radius server A:

authorize {
    preprocess
    suffix
    eap
    files
    Autz-Type LDAP {
        ldap
    }
}

so I don't understand why, when a proxied request arrives, server B didn't match the rule in the users file:

DEFAULT Huntgroup-Name == "foo", Ldap-Group == "interne", Autz-Type := Ldap

where

foo Client-IP-Address == x.x.x.x

Is there perhaps a bug in the version which I use?

RE : Re: no Client-IP-Address in packet

2006-08-30 Thread Mitaine Yoann
Michael Mitchell <[EMAIL PROTECTED]> wrote:

> Client-IP-Address is an internal freeRADIUS attribute, and is not defined in the RFC's. Hence it is never proxied to another server.
>
> In fact, the "Client-IP-Address" for server B in the example above would be the address of server A, and not the NAS.

Exactly, but it would seem that never arrives. Could you tell me how to make it so that the Client-IP-Address has the IP address value of server A.

Yours sincerely

RE : no Client-IP-Address in packet

2006-08-30 Thread Mitaine Yoann
Dear everybody,

In my previous email, I forgot to say that when I received a proxied packet, I tried to match a rule on the radius server B like:

DEFAULT Huntgroup-Name == "foo", Autz-Type := Ldap

where foo is defined in the huntgroups file as:

foo Client-IP-Address == x.x.x.x

in the users file. But this one hadn't been matched.

If somebody has an idea...?

Mitaine Yoann <[EMAIL PROTECTED]> wrote:

> Dear everybody,
>
> I've installed the radius CVS version of 08-23-06.
>
> I have this architecture:
>
>     client <----> AP <----> Radius A <----> Radius B
>                               802.1X     proxying
>
> The client does not have an IP address; it recovers its IP address from the DHCP server installed on radius server A, after being authenticated.
>
> I'm doing an EAP/TTLS authentication.
>
> When I proxied the request from server A to server B, there wasn't a Client-IP-Address in the packet. I thought radius server A would have put its own IP address in the Client-IP-Address attribute before sending the packet to server B. So, I would like to know if it's a normal situation and, in this case, how I could insert the Client-IP-Address attribute in the packet.
>
> Thanks in advance.
>
> Yours sincerely.

no Client-IP-Address in packet

2006-08-30 Thread Mitaine Yoann
Dear everybody,

I've installed the radius CVS version of 08-23-06.

I have this architecture:

    client <----> AP <----> Radius A <----> Radius B
                              802.1X     proxying

The client does not have an IP address; it recovers its IP address from the DHCP server installed on radius server A, after being authenticated.

I'm doing an EAP/TTLS authentication.

When I proxied the request from server A to server B, there wasn't a Client-IP-Address in the packet. I thought radius server A would have put its own IP address in the Client-IP-Address attribute before sending the packet to server B. So, I would like to know if it's a normal situation and, in this case, how I could insert the Client-IP-Address attribute in the packet.

Thanks in advance.

Yours sincerely.

Proxy Problem maybe a bug!

2006-08-16 Thread Mitaine Yoann
Dear everybody,

I've installed the radius CVS version of 08-02-06.

I have this architecture:

    client <----> AP <----> Radius A <----> Radius B
                                         proxying

with this proxy.conf file:

realm NULL {
    type        = radius
    authhost    = LOCAL
    accthost    = LOCAL
}

realm AAA {
    type        = radius
    authhost    = LOCAL
    accthost    = LOCAL
    type        = radius
}

realm BBB {
    type        = radius
    authhost    = 147.173.3.249:1812
    accthost    = 147.173.3.249:1813
    secret      = RaDCNRSgreCentr1
    nostrip
}

#  This realm is for ALL OTHER requests.
#
#
realm DEFAULT {
    type        = radius
    authhost    = anIP@:1812
    accthost    = anIP@:1813
    secret      = RaDCNRSgreCentr1
    nostrip
}

I tried to use the proxy configuration between server A and server B. Server A sent a proxied Access-Request to server B. When server B answered the proxied request with an Access-Challenge, I had an error message like this:

"Received Unknown packet code 11from client 147.173.3.249 port 1812: Cannot validate signature
Dropping packet without response."

So I searched for what could cause this error and I think I found it in the radius.c file, at the end of the rad_verify function, in the last switch-case code:

/*
 *  Calculate and/or verify digest.
 */
switch(packet->code) {
    int rcode;
    char buffer[32];

    case PW_AUTHENTICATION_REQUEST:
    case PW_STATUS_SERVER:
    case PW_DISCONNECT_REQUEST:
        /*
         *  The authentication vector is random
         *  nonsense, invented by the client.
         */
        break;

    case PW_ACCOUNTING_REQUEST:
        if (calc_acctdigest(packet, secret) > 1) {
            librad_log("Received Accounting-Request packet "
                       "from %s with invalid signature!  (Shared secret is incorrect.)",
                       inet_ntop(packet->src_ipaddr.af,
                                 &packet->src_ipaddr.ipaddr,
                                 buffer, sizeof(buffer)));
            return -1;
        }
        break;

    /* Verify the reply digest */
    case PW_AUTHENTICATION_ACK:
    case PW_AUTHENTICATION_REJECT:
    case PW_ACCOUNTING_RESPONSE:
        rcode = calc_replydigest(packet, original, secret);
        if (rcode > 1) {
            librad_log("Received %s packet "
                       "from client %s port %d with invalid signature (err=%d)!  (Shared secret is incorrect.)",
                       packet_codes[packet->code],
                       inet_ntop(packet->src_ipaddr.af,
                                 &packet->src_ipaddr.ipaddr,
                                 buffer, sizeof(buffer)),
                       packet->src_port,
                       rcode);
            return -1;
        }
        break;

    default:
        librad_log("Received Unknown packet code %d"
                   "from client %s port %d: Cannot validate signature",
                   packet->code,
                   inet_ntop(packet->src_ipaddr.af,
                             &packet->src_ipaddr.ipaddr,
                             buffer, sizeof(buffer)),
                   packet->src_port);
        return -1;
}

There was no case for the Access-Challenge request; I added it (case PW_ACCESS_CHALLENGE). And now the proxy request works!

I would like to know if the change is correct and if somebody already had this error.

Yours sincerely.
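Added example, not part of the original post and not FreeRADIUS code: a minimal Python model of the authenticator check discussed in the "Proxy Problem maybe a bug!" message, using the RFC 2865 Response Authenticator, MD5(Code + ID + Length + Request Authenticator + Attributes + Secret), which covers Access-Challenge (code 11) as well as Access-Accept and Access-Reject. The function names, the secret and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11
REPLY_CODES = {ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE}


def digest(code, ident, vector, attrs, secret):
    """MD5(Code + ID + Length + 16-byte vector + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + vector + attrs + secret).digest()


def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: sign a reply with its Response Authenticator."""
    auth = digest(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify(packet, secret, request_auth=None):
    """Return True only if the packet's authenticator can be validated."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    auth, attrs = packet[4:20], packet[20:length]
    if code == ACCESS_REQUEST:
        return True  # authenticator is a random vector chosen by the client
    if code == ACCOUNTING_REQUEST:
        return hmac.compare_digest(auth, digest(code, ident, bytes(16), attrs, secret))
    if code in REPLY_CODES:  # Access-Challenge (11) is a reply like Accept/Reject
        if request_auth is None:
            return False  # a reply can only be checked against its request
        return hmac.compare_digest(auth, digest(code, ident, request_auth, attrs, secret))
    return False  # unknown code: cannot validate, drop


# Constructed sample values (not taken from the post).
SECRET = b"example-secret"
REQ_AUTH = bytes(range(16))
STATE = bytes([24, 6]) + b"abcd"  # State attribute: type 24, length 6
CHALLENGE = build_reply(ACCESS_CHALLENGE, 7, REQ_AUTH, STATE, SECRET)

if __name__ == "__main__":
    print("challenge verifies:", verify(CHALLENGE, SECRET, REQ_AUTH))
```

A proxy that omits code 11 from the reply set falls through to the final `return False`, which corresponds to the "Cannot validate signature" drop quoted in the message.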