FW: MS AD / OpenLDAP with PAP - is it really not possible ?

2010-05-20 Thread Pawel Cieplinski

Hello

I have got an application that allows authentication only using the PAP method. My
goal would be to use Active Directory as a backend user database, but I found
that:

Once the PAP authentication test has been successful, the next step for sites 
using Active Directory is to configure the system to perform user 
authentication against Active Directory. The clear-text passwords are 
unavailable through Active Directory, so we have to use Samba

Is it true?

The same page describes using ntlm_auth instead, but I cannot find how to
pass attributes from the LDAP database to the RADIUS client using ntlm_auth.

Is it possible to reply with attributes from LDAP using ntlm_auth?

Best regards
Pawel.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Project site down

2008-01-23 Thread Pawel Cieplinski
 


 
 Hello,
 can it be, that the site is down?
 

Looks like it :)



RE: NAS list update without restarting radius server.

2008-01-23 Thread Pawel Cieplinski
Hi Liran

I think that will have to be a solution. I have also got an idea to run two
instances of the server on one machine on different ports and redirect ports
using iptables, for example:

Radius A listening on ports 1820-1821 

Radius B listening on ports 1822-1823

Variable server_on;

The start script is to run both servers and tell iptables to redirect ports
1812-1813 to 1820-1821.

Variable server_on is set to A;

And the reboot server script checks the server_on value:

If server_on == A then
{
    reboot server B;
    tell iptables to forward request to server B;
    server_on = B;
} else {
    reboot server A;
    tell iptables to forward request to server A;
    server_on = A;
}

Theoretically the non-working server is idle and not taking resources.

The only thing I don't know yet is switching while a request is in progress, e.g.
the user sends auth_request... gets a response, and we switched servers before
accounting.

It's just an idea; maybe it will be useful to someone.

Pawel Cieplinski





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of liran tal
Sent: 23 January 2008 12:07
To: FreeRadius users mailing list
Subject: Re: NAS list update without restarting radius server.


I think that having 2 servers running in master/slave and constantly
exchanging the roles between them is highly a compromise for reading
once in a while a cached nas list and updating it every now and then.

The interval to update the nas list can be user defined and will solely
depend on your system being able to support it. Of course I wouldn't
recommend doing it every second but a reasonable time is in place I think.

Also I'm thinking that like most services in the world changes take effect
only after a limited time which you can enforce in a policy.
For example, you tell your users or whomever operates the nas list that
changes to the nas are affected only after 3 hours and set that time as
the interval for freeradius to re-build the list.

Very much like that is what happens with DNS record updates for example
(although for somewhat different reasons) which you have to wait at least
a couple of hours if not the full 72 hours for the dns records to update
on servers/routers across the globe.



Regards,
Liran Tal.


On Jan 23, 2008 12:08 PM, Pawel Cieplinski [EMAIL PROTECTED] wrote:


I won't be adding NASes, but users will, so I am thinking 0-10 a day.

Linking to a dynamic list using an interval is not a good solution, because I
will need to wait for the list update after adding a NAS.

The other solution I am thinking of is to run two instances of the server and
restart them in round robin and use iptables to redirect packets to the
currently working server.

The goal is to serve RADIUS to third parties as a service, so users will add
their own NASes, modify them, etc. At this stage I cannot really say how many
times a day I will need a restart, but I am also wondering about the
following solution:

Run two servers:

Primary and Secondary. The primary will be restarted once a day, and the
secondary every time the NAS list is changed. After adding a NAS the primary
will not respond (unknown NAS), so the NAS will ask the secondary instead.
Also, requests from other NASes will not be lost because the primary is not
restarted on a NAS list change.

What do you think?





   From: freeradius-users-bounces+pawel=[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marinko Tarlac
   Sent: 23 January 2008 10:05
   To: FreeRadius users mailing list
   Subject: Re: NAS list update without restarting radius server.

   Well how many times per day do you add nases?

   On Jan 23, 2008 10:20 AM, liran tal [EMAIL PROTECTED] wrote:



   Hey Alan,


   On Jan 23, 2008 9:47 AM, Alan DeKok

RE: authenticating with PIN only not username and password.

2008-01-23 Thread Pawel Cieplinski
It's simple.

The PIN will be the username,
and the password will be hidden on the login page, e.g.:

<form name="login">
<input type="text" name="username">  <!-- your pin -->
<input type="hidden" name="password" value="default">  <!-- hidden password -->
</form>

And radius needs to store usernames (PINs) and passwords (default for all).

That's how I see it.

Pawel Cieplinski 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goke Aruna
 Sent: 23 January 2008 13:09
 To: freeradius-users@lists.freeradius.org
 Subject: authenticating with PIN only not username and password.
 
 hi all,
 
 Can someone give me an insight into how a user can
 authenticate from a hotspot with a 10-digit PIN number, not
 username and password.
 
 Thanks
 
 goksie
 
 



[no subject]

2008-01-23 Thread Pawel Cieplinski
Hi there
(it's me again :P)

Another problem:

How to assign users to a NAS?

In radcheck I have got entries for 4 users (A, B, C, D) and 2 NASes (I and II).

But I want to somehow assign users A and B to NAS I and users C and D to NAS
II

(eg: user C using NAS II should get Access-Reject - wrong username or
password)

I found out that it is possible using REALMS - check calling station id -
and separating databases: users A and B and NAS I are in sql1, and C, D, II in
sql2.
But doing it this way could be quite difficult in the long run.


The other option I have in mind is to add a record or table, match Usertable
and Nastable together, and change the SQL entries for authentication like:

Select * from radcheck where username=calling user and nas=calling station
(example).

Is there any simpler method to group users and NASes together?

Thanks for answering my stupid questions
Pawel Cieplinski
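
The mapping-table option from the message above, as an added example that is not part of the original post and not FreeRADIUS code: a join that returns a user's check items only when that user is assigned to the requesting NAS. The `user_nas` table, the `radcheck`/`nas` column layout, the sample addresses and passwords, and the choice to key on the NAS IP address are all assumptions made for the illustration.

```python
import hmac
import sqlite3

# Constructed schema: user_nas is a hypothetical mapping table.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,
                       attribute TEXT, op TEXT, value TEXT);
CREATE TABLE nas (id INTEGER PRIMARY KEY, nasname TEXT UNIQUE, shortname TEXT);
CREATE TABLE user_nas (username TEXT, nas_id INTEGER REFERENCES nas(id),
                       PRIMARY KEY (username, nas_id));
"""

# Bound parameters keep attacker-controlled User-Name values out of the SQL text.
CHECK_QUERY = """
SELECT rc.id, rc.username, rc.attribute, rc.value, rc.op
FROM radcheck rc
JOIN user_nas un ON un.username = rc.username
JOIN nas n ON n.id = un.nas_id
WHERE rc.username = ? AND n.nasname = ?
ORDER BY rc.id
"""

def build_db():
    """Constructed sample data: users A, B on NAS I; users C, D on NAS II."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO nas VALUES (?, ?, ?)",
                   [(1, "192.0.2.1", "I"), (2, "192.0.2.2", "II")])
    db.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        [(u, "Cleartext-Password", ":=", "pw-" + u) for u in "ABCD"])
    db.executemany("INSERT INTO user_nas VALUES (?, ?)",
                   [("A", 1), ("B", 1), ("C", 2), ("D", 2)])
    return db

def check_items(db, username, nas_ip):
    """Check items for the user, or [] if the user is not assigned to this NAS."""
    return db.execute(CHECK_QUERY, (username, nas_ip)).fetchall()

def decide(db, username, password, nas_ip):
    """Unknown user, wrong NAS and wrong password all give the same reject."""
    for _id, _user, attribute, value, _op in check_items(db, username, nas_ip):
        if attribute == "Cleartext-Password" and hmac.compare_digest(value, password):
            return "Access-Accept"
    return "Access-Reject"
```

Because an unassigned user yields no rows, the reject is indistinguishable from a wrong password, which matches the "wrong username or password" behaviour the message asks for.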



RE: NAS list update without restarting radius server.

2008-01-23 Thread Pawel Cieplinski
I won't be adding NASes, but users will, so I am thinking 0-10 a day.

Linking to a dynamic list using an interval is not a good solution, because I
will need to wait for the list update after adding a NAS.

The other solution I am thinking of is to run two instances of the server and
restart them in round robin and use iptables to redirect packets to the
currently working server.

The goal is to serve RADIUS to third parties as a service, so users will add
their own NASes, modify them, etc. At this stage I cannot really say how many
times a day I will need a restart, but I am also wondering about the
following solution:

Run two servers:

Primary and Secondary. The primary will be restarted once a day, and the
secondary every time the NAS list is changed. After adding a NAS the primary
will not respond (unknown NAS), so the NAS will ask the secondary instead.
Also, requests from other NASes will not be lost because the primary is not
restarted on a NAS list change.

What do you think?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marinko Tarlac
Sent: 23 January 2008 10:05
To: FreeRadius users mailing list
Subject: Re: NAS list update without restarting radius server.


Well how many times per day do you add nases? 


On Jan 23, 2008 10:20 AM, liran tal [EMAIL PROTECTED] wrote:



Hey Alan, 


On Jan 23, 2008 9:47 AM, Alan DeKok
[EMAIL PROTECTED] wrote:


liran tal wrote:
 Maybe freeradius can read the nas list from sql at startup to some
 linked list and this list will be updated every given interval with a query
 to the database.


 It's more complicated than that.  The NASes need to be deleted, too.
And this has to be done without affecting normal server operation.

 As always, patches are welcome.



Well, every given interval a query will run on the database server to get the
list of nases and it will build a new linked list based on that and delete
the other nodes and free the pointers of those.

I guess that coming up with a method to check against each nas if it's
there or not, and to remove or add it based on a check is do-able
but would probably face some efficiency issues where-as I think it
would be proper to create a new linked list with whatever nases that
query returns and free the previous linked list from memory.


I haven't had a look at the relevant code but it seems quite basic
to implement unless I'm over-seeing some critical aspects :-)

I'll be glad to take a look if you can refer me to the current piece
of code where freeradius handles the nas lists read from the database
and stores them.


Regards,
Liran Tal.







Re: NAS list with MySQL

2008-01-20 Thread Pawel Cieplinski
[EMAIL PROTECTED] wrote:

Hi


 
 with 1.1.x I believe you still need a single entry in clients.conf
 - a fake entry - e.g. 127.0.0.2 or it barfs. 2.0.0 doesn't have this
 issue
 
 alan
 -
Thanks, I managed to sort that out.

Can you tell me about stability in FreeRADIUS 2.0.0? I am preparing a project
for servers which will have to serve more than a few million entries (users) and
I am concerned about using the latest versions.

Pawel Cieplinski

