Re: Question on attributes
Hello Phil,

Thanks for your answer. I have these:

ATTRIBUTE Download 78 integer
ATTRIBUTE Upload 79 integer

in the /etc/freeradius/dictionary file, which is being included, as the debug showed:

including dictionary file /etc/freeradius/dictionary

on freeradius v2. Maybe I need to create a separate dictionary file and have an include on this file? What am I doing wrong?

2013/1/17 Phil Mayers p.may...@imperial.ac.uk:
> On 17/01/13 11:29, Tiago wrote:
>> Hello everyone,
>>
>> I'm struggling with something that should be simple to fix. I have a rp-pppoe NAS server here that correctly understands a few attributes (radreply) that come from freeradius 1.x (w/mysql database). Example: Download (for download rates) attribute
>>
>> Simple real example, from pppoe server:
>>
>> # cat /var/run/radattr.ppp479
>> Framed-Compression Van-Jacobson-TCP-IP
>> Framed-Protocol PPP
>> Framed-MTU 1500
>> Download 12000
>> Upload 3072
>
> Download and Upload aren't standard attributes. Where are these defined in dictionary files?
>
>> Sending Access-Accept of id 192 to NASPPPOE01 port 48956
>>         Framed-Protocol = PPP
>>         Framed-Compression = Van-Jacobson-TCP-IP
>>         Cliente = \000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
>>         Framed-MTU = 1500
>>         WISPr-Bandwidth-Max-Down = 256000
>>         WISPr-Bandwidth-Max-Up = 256000
>> Finished request 0.
>> Going to the next request
>>
>> What am I missing? It seems like the attributes are not being sent to the NAS, but I could be wrong.
>
> Correct. Check the attributes are actually defined in a dictionary on the 2.x installation; check raddb/dictionary on the 1.x installation, see if they were defined as custom VSAs or similar.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question on attributes
Alan,

Sorry, I did that. But I think I didn't understand it correctly, maybe due to English not being my first language. From the man page I have:

    The names have no meaning outside of the RADIUS server itself, and are never exchanged between server and clients. That is, editing the dictionaries will have NO EFFECT on anything other than the server that is reading those files. Adding new attributes to the dictionaries will have NO EFFECT on RADIUS clients, and will not make RADIUS clients magically understand those attributes. The dictionaries are solely for local administrator convenience, and are specific to each version of FreeRADIUS.

May I ask you a bit of patience helping me on this? So, can I conclude that adding attributes to the dictionary file will not make freeradius send those to the NAS? But are they necessary to create sql pairs and so get them from sql radreply?

Yet, in the dictionary file I have:

# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them here. The numbers you pick should be between
# 3000 and 4000.

So I didn't understand that: entries with 3000-4000 numbers aren't placed in the radius packet, can I conclude that the others are? But the man page says that attributes are never exchanged. So I'm a bit confused here. What do I need to do for the radius server to send the attributes that are collected from my mysql database (radreply attrib)?

Thanks again.

2013/1/17 Alan DeKok al...@deployingradius.com:
> Tiago wrote:
>> I have these:
>>
>> ATTRIBUTE Download 78 integer
>> ATTRIBUTE Upload 79 integer
>>
>> in the /etc/freeradius/dictionary file, which is being included, as the debug showed.
>
> They are wrong. Delete them.
>
>> including dictionary file /etc/freeradius/dictionary
>>
>> on freeradius v2. Maybe I need to create a separate dictionary file and have an include on this file? What am I doing wrong?
>
> The documentation describes how the dictionaries work. If you're editing the dictionary file, then READ IT. It contains DOCUMENTATION describing how to add new attributes.
>
> I honestly don't know why I write *any* documentation. It seems that the bulk of problems on this list are people who fanatically avoid all existing documentation.
>
> Alan DeKok.
Re: Question on attributes
Alan,

2013/1/17 Alan DeKok al...@deployingradius.com:
> Tiago wrote:
>> From the man page I have:
>
> Please don't quote the documentation here. I've read it.
>
>> May I ask you a bit of patience helping me on this? So, can I conclude that adding attributes to the dictionary file will not make freeradius send those to the NAS?
>
> That is what the documentation says.
>
>> But are they necessary to create sql pairs and so get them from sql radreply?
>
> I'm not sure what you mean by that.
>
>> So I didn't understand that: entries with 3000-4000 numbers aren't placed in the radius packet, can I conclude that the others are?
>
> No.
>
>> But the man page says that attributes are never exchanged. So I'm a bit confused here.
>
> It says the NAMES are never exchanged. NAMES. Not ATTRIBUTES.
>
>> What do I need to do for the radius server to send the attributes that are collected from my mysql database (radreply attrib)?
>
> Use attributes that are *supposed* to go into a RADIUS packet. It has nothing to do with MySQL. The attributes can come from anywhere.
>
> You can't simply invent attribute numbers. They are assigned via a controlled process. The numbers you used, 78 and 79, are *already* assigned to different attributes.
>
> You need to read the documentation for the PPPoE server to see which attributes it understands. There's also a dictionary.roaringpenguin file distributed with FreeRADIUS. It defines attributes for the RP PPPoE server, for upload and download rate limiting. Use that.

Thanks, can I add an attribute to dictionary.roaringpenguin besides the ones listed there? I'm asking that to avoid breaking my production environment. I saw there this (dictionary.roaringpenguin):

# Downstream speed limit in kb/s
ATTRIBUTE RP-Downstream-Speed-Limit 2 integer

Can I add at the end?

ATTRIBUTE Download 6 integer

Do I need to make any attribute number change on my pppoe/nas server for it to understand the new one defined here? I'm asking that because the old freeradius/pppoe are working using those attribute numbers, which are already defined by other attributes as you stated.

Thanks

> Alan DeKok.
Re: Question on attributes
2013/1/17 Phil Mayers p.may...@imperial.ac.uk:
> On 17/01/13 12:42, Tiago wrote:
>> Hello Phil,
>>
>> Thanks for your answer. I have these:
>>
>> ATTRIBUTE Download 78 integer
>> ATTRIBUTE Upload 79 integer
>>
>> in the /etc/freeradius/dictionary file, which is being included, as the debug showed:
>>
>> including dictionary file /etc/freeradius/dictionary
>>
>> on freeradius v2. Maybe I need to create a separate dictionary file and have an include on this file? What am I doing wrong?
>
> These attributes are already allocated; you've stolen them from the main attribute space, and are probably having problems with dictionary precedence - IIRC there were changes in this area in FR2.

Thanks for the clarification.

> The correct thing to do is either use a valid, allocated attribute, or assign your own from a valid, allocated enterprise number that you own.

Any suggestion/tip on how I can migrate from v1 to v2, considering that I have a few invalid attributes in production today (Download/Upload for example) that were implemented using the numbers I already mentioned here, so I don't need to mess with 11,000 customers' radreply attributes (that are configured with Download/Upload values) without a naming change? Maybe it will not be the best thing to do, but as a next step.

> What is processing these attributes? Since you are using rp-pppoe, I suspect you are using an ip-up script and processing them in shell script?
>
> In that case, find an allocated attribute with similar purpose, and use that. Use grep to search the dictionaries.

Yes, that's correct, it's being processed in ip-up.
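An added check, not code from the thread or from FreeRADIUS, that puts Phil's and Alan's point into runnable form: only the attribute number leaves the server, so a locally invented number is decoded by the peer as whatever the standard dictionary assigns to that number, and a number in the 3000-4000 range cannot be encoded at all. The registry excerpt, the sample dictionary lines and the vendor id are constructed placeholders; only the three numbers from the thread (78, 79, 86) are checked against their RFC assignments.

```python
"""Audit FreeRADIUS-style ATTRIBUTE lines against the standard RADIUS number
space and show what a peer actually sees on the wire (number, never name)."""
import struct

# Constructed excerpt of the IANA RADIUS attribute registry. Only the numbers
# relevant to this thread are listed, so "not in this table" is not "free".
ALLOCATED = {
    1: "User-Name",
    2: "User-Password",
    26: "Vendor-Specific",
    78: "Configuration-Token",       # RFC 2869
    79: "EAP-Message",               # RFC 2869
    80: "Message-Authenticator",     # RFC 2869
    86: "Acct-Tunnel-Packets-Lost",  # RFC 2867
}
LOCAL_ONLY = range(3000, 4001)   # server-internal range from the dictionary comment
VENDOR_ID_PLACEHOLDER = 65535    # placeholder: use the enterprise number you own


def parse_dictionary(text):
    """Return [(name, number, type)] for every ATTRIBUTE line; comments ignored."""
    found = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0].upper() == "ATTRIBUTE":
            found.append((parts[1], int(parts[2]), parts[3]))
    return found


def fits_on_wire(number):
    """True when the number fits the one-byte type field of a standard attribute."""
    return 1 <= number <= 255


def classify(name, number):
    """Explain what happens to a locally defined attribute number."""
    if number in LOCAL_ONLY:
        return f"{name} {number}: server-internal, never placed in a packet"
    if number in ALLOCATED:
        return (f"{name} {number}: collides with {ALLOCATED[number]}; a peer "
                f"decoding type {number} sees {ALLOCATED[number]}")
    if fits_on_wire(number):
        return f"{name} {number}: wire number not in this excerpt; check IANA first"
    return f"{name} {number}: does not fit the one-byte RADIUS type field"


def audit(text):
    return [classify(name, number) for name, number, _ in parse_dictionary(text)]


def encode_int_attr(number, value):
    """RFC 2865 TLV for an integer attribute: Type | Length=6 | 32-bit value."""
    if not fits_on_wire(number):
        raise ValueError(f"attribute {number} cannot be encoded in a RADIUS packet")
    return struct.pack("!BBI", number, 6, value)


def encode_int_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26) carrying Vendor-Id | vendor type | vendor len | value."""
    inner = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", 26, 6 + len(inner), vendor_id) + inner


def decode_attr(data):
    """Decode one TLV using only the standard table; returns (name, value)."""
    number, length = data[0], data[1]
    if number == 26:
        vendor_id = struct.unpack("!I", data[2:6])[0]
        vtype, vlen = data[6], data[7]
        return f"Vendor-{vendor_id}-Attr-{vtype}", int.from_bytes(data[8:6 + vlen], "big")
    name = ALLOCATED.get(number, f"Attr-{number}")
    return name, int.from_bytes(data[2:length], "big")


SAMPLE_DICTIONARY = """\
# constructed excerpt mirroring the dictionary edits discussed in the thread
ATTRIBUTE Download 78 integer
ATTRIBUTE Upload 79 integer
ATTRIBUTE Shape 86 integer
ATTRIBUTE My-Local-Flag 3000 integer
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_DICTIONARY):
        print(line)
    # "Download 78" leaves the server as type 78; a standard decoder reads Configuration-Token
    print(decode_attr(encode_int_attr(78, 12000)))
    # the same value as a VSA, the way dictionary.roaringpenguin-style attributes travel
    print(decode_attr(encode_int_vsa(VENDOR_ID_PLACEHOLDER, 2, 12000)))
```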
Re: New attribute on old freeradius server
Thanks Alan,

So basically the correct way would be to create a vendor dict, and there can I use any number or do I need to follow some guideline?

2012/10/20 Alan DeKok al...@deployingradius.com:
> Tiago wrote:
>> I think it's not my case, because I'll need to get these attributes on my NAS (rp-pppoe server) and with it set Down/Up rates for my customer. Am I right? If yes, which number should I use?
>
> You use the numbers as defined in the dictionary on the NAS. If it has an Up/Down rate attribute, use that.
>
>> By the way, I'm setting the same attr on freeradius and NAS server.
>
> You should create a vendor-specific dictionary, and define the attribute there.
>
> Alan DeKok.
Re: New attribute on old freeradius server
Hello,

Since my last message, I've created a new attribute on an old freeradius server (ver 1.x) and it worked perfectly. Now I've migrated to freeradius 2.x and I need to put the same old attributes into production. However, per Alan's instructions I should use attr 3000,... and reading the dictionary file it says:

# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them here. The numbers you pick should be between
# 3000 and 4000.

I think it's not my case, because I'll need to get these attributes on my NAS (rp-pppoe server) and with it set Down/Up rates for my customer. Am I right? If yes, which number should I use?

By the way, I'm setting the same attr on freeradius and NAS server.

Thanks in advance.

2012/8/2 Alan DeKok al...@deployingradius.com:
> Tiago wrote:
>> I'm trying to implement a new radreply attribute on an old freeradius 1.x production server that should be replaced in the next days.
>>
>> I've set a user attribute on my mysql database - table radreply like:
>>
>> Shape = 1
>>
>> I've added that new attribute to my dictionary file /etc/freeradius/dictionary (ubuntu server) like:
>>
>> .
>> ..
>> ATTRIBUTE Shape 86 integer
>
> No. Attribute 86 is already defined. Don't use it. Use 3000 instead. This is documented in newer versions of the server.
>
>> I'm doing some radtests and I'm getting this:
>>
>> Thu Aug 2 14:43:49 2012 : Error: rlm_sql: Failed to create the pair: Unknown attribute Shape
>> Thu Aug 2 14:43:49 2012 : Error: rlm_sql (sql): Error getting data from database
>> Thu Aug 2 14:43:49 2012 : Auth: Login OK: [user] (from client pppoe02 port 0)
>>
>> Where else should I look?
>
> Well... the server isn't reading the dictionary file you edited.
>
> Alan DeKok.
New attribute on old freeradius server
Hello everyone,

I'm trying to implement a new radreply attribute on an old freeradius 1.x production server that should be replaced in the next days.

I've set a user attribute on my mysql database - table radreply like:

Shape = 1

I've added that new attribute to my dictionary file /etc/freeradius/dictionary (ubuntu server) like:

.
..
ATTRIBUTE Shape 86 integer

I'm doing some radtests and I'm getting this:

Thu Aug 2 14:43:49 2012 : Error: rlm_sql: Failed to create the pair: Unknown attribute Shape
Thu Aug 2 14:43:49 2012 : Error: rlm_sql (sql): Error getting data from database
Thu Aug 2 14:43:49 2012 : Auth: Login OK: [user] (from client pppoe02 port 0)

Where else should I look?

Kind regards,
Tiago
Stuck on very basic freeradius setup
Hello,

I've just installed freeradius 2.x on an ubuntu server 12.04 with apt-get. I've followed the documentation and I'm stuck on a very basic setup (pap auth). Basically I'm testing the default config using the users file to test auth with radtest. So, here is the thing:

users file - first line:
teste Cleartext-Password:=teste

I'm running freeradius in debug mode, here is the error log:

rad_recv: Access-Request packet from host 127.0.0.1 port 38134, id=101, length=57
        User-Name = teste
        User-Password = teste
        NAS-IP-Address = 201.x.x.x
        NAS-Port = 0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = teste, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry teste at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password teste
[pap] No password configured for the user. Cannot do authentication
++[pap] returns fail
Failed to authenticate the user.
Login incorrect: [teste/teste] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> teste
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

My radtest command:

radtest teste teste 127.0.0.1 0 testing123

Ok, is that so obvious that I'm blind? Is pap auth looking for another file instead of the users file? What am I missing?

Thanks people.
Re: Stuck on very basic freeradius setup
No, still getting errors, but it sends the reply message:

[pap] login attempt with password davis45
[pap] No password configured for the user. Cannot do authentication
++[pap] returns fail
Failed to authenticate the user.
Login incorrect: [miles/davis45] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> miles
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 230 to 127.0.0.1 port 59377
        Reply-Message = Hello, miles

2012/7/3 Andreas Meyer anme...@anup.de
> Hello!
>
> Tiago syt...@gmail.com wrote:
>> Hello,
>>
>> I've just installed freeradius 2.x on an ubuntu server 12.04 with apt-get. I've followed the documentation and I'm stuck on a very basic setup (pap auth). Basically I'm testing the default config using the users file to test auth with radtest. So, here is the thing:
>>
>> users file - first line:
>> teste Cleartext-Password:=teste
>
> My entry in the users file looks like this:
>
> miles   Cleartext-Password := davis45
>         Reply-Message = Hello, %{User-Name}
>
> Does this help?
>
> Andreas
Re: Stuck on very basic freeradius setup
Hello Fajar,

Yes, I did, here is my users file:

teste   Cleartext-Password := teste
miles   Cleartext-Password := davis45
        Reply-Message = Hello, %{User-Name}

The only entry referring to the users file is this when I run freeradius -X:

Module: Linked to module rlm_files
Module: Instantiating module files from file /etc/freeradius/modules/files
 files {
        usersfile = /etc/freeradius/users
        acctusersfile = /etc/freeradius/acct_users
        preproxy_usersfile = /etc/freeradius/preproxy_users
        compat = no
 }

2012/7/3 Fajar A. Nugraha l...@fajar.net
> On Tue, Jul 3, 2012 at 8:53 PM, Tiago syt...@gmail.com wrote:
>> No, still getting errors, but it sends the reply message:
>>
>> [pap] login attempt with password davis45
>> [pap] No password configured for the user. Cannot do authentication
>
> Did you do what John suggests, add spaces like the example in the users file? What does your entry currently look like? Did the debug log show it's reading that users file?
>
> --
> Fajar
Re: Stuck on very basic freeradius setup
Sorry, here is my complete debug log: http://pastebin.com/dYWb5tDs

2012/7/3 Fajar A. Nugraha l...@fajar.net
> On Tue, Jul 3, 2012 at 9:20 PM, Tiago syt...@gmail.com wrote:
>> Hello Fajar,
>>
>> Yes, I did, here is my users file:
>>
>> teste   Cleartext-Password := teste
>> miles   Cleartext-Password := davis45
>>         Reply-Message = Hello, %{User-Name}
>>
>> The only entry referring to the users file is this when I run freeradius -X:
>>
>> Module: Linked to module rlm_files
>> Module: Instantiating module files from file /etc/freeradius/modules/files
>>  files {
>>         usersfile = /etc/freeradius/users
>>         acctusersfile = /etc/freeradius/acct_users
>>         preproxy_usersfile = /etc/freeradius/preproxy_users
>>         compat = no
>>  }
>
> Then read the rest of the debug log. It should print (in the authorize phase) which lines matched, and you can compare whether it's the correct line. Since you cut that part, no one else will be able to help you.
>
> --
> Fajar
Re: Stuck on very basic freeradius setup
Alan,

My first message had that data, I'm pasting it here again - after the "Ready to process requests" line, thanks.

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 44400, id=204, length=57
        User-Name = miles
        User-Password = davis45
        NAS-IP-Address = 201.23.200.7
        NAS-Port = 0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = miles, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry miles at line 3
[files] expand: Hello, %{User-Name} -> Hello, miles
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password davis45
[pap] No password configured for the user. Cannot do authentication
++[pap] returns fail
Failed to authenticate the user.
Login incorrect: [miles/davis45] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> miles
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 204 to 127.0.0.1 port 44400
        Reply-Message = Hello, miles
Waking up in 4.9 seconds.
Cleaning up request 0 ID 204 with timestamp +10
Ready to process requests.

2012/7/3 alan buxey a.l.m.bu...@lboro.ac.uk
> Hi,
>
>> Sorry, here is my complete debug log: http://pastebin.com/dYWb5tDs
>
> no it isn't. that's not complete - that's just the startup... where is the actual log when an event happens.. this debug log just ends with
>
> Listening on authentication address * port 1812
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.
>
> and please don't use pastebin etc - just post the full output to this list. it's not big, it's just simple and easy for us to help you then.
>
> alan
Re: Stuck on very basic freeradius setup
Hello,

Even removing the users file and recreating it didn't work (same error). I did a purge/reinstall and it solved the problem O.o. Well, thanks very much for the help!

2012/7/3 Fajar A. Nugraha l...@fajar.net
> On Tue, Jul 3, 2012 at 10:13 PM, Tiago syt...@gmail.com wrote:
>> Alan,
>>
>> My first message had that data, I'm pasting it here again - after the "Ready to process requests" line, thanks.
>
> It works on my setup.
>
>> [files] users: Matched entry miles at line 3
>> [files] expand: Hello, %{User-Name} -> Hello, miles
>> ++[files] returns ok
>
> Check your users file again. If you don't have empty lines on top, and your users file is what you pasted earlier, it should say line 2 instead of line 3. Recreate from scratch if necessary.
>
> My users file is like this
>
> #===
> testuser1       Cleartext-Password := testpass
> testuser2       Cleartext-Password := testpass
>                 Reply-Message := Hello %{User-Name}
> #===
>
> and doing a radtest testuser2 testpass 127.0.0.1 0 testing123 gets me
>
> #==
> [files] users: Matched entry testuser2 at line 2
> [files] expand: Hello %{User-Name} -> Hello testuser2
> ++[files] returns ok
> #==
>
> Maybe it's an extra line in your users file, or a tab vs space issue, or something else that I don't know about. Try copy-paste from mine (minus the comment mark), and see if you get the correct line (which is line 2 in my example).
>
> ... and if you've modified anything else in the config files, better start from scratch (e.g. apt-get purge, apt-get install) just to be sure.
>
> --
> Fajar
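An added example, not from the thread, of reading a users file the way the debug line `[files] users: Matched entry <name> at line N` reports it, so the line number in the debug output can be compared with the file as Fajar suggests. The two sample files are constructed: one in the spaced layout Fajar and Andreas showed, one with the unspaced `Cleartext-Password:=` form from the first post; this parser's item grammar is a simplification of the server's own.

```python
"""Parse FreeRADIUS users-file entries the way the files module reports them
("Matched entry <name> at line N") and flag layout slips discussed above."""
import re

# Longer operators first so "==" and ":=" are tried before a bare "=".
OPERATORS = (":=", "==", "!=", "+=", "=~", "!~", "=*", "!*", "<=", ">=", "=", "<", ">")
ITEM_RE = re.compile(r"^([\w-]+)\s+(" + "|".join(map(re.escape, OPERATORS)) + r")\s+(.+)$")


def _split_items(chunk):
    """Split a comma-separated item list, leaving commas inside quotes alone."""
    items, buf, quoted = [], [], False
    for ch in chunk:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [item.strip() for item in items if item.strip()]


def _parse_items(chunk, lineno, entry):
    """Parse 'Attr op value' items; this parser expects spaces around the operator."""
    parsed = []
    for item in _split_items(chunk):
        m = ITEM_RE.match(item)
        if m:
            parsed.append((m.group(1), m.group(2), m.group(3).strip().strip('"')))
        else:
            entry["problems"].append(f"line {lineno}: cannot parse {item!r}")
    return parsed


def parse_users(text):
    """Return entries: name, line (as the files module reports it), check, reply, problems."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank or comment line
        if raw[0] in " \t":                           # indented: reply items of last entry
            if not entries:
                raise ValueError(f"line {lineno}: reply item before any entry")
            entry = entries[-1]
            entry["reply"].extend(_parse_items(raw.strip(), lineno, entry))
            continue
        parts = raw.split(None, 1)                    # first column is the entry name
        entry = {"name": parts[0], "line": lineno, "check": [], "reply": [], "problems": []}
        entry["check"] = _parse_items(parts[1] if len(parts) > 1 else "", lineno, entry)
        entries.append(entry)
    return entries


def find_entry(text, username):
    """First entry the files module would match: exact name or DEFAULT (simplified)."""
    for entry in parse_users(text):
        if entry["name"] in (username, "DEFAULT"):
            return entry
    return None


# Constructed users files: the layout Fajar and Andreas showed, and the
# one-line form from the first post (no spaces around the operator).
USERS_OK = (
    'teste\tCleartext-Password := "teste"\n'
    'miles\tCleartext-Password := "davis45"\n'
    '\tReply-Message = "Hello, %{User-Name}"\n'
)
USERS_SUSPECT = (
    "\n"
    'teste Cleartext-Password:="teste"\n'
)

if __name__ == "__main__":
    print(find_entry(USERS_OK, "miles"))
    for entry in parse_users(USERS_SUSPECT):
        print(entry["name"], "at line", entry["line"], entry["problems"])
```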
two freeradius + 1 db server
Hello again,

I'm building a scenario that initially should have:

- two redundant freeradius
- one mysql server (soon will be a clustered server)

Should I be aware of something? I mean, if requests go to both servers, will one specific customer auth session be handled only by the specific freeradius server that received the request? I'm concerned to avoid any kind of inconsistency in my db data.

Thanks
Freeradius Server Performance Provisioning
Hello there,

We are using Freeradius for about four years now, and it has proven a robust and reliable AAA solution. In our actual setup, we don't use Interim updates. As our needs changed over time, it's now imminent for us to use the Interim feature, so we've done some tests and statistics.

We have an average of 7K simultaneously connected users, of 15K in total. Our growth is about 150 users per month.

In our first test, we set our NASses to send updates with 1 minute frequency, which resulted in about 100 update queries per second. Our server didn't manage to handle that volume of activity, and when using vmstat to measure the performance, we noticed that our problem was related to interrupts per second and context switches, with both parameters at levels of about 3000. Since each query takes about 0,016 seconds to execute, we need 1,6 seconds to handle 1 second of activity.

Our current server configuration is a Quad core Xeon 3400, with 2GB RAM, and a RAID 0 array of 2 disks running MySQL as database backend.

Later we set our Interim update to 5 minutes, so we ended with an average of 20 update queries per second, and interrupts per second and context switches at about 800 with 1200 peaks.

I'm no DBA, so I've done as much tuning as I could learn from MySQL documentation and user forums. But I feel that our database could be tuned a little more. In addition, we're planning to upgrade the server.

So I ask you guys for some advice on MySQL tuning and server provisioning to do the AAA of about 25000 users with the 5 minute Interim.

Much thanks,

Tiago Ratto
t...@friistelecom.com.br
IT - Friis Telecom
http://www.friistelecom.com.br
How to run a script after the host disconnect?
Hi,

As Exec-Program-Wait runs before the connection has stabilized, I need to run a script after the host disconnects. I'm using Freeradius 2.1.3 and Mikrotik's PPPoE-Server. Could someone help me?

Thanks
Tiago Resende
Re: CHAP/MS-CHAP/MS-CHAPv2 + LDAP problem
On Thu, 2005-09-01 at 12:32 +0300, Vilius Šumskas wrote:
> Hello,
>
> I'm having trouble authenticating from a VPN box through the Radius server to LDAP. My VPN uses the MS-CHAP challenge/response system for authentication. The packet that comes from the VPN to the Radius server looks like this:
>
> User-Name = admin
> MS-CHAP-Challenge = 0x45bc0700dd22f6795f77bbe0d986328c
> MS-CHAP2-Response = 0x0100313396a8ea58cd1155c817c50a00715bb03e5340a5ae3c2ac4e9408d57eae02fcfdbffab3f983a1b
> NAS-Port = 0
> NAS-Port-Type = Virtual
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 10.1.1.202
>
> But Radius can't authenticate to LDAP as there is no User-Password attribute in the packet. (rlm_ldap: Attribute User-Password is required for authentication).

insert the NT-Password (ntPassword) attribute into the ldap user. this attribute is filled with an NT hash value, example:

password: test
NT Hash: 0CB6948805F797BF2A82807973B89537

> Is there a way to do this authentication and NOT turn off the MS-CHAP protocol in the VPN box? Are there some kind of preauth hooks in Radius?
>
> I'm using freeradius-1.0.1-1.1.RHEL3 with openldap-2.0.27-17 and Netware 6.0 Directory Services.
>
> P.S. I tried to turn off the MS-CHAP protocol and it works great with PAP or plain-text passwords. So everything is configured to work well with LDAP.
Re: proxy reply attributes
hi,

On Fri, 2005-04-22 at 12:46 -0400, Alan DeKok wrote:
> Tiago Fernandes [EMAIL PROTECTED] wrote:
>> pre-proxy {
>> ...
>>         pre_proxy_filter
>
> That filters attributes BEFORE the packet is sent to the home server.
>
>> so with this config, i say that any attributes Tunnel-* in proxy reply packets are removed (i suppose).
>
> Don't suppose. Read the debugging output of the server.
>
>> Is this config right ? What can be the problem ?? Any ideas ??
>
> The config is wrong for what you say you want to do. The debug output of the server would tell you this.

right. So what i want is to tell the home server to remove some attributes from a reply, if that reply is going to be sent to a specific proxy server. How can i do this ?? can't find any config to do this in radiusd.conf or other file...

> To debug problems like this, run it in debugging mode, and read the output. All of it.

done

> Alan DeKok.
Re: proxy reply attributes
hi.

i have configured radius.conf with these lines:

modules {
...
        attr_filter pre_proxy_filter {
                attrsfile = ${confdir}/attrs_out
        }
...
}

pre-proxy {
...
        pre_proxy_filter
...
}

config of the file attrs_out:

DEFAULT
        Tunnel-Type !* ANY,
        Tunnel-Medium-Type !* ANY,
        Tunnel-Private-Group-ID !* ANY

so with this config, i say that any attributes Tunnel-* in proxy reply packets are removed (i suppose). the problem is that freeradius isn't removing any of these attributes.

Is this config right ? What can be the problem ?? Any ideas ??

thanks,
Tiago Fernandes

On Thu, 2005-04-14 at 12:54 -0400, Alan DeKok wrote:
> Tiago Fernandes [EMAIL PROTECTED] wrote:
>> what i want to know, is if it's possible to configure the freeradius in the proxied servers to only send necessary attributes in replies, even if the attr_filter is configured in the server that is going to send back only allowed attributes.
>
> That's what attr_filter does. Use it.
>
> Alan DeKok.
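An added model, not code from the thread or from FreeRADIUS, of the attrs-file rules attr_filter evaluates, applied to a constructed proxied request and a constructed home-server reply. The rule semantics in the comments are assumptions; what the run shows is Alan's point from the reply above: a filter placed in pre-proxy sees the request going out to the home server, which carries no Tunnel-* attributes, so the attrs_out rules remove nothing there.

```python
"""Model the attrs-file rules that attr_filter evaluates and apply them to a
constructed request and reply, to show which packet a pre-proxy filter sees."""

# Assumed rule semantics (simplified from the attrs file format):
#   '!*'  the attribute is never allowed
#   '=*'  allowed with any value
#   '=='  allowed only with exactly this value
#   '!='  allowed with any value except this one
#   an attribute with no rule at all is dropped
TUNNEL_PREFIX = "Tunnel-"


def parse_attrs(text):
    """Turn 'DEFAULT' plus indented 'Attr op value,' lines into [(attr, op, value)]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",")
        if not line or line.upper() == "DEFAULT":
            continue
        attr, op, value = line.split(None, 2)
        rules.append((attr, op, value.strip('"')))
    return rules


def allowed(rules, attr, value):
    """Decide whether one attribute/value pair passes the rule set."""
    matching = [(op, v) for a, op, v in rules if a == attr]
    if not matching or any(op == "!*" for op, _ in matching):
        return False
    return any(op == "=*" or (op == "==" and v == value) or (op == "!=" and v != value)
               for op, v in matching)


def filter_pairs(rules, pairs):
    """Attribute/value pairs that survive the filter, in order."""
    return [(a, v) for a, v in pairs if allowed(rules, a, v)]


def removed_tunnel_attrs(rules, pairs):
    """Names of Tunnel-* attributes the filter actually strips from `pairs`."""
    kept = set(filter_pairs(rules, pairs))
    return [a for a, v in pairs if a.startswith(TUNNEL_PREFIX) and (a, v) not in kept]


ATTRS_OUT = """\
# constructed attrs file in the style of the one quoted in the thread
DEFAULT
        Tunnel-Type !* ANY,
        Tunnel-Medium-Type !* ANY,
        Tunnel-Private-Group-ID !* ANY,
        Reply-Message =* ANY,
        Framed-Protocol == PPP
"""

# Constructed packets: what goes OUT to the home server at pre-proxy time,
# and what comes BACK from it. Only the reply carries the Tunnel-* VLAN attributes.
PROXIED_REQUEST = [("User-Name", "alice"), ("NAS-Port", "0")]
HOME_SERVER_REPLY = [("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"),
                     ("Tunnel-Private-Group-ID", "42"), ("Reply-Message", "welcome"),
                     ("Framed-Protocol", "PPP"), ("Framed-MTU", "1500")]

if __name__ == "__main__":
    rules = parse_attrs(ATTRS_OUT)
    # Hooked into pre-proxy, the rules run against the request: nothing Tunnel-* to remove.
    print("pre-proxy strips:", removed_tunnel_attrs(rules, PROXIED_REQUEST))
    # The same rules applied to the reply do remove the VLAN attributes.
    print("reply filter strips:", removed_tunnel_attrs(rules, HOME_SERVER_REPLY))
    print("reply after filter:", filter_pairs(rules, HOME_SERVER_REPLY))
```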
Re: proxy reply attributes
On Wed, 2005-04-13 at 12:51 -0400, Alan DeKok wrote:
> Tiago Fernandes [EMAIL PROTECTED] wrote:
>> I know that it's possible in freeradius to set attributes to a default value when a local freeradius is proxying an auth request (attr_filter).
>
> Ok...
>
>> But what i want to do, is to prevent those attributes from getting out in the proxy reply (like the vlan attribute), when a local freeradius A is contacted by an external freeradius B.
>
> Have you tried attr_filter?

yes... attr_filter comment in radiusd.conf:

# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.

so attr_filter works only for attributes that are received in replies from proxied servers. what i want to know, is if it's possible to configure the freeradius in the proxied servers to only send necessary attributes in replies, even if the attr_filter is configured in the server that is going to send back only allowed attributes.

> Alan DeKok.

thanks,
Tiago Fernandes
proxy reply attributes
hi,

I know that it's possible in freeradius to set attributes to a default value when a local freeradius is proxying an auth request (attr_filter). But what i want to do, is to prevent those attributes from getting out in the proxy reply (like the vlan attribute), when a local freeradius A is contacted by an external freeradius B.

Is it possible to do this in the freeradius config ??

thanks,
Tiago Fernandes
Re: dialupAccess attribute - access denied by default
On Fri, 10 Sep 2004 15:52:39 +0100 Hugo Sousa [EMAIL PROTECTED] wrote:
> Does anyone know why this message "dialupAccess attribute - access denied by default" appears?

comment the line in radiusd.conf with access_attr, restart freeradius and see if the message appears again.

Tiago Fernandes

> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=office,dc=netsystems,dc=PT, with filter (sAMAccountName=hugo.sousa)
> rlm_ldap: no dialupAccess attribute - access denied by default
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap returns userlock for request 28
>
> Regards,
> Hugo Sousa
> SysAdmin / NetworkAdmin
> http://www.netsystems.pt
> Portugal
Re: LDAP (continued...)
viva,

On Thu, 9 Sep 2004 19:06:22 +0100 Hugo Sousa [EMAIL PROTECTED] wrote:
> My Windows 2000 domain is office.netsystems.pt. The user I'm using is administrator. Is this wrong?
>
> ldap {
>         server = 192.168.2.1
>         identity = cn=administrator,dc=office,dc=netsystems,dc=pt
>         password = password

if you are using "password", try to use just password without ""

>         basedn = dc=office,dc=netsystems,dc=PT
>         filter = (uid=%{Stripped-User-Name:-%{User-Name}})
>         # base_filter = (objectclass=radiusprofile)
>         (...)
> }
>
> Something is wrong because I'm getting:
>
> rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap returns fail for request 0
>
> What should I change to correct this problem?
>
> Thanks.
>
> Regards,
> Hugo Sousa
Re: PEAP LDAP
hi.

try to add the ntPassword attribute or lmPassword to your ldap schema. define the ntPassword attribute for the user, using smbencrypt to generate the password hash.

Tiago Fernandes

On Tue, 10 Aug 2004 10:03:30 +0200 Alexandre Durand [EMAIL PROTECTED] wrote:
> So how do I configure the password so it works?? Because i configured a clear password in the LDAP database but it doesn't work. Can you explain to me in detail what i have to do. In radiusd.conf i put in the ldap section :
>
> password_attribute = userPassword
>
> So i test freeradius with many authentication methods like TTLS, TLS,... but only PEAP doesn't work for me in LDAP mode. For example TTLS/LDAP works fine !! PEAP works without LDAP for me.
>
> Thanks for your help
>
> ----- Original Message -----
> From: Alan DeKok [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, August 09, 2004 11:06 PM
> Subject: Re: PEAP LDAP
>
>> Alexandre Durand [EMAIL PROTECTED] wrote:
>>> I want to make a PEAP authentication between Win XP, openldap, and freeradius. I have a problem between mschapv2 and openldap. Indeed, I made a test with PEAP without openldap and it works. But if i want to use openldap + freeradius with peap i get an error in the eap-mschap module of freeradius. The error is :
>>>
>>> rlm_mschap: No User-Password configured. Cannot create LM-Password.
>>
>> So... configure a password.
>>
>>> So, in my Openldap i specified a clear password for my users.
>>
>> I'm not sure what you mean by that.
>>
>> In any case, stop trying to use PEAP. Instead, test your existing configuration with PAP requests, sent in via radtest. If you can get clear-text passwords from OpenLDAP to do PAP, you can do PEAP.
>>
>> Alan DeKok.
Re: PEAP LDAP
On Tue, 10 Aug 2004 14:30:48 +0200 Alexandre Durand [EMAIL PROTECTED] wrote:
> i opened the ldap.attrmap file and i can see 2 lines :
>
> checkItem   LM-Password   lmPassword
> checkItem   NT-Password   ntPassword
>
> So?

right. that is for freeradius to know how radius attributes correspond to ldap attributes.

> And in my schema file i can't see lmpassword or ntpassword !!!

see the attachment and apply the patch to your radius schema (RADIUS-LDAPv3.schema), to get lmPassword and ntPassword.

> ----- Original Message -----
> From: Alexandre Durand [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, August 10, 2004 2:09 PM
> Subject: Re: PEAP LDAP
>
>> Am I obliged to install samba to get a schema with lmPassword or ntPassword !! So, how can i resolve my problem without Samba ?
>>
>> ----- Original Message -----
>> From: Tiago Fernandes [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Sent: Tuesday, August 10, 2004 12:46 PM
>> Subject: Re: PEAP LDAP

Attachment: patch-RADIUS-LDAPv3.schema+samba_password.diff.gz
Re: FreeRADIUS + OpenLDAP schema
On Mon, 05 Jul 2004 18:39:34 +0530 Saket Sathe [EMAIL PROTECTED] wrote:
> Hi Guys,
>
> Does the LDAP schema that comes with F
 reeRADIUS work with OpenLDAP ?

yes. did you use the RADIUS-LDAPv3.schema ??

> Coz the first line says it is a Netscape directory schema..
>
> Thanks,
> Saket

Tiago Fernandes