Re: NAS IPs in LDAP?

2007-09-26 Thread Turbo Fredriksson
 Alan == Alan DeKok [EMAIL PROTECTED] writes:

Alan Jorgen Lundman wrote:
 Is it possible to also store the NAS IPs in LDAP, so changes
 can be done centrally?

Alan   Not without source code patches.

Isn't this 'radiusClientIPAddress' (RADIUS attribute 'Client-IP-Address')?

'Client-IP-Address. Matches the IP address of the client in the request.'
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RADIUS-LDAPv3.schema attribute description(s)

2007-09-14 Thread Turbo Fredriksson
Quoting Turbo Fredriksson [EMAIL PROTECTED]:

 Is there any documentation of the attributes in the LDAP
 schema?

 I'm trying to write a GUI manager for RADIUS (actually a
 'plugin' to my http://phpQLAdmin.com) but I don't know
 how to write the lead text to the form...

Cross referencing with the ldap.attrmap, I managed to make
the following patch. But a DESCription like:

DESC 'replyItem: Reply-Message'

for the LDAP attribute 'radiusReplyMessage', it kind'a sucks.
Maybe there's better documentation for the RADIUS attribute.
I'll check...


But that still leaves no mapping for the following RADIUS
attributes:

  dialupAccess
  radiusArapFeatures
  radiusArapSecurity
  radiusArapZoneAccess
  radiusClientIPAddress
  radiusGroupName
  radiusHint
  radiusHuntgroupName
  radiusLoginTime
  radiusPasswordRetry
  radiusProfileDn
  radiusPrompt
  radiusProxyToRealm
  radiusRealm
  radiusReplicateToRealm
  radiusStripUserName
  radiusTunnelAssignmentId
  radiusTunnelClientEndpoint
  radiusTunnelMediumType
  radiusTunnelPassword
  radiusTunnelPreference
  radiusTunnelPrivateGroupId
  radiusTunnelServerEndpoint
  radiusTunnelType
  radiusUserCategory
  radiusVSA

At least, they aren't referenced in ldap.attrmap. Oversight, or are these
LDAP attributes deprecated (or not implemented)?

One I recognize is 'radiusRealm'. Must be the RADIUS attribute 'Realm',
right? Shouldn't that be in ldap.attrmap?


If someone could finish the line(s) above ({reply,check}Item) and the
corresponding RADIUS attribute, I'm happy to produce a good patch for
this...

--- ./doc/examples/openldap.schema.orig	2007-09-14 09:27:51.0 +
+++ ./doc/examples/openldap.schema	2007-09-14 09:51:43.0 +
@@ -35,7 +35,7 @@
 attributetype
( 1.3.6.1.4.1.3317.4.3.1.44
  NAME 'radiusAuthType'
- DESC ''
+ DESC 'checkItem: Auth-Type'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
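Review bot: the DESC text in this hunk (and in every hunk that follows) records the ldap.attrmap role and RADIUS attribute name, 'checkItem: Auth-Type', rather than describing what the attribute means, so the schema now duplicates ldap.attrmap and will silently drift if that file changes; keep the prefix, since it is machine-readable for the GUI, but add a short human description after it and document the 'checkItem:'/'replyItem:' convention in a comment at the top of the schema so tools can rely on it. For this particular attribute the description should also say that the check item selects the authentication method FreeRADIUS uses for the entry, which is a reason to restrict who may write it in the directory.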
@@ -44,7 +44,7 @@
 attributetype
( 1.3.6.1.4.1.3317.4.3.1.4
   NAME 'radiusCallbackId'
-  DESC ''
+  DESC 'replyItem: Callback-Id'
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE
@@ -53,7 +53,7 @@
 attributetype
( 1.3.6.1.4.1.3317.4.3.1.5
   NAME 'radiusCallbackNumber'
-  DESC ''
+  DESC 'replyItem: Callback-Number'
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE
@@ -62,7 +62,7 @@
 attributetype
( 1.3.6.1.4.1.3317.4.3.1.6
   NAME 'radiusCalledStationId'
-  DESC ''
+  DESC 'checkItem: Called-Station-Id'
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE
@@ -71,7 +71,7 @@
 attributetype
( 1.3.6.1.4.1.3317.4.3.1.7
   NAME 'radiusCallingStationId'
-  DESC ''
+  DESC 'checkItem: Calling-Station-Id'
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE
@@ -80,7 +80,7 @@
 attributetype
( 1.3.6.1.4.1.3317.4.3.1.8
   NAME 'radiusClass'
-  DESC ''
+  DESC 'replyItem: Class'
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
@@ -97,7 +97,7 @@
 attributetype
( 1.3.6.1.4.1.3317.4.3.1.9
   NAME 'radiusFilterId'
-  DESC ''
+  DESC 'replyItem: Filter-Id'
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
@@ -105,7 +105,7 @@
 attributetype
( 1.3.6.1.4.1.3317.4.3.1.10
   NAME 'radiusFramedAppleTalkLink'
-  DESC ''
+  DESC 'replyItem: Framed-AppleTalk-Link'
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE
@@ -114,7 +114,7 @@
 attributetype
( 1.3.6.1.4.1.3317.4.3.1.11
   NAME 'radiusFramedAppleTalkNetwork'
-  DESC ''
+  DESC 'replyItem: Framed-AppleTalk-Network'
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
@@ -122,7 +122,7 @@
 attributetype
( 1.3.6.1.4.1.3317.4.3.1.12
   NAME 'radiusFramedAppleTalkZone'
-  DESC ''
+  DESC 'replyItem: Framed-AppleTalk-Zone'
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE
@@ -131,7 +131,7 @@
 attributetype
( 1.3.6.1.4.1.3317.4.3.1.13
   NAME 'radiusFramedCompression'
-  DESC ''
+  DESC 'replyItem: Framed-Compression'
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
@@ -139,7 +139,7 @@
 attributetype
( 1.3.6.1.4.1.3317.4.3.1.14
   NAME 'radiusFramedIPAddress'
-  DESC ''
+  DESC 'replyItem: Framed-IP-Address'
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE
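Review bot: with the DESC now declaring radiusFramedIPAddress a reply item (Framed-IP-Address), whatever is stored in the directory is handed straight back to the NAS, while the unchanged SYNTAX line keeps the value a free-form IA5 string with no address validation; write access to this attribute therefore controls the address the NAS assigns and should be restricted in the directory ACLs, and the same applies to radiusFramedIPNetmask and radiusFilterId in the neighbouring hunks. Worth stating in the description, or in the convention comment at the top of the schema.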
@@ -148,7 +148,7 @@
 attributetype
( 1.3.6.1.4.1.3317.4.3.1.15
   NAME 'radiusFramedIPNetmask'
-  DESC ''
+  DESC 'replyItem: Framed-IP-Netmask'
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE
@@ -157,7 +157,7
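A small parser for the 'checkItem:'/'replyItem:' DESC convention the patch above introduces, turning each attributetype into the lead text a form would show; this is an added example, not part of the original post or of FreeRADIUS, written in Python rather than the PHP of phpQLAdmin. The sample schema text is constructed (EQUALITY/SYNTAX lines dropped) and the third OID is a placeholder, not taken from the page.

```python
import re
# Constructed sample in the style of the patched openldap.schema, with the
# EQUALITY/SYNTAX lines dropped; the third OID is a placeholder, not from the page.
SAMPLE_SCHEMA = """
attributetype
( 1.3.6.1.4.1.3317.4.3.1.44
  NAME 'radiusAuthType'
  DESC 'checkItem: Auth-Type'
  SINGLE-VALUE
)
attributetype
( 1.3.6.1.4.1.3317.4.3.1.8
  NAME 'radiusClass'
  DESC 'replyItem: Class'
)
attributetype
( 1.0.0.0.0.0.0.0
  NAME 'radiusRealm'
  DESC ''
  SINGLE-VALUE
)
"""

# How each DESC prefix is explained to the person filling in the form.
KIND_TEXT = {"checkItem": "check item: consulted while authorizing the request",
             "replyItem": "reply item: added to the reply sent to the NAS"}

def parse_schema(text):
    """One dict per attributetype: oid, name, kind, radius_attr, single_value."""
    attrs = []
    for chunk in re.split(r"^\s*attributetype\b", text, flags=re.M)[1:]:
        body = chunk[chunk.index("(") + 1:chunk.rindex(")")]  # text inside the parens
        desc = re.search(r"DESC\s+'([^']*)'", body)
        kind, sep, rest = (desc.group(1) if desc else "").partition(":")
        attrs.append({
            "oid": body.split()[0],
            "name": re.search(r"NAME\s+'([^']*)'", body).group(1),
            "kind": kind.strip() if sep else None,         # checkItem / replyItem
            "radius_attr": rest.strip() if sep else None,  # e.g. Auth-Type
            "single_value": re.search(r"\bSINGLE-VALUE\b", body) is not None})
    return attrs

def form_lead_text(attr):  # lead text for the GUI field, derived from the DESC convention
    if attr["kind"] not in KIND_TEXT:
        return f"{attr['name']} (no RADIUS mapping documented)"
    text = f"{attr['radius_attr']} ({KIND_TEXT[attr['kind']]}"
    return text + ("; single value)" if attr["single_value"] else ")")

def undocumented(attrs):  # attributes whose DESC carries no checkItem/replyItem mapping
    return [a["name"] for a in attrs if a["kind"] not in KIND_TEXT]
```

Running undocumented() over the real schema gives the same kind of list of unmapped attributes as the one in the post above, so the GUI can flag them instead of showing an empty caption.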

RADIUS-LDAPv3.schema attribute description(s)

2007-09-13 Thread Turbo Fredriksson
Is there any documentation of the attributes in the LDAP
schema?

I'm trying to write a GUI manager for RADIUS (actually a
'plugin' to my http://phpQLAdmin.com) but I don't know
how to write the lead text to the form...


I took a look at the schema in 1.1.7, but that doesn't
have any comments or DESC fields either...

-- 
Why can't programmers tell the difference between
halloween and christmas day? Because 25 DEC = 31 OCT.


Re: Freeradius+Active directory - router login authentciation

2007-09-12 Thread Turbo Fredriksson
Quoting Rakesh Jha [EMAIL PROTECTED]:

 Using ntlm_auth I can test user authentication.

Are you saying that ntlm_auth tests work?

 When I do following - 

 radtest ActDirectUser ActDirectUserPassword 127.0.0.1 1812 testing123

As said before, output from 'freeradius -X' is necessary for
anyone to help...

   freeradius -X 2>&1 | tee /tmp/freeradius.log

Then look in the file /tmp/freeradius.log for something that
doesn't seem right (try figuring it out for yourself first before
asking for help - you will earn more respect/help that way).


Re: How to get a Radius Client for Radius Server in Red Hat Enterprise Linux ES 3

2007-09-12 Thread Turbo Fredriksson
Quoting [EMAIL PROTECTED] [EMAIL PROTECTED]:

 Can anyone please tell me where I can get a radius client for a radius server
 suitable for Red Hat Enterprise Linux ES 3.

Try searching for one at http://freshmeat.net/. Looking there myself shows
12 projects (at least two of them are clients).

 Also please tell me how to install and configure the radius client...

That's usually available on the application's web site.

-- 
Why can't programmers tell the difference between
halloween and christmas day? Because 25 DEC = 31 OCT.


Re: Freeradius+Active directory - router login authentciation

2007-09-10 Thread Turbo Fredriksson
Quoting Rakesh Jha [EMAIL PROTECTED]:

I'm far from an expert in FreeRADIUS (so take what I say with a
grain of salt), but I instantly noticed this.

  tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
  tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
  tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
  tls: check_cert_cn = (null)
  tls: cipher_list = (null)
  tls: check_cert_issuer = (null)
 rlm_eap_tls: Loading the certificate file as a chain
 rlm_eap_tls: Unable to open DH file - (null)
 rlm_eap: Failed to initialize type tls

It can't open the 'DH file' (I don't quite know which one that is),
but I would assume that it's some (or maybe all?) of the first
three files. Do they exist? Does the freeradius daemon have the
right to _read_ those files (are you running the daemon under some
user _not_ root)? I run (default in Debian GNU/Linux) the daemon
under the 'freerad' user, so this user must be able to read the
files mentioned (AND have the right to access all directory paths
before it).

Also, the 'check_cert_cn' is empty. If you don't use it, uncomment
it in the config file. Probably goes for the options 'check_cert_cn'
and 'check_cert_issuer' too.

I DO use them, and my eap.conf file looks like this:

- s n i p -
celia:~# egrep 'check_cert_issuer|check_cert_cn|cipher_list' /etc/freeradius/eap.conf
check_cert_issuer = see below
check_cert_cn = %{User-Name}
cipher_list = DEFAULT
- s n i p -

The 'check_cert_issuer' value is a little personal (something
I wouldn't want to post to the 'Net) but is the value
found in the 'subject' line when running the command:

  openssl x509 -subject -noout -in cacert

- s n i p -
celia:~# openssl x509 -subject -noout -in /etc/ssl/CA/cacert.pem
subject= secret
- s n i p -

 radiusd.conf[10]: eap: Module instantiation failed.
 radiusd.conf[1962] Unknown module eap.
 radiusd.conf[1909] Failed to parse authenticate section.

These will probably go away once you have fixed the tls parts
above...

 As you have written 'as are most helpful pages not on freeradius.org',
 can you please suggest some links which guide correctly to configure
 radius, openssl and active directory.

I think Alan is a little 'judgmental' (wrong choice, but I
can't quite get the exact translation of what I meant) if here.
I would be too if (since!) people don't think for themselves and
only follow external 'documentation' by the letter without
trying to actually understand what it means...

Following ANY documentation requires UNDERSTANDING! Not HOW,
but WHY ('... a certain option is used with a special value').

DISCLAIMER (before Alan slaps me :): I'm in no way better
   my self - I'm lousy in reading documentation.
   I only read a little here and a little there,
   but I (almost) always understand the parts that
   I DO read :)


Re: 13 LDAP queries for one authorize!

2007-08-25 Thread Turbo Fredriksson
Quoting Phil Mayers [EMAIL PROTECTED]:

  2) INNER Auth part ensures that the ldap module is only called for the
  INNER part of the check...not for everything else. also very very useful
  as it stops outer ID junk and debris from being checked.
 
 What IS 'the INNER part' (may depend on the answer on my first question
 above) as opposed to 'the outer'? In context I get the general idea, but
 the actual definition on INNER and OUTER?

 You're getting hung up on the specifics, which is probably my fault for
 giving minimal info; Autz-Type is a general mechanism. Please see
 doc/Autz-Type for more info.

I'm only slightly wiser from reading that... Shouldn't 'eap' and 'mschap'
be in this Autz-Type too then?

- s n i p 
authorize {
        preprocess
        auth_log
        chap
        mschap
        digest
        IPASS
        suffix
        realmpercent
        ntdomain
        eap
        files
        Autz-Type INNER {
                ldap
        }
}
- s n i p 


What I don't understand is why everything is done so many times! The
'authorize' section is done a whole bunch of times, just to authenticate
ONE user [request].
If I have understood the Autz-Type file correctly (which I'm quite sure
I haven't), I'd put the whole 'authorize' section in an 'Autz-Type' section!
But that can't be right...


Re: 13 LDAP queries for one authorize!

2007-08-24 Thread Turbo Fredriksson
Quoting Phil Mayers [EMAIL PROTECTED]:

 DEFAULT   FreeRadius-Proxied-To == 127.0.0.1, Autz-Type := INNER

 1) proxy part makes sure that only INNER is called when its proxied to
 127.0.0.1

Ok, I think I got this. Does it matter WHERE in the file this DEFAULT is?
And is the keyword 'INNER' important? I.e. can it be any word, or must it
be just 'INNER' (uppercased and all)?

 2) INNER Auth part ensures that the ldap module is only called for the
 INNER part of the check...not for everything else. also very very useful
 as it stops outer ID junk and debris from being checked.

What IS 'the INNER part' (may depend on the answer on my first question
above) as opposed to 'the outer'? In context I get the general idea, but
the actual definition on INNER and OUTER?


13 LDAP queries for one authorize!

2007-08-23 Thread Turbo Fredriksson
I'm working on fine tuning my radiusd.conf file, and found that
I get 13 authorize requests to the LDAP server for one XXX (client,
request, logon?!).

I have 802.1x (RADIUS) enabled on my WiFi router, and when requesting
a network on my client, there are 13 authorize requests... Using multilog,
which logs exactly when every line is done, all 13 requests are done during
the same second, but it still seems to be 13 requests... ?

The thing that strikes me is that first it returns 'notfound' then on the
line below it returns 'updated'...

Including my radiusd.conf, the 'users' file (stripped of comments and
no sensitive info) (192.168.1.254 is the WiFi Router).

Also, in the ldap filter, I have '(!(accountStatus=disabled))' which doesn't
seem to work as expected... I DO get a failure in the authorization section,
but the EAP is still done (and succeeds, hence no failures):

Logfile 1 is without the 'accountStatus' attribute, and logfile 2 is with
the account disabled... In the disabled state, I get 'only' 12 authorize
requests for some reason... ?


On the other hand, looking closer at the output of grep '^  modcall' on the
log shows that there are NINE requests... ? And that it's enough if ONE
authorization module succeeds for the authorization to be OK... ?


Attachments too big, so the files in question are now on
http://bayour.com/problems/freeradius/.


Re: 13 LDAP queries for one authorize!

2007-08-23 Thread Turbo Fredriksson
Quoting Phil Mayers [EMAIL PROTECTED]:

 On Wed, 2007-08-22 at 19:29 +0200, Turbo Fredriksson wrote:
 I'm working on fine tuning my radiusd.conf file, and found that
 I get 13 authorize request to the LDAP server for one XXX (client,
 request, logon?!).

 You can reduce this somewhat by doing this:

 authorize {
   preprocess
   eap
   files
   Autz-Type INNER {
 ldap
   }
 }

 ...then in /etc/raddb/users:

 DEFAULT   FreeRadius-Proxied-To == 127.0.0.1, Autz-Type := INNER

 ...which will only run the LDAP auth for the EAP inner request. You'll
 still see two queries though for PEAP/MSCHAP

I see. I'll try that as soon as my girlfriend leaves again, I can only
fiddle with the WiFi router when she's not home :)


In the mean time, what does all this do, and why didn't mine work? Will
this also solve my problem with the ldap query?


Re: how to use LDAP for authorization and authentication while using EAPmethod!!!!!!

2007-08-03 Thread Turbo Fredriksson
   [EMAIL PROTECTED] writes:

 If I understand you well, passwords in LDAP are encrypted, so
 PEAP won't work. And you want to keep them that way. Your only
 option is to use SecureW2 and EAP-TTLS-PAP.

Or do as I managed to get it working yesterday - put a Samba server
in between.

   RADIUS - Samba - LDAP

This means that RADIUS uses LDAP directly for _authorization_, but
MSCHAP (ntlm_auth from samba) for _authentication_. Works great now
that I managed to get Samba configured correctly (had some instability
problems).

 On 2/8/2007, shantanu choudhary [EMAIL PROTECTED]
 writes:

 Hello all, I have an LDAP server installed, I am using it to cross
 check the user-name and password provided by the client!! 
