Several login-service attribute in reply message

2007-08-31 Thread nicolaskarp
Hello Everybody,


I just want to put several login-service in an access-accept packet. If I try
this in the users file:

login_user  Auth-Type := Local, User-Password == pass_user
   login-service = 50,
   login-service = telnet,
   Fall-Through = no

It sends an access-accept with only one attribute: login-service = telnet

But if I put this in the attrs file with the rlm_filter module:
DEFAULT
login-service := telnet,
login-service := 50

It works very well !

Sending Access-Accept of id 26 to IP_NAS port 5001
Login-Service := Telnet
Login-Service := 50


How can I do this with the users file?



Thanks for your help !!



Nicolas.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dictionary for Huawei

2007-08-17 Thread nicolaskarp
I have this :

#
#  dictionary.erx
#
#   Unisphere's broadband RAS
#   From Terje Krogdahl [EMAIL PROTECTED]
#
# Version:  $Id: dictionary.erx,v 1.1 2001/04/27 15:16:35 aland Exp $
#

VENDOR      HUAWEI  2011

ATTRIBUTE   hw_Input_Peak_Rate             1    integer   HUAWEI
ATTRIBUTE   hw_Input_Average_Rate          2    integer   HUAWEI
ATTRIBUTE   hw_Input_Basic_Rate            3    integer   HUAWEI
ATTRIBUTE   hw_Output_Peak_Rate            4    integer   HUAWEI
ATTRIBUTE   hw_Output_Average_Rate         5    integer   HUAWEI
ATTRIBUTE   hw_Output_Basic_Rate           6    integer   HUAWEI

ATTRIBUTE   hw_In_KB_Before_T_Switch       7    integer   HUAWEI
ATTRIBUTE   hw_Out_KB_Before_T_Switch      8    integer   HUAWEI
ATTRIBUTE   hw_In_Pkt_Before_T_Switch      9    integer   HUAWEI
ATTRIBUTE   hw_Out_Pkt_Before_T_Switch     10   integer   HUAWEI
ATTRIBUTE   hw_In_KB_After_T_Switch        11   integer   HUAWEI
ATTRIBUTE   hw_Out_KB_After_T_Switch       12   integer   HUAWEI
ATTRIBUTE   hw_In_Pkt_After_T_Switch       13   integer   HUAWEI
ATTRIBUTE   hw_Out_Pkt_After_T_Switch      14   integer   HUAWEI

ATTRIBUTE   hw_Remanent_Volume             15   integer   HUAWEI
ATTRIBUTE   hw_Tariff_Switch_Interval      16   integer   HUAWEI
ATTRIBUTE   hw_ISP_ID                      17   string    HUAWEI
ATTRIBUTE   hw_Max_Users_Per_Logic_port    19   integer   HUAWEI
ATTRIBUTE   hw_Command                     20   integer   HUAWEI
ATTRIBUTE   hw_Priority                    22   integer   HUAWEI
ATTRIBUTE   hw_Control_Identifier          24   integer   HUAWEI
ATTRIBUTE   hw_Connect_ID                  26   integer   HUAWEI
ATTRIBUTE   hw_PortalURL                   27   string    HUAWEI
ATTRIBUTE   hw_Ftp_Directory               28   string    HUAWEI
ATTRIBUTE   hw_Exec_Privilege              29   integer   HUAWEI
ATTRIBUTE   hw_Group_IP_Address            30   integer   HUAWEI
ATTRIBUTE   hw_Group_IP_Mask               31   integer   HUAWEI
ATTRIBUTE   hw_Acct_Destnation_IP_Addr     39   string    HUAWEI
ATTRIBUTE   hw_Destnation_Volume           40   string    HUAWEI

ATTRIBUTE   hw_Nas_Startup_Timetamp        59   integer   HUAWEI
ATTRIBUTE   hw_IP_Host_Addr                60   string    HUAWEI
ATTRIBUTE   hw_User_Notify                 61   string    HUAWEI

ATTRIBUTE   hw_Multicast_Source_Group      97   string    HUAWEI
ATTRIBUTE   hw_Multicast_Recieve_Group     98   integer   HUAWEI
ATTRIBUTE   hw_User_Multicast_Type         99   integer   HUAWEI


ATTRIBUTE   HW_SEVICE_CHG_CMD              105  integer   HUAWEI
ATTRIBUTE   HW_ACCT_PACKET_TYPE            106  integer   HUAWEI
ATTRIBUTE   HW_CALL_REFERENCE              107  integer   HUAWEI
ATTRIBUTE   HW_PSTN_PORT                   108  integer   HUAWEI
ATTRIBUTE   HW_VOIP_SERVICE_TYPE           109  integer   HUAWEI
ATTRIBUTE   HW_ACCT_CONNECTION_TIME        110  integer   HUAWEI
ATTRIBUTE   HW_ERROR_REASON                112  integer   HUAWEI
ATTRIBUTE   HW_REMAIN_MONEY                113  integer   HUAWEI
ATTRIBUTE   HW_REMAIN_TIME                 128  integer   HUAWEI
ATTRIBUTE   HW_ORG_GK_ADDRESS              123  integer   HUAWEI
ATTRIBUTE   HW_ORG_GW_ADDRESS              124  integer   HUAWEI
ATTRIBUTE   HW_DST_GK_ADDRESS              125  integer   HUAWEI
ATTRIBUTE   HW_DST_GW_ADDRESS              126  integer   HUAWEI
ATTRIBUTE   HW_ACCESS_NUM                  127  string    HUAWEI
ATTRIBUTE   HW_CODEC_TYPE                  131  integer   HUAWEI
ATTRIBUTE   HW_TRANSFER_NUM                132  string    HUAWEI
ATTRIBUTE   HW_NEW_USER_NAME               133  string    HUAWEI
ATTRIBUTE   HW_ONLY_ACCOUNT_TYPE           137  integer   HUAWEI
ATTRIBUTE   HW_DOMAIN_NAME                 138  string    HUAWEI

ATTRIBUTE   hw_Version                     254  string    HUAWEI
ATTRIBUTE   hw_Product_ID                  255  string    HUAWEI


It reveals some differences.

Quoting Pshem Kowalczyk [EMAIL PROTECTED]:

 Hi,

 I've noticed that there is no dictionary for Huawei in the source. Can
 you please add this one:

 #
 # dictionary.huawei
 #
 VENDOR      Huawei  2011
 #
 #   Huawei Attributes

 ATTRIBUTE   Huawei-Input-ATTRIB_UNUSED      1   integer Huawei
 ATTRIBUTE   Huawei-Input-Average-Rate       2   integer Huawei
 ATTRIBUTE   Huawei-Input-Peak-Rate          3   integer Huawei
 ATTRIBUTE   Huawei-Output-ATTRIB_UNUSED     4   integer Huawei
 ATTRIBUTE   Huawei-Output-Average-Rate      5   integer Huawei
 ATTRIBUTE   Huawei-Output-Peak-Rate         6   integer Huawei
 ATTRIBUTE   Huawei-In-Kb-Before-T-Switch    7   integer Huawei
 ATTRIBUTE   Huawei-Out-Kb-Before-T-Switch   8   integer Huawei
 ATTRIBUTE   Huawei-In-Pkt-Before-T-Switch   9   integer Huawei
 ATTRIBUTE   

Different Authentication for several devices (several Nas-Ip-Address)

2007-07-23 Thread nicolaskarp
Hello,

Thank you for your help but I don't understand how you can make it.

Here is the configuration that I tried:

# Replace the NAS-IP-Address with Proxy-IP
attr_rewrite overwrite_nasip {
    attribute = NAS-IP-Address
    searchfor = .*
    packet = packet
    replacewith = 10.28.65.130
    max_matches = 1
}

# Dev Eqpt : 192.168.48.0/24
attr_rewrite dev_equipment {
    attribute = Calling-Station-Id
    searchfor = .*
    packet = packet
    replacewith = Dev  -- Replace String Dev for all Eqpts but not for 192.168.48.0/24!!
    max_matches = 1
}

preproxy {
  files
  overwrite_nasip
  dev_equipment
}

Here is what I want:

1.

If [ NAS-IP-Address =~ 192.168.48.* ]
  Calling-Station-Id = Dev
else
   if [ NAS-IP-Address =~ 192.168.49.* ]
   Calling-station-id = Prod
   else
   Calling-station-id = Any
   fi
fi

2.
the proxy forwards the access-request to the radius server

3.
The radius server receives the access-request
   If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id == Dev ]
 instance_openldap-Ldap-Group == CiscoDev
   else
  If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id = Prod ]
 instance_openldap-Ldap-Group == CiscoProd
  else
 instance_openldap-Ldap-Group == CiscoOthers
  fi
   fi

Thank you for your assistance

Nicolas.








Re: Different Authentication for several devices (several Nas-Ip-Address)

2007-07-23 Thread nicolaskarp
Re-Hello ;-)

I searched for how I can do this but I didn't find it...

I want to do this :

If NAS-IP-Address == 192.168.48.0/24 -- Rewrite Calling-station-id to Dev
else
  If NAS-IP-Address == 192.168.48.0/24 -- Rewrite Calling-station-id to Prod
  else
Do nothing.
  fi
fi

I don't know how to check the NAS-IP-ADDRESS attribute and rewrite another
attribute (Calling-Station-ID).

Thank you for your help !!

NicolaS.



Re: Different Authentication for several devices (several Nas-Ip-Address)

2007-07-23 Thread nicolaskarp
Called-Station-Id isn't equal to Nas-Ip-Address; it is equal to the PC where I
initiate the telnet connection.

It's not equal to my Nas-Ip :(

So, I would change the called-station-id to Nas-Ip-Address and Nas-Ip-Address to
proxy address.

Any idea?


Quoting [EMAIL PROTECTED]:

 OK. If your devices put their IP addresses in the Called-Station-Id field
 there is no need to do rewrites. You can use regexp operators to
 control access as the Called-Station-Id attribute is a string.

 NAS1   NAS-IP-Address == proxyIP, Called-Station-Id =~ ^192.168.48.
        Dev group(s) in reply

 NAS2   NAS-IP-Address == proxyIP, Called-Station-Id =~ ^192.168.49.
        Prod group(s) in reply

 Ivan Kalik
 Kalik Informatika ISP


 You can leave out this proxy IP check if all traffic comes over the
 proxy. You might need to escape periods in regexp.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
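
An added example, not code from the posters or from FreeRADIUS: the effect of the quoted hint "You might need to escape periods in regexp", comparing prefix regexps on the address string with real CIDR membership for the networks named in this thread. Python's re module stands in for the server's regexp matching, the sample values are constructed, and returning None for a string that is not an address is a choice of this example.

```python
"""Prefix regexps on an address string versus CIDR membership."""
import ipaddress
import re

# (network, group, regexp written without escaping the periods).
# Networks and group names are the ones used in this thread; the regexps
# follow the shape of the quoted "=~ ^192.168.48." check items.
POLICY = [
    ("192.168.48.0/24", "CiscoDev", r"^192.168.48."),
    ("192.168.49.0/24", "CiscoProd", r"^192.168.49."),
    ("10.0.0.0/8", "Users1", r"^10."),
]
DEFAULT_GROUP = "CiscoOthers"

# Constructed sample values for the attribute being matched.
SAMPLES = [
    "192.168.48.7", "192.168.49.200", "10.20.30.40", "172.16.0.1",
    "100.64.0.9",      # outside 10.0.0.0/8, but "^10." matches "100"
    "109.1.1.1",       # same problem
    "192.168.480.1",   # not an address; "." matches the "0"
    "192.168.48.999",  # not an address; any prefix regexp accepts it
]


def group_by_regex(value: str, escape: bool = False) -> str:
    """First matching regexp wins, as in a top-down users file."""
    for _net, group, pattern in POLICY:
        if escape:
            pattern = pattern.replace(".", r"\.")  # literal periods
        if re.search(pattern, value):
            return group
    return DEFAULT_GROUP


def group_by_cidr(value: str) -> "str | None":
    """Parse the value as an IP address first, then test network membership."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None  # not an address at all: no group (assumption of this example)
    for net, group, _pattern in POLICY:
        if addr in ipaddress.ip_network(net):
            return group
    return DEFAULT_GROUP


def disagreements(samples, escape: bool = False):
    """Values for which the regexp decision differs from the CIDR decision."""
    return [v for v in samples if group_by_regex(v, escape) != group_by_cidr(v)]


if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v:16} unescaped={group_by_regex(v):11} "
              f"escaped={group_by_regex(v, True):11} cidr={group_by_cidr(v)}")
```

Escaping the periods removes the over-match on 100.x and 109.x, but a prefix regexp still accepts strings that are not addresses, so the attribute has to come from a trusted hop for the check to mean anything.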


Re: Different Authentication for several devices (several Nas-Ip-Address)

2007-07-23 Thread nicolaskarp

Moreover, I use a proxy because in the huntgroup file I can't use a CIDR
network, just a host IP.



Quoting [EMAIL PROTECTED]:

 OK. If your devices put their IP addresses in the Called-Station-Id field
 there is no need to do rewrites. You can use regexp operators to
 control access as the Called-Station-Id attribute is a string.

 NAS1   NAS-IP-Address == proxyIP, Called-Station-Id =~ ^192.168.48.
        Dev group(s) in reply

 NAS2   NAS-IP-Address == proxyIP, Called-Station-Id =~ ^192.168.49.
        Prod group(s) in reply

 Ivan Kalik
 Kalik Informatika ISP


 You can leave out this proxy IP check if all traffic comes over the
 proxy. You might need to escape periods in regexp.



Re: Accept authentication from a list of equipments

2007-07-21 Thread nicolaskarp


Yes I know but how ? It's not a simple equipment, it's a network

192.168.0.0 / 24 : Users1
192.168.1.0 / 24 : Users2
10.0.0.0 / 8 : Users1
.. (and other networks : 1800 equipments)

If I do this with the huntgroup file, I will type:

#NAS1 Equipment (Ldap Group :  Dev-Equipment)
NAS1 NAS-IP-ADDRESS = 192.168.0.1
NAS1 NAS-IP-ADDRESS = 192.168.0.2
NAS1 NAS-IP-ADDRESS = 192.168.0.3
NAS1 NAS-IP-ADDRESS = 192.168.0.4
...
...
NAS1 NAS-IP-ADDRESS = 192.168.0.254

#NAS2 Equipment ( Ldap Group : Prod-Equipment)
NAS2 NAS-IP-ADDRESS = 192.168.1.1
NAS2 NAS-IP-ADDRESS = 192.168.1.2
...
...
NAS1 NAS-IP-ADDRESS = 192.168.1.254
etc..

I can't type :
NAS2 NAS-IP-ADDRESS = 192.168.1.0/24 ?


So how can I differentiate between the devices (== authentication with
another Ldap Group)?


Thanks

Nicolas.

[EMAIL PROTECTED] wrote:
 Try Called-Station-Id.

 Ivan Kalik
 Kalik Informatika ISP




Accept authentication from a list of equipments

2007-07-20 Thread nicolaskarp
Hello Everybody,


We have several network equipments with radius authentication. We want to limit
the access to several administrators. We use a radius-proxy and a radius server
with a LDAP base.


For example :


We have two NAS : NAS1 and NAS2
Two groups of users, USERS1 and USERS2, in the LDAP base. USERS1 can access
NAS1 and USER2 can access NAS2.


Proxy configuration :

** clients.conf **

NAS1 {
 hostname = NAS1
 secret =  NAS1_SECRET
}

NAS2 {
  hostname = NAS2
  secret = NAS2_SECRET
}

** proxy.conf **

realm null {
  type = radius
  authhost = radius_server
  accthost = radius_server
  secret = RADIUS_SECRET
}


Radius_configuration :

** HUNTGROUP **

cisco NAS-IP-ADDRESS = IP_PROXY

** USERS **

DEFAULT Huntgroup-Name == cisco, instance_openldap-Ldap-Group == ??? USERS1 or USER2 ???
# It's USERS1 for NAS1 and USER2 for NAS2, but the proxy rewrites the
NAS_IP_Address with its address :( I can't differentiate the NAS_IP because it's
the PROXY IP.


How can I differentiate these equipments? For information, my equipments
are Cisco equipment.


Thanks for your assistance !

Nicolas.


FreeRadius and User-Password from Cisco Device

2007-07-16 Thread nicolaskarp
Hello,

Here is an access-request packet from a Cisco Router (2621):
NAS-IP-Address = IP_NAS
NAS-Port = 66
NAS-Port-Type = Virtual
User-Name = MyUserLogin
Calling-Station-Id = IP NAS
User-Password = ry\My\Pass/Wo\rd\Hash\Not\Plain\Text`

Why is my password not in plain text? With other Cisco devices (Switch 2960 for
example), the User-Password is in plain text. If I receive a hashed password,
the authentication doesn't work.


My AAA configuration :
   aaa new-model
   aaa authentication login default group radius line
   aaa authentication login console line
   aaa authorization exec default group radius none
   aaa authorization network default group radius
   aaa accounting exec default start-stop group radius
   aaa accounting connection default start-stop group radius

What can I do ?

Thanks for your help !

Nicos.








Re: FreeRadius and User-Password from Cisco Device

2007-07-16 Thread nicolaskarp
The shared secret is the same because I use a radius proxy and this proxy
forwards the access-request to my radius server. The problem is the password!
With a password in plain text (checked with H3C 2811 and Cisco 2960 equipment).

Thanks for your help !

Nicolas.


Quoting Stefan Winter [EMAIL PROTECTED]:

  User-Password = ry\My\Pass/Wo\rd\Hash\Not\Plain\Text`
 
  Why is my password not in plain text ? With other cisco devices (Switch
  2960 for example), the User-Password is in plain text.. If I receive a
  hashed password, the authentication doesn't work..

 Are you sure it's hashed, and not just garbled? First guess is: check the
 shared secret on the Cisco device and the server.

 Stefan

 --
 Stefan WINTER

 Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
 la Recherche
 Ingenieur Forschung  Entwicklung

 6, rue Richard Coudenhove-Kalergi
 L-1359 Luxembourg
 E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
 http://www.restena.lu          Fax:  +352 422473





Re: FreeRadius and User-Password from Cisco Device

2007-07-16 Thread nicolaskarp
Here is my radius configuration:

radius-server host RADIUS_IP auth-port 1812 acct-port 1813 key 7 RADUIUS_KEY
radius-server retransmit 1
radius-server timeout 2


Thanks !


Quoting Stefan Winter [EMAIL PROTECTED]:

 Hm, this means the NAS actually sent this garbage/hash. In this case, it would
 be enlightening to see the lines in your IOS config that start with

 radius-server

 not the aaa ones.

 Stefan



Re: FreeRadius and User-Password from Cisco Device

2007-07-16 Thread nicolaskarp

:) No because with other devices, the proxy works fine !!

I don't understand why it doesn't work :(


Quoting Peter Nixon [EMAIL PROTECTED]:

 On Mon 16 Jul 2007, [EMAIL PROTECTED] wrote:
  The shared secret is the same because I use a radius Proxy and this proxy
  forwards the access-request to my radius server. The problem is the
  password ! With a password in plain text (Check with H3C 2811 and Cisco
  2960 equipment).

 Then you have the shared secret wrong between your proxy and your radius
 server.

 --

 Peter Nixon
 http://peternixon.net/


Re: FreeRadius and User-Password from Cisco Device

2007-07-16 Thread nicolaskarp
I'm so sorry! The problem was the secret between the proxy and the Cisco device.

Even if the secret is different, the access-request is forwarded to the radius
server. I didn't know that :(

Thank you very much!!!

Nicolas.

Quoting [EMAIL PROTECTED]:

 Check the secret in clients.conf on the proxy and the Cisco device radius
 key. They are not the same then.

 Ivan Kalik
 Kalik Informatika ISP


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
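
The failure this thread ends on, as an added example that is not code from the posters or from FreeRADIUS: User-Password hiding as defined in RFC 2865 section 5.2, and what the home server decodes when the key on the NAS differs from the secret in the proxy's clients.conf. The function names, the authenticator bytes and the NAS1_SECRET_typo key are constructed for the illustration.

```python
"""RADIUS User-Password hiding (RFC 2865, section 5.2) across a proxy hop."""
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Sender side: pad with NULs to 16-byte blocks, XOR with an MD5 keystream."""
    if len(authenticator) != 16 or len(password) > 128:
        raise ValueError("need a 16-byte authenticator and a password of <= 128 bytes")
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        # First block uses MD5(secret + Request Authenticator); every later
        # block chains on the previous hidden block instead.
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Receiver side: rebuild the same keystream, then strip the NUL padding."""
    if len(authenticator) != 16 or not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("malformed User-Password or authenticator")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


# Constructed sample values (not taken from the thread).
NAS_AUTHENTICATOR = bytes(range(16))        # Request Authenticator sent by the NAS
PROXY_AUTHENTICATOR = bytes(range(16, 32))  # new one used on the proxied request
PROXY_TO_SERVER_SECRET = b"RADIUS_SECRET"   # agreed correctly on both ends


def seen_by_home_server(password: bytes, nas_key: bytes, proxy_client_secret: bytes) -> bytes:
    """Model NAS -> proxy -> home server; return what the server decodes."""
    hop1 = hide_password(password, nas_key, NAS_AUTHENTICATOR)
    # The proxy decodes with the secret from its clients.conf entry. Without a
    # Message-Authenticator attribute nothing in the Access-Request reveals a
    # wrong key, so whatever comes out is re-hidden and forwarded.
    at_proxy = recover_password(hop1, proxy_client_secret, NAS_AUTHENTICATOR)
    hop2 = hide_password(at_proxy, PROXY_TO_SERVER_SECRET, PROXY_AUTHENTICATOR)
    return recover_password(hop2, PROXY_TO_SERVER_SECRET, PROXY_AUTHENTICATOR)


if __name__ == "__main__":
    print("matching key  :", seen_by_home_server(b"MyPassword", b"NAS1_SECRET", b"NAS1_SECRET"))
    print("mismatched key:", seen_by_home_server(b"MyPassword", b"NAS1_SECRET_typo", b"NAS1_SECRET"))
```

The second line printed is the kind of value that shows up in the server's debug output as a garbled User-Password: the proxy-to-server secret is correct, and the damage was done one hop earlier.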


Access-Accept Packet and Attribute 29

2007-05-09 Thread nicolaskarp
Hello Everybody,

I must use the attribute : 29 : Termination-Action with an access-accept
packet. How could I do this ? My Huawei device uses this attribute to allow a
user to manage the switch with a specific level.

Thank you for your assistance !


Best regards,

Nicolas.