Multiple Realms

2012-05-22 Thread Shawky Skaff
Hi,

I have spent some time reading and trying to configure multiple realms to no 
avail.

Basically I currently have one active realm and need to have another realm 
configured onto the same radius box. For example dsl.example.com.au is one and 
voice.example.com.au is the second.

How can I configure the second? I know it's somewhat to do with proxy.conf 
file, but not sure how or where to do this.

Thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Multiple realms

2004-02-23 Thread Anson Rinesmith
I have a freeradius server accepting proxy requests for
multiple Called-Station-Id's.

I would like the SQL database field "realm" to
properly reflect what realm it is actually proxying for.

The problem is that if I put Called-Station-Id in the users
file and put the realm information in proxy.conf, I get an infinite loop.

Snippets -

users:

DEFAULT Called-Station-Id == "2345678901",
Proxy-To-Realm := "isp1.net"

DEFAULT Called-Station-Id == "9991114321",
Proxy-To-Realm := "isp2.net"

DEFAULT Called-Station-Id == "5554441234",
Proxy-To-Realm := "isp2.net"

proxy.conf:

realm isp1.net {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

realm isp2.net {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

If I take this information out of users and proxy.conf, they
authenticate but DEFAULT gets put into the DB.

Any thoughts? Am I doing something wrong, or is this just
something I'll have to live with?

Anson Rinesmith

Trying multiple realms

2011-07-26 Thread Charles Plater
Is there any way to try multiple realms inside an update control statement? 
What I want to do is try proxying to one realm, and if that fails trying the 
credentials via the local realm. Thanks in advance.

-- 
Charles Plater
Lead Application Technical Analyst
Internet Services
+1-313-577-4620
ab3...@wayne.edu


Re: Multiple Realms

2012-05-23 Thread Alan DeKok
Shawky Skaff wrote:
> Basically I currently have one active realm and need to have another
> realm configured onto the same radius box. For example
> dsl.example.com.au is one and voice.example.com.au is the second.

  You need to configure two realms.

> How can I configure the second? I know it’s somewhat to do with
> proxy.conf file, but not sure how or where to do this.

  You create another "realm" block, using the name of the second realm.
 It shouldn't be hard.

realm foo {
...
}

realm bar {
...
}

  Alan DeKok.

Adding multiple realms

2005-12-27 Thread JD
Hello everyone!  I am a serious newbie and I apologize for my poor netiquette.
I am such a newbie that I cannot tell you what version of free radius that I
am running for I know not where to look.

It is running on red hat 9 box with mysql.

Currently we resell dial-up access; we have to provide the provider with a
"realm".  We currently have only one realm but we need 2.  I do not want to
keep the users separate; in other words I want the users that are in there
now to be able to use both realms with their user name; i.e.
[EMAIL PROTECTED] and [EMAIL PROTECTED] only one entry for both realms in
the dialup admin.  I also already have all the IPs entered for the access
provider as they were left over from the initial configuration. 

So far I have checked in radius.conf:

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

Proxy.conf has:

###
#
#  Configuration for the proxy realms.
#
#  The information given here is used in conjunction with the 'realms'
#  file.  This format is preferred, as it is more flexible.  The realms
#  listed here take priority over those listed in the 'realms' file.
#
#this one works
realm oldrealm.com {  
type= radius
authhost= LOCAL
accthost= LOCAL
#   nostrip
}
#this is the second realm that I added
#it does not work; nothing comes across the log script that I use
#but the error the customer sees is invalid username
realm newrealm.com {
type= radius
authhost= LOCAL
accthost= LOCAL
#   nostrip
}

At the bottom it has default
realm DEFAULT {
type= radius
authhost= localhost:1812
accthost= localhost:1813
secret  = sharedsecret
}


cd /var/www/dialup_admin/conf
admin.conf:

general_base_dir: /var/www/dialup_admin
general_radiusd_base_dir: /usr/local
general_domain: old_domain.com

Here it has the old domain; is there a way to add a second or am I just
completely lost? Sorry to be so general; I would really appreciate any help.

Thanks,


J.D. 



See you @ AppState.Net's Wireless Technology Open House - Boone  NC  Jan. 26

Covering Watauga County with Broadband for Everyone
828-265-3773




Re: Multiple realms

2004-02-23 Thread Alan DeKok
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> I would like the SQL database field "realm" to properly reflect what
> realm it is actually proxying for.

  Ok...

> The problem is that if I put Called-Station-Id in the users file and put
> the realm information in proxy.conf, I get an infinite loop.

  Of what?

> users:
> 
> DEFAULT Called-Station-Id == "2345678901", Proxy-To-Realm :=
> "isp1.net"

  Which says "PROXY THE PACKET", not "Set the Realm"

  Use the "Realm" attribute to set the Realm.

> 
> proxy.conf:
> 
> realm isp1.net {
> type= radius
> authhost  = LOCAL
> accthost  = LOCAL

  You're trying to do RADIUS proxying to the local server.  I don't
see why.

> Any thoughts? Am I doing something wrong, or is this just something I'll
> have to live with?

  Use Realm, and not Proxy-To-Realm.

  Alan DeKok.



RE: Multiple realms

2004-02-23 Thread Anson Rinesmith
I put
DEFAULT Called-Station-Id == "2345678901", Realm := "isp1.net"
In both users and acct_users
And I still get DEFAULT put in the realm field in my database.

Should this be a REPLY?
DEFAULT Called-Station-Id == "2345678901"
Realm := "isp1.net"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Monday, February 23, 2004 12:38 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Multiple realms
> 
> "Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> > I would like the SQL database field "realm" to properly reflect what
> > realm it is actually proxying for.
> 
>   Ok...
> 
> > The problem is that if I put Called-Station-Id in the users file and put
> > the realm information in proxy.conf, I get an infinite loop.
> 
>   Of what?
> 
> > users:
> >
> > DEFAULT Called-Station-Id == "2345678901", Proxy-To-Realm :=
> > "isp1.net"
> 
>   Which says "PROXY THE PACKET", not "Set the Realm"
> 
>   Use the "Realm" attribute to set the Realm.
> 
> >
> > proxy.conf:
> >
> > realm isp1.net {
> > type= radius
> > authhost  = LOCAL
> > accthost  = LOCAL
> 
>   You're trying to do RADIUS proxying to the local server.  I don't
> see why.
No, I am accepting a proxy request from another server.
> 
> > Any thoughts? Am I doing something wrong, or is this just something I'll
> > have to live with?
> 
>   Use Realm, and not Proxy-To-Realm.
> 
>   Alan DeKok.
> 




Re: Multiple realms

2004-02-23 Thread Alan DeKok
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> DEFAULT Called-Station-Id == "2345678901", Realm := "isp1.net"
> In both users and acct_users
> And I still get DEFAULT put in the realm field in my database.

  Then read the debug log to see where the DEFAULT realm is coming from.

  Alan DeKok.



RE: Multiple realms

2004-02-23 Thread Anson Rinesmith
;username'
sql_set_user:  escaped user --> 'username'
radius_xlat:  'INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId,
UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', '440615203', '',
'username', 'DEFAULT', '111.222.333.444', '7', 'Async', '2004-02-23
14:51:16', '0', '0', 'RADIUS', '', '', '0', '0', '2345678901', '99',
'', 'Framed-User', 'PPP', '111.222.333.123', '0', '0')'
rlm_sql: Reserving sql socket id: 3
rlm_sql: Released sql socket id: 3
  modcall[accounting]: module "sql" returns ok
modcall: group accounting returns ok
Sending Accounting-Response of id 238 to 209.16.220.24:1814
Proxy-State = 0x3538
Finished request 11
Going to the next request
Cleaning up request 11 ID 238 with timestamp 403a67c4
rl_next:  returning NULL
Waking up in 6 seconds...

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Monday, February 23, 2004 2:46 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Multiple realms
> 
> "Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> > DEFAULT Called-Station-Id == "2345678901", Realm := "isp1.net"
> > In both users and acct_users
> > And I still get DEFAULT put in the realm field in my database.
> 
>   Then read the debug log to see where the DEFAULT realm is coming from.
> 
>   Alan DeKok.
> 




Re: Trying multiple realms

2011-07-26 Thread Alan DeKok
Charles Plater wrote:
> Is there any way to try multiple realms inside an update control
> statement? What I want to do is try proxying to one realm, and if that
> fails trying the credentials via the local realm. Thanks in advance.

  Read raddb/proxy.conf.  Look for the home server pool section.

  This works, and is documented.

  Alan DeKok.



Re: Trying multiple realms

2011-07-27 Thread Charles Plater
On Jul 26, 2011, at 4:36 PM, Alan DeKok wrote:

> Charles Plater wrote:
>> Is there any way to try multiple realms inside an update control
>> statement? What I want to do is try proxying to one realm, and if that
>> fails trying the credentials via the local realm. Thanks in advance.
> 
>  Read raddb/proxy.conf.  Look for the home server pool section.
> 
>  This works, and is documented.


If I'm reading raddb/proxy.conf correctly home_server_pool allows for fail-over 
and load-balancing configurations. In my case I was to try the same credentials 
against multiple servers. I'm currently using this bit of unlang to send some 
requests to another radius server:

if (User-Name !~ /^..[0-9][0-9][0-9].*$/) {
    update control {
        Proxy-To-Realm := 'med.wayne.edu'
    }
}

What I'm looking at doing is to retry failed proxy attempts locally. Is this 
possible?

-- 
Charles Plater
Lead Application Technical Analyst
Internet Services
+1-313-577-4620
ab3...@wayne.edu


Re: Trying multiple realms

2011-07-27 Thread Alan DeKok
Charles Plater wrote:
> If I'm reading raddb/proxy.conf correctly home_server_pool allows for
> fail-over and load-balancing configurations.

  Yes.

> In my case I was to try the
> same credentials against multiple servers.

  RADIUS doesn't do that.  It's a *terrible* idea.

> What I'm looking at doing is to retry failed proxy attempts locally. Is
> this possible?

  *Please* use the correct terminology.  Do you mean "failed", as in
"failed to get a response", or "rejected", as in "received a reject packet"?

  If you use vague terminology, it's impossible to help you.

  The server treats rejects as being definitive.  Changing them later to
accepts is wrong and broken.  Fix your design so that you send the
packets to the correct server.

  Alan DeKok.
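As an added illustration of the home_server_pool section Alan points to (example configuration written for this page, not from the thread and not from the FreeRADIUS distribution): a FreeRADIUS 2.x proxy.conf fragment that proxies Charles's realm med.wayne.edu to a fail-over pool of two home servers. The host names, the 192.0.2.x addresses and the secret placeholder are assumed.

```conf
# raddb/proxy.conf, FreeRADIUS 2.x syntax (added example; host names,
# 192.0.2.x addresses and the secret placeholder are assumed)
home_server med_primary {
    type   = auth
    ipaddr = 192.0.2.11
    port   = 1812
    secret = REPLACE_WITH_SHARED_SECRET
    # A server that stops answering is marked zombie and then dead after
    # these timeouts; only then does a fail-over pool move to the next
    # entry, and the dead server is tried again after revive_interval.
    response_window = 20
    zombie_period   = 40
    revive_interval = 120
}

home_server med_secondary {
    type   = auth
    ipaddr = 192.0.2.12
    port   = 1812
    secret = REPLACE_WITH_SHARED_SECRET
}

home_server_pool med_pool {
    # fail-over: send every request to the first live server in the list
    # and move on only when it does not respond. An Access-Reject is a
    # response, so it ends the request; it never triggers the next server.
    type        = fail-over
    home_server = med_primary
    home_server = med_secondary
}

# Charles's unlang above sets Proxy-To-Realm := 'med.wayne.edu'; this is
# the realm block that value has to match.
realm med.wayne.edu {
    auth_pool = med_pool
}
```

Nothing here retries after a reject: a reject from med_primary goes back to the NAS as it is, which is the behaviour Alan describes as intended. Letting local accounts in has to be a routing decision made before proxying (only set Proxy-To-Realm for names that are known not to be local), not a second attempt after the answer has come back.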


Re: Trying multiple realms

2011-07-27 Thread Arran Cudbard-Bell

On 27 Jul 2011, at 17:14, Charles Plater wrote:

> On Jul 26, 2011, at 4:36 PM, Alan DeKok wrote:
> 
>> Charles Plater wrote:
>>> Is there any way to try multiple realms inside an update control
>>> statement? What I want to do is try proxying to one realm, and if that
>>> fails trying the credentials via the local realm. Thanks in advance.
>> 
>>  Read raddb/proxy.conf.  Look for the home server pool section.
>> 
>>  This works, and is documented.
> 
> 
> If I'm reading raddb/proxy.conf correctly home_server_pool allows for 
> fail-over and load-balancing configurations. In my case I was to try the same 
> credentials against multiple servers. I'm currently using this bit of unlang 
> to send some requests to another radius server:
> 
>   if (User-Name !~ /^..[0-9][0-9][0-9].*$/) {
>   update control {
>   Proxy-To-Realm := 'med.wayne.edu'
>   }
>   }
> 
> What I'm looking at doing is to retry failed proxy attempts locally. Is this 
> possible?

Fail in what way? Because a server's down or because the user was rejected?

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


Multiple Realms per NAS

2010-01-06 Thread Nalin Mistry
We have just installed FreeRADIUS and have basic functionality working for ISP 
and Hotspot applications. 

For the ISP application, we would like to specify the realms supported on a NAS 
basis. Is this feasible and how would one go about configuring it. 

Thanks in advance... 



Re: Adding multiple realms

2005-12-27 Thread Lewis Bergman
You should probably look into the strip realms config item since you 
only want a single username for all realms.


--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax  325-695-6841


RE: Adding multiple realms

2005-12-27 Thread JD
In dialupadmin/ admin.conf:

# Realm setup
#
# Set general_strip_realms to yes in order to strip realms from usernames.
# By default realms are not stripped
#general_strip_realms : yes

Should the above line "not" be commented out?  

Thanks for your help;

J.D. 


See you @ AppState.Net's Wireless Technology Open House - Boone  NC  Jan. 26

Covering Watauga County with Broadband for Everyone
828-265-3773

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Lewis Bergman
Sent: Tuesday, December 27, 2005 4:02 PM
To: FreeRadius users mailing list
Subject: Re: Adding multiple realms

You should probably look into the strip realms config item since you 
only want a single username for all realms.

-- 
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax  325-695-6841



Multiple realms: need help

2005-07-01 Thread Normando Marcolongo

Hi!

I would like to have freeradius behave like this:
- realm 'alwaysok' would always accept authentication
- realm 'checkthis' would always check against mysql

Up to now I'd have done this by telling freeradius to proxy one of the 
realms to another freeradius that would behave accordingly, leaving the 
former to do the processing for the other realm.

Is there a more elegant way of doing this?

Thank you!
Normando

--
|  Normando Marcolongo | Micso s.r.l.  |
|   via Tiburtina, 318 | I-65128 Pescara, Italy|
|tel/fax (+39)08554105 | mob. (+39)3386296362  |



Multiple REALMS, multiple SQL

2007-04-14 Thread Andrea Cerrito
Hi to this list,

I'm using freeradius from few weeks, and now I need a little help to
understand how to configure a proxied configuration to do what I need.

My situation:

[ Proxy Frontend ] -- REALM ABC >> proxied to [ My Radius Server ]
 |
 |- REALM DEF >> proxied to [ My Customer Radius ]
 |
 |- REALM GHI >> proxied to [ My Customer Radius ]

The data about the realm ABC is stored in a database by another server that
I manage, so I keep data without problems.
The data about the realm DEF/GHI is not stored at all because I'm not
managing the final servers.

I cannot store data on the proxy frontend by the simple "sql" configuration
because I'll start to write a lot of useless and doubled data (the real
configuration is more complex then described before).

How can I let the proxy write in a db just the realm DEF and GHI and ignore
the realm ABC?

I think it can be done in the post-proxy section of the radius.conf... But
how?

Thank you
--
Andrea



authenticate multiple realms for dialups

2004-12-02 Thread Christian Reeves
I have an ISP scenario using freeradius 1.0.1 to authenticate dialup
customers on our single domain. We use a Mysql backend.
We have added a second domain for a national dialup service. A 3rd party
providing the POPS will pass radius requests to our radius servers.



Question:
How do I setup the ability to authenticate more than one domain (realm) in
freeradius?
Desired result:
Not only can our original realm authenticate but now freeradius should
authenticate <[EMAIL PROTECTED]> as well.


I put this in my proxy.conf file but I'm not sure this is the right thing to
do and it seems too simple to be true:

realm powerline.net {
type= radius
authhost= LOCAL
accthost= LOCAL
}

I gratefully accept any pointers to archived answers/tips (I'm currently
digging as well)
I can provide config files if it will help.

Thanks!!
Christian




Proxy based on Multiple Realms

2009-10-15 Thread Bob Brandt
What I want to do is proxy requests based on being in multiple realms.  For
example:
Realm1/username.Realm2

Where Realm1 is "host" AND Realm2 is "some.fqdn" then proxy to
xxx.xxx.xxx.xxx

Specifically what I am doing is trying to use FreeRadius to proxy for AD
Domains.  I want to enable host based authentication (i.e. host/
workstation.domain.name ) but for multiple domains.  I believe proxying is
the only way to accomplish this.

All I can find are references/warnings to making sure that I DON'T do this
by mistake.  Problem is I believe this is what I must do.

Is this even possible with FreeRadius?

Thanks
Bob

Re: Multiple Realms per NAS

2010-01-06 Thread Arran Cudbard-Bell

On 1/6/2010 12:13 PM, Nalin Mistry wrote:

> We have just installed FreeRADIUS and have basic functionality working for ISP
> and Hotspot applications.
>
> For the ISP application, we would like to specify the realms supported on a NAS
> basis. Is this feasible and how would one go about configuring it.

FreeRADIUS uses a policy language for such things, it is up to you to 
write the correct policy, there are no built in methods for doing this.


Here are a couple of examples as to how you could achieve it:

If you want a local non-centralized solution then use an instance of the 
files module:


raddb/modules/files:

files realm_map {
    # The default key attribute to use for matches. The content
    # of this attribute is used to match the "name" of the
    # entry.
    key = "%{Client-Shortname}"
    usersfile = ${confdir}/realm_map
    #acctusersfile = ${confdir}/acct_users
    #preproxy_usersfile = ${confdir}/preproxy_users
    # If you want to use the old Cistron 'users' file
    # with FreeRADIUS, you should change the next line
    # to 'compat = cistron'. You can then copy your 'users'
    # file from Cistron.
    compat = no
}
# list "realm_map" after "suffix" in the authorize section so that
# Realm is already set when the file is consulted

raddb/realm_map:

NASX    Realm == 'RealmX'
        Fall-Through = no
NASX    Realm == 'RealmY'
        Fall-Through = no
NASY    Realm == 'RealmZ'
        Fall-Through = no
DEFAULT Auth-Type := Reject

Or if you want something SQL based:

authorize {
    if ("%{sql:SELECT COUNT(*) FROM `my_realm_mappings` WHERE `nas`='%{Client-Shortname}' AND `realm`='%{Realm}' LIMIT 1}" != 1) {
        reject
    }
}

-Arran






Re: Multiple realms: need help

2005-07-01 Thread Alan DeKok
Normando Marcolongo <[EMAIL PROTECTED]> wrote:
> I would like to have freeradius behave like this:
> - realm 'alwaysok' would always accept authentication
> - realm 'checkthis' would always check against mysql

  Sure, but they're not really realms.

> Is there a more elegant way of doing this?

  Yes.  You can look for the Realm in the users file.

  Alan DeKok.
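One way to "look for the Realm in the users file" as Alan suggests, written as an added example (not Alan's or Normando's configuration). It assumes that both names have a local realm block in proxy.conf so that the suffix module sets Realm, that the stock authorize order (suffix, files, then sql) is in place, and a constructed NAS address of 192.0.2.5.

```conf
# raddb/users (added example, not configuration from the thread).
# Assumes: 'alwaysok' and 'checkthis' each have a local realm block in
# proxy.conf so that the 'suffix' module sets Realm; the stock authorize
# order (suffix, files, then sql); and 192.0.2.5 as the NAS address.

# Realm alwaysok: Auth-Type := Accept skips the authenticate section, so no
# password is ever checked. Tie it to the one NAS that is allowed to use it;
# without the NAS-IP-Address check, any NAS configured on this server could
# log in as anything@alwaysok.
DEFAULT Realm == "alwaysok", NAS-IP-Address == 192.0.2.5, Auth-Type := Accept
        Fall-Through = no

# Realm checkthis needs no entry: a request that matches nothing above is
# handled by the sql module, which loads the stored password as a check
# item, and the normal authenticate section verifies it.
```

The entry is deliberately narrow. Accept-without-password is the kind of setting that outlives the test it was added for, so the NAS restriction and the realm name together are what keep it from becoming a general bypass, and the debug output (radiusd -X) shows which users entry matched if it ever needs to be audited.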


Re: Multiple REALMS, multiple SQL

2007-04-15 Thread Alan DeKok
Andrea Cerrito wrote:
> How can I let the proxy write in a db just the realm DEF and GHI and ignore
> the realm ABC?

  Do *conditional* logging to SQL.  See Acct-Type, which lets you
conditionally call a module.

> I think it can be done in the post-proxy section of the radius.conf... But
> how?

  Not in post-proxy.  Do it in the "accounting" section.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
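Added example, not from the thread: the conditional accounting call Alan describes, written as FreeRADIUS 2.x unlang in the accounting section (the 1.x servers of 2007 expressed the same switch through the Acct-Type attribute Alan names). The realm names DEF, GHI and ABC are the ones from Andrea's post; the rest of the section is assumed.

```conf
# raddb/sites-enabled/default, accounting section (FreeRADIUS 2.x unlang).
# Added example; realm names DEF/GHI/ABC are the ones from Andrea's post.
accounting {
    detail

    # Realm was set by the 'suffix' module in preacct. The accounting
    # section runs before the packet is proxied, so the test belongs here
    # and not in post-proxy (Alan's point above).
    if (Realm == "DEF" || Realm == "GHI") {
        sql
    }
    # Realm ABC falls through without an sql call: the server it is
    # proxied to already records it, so nothing is written twice.
}
```

Because the condition is on Realm rather than on the User-Name string, a realm that is added later to proxy.conf is not logged until it is added here as well, which is the safer default for a proxy that is not supposed to keep customer data.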


RE: Multiple REALMS, multiple SQL

2007-04-15 Thread Andrea Cerrito
Great, it does the trick :)
It was simpler than I thought.

Another question: is it safe to write into the same sql
server\database\table by 2 radius servers authenticating the same realm?
--
Andrea Cerrito 



Re: authenticate multiple realms for dialups

2004-12-02 Thread Dustin Doris

> I have an ISP scenario using freeradius 1.0.1. to authenticate dialup
> customers on our single domain. We use a Mysql backend.
> We have added a second domain for a national dialup service. A 3rd party
> providing the POPS will pass radius requests to our radius servers.
>
> Question:
> How do I setup the ability to authenticate more than one domain (realm) in
> freeradius?
> Desired result:
> Not only can our original realm authenticate but now freeradius should
> authenticate <[EMAIL PROTECTED]> as well.
>
>
> I put this in my proxy.conf file but I'm not sure this is the right thing to
> do and it seems too simple to be true:
>
> realm powerline.net {
> type= radius
> authhost= LOCAL
> accthost= LOCAL
> }
>
> I gratefully accept any pointers to archived answers/tips (I'm currently
> digging as well)
> I can provide config files if it will help.
>
> Thanks!!
> Christian
>

So what errors do you get when you try to authenticate the user?  Please
paste entire radiusd -X output.





RE: authenticate multiple realms for dialups

2004-12-02 Thread Christian Reeves
> > I have an ISP scenario using freeradius 1.0.1. to 
> authenticate dialup 
> > customers on our single domain. We use a Mysql backend.
> > We have added a second domain for a national dialup service. A 3rd 
> > party providing the POPS will pass radius requests to our 
> radius servers.
> >
> > Question:
> > How do I setup the ability to authenticate more than one domain 
> > (realm) in freeradius?
> > Desired result:
> > Not only can our original realm authenticate but now 
> freeradius should 
> > authenticate <[EMAIL PROTECTED]> as well.
> >
> >
> > I put this in my proxy.conf file but I'm not sure this is the right 
> > thing to do and it seems too simple to be true:
> >
> > realm powerline.net {
> > type= radius
> > authhost= LOCAL
> > accthost= LOCAL
> > }
> >
> > I gratefully accept any pointers to archived answers/tips (I'm 
> > currently digging as well) I can provide config files if it 
> will help.
> >
> > Thanks!!
> > Christian
> >
> 
> So what errors do you get when you try to authenticate the 
> user?  Please paste entire radiusd -X output.



([EMAIL PROTECTED]) 1 ~ # service radiusd stop ; radiusd -x
Stopping FreeRADIUS: radiusd.
Starting - reading configuration files ...
Module: Loaded PAP 
Module: Instantiated pap (pap) 
Module: Loaded preprocess 
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
Module: Instantiated realm (suffix) 
Module: Loaded SQL 
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql) 
Module: Loaded Acct-Unique-Session-Id 
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
Module: Instantiated detail (detail) 
Initializing the thread pool...
Listening on authentication 209.26.178.8:1812
Ready to process requests.
rad_recv: Access-Request packet from host 65.167.179.3:3574, id=1,
length=209
User-Name = "[EMAIL PROTECTED]"
User-Password = "[EMAIL PROTECTED]"
NAS-IP-Address = 209.247.22.208
NAS-Port = 258
Service-Type = Framed-User
Framed-Protocol = PPP
Ascend-Data-Rate = 31200
Ascend-Calling-Id-Type-Of-Num = Unknown
Ascend-Calling-Id-Number-Plan = Unknown
Ascend-Xmit-Rate = 28800
Called-Station-Id = "4077384022"
Calling-Station-Id = "4079332394"
NAS-Identifier = "nas16.orl1.Level3.net"
Acct-Session-Id = "334467454"
NAS-Port-Type = Async
Ascend-NAS-Port-Format = 2_4_5_5
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 4
Login incorrect: [EMAIL PROTECTED]/[EMAIL PROTECTED] (from client TXLink port
258 cli 4079332394)


I see where the user is missing in radcheck and radgroupcheck now. How do I
get this other realm setup and then the users in those proper places?




RE: authenticate multiple realms for dialups

2004-12-02 Thread Dustin Doris
On Thu, 2 Dec 2004, Christian Reeves wrote:

> > > I have an ISP scenario using freeradius 1.0.1. to
> > authenticate dialup
> > > customers on our single domain. We use a Mysql backend.
> > > We have added a second domain for a national dialup service. A 3rd
> > > party providing the POPS will pass radius requests to our
> > radius servers.
> > >
> > > Question:
> > > How do I setup the ability to authenticate more than one domain
> > > (realm) in freeradius?
> > > Desired result:
> > > Not only can our original realm authenticate but now
> > freeradius should
> > > authenticate <[EMAIL PROTECTED]> as well.
> > >
> > >
> > > I put this in my proxy.conf file but I'm not sure this is the right
> > > thing to do and it seems too simple to be true:
> > >
> > > realm powerline.net {
> > > type= radius
> > > authhost= LOCAL
> > > accthost= LOCAL
> > > }
> > >
> > > I gratefully accept any pointers to archived answers/tips (I'm
> > > currently digging as well) I can provide config files if it
> > will help.
> > >
> > > Thanks!!
> > > Christian
> > >
> >
> > So what errors do you get when you try to authenticate the
> > user?  Please paste entire radiusd -X output.
>
>
>
> ([EMAIL PROTECTED]) 1 ~ # service radiusd stop ; radiusd -x
> Stopping FreeRADIUS: radiusd.
> Starting - reading configuration files ...
> Module: Loaded PAP
> Module: Instantiated pap (pap)
> Module: Loaded preprocess
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> Module: Instantiated realm (suffix)
> Module: Loaded SQL
> rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
> rlm_sql (sql): starting 0
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
> rlm_sql_mysql: Starting connect to MySQL server for #0
> rlm_sql (sql): Connected new DB handle, #0
> rlm_sql (sql): starting 1
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
> rlm_sql_mysql: Starting connect to MySQL server for #1
> rlm_sql (sql): Connected new DB handle, #1
> rlm_sql (sql): starting 2
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
> rlm_sql_mysql: Starting connect to MySQL server for #2
> rlm_sql (sql): Connected new DB handle, #2
> rlm_sql (sql): starting 3
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
> rlm_sql_mysql: Starting connect to MySQL server for #3
> rlm_sql (sql): Connected new DB handle, #3
> rlm_sql (sql): starting 4
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
> rlm_sql_mysql: Starting connect to MySQL server for #4
> rlm_sql (sql): Connected new DB handle, #4
> Module: Instantiated sql (sql)
> Module: Loaded Acct-Unique-Session-Id
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> Module: Instantiated detail (detail)
> Initializing the thread pool...
> Listening on authentication 209.26.178.8:1812
> Ready to process requests.
> rad_recv: Access-Request packet from host 65.167.179.3:3574, id=1,
> length=209
> User-Name = "[EMAIL PROTECTED]"
> User-Password = "[EMAIL PROTECTED]"
> NAS-IP-Address = 209.247.22.208
> NAS-Port = 258
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Ascend-Data-Rate = 31200
> Ascend-Calling-Id-Type-Of-Num = Unknown
> Ascend-Calling-Id-Number-Plan = Unknown
> Ascend-Xmit-Rate = 28800
> Called-Station-Id = "4077384022"
> Calling-Station-Id = "4079332394"
> NAS-Identifier = "nas16.orl1.Level3.net"
> Acct-Session-Id = "334467454"
> NAS-Port-Type = Async
> Ascend-NAS-Port-Format = 2_4_5_5
> rlm_sql (sql): Reserving sql socket id: 4
> rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
> rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
> rlm_sql (sql): User not found
> rlm_sql (sql): Released sql socket id: 4
> Login incorrect: [EMAIL PROTECTED]/[EMAIL PROTECTED] (from client TXLink port
> 258 cli 4079332394)
>
>
> I see where the user is missing in radcheck and radgroupcheck now. How do I
> get this other realm setup and then the users in those proper places?
>

First you need to make sure you've enabled proxying.

Make sure you have these lines set to yes and uncommented:
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

Now, you need to think about how you are going to store your usernames.
If all usernames will be unique, regardless of the domain, then you should
be done and ready to go.  The domain will be stripped from the username
when authentication takes place.

i.e.: there will be no [EMAIL PROTECTED] and [EMAIL PROTECTED]

If you may have the same username for different realms, then you need to
add nostrip to that realm.

i.e.:

#realm isp2.com {
#   type= radius
#   authhost= radius.isp2.com:1645
#   accthost= radius.isp2.com:1646
#   secret  = TheirKey
#   nostrip
#}

Then you need to add all those users to

Re: Proxy based on Multiple Realms

2009-10-15 Thread Alan Buxey
Hi,
> What I want to do is proxy requests based on being in multiple realms.  For
> example:
> Realm1/username.Realm2

so long as the second part will always be username.realm2 (and you don't get
into user.name.realm2) then you can use 2.1.x with unlang to configure what
you need. You need to use a decent regex pattern to match

$1/[string].$2 (in fact, you can simply ignore $1 as it will always
be host/ if dealing with the type of traffic I expect)...and then you can simply
set the proxy-to-realm to be equal to the $2 value.

however, this is not a trivial 'it'll just work' and the realm details
might not be the site's real NAI realm (as it might be an internal AD realm
that has no basis on a real-world name, for example).

PS in eduroam we only allow the authentication of users via RFC NAI values -
this stops this nasty machine authentication mess (which most RADIUS servers
will not be able to handle) - I guess this is a demonstration of FR
power/flexibility rather than common use :-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy based on Multiple Realms

2009-10-16 Thread Bob Brandt
Perfect, I think that is exactly what I want, but I'm hoping you might be
able to help me with the syntax. I am trying this, but it doesn't seem to
work:

# - From the proxy.conf file:
realm host {
if ( Stripped-User-Name =~ ".*\.domain\.name" ) {
pool = adradius
nostrip
}
}

Thanks
Bob

On Thu, Oct 15, 2009 at 3:38 PM, Alan Buxey  wrote:

> Hi,
> > What I want to do is proxy requests based on being in multiple realms.
>  For
> > example:
> > Realm1/username.Realm2
>
> so long as the second part will always be username.realm2 (and you don't get
> into user.name.realm2) then you can use 2.1.x with unlang to configure what
> you need. You need to use a decent regex pattern to match
>
> $1/[string].$2 (in fact, you can simply ignore $1 as it will always
> be host/ if dealing with the type of traffic I expect)...and then you can
> simply
> set the proxy-to-realm to be equal to the $2 value.
>
> however, this is not a trivial 'it'll just work' and the realm details
> might not be the site's real NAI realm (as it might be an internal AD realm
> that has no basis on a real-world name, for example).
>
> PS in eduroam we only allow the authentication of users via RFC NAI values
> -
> this stops this nasty machine authentication mess (which most RADIUS
> servers
> will not be able to handle) - I guess this is a demonstration of FR
> power/flexibility
> rather than common use :-)
>
> alan
>

Re: Proxy based on Multiple Realms

2009-10-16 Thread Ivan Kalik
> Perfect, I think that is exactly what I want, but I'm hoping you might be
> able to help me with the syntax. I am trying this, but it doesn't seem to
> work:
>
> # - From the proxy.conf file:
> realm host {
> if ( Stripped-User-Name =~ ".*\.domain\.name" ) {
> pool = adradius
> nostrip
> }
> }

You can't use unlang in proxy.conf file. Use it in virtual server
configuration (authorize section).

Ivan Kalik
Kalik Informatika ISP



Re: Proxy based on Multiple Realms

2009-10-20 Thread Bob Brandt
Okay, perfect that was part of the answer I needed, Thanks!

I guess I now have two more questions:

1. Is there a way to "manually" specify a proxy or Realm in the authorize
section?

2. Is there a way to modify the Realms file to find the realm domain.name
from within user.domain.name? Whenever I try I only get the Realm name,
not domain.name (i.e. I want it to pick up from the first . character,
not the last).

Thanks
Bob

Re: Proxy based on Multiple Realms

2009-10-20 Thread Alan Buxey
Hi,
> Okay, perfect that was part of the answer I needed, Thanks!
> 
> I guess I now have two more questions:
> 
> 1. Is there a way to "manually" specify a proxy or Realm in the authorize
> section?
> 
> 2. Is there a way to modify the Realms file to find the realm domain.name
> from within user.domain.name? Whenever I try I only get the Realm name,
> not domain.name (i.e. I want it to pick up from the first . character,
> not the last).

add a small bit of unlang to the default site... e.g.
(and this is conceptual, not real code!)

if User-Name contains/ends in .domain.name then
update the realm identifier to be domain.name


in reality this would be *something* (i.e. no guarantees, check debug
etc. to work out why it doesn't work etc.) like

if ("%{User-Name}" =~ /\.domain\.name$/) {
   update request {
      Realm := 'domain.name'
   }
   update control {
      Proxy-To-Realm := 'domain.name'
   }
}



alan


Re: Proxy based on Multiple Realms

2009-10-20 Thread Ivan Kalik
> 1. Is there a way to "manually" specify a proxy or Realm in the authorize
> section?

Yes.

update control {
 Proxy-To-Realm := "some_realm"
}

> 2. Is there a way to modify the Realms file to find the realm domain.name
> from within user.domain.name? Whenever I try I only get the Realm name,
> not domain.name (i.e. I want it to pick up from the first . character,
> not the last).

So put prefix not suffix as format. But that will break down if you allow
dots in usernames, like:

Sam.Body.domain.name

Ivan Kalik
Kalik Informatika ISP



Re: Proxy based on Multiple Realms

2009-10-20 Thread Bob Brandt
Great I'll try the update control..

As for Realms file, I did try using prefix instead of suffix, but in the
case of username.domain.name, it says that the Realm is username and the
Stripped User name is domain.name

Thanks
Bob

On Tue, Oct 20, 2009 at 10:21 AM, Ivan Kalik  wrote:

> > 1. Is there a way to "manually" specify a proxy or Realm in the authorize
> > section?
>
> Yes.
>
> update control {
> Proxy-To-Realm := "some_realm"
> }
>
> > 2. Is there a way to modify the Realms file to find the realm domain.name
> > from within user.domain.name? Whenever I try I only get the Realm name,
> > not domain.name (i.e. I want it to pick up from the first . character,
> > not the last).
>
> So put prefix not suffix as format. But that will break down if you allow
> dots in usernames, like:
>
> Sam.Body.domain.name
>
> Ivan Kalik
> Kalik Informatika ISP
>
>



-- 
The problem with socialism is that you eventually run out of other people's
money.  -  Margaret Thatcher

Re: Proxy based on Multiple Realms

2009-10-20 Thread Bob Brandt
Okay, just to update everyone and for others that might search this
mail-listing:

I have finally gotten it, using the code below in the authorize section I
can send host authentication to multiple proxies based on domain name

if ( User-Name =~ /^host\//i ) {
    if ( User-Name =~ /\\.first\\.domain$/i ) {
        update control {
            Proxy-To-Realm := "first.domain"
        }
    }
    if ( User-Name =~ /\\.second\\.domain$/i ) {
        update control {
            Proxy-To-Realm := "second.domain"
        }
    }
    if ( User-Name =~ /\\.first\\.domain$/i ) {
        update control {
            Proxy-To-Realm := "third.domain"
        }
    }
}

For whatever reason I had to use 2 backslashes in front of the period in the
domain names?? But anyway, this part of the project is working.

Thanks for all the help!
Bob

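The two mechanics this thread turns on, realm splitting by rlm_realm and a chain of `update control { Proxy-To-Realm := ... }` rules, as an added example that is not code from the thread or from FreeRADIUS. It is a Python model: `split_realm` assumes (from what Bob reports) that the suffix format splits at the last delimiter and the prefix format at the first, and `choose_proxy_realm` models Bob's `host/` rule chain in both forms, independent `if` blocks where every match runs and the last `:=` wins, and an if/elsif chain where the first match wins. The rule tables, hostnames and realm names are constructed for the example.

```python
import re
from typing import List, Optional, Tuple


def split_realm(user_name: str, fmt: str = "suffix",
                delimiter: str = "@") -> Tuple[str, Optional[str]]:
    """Model of rlm_realm name splitting (an assumption, based on the thread).

    suffix: the realm is the text after the LAST delimiter
            "bob@isp1.net" -> ("bob", "isp1.net")
    prefix: the realm is the text before the FIRST delimiter
            "isp1.net/bob" -> ("bob", "isp1.net")
    Returns (Stripped-User-Name, Realm); Realm is None when the delimiter
    is absent, i.e. the request carries no realm and is handled locally.
    """
    if fmt == "suffix":
        idx = user_name.rfind(delimiter)
        return (user_name, None) if idx < 0 else (user_name[:idx], user_name[idx + 1:])
    if fmt == "prefix":
        idx = user_name.find(delimiter)
        return (user_name, None) if idx < 0 else (user_name[idx + 1:], user_name[:idx])
    raise ValueError(f"unknown realm format: {fmt!r}")


# One rule = (regex applied to User-Name, value assigned to Proxy-To-Realm).
# Python source needs one backslash per escaped dot; the thread reports that
# the config file needed two.
Rule = Tuple[str, str]

# Constructed table mirroring the posted unlang, including its third rule,
# whose pattern repeats ".first.domain" instead of ".third.domain".
RULES_AS_POSTED: List[Rule] = [
    (r"\.first\.domain$", "first.domain"),
    (r"\.second\.domain$", "second.domain"),
    (r"\.first\.domain$", "third.domain"),
]

# The same table with the third pattern corrected.
RULES_FIXED: List[Rule] = [
    (r"\.first\.domain$", "first.domain"),
    (r"\.second\.domain$", "second.domain"),
    (r"\.third\.domain$", "third.domain"),
]


def choose_proxy_realm(user_name: str, rules: List[Rule],
                       first_match: bool = True) -> Optional[str]:
    """Decide Proxy-To-Realm for a machine (host/...) request.

    first_match=False models a chain of independent `if` blocks: every
    matching rule runs and `:=` overwrites the attribute, so the LAST
    match wins.  first_match=True models an if/elsif chain, where
    evaluation stops at the first match.  Matching is case-insensitive,
    like the /.../i regexes in the thread.
    """
    if not re.match(r"host/", user_name, re.IGNORECASE):
        return None  # not a machine account: leave it for local authentication
    chosen = None
    for pattern, realm in rules:
        if re.search(pattern, user_name, re.IGNORECASE):
            chosen = realm
            if first_match:
                break
    return chosen


if __name__ == "__main__":
    # Bob's observation: with delimiter "." neither format yields "domain.name".
    print(split_realm("user.domain.name", "suffix", "."))   # ('user.domain', 'name')
    print(split_realm("user.domain.name", "prefix", "."))   # ('domain.name', 'user')
    # With independent ifs the mistyped third rule silently re-routes first.domain.
    print(choose_proxy_realm("host/pc1.first.domain", RULES_AS_POSTED, first_match=False))
```

Two things worth checking in your own configuration: with a "." delimiter there is no realm format that extracts `domain.name` from `user.domain.name`, which is why the thread ends up matching on `User-Name` in unlang instead of in the realm definition; and a chain of independent `if` blocks evaluates every rule, so a later rule with an overlapping pattern overwrites `Proxy-To-Realm` without any error. Running `radiusd -X` and reading the `Proxy-To-Realm` value in the debug output is the quickest way to confirm which rule actually took effect.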
Re: Proxy based on Multiple Realms

2009-10-20 Thread Alan Buxey
Hi,

> if ( User-Name =~ /^host\//i ) {
> if ( User-Name =~ /\\.first\\.domain$/i ) {
> update control {
> Proxy-To-Realm := "first.domain"
> }
> }
> if ( User-Name =~ /\\.second\\.domain$/i ) {
> update control {
> Proxy-To-Realm := "second.domain"
> }
> }
> if ( User-Name =~ /\\.first\\.domain$/i ) {
> update control {
> Proxy-To-Realm := "third.domain"
> }
> }
> }

will that 4th if ever work (first.domain being sent to third.domain)
as the match would have already happened on the 2nd if..

alan


Re: Proxy based on Multiple Realms

2009-10-20 Thread Bob Brandt
Oops, just a typo   :)

Anyway, I have tested it with one domain (I will have more in the future),
but in theory it should work, and my testing using RADNTPING and RADIUS -X
shows that it should.

Thanks
Bob

On Tue, Oct 20, 2009 at 12:36 PM, Alan Buxey wrote:

> Hi,
>
> > if ( User-Name =~ /^host\//i ) {
> > if ( User-Name =~ /\\.first\\.domain$/i ) {
> > update control {
> > Proxy-To-Realm := "first.domain"
> > }
> > }
> > if ( User-Name =~ /\\.second\\.domain$/i ) {
> > update control {
> > Proxy-To-Realm := "second.domain"
> > }
> > }
> > if ( User-Name =~ /\\*.third*\\.domain$/i ) {
> > update control {
> > Proxy-To-Realm := "third.domain"
> > }
> > }
> > }
>
> will that 4th if ever work (first.domain being sent to third.domain)
> as the match would have already happened on the 2nd if..
>
> alan
>



-- 
The problem with socialism is that you eventually run out of other people's
money.  -  Margaret Thatcher

questions about multiple realms and proxy

2004-01-12 Thread Dave Mason
Hi,
This may be in a FAQ or earlier thread but I didn't see it.  Just a quick
couple of questions.

1. Is it possible to append another realm to the NAI when proxying a 
message?  That is, if a message with [EMAIL PROTECTED] arrives and I proxy it 
to another host based on realm1 in proxy.conf, can the outgoing NAI be 
[EMAIL PROTECTED]@realm2?  If this can't be done with configuration, I believe 
it could be done with code, probably in some authorization module somewhere?

2. A related question: If a message arrives at a proxy server with NAI 
in the form [EMAIL PROTECTED]@realm2, can Freeradius do a proxy determination 
based on realm2?  If so, I assume you would have a normal entry for 
realm2 in proxy.conf, and optionally strip off realm2, leaving the NAI 
as [EMAIL PROTECTED]

Thanks,
Dave




Using kerberos for authentication -- multiple realms.

2004-05-08 Thread Bill Shaver

I am new to this list and am hoping for some assistance with my freeradius
configuration. Please forgive me if this is a stupid question, but I am 
stumped.

Background:

Red Hat 9.0
Freeradius (from RH)
The RPMs that seem most relevant are:
freeradius-0.9.3-1
krb5-libs-1.2.7-14
krb5-workstation-1.2.7-14
pam_krb5-1.60-1

I have had it up and running fairly well for several months --
my compliments to the author(s).  The relevant components in my
configuration to this question are a Cisco VPN concentrator as the NAS
and the radius server authenticates via PAM (PAM routes it as a Kerberos 
request to an MS Windows 2000 AD).

The problem:
I need to add at least one more Kerberos realm (read MS Windows forest/AD)
back-end authentication store. (These MS Windows forests do not trust
each other.) On the radius server (computer), I can manually perform kinit
requests against each krb5 realm just fine. My problem is how do I get
freeradius (or PAM) to take the authentication request and direct it to
the correct Kerberos server/realm. It seems this should not be that hard,
I am probably missing something very basic.

Some other notes:
-- I have looked into the rlm_krb, but have gotten nowhere (I can't
find it in the RPMs, and I can't get it to compile).
-- I would like to avoid setting up lots of proxies, it does not seem
appropriate in this environment.
-- I have looked at (although not experimented with) LDAP authentication,
but it looks like I would have the same problem.

Any pointers, even to existing documents I have not yet found, would be
most appreciated. If it can't be done, feel free to tell me that too --
I will stop beating my head against this wall.

Best Wishes,
--Bill



Re: questions about multiple realms and proxy

2004-01-12 Thread Alan DeKok
Dave Mason <[EMAIL PROTECTED]> wrote:
> 1. Is it possible to append another realm to the NAI when proxying a 
> message?  That is, if a message with [EMAIL PROTECTED] arrives and I proxy it 
> to another host based on realm1 in proxy.conf, can the outgoing NAI be 
> [EMAIL PROTECTED]@realm2?  If this can't be done with configuration, I believe 
> it could be done with code, probably in some authorization module somewhere?

  That's what the "preproxy" section is for.  See the "preproxy_users" file.

> 2. A related question: If a message arrives at a proxy server with NAI 
> in the form [EMAIL PROTECTED]@realm2, can Freeradius do a proxy determination 
> based on realm2?  If so, I assume you would have a normal entry for 
> realm2 in proxy.conf, and optionally strip off realm2, leaving the NAI 
> as [EMAIL PROTECTED]

  Yes.

  Alan DeKok.



Re: questions about multiple realms and proxy

2004-01-13 Thread Jyran Glucky
1) Use preproxy.
2) Yes correct.

Jyran Glucky
- Original Message - 
From: "Dave Mason" <[EMAIL PROTECTED]>
To: "freeradius mailing list" <[EMAIL PROTECTED]>
Sent: Monday, January 12, 2004 7:11 PM
Subject: questions about multiple realms and proxy


> Hi,
> This may be in a FAQ or earlier thread but I didnt see it.  Just a quick
> couple of questions.
>
> 1. Is it possible to append another realm to the NAI when proxying a
> message?  That is, if a message with [EMAIL PROTECTED] arrives and I proxy it
> to another host based on realm1 in proxy.conf, can the outgoing NAI be
> [EMAIL PROTECTED]@realm2?  If this can't be done with configuration, I believe
> it could be done with code, probably in some authorization module
somewhere?
>
> 2. A related question: If a message arrives at a proxy server with NAI
> in the form [EMAIL PROTECTED]@realm2, can Freeradius do a proxy determination
> based on realm2?  If so, I assume you would have a normal entry for
> realm2 in proxy.conf, and optionally strip off realm2, leaving the NAI
> as [EMAIL PROTECTED]
>
> Thanks,
> Dave
>
>
>






Re: Using kerberos for authentication -- multiple realms.

2004-05-09 Thread Alan DeKok
Bill Shaver <[EMAIL PROTECTED]> wrote:
> I need to add at least one more Kerberos realm (read MS Windows forest/AD)
> back-end authentication store. (These MS Windows forests do not trust
> each other.) On the radius server (computer), I can manually perform kinit
> requests against each krb5 realm just fine. My problem is how do I get
> freeradius (or PAM) to take the authentication request and direct it to
> the correct Kerberos server/realm. It seems this should not be that hard,
> I am probably missing something very basic.

  That would depend on pam_krb5.  If it doesn't describe how to do
this, it probably can't.

> -- I have looked into the rlm_krb, but have gotten nowhere (I can't
> find it in the RPMs, and I can't get it to compile).

  If it's not in the RPM's, it's probably because the Kerberos on RH
is different than the one in the module.

  You might try the latest CVS snapshot.  The kerberos module may have
been updated.

> -- I have looked at (although not experimented with) LDAP authentication,
> but it looks like I would have the same problem.

  I'm not sure why.  You can have multiple instances of the LDAP
module, each pointing to a different back-end.

  Alan DeKok.




Re: Using kerberos for authentication -- multiple realms.

2004-05-09 Thread Bill Shaver

Alan,
Thanks for your quick response. I put several more hours of testing
in after I made this posting and determined it is almost certainly 
not a radius issue, but probably a PAM or Kerberos issue, so I am 
starting to dig deeper in those areas. The LDAP information is 
interesting and may prove to be the option I need to take if I can't 
get the Kerberos working soon.

Thanks for your assistance.
--Bill


On Sun, May 09, 2004 at 08:34:48AM -0400, Alan DeKok wrote:
> Bill Shaver <[EMAIL PROTECTED]> wrote:
> > I need to add at least one more Kerberos realm (read MS Windows forest/AD)
> > back-end authentication store. (These MS Windows forests do not trust
> > each other.) On the radius server (computer), I can manually perform kinit
> > requests against each krb5 realm just fine. My problem is how do I get
> > freeradius (or PAM) to take the authentication request and direct it to
> > the correct Kerberos server/realm. It seems this should not be that hard,
> > I am probably missing something very basic.
> 
>   That would depend on pam_krb5.  If it doesn't describe how to do
> this, it probably can't.
> 
> > -- I have looked into the rlm_krb, but have gotten nowhere (I can't
> > find it in the RPMs, and I can't get it to compile).
> 
>   If it's not in the RPM's, it's probably because the Kerberos on RH
> is different than the one in the module.
> 
>   You might try the latest CVS snapshot.  The kerberos module may have
> been updated.
> 
> > -- I have looked at (although not experimented with) LDAP authentication,
> > but it looks like I would have the same problem.
> 
>   I'm not sure why.  You can have multiple instances of the LDAP
> module, each pointing to a different back-end.



freeradius2 multiple realms auth off different database types

2010-04-16 Thread ronald higgins
Greetings freeradius list members,

I'm hoping one of the more experienced FR2 users might shed some light
on a query I have; historically
I've only worked with Radiator, so I am very much a novice with FR2.

Is it possible to auth different realms off different database server
types within the same FR2 configuration?

ie.

apples.com auths off a mysql db
pears.com auths off Active Directory

Regards

Ronald


mschap auth for multiple realms off different domain ctlrs?

2009-07-27 Thread Ross Wheeler


I've inherited a system which now needs to be changed and I can't seem to make it do 
it! I'm sure it can, but I'm just not familiar enough with FreeRadius to know 
how to coax it into doing what I need.


It's a fairly old system, FreeRADIUS Version 1.1.3

Remote users connect to the host using the Windows VPN client, hence MS-CHAPv2; 
the call terminates on mpd running on FreeBSD, which authenticates using freeradius on 
the same host. That all works.


Problem is, the client has been like the borg and assimilated another company 
and needs to support their roaming users too.


so now users log in as user and the request is done via an ntlm request to 
their primary domain controller 10.1.1.1 in realm company1.local

This is configured in krb5.conf as far as I can determine.

FreeRadius also looks for a specific group membership with 
"--require-membership-of=company1-vpn-users"



I now need to support (additionally) another set of users logging in as
otheruser  who will need to specify their realm as company2

I can get freeradius to "see"  otheru...@company2.local   and it splits the 
username and realm out (as seen with radiusd -X) but what I can't figure out is 
how to tell it to still use the "local" auth but to know that it now has to use 
"company2.local" for its realm, to ask 10.1.1.3 instead of 10.1.1.1, and to 
look for group membership of "company2-vpn-users".


I thought I could perhaps use a variable and set that within a specific realm{} 
definition during auth, but I can't see how to define/use variables other than 
attributes offered or returned.


I have used

ntlm_auth --request-nt-key --username=user --password=xxx
--domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS

ntlm_auth --request-nt-key --username=otheruser --password=xxx
--domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS

and I get the right answers, so looks like the settings in my krb5.conf are 
working, but I just can't see how to get freeradius to make the request this 
way.


(Yes, I know the correct request will use --challenge= and --nt-response= but 
I'm "assuming" if I can get the rest of the request right, it'll "just work")


Any help please? I've googled and tried more things than I can document here 
without driving you nuts!


RossW


Re: freeradius2 multiple realms auth off different database types

2010-04-16 Thread Alan Buxey
Hi,

> apples.com auths off a mysql db
> pears.com auths off Active Directory

yes. set a virtual server as the server in the proxy.conf
or use unlang to update the realm details and send it to a new
virtual server. that VS will only have the relevant engines
configured in it

alan


Authenticate users from multiple realms on the same NAS

2006-08-10 Thread Scott Lambert
Hi,

I've been using GNU-RADIUS and asked this question on the GNU-RADIUS
list last week but didn't get any responses.

The ISP I work for has recently acquired two other local ISPs.  None of
the ISPs have their customers set up to authenticate with [EMAIL PROTECTED]

I need to merge dial-up numbers and bring the DSL aggregation together
in order to reduce costs.  That means, I will have potentially three
users with the username of "bob" trying to login on the same NAS box
with no way to tell which one they are other than the password the user
supplies.  The NAS address and everything else I can think of will be
the same for all users. (we lack caller-id features).

Is it possible to setup radius to authenticate these users?  I'm willing
to switch RADIUS servers if someone has a nifty module that makes magic
happen.

I've been skimming through the FreeRADIUS mailing list and trying to
search google for pointers on how to accomplish this.  Unfortunately,
the search terms I have been trying are pretty much useless. "multiple
realms", "multiple domains" combined with or without "one NAS", "same
NAS" ...

If anyone has pointers to documentation that tells me why it can't be
done or how to do it, or even a "hey stupid, it's not that complicated",
I would appreciate the help.

-- 
Scott LambertKC5MLE   Unix SysAdmin
[EMAIL PROTECTED]



Re: mschap auth for multiple realms off different domain ctlrs?

2009-07-28 Thread Ivan Kalik
> I have used
>
> ntlm_auth --request-nt-key --username=user --password=xxx
>  --domain=COMPANY1.LOCAL --require-membership-of=COMPANY1-VPN-USERS
>
> ntlm_auth --request-nt-key --username=otheruser --password=xxx
>  --domain=COMPANY2.LOCAL --require-membership-of=COMPANY2-VPN-USERS
>
> and I get the right answers, so looks like the settings in my krb5.conf
> are
> working, but I just can't see how to get freeradius to make the request
> this
> way.
>
> (Yes, I know the correct request will use --challenge= and --nt-response=
> but
> I'm "assuming" if I can get the rest of the request right, it'll "just
> work")

Create two mschap module instances, mschap_co1 with first ntlm_auth line
and mschap_co2 with second one. Then create redundancy inside Auth-Type
MS-CHAP (default server for mschap requests, inner-tunnel for peap):

Auth-Type MS-CHAP {
 if(Realm == "company1.local") {
  mschap_co1
 }
 elsif(Realm == "company2.local") {
  mschap_co2
 }
 else {
  mschap (or reject if you don't want to try users file, sql, ldap
or other accounts)
 }
}

Ivan Kalik
Kalik Informatika ISP



Re: mschap auth for multiple realms off different domain ctlrs?

2009-07-30 Thread Ross Wheeler



On Tue, 28 Jul 2009, Ivan Kalik wrote:

Thank you for the reply and suggestion. I've been interstate and am just back 
now to try it.




> Create two mschap module instances, mschap_co1 with first ntlm_auth line
> and mschap_co2 with second one.


ok.


> Then create redundancy inside Auth-Type
> MS-CHAP (default server for mschap requests, inner-tunnel for peap):
>
> Auth-Type MS-CHAP {
>  if(Realm == "company1.local") {
>   mschap_co1
>  }
>  elsif(Realm == "company2.local") {
>   mschap_co2
>  }
>  else {
>   mschap (or reject if you don't want to try users file, sql, ldap
> or other accounts)
>  }
> }


When I do this, stop radiusd and re-run with -X, I get:

reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
/usr/local/etc/raddb/radiusd.conf[1948]: Line is not in 'attribute = value' 
format
Errors reading radiusd.conf

I then commented out most to check for stupid operator errors:


# new MSCHAP authentication.
# auths differently depending on the realm
# If none of the defined realms, use standard
Auth-Type MS-CHAP {
#   if(Realm == "aae.local") {
mschap_co1
#   }
#   elseif(Realm == "lla.local") {
mschap_co2
#   }
#   else {
#   mschap
#   }
}


This at least got further... but not much. Here's the -X output:


# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius.log"
 main: log_auth = no
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: bind_address = 127.0.0.1 IP address [127.0.0.1]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
radiusd.conf[723] Failed to link to module 'rlm_mschap_co1': Shared object 
"rlm_mschap_co1.so" not found, required by "radiusd"

radiusd.conf[1949] Unknown module "mschap_co1".
radiusd.conf[1949] Failed to parse "mschap_co1" entry.
bash-2.05b#




I'm simply not familiar enough with FreeRadius to know where to go with 
this - I learned enough to set it up many years ago on my own systems, 
it's been rock-solid ever since and I guess I've just forgotten it all. 
This particular configuration was done by someone else and is quite 
different to my own. Any (further) help appreciated.



RE: mschap auth for multiple realms off different domain ctlrs?

2009-07-30 Thread Garber, Neal
> radiusd.conf[723] Failed to link to module 'rlm_mschap_co1': Shared object 
> "rlm_mschap_co1.so" not found, required by "radiusd"
> radiusd.conf[1949] Unknown module "mschap_co1".
> radiusd.conf[1949] Failed to parse "mschap_co1" entry.

Did you create 3 instances of mschap using aliases like below?

mschap {
  .
  .
  .
}
mschap mschap_co1 {
  .
  .
}
mschap mschap_co2 {
  .
  .
}



Autoreply: Authenticate users from multiple realms on the same NAS

2006-08-10 Thread gparlato

I am currently out of the office. For urgent requests please call 800 919299 or 
send an email to [EMAIL PROTECTED] or to [EMAIL PROTECTED]

Kind regards
Giuseppe Parlato
Area Network
mailto:[EMAIL PROTECTED]





Re: Authenticate users from multiple realms on the same NAS

2006-08-10 Thread Alan DeKok
Scott Lambert <[EMAIL PROTECTED]> wrote:
> I've been using GNU-RADIUS and asked this question on the GNU-RADIUS
> list last week but didn't get any responses.

  They haven't had a release for 2 years now...

> I need to merge dial-up numbers and bring the DSL aggregation together
> in order to reduce costs.  That means, I will have potentially three
> users with the username of "bob" trying to login on the same NAS box
> with no way to tell which one they are other than the password the user
> supplies.  The NAS address and everything else I can think of will be
> the same for all users. (we lack caller-id features).

  Yuck.

> Is it possible to setup radius to authenticate these users?  I'm willing
> to switch RADIUS servers if someone has a nifty module that makes magic
> happen.

  If your users are in LDAP, it's actually pretty easy, so long as
they're all doing PAP authentication.  FreeRADIUS has the ability to
run multiple modules, depending on the return codes from a module.
See doc/configurable_failover.

  The short answer is that if you have 3 LDAP databases, you can do
something like:

authenticate {
  ...
  Auth-Type any_is_ok {
ldap1 {
  reject = 1
  notfound = 2
  ok = return
}
ldap2 {
  reject = 1
  notfound = 2
  ok = return
}

ldap3
  }
  ...
}

  This says "if they're not found in LDAP1, or if their password is
wrong, try LDAP2, or try LDAP3".

  If your users aren't in LDAP, the same kind of thing can be done
with another module, but it's a little more work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
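A complete FreeRADIUS 3.x rendering of the three-directory failover sketched above, added here as an example; it is not Alan's configuration and not part of any FreeRADIUS distribution. Server names, DNs, the bind password and the instance names ldap1/ldap2/ldap3 are placeholders. It also sets fail = 1 on the first two instances, which the sketch above does not, so an unreachable first directory falls through to the next one instead of failing the whole request.

```unlang
# mods-enabled/ldap (FreeRADIUS 3.x): one ldap instance per user population.
# Server names, DNs and the bind password below are placeholders.
ldap ldap1 {
	server   = "ldap1.example.invalid"
	identity = "cn=radius,dc=isp1,dc=example"
	password = "PLACEHOLDER"
	base_dn  = "ou=people,dc=isp1,dc=example"
	user {
		base_dn = "${..base_dn}"
		# PAP only: in authenticate the module binds as this user with the
		# cleartext User-Password, which CHAP/MS-CHAP requests do not carry.
		filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}
ldap ldap2 {
	server   = "ldap2.example.invalid"
	identity = "cn=radius,dc=isp2,dc=example"
	password = "PLACEHOLDER"
	base_dn  = "ou=people,dc=isp2,dc=example"
	user {
		base_dn = "${..base_dn}"
		filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}
ldap ldap3 {
	server   = "ldap3.example.invalid"
	identity = "cn=radius,dc=isp3,dc=example"
	password = "PLACEHOLDER"
	base_dn  = "ou=people,dc=isp3,dc=example"
	user {
		base_dn = "${..base_dn}"
		filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}

# sites-enabled/default
authorize {
	preprocess
	# Only a request with a cleartext password can be bound against LDAP.
	if (&User-Password) {
		update control {
			&Auth-Type := any_is_ok
		}
	}
}

authenticate {
	Auth-Type any_is_ok {
		ldap1 {
			# directory unreachable: keep going (not in the sketch above)
			fail     = 1
			# wrong password here: keep going
			reject   = 1
			# no such user here: keep going
			notfound = 2
			# bound successfully: stop and accept
			ok       = return
		}
		ldap2 {
			fail     = 1
			reject   = 1
			notfound = 2
			ok       = return
		}
		# last instance: its own return code decides the request
		ldap3
	}
}
```

Two things to keep in mind when running this: a wrong password for isp1's "bob" is still tried against isp2 and isp3, so each directory's failed-bind logs and lockout counters will see attempts for users who do not belong to it, and every rejected login now costs up to three binds rather than one.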


Re: Authenticate users from multiple realms on the same NAS

2006-08-10 Thread Scott Lambert
On Thu, Aug 10, 2006 at 05:26:39PM -0400, Alan DeKok wrote:
> Scott Lambert <[EMAIL PROTECTED]> wrote:
> > I need to merge dial-up numbers and bring the DSL aggregation together
> > in order to reduce costs.  That means, I will have potentially three
> > users with the username of "bob" trying to login on the same NAS box
> > with no way to tell which one they are other than the password the user
> > supplies.  The NAS address and everything else I can think of will be
> > the same for all users. (we lack caller-id features).
> 
>   Yuck.
> 
> > Is it possible to setup radius to authenticate these users?  I'm willing
> > to switch RADIUS servers if someone has a nifty module that makes magic
> > happen.
> 
>   If your users are in LDAP, it's actually pretty easy, so long as
> they're all doing PAP authentication.  FreeRADIUS has the ability to
> run multiple modules, depending on the return codes from a module.
> See doc/configurable_failover.
> 
>   The short answer is that if you have 3 LDAP databases, you can do
> something like:
> 
> authenticate {
>   ...
>   Auth-Type any_is_ok {
>   ldap1 {
...
>   }
...
>   ldap3 
>   }
>   ...
> }
> 
>   This says "if they're not found in LDAP1, or if their password is
> wrong, try LDAP2, or try LDAP3".

That looks very cool.
 
>   If your users aren't in LDAP, the same kind of thing can be done
> with another module, but it's a little more work.

Actually, I have one set of users in password files, one in msql, and
one in MS SQL.

I was thinking about putting everything into mysql/postgresql databases.
 
-- 
Scott Lambert    KC5MLE    Unix SysAdmin
[EMAIL PROTECTED]



Re: Authenticate users from multiple realms on the same NAS

2006-08-11 Thread Alan DeKok
Scott Lambert <[EMAIL PROTECTED]> wrote:
> I was thinking about putting everything into mysql/postgresql databases.

  That gets a little harder, because you effectively have 3 passwords
for the user, and want any one of them to work.  The server isn't
really set up to do that right now...

  It could be done with a little bit of work, which isn't hard, but
it's a rare enough request that it hasn't been done until now.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Authenticate users from multiple realms on the same NAS

2006-08-11 Thread Francois-Xavier GAILLARD
On Fri, Aug 11, 2006 at 02:48:33PM -0400, Alan DeKok wrote:
> Scott Lambert <[EMAIL PROTECTED]> wrote:
> > I was thinking about putting everything into mysql/postgresql databases.
> 
>   That gets a little harder, because you effectively have 3 passwords
> for the user, and want any one of them to work.  The server isn't
> really set up to do that right now...
> 
>   It could be done with a little bit of work, which isn't hard, but
> it's a rare enough request that it hasn't been done until now.

I would do it that way:

I would use hints file to rewrite the User-Name depending on the
Called-Station-ID and Medium-Type.

This way you could:

- rewrite dialup user bob into [EMAIL PROTECTED] when Called-Station-Id is 
present
- rewrite DSL user bob [EMAIL PROTECTED] when Called-Station-Id isn't present

This way you can have [EMAIL PROTECTED] and [EMAIL PROTECTED] into the same 
database
without any problem.

It's a bit tricky, any easier way Alan ?

Regards,
Fox.



Re: Authenticate users from multiple realms on the same NAS

2006-08-11 Thread Alan DeKok
Francois-Xavier GAILLARD <[EMAIL PROTECTED]> wrote:
> It's a bit tricky, any easier way Alan ?

  I'm not sure... the main problem is that multiple people with the
same name are dialing into the same NAS equipment.  So they really are
the "same" person, but with many possible valid passwords.

  It's a hard problem to solve cleanly.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Authenticate users from multiple realms on the same NAS

2006-08-11 Thread Francois-Xavier GAILLARD
On Fri, Aug 11, 2006 at 06:09:21PM -0400, Alan DeKok wrote:
> Francois-Xavier GAILLARD <[EMAIL PROTECTED]> wrote:
> > It's a bit tricky, any easier way Alan ?
> 
>   I'm not sure... the main problem is that multiple people with the
> same name are dialing into the same NAS equipment.  So they really are
> the "same" person, but with many possible valid passwords.
> 
>   It's a hard problem to solve cleanly.

And I'm not even sure my solution works. It's easy to look for
Called-Station-Id, but how would one look for Called-Station-Id if
it's not there (DSL users).

Maybe he should configure the NASes to send different NAS-IP-Address
according to whether it's a dialup user or a DSL user, using different
loopback addresses, and then rewrite User-Name using NAS-IP-Address
attribute.

Regards,
Fox.



Re: Authenticate users from multiple realms on the same NAS

2006-08-11 Thread Scott Lambert
On Sat, Aug 12, 2006 at 01:06:38AM +0200, Francois-Xavier GAILLARD wrote:
> Le Fri, Aug 11, 2006 at 06:09:21PM -0400, Alan DeKok ecrivait:
> > Francois-Xavier GAILLARD <[EMAIL PROTECTED]> wrote:
> > > It's a bit tricky, any easier way Alan ?
> > 
> >   I'm not sure... the main problem is that multiple people with the
> > same name are dialing into the same NAS equipment.  So they really are
> > the "same" person, but with many possible valid passwords.
> > 
> >   It's a hard problem to solve cleanly.
> 
> And I'm not even sure my solution works. It's easy to look for
> Called-Station-Id, but how would one look for Called-Station-Id if
> it's not there (DSL users).
> 
> Maybe he should configure the NASes to send different NAS-IP-Address
> according to whether it's a dialup user or a DSL user, using different
> loopback addresses, and then rewrite User-Name using NAS-IP-Address
> attribute.

I probably wasn't clear; it's not the same NAS for DSL and dialup.
However, it is (going to be) the same NAS for DSL at all three ISPs.
Also, it will be the same, different, NAS for dialup in the towns where
coverage overlaps.  We have to use DS1s for dial in these areas and they
don't have caller id features so there is no Called-Station-Id.

Would I be able to setup three mysql entries in the way that Alan
suggested for the LDAP setup, but with a different query specified for
each realm which includes the realm in the selection criteria of query?

I need to find some time to get a test install up.  Or hire somebody to
build the initial config for me.

I just don't know how the accounting will hold together with any
solution.

-- 
Scott LambertKC5MLE   Unix SysAdmin
[EMAIL PROTECTED]



Re: Authenticate users from multiple realms on the same NAS

2006-08-11 Thread Alan DeKok
Scott Lambert <[EMAIL PROTECTED]> wrote:
> Would I be able to setup three mysql entries in the way that Alan
> suggested for the LDAP setup, but with a different query specified for
> each realm which includes the realm in the selection criteria of query?

  If the users are logging in with different realms (i.e. [EMAIL PROTECTED],
[EMAIL PROTECTED]), then there's no problem.  It's easy to do, just key off of
the realms.

 If you have 3 users logging in as "bob", each with different
passwords, then it's hard.  Just putting different MySQL entries won't
work.

> I just don't know how the accounting will hold together with any
> solution.

  "Class".  Send a Class attribute back in the Access-Accept with some
kind of unique identifier for the user.  e.g. a numerical ID, or
something that uniquely identifies them.  The Class attribute will
come back in the accounting packets, and you can use that to tell
which user to bill.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
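The two suggestions in this thread put together in FreeRADIUS 3.x unlang, as an added example rather than configuration from any of the posters: Francois-Xavier's rewrite of a bare username into user@realm keyed on whether Called-Station-Id is present (an unlang "if" can test for an absent attribute, which answers his question about the hints file), Alan's advice to key the backend off the realm once the name carries one, and a Class attribute so accounting packets can be tied back to the user that was accepted. The realm names, the sql_dsl/sql_dialup instance names (assumed to be defined in mods-enabled) and the acct_by_class linelog instance are placeholders.

```unlang
# proxy.conf (FreeRADIUS 3.x): both realms are served on this box,
# so neither entry names a home_server_pool.
realm dsl.example {
}
realm dialup.example {
}

# sites-enabled/default
authorize {
	preprocess

	# Qualify a bare username with a realm chosen from the request itself.
	# A user who already typed user@realm keeps what they sent.
	if (&User-Name && (&User-Name !~ /@/)) {
		if (!&Called-Station-Id) {
			# DSL aggregation: no called number is ever presented
			update request {
				&User-Name := "%{User-Name}@dsl.example"
			}
		}
		else {
			update request {
				&User-Name := "%{User-Name}@dialup.example"
			}
		}
	}

	# Split user@realm into Stripped-User-Name and Realm, then let the
	# realm choose the user database (placeholder sql instance names).
	suffix
	if (&Realm == "dsl.example") {
		sql_dsl
	}
	elsif (&Realm == "dialup.example") {
		sql_dialup
	}
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
}

post-auth {
	# Class is opaque to the NAS and is echoed back in every
	# Accounting-Request for the session (RFC 2865, section 5.25).
	# It travels in the clear, so it carries an identifier, never a secret.
	update reply {
		&Class := "%{Realm}/%{Stripped-User-Name}"
	}
}

accounting {
	# placeholder linelog instance, defined below
	acct_by_class
}

# mods-enabled/acct_by_class: placeholder instance of the linelog module
linelog acct_by_class {
	filename = ${logdir}/acct-by-class.log
	format = "%{Acct-Status-Type} class=%{Class} user=%{User-Name} session=%{Acct-Session-Id} octets=%{Acct-Input-Octets}/%{Acct-Output-Octets}"
}
```

Note the limit Alan points out: this separates dial-up from DSL users, not one ISP's "bob" from another's on the same NAS. For that case the name still has to arrive realm-qualified, or you are back to the "three valid passwords for one name" problem above. Once the Class value is in the accounting log, a billing query keys on it rather than on User-Name, which is exactly what makes the duplicate names harmless on the accounting side.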


VMware View 5.1 smsotp authentication with multiple realms [WAS: Re: Yeah, it works !!]

2012-08-28 Thread Thomas Glanzmann
Hello Joël,

> jodan@otpradius:~/work/smsotpd$ ./pap_challenge_request.pl
> Enter username: dsp1A00113
> Enter password:
> server response type = Access-Challenge (11)
> Enter otp: 89003
> server response type = Access-Accept (2)

> Yeah, it works  !! The step 1 is achieved :o)

that is good to hear.

> One more question, have you setup several realms? It will be my case,
> and if you have some clues it must be a quick win.

Yes, it will work with multiple realms. There is not much that you need
to do other than use HINTS or any other way of rewriting in the
radius server to rewrite the username to username@REALM. The REALM has
to be written UPPERCASE, otherwise it will not work. Once you have
achieved that, it will work if the radius server is able to resolve the
ticket granting server for the REALM using DNS. You can use the
following command to double check:

apt-get install dnsutils
dig _kerberos._udp.ww004.siemens.net srv

# Exchange ww004.siemens.net with your REALM. In the DNS query the realm
# can be lowercase because DNS is case insensitive.

> So the test environment is functional, and I will test it against
> view 5.1 before the end of the week if my other tasks let me quiet
> ;o)

Let me know. VMware View 5.1 has a bug in there; you need to configure it
with this option unchecked: Enforce 2-factor and Windows username
matching. Otherwise, if your username contains a backslash as in
domain\username, the View Client will not send the access challenge reply.
I opened a bug report with VMware; they have accepted it but decided not
to fix it. If you need help with VMware View let me know.

Cheers,
Thomas
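The rewrite Thomas describes, as an added example in FreeRADIUS 3.x unlang rather than a hints file (it is not his configuration and not part of smsotpd): a bare username gets the Kerberos realm that belongs to the NAS it arrived from, and a realm the user typed in lower case is forced to upper case, since the REALM in the rewritten name is case-sensitive while the DNS SRV lookup in the dig command above is not. The NAS address 192.0.2.20 and the realm EXAMPLE.NET are placeholders.

```unlang
# sites-enabled/default, authorize section (FreeRADIUS 3.x).
# 192.0.2.20 and EXAMPLE.NET are placeholders.
authorize {
	preprocess

	if (&User-Name !~ /@/) {
		# bare name: append the Kerberos realm that belongs to this NAS
		if (&NAS-IP-Address == 192.0.2.20) {
			update request {
				&User-Name := "%{User-Name}@EXAMPLE.NET"
			}
		}
	}
	elsif (&User-Name =~ /^([^@]+)@(.+)$/) {
		# user@realm was supplied: keep the user part, upper-case the realm
		update request {
			&User-Name := "%{1}@%{toupper:%{2}}"
		}
	}

	# ... the remaining authorize modules follow here
}
```

With several NASes, add one branch per NAS-IP-Address (or key on NAS-Identifier if the devices set it); debugging with radiusd -X shows the rewritten User-Name before the smsotp step runs, which is the quickest way to confirm the realm ends up upper-cased.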