Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10

2013-04-12 Thread Alexander Silveröhrt
Hello,

Never played around with groups using rlm_sql and the default schema..
I am reading what I assume is saying that it should be possible to have several 
groups for an account, and that each group should be able to supply that specific 
group's radgroupreply attributes..
Number 4 below sure sounds like it should get all the account's groups first and 
then process them according to priority? The test below shows it only reads the 
first group? And no matter what priority..
Is that how it should work, or what am I missing here?

1. Search the radcheck table for any check attributes specific to the user
2. If check attributes are found, and there's a match, pull the reply items from 
   the radreply table for this user and add them to the reply
3. Group processing then begins if any of the following conditions are met:
   ◦ The user IS NOT found in radcheck
   ◦ The user IS found in radcheck, but the check items don't match
   ◦ The user IS found in radcheck, the check items DO match AND Fall-Through is 
     set in the radreply table
   ◦ The user IS found in radcheck, the check items DO match AND the read_groups 
     directive is set to 'yes'
4. If groups are to be processed for this user, the first thing that is done is 
   the list of groups this user is a member of is pulled from the usergroup table 
   ordered by the priority field. The priority field of the usergroup table allows 
   us to control the order in which groups are processed, so that we can emulate 
   the ordering in the users file. This can be important in many cases.
5. For each group this user is a member of, the corresponding check items are 
   pulled from radgroupcheck table and compared with the request. If there is a 
   match, the reply items for this group are pulled from the radgroupreply table 
   and applied.
6. Processing continues to the next group IF:
   ◦ There was not a match for the last group's check items OR
   ◦ Fall-Through was set in the last group's reply items (The above is exactly the 
     same as in the users file)
7. Finally, if the user has a User-Profile attribute set or the Default Profile 
   option is set in the sql.conf, then steps 4-6 are repeated for the groups that 
   the profile is a member of.

To test it I added some data to

mysql> select * from radcheck;
+----+----------+-----------+----+-------+
| id | username | attribute | op | value |
+----+----------+-----------+----+-------+
|  8 | alex     | Password  | := | test  |
+----+----------+-----------+----+-------+

mysql> select * from radusergroup;
+----------+------------------+----------+
| username | groupname        | priority |
+----------+------------------+----------+
| alex     | mega-admin-group |        0 |
| alex     | cisco_admin      |        1 |
+----------+------------------+----------+

mysql> select * from radgroupreply;
+----+------------------+----------------+----+---------------------------------+
| id | groupname        | attribute      | op | value                           |
+----+------------------+----------------+----+---------------------------------+
|  1 | mega-admin-group | Reply-Message  | =  | test-mega-admin-reply-attribute |
|  2 | mega-admin-group | NAS-Identifier | =  | test-NAS                        |
|  3 | cisco_admin      | Service-Type   | =  | NAS-Prompt-User                 |
|  4 | cisco_admin      | cisco-avpair   | =  | shell:priv-lvl=15               |
+----+------------------+----------------+----+---------------------------------+
5 rows in set (0.00 sec)

root@noc1:/etc/freeradius# radtest -x alex test localhost 1812 testing123
Sending Access-Request of id 69 to 127.0.0.1 port 1812
User-Name = alex
User-Password = test
NAS-IP-Address = 10.173.2.10
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=69, length=63
Reply-Message = test-mega-admin-reply-attribute
NAS-Identifier = test-NAS          -- Only replies from group mega-admin-group


And the freeradius debug output shows it only checked replies from the first group..

rad_recv: Access-Request packet from host 127.0.0.1 port 49061, id=3, length=56
User-Name = alex
User-Password = test
NAS-IP-Address = 10.173.2.10
NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
rlm_perl: rlm_perl::Itux DEBUG::Inside authorize Function.
rlm_perl: Added pair User-Name = alex
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair NAS-Port = 1812
rlm_perl: Added pair NAS-IP-Address = 10.173.2.10
++[perl] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = alex, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[sql]   expand: %{User-Name} - alex
[sql] sql_set_user escaped user -- 'alex'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op   FROM 

Re: Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10

2013-04-12 Thread Alexander Silveröhrt
Sorry, forget about priority; I thought higher was first, which it wasn't.. Still, 
is it possible to get replies from multiple groups an account belongs to?

Cheers
Alex

From: 
freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org 
[mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org]
 On Behalf Of Alexander Silveröhrt
Sent: 12 April 2013 09:33
To: freeradius-users@lists.freeradius.org
Subject: Group questions..several group memberships to one account. FreeRADIUS 
Version 2.1.10


Re: Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10

2013-04-12 Thread Alexander Silveröhrt
And sorry again…
I forgot the old Fall-Through = yes, which of course made it work..

I thank myself for my excellent answers ☺

Cheers
Alex

From: 
freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org 
[mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org]
 On Behalf Of Alexander Silveröhrt
Sent: 12 April 2013 09:41
To: FreeRadius users mailing list
Subject: Re: Group questions..several group memberships to one account. FreeRADIUS 
Version 2.1.10


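The thread resolves itself once Fall-Through is set, but the steps quoted above are easy to misread (the priority column sorts ascending, and processing stops after the first matching group unless that group's reply items carry Fall-Through = Yes). The following is an added example, not FreeRADIUS or rlm_sql code: it runs a simplified version of steps 1 to 6 against an in-memory SQLite copy of the default schema tables, loaded with the same rows Alex posted. The SQL only mirrors the shape of the default sql.conf queries, check-item matching is reduced to ':=' (control item, always matches) and '==' (must equal the request attribute), and an empty check list counts as a match, which is what lets a group with no radgroupcheck rows apply. Everything else is constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory copies of the default rlm_sql schema tables.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""

# Rows mirroring the tables Alex posted (radgroupcheck stays empty, as in his test).
RADCHECK = [("alex", "Password", ":=", "test")]
RADUSERGROUP = [("alex", "mega-admin-group", 0), ("alex", "cisco_admin", 1)]
RADGROUPREPLY = [
    ("mega-admin-group", "Reply-Message",  "=", "test-mega-admin-reply-attribute"),
    ("mega-admin-group", "NAS-Identifier", "=", "test-NAS"),
    ("cisco_admin",      "Service-Type",   "=", "NAS-Prompt-User"),
    ("cisco_admin",      "cisco-avpair",   "=", "shell:priv-lvl=15"),
]
REQUEST = {"User-Name": "alex", "User-Password": "test"}   # constructed Access-Request


def build_db(extra_group_reply=()):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO radcheck (username, attribute, op, value) VALUES (?,?,?,?)", RADCHECK)
    db.executemany("INSERT INTO radusergroup VALUES (?,?,?)", RADUSERGROUP)
    db.executemany("INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES (?,?,?,?)",
                   list(RADGROUPREPLY) + list(extra_group_reply))
    return db


def items_match(request, items):
    """Simplified check-item comparison: ':=' items are control items that always
    match (the password itself is verified later by PAP), '==' items must equal
    the request attribute, anything else is treated as a mismatch.  An empty
    list matches, so a group with no radgroupcheck rows still applies."""
    for attr, op, value in items:
        if op == ":=" or (op == "==" and request.get(attr) == value):
            continue
        return False
    return True


def fall_through(items):
    return any(a == "Fall-Through" and v.lower() == "yes" for a, _, v in items)


def authorize(db, request, read_groups=True):
    """Steps 1-6 of the algorithm quoted in the thread; returns the reply items."""
    user = request["User-Name"]
    cur = db.cursor()
    reply = []

    check = cur.execute("SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id", (user,)).fetchall()
    matched = bool(check) and items_match(request, check)
    if matched:
        reply += cur.execute("SELECT attribute, op, value FROM radreply WHERE username = ? ORDER BY id", (user,)).fetchall()

    # Step 3: groups are skipped only when the user matched and neither
    # Fall-Through (in radreply) nor read_groups (in sql.conf) asks for them.
    if matched and not (fall_through(reply) or read_groups):
        return [i for i in reply if i[0] != "Fall-Through"]

    # Step 4: lowest priority value first (the ORDER BY is ascending).
    groups = [g for (g,) in cur.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority", (user,))]
    for group in groups:
        gcheck = cur.execute("SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ? ORDER BY id", (group,)).fetchall()
        if not items_match(request, gcheck):
            continue                     # step 6a: no match, try the next group
        greply = cur.execute("SELECT attribute, op, value FROM radgroupreply WHERE groupname = ? ORDER BY id", (group,)).fetchall()
        reply += greply
        if not fall_through(greply):
            break                        # step 6b: stop after the first matching group
    return [i for i in reply if i[0] != "Fall-Through"]


def reply_attributes(extra_group_reply=()):
    """Attribute names the server would send back for Alex's request."""
    return [a for a, _, _ in authorize(build_db(extra_group_reply), REQUEST)]


if __name__ == "__main__":
    print("as posted:        ", reply_attributes())
    print("with Fall-Through:", reply_attributes([("mega-admin-group", "Fall-Through", ":=", "Yes")]))
```

Without the extra row the reply carries only the mega-admin-group attributes, exactly what the radtest output above shows; adding `Fall-Through := Yes` to mega-admin-group's radgroupreply rows makes the loop continue into cisco_admin and both groups' attributes appear.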
random questions on rlm_perl.c (was: rlm_perl and threads)

2012-11-16 Thread Edgar Fuß
Digging through the rlm_perl source, I stumbled over the following:

1. Is it on purpose that it normally checks USE_ITHREADS and only perl_xlat 
checks WITH_ITHREADS?

2. Is it also on purpose that radiusd::radlog is newXS'd only after perl_parse()?
That hit me because as it is, you can't log anything (like a version number) 
inside the script's body/main program (or call it initialization routine).

3. I also noticed that tests like
#if PERL_REVISION >= 5 && PERL_VERSION < 8
would trigger for 6.0 if that is ever going to happen.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: random questions on rlm_perl.c

2012-11-16 Thread Alan DeKok
Edgar Fuß wrote:
> Digging through the rlm_perl source, I stumbled over the following:
> 
> 1. Is it on purpose that it normally checks USE_ITHREADS and only perl_xlat 
> checks WITH_ITHREADS?

  No.  It should be fixed.

> 2. Is it also on purpose that radiusd::radlog is newXS'd only after 
> perl_parse()?

  No idea.

> That hit me because as it is, you can't log anything (like a version number) 
> inside the script's body/main program (or call it initialization routine).

  Well, patches are welcome.

> 3. I also noticed that tests like
>   #if PERL_REVISION >= 5 && PERL_VERSION < 8
> would trigger for 6.0 if that is ever going to happen.

  Sure.  Send a patch.

  Alan DeKok.


Re: random questions on rlm_perl.c

2012-11-16 Thread Edgar Fuß
EF> Is it also on purpose that radiusd::radlog is newXS'd only after 
EF> perl_parse()?
AdK> No idea.
I'm not familiar with the FreeRADIUS project: Is there something like a 
maintainer of the rlm_perl module I could ask this question?

AdK> Well, patches are welcome.
That would be trivial: move the newXS() before the perl_parse().
But I'm not familiar enough with embedded Perl to know whether that would be 
legal (I could check whether it works in my environment, but if it does, that 
wouldn't mean anything). I guess there are people in the project much more 
competent than me on this subject.


Re: random questions on rlm_perl.c

2012-11-16 Thread Alan DeKok
Edgar Fuß wrote:
> EF> Is it also on purpose that radiusd::radlog is newXS'd only after 
> EF> perl_parse()?
> AdK> No idea.
> I'm not familiar with the FreeRADIUS project: Is there something like a 
> maintainer of the rlm_perl module I could ask this question?

  On this list.

  Alan DeKok.


Questions on the finer points of CUI

2012-06-28 Thread Scott Armitage
All,

I was after some clarification about the implementation of CUI in freeRADIUS.  

My first point is the use of Client IP Address. I notice that client IP Address 
makes a regular appearance but I'm wondering whether it should.  Looking at the 
cui.conf the post-auth insert adds the Client IP Address.

postauth_query = INSERT IGNORE INTO ${cui_table} \
(clientipaddress, callingstationid, username, cui, lastaccounting) \
VALUES \
('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', 
'%{reply:Chargeable-User-Identity}', NULL) ON DUPLICATE KEY UPDATE 
lastaccounting='0000-00-00 00:00:00', cui='%{reply:Chargeable-User-Identity}';

likewise the schema (in cui.sql) even has the Client IP Address as a primary 
key which to me seems wrong.  In the world of eduroam my RADIUS server can 
proxy off to one of 3 National Proxies each will have a different Client IP 
Address, therefore a single client could have 3 entries in the cui table 
depending upon which National proxy dealt with the request.  I don't see the 
point of the Client IP Address being in there.  If each home server is using a 
salt (together with the operator name) then even the same username and calling 
station id will return a different CUI for different home servers.  Maybe some 
someone could explain what I'm missing and why the Client IP Address is there?

Staying with the Client IP Address, my next point surrounds the Accounting.  
The cui.conf shows that accounting updates the table using Client IP Address in 
the search:

accounting_start_query = UPDATE ${cui_table} \
SET \
lastaccounting = CURRENT_TIMESTAMP \
WHERE clientipaddress = '%{Client-IP-Address}' \
AND callingstationid = '%{Calling-Station-Id}' \
AND username = '%{User-Name}' \
AND cui = '%{Chargeable-User-Identity}';

How would this work?  The NAS doesn't know what the Client IP Address is and 
doesn't send it in Accounting packets.  

Finally, why does the Accounting stop for cui remove the cui from the database:

accounting_stop_query = DELETE FROM ${cui_table} WHERE \
clientipaddress = '%{Client-IP-Address}' \
AND callingstationid = '%{Calling-Station-Id}' \
AND username = '%{User-Name}' \
AND cui = '%{Chargeable-User-Identity}';


Surely I'd want to keep this?  If 2 weeks later I get a copyright infringement 
notice for a client, I'd want the CUI when contacting the home site of the user.


Thanks


Scott Armitage





Re: Questions on the finer points of CUI

2012-06-28 Thread Stefan Winter
On 28.06.2012 09:07, Scott Armitage wrote:
> All,
> 
> I was after some clarification about the implementation of CUI in freeRADIUS.
> 
> My first point is the use of Client IP Address. I notice that client IP 
> Address makes a regular appearance but I'm wondering whether it should.  
> Looking at the cui.conf the post-auth insert adds the Client IP Address.
> 
> postauth_query = INSERT IGNORE INTO ${cui_table} \
>   (clientipaddress, callingstationid, username, cui, lastaccounting) \
> VALUES \
>   ('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', 
> '%{reply:Chargeable-User-Identity}', NULL) ON DUPLICATE KEY UPDATE 
> lastaccounting='0000-00-00 00:00:00', 
> cui='%{reply:Chargeable-User-Identity}';
> 
> likewise the schema (in cui.sql) even has the Client IP Address as a primary 
> key which to me seems wrong.  In the world of eduroam my RADIUS server can 
> proxy off to one of 3 National Proxies each will have a different Client IP 
> Address, therefore a single client could have 3 entries in the cui table 
> depending upon which National proxy dealt with the request.  I don't see the 
> point of the Client IP Address being in there.  If each home server is using 
> a salt (together with the operator name) then even the same username and 
> calling station id will return a different CUI for different home servers.  
> Maybe someone could explain what I'm missing and why the Client IP Address is 
> there?

The $cui_table is merely a helper table to bind returned
CUI values from the home server during the *authentication* phase to a
possible subsequent Accounting packet for that same session. It is
logically maintained at the SP side of the transactions (i.e. towards
Access Points and Controllers).

When doing auth, Calling-Station-Id and a User-Name are present in the
request. The response contains the associated Chargeable-User-Identity,
and may or may not contain a User-Name, and that User-Name may or may
not be the same as the request had.

If the NAS doesn't bind auth-CUI to acct-CUI itself (which is true for
most NASes), the SP-side RADIUS server needs to do guesswork to add the
CUI attribute to the outgoing accounting request (for all such requests:
starts, interims and stops).

It can see the binding primarily by observing that the calling-station
ID is the same.

It can not use the User-Name in Accounting because some NASes use the
value of an Access-Accept instead of the original value.

In principle, one could stop here. However, if a user moves from one NAS
to another, he needs to reauthenticate and has the same
Calling-Station-Id. This new authentication might get the same CUI or
another (as you rightly note, the next request can go to a different
home server, who might calculate his own CUI).

In that case, there are two entries for the same Calling-Station-Id with
different CUIs, and the server won't know which one to attach to the
next outgoing Accounting-Request - BAD.

That's why the Client-IP-Address is a secondary key: since we're talking
SP-side, the client is the Access-Point or Controller, and the tuple of
(CSI;Client-IP) makes the CUI value unique: This device *on this client*
at a particular point in time.

You might argue that the user could close the session and then re-auth
on the *same* NAS. That's true, but it is not a problem: if that
previous session was closed in order with an Accounting-Stop, the
temporary entry in $cui_table gets deleted, and the new session gets the
new one. If not, since the key of CSI and Client-IP is identical, the
new session overwrites the CUI value of the previous one.

This should also explain your subsequent queries below.

Greetings,

Stefan Winter

 
> Staying with the Client IP Address, my next point surrounds the Accounting.  
> The cui.conf shows that accounting updates the table using Client IP Address 
> in the search:
> 
> accounting_start_query = UPDATE ${cui_table} \
>   SET \
> lastaccounting = CURRENT_TIMESTAMP \
>   WHERE clientipaddress = '%{Client-IP-Address}' \
> AND callingstationid = '%{Calling-Station-Id}' \
> AND username = '%{User-Name}' \
>   AND cui = '%{Chargeable-User-Identity}';
> 
> How would this work?  The NAS doesn't know what the Client IP Address is and 
> doesn't send it in Accounting packets.  
> 
> Finally, why does the Accounting stop for cui remove the cui from the 
> database:
> 
> accounting_stop_query = DELETE FROM ${cui_table} WHERE \
>   clientipaddress = '%{Client-IP-Address}' \
>   AND callingstationid = '%{Calling-Station-Id}' \
>   AND username = '%{User-Name}' \
>   AND cui = '%{Chargeable-User-Identity}';
> 
> 
> Surely I'd want to keep this?  If 2 weeks later I get a copyright 
> infringement notice for a client, I'd want the CUI when contacting the home 
> site of the user.
> 
> 
> Thanks
> 
> 
> Scott Armitage


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA 
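Stefan's explanation is easier to follow with the table in front of you. The following is an added example, not FreeRADIUS code or the real cui.sql: it models the cui helper table in SQLite, keyed on (clientipaddress, callingstationid) as Stefan describes (an assumption; check cui.sql for the real key, which may include more columns), and walks one device through a roam between two access points, an Accounting-Start, an Accounting-Stop and a re-authentication on the same AP without a Stop. MySQL's INSERT IGNORE ... ON DUPLICATE KEY UPDATE is written as SQLite's INSERT OR REPLACE, and the start/stop statements mirror the cui.conf queries quoted above. On the question of where Client-IP-Address comes from in accounting: the server itself sets that attribute from the source address of every packet it receives, accounting included, so the NAS never has to send it. Note that the quoted start/stop queries also match on username, so a NAS that reports the User-Name from the Access-Accept rather than the one from the request (the case Stefan raises) will miss those rows; the lookup function below deliberately keys on the NAS and Calling-Station-Id only.

```python
import sqlite3

# Constructed schema standing in for cui.sql.  The composite key follows
# Stefan's description (Calling-Station-Id plus the NAS's Client-IP-Address);
# the real cui.sql key may differ.
SCHEMA = """
CREATE TABLE cui (
    clientipaddress  TEXT NOT NULL,
    callingstationid TEXT NOT NULL,
    username         TEXT NOT NULL,
    cui              TEXT NOT NULL,
    lastaccounting   TEXT,
    PRIMARY KEY (clientipaddress, callingstationid)
);
"""


def post_auth(db, client_ip, csi, username, cui):
    """postauth_query: remember the CUI the home server returned for this device
    on this NAS.  INSERT OR REPLACE stands in for MySQL's INSERT IGNORE ...
    ON DUPLICATE KEY UPDATE: a re-auth on the same NAS without a preceding
    Accounting-Stop simply overwrites the old row."""
    db.execute(
        "INSERT OR REPLACE INTO cui "
        "(clientipaddress, callingstationid, username, cui, lastaccounting) "
        "VALUES (?, ?, ?, ?, NULL)",
        (client_ip, csi, username, cui),
    )


def lookup_cui(db, client_ip, csi):
    """The binding step for an outgoing Accounting-Request: which CUI belongs to
    this Calling-Station-Id on this NAS?  User-Name is ignored on purpose, since
    some NASes replace it with the value from the Access-Accept."""
    row = db.execute(
        "SELECT cui FROM cui WHERE clientipaddress = ? AND callingstationid = ?",
        (client_ip, csi),
    ).fetchone()
    return row[0] if row else None


def accounting_start(db, client_ip, csi, username, cui):
    """accounting_start_query as quoted in the thread; returns rows updated."""
    return db.execute(
        "UPDATE cui SET lastaccounting = CURRENT_TIMESTAMP "
        "WHERE clientipaddress = ? AND callingstationid = ? AND username = ? AND cui = ?",
        (client_ip, csi, username, cui),
    ).rowcount


def accounting_stop(db, client_ip, csi, username, cui):
    """accounting_stop_query: the row is only a session binding, so it leaves
    with the session; returns rows deleted."""
    return db.execute(
        "DELETE FROM cui "
        "WHERE clientipaddress = ? AND callingstationid = ? AND username = ? AND cui = ?",
        (client_ip, csi, username, cui),
    ).rowcount


def run_scenario():
    """Constructed walk-through: one device roams between two APs (the RADIUS
    clients); each authentication is answered by a different home server."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    csi, user = "00-11-22-33-44-55", "anon@example.edu"   # constructed values
    ap1, ap2 = "10.0.0.1", "10.0.0.2"
    out = {}

    post_auth(db, ap1, csi, user, "cui-from-home-A")       # auth via AP1
    post_auth(db, ap2, csi, user, "cui-from-home-B")       # roam, re-auth via AP2
    out["rows_after_roam"] = db.execute("SELECT COUNT(*) FROM cui").fetchone()[0]
    out["cui_for_ap2"] = lookup_cui(db, ap2, csi)          # unambiguous: keyed on (NAS, CSI)

    out["start_matched"] = accounting_start(db, ap2, csi, user, out["cui_for_ap2"])
    out["stop_matched"] = accounting_stop(db, ap1, csi, user, "cui-from-home-A")
    out["cui_for_ap1_after_stop"] = lookup_cui(db, ap1, csi)

    post_auth(db, ap2, csi, user, "cui-from-home-C")       # re-auth on AP2, no Stop in between
    out["cui_for_ap2_after_reauth"] = lookup_cui(db, ap2, csi)
    out["rows_at_end"] = db.execute("SELECT COUNT(*) FROM cui").fetchone()[0]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:28s} {value}")
```

The two rows after the roam are the case Scott worried about, and the lookup shows why they are harmless: an Accounting-Request from AP2 only ever sees AP2's row. Deleting on Stop is what keeps the (NAS, Calling-Station-Id) key from pointing at a stale CUI; if long-term retention is needed for abuse handling, the usual place is the accounting log or a separate table, not this session-binding helper.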

Re: Freeradius 2 , TTLS/PAP, multiples questions

2012-06-19 Thread akkouche
hello, 
I try to configure TLS with RAP BUT it does not work?
how to do this

-
kahina akkouche
--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Freeradius-2-TTLS-PAP-multiples-questions-tp2782263p5713840.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Freeradius 2 , TTLS/PAP, multiples questions

2012-06-19 Thread akkouche
I try to configure TLS with PAP, it does not work?

-
kahina akkouche
--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Freeradius-2-TTLS-PAP-multiples-questions-tp2782263p5713841.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Freeradius 2 , TTLS/PAP, multiples questions

2012-06-19 Thread Matthew Newton
On Tue, Jun 19, 2012 at 03:02:09AM -0700, akkouche wrote:
> I try to configure TLS with PAP, it does not work?

http://wiki.freeradius.org/FAQ#It-still-doesn%27t-work%21



-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Few Questions

2012-06-14 Thread Jarosław Kłopotek

Hi all!

FreeRadius is better than I thought. Thanks to all developers!

I use /etc/freeradius/users file to store userdata,

I've got a few questions:
1. Is it possible to make a group of users and add parameters to the 
created group?

2. Is it possible to authenticate this group by a system?
3. Is it possible to write log of its operation to another specified 
file (good login, no good pass, other) ?


4. Does anyone have an example of a PHP login script using RADIUS?

Where to read about it?

Regards

--
Jarosław 'YArii' Kłopotek
mob +48 607 893 111
GG:1336231


Re: Few Questions

2012-06-14 Thread Alan DeKok
Jarosław Kłopotek wrote:
> FreeRadius is better than I thought. Thanks to all developers!

  It's what we do.  I think it's the best RADIUS server available.

> I use /etc/freeradius/users file to store userdata,
> 
> I've got a few questions:
> 1. Is it possible to make a group of users and add parameters to the
> created group?

  See the FAQ for how to create groups of users.

> 2. Is it possible to authenticate this group by a system?

  See the FAQ for how to check group membership.

> 3. Is it possible to write log of its operation to another specified
> file (good login, no good pass, other) ?

  No.  But you can add the group name to the log message.  See my recent
message to the list.

> 4. Does anyone have an example of a PHP login script using RADIUS?

  Not me.

  Alan DeKok.


Re: Few Questions

2012-06-14 Thread azander
Greetings,
  I use the Pure PHP Radius Class from http://developer.sysco.ch/php/ 
  It works very well. We use it for web access to our user-only pages
used for our online billing options.

Wm



-- 
William Ragsdale
NetOne Communications, Inc.
Work: 231-734-2917
FAX:  231-734-6395



RE: optimize questions for unlang code

2012-04-10 Thread Tobias Hachmer

On 06.04.2012 18:16, Brian Julin wrote:

> Tobias Hachmer wrote:
>> Q3: Is there a smarter way to reject an AD user immediately when he
>> wants to logon to a telnet device?
>
> You could use Auth-Type subsections, but with LDAP the control flow
> can be a bit confusing (the statements in the block outside those
> sections all run, and then the block gets run again from the top once an
> Auth-Type is selected, which happens inside of the ldap module.)  Your
> best bet for this scenario is to look at the "as of 2.0" instructions in
> clients.conf, where you can select a virtual server to enter based on
> which clients are requesting, and construct a separate virtual server
> for telnet devices.

Wow, thank you Brian for your good answer. I know virtual servers and I 
don't know why this idea didn't come to me, maybe a mental block.

I have implemented this immediately and it looks fine now. Thanks again!

>> Q4: Are there any tweaking capabilities to my unlang code to make it
>> smarter or more hardened?
>> Q5: Can I abbreviate any code snippets like using a switch/case block
>> or use variables or anything I don't know?
>
> When using Ldap-Group as a check item, you have to be careful, because
> it is a special case.  You are not really comparing the value after the '=='
> to a variable, rather each time an LDAP group query is launched looking
> for the value after the '=='.  This is the way LDAP groups work -- you do
> not query a list of groups, you query them one-by-one.  Note that using
> Ldap-Group in the users file is also inefficient.  I use a nested
> if statement to short-circuit, and sort by prevalence, but I do not have
> quite as many cases as you.

OK, so this means I cannot use a switch/case block because FreeRADIUS has to 
know all the LDAP groups a user is in itself?

I will try to nest my code a bit better like you mentioned, Brian.

Regards,

Tobias Hachmer



RE: optimize questions for unlang code

2012-04-06 Thread Brian Julin


 Tobias Hachmer wrote:
 Now I'm coming closer to my questions.
 When a local user logon to a telnet device freeradius does all the ldap
 membership queries.
 When an AD user will logon to a telnet device freeradius also does all
 the ldap membership queries.
 
 Q1: Can I abbreviate this process that when a local user wants access
 to a telnet device the ldap queries will be skipped?
 Q2: Is there a smarter way to reject a local user immediately when he
 wants to logon to a non telnet device?
 Q3: Is there a smarter way to reject an AD user immediately when he
 wants to logon to a telnet device?

You could use Auth-Type subsections, but with LDAP the control flow
can be a bit confusing (the statements in the block outside those
sections all run, and then the block gets run again from the top once an
Auth-Type is selected, which happens inside of the ldap module.)  Your
best bet for this scenario is to look at the as of 2.0 instructions in
clients.conf, where you can select a virtual server to enter based on
which clients are requesting, and construct a separate virtual server
for telnet devices.

 Q4: Are there any tweaking capabilities to my unlang code to make it
 smarter or more hardened?
 Q5: Can I abbreviate any code snippets like using a switch/case block
 or use variables or anything I don't know?

When using Ldap-Group as a check item, you have to be careful, because
it is a special case.  You are not really comparing the value after the '=='
to a variable, rather each time an LDAP group query is launched looking
for the value after the '=='.  This is the way LDAP groups work -- you do
not query a list of groups, you query them one-by-one.  Note that using
Ldap-Group in the users file is also inefficient.  I use a nested if statement
to short-circuit, and sort by prevalence, but I do not have quite as many
cases as you.
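To make Brian's point concrete: an added example, not code from the thread or from FreeRADIUS, that models how many directory searches an authorize section issues when it uses the Ldap-Group check item. A stand-in for rlm_ldap counts one search per `Ldap-Group == "cn=..."` comparison, then three policies are run against it: the flat chain of ifs posted in the thread (where rw must win over ro), a nested if/else chain, and a policy scoped to the device family the request came from (selected by huntgroup or a per-client virtual server, as Brian suggests). Directory contents, user names and the `.rw`/`.ro` group naming are constructed after the posted configuration.

```python
"""Added example (not from the list thread): counts the LDAP searches that
Ldap-Group check items cost under three policy layouts."""

from typing import Dict, FrozenSet, Optional

GROUP_BASE = "ou=Groups,dc=test,dc=local"
FAMILIES = ("netscreen", "nsm", "aruba")   # device families from the thread

# Constructed sample directory: user DN -> DNs of the groups the user is in.
DIRECTORY: Dict[str, FrozenSet[str]] = {
    "cn=alice,cn=Users,dc=test,dc=local": frozenset({
        f"cn=netscreen.rw,{GROUP_BASE}", f"cn=nsm.rw,{GROUP_BASE}"}),
    "cn=bob,cn=Users,dc=test,dc=local": frozenset({f"cn=aruba.ro,{GROUP_BASE}"}),
    "cn=carol,cn=Users,dc=test,dc=local": frozenset(),
}


class GroupChecker:
    """Stands in for rlm_ldap: every `Ldap-Group == "cn=..."` comparison is a
    separate search for that one group, never a lookup in a cached list."""

    def __init__(self, directory: Dict[str, FrozenSet[str]]) -> None:
        self.directory = directory
        self.queries = 0

    def is_member(self, user_dn: str, group_dn: str) -> bool:
        self.queries += 1
        return group_dn in self.directory.get(user_dn, frozenset())


def group_dn(family: str, level: str) -> str:
    return f"cn={family}.{level},{GROUP_BASE}"


def flat_policy(ldap: GroupChecker, user_dn: str) -> Dict[str, str]:
    """The posted layout: for each family an `if (rw)` and an
    `if (ro && !rw)`, all evaluated on every request."""
    reply: Dict[str, str] = {}
    for fam in FAMILIES:
        if ldap.is_member(user_dn, group_dn(fam, "rw")):
            reply[fam] = "rw"
        # `&&` short-circuits in unlang as `and` does here, but the rw group
        # is searched a second time whenever the ro check succeeds.
        if ldap.is_member(user_dn, group_dn(fam, "ro")) and \
                not ldap.is_member(user_dn, group_dn(fam, "rw")):
            reply[fam] = "ro"
    return reply


def nested_policy(ldap: GroupChecker, user_dn: str) -> Dict[str, str]:
    """Nested if/else: ro is only searched when rw did not match, and rw is
    never searched twice."""
    reply: Dict[str, str] = {}
    for fam in FAMILIES:
        if ldap.is_member(user_dn, group_dn(fam, "rw")):
            reply[fam] = "rw"
        elif ldap.is_member(user_dn, group_dn(fam, "ro")):
            reply[fam] = "ro"
    return reply


def scoped_policy(ldap: GroupChecker, user_dn: str, family: str) -> Optional[str]:
    """Checks only the family the NAS belongs to, so at most two searches
    per request regardless of how many families exist."""
    if ldap.is_member(user_dn, group_dn(family, "rw")):
        return "rw"
    if ldap.is_member(user_dn, group_dn(family, "ro")):
        return "ro"
    return None


def count_queries(policy, user_dn: str, *args):
    """Runs a policy against a fresh checker; returns (reply, searches)."""
    ldap = GroupChecker(DIRECTORY)
    reply = policy(ldap, user_dn, *args)
    return reply, ldap.queries


if __name__ == "__main__":
    for user in DIRECTORY:
        print(user.split(",")[0],
              "flat:", count_queries(flat_policy, user),
              "nested:", count_queries(nested_policy, user),
              "scoped(netscreen):", count_queries(scoped_policy, user, "netscreen"))
```

The scoped variant is where the real saving is: once the client or huntgroup has already decided which device family a request belongs to, the other families' groups never need to be searched at all, which is also what Brian's suggestion of a separate virtual server per client class buys.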




optimize questions for unlang code

2012-04-05 Thread Tobias Hachmer
# Return appropriate return attributes to members of cn=netscreen.rw,ou=Groups,dc=test,dc=local
if (Ldap-Group == "cn=netscreen.rw,ou=Groups,dc=test,dc=local") {
	update reply {
		NS-Admin-Privilege := Root-Admin
	}
}
# Return appropriate return attributes to members of cn=netscreen.ro,ou=Groups,dc=test,dc=local
if (Ldap-Group == "cn=netscreen.ro,ou=Groups,dc=test,dc=local" && !Ldap-Group == "cn=netscreen.rw,ou=Groups,dc=test,dc=local") {
	update reply {
		NS-Admin-Privilege := Read-Only-Admin
	}
}
# Return appropriate return attributes to members of cn=nsm.rw,ou=Groups,dc=test,dc=local
if (Ldap-Group == "cn=nsm.rw,ou=Groups,dc=test,dc=local") {
	update reply {
		NS-NSM-User-Domain-Name := "global"
		NS-NSM-User-Role-Mapping := "global:System Administrator"
	}
}
# Return appropriate return attributes to members of cn=nsm.ro,ou=Groups,dc=test,dc=local
if (Ldap-Group == "cn=nsm.ro,ou=Groups,dc=test,dc=local" && !Ldap-Group == "cn=nsm.rw,ou=Groups,dc=test,dc=local") {
	update reply {
		NS-NSM-User-Domain-Name := "global"
		NS-NSM-User-Role-Mapping := "global:Read-Only System Administrator"
	}
}
# Return appropriate return attributes to members of cn=aruba.rw,ou=Groups,dc=test,dc=local
if (Ldap-Group == "cn=aruba.rw,ou=Groups,dc=test,dc=local") {
	update reply {
		Aruba-Admin-Role := "root"
		Aruba-Priv-Admin-User := 1
	}
}
# Return appropriate return attributes to members of cn=aruba.ro,ou=Groups,dc=test,dc=local
if (Ldap-Group == "cn=aruba.ro,ou=Groups,dc=test,dc=local" && !Ldap-Group == "cn=aruba.rw,ou=Groups,dc=test,dc=local") {
	update reply {
		Aruba-Admin-Role := "read-only"
	}
}
}

This is working quite well.
An AD user can't logon to a telnet device because the Auth-Type is set 
to PAP.
A local user defined in users file can't logon to any other device than 
the telnet ones cause of the Huntgroup restriction:


xosadmin	Huntgroup-Name == "xos", Cleartext-Password := "testpw"

Now I'm coming closer to my questions.
When a local user logon to a telnet device freeradius does all the ldap 
membership queries.
When an AD user will logon to a telnet device freeradius also does all 
the ldap membership queries.


Q1: Can I abbreviate this process that when a local user wants access 
to a telnet device the ldap queries will be skipped?
Q2: Is there a smarter way to reject a local user immediately when he 
wants to logon to a non telnet device?
Q3: Is there a smarter way to reject an AD user immediately when he 
wants to logon to a telnet device?
Q4: Are there any tweaking capabilities to my unlang code to make it 
smarter or more hardened?
Q5: Can I abbreviate any code snippets like using a switch/case block 
or use variables or anything I don't know?
Q6: Are the positions of the unlang code in the authorize section 
correct?


Thanks in advance for any help and hints.

Regards,

Tobias Hachmer


ntlm_auth ldap authorize questions

2012-04-04 Thread Tobias Hachmer

Hello list,

I set up a testing environment with an virtual Windows Server 2008 R2 
server with Active Directory Role and a virtual freeradius server 
(v2.1.12).
For the authentication I use ntlm_auth (followed instructions on 
http://deployingradius.com/documents/configuration/active_directory.html) 
which works great.
I understand that I cannot authorize using ntlm_auth so I want to set 
up the ldap module for authorization, e.g. perform checks on group 
memberships.



The ldap bind with the builtin Administrator and also the ldap search 
in the basedn for the builtin account Administrator is successful:


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 42796, id=160, 
length=83

User-Name = Administrator
User-Password = abc123!
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x2f21233db6232800e133f6891b78309d
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = Administrator, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
[ldap] performing user authorization for Administrator
[ldap] 	expand: %{Stripped-User-Name} ->
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> Administrator
[ldap] 	expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=Administrator)
[ldap] 	expand: cn=Users,dc=test,dc=local -> cn=Users,dc=test,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=Users,dc=test,dc=local, with filter 
(cn=Administrator)

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that 
the user is configured correctly?

[ldap] user Administrator authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  
Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[ntlm_auth] 	expand: --username=%{mschap:User-Name} -> --username=Administrator
[ntlm_auth] 	expand: --password=%{User-Password} -> --password=abc123!

Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
# Executing section post-auth from file 
/etc/freeradius/sites-enabled/default

+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 160 to 127.0.0.1 port 42796
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 160 with timestamp +380
Ready to process requests.


My first problem is that I cannot do the ldap bind with any user other 
than the builtin Administrator. I created a new user freeradius in 
cn=Users,dc=test,dc=local, where the builtin Administrator is also 
located, but the bind fails:


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 44706, id=162, 
length=83

User-Name = Administrator
User-Password = abc123!
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x6b50ad7469b14cd74c9fcb7c41d93cc1
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = Administrator, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
[ldap] performing user authorization for Administrator
[ldap] 	expand: %{Stripped-User-Name} ->
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> Administrator
[ldap] 	expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=Administrator)
[ldap] 	expand: cn=Users,dc=test,dc=local -> cn=Users,dc=test,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to testwdc.test.local:389, authentication 0
  [ldap] bind as cn=freeradius,cn=Users,dc=test,dc=local/abc234! to 
testwdc.test.local:389

  [ldap] waiting for bind result ...
  [ldap] LDAP login failed: check identity, password settings in ldap 
section of radiusd.conf

  [ldap] (re)connection attempt failed
[ldap] search failed
  [ldap] 

RE: ntlm_auth ldap authorize questions

2012-04-04 Thread Andres Septer



> I set up a testing environment with an virtual Windows Server 2008 R2
> server with Active Directory Role and a virtual freeradius server
> (v2.1.12).
> For the authentication I use ntlm_auth (followed instructions on
> http://deployingradius.com/documents/configuration/active_directory.html)
> which works great.
> I understand that I cannot authorize using ntlm_auth so I want to set
> up the ldap module for authorization, e.g. perform checks on group
> memberships.

I (sort of) solved exactly the same problem. I will post my solution in 
MSSCHAP auth + LDAP authorization shortly. Stay tuned.

A.



RE: ntlm_auth ldap authorize questions (solved)

2012-04-04 Thread Tobias Hachmer

On 04.04.2012 12:30, Andres Septer wrote:
> I (sort of) solved exactly the same problem. I will post my solution in
> MSSCHAP auth + LDAP authorization shortly. Stay tuned.


# Note to Andres Septer:
Thanks for your reply, but I fixed my problem by now without giving the 
ldap bind user any specific rights. 
(http://www.advproxy.net/ldapads.html)


I did the following:
# ldapsearch -h testwdc.test.local -D 
cn=Administrator,cn=Users,dc=test,dc=local -w abc123! -b 
dc=test,dc=local


# Free RADIUS, Users, test.local
dn: CN=Free RADIUS,CN=Users,DC=test,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Free RADIUS
sn: RADIUS
givenName: Free
distinguishedName: CN=Free RADIUS,CN=Users,DC=test,DC=local
instanceType: 4
whenCreated: 20120404112536.0Z
whenChanged: 20120404112536.0Z
displayName: Free RADIUS
uSNCreated: 20580
uSNChanged: 20585
name: Free RADIUS
objectGUID:: Wc/75uS3EEOkigLBcBPVQw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129780123362628750
primaryGroupID: 513
objectSid:: AQUAAAUVXrAss/fHBMRa4JZ1UgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: freeradius
sAMAccountType: 805306368
userPrincipalName: freeradius@test.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=local
dSCorePropagationData: 1601010100.0Z

and recognized that the CN of the user I want to use for ldap bind is 
CN=Free RADIUS but I assumed that the CN is like the sAMAccountName.

So I changed the identity in /etc/freeradius/modules/ldap

from
identity = cn=freeradius,cn=Users,dc=test,dc=local
to
identity = cn=Free RADIUS,cn=Users,dc=test,dc=local

and

the filter

from
filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" (the default was 
uid)

to
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

additionally I set the groupmembership_filter accordingly for active 
directory:


groupname_attribute = cn
groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"


That's what I've done and now it is working like a charm.

Regards,

Tobias Hachmer
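An added example, not code from the thread or from FreeRADIUS, that builds the two filters from the post above (the user search on sAMAccountName and the `(&(objectClass=group)(member=...))` membership filter) the way any LDAP client has to: the substituted value is escaped as RFC 4515 requires, and the result is evaluated against constructed directory entries with a minimal filter evaluator. rlm_ldap escapes its own `%{...}` expansions inside filters; the point here is what that escaping must do, and why a filter assembled by hand (a script or an exec module) must do the same. The entries, the user DN modelled on the ldapsearch output, and the group name are constructed.

```python
"""Added example (not from the list thread): RFC 4515 escaping for values
substituted into LDAP filters, plus a small evaluator to show its effect."""

import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]   # attribute name (lower-case) -> values

# RFC 4515 section 3: these must be hex-escaped inside an assertion value so
# the server matches them literally instead of reading them as filter syntax.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one value for use inside an LDAP search filter."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def user_filter(user_name: str) -> str:
    """The filter the post switched to: the AD logon name is sAMAccountName,
    while cn ('Free RADIUS' in the post) can differ from it."""
    return f"(sAMAccountName={escape_filter_value(user_name)})"


def group_membership_filter(user_dn: str) -> str:
    """The AD group filter from the post: both conditions must hold."""
    return f"(&(objectClass=group)(member={escape_filter_value(user_dn)}))"


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _match(values: List[str], pattern: str) -> bool:
    """Equality/substring assertion: '*' is a wildcard only when unescaped."""
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    rx = re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)
    return any(rx.match(v) for v in values)


def _parse(s: str, i: int, entry: Entry) -> Tuple[bool, int]:
    """Recursive-descent evaluation of &, |, ! and attr=value assertions."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, results = s[i], i + 1, []
        while s[i] == "(":
            r, i = _parse(s, i, entry)
            results.append(r)
        if s[i] != ")" or not results or (op == "!" and len(results) != 1):
            raise ValueError(f"bad compound filter at offset {i}")
        if op == "&":
            return all(results), i + 1
        if op == "|":
            return any(results), i + 1
        return not results[0], i + 1
    j = s.find(")", i)
    attr, eq, pattern = s[i:j].partition("=")
    if j < 0 or not eq or not re.fullmatch(r"[A-Za-z][\w.;-]*", attr):
        raise ValueError(f"bad assertion {s[i:j]!r}")
    return _match(entry.get(attr.lower(), []), pattern), j + 1


def evaluate(filter_str: str, entry: Entry) -> bool:
    """True if the entry matches; ValueError if the filter is malformed."""
    result, pos = _parse(filter_str, 0, entry)
    if pos != len(filter_str):
        raise ValueError("trailing data after filter")
    return result


def is_well_formed(filter_str: str) -> bool:
    try:
        evaluate(filter_str, {})
        return True
    except (ValueError, IndexError):
        return False


# Constructed entries modelled on the ldapsearch output in the post.
SAMPLE_USER_DN = "CN=Free RADIUS,CN=Users,DC=test,DC=local"
SAMPLE_USER: Entry = {"cn": ["Free RADIUS"], "samaccountname": ["freeradius"],
                      "objectclass": ["top", "person", "user"]}
SAMPLE_GROUP: Entry = {"cn": ["netscreen.rw"], "objectclass": ["top", "group"],
                       "member": [SAMPLE_USER_DN]}
```

Two things fall out of running it: `(cn=freeradius)` does not match the sample user while `user_filter("freeradius")` does, which is the post's original bind/search mistake; and a User-Name of `*` becomes `(sAMAccountName=\2a)` and matches nothing, whereas the unescaped `(sAMAccountName=*)` matches every user, which is why substituted values must never go into a filter raw. The filter as it appears in the archive with the `&` dropped, `((objectClass=group)(member=...))`, is rejected as malformed.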





Re: LDAP Search Questions

2012-03-16 Thread ryuukuu
Can someone throw me a bone here? This is really the last step in my process
in getting FreeRadius production ready.



Re: LDAP Search Questions

2012-03-16 Thread Alan Buxey
Hi,
> Can someone throw me a bone here? This is really the last step in my process
> in getting FreeRadius production ready.

i'd advise getting a basic grasp of LDAP and terminology before using
it as a tool - plenty of free resources out there. you have a group
RADIUS that you want to check membership of - so when you talk to the LDAP
you need to filter for the user you are dealing with - so have appropriate
filter line (you know your DN/CN/DC etc to get the right tree/branch)
and then do the correct attribute match (be that memberOf etc).


alan


Re: LDAP Search Questions

2012-03-16 Thread Phil Mayers

On 14/03/12 19:04, ryuukuu wrote:

> Hello All,
>
> I've got a question about the settings for limiting access/authenticating to
> a specific LDAP group. I have setup a group on my OpenLDAP called RADIUS
> and I want the users in there to be the only ones that have access. The
> problem I am having is with the filters. Below is my /etc/raddb/modules/ldap
> (given I cleaned up a lot of the comments just for posting reasons)


What is the question?


LDAP Search Questions

2012-03-14 Thread ryuukuu
Hello All,

I've got a question about the settings for limiting access/authenticating to
a specific LDAP group. I have setup a group on my OpenLDAP called RADIUS
and I want the users in there to be the only ones that have access. The
problem I am having is with the filters. Below is my /etc/raddb/modules/ldap
(given I cleaned up a lot of the comments just for posting reasons)

server = example.com
port = 389
identity = cn=example,dc=company,dc=local
password = x
basedn = ou=People,dc=company,dc=local
#   access_attr = ?
#   filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
#   filter = (objectclass=ogranizationalPerson)(de
#   base_filter = (objectclass=organizationalPerson)

ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no

# cacertfile= /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile  = /path/to/radius.crt
# keyfile   = /path/to/radius.key
# randfile  = /path/to/rnd
# require_cert  = demand
}

# default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
# profile_attribute = radiusProfileDn
# access_attr = dialupAccess
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
 password_attribute = userPassword
 auto_header = yes
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
# compare_check_items = yes
# do_xlat = yes
# chase_referrals = yes
# set_auth_type = yes
}




Re: FreeRadius questions

2012-02-29 Thread Johan Meiring

On 2012/02/28 07:06 PM, James DeLuca wrote:

> Module: Checking post-auth {...} for more modules to load }
>
> radiusd:  Opening IP addresses and Ports  listen {
>
> type = auth
>
> ipaddr = 10.0.8.9




You've configured your server to NOT listen on localhost.

Sending to localhost will therefore not work.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782




FreeRadius questions

2012-02-28 Thread James DeLuca
Hope you can help us out.  First time dealing with RADIUS servers.  Following 
your instructions.  Seem to have missed something along the way.



We are running FreeRadius(Version 2.1.1) on a SLES version 11 server.  The 
server has a static IP address.



We have tried both of the following settings in our client.conf 
file(/etc/raddb/clients.conf).  Neither have produced good results.

client localhost {
 ipaddr = 127.0.0.1
require_message_authenticator = no
secret = x
nastype = other
}

client localhost {
 ipaddr = 10.0.xxx.xxx
require_message_authenticator = no
secret = x
nastype = other
}


We entered a user in our user(/etc/raddb/users) file



bob Cleartext-Password := hello



Started two terminal sessions.  In the first session we ran /usr/sbin/radiusd -X



And received these results

FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on Feb 23 2009 at 
21:34:25 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE.

You may redistribute copies of FreeRADIUS under the terms of the GNU General 
Public License v2.

Starting - reading configuration files ...

including configuration file /etc/raddb/radiusd.conf including configuration 
file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf 
including files in directory /etc/raddb/modules/ including configuration file 
/etc/raddb/modules/detail including configuration file 
/etc/raddb/modules/preprocess including configuration file 
/etc/raddb/modules/ippool including configuration file 
/etc/raddb/modules/inner-eap including configuration file 
/etc/raddb/modules/checkval including configuration file 
/etc/raddb/modules/ldap including configuration file 
/etc/raddb/modules/sradutmp including configuration file 
/etc/raddb/modules/attr_filter including configuration file 
/etc/raddb/modules/policy including configuration file 
/etc/raddb/modules/always including configuration file 
/etc/raddb/modules/etc_group including configuration file 
/etc/raddb/modules/logintime including configuration file 
/etc/raddb/modules/passwd including configuration file /etc/raddb/modules/realm 
including configuration file /etc/raddb/modules/krb5 including configuration 
file /etc/raddb/modules/echo including configuration file 
/etc/raddb/modules/expiration including configuration file 
/etc/raddb/modules/expr including configuration file 
/etc/raddb/modules/detail.example.com

including configuration file /etc/raddb/modules/pam including configuration 
file /etc/raddb/modules/files including configuration file 
/etc/raddb/modules/smbpasswd including configuration file 
/etc/raddb/modules/attr_rewrite including configuration file 
/etc/raddb/modules/linelog including configuration file 
/etc/raddb/modules/detail.log including configuration file 
/etc/raddb/modules/unix including configuration file /etc/raddb/modules/exec 
including configuration file /etc/raddb/modules/radutmp including configuration 
file /etc/raddb/modules/acct_unique including configuration file 
/etc/raddb/modules/digest including configuration file /etc/raddb/modules/chap 
including configuration file /etc/raddb/modules/sql_log including configuration 
file /etc/raddb/modules/mschap including configuration file 
/etc/raddb/modules/counter including configuration file /etc/raddb/modules/pap 
including configuration file /etc/raddb/modules/mac2vlan including 
configuration file /etc/raddb/modules/mac2ip including configuration file 
/etc/raddb/modules/wimax including configuration file /etc/raddb/eap.conf 
including configuration file /etc/raddb/sql.conf including configuration file 
/etc/raddb/sql/mysql/dialup.conf including configuration file 
/etc/raddb/sql/mysql/counter.conf including configuration file 
/etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ 
including configuration file /etc/raddb/sites-enabled/default including 
configuration file /etc/raddb/sites-enabled/inner-tunnel

group = radiusd

user = radiusd

including dictionary file /etc/raddb/dictionary main {

  prefix = /usr

  localstatedir = /var

  logdir = /var/log/radius

  libdir = /usr/lib/freeradius

  radacctdir = /var/log/radius/radacct

  hostname_lookups = no

  max_request_time = 30

  cleanup_delay = 5

  max_requests = 1024

  allow_core_dumps = no

  pidfile = /var/run/radiusd/radiusd.pid

  checkrad = /usr/sbin/checkrad

  debug_level = 0

  proxy_requests = yes

 log {

  stripped_names = no

  auth = no

  auth_badpass = no

  auth_goodpass = no

 }

 security {

  max_attributes = 200

  reject_delay = 1

  status_server = yes

 }

}

 client localhost {

  ipaddr = 10.0.8.9

  require_message_authenticator = no

  secret = testing123

  nastype = other

 }

radiusd: 

Re: FreeRadius questions

2012-02-28 Thread Alan Buxey
hi,


you have configured your server to listen for authentications on IP
10.0.8.9


..but then you try sending a request to 127.0.0.1 (localhost) 

of course it isn't going to work.

either configure the server to listen on all interfaces (*) as a
default install would, or use 10.0.8.9 as the destination address with radtest


alan


RE: FreeRadius questions

2012-02-28 Thread James DeLuca
Firewall is turned off on the server at this time.

From: freeradius-users-bounces+jdeluca=wiu.k12.pa...@lists.freeradius.org 
[mailto:freeradius-users-bounces+jdeluca=wiu.k12.pa...@lists.freeradius.org] On 
Behalf Of hashim zayed
Sent: Tuesday, February 28, 2012 2:16 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius questions


Please make sure that port 1812/1813 are enabled on your server firewall.

Hashim Mohammed Zayed
Moeen IT

On 2012 2 28 17:10, James DeLuca jdel...@wiu.k12.pa.us wrote:

RE: FreeRadius questions

2012-02-28 Thread James DeLuca
Changed the radtest to 

radtest bob hello 10.0.8.9 0 testing123 

Now in the terminal windows where we ran radiusd -X we get the following error
Ignoring request to authentication address 10.0.8.9 port 1812 from unknown 
client 10.0.8.9 port 56524

The terminal session we ran the 
radtest bob hello 10.0.8.9 0 testing123 

still has the no response message.



Re: FreeRadius questions

2012-02-28 Thread Alan DeKok
James DeLuca wrote:
> Changed the radtest to
>
> radtest bob hello 10.0.8.9 0 testing123
>
> Now in the terminal windows where we ran radiusd -X we get the following error
> Ignoring request to authentication address 10.0.8.9 port 1812 from unknown
> client 10.0.8.9 port 56524

  So... what do you think you should do?  Read the previous message as a
hint.

> The terminal session we ran the
> radtest bob hello 10.0.8.9 0 testing123
>
> still has the no response message.

  We assume a certain basic understanding of IP networking.

  Alan DeKok.


Re: FreeRadius questions

2012-02-28 Thread Alan Buxey
Hi,

> radtest bob hello 10.0.8.9 0 testing123
>
> Now in the terminal windows where we ran radiusd -X we get the following error
> Ignoring request to authentication address 10.0.8.9 port 1812 from unknown
> client 10.0.8.9 port 56524

is 10.0.8.9 listed in clients.conf ?


you will see no response in the radtest window as, as the server says,
the request is being ignored... you'll just get a time out

alan
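The two symptoms in this thread have different causes, and the following added example (not code from the thread or from FreeRADIUS) separates them: a request sent to an address that no `listen` section covers never reaches the server, so radtest only reports no response; a request that does arrive but whose source address matches no `client` block is dropped with the "Ignoring request ... from unknown client" message Alan is asking about. The listen address is the one from the posted debug output; the client list, prefix client and shared secret are constructed.

```python
"""Added example (not from the list thread): models the listen-address
check and the clients.conf lookup a RADIUS server applies to a packet."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Client:
    """One `client <name> { ipaddr = ...  secret = ... }` block."""
    name: str
    network: IPNetwork
    secret: str


def client(name: str, ipaddr: str, secret: str) -> Client:
    """`ipaddr` may be a single host or a prefix such as 10.0.8.0/24."""
    return Client(name, ipaddress.ip_network(ipaddr, strict=False), secret)


def find_client(clients: List[Client], src_ip: str) -> Optional[Client]:
    """First client block whose address or prefix contains the source IP:
    the lookup the server does before it will even look at the packet."""
    addr = ipaddress.ip_address(src_ip)
    for c in clients:
        if addr in c.network:
            return c
    return None


def classify_request(listen_addrs: List[str], clients: List[Client],
                     dst_ip: str, src_ip: str) -> str:
    """What happens to a request sent to dst_ip from src_ip.

    listen_addrs are the `ipaddr` values of the listen sections; "*" is
    the default install's 'all interfaces'."""
    bound = {ipaddress.ip_address(a) for a in listen_addrs if a != "*"}
    if "*" not in listen_addrs and ipaddress.ip_address(dst_ip) not in bound:
        # Nothing is bound to that address: the datagram goes nowhere and
        # radtest simply times out with "no response".
        return "no listener: radtest times out"
    matched = find_client(clients, src_ip)
    if matched is None:
        return f"ignored: unknown client {src_ip}"
    return f"accepted as client '{matched.name}' using its shared secret"


# Constructed scenarios after the thread: listen only on 10.0.8.9, and a
# clients.conf that covers only 127.0.0.1.
POSTED_LISTEN = ["10.0.8.9"]
POSTED_CLIENTS = [client("localhost", "127.0.0.1", "testing123")]
# The fix suggested in the thread: a client entry that covers 10.0.8.9
# (here as a prefix, so other hosts on that LAN are covered as well).
FIXED_CLIENTS = POSTED_CLIENTS + [client("lan", "10.0.8.0/24", "constructed-secret")]

if __name__ == "__main__":
    print(classify_request(POSTED_LISTEN, POSTED_CLIENTS, "127.0.0.1", "127.0.0.1"))
    print(classify_request(POSTED_LISTEN, POSTED_CLIENTS, "10.0.8.9", "10.0.8.9"))
    print(classify_request(POSTED_LISTEN, FIXED_CLIENTS, "10.0.8.9", "10.0.8.9"))
```

The first call reproduces the original silence (radtest aimed at 127.0.0.1 while the server listens on 10.0.8.9 only), the second the "unknown client 10.0.8.9" message once radtest is aimed at 10.0.8.9, and the third the accepted case after a client block covering 10.0.8.9 is added. Note that the shared secret is per client block, so the secret radtest is given has to be the one from the block that matches the source address.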


Re: Juniper Questions (MX/ERX)

2012-01-25 Thread Bjørn Mork
Paul Stewart p...@paulstewart.org writes:

> I'm trying to get an understanding on a FreeRadius installation how to
> enable the unisphere.dictionary.  There are specific attributes in that file
> that we need such as Unisphere-Ingress-Policy-Name.  By default, this
> dictionary file is commented out due to attribute conflicts.
>
> Can someone share a bit more info?  I need unisphere attributes and also erx
> attributes to function on the same FreeRadius system ultimately .. We have a
> mixture of Juniper ERX equipment and Juniper MX equipment that needs to talk
> to FreeRadius.

So do we.  And it does work very well with the default FreeRADIUS
dictionaries. 

> When I try to add a Unisphere-Ingress-Policy-Name = 512k for example in
> the users file I get invalid integer error.

There is no Unisphere dictionary.  It has always been dictionary.erx
from the beginning of FreeRADIUS.  And the attributes all have ERX
prefix, even those that are JUNOS specific (with the exception of some
Sdx attributes. Don't know how that happened.  Hope it wasn't me :-). 

I chose to continue using the ERX prefix for the latest batch of JUNOS
specific attributes, to keep the vendor id to attribute prefix mapping
consistent. I'd like to hear comments on that decision from other
FreeRADIUS and multi-platform Juniper customers.

Juniper themselves use a mix of Jnpr, Unisphere, Sdx and Erx as prefixes
depending on which system the attribute is for.  But that does not
really work either, as some of the attributes are really multi-system.
Like ERX-Virtual-Router-Name (26-1) which is just as valid on both JUNOS
(MX access) and JUNOSe (ERX).  This was one of the main reasons why I
decided not to follow their route to confusion.  The other reason was
remembering when they renamed a few com.unisphere.* java classes to
net.juniper.* without thinking about the unnecessary confusion that
would create.  Made me aware that they really don't have a clue about
stable naming...

All in all, I believe the current FreeRADIUS dictionary makes more sense
than any of the alternatives.  And if in doubt you can always match up
the actual attribute codes.  Juniper are nice enough to document them.


Bjørn



Juniper Questions (MX/ERX)

2012-01-24 Thread Paul Stewart
Hi there..

 

I'm trying to get an understanding on a FreeRadius installation how to
enable the unisphere.dictionary.  There are specific attributes in that file
that we need such as Unisphere-Ingress-Policy-Name.  By default, this
dictionary file is commented out due to attribute conflicts.

 

Can someone share a bit more info?  I need unisphere attributes and also erx
attributes to function on the same FreeRadius system ultimately .. We have a
mixture of Juniper ERX equipment and Juniper MX equipment that needs to talk
to FreeRadius.

 

When I try to add a Unisphere-Ingress-Policy-Name = 512k for example in
the users file I get invalid integer error.

 

Thanks for any insight.

 

Paul

 

 

 



Re: Juniper Questions (MX/ERX)

2012-01-24 Thread Alan DeKok
Paul Stewart wrote:
> I’m trying to get an understanding on a FreeRadius installation how to
> enable the unisphere.dictionary.  There are specific attributes in that
> file that we need such as “Unisphere-Ingress-Policy-Name”.  By default,
> this dictionary file is commented out due to “attribute conflicts”.

  Which file is that?  The server doesn't have any
unisphere.dictionary file, or any dictionary.unisphere

  Make sure you're running a recent version of the server.  It really helps.

> Can someone share a bit more info?  I need unisphere attributes and also
> erx attributes to function on the same FreeRadius system ultimately ….
> We have a mixture of Juniper ERX equipment and Juniper MX equipment that
> needs to talk to FreeRadius.

  Which attributes do you need?  List them by Vendor ID  number.

 When I try to add a “Unisphere-Ingress-Policy-Name = 512k” for example
 in the users file I get “invalid integer” error.

  There's no such invalid integer error in FreeRADIUS.

  Are you sure you're using FreeRADIUS?

  Alan DeKok.


Re: Juniper Questions (MX/ERX)

2012-01-24 Thread Arran Cudbard-Bell
Paul,

It means that there are conflicting definitions for an attribute number 
associated with the Juniper vendor ID. 

Look for an attribute with the same number as defined for 
Unisphere-Ingress-Policy-Name in the Juniper dictionary file, and comment it 
out.

It sounds like the conflicting attribute is an integer, and its definition is 
being used over Unisphere-Ingress-Policy-Name which is obviously a string.

-Arran

Arran Cudbard-Bell
a.cudba...@networkradius.com

Technical consultant and solutions architect

15 Ave. du Granier, Meylan, France
+33 4 69 66 54 50


Re: Juniper Questions (MX/ERX)

2012-01-24 Thread Alan Buxey
Hi,

When I try to add a “Unisphere-Ingress-Policy-Name = 512k” for example in
the users file I get “invalid integer” error.

512k isn't a valid integer - 'k' means nothing - change that to the real value
in bytes - whether that's just 512 or 524288 would be down to the kit.

regarding the dictionary - so long as the values don't clash with others you
need in your system, then just reinclude it - check the dictionary for its
values and see what it clashes with (comment out all the dictionaries you
don't use/need) - and hope it doesn't clash with other kit you have - it's
really annoying when vendors clash in RADIUS space - particularly if that's
in reserved IANA space :-|

alan

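The clash Arran and Alan describe above (two definitions for the same attribute number under one vendor ID, one integer and one string) can be found mechanically before the server is started. The following is an added example, not code from FreeRADIUS or from anyone in this thread; the vendor ID, attribute numbers and file names in it are constructed for the demonstration and are not the real Juniper/ERX/Unisphere values.

```python
"""Find clashing ATTRIBUTE numbers across FreeRADIUS dictionary files.

Added example, not code from the FreeRADIUS project. It reads the subset
of dictionary syntax vendor dictionaries use: VENDOR, BEGIN-VENDOR /
END-VENDOR, ATTRIBUTE (vendor implied by an enclosing BEGIN-VENDOR block
or, older style, given as a trailing column) and '#' comments. $INCLUDE
is not followed: pass each file's text separately.
"""
from collections import defaultdict, namedtuple

Attr = namedtuple("Attr", "vendor_id number name type file line")

# Constructed stand-ins for two vendor dictionaries that share one vendor
# ID, the situation behind the "attribute conflicts" comment. The vendor ID
# and attribute numbers are invented; they are NOT the real Juniper/ERX/
# Unisphere assignments.
SAMPLE_DICTIONARIES = {
    "dictionary.vendor-a": """
VENDOR          VendorA                 9999
BEGIN-VENDOR    VendorA
ATTRIBUTE       VendorA-Virtual-Router  1       string
ATTRIBUTE       VendorA-Rate-Limit      3       integer
END-VENDOR      VendorA
""",
    "dictionary.vendor-b": """
# Older syntax: the vendor name is a trailing column, no BEGIN-VENDOR
VENDOR          VendorB                     9999
ATTRIBUTE       VendorB-Ingress-Policy-Name 3   string  VendorB
ATTRIBUTE       VendorB-Egress-Policy-Name  4   string  VendorB
""",
}


def _to_int(token):
    """Dictionary numbers may be decimal or 0x-prefixed hex."""
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def parse_dictionary(filename, text, vendors):
    """Yield an Attr for every ATTRIBUTE line in one dictionary file.

    `vendors` maps vendor name -> numeric ID and is shared across files,
    because the VENDOR line often lives in a different file than the
    attributes that refer to it. An undeclared vendor name is kept as the
    string itself so its attributes still group consistently.
    """
    current_vendor = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        keyword = fields[0].upper()
        if keyword == "VENDOR" and len(fields) >= 3:
            vendors[fields[1]] = _to_int(fields[2])
        elif keyword == "BEGIN-VENDOR" and len(fields) >= 2:
            current_vendor = fields[1]
        elif keyword == "END-VENDOR":
            current_vendor = None
        elif keyword == "ATTRIBUTE" and len(fields) >= 4:
            name, number, attr_type = fields[1], fields[2], fields[3]
            vendor = current_vendor
            # Trailing column: a known vendor name (old style) or a flag
            # such as encrypt=1, which is irrelevant here.
            if len(fields) >= 5 and fields[4] in vendors:
                vendor = fields[4]
            try:
                num = _to_int(number)
            except ValueError:
                continue  # dotted sub-attribute numbers are out of scope
            vendor_id = vendors.get(vendor, vendor) if vendor else 0
            yield Attr(vendor_id, num, name, attr_type, filename, lineno)


def find_conflicts(dictionaries):
    """Return {(vendor_id, number): [Attr, ...]} for every attribute
    number defined more than once with a different name or type."""
    vendors = {}
    by_key = defaultdict(list)
    for filename, text in dictionaries.items():
        for attr in parse_dictionary(filename, text, vendors):
            by_key[(attr.vendor_id, attr.number)].append(attr)
    return {key: attrs for key, attrs in by_key.items()
            if len({(a.name, a.type) for a in attrs}) > 1}


def report(conflicts):
    """One line per clashing definition, so you know what to comment out."""
    lines = []
    for (vendor_id, number), attrs in sorted(conflicts.items(), key=str):
        lines.append(f"vendor {vendor_id} attribute {number} defined {len(attrs)} times:")
        lines.extend(f"  {a.file}:{a.line}: {a.name} ({a.type})" for a in attrs)
    return lines


if __name__ == "__main__":
    print("\n".join(report(find_conflicts(SAMPLE_DICTIONARIES))) or "no conflicts")
```

Run it against the real files in raddb (one string per file) to see which definition of a number you have to comment out; a report line showing an integer and a string under the same number is exactly the case Arran describes.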

Re: eap/tls questions with freeradius

2011-12-28 Thread Phil Mayers

On 12/26/2011 02:44 PM, vazoumana fofana wrote:

sorry, I've got persistent problems:

- I filter client certificates under the authenticate section (under eap)
with:
Auth-Type eap {
    if ( %{TLS-Client-Cert-Subject} =~ /OU=x/ ) {
        reject
    }
}
Firstly, it's written in the default file:
# Please do not put unlang configurations into the authenticate
# section. Put them in the post-auth section instead. That's what
# the post-auth section is for.
But in my opinion it's not right because I don't want to enter into
post-auth. It must be rejected before.


This is not easy at the moment I'm afraid.

Basically, the problem is that the authorize part of the eap module 
doesn't do much. All the work is done inside the authenticate section.


This means that TLS-* attributes may not be present in authorize.

You are correct that performing a reject in post-auth is not the 
right thing to do.


It might be an idea in future to add an inner-tunnel feature for 
EAP-TLS which sends a plain PAP packet with the TLS-* attributes, which 
allows this kind of checking.


You need to use the verify { } option under the tls { } config to 
run an external script. Like so:


eap {
    tls {
        verify {
            client = /path/to/my/script ...
        }
    }
}

This is documented with examples in eap.conf

But really, you're doing it wrong.

If you don't want a particular cert to authenticate, revoke it and use 
CRLs or OCSP.


Why do you think you want to check the cert subject?


RE: eap/tls questions with freeradius

2011-12-26 Thread vazoumana fofana

sorry, I've got persistent problems:

- I filter client certificates under the authenticate section (under eap) with:
Auth-Type eap {
    if ( %{TLS-Client-Cert-Subject} =~ /OU=x/ ) {
        reject
    }
}
Firstly, it's written in the default file:
#  Please do not put unlang configurations into the authenticate
#  section.  Put them in the post-auth section instead.  That's what
#  the post-auth section is for.
But in my opinion it's not right because I don't want to enter into 
post-auth. It must be rejected before.

secondly,

with this configuration, I try to authenticate a client with certificate 
OU=x. According to debug mode, it seemed to work. The client (Windows XP) 
requested 21 times without success. But at the 22nd, it seemed to authenticate 
successfully because I saw the client associated to the AP. After some time (5-10 
minutes), the client seemed to be detached and entered an authentication loop until 
it succeeded in authenticating.

do you know why the client succeeds in authenticating for a time?
Is it possible to avoid requests of certain clients?
I restrict authentication requests to chosen NAS. I want to avoid clients 
entering the authentication loop. But these clients can request authentication through 
the chosen NAS.

Cheers.


Re: eap/tls questions with freeradius

2011-12-26 Thread Fajar A. Nugraha
On Mon, Dec 26, 2011 at 9:44 PM, vazoumana fofana
zoumlan...@hotmail.com wrote:
 sorry, I've got persistent problems:

 - I filter client certificates under the authenticate section (under eap) with:
 Auth-Type eap {
     if ( %{TLS-Client-Cert-Subject} =~ /OU=x/ ) {
         reject
     }
 }
 Firstly, it's written in the default file:
 #  Please do not put unlang configurations into the authenticate
 #  section.  Put them in the post-auth section instead.  That's what
 #  the post-auth section is for.
 But in my opinion it's not right because I don't want to enter into
 post-auth. It must be rejected before.

Try authorize section. The usual method in authorize would be

update control {
    Auth-Type := reject
}


 secondly,

 with this configuration, I try to authenticate a client with certificate
 OU=x. According to debug mode, it seemed to work.
 The client (Windows XP)
 requested 21 times without success. But at the 22nd, it seemed to authenticate
 successfully because I saw the client associated to the AP. After some time (5-10
 minutes), the client seemed to be detached and entered an authentication loop
 until it succeeded in authenticating.

what does the debug log say? Did FR send access-accept?


 do you know why the client succeeds in authenticating for a time?

If FR sends access-accept, look at debug log to see why it's accepting
the request.

If FR does NOT send access-accept, it's probably a bug in NAS.

 Is it possible to avoid requests of certain clients?

If they have a distinct attribute (e.g. certificate, user-name,
calling-station-id, whatever), you can just use unlang.

 I restrict authentication requests to chosen NAS. I want to avoid clients
 entering the authentication loop. But these clients can request authentication
 through the chosen NAS.

I have no idea what that means. Did you want to allow client A to
login from NAS X, but reject it if it tries to login from NAS Y? If
yes, try http://wiki.freeradius.org/Huntgroups or
http://wiki.freeradius.org/SQL%20Huntgroup%20HOWTO

-- 
Fajar



RE: eap/tls questions with freeradius

2011-12-23 Thread vazoumana fofana


Do you know where I can insert a script to add new functions like the ones described in 
my previous email?
When a client sends its certificate, does the server check the username or the 
certificate validity first?



Re: eap/tls questions with freeradius

2011-12-23 Thread Fajar A. Nugraha
On Fri, Dec 23, 2011 at 3:54 PM, vazoumana fofana
zoumlan...@hotmail.com wrote:

 Do you know where I can insert a script to add new functions like the ones described
 in my previous email?
 When a client sends its certificate, does the server check the username or the
 certificate validity first?

Try:
- http://wiki.freeradius.org/Sites%20configuration
- http://freeradius.org/radiusd/man/unlang.html
- http://wiki.freeradius.org/Rlm_perl

Use unlang and attributes (such as TLS-Client-Cert-Common-Name) to do
whatever filtering you want. If you need complex processing, you might
have to use rlm_perl as well.

-- 
Fajar



RE: eap/tls questions with freeradius

2011-12-23 Thread vazoumana fofana

Thanks!!!


eap/tls questions with freeradius

2011-12-20 Thread vazoumana fofana

Hi , 

I've got a question: 
I've set up a freeradius server with EAP/TLS.
In my configuration, I use check_cert_issuer in order to check the certificate.
Is there any function which allows me to check the client's certificate subject 
(C, O, OU ??)?
Furthermore, I've got another question: 
when a client requests authentication, does the server check the users file first, then 
the certificate validity of the client?

Cheers


RE: eap/tls questions with freeradius

2011-12-20 Thread vazoumana fofana

Precisely, I'm searching for check_cert_subject, which checks the client's certificate field.



Re: Newbie starting up - with problem, of course; and questions

2011-10-14 Thread Dale Grice
Yes, I did indent the reply line. Found that out the hard way. I indented
the user line also. I'll take out the user name line indent and try that.

Dale


-- 

Dale Grice

Staff Engineer, Lab Architect; Motorola


Re: Newbie starting up - with problem, of course; and questions

2011-10-14 Thread Alan DeKok
Dale Grice wrote:
 Yes, I did indent the reply line. Found that out the hard way. I
 indented the user line also. I'll take out the user name line indent and
 try that. 

  Read man users, or the comments at the top of the users file, or
the examples in the user file.

  This is documented.  Trial and error isn't necessary.

  Alan DeKok.


Re: Newbie starting up - with problem, of course; and questions

2011-10-13 Thread Dale Grice
 I am running freeradius 2.1.10 on Debian 6.0.3.

 What startup script in Debian starts freeradius? I would like to add the
 -X option to it.

 My first problem is I can't get radtest to work. The only thing I have
 modified is the User file. I searched the FAQs and maillist archives to no
 avail.

 Top lines in User file:
 bob Cleartext-Password := hello
 Reply-Message = Hello, BOB
 testing Cleartext-Password := password
 Reply-Message = Testing in Progress
 #

 My radtest:
 root@Mikado:/etc/freeradius#  radtest bob hello localhost 0 testing123
 Sending Access-Request of id 171 to 127.0.0.1 port 1812
 User-Name = bob
 User-Password = hello
 NAS-IP-Address = 10.56.1.11
 NAS-Port = 0
 radclient: Failed to send packet for ID 171: (unknown error)
 Sending Access-Request of id 171 to 127.0.0.1 port 1812
 User-Name = bob
 User-Password = hello
 NAS-IP-Address = 10.56.1.11
 NAS-Port = 0
 radclient: Failed to send packet for ID 171: (unknown error)
 Sending Access-Request of id 171 to 127.0.0.1 port 1812
 User-Name = bob
 User-Password = hello
 NAS-IP-Address = 10.56.1.11
 NAS-Port = 0
 radclient: Failed to send packet for ID 171: (unknown error)
 radclient: no response from server for ID 171 socket 3


 Debug output:

 FreeRADIUS Version 2.1.10, for host i486-pc-kfreebsd-gnu, built on Nov 15
 2010 at 09:02:02
 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 You may redistribute copies of FreeRADIUS under the terms of the
 GNU General Public License v2.
 Starting - reading configuration files ...
 including configuration file /etc/freeradius/radiusd.conf
 including configuration file /etc/freeradius/proxy.conf
 including configuration file /etc/freeradius/clients.conf

Re: Newbie starting up - with problem, of course; and questions

2011-10-13 Thread Alan Buxey
Hi,

What startup script in Debian starts freeradius? I would like to add
the -X option to it.

why? just run 'radiusd -X' - as the main service script isn't designed
to be run in foreground (it would be a standard backgrounded daemon)

My first problem is I can't get radtest to work. The only thing I have
modified is the User file. I searched the FAQs and maillist archives
to no avail.
Top lines in User file:
        bob Cleartext-Password := hello
        Reply-Message = Hello, BOB
        testing Cleartext-Password := password
        Reply-Message = Testing in Progress

you did tab indent the reply lines? i.e.

username Cleartext-Password := password
        Reply-Message = This is a reply item


your debug shows no packets arriving at the server


alan

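The indentation rule Alan asks about (user name in column 0, reply items indented, continuation lines ending in a comma) can be checked before the server is started. The following validator is an added example, not FreeRADIUS code; it follows the layout documented in man users, and its two sample files, one with the indented user line from this thread and one laid out correctly, are constructed.

```python
"""Check the layout of a FreeRADIUS `users` file before the server loads it.

Added example, not FreeRADIUS project code. It follows the layout man users
describes: an entry name (or DEFAULT) starts in column 0 with its check items
on the same line; reply items follow on indented lines, comma-separated, and
every reply line except the last ends with a comma.
"""
import re

# attribute, operator, value; two-character operators before the single ones
PAIR_RE = re.compile(
    r"^([A-Za-z0-9._-]+)\s*(:=|\+=|-=|==|!=|=~|!~|=\*|!\*|<=|>=|[=<>])\s*(.*)$")

# Constructed sample files. The first mirrors the mistake in this thread:
# the user line itself is indented, so nothing ever starts an entry.
USERS_INDENTED_NAME = ('\tbob\tCleartext-Password := "hello"\n'
                       '\t\tReply-Message = "Hello, BOB"\n')
USERS_CORRECT = ("# entry name in column 0, reply items indented\n"
                 'bob\tCleartext-Password := "hello"\n'
                 '\tReply-Message = "Hello, BOB"\n'
                 "\n"
                 'testing\tCleartext-Password := "password"\n'
                 '\tReply-Message = "Testing in Progress",\n'
                 "\tFramed-Protocol = PPP\n")


def split_items(text):
    """Split 'A = "x, y", B = z' on the commas outside double quotes."""
    items, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    return items + [tail] if tail else items


def parse_pair(item):
    """'Attr op value' -> (attr, op, value) with surrounding quotes removed."""
    m = PAIR_RE.match(item)
    if not m:
        return None
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def parse_users(text):
    """Return (entries, problems): entries as {"name", "line", "check",
    "reply"} dicts, problems as (line number, message) for layout mistakes."""
    entries, problems = [], []
    current = None          # entry currently collecting reply items
    continuation = False    # previous reply line ended with a comma
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            # Column 0 starts a new entry; its check items share the line.
            if continuation:
                problems.append((lineno, "previous reply line ends with ',' but a new entry starts here"))
            parts = line.split(None, 1)
            current = {"name": parts[0], "line": lineno, "check": [], "reply": []}
            entries.append(current)
            continuation = False
            for item in split_items(parts[1] if len(parts) > 1 else ""):
                pair = parse_pair(item)
                if pair is None:
                    problems.append((lineno, f"cannot parse check item {item!r}"))
                else:
                    current["check"].append(pair)
        else:
            # Indented: reply items, legal only while an entry is open.
            if current is None:
                problems.append((lineno, "indented line outside an entry: the user name must start in column 0"))
                continue
            body = line.strip()
            continuation = body.endswith(",")
            for item in split_items(body.rstrip(",")):
                pair = parse_pair(item)
                if pair is None:
                    problems.append((lineno, f"cannot parse reply item {item!r}"))
                else:
                    current["reply"].append(pair)
            if not continuation:
                current = None  # last reply line: the entry is complete
    return entries, problems


if __name__ == "__main__":
    for label, sample in (("correct", USERS_CORRECT), ("indented", USERS_INDENTED_NAME)):
        entries, problems = parse_users(sample)
        print(f"{label}: {len(entries)} entries, problems: {problems}")
```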

RE: Questions about status counters

2011-08-15 Thread Tamás Becz
Hi,

Thanks, this is indeed interesting.

Cheers,
tamas


RE: Questions about status counters

2011-08-15 Thread Tamás Becz
Hi Alan,

  The values are taken from the SNMP MIBs for RADIUS.  See doc/rfc/
Thanks, that'll do.

  You don't need to restart the server to update clients.  See 
 raddb/sites-available/dynamic-clients, and raddb/modules/dynamic_clients
I will, thanks for the pointer.

  Wait a bit for 2.1.12.
I plan to follow all updates by hand, I just need to put together some build 
infrastructure behind it, Centos 5 ships really old stuff unfortunately.

  Alan DeKok.

Thanks,
tamas




Re: Proxying based on a regex (now with more questions)

2011-08-15 Thread Alan DeKok
Jacob Dawson wrote:
 So, according to the docs in proxy.conf and Arran's comment here, the regex 
 stuff should work fine…but in 2.1.11, we're not seeing that behavior.  Right 
 now, requests are only getting proxied properly if it's an exact match on the 
 realm name ( realm hokies {  or realm w2k.vt.edu { ), whereas the regex 
 realm syntax doesn't seem to be working at all ( realm ~hokies { or realm 
 ~.*w2k\\.vt\\.edu { aren't matched).

  Regex matching works for me...

  What does debug mode say?

  Alan DeKok.


Questions about status counters

2011-08-12 Thread Tamás Becz
Hi,

I'm trying to collect some statistics about my freeradius servers with nagios. 
Before, I've been doing this with some perl code digging through the logs and 
doing stats (plus generating gnuplot graphs etc.), but I'd rather have 
something more flexible, so I thought I'd put together some small script for 
nagios that can query those stats more flexibly. Basically I just want to see 
successful and unsuccessful logins, maybe home server deads and alives, nothing 
really fancy. We are actually just proxying requests, so I just need to see the 
amount of logins through us, and the health of the service (we have had 
trouble with the party doing the real authentication, and a high failure rate is 
a good sign I can look for).

I can set up the status server all right, but I'm a bit stuck with how to 
interpret the things I get. I've been through some searching of docs, wiki and 
mans, but couldn't get a pointer.

1) Is there some documentation on the values I got there? I of course see 
dictionary.freeradius, and the names are pretty self-explanatory, but we all 
know the devil is in the details :)

2) If I understand well, then these counters are simply monotonically increasing 
values. I can live with that of course, and do the math. I just like to see if 
my assumption is correct.

3) Also, I see that if the server is restarted, the values are reset to 0. Can 
freeradius be told not to do this, but retain the values? Currently we do 
restarts on a regular basis now and then, to update a clients.conf file. I 
suppose I more or less could handle this, but at least would lose the stats 
that happened after the last check, but before the restart.

4) Am I looking in the right direction at all, or should I rather start reading 
up on how accounting works or something else?

Really, I'm good with an RTFM as long as you could point me to where to look :)

(Oh, I'm using 2.1.10, but plan to update to 2.1.11 in the near future).

Thanks!

tamas


Re: Questions about status counters

2011-08-12 Thread Arran Cudbard-Bell
Here might be a start...

https://github.com/alandekok/freeradius-server/tree/master/scripts/snmp-proxy

-Arran



Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


Re: Questions about status counters

2011-08-12 Thread Alan DeKok
Tamás Becz wrote:
 1) Is there some documentation on the values I got there? I of course see 
 dictionary.freeradius, and the names are pretty self-explanatory, but we all 
 know the devil is in the details :)

  The values are taken from the SNMP MIBs for RADIUS.  See doc/rfc/

 2) If I understand well, then these counters are simply monotonically 
 increasing values. I can live with that of course, and do the math. I just 
 like to see if my assumption is correct.

  Yes.  That's what the MIBs say.

 3) Also, I see that if the server is restarted, the values are reset to 0. 
 Can freeradius be told not to do this, but retain the values? Currently we do 
 restarts on a regular basis now and then, to update a clients.conf file. I 
 suppose I more or less could handle this, but at least would lose the stats 
 that happened after the last check, but before the restart.

  Where?

  You don't need to restart the server to update clients.  See
raddb/sites-available/dynamic-clients, and raddb/modules/dynamic_clients

 4) Am I looking in the right direction at all, or should I rather start 
 reading up on how accounting works or something else?

  It should all work.

 Really, I'm good with an RTFM as long as you could point me to where to look 
 :)
 
 (Oh, I'm using 2.1.10, but plan to update to 2.1.11 in the near future).

  Wait a bit for 2.1.12.

  Alan DeKok.

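Alan's answers above (the counters follow the RADIUS SNMP MIBs, only ever increase, and start again from zero after a restart) are exactly what a Nagios check built on the status server has to cope with. The following is an added example, not FreeRADIUS or Nagios code; the counter names are the FreeRADIUS-Total-* attributes from dictionary.freeradius, the three sample polls are constructed in the 'Attribute = value' form radclient prints, and the warn/crit thresholds are hypothetical.

```python
"""Nagios-style check built on FreeRADIUS status-server counters.

Added example, not FreeRADIUS or Nagios code. The counters are the
FreeRADIUS-Total-* attributes from dictionary.freeradius that a
Status-Server request returns. They only ever increase and go back to
zero when the server restarts, so the check keeps the previous poll,
works on deltas, and treats a drop as a restart rather than as a
negative delta. Sample readings are constructed; thresholds hypothetical.
"""
import re

COUNTER_RE = re.compile(r"^\s*(FreeRADIUS-Total-[\w-]+)\s*=\s*(\d+)\s*$")
REQUESTS = "FreeRADIUS-Total-Access-Requests"
REJECTS = "FreeRADIUS-Total-Access-Rejects"

# Constructed: three successive polls; the third comes after a restart.
POLLS = [
    "FreeRADIUS-Total-Access-Requests = 1000\n"
    "FreeRADIUS-Total-Access-Accepts = 900\n"
    "FreeRADIUS-Total-Access-Rejects = 100\n",

    "FreeRADIUS-Total-Access-Requests = 1500\n"
    "FreeRADIUS-Total-Access-Accepts = 1340\n"
    "FreeRADIUS-Total-Access-Rejects = 160\n",

    "FreeRADIUS-Total-Access-Requests = 60\n"
    "FreeRADIUS-Total-Access-Accepts = 56\n"
    "FreeRADIUS-Total-Access-Rejects = 4\n",
]


def parse_counters(text):
    """Pick the FreeRADIUS-Total-* counters out of radclient-style output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def counter_deltas(previous, current):
    """Increase of each counter since the previous poll, plus a restart flag.

    A counter lower than last time means the server restarted in between.
    Whatever it counted between the previous poll and the restart is gone
    for good; the new reading is the increase since the restart, so that
    is what the interval gets.
    """
    deltas, restarted = {}, False
    for name, value in current.items():
        prev = previous.get(name, 0)
        if value < prev:
            restarted = True
            deltas[name] = value
        else:
            deltas[name] = value - prev
    return deltas, restarted


def reject_rate(deltas):
    """Share of the interval's Access-Requests that were rejected."""
    requests = deltas.get(REQUESTS, 0)
    return deltas.get(REJECTS, 0) / requests if requests else 0.0


def nagios_status(rate, warn=0.10, crit=0.25):
    """Map a reject rate onto the Nagios exit-code convention 0/1/2."""
    if rate >= crit:
        return 2, "CRITICAL"
    if rate >= warn:
        return 1, "WARNING"
    return 0, "OK"


def check(previous_text, current_text, warn=0.10, crit=0.25):
    """Exit code and status line for one poll, given the previous poll's text."""
    deltas, restarted = counter_deltas(parse_counters(previous_text),
                                       parse_counters(current_text))
    rate = reject_rate(deltas)
    code, label = nagios_status(rate, warn, crit)
    note = " (restarted since last poll; counts before the restart lost)" if restarted else ""
    return code, (f"{label}: {deltas.get(REJECTS, 0)} rejects / "
                  f"{deltas.get(REQUESTS, 0)} requests ({rate:.1%}){note}")


if __name__ == "__main__":
    for prev, cur in zip(POLLS, POLLS[1:]):
        print(*check(prev, cur))
```

In a real plugin the previous poll's text is whatever you saved on disk last time, and the current one is the output of a radclient Status-Server query.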

Re: Proxying based on a regex (now with more questions)

2011-08-10 Thread Jacob Dawson
So, according to the docs in proxy.conf and Arran's comment here, the regex 
stuff should work fine…but in 2.1.11, we're not seeing that behavior.  Right 
now, requests are only getting proxied properly if it's an exact match on the 
realm name ( realm hokies {  or realm w2k.vt.edu { ), whereas the regex 
realm syntax doesn't seem to be working at all ( realm ~hokies { or realm 
~.*w2k\\.vt\\.edu { aren't matched).

The first example isn't a huge loss, but not being able to use regex match on 
suffix domains is a real problem.  Regex matching seemed to work in 2.1.9, 
2.1.10, and earlier candidates for 2.1.11, so I'm not coming up with a good 
answer as to why this shouldn't be working now.  I can confirm that the 
Proxy-To-Realm attribute is being correctly set in the control list within the 
authorize stanza.  Am I misinterpreting the instructions, or is this unintended 
behavior? 

Thanks much,
Jacob M. Dawson


On 25 Jul 2011, at 16:37, Arran Cudbard-Bell wrote:

 Sorry only first one is fictitious, second one should work fine :)
 
 -Arran
 
 
 On 25 Jul 2011, at 22:33, Arran Cudbard-Bell wrote:
 
 Impressive, you've both made up entirely fictitious syntaxes for doing 
 proxying... Um anyway.
 
 
 if (User-Name =~ /REGEX/) {
     update control {
         Proxy-To-Realm := 'my_proxy_realm'
     }
 }
 
 Then configure the realm in proxy.conf. Subcapture groups can provide you 
 with parts of the User-Name string and can be accessed using the %{0}, %{1}, 
 %{2}... etc variables
 
 You don't need to do anything if you're just doing local authentication
 
 
 -Arran
 
 On 25 Jul 2011, at 22:20, Sallee, Stephen (Jake) wrote:
 
 We did this through our realms see code:
 
 In your proxy.conf
 
 realm ~.*umhb\\.edu$ {
     ### some code here ###
     ### usually the virtual server you want to proxy them to ###
 }
 
 If I am understanding your question right that should do it, but others may 
 have a better way .. or I could be on crack ...
 
 
 -Original Message-
 From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
 [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] 
 On Behalf Of Charles Plater
 Sent: Monday, July 25, 2011 3:05 PM
 To: freeradius-users@lists.freeradius.org
 Subject: Proxying based on a regex
 
 I'm trying to configure our FreeRadius (2.1.9) server to proxy based on the 
 format of the ID. I have a working regex that determines the domain to 
 which the request should be sent, but I'm having a hard time figuring out 
 the syntax of the proxy statement. Here's what I've tried:
 
 if (User-Name !~ REGEX) {
 proxy: domain.name
 else {
 proxy: LOCAL
 }
 }
 
 FWIW, I can successfully authenticate do the domain.name realm by using 
 use...@domain.name.
 
 Can anyone offer any suggestions? Thanks in advance.
 -- 
 Charles Plater
 Lead Application Technical Analyst
 Internet Services
 +1-313-577-4620
 ab3...@wayne.edu
 
 
 
 
 Arran Cudbard-Bell
 a.cudba...@freeradius.org
 
 RADIUS - Half the complexity of Diameter
 
 
 
 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
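Arran's snippet above sets control:Proxy-To-Realm from an unlang regex on User-Name and lets %{0}, %{1}, ... stand for the subcaptures. The following is an added example and not FreeRADIUS's own realm-matching code: a small Python model of that approach with an ordered rule table, so the effect of the subcapture expansion and of anchoring the pattern can be seen on several user names. The rules and the user names are constructed for the example.

```python
"""
Added example (not from the thread and not FreeRADIUS's realm code): a small
model of Arran's approach, where an unlang 'if (User-Name =~ /REGEX/)' block
sets control:Proxy-To-Realm and %{0}, %{1}, ... expand to the subcaptures.
Rules and user names are constructed for this example.
"""
import re
from typing import List, Optional, Tuple

# (regex tried against User-Name, realm template with %{N} subcaptures),
# evaluated in order with the first match winning.  Both patterns are anchored
# so that a name like 'eve@w2k.vt.edu.evil.example' is not taken for a
# w2k.vt.edu user; an unanchored '.*w2k\.vt\.edu' would accept it.
RULES: List[Tuple[str, str]] = [
    (r"^[^@]+@(?:[a-z0-9-]+\.)*(w2k\.vt\.edu)$", "%{1}"),  # any subdomain -> w2k.vt.edu
    (r"^[^@]+@hokies$", "hokies"),                          # fixed realm name
]

_SUBCAPTURE = re.compile(r"%\{(\d+)\}")


def expand(template: str, match: "re.Match") -> str:
    """Replace %{N} with subcapture N (%{0} is the whole match)."""
    def repl(m: "re.Match") -> str:
        group = match.group(int(m.group(1)))
        return group if group is not None else ""
    return _SUBCAPTURE.sub(repl, template)


def proxy_to_realm(user_name: str, rules=RULES) -> Optional[str]:
    """Realm to put in Proxy-To-Realm, or None to authenticate locally."""
    for pattern, template in rules:
        m = re.search(pattern, user_name)   # unlang =~ is an unanchored search
        if m:
            return expand(template, m)
    return None


if __name__ == "__main__":
    for name in ("alice@lab.w2k.vt.edu", "bob@w2k.vt.edu", "carol@hokies",
                 "dave", "eve@w2k.vt.edu.evil.example"):
        print(f"{name:32} -> {proxy_to_realm(name)}")
```

The realm named by the returned string still has to exist in proxy.conf, exactly as Arran says; the model only covers the decision of which realm a request is sent to. The `$` anchor is the part worth keeping when copying the idea into unlang: without it, any User-Name that merely contains the suffix somewhere would be proxied.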


RADIUS Questions

2011-07-26 Thread Dan
I've been running FreeRadius 2 on Centos 5.5 for a while now. So far so 
good. I'm now looking to make connecting to our WPA secured wireless easier.


The RADIUS server is running in a VM and since the system is in use I 
have copied the original and used that copy to create a test 
environment. I have run through all system updates and have upgraded all 
relevant packages. The test system is at 5.6 now.


Currently with Windows machines I can't just connect to the SSID and 
enter in a username and password. I have to go and manually add the 
SSID, modify some settings; specifically turning off validating server 
certificate, turning off automatically use my Windows login, and turning 
on User or computer authentication mode.


We also have some OS X clients. Fortunately connecting via OS X is 
easier. The catch is that I have to join the machine to our domain. 
After that it's pretty much username and password, and they are on.


Ideally I would like to have a simple connect to this SSID, enter your 
username and password and that's it solution and still have all 
requests checked against our Active Directory server.


On a side note. I'm going through my settings trying to get this working 
more smoothly and I ran across:


wbinfo --a user%password (yes I'm adding in my username and pass)

plaintext password authentication succeeded
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
error messsage was: winbind client not authorized to use 
winbindd_pam_auth_crap. Ensure permissions on 
/var/cache/samba/winbindd_privileged are set correctly.

Could not authenticate user MYUSERNAME with challenge/response

I know the 2 error lines are permissions related. I'm not sure what the 
permissions should be on this file/folder. Can someone let me know this?


The tutorial from FreeRadius says that I should get output similar to:

plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error message was: No such user
Could not authenticate user CHSchwartz%mypassword with plaintext password

Yet

ntlm_auth --request-nt-key --domain=MYDOMAIN --username=MYUSERNAME
NT_STATUS_OK: Success (0x0)

So the Auth is working. I don't understand though why my AD server is 
letting cleartext passwords through. It shouldn't right?


Any help would be greatly appreciated.

Dan
http://www.liai.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: RADIUS Questions

2011-07-26 Thread Garber, Neal
You didn't give much information regarding your
environment, so some of the responses below are
based upon assumptions: that you manage all devices
that are connecting, that they are joined to your
A/D domain and that you are using the Windows
supplicant.  

You haven't said what version of Windows you
are running and what version of FreeRADIUS
you are running!

 Currently with Windows machines I can't just connect to
 the SSID and enter in a username and password. I have 
 to go and manually add the SSID, modify some settings; 

If you are referring to PEAP vs. TLS, that's a Windows XP
issue. XP defaults to TLS and won't connect automatically
if you are using PEAP.  However, you can push wireless
policy to your Windows devices using A/D group policy
and set this up automatically.

 specifically turning off validating server certificate

This is a bad idea as you could be passing your credentials
to someone else's RADIUS server.  It's best to generate a
certificate signed by an internal Certificate Authority
and require a cert signed by that CA in your 802.1x config.
This too can be pushed to Windows devices as part of your
A/D policy assuming they are joined to your domain and
run Windows.

 turning off automatically use my Windows login, and 
 turning on User or computer authentication mode.

Why do you want to use manual authentication as opposed to
automatic?  If the machines that are connecting are joined
to your A/D domain, you may want to consider using machine
authentication. User authentication, in the current release,
doesn't support MS-CHAP password change. Also, user
authentication with the Windows supplicant requires the
presence of cached credentials (because you logon locally 
first and then connect to the wireless network) which may
not match current A/D credentials.

 error messsage was: winbind client not authorized to
 use winbindd_pam_auth_crap. Ensure permissions on 
 /var/cache/samba/winbindd_privileged are set correctly.

Use sudo wbinfo or run it as root if you don't use sudo.
That said, wbinfo isn't used by FreeRADIUS to authenticate
to A/D (ntlm_auth is used for PEAP/MS-CHAPv2).


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RADIUS Questions

2011-07-26 Thread Dan

Garber,

Thanks for your reply.

We do not manage every machine in the building. We allow for users to 
bring in their personal laptops to work and they vary in manufacturer and 
OS. We have machines with Windows versions ranging from XP to 7. Same is 
true with Mac OS X, the oldest version we run is 10.4.11 and the newest 
is 10.6.8. We have some Linux clients but these are all hardwired so they 
aren't a concern.


All of the Macs in our building, that is the ones that aren't personal 
machines, are joined to our domain. The few PC machines that we do 
manage are joined to our AD server but I would say that the vast 
majority of the PCs are not managed and not joined to our AD server. All 
Windows systems--XP through 7--have to be set up the way I described 
earlier in order for this to work.


I don't think that I'm using the supplicant but I could be wrong. I'm 
running FreeRadius 2.1.7-7.e15 ( I believe this is the latest) with 
freeradius2-krb5-2.1.7-7.e15 and freeradius2-utils-2.1.7-7.e15.


I'm pretty sure I'm using PEAP.

I realize that and I'm going to work on using our wild card cert to 
better secure this. However the question still arises on whether our SSL 
cert will validate properly on a Windows system. When I initially set this up 
I never saw anything regarding an 802.11x config. After updating I seem 
to remember seeing this config file mentioned.


Why do you want to use manual authentication as opposed to
automatic?  If the machines that are connecting are joined
to your A/D domain, you may want to consider using machine
authentication. User authentication, in the current release,
doesn't support MS-CHAP password change. Also, user
authentication with the Windows supplicant requires the
presence of cached credentials (because you logon locally
first and then connect to the wireless network) which may
not match current A/D credentials.

Like I mentioned above not all, actually few machines, are managed via 
our AD server. I would love to change this but it would require far more 
administrative changes that I'm unable to make.


Dan


Like I mentioned our Windows versions vary from XP to 7.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RADIUS Questions

2011-07-26 Thread John Dennis

On 07/26/2011 04:10 PM, Dan wrote:

I'm running FreeRadius 2.1.7-7.e15 ( I believe this is the latest)
with freeradius2-krb5-2.1.7-7.e15 and freeradius2-utils-2.1.7-7.e15.


2.1.7 is the latest in RHEL5. 2.1.11 is the latest from the FreeRADIUS 
project (just released a few weeks ago). Fedora has the latest upstream 
2.1.11, but RHEL does not, why? See:


http://wiki.freeradius.org/Red_Hat_FAQ

We've been rebasing FreeRADIUS in the RHEL versions on average every 
other update cycle, no guarantee though. RHEL is generally not amenable 
to software rebases (i.e. changing to a new upstream version) because 
it's in conflict with RHEL's goal of long term stability. But we've got 
special dispensation for FreeRADIUS because of its high churn rate.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: RADIUS Questions

2011-07-26 Thread Garber, Neal
 I don't think that I'm using the supplicant but I could 
 be wrong. 

The supplicant is the software on the client device that
manages wireless profiles/connections.  If Windows 
controls the wireless connections (Wireless Zero Config service) then you are 
using the Windows supplicant.

 I'm running FreeRadius 2.1.7-7.e15 ( I believe this is the 
 latest) with freeradius2-krb5-2.1.7-7.e15 and freeradius2-
 utils-2.1.7-7.e15.

2.1.7 is old!  2.1.11 is the latest version of FreeRADIUS..

 I'm pretty sure I'm using PEAP.

This would be obvious in the wireless settings on the
device.  

 I realize that and I'm going to work on using our wild 
 card cert to better secure this. However the question 
 still arises on will our SSL cert validate properly on a 
 Windows system. When I initially set this up I never saw 
 anything regarding and 802.11x config. After updating I seem 
 to remember seeing this config file mentioned.

Windows clients require that certain extensions be present
in the certificate (you can thank Microsoft for that - it's
not a FreeRADIUS issue).  If most of the machines are not
joined to your domain and are personal devices and you want
easy access, you'll want to use a certificate signed by a CA
that's in the Windows root CA list.  Just be aware that 
this is not as secure as an internal or self-signed cert.
because any certificate from the CA you choose would be
accepted (even if it's from someone else's RADIUS server);
but, the alternative is that you would need to distribute 
the CA's cert to each user that wants to connect.  

I can't answer your question regarding whether 
your SSL cert will validate properly on Windows because
you haven't said how it was generated. Is it self-signed?
Is it signed by a CA that's in the root CA list of a
device you were using to test?  Does it include the 
required Windows extensions?  There has been considerable
discussion on the mailing list regarding the creation 
of certs that will work with Windows clients.  Google is
your friend (along with the doc inside the FR files).

 Like I mentioned above not all, actually few machines, are 
 managed via our AD server. I would love to change this but it 
 would require far more administrative changes that I'm unable 
 to make.

Makes sense..

 Like I mentioned our Windows versions vary from XP to 7. 

I thought, but can't verify right now, that starting with
Vista, Windows will connect using PEAP without manual 
wireless configuration (i.e., it doesn't assume TLS 
as a default the way XP does). Perhaps your only issue 
with Vista/7 is that the cert doesn't have the required
extensions or isn't signed by a CA that's in the root CA 
list of the device?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: questions about RADIUS-LDAP integrations

2010-08-30 Thread Alan DeKok
mat...@crs4.it wrote:
 I'm using freeradius since 1 month. I'm running freeradius 2.1.9 on
 fedora 13 with EAP-TTLS and PAP inside the tunnel. The users are
 authenticated against OpenLDAP. Even if the password is cleartext (PAP),
 it should be protected by the crypted tunnel. Then the first question is:
 Is this mechanism quite secure or do you suggest using another mechanism?

  It's fine.

 If I'm not wrong, there should be two different methods to get
 authentication with LDAP as backend. The first is just pass the
 credentials to the ldap server and try to authenticate. The second is
 freeradius obtain the password from ldap, strip the header (i.e {crypt}
 ), take the first two characters of the salt and use it to crypt the
 password sent by the . If the two hashes are the same, the user is
 authenticated. In this case which is the best method and how the relevant
 files have to be modified? Should I modify also ldap.attmap?

  The best method is to uncomment the ldap entries in
raddb/sites-enabled/default, and let the server figure it out.

  i.e. Make minimal edits.  *Don't* make a lot of changes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


questions about RADIUS-LDAP integrations

2010-08-29 Thread matteo

Hello list,
I'm using freeradius since 1 month. I'm running freeradius 2.1.9 on  
fedora 13 with EAP-TTLS and PAP inside the tunnel. The users are  
authenticated against OpenLDAP. Even if the password is cleartext  
(PAP), it should be protected by the crypted tunnel. Then the first  
question is:

Is this mechanism quite secure or do you suggest using another mechanism?

If I'm not wrong, there should be two different methods to get  
authentication with LDAP as backend. The first is just pass the  
credentials to the ldap server and try to authenticate. The second is  
freeradius obtain the password from ldap, strip the header (i.e  
{crypt} ), take the first two characters of the salt and use it to  
crypt the password sent by the . If the two hashes are the same, the  
user is authenticated. In this case which is the best method and how  
the relevant files have to be modified? Should I modify also  
ldap.attmap?

Thanks a lot.
Matteo








-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
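The "second method" Matteo describes in both the question and Alan's quoted reply, where the server fetches the LDAP userPassword value, strips the {crypt} header, reuses the stored salt and compares hashes, is worth seeing worked through once. The following is an added example, not rlm_ldap or rlm_pap code and not part of the thread: it verifies a PAP password against a scheme-prefixed userPassword value for {SSHA}, {SHA}, cleartext and (where the platform's crypt(3) is available) {CRYPT}. The stored values are constructed for the example.

```python
"""
Added example (not from the thread, not rlm_ldap/rlm_pap code): what the
"second method" amounts to once the server holds the LDAP userPassword
value.  The scheme prefix ({SSHA}, {SHA}, {CRYPT}, or none for cleartext)
says how to hash the PAP password before comparing.  For {CRYPT} the stored
hash doubles as the salt: traditional DES crypt reads its two-character
salt from the front of it, as Matteo says.

All stored values below are constructed; {CRYPT} needs Python's crypt
module (absent on Windows and removed in Python 3.13).
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

try:
    import crypt  # thin wrapper around the platform's crypt(3)
except ImportError:  # pragma: no cover
    crypt = None


def split_scheme(stored: str) -> Tuple[str, str]:
    """'{SSHA}abc...' -> ('SSHA', 'abc...'); no prefix means cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEAR", stored


def make_sha(password: str) -> str:
    """Unsalted {SHA} value (RFC 2307 style)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(candidate: str, stored: str) -> bool:
    """True if the PAP password matches the stored userPassword value."""
    scheme, payload = split_scheme(stored)
    pw = candidate.encode("utf-8")
    if scheme == "CLEAR":
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(payload))
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]        # a SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "CRYPT":
        if crypt is None:
            raise RuntimeError("{CRYPT} needs crypt(3), unavailable on this platform")
        # crypt(3) takes its salt (for DES: the first two chars) from the stored hash
        rehashed = crypt.crypt(candidate, payload)
        return rehashed is not None and hmac.compare_digest(rehashed, payload)
    raise ValueError(f"unsupported userPassword scheme {{{scheme}}}")


if __name__ == "__main__":
    stored = make_ssha("s3cret", b"abcd")   # constructed directory entry
    print(stored, verify_password("s3cret", stored), verify_password("wrong", stored))
```

Two things the example makes visible that the prose does not: the comparison is done with a constant-time compare, and the scheme prefix is matched case-insensitively because directories store it both ways. This is also why Alan's advice to enable the default ldap entries and change nothing else works: the server already knows these prefixes, whereas the first method (binding to LDAP as the user) never sees the hash at all.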


Quick IPv6 related questions

2010-08-03 Thread Panagiotis Georgopoulos
Hello all,

I am running FreeRadius 2.1.8 with two NAS clients and a
couple of end devices being authenticated successfully with EAP-TTLS. My
setup was running just fine on IPv4 and I would like to jump to IPv6. My
first trial seems ok, but not ideal, so here are my IPv6 related questions :

a)  Why am I seeing in my radius -X output lines as the following : 

++[detail] returns ok
[unix] IPv6 is not supported!
++[unix] returns noop
rlm_radutmp: IPv6 not supported!
++[radutmp] returns noop

What could trigger that IPv6 is not supported output? Is there something
that might be going wrong, because clients get authenticated successfully as
far as I can tell but I am afraid that something else might be broken.

b)  My FreeRadius machine has an easy to remember IPv6 address e.g.
2001:a::1 and NAS clients are using this to send packets to FR. However it
seems that FR is configuring another IPv6 address from the router
advertisements that it gets from the access network. The problem is that
when this happens FR replies to NAS with packets coming from the
autoconfigured address as source and thus breaks the setup as NAS are
waiting packets from 2001:a::1. Is there a way to force FR to generate
packets coming from the manually configured IP (2001:a::1) ?

c)   Is there a plan to get a dual stack FreeRadius? It would be really
advantageous to be able to run FreeRadius in both ipv4 and ipv6 at the same
time.

Thanks a lot in advance,

Panos

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Quick IPv6 related questions

2010-08-03 Thread Alan DeKok
Panagiotis Georgopoulos wrote:
 a)  Why am I seeing in my radius -X output lines as the following :  
 
 [unix] IPv6 is not supported!

  The unix module stores user login information into a wtmp style
file.  It doesn't support IPv6.

 rlm_radutmp: IPv6 not supported!

  Same thing here.  It stores user login information into a utmp style
file.  It doesn't support IPv6.

 What could trigger that “IPv6 is not supported” output? Is there
 something that might be going wrong, because clients get authenticated
 successfully as far as I can tell but I am afraid that something else
 might be broken.

  If you don't use radlast and radwho, you can delete the unix and
radutmp entries from the accounting section.

  Nothing else will be affected.

 b)  My FreeRadius machine has “an easy to remember” IPv6 address
 e.g. 2001:a::1 and NAS clients are using this to send packets to FR.
 However it seems that FR is configuring another IPv6 address from the
 router advertisements that it gets from the access network.

  No.  FreeRADIUS doesn't configure IPv6 addresses.  Your OS does.

 The problem
 is that when this happens FR replies to NAS with packets coming from the
 autoconfigured address as source and thus breaks the setup as NAS are
 waiting packets from 2001:a::1. Is there a way to force FR to generate
 packets coming from the manually configured IP (2001:a::1) ?

  Update the listen section to bind to that specific IP.

 c)   Is there a plan to get a dual stack FreeRadius? It would be
 really advantageous to be able to run FreeRadius in both ipv4 and ipv6
 at the same time.

  Uh... it's *already* dual stack.  You are running it dual stack right now.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Quick IPv6 related questions

2010-08-03 Thread Panagiotis Georgopoulos
Hello Alan,

Thanks for your replies, they are helpful. 

Regarding the last question...

  c)   Is there a plan to get a dual stack FreeRadius? It would be
  really advantageous to be able to run FreeRadius in both ipv4 and
 ipv6 at the same time.
 
   Uh... it's *already* dual stack.  You are running it dual stack right
 now.
 

I guess the emphasis on my question above is on *at the same time*. 

Now radiusd.conf explicitly says : 

#  OR, you can use an IPv6 address, but not both
#  at the same time.

In other words FR to listen to both an IPv4 and an IPv6 address 
simultaneously for ipv4 and ipv6 NAS clients.

Cheers,
Panos






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Quick IPv6 related questions

2010-08-03 Thread Alan DeKok
Panagiotis Georgopoulos wrote:
   I guess the emphasis on my question above is on *at the same time*. 
 
   Now radiusd.conf explicitly says : 
 
   #  OR, you can use an IPv6 address, but not both
   #  at the same time.
 
   In other words FR to listen to both an IPv4 and an IPv6 address 
 simultaneously for ipv4 and ipv6 NAS clients.

  You cannot have one listen section accept packets on BOTH IPv4 and
IPv6 addresses.

  You CAN have two listen sections, one accepting IPv4, and one
accepting IPv6.

  Just like you can have two listen sections, one for authentication,
and the other for accounting.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Quick IPv6 related questions

2010-08-03 Thread Panagiotis Georgopoulos
Hi Alan,

 
Very Useful, thanks a lot,
Panos


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Quick IPv6 related questions

2010-08-03 Thread Alan Buxey
Hi,

   In other words FR to listen to both an IPv4 and an IPv6 address 
 simultaneously for ipv4 and ipv6 NAS clients.

simply define another virtual server...exactly the same as default, but listening 
to the IPv6 instead?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Some questions about freeradius for WiMAX

2010-06-14 Thread Ben Wiechman
Since I see this from time to time I've attached a fairly functional virtual
server and policy for use with a WiMAX ASN-GW. 

Some notes:
- You may want to merge some of the configuration files
(dictionary/policy.conf/etc) to avoid overwriting any site local updates
that already exist.
- We use EAP-TTLS so this is more tested, however EAP-TLS should be more or
less functional.
- Configure your requests from your ASN-GW to use this virtual server.

HA-RK and associated lifetimes need to be calculated using some method of
your choice. We don't use Mobile IP or a Home Agent so I have not developed
policy to calculate and retrieve the required key context. Note that at this
time FR is not able to properly generate the RRQ-MN-HA-Key and will not be
able to do so without code updates.

It has been my experience while testing several different ASN-GWs that using
the standard default/inner-tunnel virtual servers will result in a
successful network entry. Some ASN-GWs may require additional work, and if
you plan to use MIP you will have additional requirements to generate and
retrieve the appropriate key context. 

Ben


freeradius-wimax-policy.tar.gz
Description: Binary data
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Some questions about freeradius for WiMAX

2010-06-08 Thread WWF
Hi,all! 

I have several questions about fr 2.19 for WiMAX systems. 

1. My network is a private network and does not need accounting. Then if I reply 
access accept with Accounting-capabilities = 0, whether the ms can know about 
it and won't send accounting packets to my freeradius? 

2. How to set values for these attributes: 
WiMAX-AAA-Session-ID = ?  
WiMAX-HA-RK-SPI = ?  
WiMAX-HA-RK-Lifetime = ?  

3. How to add support for the Error-Cause attribute defined in rfc 3576. It 
seems no code for it in current implementation of 2.1.9 fr.

4. What the disconnect request message for? (for accounting?) I found in wiki 
that current implementation does not support this message.

Thanks for your reply.

2010-06-08 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Some questions about freeradius for WiMAX

2010-06-08 Thread Alan DeKok
WWF wrote:
 Hi,all! 
 
 I have several questions about fr 2.19 for WiMAX systems. 
 
 1. My network is a private network and does not need accounting. Then if I 
 reply access accept with Accounting-capabilities = 0, whether the ms can 
 know about it and won't send accounting packets to my freeradius? 

  Read your NAS (ASN-GW) documentation to see how it behaves.

 2. How to set values for these attributes: 
 WiMAX-AAA-Session-ID = ?  
 WiMAX-HA-RK-SPI = ?  
 WiMAX-HA-RK-Lifetime = ?  

  You need to invent values for those attributes, and set them using the
normal server methods.

 3. How to add support for the Error-Cause attribute defined in rfc 3576. It 
 seems no code for it in current implementation of 2.1.9 fr.

  Because you need to set the error-cause.  The server doesn't do this.

 4. What the disconnect request message for? (for accounting?) I found in 
 wiki that current implementation does not support this message.

  2.1.9 supports disconnect.  It's for disconnecting users.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radreply and proxied packet questions

2009-08-26 Thread mikoi

Hi.
I have an installation with Freeradius and MySQL and have a few question.

1. Values in radreply seem to be ignored from the reply to AAA-client when
proxying packets?
Is this by design or have I configured something wrong?

2. Is it possible to do this in the post-proxy section of
/sites-enabled/default?
If Access-accept is received from backend server, return per user values
from radreply table
If Access-reject is received, reject the user and send no attributes.
If the above is possible, can someone give me an example of how this is to
be configured?
how the if, then, else should/could look like?

Thanks in advance.
/Mika



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radreply and proxied packet questions

2009-08-26 Thread Ivan Kalik
 1. Values in radreply seem to be ignored from the reply to AAA-client when
 proxying packets?
 Is this by design or have I configured something wrong?

You should do it in post-proxy.

 2. Is it possible to do this in the post-proxy section of
 /sites-enabled/default?

Yes. List sql.authorize there.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radreply and proxied packet questions

2009-08-26 Thread mikoi

 2. Is it possible to do this in the post-proxy section of
 /sites-enabled/default?

Yes. List sql.authorize there.

I am sorry Ivan, I don't understand your answer.
What do you mean by listing sql.authorize?
Is sql.authorize a module or file formatted in a special way?
Or is it just to add a line with sql.authorize in the post-proxy section?
Thanks again.
/newbie



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radreply and proxied packet questions

2009-08-26 Thread Ivan Kalik

 2. Is it possible to do this in the post-proxy section of
 /sites-enabled/default?

Yes. List sql.authorize there.

 I am sorry Ivan, I don't understand your answer.
 What do you mean by listing sql.authorize?
 Is sql.authorize a module or file formatted in a special way?

It is the part of the sql module called when sql is listed in authorize
section.

 Or is it just to add a line with sql.authorize in the post-proxy section?

Yes.

Ivan Kalik
Kalik Informatika ISP

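
Putting Ivan's answer together with the three requirements in the original question, here is what the post-proxy section of sites-enabled/default can look like on 2.x. This is an added example, not configuration from the thread. It assumes the sql module instance is named sql and that the per-user reply items live in radreply as in the default schema. The reason authorize-time radreply values vanish on proxied requests is that the server discards the reply list accumulated so far when the home server's answer arrives, so the values have to be added after that point, which is what post-proxy is for.

```unlang
post-proxy {
	#  Added example, not from the thread.  Keep whatever is already in
	#  this section (the stock 2.x file lists eap here).
	eap

	#  Only add the user's radreply values when the home server accepted
	#  the user.  %{proxy-reply:Packet-Type} expands to the name of the
	#  reply code.  On a timeout (Post-Proxy-Type Fail) there is no
	#  proxy-reply at all, the expansion is empty, the comparison is false
	#  and nothing is added.
	if ("%{proxy-reply:Packet-Type}" == "Access-Accept") {
		sql.authorize
	}
	else {
		#  Access-Reject or no reply: add nothing, so the NAS receives
		#  the bare reject from the home server.
		noop
	}
}
```

sql.authorize in post-proxy behaves exactly as it does in authorize, so radcheck items are still compared against the request and radgroupreply values are still applied according to read_groups and Fall-Through; if only the radreply rows are wanted, check that the user has no radcheck rows that would stop the lookup.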

rlm_perl authorization/authentication and %RAD_CONFIG questions

2009-04-29 Thread dorkusmonkey
  I am running FreeRADIUS Version 2.1.5, for host i686-pc-linux-gnu,
have successfully configured rlm_perl and have it working with a
modified example.pl file.  I have noticed that the authorize callback
in example.pl gets called before the authentication callback.  From
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg01706.html
, this looks like this is expected behavior.  I apologize if I am
missing something, but shouldn't authentication come before
authorization?  Shouldn't those two functions be called in reverse
order?

  Also, I would like to pass in some configuration parameters to the
example.pl script.  I assume that is what the %RAD_CONFIG variable is
there for, but I cannot seem to get anything meaningful into that hash
( as a test, I print out all hash keys for %RAD_CONFIG whenever a
callback in the example.pl is called, and all I can see is a null
valued 'Auth-Type' field ).  I looked briefly at the source, but
nothing jumped out at me as being obviously associated with
configuration values and the %RAD_CONFIG variable.  I was hoping
someone could tell me how to get access to configuration value pairs
from the example.pl file (hopefully without parsing the files myself
from within the perl script) or at the very least point me in the
right direction in the source so that I can figure this out myself.

Thank you,
dorkusmonkey


Re: rlm_perl authorization/authentication and %RAD_CONFIG questions

2009-04-29 Thread Alan DeKok
dorkusmonkey wrote:
   I am running FreeRADIUS Version 2.1.5, for host i686-pc-linux-gnu,
 have successfully configured rlm_perl and have it working with a
 modified example.pl file.  I have noticed that the authorize callback
 in example.pl gets called before the authentication callback.  From
 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg01706.html
 , this looks like this is expected behavior.  I apologize if I am
 missing something, but shouldn't authentication come before
 authorization?  Shouldn't those two functions be called in reverse
 order?

  The names are there for historical reasons.  The original version of
FreeRADIUS had only two processing sections: authenticate and authorize.
 Later versions added more sections, but did not change the
functionality of the existing sections.

  i.e. Do not get worried about the names.  They are just names.  There
is a pre-authentication process, an authentication process, and a
post-authentication process.

   Also, I would like to pass in some configuration parameters to the
 example.pl script.  I assume that is what the %RAD_CONFIG variable is
 there for, but I cannot seem to get anything meaningful into that hash
 ( as a test, I print out all hash keys for %RAD_CONFIG whenever a
 callback in the example.pl is called, and all I can see is a null
 valued 'Auth-Type' field ).

  Huh?  The field shouldn't be NULL.  Ever.

  I looked briefly at the source, but
 nothing jumped out at me as being obviously associated with
 configuration values and the %RAD_CONFIG variable.  I was hoping
 someone could tell me how to get access to configuration value pairs
 from the example.pl file (hopefully without parsing the files myself
 from within the perl script) or at the very least point me in the
 right direction in the source so that I can figure this out myself.

  It looks like you're accessing the pairs that exist.

  What *else* did you expect to see there?

  Alan DeKok.
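
One way to get site-specific settings into the script without parsing files from Perl, as an added example rather than anything from the thread: %RAD_CONFIG is rlm_perl's view of the request's control (check-item) list, so anything placed in that list before the perl module runs is visible to the script under the attribute's name. Tmp-String-0 is used here as the carrier attribute, the path is a made-up value, and the module instance is assumed to have the default name perl.

```unlang
authorize {
	#  Added example, not from the thread.  Put the value the script
	#  needs into the control list before calling rlm_perl.  Inside
	#  example.pl it is then available as $RAD_CONFIG{'Tmp-String-0'}.
	#  The path is an assumed value.
	update control {
		Tmp-String-0 := "/etc/raddb/example-settings.conf"
	}
	perl
}
```

Because the control list is per request, the same mechanism can carry values that differ per NAS or per realm (set them inside an if block before the perl call), which a static configuration file could not.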


Re: questions regarding sql xlat

2009-04-20 Thread Arran Cudbard-Bell

Uwe Kastens wrote:
 Hello list,

 I am trying to use some internal database function to calculate the
 Session-Timeout.

 If I set the value for Session-Timeout to an integer like 123, it's
 correctly delivered as the answer to my request.

 If I try to use sql xlat I will get the answer:
 Error: rlm_sql: Failed to create the pair: Unknown value %{sql:SELECT
 disctime.time FROM `disctime` WHERE disctime.user = %{User-Name}}   for
 attribute Session-Timeout
 Sun Apr 19 20:11:03 2009 : Error: rlm_sql (sql): Error getting data from
 database

 I tried several different things: use a select statement to query the
 integer directly. It ends up in the same error. I am using:

*sigh* single quotation marks around %{User-Name}, it's still a string
remember
 - freeradius: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu,
 built on Sep  7 2008 at 23:35:34
 - Debian GNU/Linux 5.0 (lenny)
 -  postgresql 8.3.7-0lenny1

 BR

 Uwe







Re: questions regarding sql xlat

2009-04-20 Thread Uwe Kastens
Arran,


 If I try to use sql xlat I will get the answer:
 Error: rlm_sql: Failed to create the pair: Unknown value %{sql:SELECT
 disctime.time FROM `disctime` WHERE disctime.user = %{User-Name}}   for
 attribute Session-Timeout
 Sun Apr 19 20:11:03 2009 : Error: rlm_sql (sql): Error getting data from
 database
 
 I tried several different things: use a select statement to query the
 integer directly. It ends up in the same error. I am using:
 
 *sigh* single quotation marks around %{User-Name}, it's still a string
 remember

So this should work? ATM I am nearly sure that this could never work,
since the 1st query will deliver the string, that rlm_sql should expand
with another query.

But it would be great if it will work :-)

BR

Uwe
-- 

kiste lat: 54.322684, lon: 10.13586


Re: questions regarding sql xlat

2009-04-20 Thread Arran Cudbard-Bell

On 20/4/09 09:34, Uwe Kastens wrote:

Arran,



If I try to use sql xlat I will get the answer:
Error: rlm_sql: Failed to create the pair: Unknown value %{sql:SELECT
disctime.time FROM `disctime` WHERE disctime.user = %{User-Name}}   for
attribute Session-Timeout
Sun Apr 19 20:11:03 2009 : Error: rlm_sql (sql): Error getting data from
database
I tried several different things: use a select statement to query the
integer directly. It ends up in the same error. I am using:

*sigh* single quotation marks around %{User-Name}, it's still a string
remember


So this should work? ATM I am nearly sure that this could never work,
since the 1st query will deliver the string, that rlm_sql should expand
with another query.

But it would be great if it will work :-)


rlm_sql does recursive xlat, all xlat expansions in the SQL query are 
done before the query string is passed off to the SQL libraries. The 
xlat parser is just looking for a string bounded by %{ }.


Your query should be:
%{sql:SELECT disctime.time FROM `disctime` WHERE disctime.user = 
'%{User-Name}'}


It's not a problem in FreeRADIUS it's a problem in your SQL syntax :)

Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


fixed = Re: questions regarding sql xlat

2009-04-20 Thread Uwe Kastens
Hi list,


 So this should work? ATM I am nearly sure that this could never work,
 since the 1st query will deliver the string, that rlm_sql should expand
 with another query.

 But it would be great if it will work :-)
 
 rlm_sql does recursive xlat, all xlat expansions in the SQL query are
 done before the query string is passed off to the SQL libraries. The
 xlat parser is just looking for a string bounded by %{ }.
 
 Your query should be:
 %{sql:SELECT disctime.time FROM `disctime` WHERE disctime.user =
 '%{User-Name}'}
 
 It's not a problem in FreeRADIUS it's a problem in your SQL syntax :)

Both :-)

I missed some backticks:

`%{sql: select sessionto('%{User-Name}') }`

is working. sessionto is a postgres function which calculates the
session-timeout.

Thanks

BR

uwe
-- 

kiste lat: 54.322684, lon: 10.13586
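
The same lookup done from unlang rather than from a value stored in radreply, as an added example that is neither Uwe's nor Arran's configuration. It uses Uwe's PostgreSQL function sessionto, assumed to return an integer or NULL, and the default sql module instance name sql. Two points worth knowing when the value inside the query comes from the request: rlm_sql runs every attribute expanded inside %{sql:...} through its escape function, which replaces each character outside the module's safe_characters setting with an =XX escape, so a quoted '%{User-Name}' cannot terminate the string literal; and an empty result (unknown user, NULL from the function) fails to parse as an integer if it is assigned to Session-Timeout directly, which is the same "Failed to create the pair" error seen above.

```unlang
authorize {
	#  Added example, not from the thread.  Pull the per-user timeout
	#  into a temporary string attribute first, so an empty result does
	#  not fail the integer parse.  sessionto() is the poster's own
	#  database function; its return type is assumed to be integer.
	update control {
		Tmp-String-0 := "%{sql:SELECT sessionto('%{User-Name}')}"
	}

	#  Only set Session-Timeout when the lookup produced a plain number.
	if (control:Tmp-String-0 =~ /^[0-9]+$/) {
		update reply {
			Session-Timeout := "%{control:Tmp-String-0}"
		}
	}
}
```

Keeping the query in the server configuration rather than in a radreply row also means the SQL text is owned by whoever controls raddb, not by whoever can write to the reply table.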


questions regarding sql xlat

2009-04-19 Thread Uwe Kastens
Hello list,

I am trying to use some internal database function to calculate the
Session-Timeout.

If I set the value for Session-Timeout to an integer like 123, it's
correctly delivered as the answer to my request.

If I try to use sql xlat I will get the answer:
Error: rlm_sql: Failed to create the pair: Unknown value %{sql:SELECT
disctime.time FROM `disctime` WHERE disctime.user = %{User-Name}}   for
attribute Session-Timeout
Sun Apr 19 20:11:03 2009 : Error: rlm_sql (sql): Error getting data from
database

I tried several different things: use a select statement to query the
integer directly. It ends up in the same error. I am using:

- freeradius: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu,
built on Sep  7 2008 at 23:35:34
- Debian GNU/Linux 5.0 (lenny)
-  postgresql 8.3.7-0lenny1

BR

Uwe



-- 

kiste lat: 54.322684, lon: 10.13586


Freeradius 2 , TTLS/PAP, multiples questions

2009-04-17 Thread Jérôme BERTHIER

Hi,

I'm trying to configure Freeradius 2 to implement the EAP/TTLS-PAP 
authentication method on my Cisco AP1242. It works, but I'd like some 
clarification so I can keep the configuration files as small as possible.

What is the shortest way to configure it ?
authorize {
   preprocess
   auth_log
   suffix
   eap {
   ok = return
   }
   files
   ldap
   pap
}

authenticate {
   Auth-Type PAP {
   pap
   }
   Auth-Type LDAP {
   ldap
   }
   eap
}
Are the lines correct ?

Moreover, I've got trouble to implement few functions.
First, what's the right way to implement check for Simultaneous-Use ? 
For cisco nas type, Freeradius seems to use snmp check but where should 
I configure SNMP read community in order to make it possible ?


Then, during the EAP process, is it possible to check whether the inner identity 
equals the outer identity and, if not, to reject the request?


Finally, I've got problem with NetworkManager under Fedora 9 (not tested 
on other distribution). If Session resumption / fast reauthentication 
cache  is not enabled, clients can't reassociate and ask for session 
resumption again. Is there a workaround ?


Thanks

--
Jérôme BERTHIER
Network administrator
INRIA Bordeaux - Sud-Ouest
Service des Moyens Informatiques
05 24 57 40 50





Re: Freeradius 2 , TTLS/PAP, multiples questions

2009-04-17 Thread Alan DeKok
Jérôme BERTHIER wrote:
 I'm trying to configure Freeradius 2 to implement the EAP/TTLS-PAP
 authentication method on my Cisco AP1242. It works, but I'd like some
 clarification so I can keep the configuration files as small as possible.

  Why?  It's not like there are any CPU / memory / disk issues with
having the files 10K larger than their optimal size.

 What is the shortest way to configure it ?

  Have test cases for what you need.  Delete modules until the test
cases fail.  Then, ensure that only those modules are in the configuration.

 First, what's the right way to implement check for Simultaneous-Use ?
 For cisco nas type, Freeradius seems to use snmp check but where should
 I configure SNMP read community in order to make it possible ?

  In the checkrad script.

 Then, during the EAP process, is it possible to check whether the inner identity
 equals the outer identity and, if not, to reject the request?

  Yes.  See man unlang.  You can check inner/outer attributes.

 Finally, I've got problem with NetworkManager under Fedora 9 (not tested
 on other distribution). If Session resumption / fast reauthentication
 cache  is not enabled, clients can't reassociate and ask for session
 resumption again. Is there a workaround ?

  What does that mean?  if session resumption isn't enabled, clients
ask for session resumption ?

  Alan DeKok.

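
A concrete form of the inner/outer check Alan points to, as an added example rather than anything from the thread. It belongs in the authorize section of the inner-tunnel virtual server (sites-enabled/inner-tunnel) on 2.x, where User-Name is the TTLS-PAP inner identity and outer.request:User-Name is the identity the NAS saw in the outer EAP exchange. It accepts either an identical outer identity or an anonymous outer identity of the form anonymous@realm, which is the usual privacy-preserving TTLS setup; the anonymous@ prefix is an assumption, adjust it to what your supplicants send.

```unlang
authorize {
	#  Added example, not from the thread.  Reject tunnelled requests
	#  whose inner identity differs from the outer identity, unless the
	#  outer identity is deliberately anonymous (assumed form:
	#  anonymous@realm).  The outer identity is attacker-chosen, so it
	#  must never be trusted on its own for authorization decisions.
	if (("%{outer.request:User-Name}" !~ /^anonymous@/) && ("%{outer.request:User-Name}" != "%{User-Name}")) {
		update reply {
			Reply-Message := "inner and outer identity mismatch"
		}
		reject
	}

	#  The rest of the inner-tunnel authorize section (suffix, files,
	#  ldap, pap, ...) follows unchanged.
}
```

If realms are stripped by suffix in the outer server, compare the realm part of both identities rather than the whole string, since the inner User-Name may already have had its realm removed by the time this runs.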


Re: Freeradius 2 , TTLS/PAP, multiples questions

2009-04-17 Thread Jérôme BERTHIER

Alan DeKok a écrit :

Jérôme BERTHIER wrote:
  

I'm trying to configure Freeradius 2 to implement the EAP/TTLS-PAP
authentication method on my Cisco AP1242. It works, but I'd like some
clarification so I can keep the configuration files as small as possible.



  Why?  It's not like there are any CPU / memory / disk issues with
having the files 10K larger than their optimal size.

  

Files could be read more easily. :-)

First, what's the right way to implement check for Simultaneous-Use ?
For cisco nas type, Freeradius seems to use snmp check but where should
I configure SNMP read community in order to make it possible ?



  In the checkrad script.
  

OK
  

Then, during the EAP process, is it possible to check whether the inner identity
equals the outer identity and, if not, to reject the request?



  Yes.  See man unlang.  You can check inner/outer attributes.
  

OK I'm going to read this man page.

Finally, I've got problem with NetworkManager under Fedora 9 (not tested
on other distribution). If Session resumption / fast reauthentication
cache  is not enabled, clients can't reassociate and ask for session
resumption again. Is there a workaround ?



  What does that mean?  if session resumption isn't enabled, clients
ask for session resumption ?
  
Sorry. It means that when the NAS asks for reauthentication (after the 
reauth-period timeout has expired), clients won't stop trying to 
re-connect using the session resumption option, again and again.

Here, an extract from freeradius debug :
[ttls] eaptls_process returned 3
[ttls] Skipping Phase2 due to session resumption
[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.

This problem is not present with the Windows SecureW2 client, because fast 
reauthentication is an option there. On NetworkManager, I can't find any 
similar option.


Thanks

--
Jérôme BERTHIER
INRIA Bordeaux - Sud-Ouest
Service des Moyens Informatiques
05 24 57 40 50





Re: Freeradius 2 , TTLS/PAP, multiples questions

2009-04-17 Thread Alan DeKok
Jérôme BERTHIER wrote:
 Sorry. It means that when the NAS asks for reauthentication (after the
 reauth-period timeout has expired), clients won't stop trying to
 re-connect using the session resumption option, again and again.
 Here, an extract from freeradius debug :
 [ttls] eaptls_process returned 3
 [ttls] Skipping Phase2 due to session resumption
 [ttls] FAIL: Forcibly stopping session resumption as it is not allowed.

  What's reauth-period?

  If the session cache is enabled, then the entries should be deleted
after lifetime hours.  Once the entries are deleted, they will not be
in the cache, and attempts to re-use the cached session should cause a
re-negotiation.

  Alan DeKok.


Re: Freeradius 2 , TTLS/PAP, multiples questions

2009-04-17 Thread Jérôme BERTHIER

Alan DeKok a écrit :

Jérôme BERTHIER wrote:
  

Sorry. It means that when the NAS asks for reauthentication (after the
reauth-period timeout has expired), clients won't stop trying to
re-connect using the session resumption option, again and again.
Here, an extract from freeradius debug :
[ttls] eaptls_process returned 3
[ttls] Skipping Phase2 due to session resumption
[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.



  What's reauth-period?

  If the session cache is enabled, then the entries should be deleted
after lifetime hours.  Once the entries are deleted, they will not be
in the cache, and attempts to re-use the cached session should cause a
re-negotiation.

  Alan DeKok.
reauth-period is a NAS parameter. It specifies the period after which 
reauthentication is needed.
When no cache is enabled on the RADIUS server (eap.conf / cache / enable=no), 
clients using NetworkManager are not able to re-negotiate 
authentication because they keep trying to resume their session. 
I can't find any option to fix that on the client.


--
Jérôme BERTHIER
INRIA Bordeaux - Sud-Ouest
Service des Moyens Informatiques
05 24 57 40 50





Re: Freeradius 2 , TTLS/PAP, multiples questions

2009-04-17 Thread Alan DeKok
Jérôme BERTHIER wrote:
 When no cache is enabled on the RADIUS server (eap.conf / cache / enable=no),
 clients using NetworkManager are not able to re-negotiate
 authentication because they keep trying to resume their session.

  Maybe I'm missing something... those clients worked with 2.0.5, didn't
they?

  If you disable the session cache, then OpenSSL should tell the clients
during SSL negotiation that sessions can't be resumed.  FreeRADIUS sets
the no cache flag in OpenSSL.

  But... that flag wasn't set in earlier versions of FreeRADIUS.  So
maybe setting it causes OpenSSL to *allow* session resumption?

  I don't know... OpenSSL is *weird*.

  Alan DeKok.


proxy setup questions

2009-04-02 Thread Dallas Helquist
freeradius version: 1.0.1 (Centos4)

I have the need to proxy requests based on @domain.com to different
radius servers.  I thought this would be fairly simple after reading
proxy.conf, but I must be missing something!

Here's the relevant portion of my proxy.conf:

realm test.com {
type = radius
authhost = 10.19.3.8:1812
accthost = LOCAL
secret = testing123
}

realm test2.com {
type = radius
authost = 10.19.3.9:1812
accthost = LOCAL
secret = testing123
}

When testing via radtest using t...@test.com the expected behavior
happens - I see the request proxied to 1.1.1.1:

SNIP
rad_recv: Access-Request packet from host 127.0.0.1:53468, id=229, length=65
User-Name = t...@test.com
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 123
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
rlm_realm: Looking up realm test.com for User-Name = t...@test.com
rlm_realm: Found realm test.com
rlm_realm: Adding Stripped-User-Name = test
rlm_realm: Proxying request from user test to realm test.com
rlm_realm: Adding Realm = test.com
rlm_realm: Preparing to proxy authentication request to realm
test.com
SNIP
Sending Access-Request of id 0 to 10.19.3.8:1812
User-Name = test
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 123
Proxy-State = 0x323239

Great!

Now I try it with t...@test2.com:

rad_recv: Access-Request packet from host 127.0.0.1:53482, id=7, length=66
User-Name = t...@test2.com
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 123
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
rlm_realm: Looking up realm test2.com for User-Name = t...@test2.com
rlm_realm: Found realm test2.com
rlm_realm: Adding Stripped-User-Name = test
rlm_realm: Proxying request from user test to realm test2.com
rlm_realm: Adding Realm = test2.com
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0

Why would it make the Authentication realm LOCAL?  If I move the realm
test2.com above test.com in proxy.conf, then test2.com works and test.com
doesn't.

Can someone point me in the right direction?  I've read the included
doc/proxy, proxy.conf and the online wiki sections on proxy.  It seems so
simple, yet I can't seem to figure it out!

Thanks in advance.

-dallas


Re: proxy setup questions

2009-04-02 Thread Alexander Clouter
Dallas Helquist dal...@oldbrownjeep.net wrote:

 freeradius version: 1.0.1 (Centos4)

http://freeradius.org/getting.html

2004, a fine vintage...

Cheers

-- 
Alexander Clouter
.sigmonster says: Sex is like air.  It's only a big deal if you can't get any.



Re: proxy setup questions

2009-04-02 Thread Arran Cudbard-Bell

On 2/4/09 19:22, Alexander Clouter wrote:

Dallas Helquistdal...@oldbrownjeep.net  wrote:

freeradius version: 1.0.1 (Centos4)


http://freeradius.org/getting.html

2004, a fine vintage...

Cheers

You know a guy at NW was making a good point when he said that a lot of 
the enterprise Linux stuff runs with packages of software *years* out of 
date, and how it was annoying that users on the FR list would only shout 
UPGRADE when presented with a version anything older than the latest 
point release.


But hell if you can't figure out how to set up a compiler and build the 
thing from source, should you really be managing such a complex bit of 
software :).


--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: proxy setup questions

2009-04-02 Thread Dallas Helquist
Alexander Clouter wrote:
 Dallas Helquist dal...@oldbrownjeep.net wrote:
 freeradius version: 1.0.1 (Centos4)

 http://freeradius.org/getting.html
 
 2004, a fine vintage...

Agreed, but I try to avoid using packages not included with whatever
distribution a machine is running.  I'm not opposed to using src when
necessary, but it makes it more of a pita to maintain long term for me.

Does anyone know for sure whether proxying is borked in 1.0.1 (Redhat
EL 4/Centos 4)?  I can't find any conclusive searches saying it is, so
I'm more inclined to think I've screwed up something somewhere!

-dallas

SNIP


Re: proxy setup questions

2009-04-02 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 You know a guy at NW was making a good point when he said that a lot of
 the enterprise Linux stuff runs with packages of software *years* out of
 date, and how it was annoying that users on the FR list would only shout
 UPGRADE when presented with a version anything older than the latest
 point release.

  Tough.  If he's chosen to run software that's no longer supported,
that's his problem.

  If he's buying support for an enterprise Linux distribution then
THEY can support the old version of the server.  If he's willing to pay,
he can click on the support link on freeradius.org.

  Otherwise... upgrade.

 But hell if you can't figure out how to set up a compiler and build the
 thing from source, should you really be managing such a complex bit of
 software :).

  The official story for not upgrading is usually either lack of
support, or consistency of the system.  The responses are:

  a) Great!  Buy support from someone (OS vendor, etc.)
 If not, good luck getting the problem fixed.

  b) Live with a system that's consistent, but doesn't do what you want,
and isn't supported.

  Alan DeKok.


Re: proxy setup questions

2009-04-02 Thread Alan DeKok
Dallas Helquist wrote:
 Agreed, but I try to avoid using packages not included with whatever
 distribution a machine is running.  I'm not opposed to using src when
 necessary, but it makes it more of a pita to maintain long term for me.

  Huh?  The server comes with sample spec files.  You can create your
own packages, and install those.

 Does anyone know for sure whether proxying is borked in 1.0.1 (Redhat
 EL 4/Centos 4)?  I can't find any conclusive searches saying it is, so
 I'm more inclined to think I've screwed up something somewhere!

  Proxying works in 1.0.1.

  Alan DeKok.


Re: proxy setup questions

2009-04-02 Thread A . L . M . Buxey
Hi,

 Here's the relevant portion of my proxy.conf:

although old, proxying works in 1.0.1.

the bit that doesn't work here is when you say
'relevant portion' - no, it's not the relevant portion
at all - you've got something else going on in proxy.conf.
Please supply the whole file - I don't care if you obfuscate
IP addresses, realms and secrets.

alan


Re: proxy setup questions

2009-04-02 Thread tnt
Dallas Helquist wrote:
 Agreed, but I try to avoid using packages not included with whatever
 distribution a machine is running.  I'm not opposed to using src when
 necessary, but it makes it more of a pita to maintain long term for me.

  Huh?  The server comes with sample spec files.  You can create your
own packages, and install those.


http://wiki.freeradius.org/Red_Hat_FAQ#How_to_build_an_SRPM

Ivan Kalik
Kalik Informatika ISP



Re: proxy setup questions

2009-04-02 Thread Dallas Helquist
a.l.m.bu...@lboro.ac.uk wrote:
 Hi,
 
 Here's the relevant portion of my proxy.conf:
 
 although old, proxying works in 1.0.1.
 
 the bit that doesn't work here is when you say
 'relevant portion' - no, it's not the relevant portion
 at all - you've got something else going on in proxy.conf.
 Please supply the whole file - I don't care if you obfuscate
 IP addresses, realms and secrets.
 

Here is the full proxy.conf file.  A few minor changes from what I
posted earlier (realm names changed, accthost changed).

## begin proxy.conf
proxy server {
synchronous = yes
retry_delay = 5
retry_count = 3
dead_time = 60
default_fallback = no
post_proxy_authorize = yes
}


realm test.com {
type = radius
authhost = 10.19.3.8:1812
accthost = 10.19.3.8:1813
secret = testing123
}

realm blah.com {
type = radius
authost = 10.19.3.9:1812
accthost = 10.19.3.9:1813
secret = testing123
}

realm LOCAL {
type= radius
authhost= LOCAL
accthost= LOCAL
}

## end proxy.conf
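
One thing to check before suspecting the 1.0.1 proxy code: in both versions of the file posted in this thread, the second realm block spells its directive authost, while the first realm and the documentation use authhost. A realm for which no authhost is set is handled as local authentication, which is exactly what the debug line "rlm_realm: Authentication realm is LOCAL." reports for the second realm; that this typo is the cause is an inference from the posted output, not something the thread confirms. Below is the second realm block rewritten with the directive spelled correctly, as an added example in the same 1.x proxy.conf syntax, with the other values unchanged.

```text
# Added example, not from the thread: the second realm from the posted
# proxy.conf with "authost" corrected to "authhost".  Nothing else changes.
realm blah.com {
	type     = radius
	authhost = 10.19.3.9:1812
	accthost = 10.19.3.9:1813
	secret   = testing123
}
```

A quick way to catch this class of mistake is to list every directive name in the file and look for anything that is not one of the documented ones, for example with grep -n "=" proxy.conf; a misspelled directive in a 1.x realm block is silently ignored rather than rejected, so the server starts cleanly and the realm quietly falls back to LOCAL.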


Re: proxy questions

2009-03-26 Thread Sebastien Boucher
thanks !!

unfortunately i was not the one who installed our current freeradius
and i have to add that i am quickly learning how to use it :)

i installed v2.x on another server works like a charm .. but i have to
make it work on the current one for the moment, would adding an entry
in the users file help ?

thanks again

seb

On Wed, Mar 25, 2009 at 1:17 PM, Alan DeKok al...@deployingradius.com wrote:
 Sebastien Boucher wrote:
 thanks for your answer alan,

 i do want our users to be authenticated by LDAP ( and it works fine )
 .. but my question now is where do i change the config to tell it not
 to use ldap for the IPASS realm or what document or man page do i need
 to read.

  In 2.1, the unlang manual page explains how to conditionally call
 modules.

  Alan DeKok.




Re: proxy questions

2009-03-26 Thread tnt
unfortunately i was not the one who installed our current freeradius
and i have to add that i am quickly learning how to use it :)

i installed v2.x on another server works like a charm .. but i have to
make it work on the current one for the moment, would adding an entry
in the users file help ?


In old version you had to make Autz-Types and force them in users file.
It's nowhere near what unlang can do.

Ivan Kalik
Kalik Informatika ISP


