Re: Realm attribute population

2013-07-25 Thread Phil Mayers

On 25/07/13 10:43, stefan.pae...@diamond.ac.uk wrote:

Alan,

https://confluence.terena.org/display/H2eduroam/freeradius-sp implies that after v2.1.9, 
"%{Realm}" would contain "DEFAULT", not whatever the realm extracted from 
User-Name was, when used in logging... Hence my question.

Of course, if this is no longer an issue, then I'll happily amend our instructions to 
leave the DEFAULT realm as-is. Also, when I wrote "DEFAULT {}", it was a 
shortening (for the sake of brevity) of:

realm DEFAULT {
authhost = blah
etc etc etc
}

I was just trying to save some lines and extraneous text here.


IMHO you're much better off avoiding the "realm" module, and handling 
the processing yourself in unlang, particularly if you're using an 
eduroam or other federation. This lets "Realm" and "Proxy-To-Realm" be 
different values, and allows extended checking to be done on the realm value.


We do something like this:

authorize {
  if (User-Name =~ /^(.*)@(.+)$/) {
    update request {
      Stripped-User-Name := "%{1}"
      Realm := "%{toupper:%{2}}"
    }
    if ((Realm == "MY.REALM1") || (Realm == "MY.REALM2")) {
      update control {
        Proxy-To-Realm := "MYREALM"
      }
    }
    elsif (Realm !~ /^([-A-Z0-9]+\.)+[-A-Z0-9]+/) {
      # invalid realm format
      reject
    }
    else {
      update control {
        Proxy-To-Realm := "EDUROAM"
      }
    }
  }
  else {
    reject
  }
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
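The authorize policy above as a testable model, added here as my own Python and not Phil's config or FreeRADIUS code: it applies the same split and format regexes and the same routing decision to constructed sample User-Names, and adds an optional end-anchored format check (my addition) to show what the unanchored one accepts.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy data, mirroring the names in the post: two realms that
# are handled locally and a catch-all federation target for everything else.
LOCAL_REALMS = {"MY.REALM1", "MY.REALM2"}
LOCAL_TARGET = "MYREALM"
FEDERATION_TARGET = "EDUROAM"

# The same regexes as the unlang above.  The split regex is greedy, so a
# User-Name containing several '@' is split at the LAST one.
SPLIT_RE = re.compile(r"^(.*)@(.+)$")
# Phil's format check has no '$' anchor, so it only constrains the START of
# the realm; the anchored variant below is my own addition for comparison.
FORMAT_RE_UNANCHORED = re.compile(r"^([-A-Z0-9]+\.)+[-A-Z0-9]+")
FORMAT_RE_ANCHORED = re.compile(r"^([-A-Z0-9]+\.)+[-A-Z0-9]+$")


@dataclass
class Decision:
    action: str                            # "proxy" or "reject"
    stripped_user_name: Optional[str] = None
    realm: Optional[str] = None            # request:Realm, upper-cased as %{toupper:...}
    proxy_to_realm: Optional[str] = None   # control:Proxy-To-Realm
    reason: str = ""


def authorize(user_name: str, anchored: bool = False) -> Decision:
    """Model of the authorize{} block: split User-Name and route on the realm."""
    m = SPLIT_RE.match(user_name)
    if not m:
        # the final else { reject }: no '@' at all, or an empty realm
        return Decision("reject", reason="no realm in User-Name")
    stripped, realm = m.group(1), m.group(2).upper()
    if realm in LOCAL_REALMS:
        return Decision("proxy", stripped, realm, LOCAL_TARGET, "local realm")
    fmt = FORMAT_RE_ANCHORED if anchored else FORMAT_RE_UNANCHORED
    if not fmt.match(realm):
        # elsif (Realm !~ ...) { reject }
        return Decision("reject", stripped, realm, reason="invalid realm format")
    return Decision("proxy", stripped, realm, FEDERATION_TARGET, "federation realm")


if __name__ == "__main__":
    # Constructed sample User-Names, including the edge cases worth knowing about.
    for name in ("alice@my.realm1", "bob@example.org", "carol", "x@",
                 "a@b@example.org", "dave@example.org junk", "eve@localhost"):
        print(f"{name!r:28} unanchored={authorize(name).action:6} "
              f"anchored={authorize(name, anchored=True).action:6} "
              f"-> {authorize(name).proxy_to_realm}")
```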


RE: Realm attribute population

2013-07-25 Thread stefan.paetow
Alan, 

https://confluence.terena.org/display/H2eduroam/freeradius-sp implies that 
after v2.1.9, "%{Realm}" would contain "DEFAULT", not whatever the realm 
extracted from User-Name was, when used in logging... Hence my question. 

Of course, if this is no longer an issue, then I'll happily amend our 
instructions to leave the DEFAULT realm as-is. Also, when I wrote "DEFAULT {}", 
it was a shortening (for the sake of brevity) of: 

realm DEFAULT { 
   authhost = blah
   etc etc etc
}

I was just trying to save some lines and extraneous text here. 

Stefan


> -Original Message-
> From: freeradius-users-
> bounces+stefan.paetow=diamond.ac...@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of
> Alan DeKok
> Sent: 25 July 2013 01:47
> To: FreeRadius users mailing list
> Subject: Re: Realm attribute population
> 
> stefan.pae...@diamond.ac.uk wrote:
> > After FreeRADIUS 2.10, we had to replace the DEFAULT {} stanza with
> the below in proxy.conf to ensure that the Realm attribute was
> correctly populated:
> 
>   Huh?  That's wrong.  The DEFAULT realm works just fine.
> 
>   And it's not "DEFAULT {}".  See raddb/proxy.conf for details.
> 
>   Alan DeKok.

-- 
This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 





Re: Realm attribute population

2013-07-24 Thread Alan DeKok
stefan.pae...@diamond.ac.uk wrote:
> After FreeRADIUS 2.10, we had to replace the DEFAULT {} stanza with the below 
> in proxy.conf to ensure that the Realm attribute was correctly populated:

  Huh?  That's wrong.  The DEFAULT realm works just fine.

  And it's not "DEFAULT {}".  See raddb/proxy.conf for details.

  Alan DeKok.


Realm attribute population

2013-07-24 Thread stefan.paetow
Hi,

After FreeRADIUS 2.10, we had to replace the DEFAULT {} stanza with the below 
in proxy.conf to ensure that the Realm attribute was correctly populated:

realm "~.+$" {
authhost = "host to deal with other realms"
:
:
}

Is that still necessary for FR 3.0? I'm just updating some of our internal 
documentation here and wanted to make sure that I don't add extraneous stuff 
when it's not necessary.

:-)

Stefan Paetow
Software Engineer
+44 1235 778812
Diamond Light Source Ltd.
Diamond House, Harwell Science and Innovation Campus
Didcot, Oxfordshire, OX11 0DE









Re: 3.0 regex realm syntax

2013-07-12 Thread Alan DeKok
Brian Julin wrote:
> Would it require too much tokenization witchdoctoring to make:
> 
> realm /regexp\.edu/ {
> }
> 
> ...work?

  No.  We'll wait for 3.0.1, though.

> Also I find a note in my config file comments about some regexp
> availability in the "hints" file being in-transition and so not
> to use it, but cannot remember what that was about, it has been
> so long, and there seems to be no example in the stock configs.

  I don't recall.

> I'm looking forward to finally bumping to 3.0 on our non-RadSec
> servers as soon as things look to test out right and we can tell
> the boss that the package is supported on our distro.  We'll
> be getting rid of a LOT of cruft in config files during the
> process due to the many new ease-of-use features.  Things
> are sure looking up :-)

  Yup.  And there's a LOT more to come.

  Alan DeKok.


3.0 regex realm syntax

2013-07-12 Thread Brian Julin

It seems to be last call for refactoring some of the user-visible
config items that are easier to change when bumping a major
rev number.  The syntax for regexp-based realms has always
struck me as a bit hinky:

realm "~regexp\\.edu" {
}

Would it require too much tokenization witchdoctoring to make:

realm /regexp\.edu/ {
}

...work?

Also I find a note in my config file comments about some regexp
availability in the "hints" file being in-transition and so not
to use it, but cannot remember what that was about, it has been
so long, and there seems to be no example in the stock configs.

I'm looking forward to finally bumping to 3.0 on our non-RadSec
servers as soon as things look to test out right and we can tell
the boss that the package is supported on our distro.  We'll
be getting rid of a LOT of cruft in config files during the
process due to the many new ease-of-use features.  Things
are sure looking up :-)

--
Brian S. Julin
Network Administrator
Clark University




Reject a specific realm from a client

2013-07-11 Thread David Aldwinckle
Hello,

I have two clients that proxy access requests to me. The realm varies, but the 
format is always userid@realm.whatever

Is there a way that I can deny a specific realm when an access request is 
received from a specific client?

I tried adding something to policy.conf but I couldn't get the syntax right:

# Prevent secretrealm from logging in off-campus.
# A policy defined here only runs if it is listed in the authorize section
# of the virtual server, after the module that sets Realm (e.g. "suffix").
remote_secret_reject {
    if (("%{Realm}" == "secretrealm.ca") && ((Client-Shortname == "proxy-client1") || (Client-Shortname == "proxy-client2"))) {
        reject
    }
}

Is there a different way that I should be doing this?

Thanks,
Dave

Dave Aldwinckle
Network Support Specialist
Information Systems and Technology
Phone: (519)-888-4567 ext. 31145
E-Mail: daldw...@uwaterloo.ca<mailto:daldw...@uwaterloo.ca>


Re: stripping the realm

2013-06-10 Thread Alan DeKok
Ross wrote:
> Ok, so where do I set up the realm and then strip the realm?  I'm using
> mysql.
> Some assistance would be greatly appreciated :)

  All realms are defined in raddb/proxy.conf.  This is documented.

  Alan DeKok.


Re: stripping the realm

2013-06-10 Thread Ross
Answering my own question: it's in dialup.conf

root@chronos:~# vim /etc/freeradius/sql/mysql/dialup.conf

Uncomment this line;
sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"




###
#  Query config:  Username
###
# This is the username that will get substituted, escaped, and added
# as attribute 'SQL-User-Name'.  '%{SQL-User-Name}' should be used below
# everywhere a username substitution is needed so you can be sure
# the username passed from the client is escaped properly.
#
#  Uncomment the next line, if you want the sql_user_name to mean:
#
#Use Stripped-User-Name, if it's there.
#Else use User-Name, if it's there,
#Else use hard-coded string "DEFAULT" as the user name.
sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
#
# The stock default, commented out so that the fallback line above is the one in effect:
#sql_user_name = "%{User-Name}"


Thanks me :)


On Mon, Jun 10, 2013 at 9:20 AM, Ross  wrote:

>
> On 09/06/2013 11:01 PM, "Alan DeKok"  wrote:
> >
> > geebs wrote:
> > > I don't recall having to set up a realm in previous installs.
> >
> >   You always had to set up a realm in previous installs.
> >
> >   Alan DeKok.
>
> Ok, so where do I set up the realm and then strip the realm?  I'm using
> mysql.
> Some assistance would be greatly appreciated :)
>

Re: stripping the realm

2013-06-09 Thread Ross
On 09/06/2013 11:01 PM, "Alan DeKok"  wrote:
>
> geebs wrote:
> > I don't recall having to set up a realm in previous installs.
>
>   You always had to set up a realm in previous installs.
>
>   Alan DeKok.

Ok, so where do I set up the realm and then strip the realm?  I'm using
mysql.
Some assistance would be greatly appreciated :)

Re: stripping the realm

2013-06-09 Thread Alan DeKok
geebs wrote:
> I don't recall having to set up a realm in previous installs.

  You always had to set up a realm in previous installs.

  Alan DeKok.


stripping the realm

2013-06-09 Thread geebs
Hello,

Not sure what I'm missing here; I seem not to be able to get this to work.
One of those things: I've done it many times, yet I think I've missed a step.
This server is used to authenticate PPPoE connections on a Cisco router.

I just want FreeRADIUS to strip the realm every time.


Debian Wheezy
 freeradius -XX
Sun Jun  9 16:43:58 2013 : Info: FreeRADIUS Version 2.1.12, for host
x86_64-pc-linux-gnu, built on Dec 16 2012 at 13:28:43


It works fine without a realm, returns all the right values;

root@chronos:/etc/freeradius# radtest testaccount test1234 localhost 0
testing123
Sending Access-Request of id 95 to 127.0.0.1 port 1812
User-Name = "testaccount"
User-Password = "test1234"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=95,
length=56
Framed-IP-Address = 10.8.13.19
Tunnel-Type:0 = L2TP
Tunnel-Medium-Type:0 = IPv4
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
root@chronos:/etc/freeradius#




With a realm, no good.

rad_recv: Access-Request packet from host 127.0.0.1 port 52011, id=44,
length=92
User-Name = "testacco...@domain.com"
User-Password = "test1234"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x6c233bef9def046c0b422486e2aef3a1
Sun Jun  9 16:46:05 2013 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Sun Jun  9 16:46:05 2013 : Info: +- entering group authorize {...}
Sun Jun  9 16:46:05 2013 : Info: ++[preprocess] returns ok
Sun Jun  9 16:46:05 2013 : Info: ++[chap] returns noop
Sun Jun  9 16:46:05 2013 : Info: ++[mschap] returns noop
Sun Jun  9 16:46:05 2013 : Info: ++[digest] returns noop
Sun Jun  9 16:46:05 2013 : Info: [suffix] Looking up realm "domain.com" for
User-Name = "testacco...@domain.com"
Sun Jun  9 16:46:05 2013 : Info: [suffix] No such realm "domain.com"
Sun Jun  9 16:46:05 2013 : Info: ++[suffix] returns noop
Sun Jun  9 16:46:05 2013 : Info: [eap] No EAP-Message, not doing EAP
Sun Jun  9 16:46:05 2013 : Info: ++[eap] returns noop
Sun Jun  9 16:46:05 2013 : Info: ++[files] returns noop
Sun Jun  9 16:46:05 2013 : Info: [sql]  expand: %{User-Name} ->
testacco...@domain.com
Sun Jun  9 16:46:05 2013 : Info: [sql] sql_set_user escaped user --> '
testacco...@domain.com'
Sun Jun  9 16:46:05 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 3
Sun Jun  9 16:46:05 2013 : Info: [sql]  expand: SELECT id, username,
attribute, value, op   FROM radcheck   WHERE username =
'%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute,
value, op   FROM radcheck   WHERE username = '
testacco...@domain.com'   ORDER BY id
Sun Jun  9 16:46:05 2013 : Info: [sql]  expand: SELECT groupname
FROM radusergroup   WHERE username = '%{SQL-User-Name}'
ORDER BY priority -> SELECT groupname   FROM radusergroup
WHERE username = 'testacco...@domain.com'   ORDER BY priority
Sun Jun  9 16:46:05 2013 : Debug: rlm_sql (sql): Released sql socket id: 3
Sun Jun  9 16:46:05 2013 : Info: [sql] User testacco...@domain.com not found
Sun Jun  9 16:46:05 2013 : Info: ++[sql] returns notfound
Sun Jun  9 16:46:05 2013 : Info: ++[expiration] returns noop
Sun Jun  9 16:46:05 2013 : Info: ++[logintime] returns noop
Sun Jun  9 16:46:05 2013 : Info: [pap] WARNING! No "known good" password
found for the user.  Authentication may fail because of this.
Sun Jun  9 16:46:05 2013 : Info: ++[pap] returns noop
Sun Jun  9 16:46:05 2013 : Info: ERROR: No authenticate method (Auth-Type)
found for the request: Rejecting the user
Sun Jun  9 16:46:05 2013 : Info: Failed to authenticate the user.
Sun Jun  9 16:46:05 2013 : Info: Using Post-Auth-Type Reject
Sun Jun  9 16:46:05 2013 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Sun Jun  9 16:46:05 2013 : Info: +- entering group REJECT {...}
Sun Jun  9 16:46:05 2013 : Info: [attr_filter.access_reject]expand:
%{User-Name} -> testacco...@domain.com
Sun Jun  9 16:46:05 2013 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Sun Jun  9 16:46:05 2013 : Info: ++[attr_filter.access_reject] returns
updated
Sun Jun  9 16:46:05 2013 : Info: Delaying reject of request 0 for 1 seconds
Sun Jun  9 16:46:05 2013 : Debug: Going to the next request
Sun Jun  9 16:46:05 2013 : Debug: Waking up in 0.9 seconds.
Sun Jun  9 16:46:06 2013 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 44 to 127.0.0.1 port 52011
Sun Jun  9 16:46:06 2013 : Debug: Waking up in 4.9 seconds.


I don't recall having to set up a realm in previous installs.
However, I used to use an older version of FreeRADIUS.

Thanks in advance :)
Jules.

Trying to do proxy using realm and 2 VS

2013-03-28 Thread Vincent, Fabien
Hi all,

I'm currently working on a fresh FreeRADIUS 2.x install, in order to separate 
RADIUS auth for administrators (firewall, router & switch administration) 
and customer access (SSL VPN / IPsec).

My first try was to rewrite all the config into virtual servers (previously, 
everything was written into radiusd.conf :().

So what I did:

[root@server   /etc/raddb]$ ll sites-enabled/
total 0
lrwxrwxrwx. 1 root root 33 Mar 19 12:01 administrator -> 
/etc/raddb/sites-available/administrator
lrwxrwxrwx. 1 root root 43 Mar 26 18:16 customer -> 
/etc/raddb/sites-available/coreye_customers

These are my two VSs:

server administrator {
    # Authenticate / Authorize listener
    listen {
        ipaddr = *
        port = 1600
        type = auth
    }
    # Accounting listener
    listen {
        ipaddr = *
        port = 1601
        type = acct
    }
    [...]


server customer {

    # Authenticate / Authorize listener
    listen {
        ipaddr = *
        port = 1602
        type = auth
    }
    # Accounting listener
    listen {
        ipaddr = *
        port = 1603
        type = acct
    }
    [...]

And in order to proxy, I want to forward depending on the realm 
(proxy.conf):

# Regular-expression realm names need the leading "~"; without it the
# name is matched literally and ".*customer$" never matches anything.
realm "~.*customer$" {
    virtual_server = customer
}

realm "~.*admin$" {
    virtual_server = administrator
}

realm NULL {
    virtual_server = administrator
}


But when logging into RADIUS, it works for the VS administrator (login admin or 
user@admin), but if I try using login@customer, it's never proxied to the virtual 
server customer.

I tried the different methods shown on the mailing list, but no luck, it 
never works ...

Proxy to realm in the authorize section:
if (Realm == "customer") {
    update control {
        Proxy-To-Realm := "customer"
    }
}

Not working ... The request is always handled by the administrator VS.
I also tried the dynamic clients example with 
FreeRADIUS-Client-Virtual-Server = "customer", but that's not working either.

I suspect the problem is located in my NAS MySQL table, where the "server" column is 
forced to the virtual server "administrator".

Is there anything I missed? What's the best solution for this kind of 
configuration when the NAS clients are stored in a MySQL DB and some of them 
could be used by different virtual servers? What is the best way to have a 
single RADIUS server IP and two different virtual servers with two different 
sets of rules?

Thanks in advance for your help !

Fabien VINCENT
http://www.coreye.fr<http://www.coreye.fr/>



Re: DEFAULT realm proxy fail over

2013-02-21 Thread Alan DeKok
Bertalan Voros wrote:
> There is a freeradius server that is proxying every mschapv2 request to
> a homeserver using the DEFAULT realm.
> 
> The same server is also handling EAP requests and then proxying the
> inner request through the DEFAULT realm.
> 
> Is it possible to set up fail-over using two home servers in this scenario?

  Yes.  You configure fail-over as documented in proxy.conf.

  Do you have a *specific* question about it?

  Alan DeKok.


DEFAULT realm proxy fail over

2013-02-21 Thread Bertalan Voros
Hello All,

I would like to get help with the following.

There is a freeradius server that is proxying every mschapv2 request to a
homeserver using the DEFAULT realm.

The same server is also handling EAP requests and then proxying the inner
request through the DEFAULT realm.

Is it possible to set up fail-over using two home servers in this scenario?

Thank you and best regards,

Bertalan Voros

Re: pb with realm

2013-02-07 Thread Hocine M

I've done it... it seems to be working.
Thanks a lot.

On 06/02/2013 11:40, Phil Mayers wrote:

On 06/02/13 10:03, Hocine M wrote:

Hi ,

I have a problem with some user proxied.

In  the accounting-request the username is stripped and realm is NULL.

Why is the realm lost?


The User-Name in the accounting packets is overridden by the User-Name 
in the Access-Accept. In your case, your upstream proxy is returning a 
bare username in the Accept:



rad_recv: Access-Accept packet from host 193.51.224.109 port 1812,
id=223, length=182
 User-Name = "pierre.dupont\000"


...which you then send back to the NAS:


Sending Access-Accept of id 13 to 192.168.58.5 port 20007
 User-Name = "pierre.dupont\000"


You can (and indeed, should) use a piece of "unlang" to re-insert / 
validate the realm in this case; we have this config:


post-proxy {

    # Clean up the reply username
    if (proxy-reply:User-Name =~ /^(.*)@.*/) {
        # rewrite user@anything to user@theauthrealm
        # i.e. we don't trust the reply realm
        update proxy-reply {
            User-Name := "%{1}@%{Realm}"
        }
    }
    elsif (proxy-reply:User-Name) {
        # no @, i.e. no realm in the reply username
        # append the realm used for forwarding
        update proxy-reply {
            User-Name := "%{proxy-reply:User-Name}@%{Realm}"
        }
    }
    else {
        # no reply username at all. add one
        update proxy-reply {
            User-Name := "%{request:User-Name}"
        }
    }
}

Re: pb with realm

2013-02-06 Thread Phil Mayers

On 06/02/13 10:03, Hocine M wrote:

Hi ,

I have a problem with some user proxied.

In  the accounting-request the username is stripped and realm is NULL.

Why is the realm lost?


The User-Name in the accounting packets is overridden by the User-Name 
in the Access-Accept. In your case, your upstream proxy is returning a 
bare username in the Accept:



rad_recv: Access-Accept packet from host 193.51.224.109 port 1812,
id=223, length=182
 User-Name = "pierre.dupont\000"


...which you then send back to the NAS:


Sending Access-Accept of id 13 to 192.168.58.5 port 20007
 User-Name = "pierre.dupont\000"


You can (and indeed, should) use a piece of "unlang" to re-insert / 
validate the realm in this case; we have this config:


post-proxy {

    # Clean up the reply username
    if (proxy-reply:User-Name =~ /^(.*)@.*/) {
        # rewrite user@anything to user@theauthrealm
        # i.e. we don't trust the reply realm
        update proxy-reply {
            User-Name := "%{1}@%{Realm}"
        }
    }
    elsif (proxy-reply:User-Name) {
        # no @, i.e. no realm in the reply username
        # append the realm used for forwarding
        update proxy-reply {
            User-Name := "%{proxy-reply:User-Name}@%{Realm}"
        }
    }
    else {
        # no reply username at all. add one
        update proxy-reply {
            User-Name := "%{request:User-Name}"
        }
    }
}
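The post-proxy rewrite above as a testable model, added here as my own Python rather than Phil's config: it reproduces the three branches, shows why a bare reply User-Name loses the realm in accounting, and adds a trailing-NUL strip (my addition) for replies like the "pierre.dupont\000" in the log; the realm "example.fr" is a constructed value.

```python
import re
from typing import Optional

# Same regex as the post-proxy block: everything before the LAST '@'.
REPLY_RE = re.compile(r"^(.*)@.*")


def normalize(name: Optional[str]) -> Optional[str]:
    """My addition: the upstream in the thread returned "pierre.dupont\\000";
    drop trailing NULs so the realm is not appended after the NUL."""
    return None if name is None else name.rstrip("\x00")


def clean_reply_user_name(proxy_reply_user_name: Optional[str],
                          request_user_name: str, realm: str) -> str:
    """Model of post-proxy{}: the User-Name that will be sent back to the NAS."""
    name = normalize(proxy_reply_user_name)
    if name is None:
        # else: no reply username at all, so echo the request's
        return request_user_name
    m = REPLY_RE.match(name)
    if m:
        # user@anything -> user@<realm we forwarded to>; the reply realm is not trusted
        return f"{m.group(1)}@{realm}"
    # bare user -> append the realm used for forwarding
    return f"{name}@{realm}"


def accounting_user_name(accept_user_name: Optional[str], request_user_name: str) -> str:
    """Per the post: a NAS puts the User-Name from the Access-Accept, when
    there is one, into its Accounting-Requests, overriding what it sent."""
    return request_user_name if accept_user_name is None else accept_user_name


if __name__ == "__main__":
    # Constructed inputs: the request name, the realm we proxied to, and the
    # three kinds of reply name the post-proxy block has to deal with.
    request, realm = "pierre.dupont@example.fr", "example.fr"
    for reply in ("pierre.dupont\x00", "pierre.dupont@other.example", None):
        cleaned = clean_reply_user_name(reply, request, realm)
        print(f"reply={reply!r:32} raw acct={accounting_user_name(reply, request)!r:28} "
              f"cleaned acct={accounting_user_name(cleaned, request)!r}")
```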


Re: Realm

2013-01-24 Thread Miha


thanks!

MIha

On 1/23/2013 3:58 PM, Phil Mayers wrote:

On 23/01/13 14:47, Miha wrote:

Hi,

my radius client is sending the realm along with the user-name and password. I
cannot disable sending the realm; is it possible to configure radius so that
it will not use the realm with the user-name (user-name@realm)?

[digest] Digest-Attributes look OK. Converting them to something more
usful.
*Digest-User-Name = "018108500"*
*Digest-Realm = "test1.opensips.softnet.si"*
Digest-Nonce = "510001fb0006c9cc728438be21e324f917a5ea234380"
Digest-URI = "sip:+3858...@test1.opensips.test.si"
Digest-Method = "INVITE"
[digest] Adding Auth-Type = DIGEST
++[digest] returns ok
[suffix] Looking up realm "test1.opensips.softnet.si" for User-Name =
*"018108500@test1.opensips.**test.si*"
[suffix] No such realm "test1.opensips.softnet.si"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> *018108500@test1.opensips.**test.si*


Radius will need to check only the user-name (*018108500*).


Sure. The easiest option is something like this:

authorize {
...
if (User-Name =~ /^(.+)@(.+)$/) {
update request {
Stripped-User-Name := "%{1}"
Realm := "%{2}"
}
}
...
}

...and then ensure your SQL/files/whatever modules use an appropriate 
expansion for their "key" value e.g.


sql {
...
sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
...
}

This is the default. So basically, you identify the realm yourself, 
set "Stripped-User-Name", and use that.







Re: Realm

2013-01-23 Thread Russell Mike
On Wed, Jan 23, 2013 at 2:47 PM, Miha  wrote:

>  Hi,
>
> my radius client is sending the realm along with the user-name and password. I
> cannot disable sending the realm; is it possible to configure radius so that it
> will not use the realm with the user-name (user-name@realm)?
>
> i only know that it is function of proxy (realm), if helps. Are you
> including proxy.conf ?
>

R M

Re: Realm

2013-01-23 Thread Phil Mayers

On 23/01/13 14:47, Miha wrote:

Hi,

my radius client is sending the realm along with the user-name and password. I
cannot disable sending the realm; is it possible to configure radius so that
it will not use the realm with the user-name (user-name@realm)?

[digest] Digest-Attributes look OK.  Converting them to something more
usful.
*Digest-User-Name = "018108500"*
*Digest-Realm = "test1.opensips.softnet.si"*
 Digest-Nonce = "510001fb0006c9cc728438be21e324f917a5ea234380"
 Digest-URI = "sip:+3858...@test1.opensips.test.si"
 Digest-Method = "INVITE"
[digest] Adding Auth-Type = DIGEST
++[digest] returns ok
[suffix] Looking up realm "test1.opensips.softnet.si" for User-Name =
*"018108500@test1.opensips.**test.si*"
[suffix] No such realm "test1.opensips.softnet.si"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} -> *018108500@test1.opensips.**test.si*


Radius will need to check only the user-name (*018108500*).


Sure. The easiest option is something like this:

authorize {
  ...
  if (User-Name =~ /^(.+)@(.+)$/) {
update request {
  Stripped-User-Name := "%{1}"
  Realm := "%{2}"
}
  }
  ...
}

...and then ensure your SQL/files/whatever modules use an appropriate 
expansion for their "key" value e.g.


sql {
  ...
  sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
  ...
}

This is the default. So basically, you identify the realm yourself, set 
"Stripped-User-Name", and use that.

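A small expander for the %{...} syntax used in the sql_user_name line above and in the dialup.conf excerpt Ross posted earlier on this page, added here as my own Python rather than FreeRADIUS's xlat code: it handles %{Attr} and nested %{X:-Y} fallbacks and shows that, until Stripped-User-Name is set by the authorize block, the SQL lookup key is the full user@realm string, which is the symptom in the thread.

```python
import re
from typing import Dict

# The expansion from dialup.conf / the sql{} block in the thread.
SQL_USER_NAME = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
# The authorize{} split from the post (non-empty user and non-empty realm).
SPLIT_RE = re.compile(r"^(.+)@(.+)$")


def xlat(template: str, attrs: Dict[str, str]) -> str:
    """Expand %{Attr} and %{X:-Y} (X if it expands non-empty, else Y); both
    sides of ':-' may themselves be %{...} expansions, as in SQL_USER_NAME."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 1)
            out.append(_expand_group(template[i + 2:end], attrs))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def _matching_brace(s: str, open_idx: int) -> int:
    """Index of the '}' that closes the '{' at open_idx (nesting-aware)."""
    depth = 0
    for j in range(open_idx, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError(f"unbalanced %{{...}} in template: {s!r}")


def _expand_group(inner: str, attrs: Dict[str, str]) -> str:
    """Contents of one %{...}: either 'X:-Y' at nesting depth 0, or an attribute name."""
    depth = 0
    for j in range(len(inner) - 1):
        if inner[j] == "{":
            depth += 1
        elif inner[j] == "}":
            depth -= 1
        elif depth == 0 and inner.startswith(":-", j):
            left, right = inner[:j], inner[j + 2:]
            # 2.x writes the left side as a nested %{...}; a bare name is accepted too
            value = xlat(left, attrs) if "%{" in left else attrs.get(left, "")
            return value if value != "" else xlat(right, attrs)
    return attrs.get(inner, "")   # a missing attribute expands to ""


def strip_realm(attrs: Dict[str, str]) -> Dict[str, str]:
    """Model of the authorize{} block: derive Stripped-User-Name and Realm."""
    m = SPLIT_RE.match(attrs.get("User-Name", ""))
    if m:
        attrs = {**attrs, "Stripped-User-Name": m.group(1), "Realm": m.group(2)}
    return attrs


def sql_user_name(attrs: Dict[str, str]) -> str:
    """The value the sql module would substitute for %{SQL-User-Name}."""
    return xlat(SQL_USER_NAME, attrs)


if __name__ == "__main__":
    # Constructed request attributes using the User-Name from the thread's log.
    request = {"User-Name": "018108500@test1.opensips.test.si"}
    print("without authorize split:", sql_user_name(request))
    print("with authorize split:   ", sql_user_name(strip_realm(request)))
    print("no User-Name at all:    ", sql_user_name({}))
```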


Realm

2013-01-23 Thread Miha

Hi,

my radius client is sending the realm along with the user-name and password. I 
cannot disable sending the realm; is it possible to configure radius so that 
it will not use the realm with the user-name (user-name@realm)?


[digest] Digest-Attributes look OK.  Converting them to something more 
usful.

*Digest-User-Name = "018108500"*
*Digest-Realm = "test1.opensips.softnet.si"*
Digest-Nonce = "510001fb0006c9cc728438be21e324f917a5ea234380"
Digest-URI = "sip:+3858...@test1.opensips.test.si"
Digest-Method = "INVITE"
[digest] Adding Auth-Type = DIGEST
++[digest] returns ok
[suffix] Looking up realm "test1.opensips.softnet.si" for User-Name = 
*"018108500@test1.opensips.**test.si*"

[suffix] No such realm "test1.opensips.softnet.si"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} -> *018108500@test1.opensips.**test.si*


Radius will need to check only the user-name (*018108500*).

Thanks!
Miha

Re: Simultaneous Proxy of Acct Messages to two External Radius Servers Using Replicate-To-Realm

2012-12-15 Thread Alan DeKok
Jason Everard wrote:
> We have been trying to get it to work with "Replicate-To-Realm := ISE"
> in the corresponding virtual-server configuration, however it doesn't
> work.

  See the FAQ for "it doesn't work".

  If you want to get replication to work, read raddb/modules/replicate.
 This *IS* documented.

  If you don't have that file, upgrade.

> We are running 2.1.12 currently. Is this maybe a bug that is fixed in 2.2.0?

  Read doc/ChangeLog

  Alan DeKok.


Simultaneous Proxy of Acct Messages to two External Radius Servers Using Replicate-To-Realm

2012-12-10 Thread Jason Everard
We have been trying to get freeradius to work to do something I know works
because I have seen it posted to this list on a few occasions.

We have a Radius NAS (Cisco WLC) that is sending auth data to multiple
Radius servers (not freeradius rather MS NPS and Cisco ACS and Cisco ISE)
Problem is that we have several Radius receivers that need to see all of
the accounting records from the WLC to make decisions re: the 802.11i
session.

So the sole function of the freeradius deployment is to proxy all received
accounting packets to multiple Radius receivers simultaneously.

We have been trying to get it to work with "Replicate-To-Realm := ISE" in
the corresponding virtual-server configuration, however it doesn't work.
The only way we can get the freeradius installation to send accounting
packets to another external radius box is to use "Proxy-To-Realm" which
requires a response from the server and does not seem to send the radius
accounting packets to more than the first realm listed, i.e.

preacct {
    preprocess
    update control {
        Replicate-To-Realm := ISE
        Replicate-To-Realm += BlueCoat
    }
}

Doesn't work at all. However, the following will send the accounting
packets to the ISE realm and NOT to the BlueCoat realm until the ISE realm
is marked dead.

preacct {
    preprocess
    update control {
        Proxy-To-Realm := ISE
        Proxy-To-Realm += BlueCoat
    }
}

We want the Replicate-To-Realm functionality where the behaviour is to
"send-and-forget" and to NOT require an accounting response from either
server and where all packets are sent to ALL realms listed.

We are running 2.1.12 currently. Is this maybe a bug that is fixed in 2.2.0?

Regards,

Jason

Re: No Realm in table radacct

2012-10-22 Thread Fajar A. Nugraha
On Mon, Oct 22, 2012 at 11:13 PM,   wrote:
> Hi Guys,
>
> thank you for your answers. I killed the attribute user-name on my global 
> radius server in post-proxy and post-auth sections by unlang.
>
> Now I have got the full username on my server, because it is not overwritten 
> by other radius communications.
>
> The realm is not in the radacct table of server A. But I know the reason, 
> because FR doesn't know these realms. But that's ok.

Good to know.

>
>>What I don't understand is how come the reply that FR sends STILL contains 
>>User-Name.
>>Reading raddb/attrs and raddb/modules/attr_filter, it looks like FR should 
>>never allow User-Name on Access-Accept.
>>Did you REMOVE attr_filter.post-proxy from raddb/sites-available/default or 
>>whatever virtual server you're using?
>
> Sry, I don't understand the problem. I see more attributes than just 
> user-name. All filters are disabled by default.
> A filter is only for rejecting requests, which are not matching. Right?

No.

And that is the root of your problem: blindly changing config files
without knowing what they're for. Had you left it the way it was in the
first place, you wouldn't have had this problem.

-- 
Fajar


Re: No Realm in table radacct

2012-10-22 Thread xylakant
Hi Guys,

thank you for your answers. I killed the attribute user-name on my global 
radius server in post-proxy and post-auth sections by unlang.

Now I have got the full username on my server, because it is not overwritten by 
other radius communications.

The realm is not in the radacct table of server A. But I know the reason, 
because FR doesn't know these realms. But that's ok.

>What I don't understand is how come the reply that FR sends STILL contains 
>User-Name.
>Reading raddb/attrs and raddb/modules/attr_filter, it looks like FR should 
>never allow User-Name on Access-Accept. 
>Did you REMOVE attr_filter.post-proxy from raddb/sites-available/default or 
>whatever virtual server you're using?

Sorry, I don't understand the problem. I see more attributes than just user-name. 
All filters are disabled by default.
A filter is only for rejecting requests which are not matching. Right?


And sorry again for my bad english. ;-)

Ulf




Re: No Realm in table radacct

2012-10-22 Thread Iliya Peregoudov

Sending Access-Accept of id 188 to 172.16.3.225 port 1814
User-Name = "markus"
MS-MPPE-Recv-Key = 
0x19bfda63662c5eda0d0cfd34c617f262ae8611b10aab33c89598e9478000e667
MS-MPPE-Send-Key = 
0xa653fb00f50ffb9b86c15b777bc4d6807912c23511749aef1d030b87cb3b0619

EAP-Message = 0x03e4
Message-Authenticator = 0x
3Com-Ip-Host-Addr = "123.456.789.012"
Proxy-State = 0x323437
Proxy-State = 0x323132


You should add "nostrip" into your local realm definition:

# raddb/proxy.conf
realm kl-dfki.de {
   nostrip
}




Re: No Realm in table radacct

2012-10-21 Thread Alan Buxey
Long answers available but the short version is local sites want their kit to 
show the real user not the anonymous one but then forget to define policy 
for external requests. Other sites also don't want to receive remote 
accounting packets so strip the realm out so they won't get them.

For proper handling of remote accounting you need to do a lot of extra work. 1, 
you need to handle all the bad stuff that NAS kit can send, so that's above 
and beyond all the local work for your own NAS, then, to keep the realm you need 
to create a lookup table for NAS/CSI to keep the original outer realm so that 
it can be re-applied when stripped accounting usernames come your way.

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.

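As an added example (not code from the list or from FreeRADIUS), here is the bookkeeping Alan describes above modelled in Python so it can be run stand-alone: split the outer User-Name into user and realm, remember the realm per NAS-IP-Address and Calling-Station-Id when the Access-Request is seen, and re-apply it when the NAS later sends accounting with the stripped User-Name it got back in the Access-Accept. The packets, addresses, user names and the DNS-label realm check are constructed assumptions for the example.

```python
"""
Model of the realm bookkeeping discussed on the list, in Python rather than
unlang.  Not FreeRADIUS code: the packet dictionaries, addresses and names
are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed validation rule: a realm must look like a DNS name (labels of
# letters, digits and hyphens joined by dots).
REALM_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")


def is_valid_realm(realm: str) -> bool:
    return bool(REALM_RE.match(realm))


def split_nai(user_name: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' into (stripped user, lower-cased realm).

    Everything after the last '@' is the realm; a name without '@' has no
    realm.  Malformed realms are rejected instead of falling through to a
    DEFAULT realm.  The caller leaves the original User-Name untouched
    (rewriting User-Name breaks EAP); the stripped part is what
    Stripped-User-Name would carry.
    """
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    realm = realm.lower()
    if not user or not is_valid_realm(realm):
        raise ValueError(f"malformed NAI: {user_name!r}")
    return user, realm


def _session_key(packet: dict) -> Tuple[str, str]:
    # NAS-IP-Address and Calling-Station-Id appear in both the Access-Request
    # and the later Accounting-Request from the same NAS, even when the NAS
    # reports the stripped User-Name it received in the Access-Accept.
    return packet["NAS-IP-Address"], packet["Calling-Station-Id"].upper()


@dataclass
class RealmCache:
    """Outer realm per (NAS, client), learned at authentication time."""
    _table: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def learn(self, access_request: dict) -> Optional[str]:
        _user, realm = split_nai(access_request["User-Name"])
        if realm is not None:
            self._table[_session_key(access_request)] = realm
        return realm

    def radacct_row(self, acct_request: dict) -> Dict[str, Optional[str]]:
        """Values for the radacct username/realm columns.

        Uses the realm in the accounting User-Name when present, otherwise
        the one remembered from the Access-Request; None if neither exists.
        """
        user, realm = split_nai(acct_request["User-Name"])
        if realm is None:
            realm = self._table.get(_session_key(acct_request))
        return {
            "acctsessionid": acct_request["Acct-Session-Id"],
            "username": user,
            "realm": realm,
        }


def run_example() -> list:
    """Constructed packets: one NAS authenticates alice@Example.ORG and then
    sends accounting with the stripped name; a second NAS sends accounting
    for a session this server never authenticated."""
    cache = RealmCache()
    access_request = {
        "User-Name": "alice@Example.ORG",
        "NAS-IP-Address": "192.0.2.10",
        "Calling-Station-Id": "00-11-22-33-44-55",
    }
    acct_known = {
        "User-Name": "alice",  # stripped by the home server
        "NAS-IP-Address": "192.0.2.10",
        "Calling-Station-Id": "00-11-22-33-44-55",
        "Acct-Session-Id": "0000000a",
    }
    acct_unknown = {
        "User-Name": "bob",
        "NAS-IP-Address": "192.0.2.20",
        "Calling-Station-Id": "66-77-88-99-AA-BB",
        "Acct-Session-Id": "0000000b",
    }
    cache.learn(access_request)
    return [cache.radacct_row(acct_known), cache.radacct_row(acct_unknown)]


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

The cache only helps for sessions this server authenticated; accounting for a session whose Access-Request went elsewhere (the second packet) still has no realm, which is the case Alan's "lots of extra work" refers to.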

Re: No Realm in table radacct

2012-10-20 Thread Fajar A. Nugraha
On Sun, Oct 21, 2012 at 12:25 AM, Matthew Newton  wrote:
> On Sat, Oct 20, 2012 at 11:17:21PM +0700, Fajar A. Nugraha wrote:
>> Short version, your NAS (172.16.18.82) sends inconsistent user name.
>> It sends "mar...@kl-dfki.de" for access-request, but "markus" for
>> accounting. Fix the NAS. Period.
>
> I don't know about different NASes, but ours send the User-Name in
> the Accounting-Request that was returned to the NAS in the
> Access-Accept, not the User-Name that they used in the
> Access-Request. Therefore the result from FreeRADIUS does directly
> affect what is sent for Accounting.

In that case you need to tell the owner of the remote radius
(172.16.3.225) to fix their system. Cause FR pretty much only proxies
what they send.

Sending Access-Request of id 147 to 172.16.3.225 port 1812
User-Name = "mar...@kl-dfki.de"
NAS-IP-Address = 172.16.18.82
...
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 172.16.3.225 port 1812,
id=147, length=172
User-Name = "markus"


AFAIK many people on this list use eduroam (I don't, BTW). If you take
some time to ask your question in a more understandable manner, they
might be able to help you more. But they can't do anything if they
don't even understand your question.

What I don't understand is how come the reply that FR sends STILL
contains User-Name. Reading raddb/attrs and raddb/modules/attr_filter,
it looks like FR should never allow User-Name on Access-Accept. Did
you REMOVE attr_filter.post-proxy from raddb/sites-available/default
or whatever virtual server you're using?

You might want to try simply REMOVE User-Name attribute from the
Access-Accept packet using unlang. If you want to try this, see the
man page, look for "-=". You should be able to add it in post-proxy
section.

-- 
Fajar


Re: No Realm in table radacct

2012-10-20 Thread Matthew Newton
On Sat, Oct 20, 2012 at 11:17:21PM +0700, Fajar A. Nugraha wrote:
> Short version, your NAS (172.16.18.82) sends inconsistent user name.
> It sends "mar...@kl-dfki.de" for access-request, but "markus" for
> accounting. Fix the NAS. Period.

I don't know about different NASes, but ours send the User-Name in
the Accounting-Request that was returned to the NAS in the
Access-Accept, not the User-Name that they used in the
Access-Request. Therefore the result from FreeRADIUS does directly
affect what is sent for Accounting.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Re: No Realm in table radacct

2012-10-20 Thread Fajar A. Nugraha
On Sat, Oct 20, 2012 at 7:15 PM,   wrote:
> I want to send attributes in the accounting area and put them into the
> radacct table.
> But not without the forwarding of the accounting request.
>
> The transmission of some attribute works in authorize.
>
> Do you understand my problem?

No. I'm having a hard time understanding your english. You'd probably
be able to find more help if you spend some more time determining what
your problems are, and write them in an understandable manner.

Anyway, I'm going to take a guess based on the debug log you posted
earlier. Here's another hint: you'd be able to get more help if you:
(1) Try to read and understand the log first. Often the logs tell you
everything you need if you just read them.
(2) Paste it directly inline instead of in pastebin.

Anyway, back to the log. I'm using the one you posted as "Location A
http://pastebin.com/A1HNtSeu  ". In it there's these entries:

...
rad_recv: Accounting-Request packet from host 172.16.18.82 port 53432,
id=35, length=189
Acct-Session-Id = "50758488-0002"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Name = "markus"
...

and

...
rad_recv: Access-Request packet from host 172.16.18.82 port 36327,
id=36, length=175
User-Name = "mar...@kl-dfki.de"
NAS-IP-Address = 172.16.18.82
...

Short version, your NAS (172.16.18.82) sends inconsistent user name.
It sends "mar...@kl-dfki.de" for access-request, but "markus" for
accounting. Fix the NAS. Period.

-- 
Fajar


Re: No Realm in table radacct

2012-10-20 Thread xylakant
Hello,

in the radacct table the authorized sessions of the user are saved. I use 
the database schema of daloradius. There is a column with realm, which is 
empty. It would be nice if there were something in it to work with.

And without the full user details the accounting is not working. Because the 
local server knows only "markus", he sends his Accounting-Request to DEFAULT and 
this server cannot proxy it, because it has no realm either. I'm 
wondering, because this "Global" server now replies to this request. 

I want to send attributes in the accounting area and put them into the 
radacct table. 
But not without the forwarding of the accounting request.

The transmission of some attributes works in authorize.

Do you understand my problem? 

Thanks Ulf



Re: No Realm in table radacct

2012-10-19 Thread Alan DeKok
xylak...@vorsicht-bissig.de wrote:
> So I thought Realm is a Radius Attribute, but now I think its only a
> temporay variable on the radius server. Cause I can't find it on IANA
> Attributes.

  That's right.  It doesn't ever go into a RADIUS packet.

> Please tell me, what and where I can fix that.

  You don't.  The NAS only understands attributes in its internal
dictionary.  Adding a realm to the FreeRADIUS dictionary doesn't change
the NAS.

  Please explain why you need to send the realm to the NAS, and why you
think the NAS will understand it.

  Alan DeKok.


Re: No Realm in table radacct

2012-10-19 Thread xylakant
Here I'm again, ;-)

so worked on my problem this evening, but all the time without success. :-(

So I thought Realm is a RADIUS attribute, but now I think it's only a 
temporary variable on the RADIUS server, because I can't find it in the IANA 
attributes. 

So this is the wrong way to submit the realm address of the user.

The users are saved in the database without the realm suffix ("markus"). 
I watched my user-name in post-auth, before it sends the access-accept 
message:

    expand: %{Realm} -> kl-dfki.de
++[reply] returns ok
    expand: %{User-Name} -> mar...@kl-dfki.de
++[reply] returns ok

Like I said in my last mail, the username in the access-accept message 
is only "markus" and there is no realm attribute.

Please tell me, what and where I can fix that. 

Ulf 



Re: No Realm in table radacct

2012-10-19 Thread xylakant
Hello again,

sorry for the late answer, but I tried to resolve the problem myself 
and learned more about the process of freeradius.

So my problem is still that the radius doesn't reply with the realm of the 
authenticated user.
The server detects the realm and knows about it ( %{Realm} -> 
"kl-dfki.de" ).

But in the Access-Accept there is no realm attribute. I tried to update it 
manually without success. Other attributes like 3Com-Ip-Host-Addr are 
possible to send.

Sending Access-Accept of id 188 to 172.16.3.225 port 1814
    User-Name = "markus"
    MS-MPPE-Recv-Key = 
0x19bfda63662c5eda0d0cfd34c617f262ae8611b10aab33c89598e9478000e667
    MS-MPPE-Send-Key = 
0xa653fb00f50ffb9b86c15b777bc4d6807912c23511749aef1d030b87cb3b0619
    EAP-Message = 0x03e4
    Message-Authenticator = 0x
    3Com-Ip-Host-Addr = "123.456.789.012"
    Proxy-State = 0x323437
    Proxy-State = 0x323132


In "post-auth" of  my "default"  config:

    update reply {
        #Realm
        Realm = "%{Realm}"    
    }


    update reply {
        3Com-Ip-Host-Addr = 123.456.789.012    
    }

Here you can see the log:  http://pastebin.com/fhvtnyv8

I hope you can help me. Thanks Ulf



Re: No Realm in table radacct

2012-10-10 Thread Alan Buxey
A quick guess, your mysql user-name is set to be stripped-user-name? Check 
sql.conf and dialup.conf

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.


Re: No Realm in table radacct

2012-10-10 Thread xylakant
The user mar...@kl-dfki.de is saved in the MySQL database as user markus on 
Server B.
So I activated the module suffix to check for the realm, and then it checks this 
user in the database.
This works, but the server answers only that he knows "markus", not 
"mar...@kl-dfki.de".

What should I do to configure my RADIUS server to receive the realm of 
"markus"? 

THX

Re: No Realm in table radacct

2012-10-10 Thread Alan DeKok
xylak...@vorsicht-bissig.de wrote:
>  Yes, I know. I always read the debug. But I don't know how to change it!

  The User-Name comes from the user.  Log in using a realm, and
FreeRADIUS will use it.

> My biggest problem is, that I can't find any good descriptions about
> freeradius config.

  I guess the thousands of lines of documentation in the config files
don't help.

> Everything I learn by reading other stuff from forum and blogs. The wiki
> of freeradius is bad.

  It is written by volunteers.

> I've got an old book on RADIUS from O'Reilly, but this is about freeradius v1.

  And its content is largely copied from the FreeRADIUS documentation.

> So could you help me?

  With *what*?

  Ask good questions.  What do you want to do?  Magically invent a realm
where none exists?

  Alan DeKok.


Re: No Realm in table radacct

2012-10-10 Thread xylakant
Yes, I know. I always read the debug. But I don't know how to change it!
My biggest problem is that I can't find any good descriptions of the 
freeradius config.

Everything I learn by reading other stuff from forums and blogs. The wiki of 
freeradius is bad.
I've got an old book on RADIUS from O'Reilly, but this is about freeradius v1. 

So could you help me?

Thank you


> 
>  Original-Nachricht 
> Datum: Wed, 10 Oct 2012 10:32:02 -0400
> Von: Alan DeKok 
> An: FreeRadius users mailing list 
> Betreff: Re: No Realm in table radacct
> 
> xylak...@vorsicht-bissig.de wrote:
> > Authentication and accounting works with realm, but the field realm is
> > empty in table radacct.
> 
>   Does the accounting packet have a username with a realm?  The debug
> log says "no".
> 
>   Please *read* the debug log.  It has a lot of information and can be
> hard to understand.  But it shouldn't be hard to look for an accounting
> packet, and then look for "realm".  If there are no references to
> "realm"... that explains why the realm isn't in the radacct table.
> 
> > You can see my Debuglogs with a Login by mar...@kl-dfki.de
> 
>   No.  Read the debug log.
> 
>   Alan DeKok.
> 


Re: No Realm in table radacct

2012-10-10 Thread Alan DeKok
xylak...@vorsicht-bissig.de wrote:
> Authentication and accounting works with realm, but the field realm is
> empty in table radacct.

  Does the accounting packet have a username with a realm?  The debug
log says "no".

  Please *read* the debug log.  It has a lot of information and can be
hard to understand.  But it shouldn't be hard to look for an accounting
packet, and then look for "realm".  If there are no references to
"realm"... that explains why the realm isn't in the radacct table.

> You can see my Debuglogs with a Login by mar...@kl-dfki.de

  No.  Read the debug log.

  Alan DeKok.


No Realm in table radacct

2012-10-10 Thread xylakant
Hello together,

I have set up a radius system like eduroam with 3 servers. I use 
"daloradius" for user and accounting management.

Authentication and accounting works with realm, but the field realm is 
empty in table radacct.

Furthermore, I want to know how I use / configure Hot Spots in 
"daloradius". I can't find any description about that. It's really hard to 
learn freeradius without a good wiki or something else.

There are two locations A @sb-dfki.de and B @kl-dfki.de with their radius 
server. And a global Server only for Radius proxyforwarding. I've got my 
client and an access point 172.16.18.82 on location A.

I think my configuration is ok. If not, pls tell me.

You can see my Debuglogs with a Login by mar...@kl-dfki.de

Location A http://pastebin.com/A1HNtSeu  

Location B http://pastebin.com/Q2DWbTes 

Thank you!

Xylakant

Re: Dynamic realm+home_server_pool from LDAP/SQL

2012-09-25 Thread Alan DeKok
Wilco Baan Hofman wrote:
> Okay, I understand this.. I was actually looking more for specifics on
> how you would want to have this implemented. Perhaps similarly to the
> dynamic clients using unlang? Or perhaps by configuring a configuration
> backend for realms or something.. 

  I would start off by moving the realm code to rlm_realm.  There's
really no reason it should be in the server core.

> There are several approaches to do this.. and I'm guessing you have some
> ideas about this :)

  Some.  There are also many things I want to do, which I can't...
because I'm not sure how.

  Adding dynamic home servers is one of them.  They're pretty welded
into the server core.  Fixing that involves a lot of changes.

  Alan DeKok.


Re: Dynamic realm+home_server_pool from LDAP/SQL

2012-09-21 Thread Wilco Baan Hofman

On Fri, 2012-09-21 at 13:05 +0200, Alan DeKok wrote:
> Wilco Baan Hofman wrote:
> > I'm looking through the code and documentation of freeradius now to see
> > if it is possible to use freeradius with a backend database for realms.

> > I'm looking to implement this if it's not there, in what way can I do
> > this where my patches would be accepted (assuming clean code obviously)?
> 
>   Use github.  Fork the code, and do it there.
> 
>   Any major changes like this MUST be done in the "master" branch.  The
> v2.1.x branch is stable, and will have minimal changes.
> 

Okay, I understand this.. I was actually looking more for specifics on
how you would want to have this implemented. Perhaps similarly to the
dynamic clients using unlang? Or perhaps by configuring a configuration
backend for realms or something.. 

There are several approaches to do this.. and I'm guessing you have some
ideas about this :)

Regards,

Wilco Baan Hofman



Re: Dynamic realm+home_server_pool from LDAP/SQL

2012-09-21 Thread Alan DeKok
Wilco Baan Hofman wrote:
> I'm looking through the code and documentation of freeradius now to see
> if it is possible to use freeradius with a backend database for realms.

  Realms, maybe.  It's a lot more difficult with home servers.

> For clients this can be fixed with dynamic clients and overwriting
> attributes.. but for realms this does not seem possible. Did I miss
> something?

  No.  If it worked, it would be documented.

> I'm looking to implement this if it's not there, in what way can I do
> this where my patches would be accepted (assuming clean code obviously)?

  Use github.  Fork the code, and do it there.

  Any major changes like this MUST be done in the "master" branch.  The
v2.1.x branch is stable, and will have minimal changes.

  Alan DeKok.


Re: Dynamic realm+home_server_pool from LDAP/SQL

2012-09-21 Thread Arran Cudbard-Bell

> I'm looking through the code and documentation of freeradius now to see
> if it is possible to use freeradius with a backend database for realms.

Not to define new realms no.

> For clients this can be fixed with dynamic clients and overwriting
> attributes.. but for realms this does not seem possible. Did I miss
> something?

It's not possible. IIRC there was talk of possible sponsorship to add this 
functionality, but it's non trivial.

> I'm looking to implement this if it's not there, in what way can I do
> this where my patches would be accepted (assuming clean code obviously)?

It's non trivial. I'll let Alan D comment as he was looking at this recently.

-Arran


Dynamic realm+home_server_pool from LDAP/SQL

2012-09-21 Thread Wilco Baan Hofman
Hi,

I'm looking through the code and documentation of freeradius now to see
if it is possible to use freeradius with a backend database for realms.

For clients this can be fixed with dynamic clients and overwriting
attributes.. but for realms this does not seem possible. Did I miss
something?

I'm looking to implement this if it's not there, in what way can I do
this where my patches would be accepted (assuming clean code obviously)?

Regards,

Wilco Baan Hofman



Re: Per-realm post-proxy

2012-08-14 Thread Alan DeKok
Shaun Lowry wrote:
> Is it possible to have a per-realm post-proxy section?

  No.  But you can have pre/post proxy sections for home server pools.
See proxy.conf.

>  We need to add a
> couple of attributes to our Access-Accepts which vary in content
> depending on which realm we've proxied.  Otherwise, is there an easy way
> to distinguish realm in the global post-proxy section?

  It's in the "Realm" attribute?

  Alan DeKok.


Re: Per-realm post-proxy

2012-08-13 Thread alan buxey
Hi,
> Is it possible to have a per-realm post-proxy section?  We need to
> add a couple of attributes to our Access-Accepts which vary in
> content depending on which realm we've proxied.  Otherwise, is there
> an easy way to distinguish realm in the global post-proxy section?

well, there are a couple of ways.

1) use virtual servers and have completely separate post-proxy
sections (by way of them being in different VS files) for each realm

2) use unlang in the post-proxy section of your current config e.g.
(quick nasty code off the top of my head, so don't copy without checking!!)

if (%{Realm} == "blah-blah.com"){
    update reply {
        Session-Timeout := "3600"
    }
}



..there is a third option...and thats to call a PERL/Python/PHP etc script

alan


Re: Per-realm post-proxy

2012-08-13 Thread Phil Mayers

On 13/08/12 17:16, Shaun Lowry wrote:

Is it possible to have a per-realm post-proxy section?  We need to add a
couple of attributes to our Access-Accepts which vary in content
depending on which realm we've proxied.  Otherwise, is there an easy way
to distinguish realm in the global post-proxy section?


Just refer to it.

post-proxy {
  if (Realm == abc) {
update reply {
  ...
}
  }
  elsif (Realm ...) {
  }
}

...or:

post-proxy {
  switch (Realm) {
case "abc" {
}
case "def" {
}
case {
}
  }
}


Per-realm post-proxy

2012-08-13 Thread Shaun Lowry
Is it possible to have a per-realm post-proxy section?  We need to add a 
couple of attributes to our Access-Accepts which vary in content 
depending on which realm we've proxied.  Otherwise, is there an easy way 
to distinguish realm in the global post-proxy section?


Shaun.



RE: Setting realm from called station id regex

2012-07-23 Thread Christopher Manigan
That worked, thanks.  Just had to fix your example from "calling" to "called".  
Other than that, perfect.

Chris

From: freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org 
[freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org] on 
behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Monday, July 23, 2012 11:29 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Setting realm from called station id regex

On 23/07/12 16:03, Christopher Manigan wrote:
> Hello,
>
>
> I have some devices that report to radius accounting but do not do any 
> authentication or authorization.  For these sessions in accounting, I would 
> like to set a realm based on the called station id.  The called station id 
> ends with a colon and the SSID.  I thought I could write a simple regular 
> expression for the ssid and set the realm.  Here is what I have right now, 
> but it does not seem to be working:
>
>
>
> DEFAULT Called-Station-Id =~ "myssid"
>Realm = "myrealm"

That's probably updating the reply, which is not even meaningful for
accounting.

You need to use unlang, so that you can specify which variable list to
update. For example:

preacct {
   if (Calling-Station-Id =~ /myssid/) {
 update request {
   Realm := myrealm
 }
   }
}


Re: Setting realm from called station id regex

2012-07-23 Thread Phil Mayers

On 23/07/12 16:03, Christopher Manigan wrote:

Hello,


I have some devices that report to radius accounting but do not do any 
authentication or authorization.  For these sessions in accounting, I would 
like to set a realm based on the called station id.  The called station id ends 
with a colon and the SSID.  I thought I could write a simple regular expression 
for the ssid and set the realm.  Here is what I have right now, but it does not 
seem to be working:



DEFAULT Called-Station-Id =~ "myssid"
   Realm = "myrealm"


That's probably updating the reply, which is not even meaningful for 
accounting.


You need to use unlang, so that you can specify which variable list to 
update. For example:


preacct {
  if (Calling-Station-Id =~ /myssid/) {
    update request {
  Realm := myrealm
}
  }
}
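As an added example (not code from the list or from FreeRADIUS), the Called-Station-Id handling from this thread modelled in Python so it runs stand-alone: parse the "AP MAC:SSID" form, look the SSID up exactly, and set Realm on the request the way the preacct snippet above does, working on Called-Station-Id rather than Calling-Station-Id (the client MAC, which never carries an SSID). The SSID-to-realm table, the packets and the MAC/SSID format assumption are constructed for the example; it also shows why the substring regex /myssid/ would also catch an SSID such as "myssid-guest".

```python
"""
Added example for assigning a realm to accounting-only sessions from the
SSID in Called-Station-Id.  Not FreeRADIUS configuration; the SSID table
and the packets are constructed for illustration.
"""
import re
from typing import Dict, Optional, Tuple

# Assumed format, as most 802.11 NASes send it: "<AP MAC>:<SSID>".  The MAC is
# six hex pairs (hyphen, colon or dot separated); the SSID is everything after
# the colon that follows it, so an SSID may itself contain colons.
CALLED_STATION_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}):(?P<ssid>.+)$"
)

# Constructed SSID -> realm table.  Realm is a server-internal label that
# never appears in a RADIUS packet, so any name proxy.conf knows will do.
SSID_REALMS: Dict[str, str] = {
    "myssid": "myrealm",
    "myssid-guest": "guestrealm",
}


def parse_called_station_id(value: str) -> Optional[Tuple[str, str]]:
    """Return (mac, ssid), or None when the value is not in MAC:SSID form."""
    m = CALLED_STATION_RE.match(value)
    if not m:
        return None
    return m.group("mac"), m.group("ssid")


def realm_for_called_station_id(value: str) -> Optional[str]:
    """Exact SSID lookup; None if the SSID is absent or unknown.

    Exact matching matters: the substring test /myssid/ from the thread also
    matches 'myssid-guest' and would put those sessions in the wrong realm.
    """
    parsed = parse_called_station_id(value)
    if parsed is None:
        return None
    return SSID_REALMS.get(parsed[1])


def substring_matches(value: str, pattern: str = "myssid") -> bool:
    """The /myssid/ test as written in the thread, kept for comparison."""
    return re.search(pattern, value) is not None


def preacct(request: dict) -> dict:
    """Model of: if (Called-Station-Id matches) { update request { Realm := ... } }

    Returns a copy of the request with Realm set when the SSID is known;
    otherwise the request is returned unchanged.
    """
    out = dict(request)
    realm = realm_for_called_station_id(request.get("Called-Station-Id", ""))
    if realm is not None:
        out["Realm"] = realm
    return out


def run_example() -> list:
    """Constructed Accounting-Requests from devices that never authenticate."""
    packets = [
        {"User-Name": "sensor-01",
         "Called-Station-Id": "00-11-22-33-44-55:myssid",
         "Calling-Station-Id": "AA-BB-CC-DD-EE-01"},
        {"User-Name": "sensor-02",
         "Called-Station-Id": "00:11:22:33:44:55:myssid-guest",
         "Calling-Station-Id": "AA-BB-CC-DD-EE-02"},
        {"User-Name": "sensor-03",
         "Called-Station-Id": "00-11-22-33-44-55:other",
         "Calling-Station-Id": "AA-BB-CC-DD-EE-03"},
    ]
    return [preacct(p).get("Realm") for p in packets]


if __name__ == "__main__":
    print(run_example())
```

Running it gives one realm per packet: the first two SSIDs resolve to their own realms and the unknown SSID leaves Realm unset, so the request falls through to whatever the rest of preacct does with realm-less accounting.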


Setting realm from called station id regex

2012-07-23 Thread Christopher Manigan
Hello,


I have some devices that report to radius accounting but do not do any 
authentication or authorization.  For these sessions in accounting, I would 
like to set a realm based on the called station id.  The called station id ends 
with a colon and the SSID.  I thought I could write a simple regular expression 
for the ssid and set the realm.  Here is what I have right now, but it does not 
seem to be working:



DEFAULT Called-Station-Id =~ "myssid"
  Realm = "myrealm"



Any help is greatly appreciated.


Chris





Re: EAP fails when proxying to a realm

2012-06-28 Thread alan buxey
Hi,

upgrade to 2.1.12 - it has fixes for proxy errors

as for username - you cannot play with User-Name with EAP - use 
Stripped-User-Name - see examples

alan


RE: EAP fails when proxying to a realm

2012-06-28 Thread Christopher Manigan
Thanks for pointing those things out to me.  I am no longer proxying back to 
myself like that, and I've told the sql module to use stripped user name when 
possible and it looks like it's all working now.

Best wishes,
Chris

From: freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org 
[freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org] on 
behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Thursday, June 28, 2012 12:49 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP fails when proxying to a realm

On 28/06/12 17:33, Christopher Manigan wrote:
> I am trying to use MSCHAPv2 to authenticate users.  This works ok, except 
> when I try to proxy to a realm.  Pasted below is the debug of a user trying 
> to authenticate.  The realm is a prefix of the username.  What I see buried 
> in the debug is:
>
>
> # radiusd -X
> FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 
> at 11:37:39

Upgrade to 2.1.12 if possible

> Sending Access-Request of id 22 to 127.0.0.1 port 1812

Why on earth are you proxying back to yourself, to the same virtual
server no less?

I suspect this is confusing the server, since it fails inside the
handler further down.

> [eap] Identity does not match User-Name, setting from EAP Identity.

You are rewriting the username. This doesn't work with EAP. Don't do that.

If you need to strip realms etc. use "Stripped-User-Name". Leave the
original username alone.

> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.


Re: EAP fails when proxying to a realm

2012-06-28 Thread Phil Mayers

On 28/06/12 17:33, Christopher Manigan wrote:

I am trying to use MSCHAPv2 to authenticate users.  This works ok, except when 
I try to proxy to a realm.  Pasted below is the debug of a user trying to 
authenticate.  The realm is a prefix of the username.  What I see buried in the 
debug is:


# radiusd -X
FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 at 
11:37:39


Upgrade to 2.1.12 if possible


Sending Access-Request of id 22 to 127.0.0.1 port 1812


Why on earth are you proxying back to yourself, to the same virtual 
server no less?


I suspect this is confusing the server, since it fails inside the 
handler further down.



[eap] Identity does not match User-Name, setting from EAP Identity.


You are rewriting the username. This doesn't work with EAP. Don't do that.

If you need to strip realms etc. use "Stripped-User-Name". Leave the 
original username alone.



[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.



EAP fails when proxying to a realm

2012-06-28 Thread Christopher Manigan
I am trying to use MSCHAPv2 to authenticate users.  This works ok, except when 
I try to proxy to a realm.  Pasted below is the debug of a user trying to 
authenticate.  The realm is a prefix of the username.  What I see buried in the 
debug is:


# radiusd -X
FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 at 
11:37:39
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_att

Re: realm rewrite or alias?

2012-05-03 Thread Alan DeKok
Beau Sapach wrote:
> I’ve got FreeRADIUS running to proxy requests from a wireless controller
> to a domain controller (NPS).  The realm name is being passed to NPS as
> the logon domain, which is fine but I’d like to catch a number of
> different possible realms that users may put into the login and
> ‘rewrite’ them to the proper domain name so that the domain controller
> doesn’t reject the login and we get fewer helpdesk calls.

  That might work.  But if you're doing EAP, it won't.

>  After looking
> through the config files an doing a bit of searching online I still
> haven’t found a way to do that, is it possible?

$ man unlang

  You can re-write any attribute.  You can use regular expressions, etc.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

realm rewrite or alias?

2012-05-02 Thread Beau Sapach
Hello everyone,

I've got FreeRADIUS running to proxy requests from a wireless controller to a 
domain controller (NPS).  The realm name is being passed to NPS as the logon 
domain, which is fine but I'd like to catch a number of different possible 
realms that users may put into the login and 'rewrite' them to the proper 
domain name so that the domain controller doesn't reject the login and we get 
fewer helpdesk calls.  After looking through the config files and doing a bit of 
searching online I still haven't found a way to do that, is it possible?

Beau
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Using different realm in the same server

2012-01-31 Thread Gabriele Brosulo

Hi all,
I'm trying to use different realms in the same server, but I'm probably 
missing something.


I just want to check my users in the radcheck table as user@realm, but I 
can't get it working. Here is my radcheck table:


mysql> select * from radcheck where username like 'tesths%';
+----+------------------+--------------------+----+--------------+
| id | username         | attribute          | op | value        |
+----+------------------+--------------------+----+--------------+
|  5 | tesths2          | Cleartext-Password | := | tesths2      |
|  4 | tesths@drupalAP1 | Cleartext-Password | := | tesths       |
| 11 | tesths@drupalAP1 | Login-Time         | := | Any1000-2000 |
|  8 | tesths@drupalAP1 | Max-Daily-Session  | := | 36000        |
| 12 | tesths@drupalAP1 | Expiration         | := | 31 Mar 2012  |
+----+------------------+--------------------+----+--------------+
5 rows in set (0.03 sec)

Following is the output of freeradius -X replying to my Access-Request. As 
you can see it searches for the cleartext password for tesths@drupalAP1, 
but it doesn't find it:


rad_recv: Access-Request packet from host 213.144.94.217 port 2060, 
id=64, length=322

ChilliSpot-Version = "1.2.7-svn"
User-Name = "tesths@drupalAP1"
CHAP-Challenge = 0x1d5cbf018e5c3e1f0f27db84019d6334
CHAP-Password = 0x00e56e25844efe021fe0ada407d300798d
Service-Type = Login-User
Acct-Session-Id = "4f2815590001"
Framed-IP-Address = 10.1.0.3
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
NAS-Port-Id = "0001"
Calling-Station-Id = "48-5D-60-71-DC-CC"
Called-Station-Id = "58-6D-8F-B4-69-F7"
NAS-IP-Address = 192.168.2.152
NAS-Identifier = "coovaAP01"
WISPr-Location-ID = "isocc=,cc=,ac=,network=Coova,Coova_HotSpot01"
WISPr-Location-Name = "My_HotSpot"
WISPr-Logoff-URL = "http://10.1.0.1:3660/logoff";
Message-Authenticator = 0xcbdb61af05f57eb2c5ef22c62a339623
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "drupalAP1" for User-Name = "tesths@drupalAP1"
[suffix] No such realm "drupalAP1"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} -> tesths@drupalAP1
[sql] sql_set_user escaped user --> 'tesths@drupalAP1'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER 
BY id -> SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = 'tesths@drupalAP1'   ORDER BY id

[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER 
BY id -> SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = 'tesths@drupalAP1'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup 
WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> 
SELECT groupname   FROM radusergroup   WHERE username = 
'tesths@drupalAP1'   ORDER BY priority

rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(acctsessiontime - 
GREATEST((1327964400 - UNIX_TIMESTAMP(acctstarttime)), 0)) 
FROM radacct WHERE username = '%{User-Name}' AND 
UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1327964400''
[dailycounter]  expand: SELECT SUM(acctsessiontime - 
GREATEST((1327964400 - UNIX_TIMESTAMP(acctstarttime)), 0)) 
FROM radacct WHERE username = '%{User-Name}' AND 
UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1327964400' -> SELECT 
SUM(acctsessiontime -  GREATEST((1327964400 - 
UNIX_TIMESTAMP(acctstarttime)), 0))  FROM radacct WHERE 
username = 'tesths@drupalAP1' AND 
UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1327964400'
sqlcounter_expand:  '%{sql:SELECT SUM(acctsessiontime - 
 GREATEST((1327964400 - UNIX_TIMESTAMP(acctstarttime)), 0)) 
  FROM radacct WHERE username = 'tesths@drupalAP1' AND 
 UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1327964400'}'

[dailycounter] sql_xlat
[dailycounter]  expand: %{User-Name} -> tesths@drupalAP1
[

Re: FreeRadius radrelay and proxying the Realm attribute to the home_server

2011-12-16 Thread Arch Mangle
Hi Matthew

Thanks for your response. This turns out to be exactly the configuration I
needed! I've tested it successfully on a failover pair of servers each
replicating accounting packets to each other using radrelay.

Many thanks!
Arch


On Fri, Dec 16, 2011 at 6:17 PM, Matthew Newton wrote:

> Hi,
>
> On Fri, Dec 16, 2011 at 03:52:39PM +0200, Arch Mangle wrote:
> > I have a working radrelay configuration running on FreeRADIUS Version
> > 2.1.10 for debian linux (squeeze/sid). It successfully duplicates radius
> > accounting packets from the detail file to the remote server. However, I
> > see that the "Realm" Attribute, while logged in the detail file of the
> > local system, is not written to the radrelay detail file and proxied to
> my
> > remote server.
>
> Realm appears in dictionary.freeradius.internal as an internal
> attribute, i.e. one that doesn't go out on the wire.
>
> > For easing my particular process of radius accounting/billing, I'd like
> to
> > have this attribute written to the radrelay detail file in addition to
> that
> > of the local server. How would I accomplish this ?
>
> I did it by adding my own attribute to the local dictionary file
> (e.g. /etc/freeradius/dictionary). I added a new vendor (using our
> IANA enterprise number) with a new attribute:
>
> VENDOR  Leicester   3385
> BEGIN-VENDORLeicester
> ...
> ATTRIBUTE   UoL-Log-Realm   4   string
> ...
> END-VENDOR  Leicester
>
> (Use your own vendor/attribute names/numbers.)
>
> Then in preacct I do:
>
>update request {
>UoL-Log-Realm := "%{Realm}"
>}
>
> Remember that you'll need the dictionary set on both servers, and that it
> will
> arrive in the relayed packet as your named attribute, not as 'Realm'.
>
> (Of course, there may be a better way to do it, but that works for us.)
>
> Cheers,
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. 
>
> Systems Architect (UNIX and Networks), Network Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius radrelay and proxying the Realm attribute to the home_server

2011-12-16 Thread Matthew Newton
Hi,

On Fri, Dec 16, 2011 at 03:52:39PM +0200, Arch Mangle wrote:
> I have a working radrelay configuration running on FreeRADIUS Version
> 2.1.10 for debian linux (squeeze/sid). It successfully duplicates radius
> accounting packets from the detail file to the remote server. However, I
> see that the "Realm" Attribute, while logged in the detail file of the
> local system, is not written to the radrelay detail file and proxied to my
> remote server.

Realm appears in dictionary.freeradius.internal as an internal
attribute, i.e. one that doesn't go out on the wire.

> For easing my particular process of radius accounting/billing, I'd like to
> have this attribute written to the radrelay detail file in addition to that
> of the local server. How would I accomplish this ?

I did it by adding my own attribute to the local dictionary file
(e.g. /etc/freeradius/dictionary). I added a new vendor (using our
IANA enterprise number) with a new attribute:

VENDOR  Leicester   3385
BEGIN-VENDORLeicester
...
ATTRIBUTE   UoL-Log-Realm   4   string
...
END-VENDOR  Leicester

(Use your own vendor/attribute names/numbers.)

Then in preacct I do:

    update request {
        UoL-Log-Realm := "%{Realm}"
    }

Remember that you'll need the dictionary set on both servers, and that it will
arrive in the relayed packet as your named attribute, not as 'Realm'.

(Of course, there may be a better way to do it, but that works for us.)

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius radrelay and proxying the Realm attribute to the home_server

2011-12-16 Thread Arch Mangle
Hi List

I have a working radrelay configuration running on FreeRADIUS Version
2.1.10 for debian linux (squeeze/sid). It successfully duplicates radius
accounting packets from the detail file to the remote server. However, I
see that the "Realm" Attribute, while logged in the detail file of the
local system, is not written to the radrelay detail file and proxied to my
remote server.

For easing my particular process of radius accounting/billing, I'd like to
have this attribute written to the radrelay detail file in addition to that
of the local server. How would I accomplish this ?

Here's what a typical accounting packet looks like on my local server's
detail file (the proxy-ing server):

---
Fri Dec 16 13:16:00 2011
User-Name = "morp...@ankh.morpork.org"
Service-Type = Framed-User
NAS-IP-Address = 199.55.541.8
NAS-Identifier = "199.55.541.8"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "1234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "ee50b494e1ff4c15"
Realm = "ankh.morpork.org"
Timestamp = 1324034160
Request-Authenticator = Verified
---


And here's how it typically shows up on my remote_home server's detail file
after being radrelay'ed:


---
Fri Dec 16 13:15:59 2011
User-Name = "morp...@ankh.morpork.org"
Service-Type = Framed-User
NAS-IP-Address = 199.55.541.8
NAS-Identifier = "199.55.541.8"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "1234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Proxy-State = 0x3435323833
Acct-Unique-Session-Id = "a1affd962a445d0c"
Timestamp = 1324034159
Request-Authenticator = Verified
---

I'd like to write (or otherwise shoehorn :P ) in the "Realm" attribute to
the radrelay detail file. What would be the simplest way to do this? Note
that  my server handles multiple realms.

Many thanks in advance,
Arch Mangle
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: username@realm append to realm\username

2011-12-15 Thread Vikash Gounder
Hi Alan,

thanks for a quick response, would this be how it is supposed to be done:

if (User-Name =~ /^(.*)@(.*)/) {
    update request {
        NT-Domain := "staff"
    }
} else {
    mschap
}

Thanks in advance

Cheers
Vikash

On Fri, Dec 16, 2011 at 9:31 AM, Alan Buxey  wrote:

> Hi,
>
> >+- entering group MS-CHAP {...}
> >[mschap] Told to do MS-CHAPv2 for [2]u...@example.com.au with
> NT-Password
> >[mschap]        expand: --username=%{mschap:User-Name} ->
> >--username=[3]u...@example.com.au
> >[mschap] No NT-Domain was found in the User-Name.
> >[mschap]        expand: --domain=%{mschap:NT-Domain} -> --domain=
>
> change this ntlm_auth command so that if mschap:NT-Domain DOESN'T exist, then
> another is used
>
> eg
>
> --domain=%{mschap:NT-Domain:-example.com.au}
>
> man unlang
>
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: username@realm append to realm\username

2011-12-15 Thread Alan Buxey
Hi,

>+- entering group MS-CHAP {...}
>[mschap] Told to do MS-CHAPv2 for [2]u...@example.com.au with NT-Password
>[mschap]        expand: --username=%{mschap:User-Name} ->
>--username=[3]u...@example.com.au
>[mschap] No NT-Domain was found in the User-Name.
>[mschap]        expand: --domain=%{mschap:NT-Domain} -> --domain=

change this ntlm_auth command so that if mschap:NT-Domain DOESN'T exist, then
another is used

eg

--domain=%{mschap:NT-Domain:-example.com.au}

man unlang


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: canceling/redirecting realm in pre-proxy ?

2011-10-07 Thread Fajar A. Nugraha
On Fri, Oct 7, 2011 at 10:01 PM, Robert Roll  wrote:
> +++[control] returns noop
>
> Does this mean it did NOT set the value local in Proxy-To-Realm ?
>
> Thanks,
>
> Robert
>
>
>
> pre-proxy {
>
>   if( "%{Packet-Src-IP-Address}" == '160.36.188.8' ) {
>      update control {
>              Proxy-To-Realm := 'local'
>          }
>   }
>
> }

Sorry, my mistake. It should be in authorize section. I just tested
this and it works.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: canceling/redirecting realm in pre-proxy ?

2011-10-07 Thread Robert Roll
Below is my pre-proxy paragraph.. Below that is some output..
It just continues to loop..

It looks like the test is working..
I don't know if it is meaningful or not, but..

+++[control] returns noop

Does this mean it did NOT set the value local in Proxy-To-Realm ?

Thanks,

Robert



pre-proxy {

    if ("%{Packet-Src-IP-Address}" == '160.36.188.8') {
        update control {
            Proxy-To-Realm := 'local'
        }
    }

}


# Executing section pre-proxy from file 
/opt/Radius/freeradius/Configs/BackEnd/etc/raddb/proxy.conf
+- entering group pre-proxy {...}
++? if ("%{Packet-Src-IP-Address}" == '160.36.188.8' )
expand: %{Packet-Src-IP-Address} -> 160.36.188.8
? Evaluating ("%{Packet-Src-IP-Address}" == '160.36.188.8' ) -> TRUE
++? if ("%{Packet-Src-IP-Address}" == '160.36.188.8' ) -> TRUE
++- entering if ("%{Packet-Src-IP-Address}" == '160.36.188.8' ) {...}
+++[control] returns noop
++- if ("%{Packet-Src-IP-Address}" == '160.36.188.8' ) returns noop


From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org 
[freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf 
Of Fajar A. Nugraha [l...@fajar.net]
Sent: Friday, October 07, 2011 8:41 AM
To: FreeRadius users mailing list
Subject: Re: canceling/redirecting realm in pre-proxy ?

On Fri, Oct 7, 2011 at 8:28 PM, Robert Roll  wrote:
> Good thought, but it doesn't seem to do the trick, but thanks..

Really? Where did you put it, in authorize?
It should work in pre-proxy

>
>>Why don't you just avoid starting the proxy in the first place...
>
>  I want to actually proxy to a remote server, but they might send it back for 
> further authentication..
> I need to detect and handle that, otherwise there would be a loop...

for complex scenarios it might be easier to use rlm_perl, or even rlm_exec.

--
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: canceling/redirecting realm in pre-proxy ?

2011-10-07 Thread Arran Cudbard-Bell

On 7 Oct 2011, at 15:28, Robert Roll wrote:

> Good thought, but it doesn't seem to do the trick, but thanks..
> 
>> Why don't you just avoid starting the proxy in the first place...
> 
> I want to actually proxy to a remote server, but they might send it back for 
> further authentication..
> I need to detect and handle that, otherwise there would be a loop...

Ditch rlm_realm and use your own condition in authorize.

authorize {
    preprocess

    split_username_nai

    if (Stripped-User-Domain != 'my_local_realm' && Huntgroup-Name != 'servers_I_might_proxy_to') {
        update control {
            Proxy-To-Realm := 'my_remote_realm'
        }
    }
    else {
        # Local processing...
    }
}

You can also use %{Proxy-State[#]} to determine whether the request has already 
been proxied

if ("%{Proxy-State[#]}") {
    # This request was received from a proxy server
}

-Arran

> 
> 
> Thanks,
> 
> Robert
> 
> 
> 
> From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org 
> [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On 
> Behalf Of Arran Cudbard-Bell [a.cudba...@freeradius.org]
> Sent: Thursday, October 06, 2011 12:58 PM
> To: FreeRadius users mailing list
> Subject: Re: canceling/redirecting realm in pre-proxy ?
> 
> On 6 Oct 2011, at 20:19, Robert Roll wrote:
> 
>> There seems to be some comments about being able
>> to "cancel" a proxy in the pre-proxy section..
>> 
>> #  When the server decides to proxy a request to a home server,
>> #  the proxied request is first passed through the pre-proxy
>> #  stage.  This stage can re-write the request, or decide to
>> #  cancel the proxy.
>> 
>> What I really want to do is test some variables (unlang)  and based
>> on the outcome, I want to actually handle the request locally
>> rather than proxy. Maybe this is obvious, but I am not seeing it ?
> 
> 
> update control {
>Proxy-To-Realm := 'local'
> }
> Maybe... I'm not sure if it'll work. Why don't you just avoid starting the 
> proxy in the first place...
> 
> -Arran
> 
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
> 
> Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 

Arran Cudbard-Bell
a.cudba...@networkradius.com

Technical consultant and solutions architect

15 Ave. du Granier, Meylan, France
+33 4 69 66 54 50






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: canceling/redirecting realm in pre-proxy ?

2011-10-07 Thread Fajar A. Nugraha
On Fri, Oct 7, 2011 at 8:28 PM, Robert Roll  wrote:
> Good thought, but it doesn't seem to do the trick, but thanks..

Really? Where did you put it, in authorize?
It should work in pre-proxy

>
>>Why don't you just avoid starting the proxy in the first place...
>
>  I want to actually proxy to a remote server, but they might send it back for 
> further authentication..
> I need to detect and handle that, otherwise there would be a loop...

for complex scenarios it might be easier to use rlm_perl, or even rlm_exec.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: canceling/redirecting realm in pre-proxy ?

2011-10-07 Thread Robert Roll
Good thought, but it doesn't seem to do the trick, but thanks..

>Why don't you just avoid starting the proxy in the first place...

 I want to actually proxy to a remote server, but they might send it back for 
further authentication..
I need to detect and handle that, otherwise there would be a loop...


Thanks,

Robert



From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org 
[freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf 
Of Arran Cudbard-Bell [a.cudba...@freeradius.org]
Sent: Thursday, October 06, 2011 12:58 PM
To: FreeRadius users mailing list
Subject: Re: canceling/redirecting realm in pre-proxy ?

On 6 Oct 2011, at 20:19, Robert Roll wrote:

> There seems to be some comments about being able
> to "cancel" a proxy in the pre-proxy section..
>
> #  When the server decides to proxy a request to a home server,
> #  the proxied request is first passed through the pre-proxy
> #  stage.  This stage can re-write the request, or decide to
> #  cancel the proxy.
>
> What I really want to do is test some variables (unlang)  and based
> on the outcome, I want to actually handle the request locally
> rather than proxy. Maybe this is obvious, but I am not seeing it ?


update control {
    Proxy-To-Realm := 'local'
}
Maybe... I'm not sure if it'll work. Why don't you just avoid starting the 
proxy in the first place...

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: canceling/redirecting realm in pre-proxy ?

2011-10-06 Thread Arran Cudbard-Bell

On 6 Oct 2011, at 20:19, Robert Roll wrote:

> There seems to be some comments about being able
> to "cancel" a proxy in the pre-proxy section..
> 
> #  When the server decides to proxy a request to a home server,
> #  the proxied request is first passed through the pre-proxy
> #  stage.  This stage can re-write the request, or decide to
> #  cancel the proxy.
> 
> What I really want to do is test some variables (unlang)  and based
> on the outcome, I want to actually handle the request locally
> rather than proxy. Maybe this is obvious, but I am not seeing it ?


update control {
    Proxy-To-Realm := 'local'
}

Maybe... I'm not sure if it'll work. Why don't you just avoid starting the 
proxy in the first place...

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


canceling/redirecting realm in pre-proxy ?

2011-10-06 Thread Robert Roll
There seems to be some comments about being able
to "cancel" a proxy in the pre-proxy section..

#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.

What I really want to do is test some variables (unlang)  and based
on the outcome, I want to actually handle the request locally
rather than proxy. Maybe this is obvious, but I am not seeing it ?


Thanks,

Robert

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxying Based on Criteria Other Than REALM

2011-09-01 Thread Det Det
Hey thanks! :)




From: Phil Mayers 
To: freeradius-users@lists.freeradius.org
Sent: Thursday, September 1, 2011 10:04 PM
Subject: Re: Proxying Based on Criteria Other Than REALM

On 01/09/11 14:53, det.explo...@yahoo.com wrote:

>> Hi,
>> 
>> Is it possible to proxy based on a group the user belongs to? Or
>> attribute? Or based on NAS from where the request was received?
>> 
>> Aside from REALM, is there any other criteria that can be used to
>> decide whether or not to proxy a request?

There are two attributes:

1. "Realm"; added to the request by e.g. the "suffix" module. Doesn't actually 
do anything; just used for logging.

2. "Proxy-To-Realm"; added to the "control" items by the "suffix" module, or by 
other config. This is what actually controls proxying.

So for example you can do this:

authorize {
  ...
  if (NAS-IP-Address == 192.0.2.1) {
    update control {
      Proxy-To-Realm := OTHERSERVER
    }
  }
  ...
}

As you can see, you can therefore proxy on any attribute you like, or even on 
the output of a script, SQL query, etc.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Proxying Based on Criteria Other Than REALM

2011-09-01 Thread Phil Mayers

On 01/09/11 14:53, det.explo...@yahoo.com wrote:


Hi,

Is it possible to proxy based on a group the user belongs to? Or
attribute? Or based on NAS from where the request was received?

Aside from REALM, is there any other criteria that can be used to
decide whether or not to proxy a request?


There are two attributes:

 1. "Realm"; added to the request by e.g. the "suffix" module. Doesn't 
actually do anything; just used for logging.


 2. "Proxy-To-Realm"; added to the "control" items by the "suffix" 
module, or by other config. This is what actually controls proxying.


So for example you can do this:

authorize {
  ...
  if (NAS-IP-Address == 192.0.2.1) {
update control {
  Proxy-To-Realm := OTHERSERVER
}
  }
  ...
}

As you can see, you can therefore proxy on any attribute you like, or 
even on the output of a script, SQL query, etc.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Proxying Based on Criteria Other Than REALM

2011-09-01 Thread det.explo...@yahoo.com

> From: "det.explo...@yahoo.com" 
> Date: September 1, 2011 9:51:33 PM GMT+08:00
> To: FreeRadius users mailing list 
> 

> Hi,
> 
> Is it possible to proxy based on a group the user belongs to? Or attribute? 
> Or based on NAS from where the request was received?
> 
> Aside from REALM, is there any other criteria that can be used to decide 
> whether or not to proxy a request?
> 
> 
> Thanks,
> Det
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Realm parsing and \r => =0D

2011-08-29 Thread Rich Graves
> It should be set in the configuration of the "realm" module.
> Where does it say that "suffix" is deprecated?

Sorry, my misread again!

#  As of 2.0. the old-style "realms" file is deprecated, and is not
#  used by FreeRADIUS.

Having never used freeradius 1, I thought this referred to 
/etc/raddb/modules/realm (without the s), and so I tried to avoid it.

Editing proxy.conf to add ignore_null to just my specific realms appeared not 
to override the default behavior of suffix, which is to thunk to null, giving 
ntdomain no chance. So I went to modules/realm.

All better now, thanks.

The downstream behavior, whereby DOMAIN\realname and probably DOMAIN\name got 
turned into CRLF when passed to buffered-[my]sql, might still merit 
consideration, but the right fix is in realm (without the s).
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Realm parsing and \r => =0D

2011-08-29 Thread Alan DeKok
Rich Graves wrote:
> I found the documentation of what needs to be done to support both NTDOMAIN\ 
> and @realm styles in the same vhost. In sites-available/inner-tunnel, it says:
> 
> #  If you are using multiple kinds of realms, you probably
> #  want to set "ignore_null = yes" for all of them.
> #  Otherwise, when the first style of realm doesn't match,
> #  the other styles won't be checked.
> 
> What this fails to say is where ignore_null needs to be set. Despite the 
> comments to the effect that modules/suffix is deprecated and no longer used 
> by freeradius 2, editing modules/suffix appears to work. Is there a 
> non-deprecated fix?

  It should be set in the configuration of the "realm" module.

  Where does it say that "suffix" is deprecated?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authenticate realm no matter what username is

2011-08-27 Thread Barry Murphy
Same thing unfortunately…

Users file
DEFAULT User-Name =~ ".*\\.xnet\\.co\\.nz$"
        Auth-Type := Accept,
        Pool-Name := un-auth,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-Avpair += "ip:vrf-id=Suspended",
        Cisco-Avpair += "ip:ip-unnumbered=Loopback 1000",


root@radius01-new:~#  radtest ba...@adsl.xnet.co.nz password localhost:1812 
1812 testing123
Sending Access-Request of id 77 to 127.0.0.1 port 1812
User-Name = "ba...@adsl.xnet.co.nz"
User-Password = "password"
NAS-IP-Address = 120.136.0.21
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=77, length=20

Debug

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 48547, id=77, length=73
User-Name = "ba...@adsl.xnet.co.nz"
User-Password = "password"
NAS-IP-Address = 120.136.0.21
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "adsl.xnet.co.nz" for User-Name = 
"ba...@adsl.xnet.co.nz"
[suffix] Found realm "DEFAULT"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
expand: %{User-Name} -> ba...@adsl.xnet.co.nz
[files] users: Matched entry DEFAULT at line 236
++[files] returns ok
expand: %{User-Name} -> ba...@adsl.xnet.co.nz
[sql] sql_set_user escaped user --> 'ba...@adsl.xnet.co.nz'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, 
username, attribute, value, op   FROM radcheck   WHERE username 
= 'ba...@adsl.xnet.co.nz'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE username = 
'%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   
FROM radusergroup   WHERE username = 'ba...@adsl.xnet.co.nz'   
ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User ba...@adsl.xnet.co.nz not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.
Login incorrect: [ba...@adsl.xnet.co.nz/password] (from client localhost port 
1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> ba...@adsl.xnet.co.nz
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 77 to 127.0.0.1 port 48547
Waking up in 4.9 seconds.
Cleaning up request 1 ID 77 with timestamp +34
Ready to process requests.

Thanks
Barry


From: Arran Cudbard-Bell <a.cudba...@freeradius.org>
Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Date: Fri, 26 Aug 2011 11:26:52 +0200
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: authenticate realm no matter what username is


On 26 Aug 2011, at 11:16, Barry Murphy wrote:

Hey guys,

We're an ISP providing ADSL services ourselves and on behalf of our 
wholesalers. I have a bunch of realms that are LOCAL and proxied which work 
with no issues. I'm trying to add realms of competitors to our radius so when 
customers are migrated from our competitors to our network they get 
authenticated and I drop them into a VRF displaying to them they need to change 
their login details. I've already got the VRF working, the forwarder page etc, 
I just can't seem to get users to authenticate with a wildcard 
*@dsl.competitor.co.nz

I have tried the following variants in the users file…

DEFAULT User-Name =~ "~*\\.xnet\\.co\\.nz$"


Surely you want

User-Name =~ ".*\\.xnet\\.co\\.nz$" ?

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Realm parsing and \r => =0D

2011-08-26 Thread Rich Graves
I found the documentation of what needs to be done to support both NTDOMAIN\ 
and @realm styles in the same vhost. In sites-available/inner-tunnel, it says:

#  If you are using multiple kinds of realms, you probably
#  want to set "ignore_null = yes" for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.

What this fails to say is where ignore_null needs to be set. Despite the 
comments to the effect that modules/suffix is deprecated and no longer used by 
freeradius 2, editing modules/suffix appears to work. Is there a non-deprecated 
fix?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authenticate realm no matter what username is

2011-08-26 Thread Arran Cudbard-Bell

On 26 Aug 2011, at 11:16, Barry Murphy wrote:

> Hey guys,
> 
> We're an ISP providing ADSL services ourselves and on behalf of our 
> wholesalers. I have a bunch of realms that are LOCAL and proxied which work 
> with no issues. I'm trying to add realms of competitors to our radius so when 
> customers are migrated from our competitors to our network they get 
> authenticated and I drop them into a VRF displaying to them they need to 
> change their login details. I've already got the VRF working, the forwarder 
> page etc, I just can't seem to get users to authenticate with a wildcard 
> *@dsl.competitor.co.nz
> 
> I have tried the following variants in the users file…
> 
> DEFAULT   User-Name =~ "~*\\.xnet\\.co\\.nz$" 
> 

Surely you want 

User-Name =~ ".*\\.xnet\\.co\\.nz$" ?

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

authenticate realm no matter what username is

2011-08-26 Thread Barry Murphy
Hey guys,

We're an ISP providing ADSL services ourselves and on behalf of our 
wholesalers. I have a bunch of realms that are LOCAL and proxied which work 
with no issues. I'm trying to add realms of competitors to our radius so when 
customers are migrated from our competitors to our network they get 
authenticated and I drop them into a VRF displaying to them they need to change 
their login details. I've already got the VRF working, the forwarder page etc, 
I just can't seem to get users to authenticate with a wildcard 
*@dsl.competitor.co.nz

I have tried the following variants in the users file…

DEFAULT User-Name =~ "~*\\.xnet\\.co\\.nz$"
Auth-Type := Accept,
Pool-Name := un-auth,
Service-Type = Framed-User,
Framed-Protocol = PPP,
Cisco-Avpair += "ip:vrf-id=Suspended",
Cisco-Avpair += "ip:ip-unnumbered=Loopback 1000",
Cisco-Avpair += "ip:dns-servers=14.1.33.1 120.136.0.25"

DEFAULT  Realm == "ihug.co.nz", Auth-Type := Accept

None work and all look for a username. So in the above scenarios I want 
anyth...@dsl.xnet.co.nz or whate...@ihug.co.nz to authenticate and be assigned 
an IP address from the pool and dropped into the vrf Suspended where I do my 
tricks based on their IP address to display a splash page advising the customer 
its time to modify their username & password on their router.

I've found many examples based on MAC authentication but none that work 
unfortunately.

Any help would be much appreciated

Thanks
Barry

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Realm parsing and \r => =0D

2011-08-24 Thread Alexander Clouter
Rich Graves  wrote:
>
> I've got freeradius-2.1.10-5.el6.x86_64 on fully patched RHEL6.1. 
> PEAP+MSCHAPv2 for wireless 802.1x, intending to federate with eduroam.
> 
> Within a day, I had the configuration I wanted, or so I thought.
> 
> Empty stanzas for realms u...@carleton.edu, ADS\user, and bare 
> username get authenticated with mschapv2. Otherwise, regex realm *@*.* 
> gets routed to the eduroam upstream radius hierarchy.
>
If you are going 'eduroam' you really need to reject *everything* 
eduroam SSID/802.1X related that is not of the form user@realm.  If you 
permit combinations then you will find users can use 'eduroam' locally 
with no problems but then when they go roaming, their workstation does 
not tell the visited site the realm (in the form '@example.edu') and so 
can only reject it.

The result, very unhappy users.

If you reject *today* NULL, then your helpdesk *have* to configure 
people correctly.  These are the words from a bitten before eduroam 
sysadmin :)
 
As for your realm fun, this is what we do:
 templates.conf 
templates {
# PROXY
eduroam-proxy {
type= auth+acct
port= 1812
require_message_authenticator   = yes
status_check= status-server
}

eduroam-proxy6 {
src_ipaddr  = ${local.MY.addr.v6}

$template eduroam-proxy
}
eduroam-proxy4 {
src_ipaddr  = ${local.MY.addr.v4}

$template eduroam-proxy
}
}
 proxy.conf 
## eduroam
# roaming0.ja.net
home_server jrs.0.v6 {
ipv6addr= ${local.jrs.0.addr.v6}
secret  = ${local.jrs.0.secret}

$template eduroam-proxy6
}
home_server jrs.0.v4 {
ipaddr  = ${local.jrs.0.addr.v4}
secret  = ${local.jrs.0.secret}

$template eduroam-proxy4
}
# roaming1.ja.net
home_server jrs.1.v6 {
ipv6addr= ${local.jrs.1.addr.v6}
secret  = ${local.jrs.1.secret}

$template eduroam-proxy6
}
home_server jrs.1.v4 {
ipaddr  = ${local.jrs.1.addr.v4}
secret  = ${local.jrs.1.secret}

$template eduroam-proxy4
}
# roaming2.ja.net
home_server jrs.2.v6 {
ipv6addr= ${local.jrs.2.addr.v6}
secret  = ${local.jrs.2.secret}

$template eduroam-proxy6
}
home_server jrs.2.v4 {
ipaddr  = ${local.jrs.2.addr.v4}
secret  = ${local.jrs.2.secret}

$template eduroam-proxy4
}

home_server_pool eduroam {
type= keyed-balance

home_server = jrs.0.v6
home_server = jrs.0.v4
home_server = jrs.1.v6
home_server = jrs.1.v4
home_server = jrs.2.v6
    home_server = jrs.2.v4
}

realm NULL {
}

realm LOCAL {
}

realm soas.ac.uk {
}

realm auth.virtual {
virtual_server  = auth
}

realm DEFAULT {
pool    = eduroam

nostrip
}

# blackhole routing
realm myabc.com {
nostrip
}
realm "~\\.3gppnetwork\\.org$" {
nostrip
}


The virtual server looks vaguely like (for *all* users onsite, the 'our 
users visiting elsewhere' is simpler):

authorize {
preprocess
suffix

# detail

rewrite.called_station_id
rewrite.calling_station_id

update request {
Operator-Name := "1%{config:local.MY.realm}"
}

eap {
ok = return
}

# Reject Calling-Station-Id-less authentications
if (!(Calling-Station-Id)) {
update reply {
Reply-Message := "No Calling-Station-Id"
}
reject
}
elsif (Calling-Station-Id =~ 
/^%{config:policy.mac-addr}(:(.+))?$/i) {
update control {
Local-MAC-Address := "%{1}%{2}%{3}%{4}%{5}%{6}"
}
}

if (!(User-Name)) {
update reply {
Reply-Message := "No User-Name"
}
reject
}

    validate_username

# handle realmless authentications
if ((EAP-Message) && Realm == NULL) {
update reply {
Reply-Message := "No Realm"
        }
    reject
   

Realm parsing and \r => =0D

2011-08-23 Thread Rich Graves
I've got freeradius-2.1.10-5.el6.x86_64 on fully patched RHEL6.1. PEAP+MSCHAPv2 
for wireless 802.1x, intending to federate with eduroam. 

Within a day, I had the configuration I wanted, or so I thought.

Empty stanzas for realms u...@carleton.edu, ADS\user, and bare username get 
authenticated with mschapv2.
Otherwise, regex realm *@*.* gets routed to the eduroam upstream radius 
hierarchy.

I configured buffered-sql for logging.

It all "works." Except... I noticed that my entries appeared in SQL-land as 
ADS=0Dgraves. So, it seems that the ADS\ realm is recognized (successfully 
authenticated locally, not sent to eduroam), but not stripped. Worse, the \r in 
ADS\rgraves is interpreted as a carriage return by the time it gets to 
SQL-User-Name.

I guess my conclusion is that I am very confused about where realms get 
configured, and which entries in the example config files are examples and 
which are metareferences to other code. 

Is the "realm ntdomain" that appears in modules/realm, with a commented-out 
reference in sites-available/default, an example of handling an example NT 
Domain named "ntdomain," or is it a directive analogous to format = suffix? I 
was sure of the former, but am less sure now. "suffix" is overloaded as both a 
format type and as an example realm that happens to be of type suffix, right?

I'm pretty sure that I need ADS, carleton.edu, and null to be recognized in 
proxy.conf, to distinguish what goes to inner-tunnel from what goes to eduroam 
upstream; and I am pretty sure that I need carleton.edu stripped in or before 
inner-tunnel. MSCHAPv2 will accept both ADS\username and username, so it's not 
critical to strip the former. However, it seems critical that ADS\ be stripped 
or more thoroughly escaped before or during transformation of sql_user_name to 
SQL-User-Name, because rendering ADS\rgraves as ADS=0Dgraves is just wrong.

I am also very confused about whether and where I want "ignore-null = yes." 
It's mentioned in the shipped modules/realms but not in proxy.conf.

The realm stanzas I have thus far are below. inner-tunnel, default, and 
buffered-sql are pretty much as shipped, except for the obvious DB 
configuration.

realm ADS {
format = prefix
    delimiter = '\\'
accthost = LOCAL
authhost = LOCAL
}
realm carleton.edu {
format = suffix
    delimiter = "@"
accthost = LOCAL
authhost = LOCAL
}
realm "~.*\\..*" { {
format = suffix
delimiter = "@"
accthost = eduroam1.ns.utk.edu
authhost = eduroam1.ns.utk.edu
secret = notpostedhere
nostrip
}
# This could probably just be realm NULL
realm DEFAULT {
type = radius
accthost = LOCAL
authhost = LOCAL
}

At the point where I realized I was turning things on and off just to see if 
radiusd -X would run, I decided that I should stick with clear, simple things 
like sendmail.cf, and ask for pointers.
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
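To make the two questions in this thread concrete (where the DOMAIN\user and user@realm styles get split, what the shipped `ignore_null` comment quoted earlier means, and why Alexander recommends rejecting realm-less EAP requests on an eduroam SSID), here is an added Python model. It is example code written for this page, not FreeRADIUS's rlm_realm or anyone's posted configuration: `split_realm`, `route`, `LOCAL_REALMS`, `BLACKHOLE_REALMS`, `VALID_REALM`, `PROXY_POOL` and the sample user names are all assumptions constructed for the illustration, and the realm-format check mirrors the style Phil Mayers uses in unlang rather than any module option.

```python
import re

# Constructed model, not FreeRADIUS code: how an "ntdomain" (DOMAIN\user)
# and a "suffix" (user@realm) realm style split a User-Name, what
# ignore_null changes, and a routing policy of the kind the thread
# describes (local realms, NULL realm, proxy everything else to eduroam).

# Assumed local realms: the thread's ADS prefix and carleton.edu suffix.
LOCAL_REALMS = {"ads", "carleton.edu"}

# Realms that must never be proxied (the thread's 3gppnetwork.org pattern).
BLACKHOLE_REALMS = [re.compile(r"\.3gppnetwork\.org$", re.IGNORECASE)]

# Shape a proxied realm must have: dotted labels of letters, digits, '-'.
VALID_REALM = re.compile(r"^([-a-z0-9]+\.)+[-a-z0-9]+$", re.IGNORECASE)

# Assumed name of the upstream pool used for every non-local realm.
PROXY_POOL = "eduroam"


def split_realm(user_name, styles=("ntdomain", "suffix"), ignore_null=True):
    """Split user_name into (stripped_user, realm, style_that_matched).

    Styles are tried in order. With ignore_null=True a style that finds no
    delimiter is skipped so the next style gets a chance; with
    ignore_null=False the first style that finds no delimiter ends the
    search with realm None, which is the trap the inner-tunnel comment
    quoted in the thread warns about.
    """
    for style in styles:
        if style == "ntdomain" and "\\" in user_name:
            realm, user = user_name.split("\\", 1)   # literal backslash only
            return user, realm, style
        if style == "suffix" and "@" in user_name:
            user, realm = user_name.rsplit("@", 1)   # last '@' wins
            return user, realm, style
        if not ignore_null:
            return user_name, None, style
    return user_name, None, None


def route(user_name, eap=True, styles=("ntdomain", "suffix"), ignore_null=True):
    """Decide what to do with a request, in the spirit of the thread's policy.

    Returns a dict with 'action' (local, proxy or reject), the name to hand
    downstream and a reason. Proxied requests keep the full User-Name (the
    thread's "nostrip"); local ones get the stripped name, so a DOMAIN\\user
    form never carries its backslash on into SQL-User-Name.
    """
    user, realm, _ = split_realm(user_name, styles, ignore_null)
    if realm is None:
        if eap:
            # No realm on an EAP request: reject, as recommended for an
            # eduroam SSID, so misconfigured clients fail at home, not abroad.
            return {"action": "reject", "user": user_name, "reason": "No Realm"}
        return {"action": "local", "user": user, "realm": None,
                "reason": "NULL realm, non-EAP"}

    lowered = realm.lower()
    if lowered in LOCAL_REALMS:
        return {"action": "local", "user": user, "realm": realm,
                "reason": "local realm"}
    if any(p.search(lowered) for p in BLACKHOLE_REALMS):
        return {"action": "reject", "user": user_name, "reason": "blackholed realm"}
    if not VALID_REALM.match(lowered):
        return {"action": "reject", "user": user_name, "reason": "invalid realm format"}
    return {"action": "proxy", "user": user_name, "realm": realm,
            "pool": PROXY_POOL, "reason": "foreign realm"}


if __name__ == "__main__":
    # Constructed sample names covering each branch of the policy.
    for name in ("ADS\\rgraves", "rgraves@carleton.edu", "visitor@example.edu",
                 "x@wlan.mnc001.mcc234.3gppnetwork.org", "bad@not_a_realm", "rgraves"):
        print(name, "->", route(name))
```

The point to take from `split_realm("ADS\\rgraves")` is that the only character the ntdomain style ever consumes is the literal backslash, so a correctly stripped name reaches the SQL layer as `rgraves`; the `=0D` seen in the thread can only appear if an unstripped `ADS\rgraves` is later run through something that re-interprets `\r` as an escape, which is a reason to strip or escape before, not after, the name reaches `SQL-User-Name`.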


Re: proxing (auth and accounting request) based on a username (not realm)

2011-07-26 Thread Phil Mayers

On 26/07/11 12:00, Samantha wrote:

Guys

Looking for some help in the following scenario


Fred tries to authenticate a 3g mobile broadband device and I don't have
their id on my radius database so I need to send to another provider who has
the account on their radius database.  The other provider terminates "fred
3g mobile device" on their lns and issues the framed ip and route requests -
I also send the accounting data to them as well


Easy:

authorize {
  if (User-Name == Fred) {
update control {
  Proxy-To-Realm := OTHER_PROVIDER
}
  }
}

...then define the realm & home servers for "OTHER_PROVIDER" in proxy.conf.

Obviously you can use SQL, rlm_passwd, "files" modules to do the lookup.




Secondly
Looking for script to count both in and out data traffic.


Your question is unclear. Be more specific.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


proxing (auth and accounting request) based on a username (not realm)

2011-07-26 Thread Samantha
Guys

Looking for some help in the following scenario


Fred tries to authenticate a 3g mobile broadband device and I don't have
their id on my radius database so I need to send to another provider who has
the account on their radius database.  The other provider terminates "fred
3g mobile device" on their lns and issues the framed ip and route requests -
I also send the accounting data to them as well


Secondly
Looking for script to count both in and out data traffic.


Kind Regards



Samantha Scafe
System Administrator

The Smelly Black Dog Company Pty Ltd t/as  IP NETWORKS



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL - One RADIUS database per realm

2011-07-25 Thread Dave Thompson
I think that multiple SQL instances are exactly what I'm looking for! Thank
you for the information!

On Mon, Jul 25, 2011 at 2:54 PM, Danny Stemmet  wrote:

> Hi Dave,
>
> I have not tested this, but I will try it as soon as I have a chance..
>
> Create a sql.conf file per client.
>
> Be sure to create an "instance" of type sql per client/realm.
> eg.
> client1_sql sql {
> .
> lots of configuration parameter (configurable per client, including
> server/database/tables/queries)
> .
> }
>
> In the main server configuration you can then proxy to a client's virtual
> server.
>
>
> Best Regards,
> Danny Stemmet
>
> MSB micro systems
>
>
> On 25 Jul 2011, at 17:37, Dave Thompson  wrote:
>
> > At my place of employment we have a web frontend to our radius server.
> This frontend will be used by several different clients. We want to store
> each client's usernames/passwords and MAC addresses in their own database.
> The database name will be the client's realm name.
> > The reason we want this database separation is to hide users and MAC
> addresses that don't belong to a client from the web frontend. For obvious
> reasons, the client should only be able to see and modify the authentication
> details that belong to them.
> > I haven't been able to find much documentation on the subject, leading me
> to believe that either A) This is not a smart idea and not recommended or B)
> Stuff like this isn't done often and therefore there isn't much
> documentation.
> > So, my question is this: Is there a better way for me to achieve the
> desired results of client separation(modify the frontend and use one
> database probably)? Or, if this is possible, any instructions would be
> greatly appreciated.
> > Thank you.
> >
> > --
> > - Dave
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
- Dave
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MySQL - One RADIUS database per realm

2011-07-25 Thread Danny Stemmet
Hi Dave,

I have not tested this, but I will try it as soon as I have a chance..

Create a sql.conf file per client.

Be sure to create an "instance" of type sql per client/realm. 
eg.
client1_sql sql {
.
lots of configuration parameter (configurable per client, including 
server/database/tables/queries)
.
}

In the main server configuration you can then proxy to a client's virtual 
server.


Best Regards,
Danny Stemmet

MSB micro systems


On 25 Jul 2011, at 17:37, Dave Thompson  wrote:

> At my place of employment we have a web frontend to our radius server. This 
> frontend will be used by several different clients. We want to store each 
> client's usernames/passwords and MAC addresses in their own database. The 
> database name will be the client's realm name.
> The reason we want this database separation is to hide users and MAC 
> addresses that don't belong to a client from the web frontend. For obvious 
> reasons, the client should only be able to see and modify the authentication 
> details that belong to them.
> I haven't been able to find much documentation on the subject, leading me to 
> believe that either A) This is not a smart idea and not recommended or B) 
> Stuff like this isn't done often and therefore there isn't much documentation.
> So, my question is this: Is there a better way for me to achieve the desired 
> results of client separation(modify the frontend and use one database 
> probably)? Or, if this is possible, any instructions would be greatly 
> appreciated.
> Thank you.
> 
> -- 
> - Dave
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


MySQL - One RADIUS database per realm

2011-07-25 Thread Dave Thompson
At my place of employment we have a web frontend to our radius server. This
frontend will be used by several different clients. We want to store each
client's usernames/passwords and MAC addresses in their own database. The
database name will be the client's realm name.
The reason we want this database separation is to hide users and MAC
addresses that don't belong to a client from the web frontend. For obvious
reasons, the client should only be able to see and modify the authentication
details that belong to them.
I haven't been able to find much documentation on the subject, leading me to
believe that either A) This is not a smart idea and not recommended or B)
Stuff like this isn't done often and therefore there isn't much
documentation.
So, my question is this: Is there a better way for me to achieve the desired
results of client separation(modify the frontend and use one database
probably)? Or, if this is possible, any instructions would be greatly
appreciated.
Thank you.

-- 
- Dave
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FR 2.1.6 add realm to User-Name before Proxy by listening port

2011-02-17 Thread Mika

Yes! Finally.. Thanks Alan & Alan. I missed the obvious conf files...
instantiate section in radiusd.conf didn't contain sql. 
Thanks again to this great FreeRadius list!
/M
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/FR-2-1-6-add-realm-to-User-Name-before-Proxy-by-listening-port-tp3303117p3390284.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FR 2.1.6 add realm to User-Name before Proxy by listening port

2011-02-17 Thread Alan DeKok
Mika wrote:
> Hello.
> Removed sql from the authorize section and got the below error (unknown
> module sql..).

  Add "sql" to the "instantiate" section of "radiusd.conf"

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 2.1.6 add realm to User-Name before Proxy by listening port

2011-02-17 Thread Alan Buxey
Hi,

> Hello.
> Removed sql from the authorize section and got the below error (unknown
> module sql..).
> What else could i have missed?

you're calling SQL somewhere in your authorize config - check all your 
config files for anything mentioning sql.  since you aren't running that module
then anything trying to call it will fail

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 2.1.6 add realm to User-Name before Proxy by listening port

2011-02-17 Thread Mika

Hello.
Removed sql from the authorize section and got the below error (unknown
module sql..).
What else could i have missed?


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 192.168.199.5 port 21000 as server
SERVER-21000
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.199.9 port 56379, id=234,
length=60
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
server SERVER-21000 {
# Executing section authorize from file /etc/raddb/sites-enabled/all-servers
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
WARNING: Unknown module "sql" in string expansion "%"
++[request] returns noop
expand: %{User-Name}@%{Tmp-String-0} -> testuser@
++[request] returns noop
++[control] returns noop
} # server SERVER-21000
  WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 247 to 164.9.250.252 port 1812
User-Name = "testuser@"
User-Password = "testpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Proxy-State = 0x323334
Proxying request 0 to home server 164.9.250.252 port 1812
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 2.1.6 add realm to User-Name before Proxy by listening port

2011-02-17 Thread Alan DeKok
Mika wrote:
> Do i need to use the queries/definitions in dialup.conf?

  No.

> Does the User-Name need to exist in the SQL database to be able to add a
> realm to it?

  No.

> server SERVER-21000 {
> authorize {
> preprocess
> pap
> sql

  Why is "sql" here?  You can probably just delete that line, and it
will work.

> [sql]   expand: %{User-Name} -> testuser
> [sql] sql_set_user escaped user --> 'testuser'
> rlm_sql (sql): Reserving sql socket id: 4
> [sql]   expand:  -> 
> [sql] Error generating query; rejecting user

  You deleted the default SQL queries.  Don't do that.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 2.1.6 add realm to User-Name before Proxy by listening port

2011-02-17 Thread Mika

That explains why the variables did not work. Thanks Alan.
I still can't get my sql queries working though with the below config.
Do I need to use the queries/definitions in dialup.conf?
Does the User-Name need to exist in the SQL database to be able to add a
realm to it?
I would like the server to find the realm in the database and just proxy the
access-request.

listen {
ipaddr = 192.168.199.5
port = 21000
type=auth
virtual_server = SERVER-21000
}
server SERVER-21000 {
authorize {
preprocess
pap
sql
update request {
Tmp-String-0 = "%{sql:select AccountIDSuffix FROM RequestGroup where
AUTProxyPort = 21000}"
}
update request {
User-Name := "%{User-Name}@%{Tmp-String-0}"
}
update control {
    Proxy-To-Realm := "AUT-OTP02"
}
}
}



debug: 
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 192.168.199.5 port 21000 as server
SERVER-21000
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.199.9 port 55578, id=50,
length=60
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
server SERVER-21000 {
# Executing section authorize from file /etc/raddb/sites-enabled/all-servers
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
[sql]   expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand:  -> 
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
} # server SERVER-21000
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 50 to 192.168.199.9 port 55578

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FR 2.1.6 add realm to User-Name before Proxy by listening port

2011-02-17 Thread Alan DeKok
Mika wrote:
> Hello.
> Seems that the variables (Tmp-String-0) do not work at all. Even without
> sql.

  You can't add a new attribute *and* use it in the same "update" section.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 2.1.6 add realm to User-Name before Proxy by listening port

2011-02-17 Thread Mika

Hello.
Seems that the variables (Tmp-String-0) do not work at all. Even without
sql.
See the below configuration.
Does anyone have a clue what I am missing?

[root@aut-proxy sites-available]# more all-servers
listen {
ipaddr = 192.168.199.5
port = 21000
type=auth
virtual_server = SERVER-21000
}
server SERVER-21000 {
authorize {
preprocess
pap
update request {
Tmp-String-0 = "testrealm"
User-Name := "%{User-Name}@%{Tmp-String-0}"
}
update control {
    Proxy-To-Realm := "AUT-OTP02"
}
}
}

--

radiusd -X

Listening on authentication address 192.168.199.5 port 21000 as server
SERVER-21000
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.199.9 port 34238, id=107,
length=60
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
server SERVER-21000 {
# Executing section authorize from file /etc/raddb/sites-enabled/all-servers
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
expand: %{User-Name}@%{Tmp-String-0} -> testuser@
++[request] returns noop
++[control] returns noop
} # server SERVER-21000
  WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 152 to x.x.x.x port 1812
User-Name = "testuser@"
User-Password = "testpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Proxy-State = 0x313037
Proxying request 0 to home server x.x.x.x port 1812
Going to the next request
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 2.1.6 add realm to User-Name before Proxy by listening port

2011-02-17 Thread Mika

Hello.
Both uppercase and lowercase seem to work fine with the isql command line, so I
think my odbc and freetds config is ok.. see below.
I am wondering if there is something wrong with the way I am trying to use
variable names?
If I change the variable "realm" to something else the server does not even
start?
I am using 2.1.10 btw.



[root@aut-proxy mssql]# isql AUT-DB dbuser dbpassword
+---+
| Connected!|
|   |
| sql-statement |
| help [tablename]  |
| quit  |
|   |
+---+
SQL> select AccountIDSuffix from RequestGroup where AUTProxyPort = 21000
++
| AccountIDSuffix   
|
++
| test  
|
++
SQLRowCount returns 1
1 rows fetched
SQL> 
SQL> SELECT AccountIDSuffix FROM RequestGroup WHERE AUTProxyPort = 21000
++
| AccountIDSuffix   
|
++
| test  
|
++
SQLRowCount returns 1
1 rows fetched



--
Changed variablename from realm to proxytorealm

update request {
proxytorealm = "%{sql:SELECT AccountIDSuffix FROM RequestGroup WHERE
AUTProxyPort = 21000}"
User-Name := "%{User-Name}@%{proxytorealm}"

-

rlm_sql (sql): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded and
linked
rlm_sql (sql): Attempting to connect to sa_otp@AUT-DB:1433/VPNOTP
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #4
rlm_sql (sql): Connected new DB handle, #4
/etc/raddb/sites-enabled/all-servers[35]: ERROR: Invalid vendor name in
attribute name "proxytorealm"
/etc/raddb/sites-enabled/all-servers[30]: Errors parsing authorize section. 
[root@aut-proxy mssql]# 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 2.1.6 add realm to User-Name before Proxy by listening port

2011-02-17 Thread Alan DeKok
Mika wrote:
> [sql] SQL query error; rejecting user

  The text is not a valid SQL query.  Maybe the SELECT needs to be
uppercase?

  How does it work if you type the query into an SQL command-line tool?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 2.1.6 add realm to User-Name before Proxy by listening port

2011-02-17 Thread Mika

Hello.
I am having some problems with the below configuration that does not work.
I have configured a virtual server on port 21000 that is to receive
Access-Request packets, the server is to look for a realm in a mssql
database before another query is done for the authentication server to proxy
to.

I do not want to put my sql queries in dialup.conf; instead I would like the
below logic to work.
But I am missing something vital and probably obvious.
Regards
Mika



virtual-server config in sites-enabled/

listen {
ipaddr = 192.168.199.5
port = 21000
type=auth
virtual_server = SERVER-21000
}
server SERVER-21000 {
authorize {
preprocess
pap
sql
update request {
realm = "%{sql:select AccountIDSuffix FROM RequestGroup where
AUTProxyPort = 21000}"
User-Name := "%{User-Name}@%{realm}"
NAS-IP-Address := "%{Client-IP-Address}"
}
update control {
Tmp-String-0 = "%{sql:select AUTServer FROM RequestGroup where
AUTProxyPort = 21000}"
Proxy-To-Realm := "%{Tmp-String-0}"
}
}
}

---


from radiusd -X
Listening on authentication address 192.168.199.5 port 21000 as server
SERVER-21000
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.199.9 port 46599, id=117,
length=60
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
server SERVER-21000 {
# Executing section authorize from file /etc/raddb/sites-enabled/all-servers
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
[sql]   expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 4
[sql] SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
} # server SERVER-21000
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
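A variant of the virtual server above that avoids the failure in the debug output, added here as an illustration; it is not Mika's configuration and not FreeRADIUS project code. The "SQL query error" comes from the bare `sql` call in authorize, which runs the dialup.conf authorize queries; the `%{sql:...}` expansion does not need that call, only that rlm_sql be instantiated. Table and column names are taken from the post; the `instantiate` entry, the empty-result check, the rejection of names that already contain "@" and the file name are assumptions.

```unlang
# Added example, not the poster's configuration or FreeRADIUS project code.
#
# radiusd.conf: in 2.x a module is only loaded when something references it,
# so list rlm_sql here to make %{sql:...} available without calling the "sql"
# module (and its dialup.conf queries) from any section.
instantiate {
    sql
}

# sites-enabled/SERVER-21000 (assumed file name)
listen {
    ipaddr         = 192.168.199.5
    port           = 21000
    type           = auth
    virtual_server = SERVER-21000
}

server SERVER-21000 {
    authorize {
        preprocess

        # Look up the suffix and the home realm for this port. Both queries
        # contain only a constant, so nothing from the packet reaches the
        # SQL text.
        update request {
            Realm := "%{sql:SELECT AccountIDSuffix FROM RequestGroup WHERE AUTProxyPort = 21000}"
        }
        update control {
            Tmp-String-0 := "%{sql:SELECT AUTServer FROM RequestGroup WHERE AUTProxyPort = 21000}"
        }

        # No row for this port: do not build "user@" or proxy to a realm
        # named "" (assumed policy: reject instead of falling through).
        if (("%{Realm}" == "") || ("%{control:Tmp-String-0}" == "")) {
            reject
        }

        # A name that already carries a realm would become "user@x@suffix";
        # refuse it so the client cannot steer the request (assumed policy).
        if (User-Name =~ /@/) {
            reject
        }

        update request {
            User-Name      := "%{User-Name}@%{Realm}"
            NAS-IP-Address := "%{Client-IP-Address}"
        }

        # Must equal the name of a "realm" block in proxy.conf. Once it is
        # set the request is forwarded and the local authenticate section is
        # skipped, so the "pap" call from the original is not needed.
        update control {
            Proxy-To-Realm := "%{control:Tmp-String-0}"
        }
    }
}
```

With this in place, `radiusd -X` should show the two expansions, the rewritten User-Name and then "Proxying to home server" instead of the rlm_sql error. If several listen sections share one virtual server, the constant 21000 can be replaced by `%{Packet-Dst-Port}` (an internal attribute in 2.x), which is a number taken from the local socket rather than from the client.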


Re: Proxying: 2nd server's database doesn't write the realm field

2011-01-28 Thread Alan DeKok
Marius Pesé wrote:
> switched stripping off in radiusd on server1 and restarted the daemon but 
> nothing seems to have changed.

  That doesn't make sense.

> Server1's DB still has the stripped username in username field and the realm 
> in realm field, server2 has the stripped username but no realm.

  Then you didn't disable stripping on server1.

  There is no other explanation.

> Should I send a debug output or can you tell from the top of your head where 
> I went wrong?

  *Read* the debug output.  The answer is in there.

  Alan DeKok.

Re: Proxying: 2nd server's database doesn't write the realm field

2011-01-28 Thread Fajar A. Nugraha
On Fri, Jan 28, 2011 at 4:15 PM, Marius Pesé  wrote:
> Hi Alan,
>
> switched stripping off in radiusd on server1 and restarted the daemon but 
> nothing seems to have changed.

How?
Did you enable "nostrip" on proxy.conf? Did you edit the right config file?

> Server1's DB still has the stripped username in username field and the realm 
> in realm field, server2 has the stripped username but no realm.
> Should I send a debug output or can you tell from the top of your head where 
> I went wrong?

debug output from server1 should show whether (and why) it's sending
usernames with realm.

-- 
Fajar

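For the stripping question, a proxy.conf fragment for server1 that shows the two behaviours side by side, added here as an example; it is not Marius's configuration and not FreeRADIUS project code. The realm name, pool and home server names, address and shared secret are placeholders.

```unlang
# Added example for server1's proxy.conf; names, the address and the secret
# are placeholders, not the poster's values.
home_server server2 {
    type   = auth
    ipaddr = 192.0.2.2
    port   = 1812
    secret = changeme
}

home_server_pool server2_pool {
    type        = fail-over
    home_server = server2
}

# Default behaviour: the realm is stripped before proxying. Server2 receives
# User-Name = "bob", its own "suffix" (rlm_realm) call finds no realm, and so
# its SQL rows carry the stripped username with no realm value.
#realm example.com {
#    pool = server2_pool
#}

# With nostrip, User-Name = "bob@example.com" is forwarded unchanged. Server1
# still sets Stripped-User-Name and Realm locally for its own logging, while
# server2's realm module can now split the name and fill its realm column.
realm example.com {
    pool = server2_pool
    nostrip
}
```

After changing this, restart server1 and check its `radiusd -X` output for the proxied Access-Request: the User-Name it sends to server2 must still contain the "@example.com" suffix, otherwise the edit did not take effect in the file the daemon actually reads.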

