Realm question

2007-08-20 Thread Jeff Crowe
Hi all,

Sorry if this question has been answered (I did search the archives and
google to no avail):  I have subscribers that connect with 2 realms as the
prefix.  How do I strip both and just authenticate locally?

I.e. username: realm1/realm2/username  or realm1/realm3/username.  Realm1
will always be present, followed by either realm2 or realm3 (no others).

Thanks,

Jeff

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


realm question

2008-07-24 Thread Jeff Crowe
Hi there,

I have a question about prefix realms and stripping them.  I have a provider
that allows roaming dialup for our customers. They require the username to
be in a format of idm/something/username.  I get the whole
idm/something/username delivered to me as the authentication.  

I have tried using the IPASS prefix to remove the idm/something, but it just
returns the realm of idm and I am still left with a Stripped-User-Name of
something/username. I have also tried just adding a realm of "idm/something"
to proxy.conf and it didn't work.  I am currently running FreeRADIUS
2.0.5 with a SQL (MySQL) back end.

Can I strip the "idm/something/" somehow?  


Thanks,
Jeff.






realm question

2004-05-13 Thread jesk
hi again,

I got a username with realms like this:   realm1/foobar%realm2
Is there a way to use realm2 as proxy realm local and get
realm1 stripped away?
I don't want realm1 for authorizing, authentication and accounting.

thanks in advance,
christian






Realm question..

2006-04-24 Thread TS
Hi all

We have a radius setup that we use to authenticate our own adsl users as
well as proxying radius to 2 other sources.
Our own radius entries use a realm after each username, a typical entry is:


[EMAIL PROTECTED]  Password == "secret"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Address = 10.0.0.3,
Framed-Netmask = 255.255.255.255,
Framed-Compression = Van-Jacobson-TCP-IP

###

Is there a way of getting radius to authenticate on the username before the @
sign and ignore the realm?
Obviously if the realm is one that we proxy then it should be proxied as
such and any that aren't in the proxy.conf file authenticated locally.

This may sound like an odd request but in the case of users typing the realm
incorrect but the username is Ok they can be authenticated still. Since we
only get sent authentication requests from realms that belong to us or the
people we proxy for locally it doesn't really matter what the realm is, the
user still has to have the correct password to authenticate.

In the case the user is one we proxy and the user types the realm incorrect
then they just won't be authenticated since it wouldn't be proxied and the
username would not exist in our radius users file, this is fine.

I've tried adding "strip" to the LOCAL entry in proxy.conf and also just
adding the entry:


user1  Password == "secret"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Address = 10.0.0.3,
Framed-Netmask = 255.255.255.255,
Framed-Compression = Van-Jacobson-TCP-IP

###

to the radius users file but it won't authenticate.

Thanks 
Tony



Re: Realm question

2007-08-23 Thread Alex French
Hmmm this might be overly complicated but you could configure realm1
to proxy back to yourself, stripping the realm, then configure each of
the other two as local realms? I imagine there must be a nicer way...

Alex

On 20/08/07, Jeff Crowe <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> Sorry if this question has been answered (I did search the archives and
> google to no avail):  I have subscribers that connect with 2 realms as the
> prefix.  How do I strip both and just authenticate locally?
>
> IE: username: realm1/realm2/username  or realm1/realm3/username.  Realm1
> will always be present followed by either realm2 or realm3 (no others).
>
> Thanks,
>
> Jeff
>


Re: realm question

2008-07-24 Thread A . L . M . Buxey
Hi,

> Can I strip the "idm/something/" somehow?  

Sure. A simple strip in the config would work,
or unlang of course.

eg in radiusd.conf

attr_rewrite copy.user-name {
	# create Stripped-User-Name as a copy of User-Name
	attribute = Stripped-User-Name
	new_attribute = yes
	searchfor = ""
	searchin = packet
	replacewith = "%{User-Name}"
}

attr_rewrite remove-junk {
	# delete the leading "idm/something/" from Stripped-User-Name
	# (anchored at the start of the value; the User-Name has no leading slash)
	attribute = Stripped-User-Name
	searchfor = "^idm/something/"
	searchin = packet
	new_attribute = no
	replacewith = ""
}


Then in sites-enabled/default (or your usual virtual server) add

copy.user-name
remove-junk

in the authorize section alongside prefix, suffix, ntdomain etc.

alan


RE: realm question

2008-07-28 Thread Jeff Crowe
Hi Alan,

Thank you for your reply, it worked great with a couple of tweaks.  For
those trying to implement the same type of idea, the code works great when
added to the modules/attr_rewrite file instead of to radiusd.conf.

In your sites-available/whatever, the order of the processing is important.
I have a realm set up to strip off after the @domain, but if the attr_rewrite
modules are called before the suffix module, the suffix module will not pass
the Stripped-User-Name that was required in my case; it will pass the whole
[EMAIL PROTECTED] as the username.

If you place the rewrite module names after the suffix, everything works
great.


Cheers,
Jeff.


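Alan's two attr_rewrite steps and Jeff's ordering observation, written as a single unlang policy in the authorize section. This is an added example, not config posted in the thread. It assumes FreeRADIUS 2.x, the stock "suffix" realm instance (format = suffix, delimiter = "@"), a User-Name of the form idm/something/user@example.com, and a default install's module names; the sql_user_name hint is likewise an assumption about a stock sql.conf, not something Jeff posted.

```unlang
# sites-enabled/default, FreeRADIUS 2.x: authorize section only.
# Added example; modules not relevant to the stripping are left out.
authorize {
	preprocess

	# The realm module must run first (Jeff's finding). With the stock
	# "suffix" instance it turns "idm/something/user@example.com" into
	#   Stripped-User-Name = "idm/something/user"
	# and sets Proxy-To-Realm if example.com is a proxied realm.
	suffix

	# Now drop the roaming provider's "idm/<anything>/" prefix.
	# Capture group 1 is everything after the second slash, so the
	# result is Stripped-User-Name = "user".
	if (Stripped-User-Name =~ /^idm\/[^\/]+\/(.+)$/) {
		update request {
			Stripped-User-Name := "%{1}"
		}
	}

	# The stock files module looks up "%{Stripped-User-Name:-%{User-Name}}",
	# so a bare "user" entry now matches. For rlm_sql, set
	#   sql_user_name = "%{Stripped-User-Name:-%{User-Name}}"
	# in sql.conf (assumed default is "%{User-Name}"), or the query
	# still sees the full name.
	files
	sql
	pap
}
```

Verify with radiusd -X: after "suffix" the debug output should show Stripped-User-Name being set, and files or sql should log a match on the short name. Note that a proxied request still carries the original User-Name to the home server unless it is also rewritten in pre-proxy, which is usually what the roaming provider expects.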


Re: realm question

2004-05-13 Thread jesk
On Thursday 13 May 2004 09:19, jesk wrote:
> hi again,
>
> i got a username with realms like this:   realm1/foobar%realm2
> is there a way to use realm2 as proxy realm local and get
> realm1 stripped away?
> i dont want realm1 for authorizing, authentication and accounting.
>
> thanks in advance,
> christian
>
>
>
>

Am I right that there is no way to do it?



Re: realm question

2004-05-13 Thread Alan DeKok
jesk <[EMAIL PROTECTED]> wrote:
> am i right, that there is no way to do it?

  Yes, there is.

  See the "realms" module.

  Alan DeKok.



Re: Realm question..

2006-04-24 Thread Alan DeKok
"TS" <[EMAIL PROTECTED]> wrote:
> Is there a way of getting radius to authenicate on the username before the @
> sign and ignore the realm?

  Yes, but you have to edit the "users" file to get rid of the
"@realm" portion, and configure the realms as LOCAL ones.

> Obviously if the realm is one that we proxy then it should be proxied as
> such and any that aren't in the proxy.conf file authenticated locally.

  That's what LOCAL is for.  See proxy.conf.

> I've tried adding "strip" to the LOCAL entry in proxy.conf and also just
> adding the entry:
...
> to the radius users file but it won't authenticate.

  What does debugging mode say?

  What has to be updated in the documentation to convince people to
run the server in debugging mode, and to read the output?

  Alan DeKok.


RE: Realm question..

2006-04-24 Thread TS
>> Is there a way of getting radius to authenticate on the username before
>> the @ sign and ignore the realm?

>  Yes, but you have to edit the "users" file to get rid of the
>"@realm" portion, and configure the realms as LOCAL ones.

The object is not to have to configure any realms as local,
so that RADIUS will try to auth any realm that isn't to be proxied.
If I have a user whose username is [EMAIL PROTECTED] I can easily specify
arealm.com as local. But if by mistake the user types the username as
[EMAIL PROTECTED] auth will just fail because the realm isn't specified in
proxy.conf.


>  What does debugging mode say?


Exactly what you'd expect it to say if the realm isn't in proxy.conf:

#
rad_recv: Access-Request packet from host 127.0.0.1:33499, id=115, length=68
User-Name = "[EMAIL PROTECTED]"
User-Password = "acc355"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1645
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: Looking up realm "arealm.com" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: No such realm "arealm.com"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
  modcall[authorize]: module "files" returns notfound for request 2
modcall: group authorize returns ok for request 2
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/acc355] (from client localhost port 1645)
Delaying request 2 for 1 seconds
Finished request 2
##

The user doesn't exist as the entry in users just has the username as
"user1" and the request is sending [EMAIL PROTECTED]

I want radius to first check to see if the request needs to be proxied.
If not then authenticate it locally no matter what the realm is but before
authenticating it strip off the realm and just use everything before the @
sign as the username.


Tony






Re: Realm question..

2006-04-25 Thread Alan DeKok
"TS" <[EMAIL PROTECTED]> wrote:
> The object is to not to have to configure any realms as local.

  That conflicts directly with your requirement to allow users to log
in as "user" or "[EMAIL PROTECTED]".

> If I have a user whose username is [EMAIL PROTECTED] I can easily specify
> arealm.com as local. But if by mistake the user types the username as
> [EMAIL PROTECTED] auth will just fail because the realm isn't specified in
> proxy.conf.

  Then you can't use realms.  You've got to configure a module to
strip out everything after the "@" sign.

  The "realms" module and proxy.conf are meant to deal with known
realms.  If you want to deal with unknown realms, you have to use
something else.

> If not then authenticate it locally no matter what the realm is but before
> authenticating it strip off the realm and just use everything before the @
> sign as the username.

  Then configure it to do that, but you can't use realms.  You'll have
to use another module to re-write the username for the packets that
aren't proxied.

  The simplest thing for you to do might be to create a wildcard realm
by modifying rlm_realm.

  Alan DeKok.


Re: Realm question..

2006-04-25 Thread Kevin Bonner
On Tuesday 25 April 2006 01:43, TS wrote:
> >  What does debugging mode say?
>
> Exactly what you'd expect it to say if the realm isn't in proxy.conf:
>
> #
> rad_recv: Access-Request packet from host 127.0.0.1:33499, id=115,
> length=68 User-Name = "[EMAIL PROTECTED]"
> User-Password = "acc355"
> ...
> 
> The user doesn't exist as the entry in users just has the username as
> "user1" and the request is sending [EMAIL PROTECTED]

The original users example you posted had the username of "[EMAIL PROTECTED]" 
with a password of "secret".  Here you say the users file has just "user1".  
Which is correct?

> I want radius to first check to see if the request needs to be proxied.

It will do this if you have a realm module listed in the authorize section.  
The suffix realm module is listed in the default config.

> If not then authenticate it locally no matter what the realm is but before
> authenticating it strip off the realm and just use everything before the @
> sign as the username.

Alan's hint to use LOCAL is still correct.  If you know the realms people will 
be using, you can list them in the proxy.conf file.  If you want to catch any 
realm not already defined and send that to local auth, that is pretty easy to 
accomplish.

Please read doc/proxy for a better understanding of how realms work with 
proxying, and also how the 2 special realms work.  If you're still stumped, 
post back with your questions.

Kevin Bonner


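What Alan DeKok describes as "configure a module to strip out everything after the @" for realms that are not in proxy.conf, as an added example that is not from this thread. It is written as 2.x unlang (the 1.1 series TS is running has no unlang) and assumes the stock "suffix" realm instance and the default files module key of "%{Stripped-User-Name:-%{User-Name}}"; the users entry in the comment is the bare "user1" form Alan asks for.

```unlang
# sites-enabled/default, FreeRADIUS 2.x: authorize section only.
# Added example; assumes "users" contains
#   user1  Cleartext-Password := "secret"
# with no "@realm" on the name.
authorize {
	preprocess

	# "suffix" splits User-Name at "@". For a realm listed in proxy.conf
	# it sets Stripped-User-Name (and Proxy-To-Realm unless LOCAL).
	# For an unknown realm it logs
	#   rlm_realm: No such realm "arealm.com"
	# and returns noop, leaving Stripped-User-Name unset.
	suffix

	# Unknown realm: authenticate locally on the part before the "@".
	# Names without an "@" fail the regex and are left alone (NULL realm).
	if (!Stripped-User-Name && (User-Name =~ /^([^@]+)@/)) {
		update request {
			Stripped-User-Name := "%{1}"
		}
	}

	# files keys on %{Stripped-User-Name:-%{User-Name}}, so "user1" matches
	# whether the user typed user1@arealm.com or user1@arealn.com.
	files
	pap
}
```

Known realms still go where proxy.conf sends them, because suffix has already set Stripped-User-Name for those before the if is reached, so the if fires only for realms it did not recognise. Two caveats: accounting and Simultaneous-Use checks that key on User-Name will see whatever realm the user typed unless the same stripping also runs in preacct, and the "@anything" acceptance means the realm carries no meaning at all, only the password does, which is what TS asks for. On 1.x, the two special realms Kevin refers to are NULL (no separator in the name) and DEFAULT (any realm not otherwise listed); a DEFAULT realm with authhost = LOCAL does the same catch-all locally without unlang.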

Re: EAP and realm question.

2007-09-16 Thread tnt
Realm - since you are not using realms it is as expected. You can forget
about that one.

EAP - yes, your AP doesn't have EAP (802.1x) enabled.

Ivan Kalik
Kalik Informatika ISP


On 16/9/2007, "Piero Giobbi" <[EMAIL PROTECTED]> wrote:

>Hi again all, sorry for spamming the list.
>
>I have two questions regarding EAP and REALM, realm first.
>
>In every request i get:
> rlm_realm: No '@' in User-Name = "00-17-f2-ea-b1-3e", looking up
>realm NULL
> rlm_realm: No such realm "NULL"
>
>I wonder what that means and if/how to turn that off? Or should I even care?
>
>EAP:
>I'm trying to get EAP working with my Proxim AP4000. When I auth I
>get (everything works great though, but I want the "secure line"
>between NAS and server (if I got it right? I don't like clear text.)):
>
>rad_recv: Access-Request packet from host 10.0.5.200:6001, id=4,
>length=151
> User-Name = "00-17-f2-ea-b1-3e"
> User-Password = "00-17-f2-ea-b1-3e"
> NAS-IP-Address = 10.0.5.200
> Called-Station-Id = "00-20-a6-6f-93-bf:My Wireless Network B"
> Calling-Station-Id = "00-17-f2-ea-b1-3e"
> NAS-Port = 9
> NAS-Port-Type = Wireless-802.11
>   Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "00-17-f2-ea-b1-3e", looking up
>realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
> users: Matched entry 00-17-f2-ea-b1-3e at line 96
>   modcall[authorize]: module "files" returns ok for request 0
>   modcall[authorize]: module "pap" returns updated for request 0
>modcall: leaving group authorize (returns updated) for request 0
>   rad_check_password:  Found Auth-Type pap
>auth: type "PAP"
>   Processing the authenticate section of radiusd.conf
>modcall: entering group PAP for request 0
>rlm_pap: login attempt with password 00-17-f2-ea-b1-3e
>rlm_pap: Using clear text password "00-17-f2-ea-b1-3e".
>rlm_pap: User authenticated successfully
>   modcall[authenticate]: module "pap" returns ok for request 0
>modcall: leaving group PAP (returns ok) for request 0
>Sending Access-Accept of id 4 to 10.0.5.200 port 6001
> Calling-Station-Id == "00-17-f2-ea-b1-3e"
> NAS-IP-Address = 82.182.120.201
> Called-Station-Id = "00-20-a6-6f-93-bf:My Wireless Network B"
> NAS-Port = 9
> NAS-Port-Type = Wireless-802.11
> Service-Type = Framed-User
> Framed-Routing = Broadcast-Listen
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 6 seconds..
>
>Does that mean that the AP4000 doesn't send an EAP-request or is my
>config somehow broken? Is there any way to tell? I tried to make my own
>certificates with CA.all in the script folder, but I got stuck on one
>place:
>
>error while loading serial number
>
>I read somewhere that i could put a file in demoCA-folder with
>numbers in but that doesn't work, the file serial "disappears" and
>the same error comes up. Anyone solved this?
>
>Error-message:
>+ openssl ca -policy policy_anything -out newcert.pem -passin
>pass:whatever -key whatever -extensions xpserver_ext -extfile
>xpextensions -infiles newreq.pem
>Using configuration from /usr/local/ssl/openssl.cnf
>../demoCA/serial: No such file or directory
>error while loading serial number
>31237:error:02001002:system library:fopen:No such file or
>directory:bss_file.c:352:fopen('./demoCA/serial','r')
>31237:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
>+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-
>srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
>No certificate matches private key
>+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin
>pass:whatever -passout pass:whatever
>31239:error:0D07207B:asn1 encoding routines:ASN1_get_object:header
>too long:asn1_lib.c:150:
>+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-
>srv.der
>unable to load certificate
>31240:error:0906D06C:PEM routines:PEM_read_bio:no start
>line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
>+ echo -e '\n\t\t##\n'
>
>
>Again, many thanks for all the help!
>
>p
>
>
>Startup info (yes, I know the EAP WARNINGS but I can't even get an
>EAP-message/error):
>debian:~# /usr/sbin/radiusd -v
>radiusd: FreeRADIUS Version 1.1.7, for host powerpc-unknown-linux-
>gnu, built on Sep 15 2007 at 09:59:30
>Copyright (C) 2000-2007 The FreeRADIUS server project.
>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>PARTICULAR PURPOSE.
>You may redistribute copies of FreeRADIUS under the terms of the
>GNU General Public License

Re: EAP and realm question.

2007-09-17 Thread A . L . M . Buxey
Hi,

> I have two questions regarding EAP an REALM, realm first.
> 
> In every request i get:
> rlm_realm: No '@' in User-Name = "00-17-f2-ea-b1-3e", looking up  
> realm NULL
> rlm_realm: No such realm "NULL"
> 
> I wonder what that mean if/how to turn that off? Or should i even care?

Don't worry! It simply means that it saw nothing in that User-Name that
would make it think there was a realm involved, e.g. no @ or % or \\ or
whatever else you might have defined as a realm separator. As it
saw no realm, the rlm_realm module does nothing, and reports
that you haven't defined what to do with a NULL realm (which is handled
locally by default).

As for EAP: the AP isn't sending EAP packets from the client to the server.

As for certs: you need the right type.

alan