Vendor Specific Attributes

2010-08-11 Thread Latha Krishnamurthi
 
Hi,
 
Is there a way to add vendor specific attributes to the RADIUS response without 
adding the vendor to the dictionary?
 
If the vendor is part of the dictionary, then I use pairmake with the attribute 
name as in the dictionary and this works.
 
pairmake("Cisco-AVpair", "", T_OP_SET);
 
Thanks,
Latha.


  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Vendor Specific Attributes

2005-10-20 Thread Daniel Corbe
Hello,

How do you get FreeRADIUS to stop ignoring VSAs?  I have a box that's
sending them and FreeRADIUS is simply ignoring them in rad_recv

rad_recv: Accounting-Request packet from host 10.10.0.90:1068, id=0, length=58
NAS-Identifier = "acme-sd"
Acct-Status-Type = Accounting-On
NAS-IP-Address = 10.10.0.90
NAS-Port = 0
Acct-Session-Id = "sd1#28249"

I know there are more attributes being sent than that because I can
see them in the RADIUS packet.

Any help/advice is appreciated.

Thanks.

-Daniel



Vendor-Specific Attributes

2004-05-07 Thread Kenneth Grady
I seem to be missing something. How should the values be defined in the
users file to achieve the specification below. Should I separate the
Cisco routers and the 3Com switches in the huntgroups file? Is it
permissible for there to be multiple Vendors Vendor-Specific values  on
a "users" entry re:

DEFAULT Service-Type == Administrative-User, Autz-Type := ADMINS,
Auth-Type := Kerberos
Service-Type = Administrative-User,
3com = 3Com-Administrator,
Cisco-AVPair = "xxx:whatever=3",
Fall-Through = no



3Com Vendor Specific Attribute 

The default user levels on the Switch (monitor, manager, admin) are
supported by a 3Com Vendor Specific Attribute (VSA). The Vendor-ID for
3Com is 43. You must configure the RADIUS server to send this attribute
in the Access-Accept message in order to specify the access level
required for each user account. The configurable attribute values are:

   Monitor (1)   the user can view all manageable parameters, except
special/security features, but cannot change any manageable parameters.

   Manager (2)   the user can access and change the operational
parameters but not special/security features.

   Administrator (3)   the user can access and change all manageable
parameters.

The attribute body consists of a 3Com Vendor type (1), Vendor data
length (6) and the Vendor data (4 octet integer containing the access
level value), as shown in Figure 25. 

Figure 25 3Com Vendor Specific Attribute 
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Type=26    |   Length=12   |     Vendor-Id = 3Com (43)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Vendor-Id (cont)        | 3Com type = 1 |  Length = 6   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       User-Access-Level                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

radiusd is receiving:
User-Name = "klg"
User-Password = "12345678"
NAS-Port-Type = Virtual
NAS-IP-Address = 111.111.11.111
Service-Type = Administrative-User
Framed-MTU = 1024
Calling-Station-Id = "123.123.123.123"
Message-Authenticator = 0x3ddf5a8a5d1177f4277dcd8ccc451b8a
Client-IP-Address = 123.123.123.124

It's authorizing, authenticating, and replying with
Packet-Type = Access-Accept
Service-Type = Administrative-User



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
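
The attribute in Figure 25, built and parsed in C as an added example; it is not code from the thread, the switch manual or FreeRADIUS. The function and macro names are made up for illustration, while the numbers (Type 26, Length 12, Vendor-Id 43, 3Com type 1, vendor length 6) come from the quoted manual text. The decoder checks each nested length against the enclosing one before reading.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_VENDOR_SPECIFIC 26  /* outer Type, per Figure 25 */
#define VENDOR_ID_3COM       43  /* Vendor-Id, per the manual text */
#define VTYPE_ACCESS_LEVEL    1  /* 3Com vendor type */
#define VLEN_ACCESS_LEVEL     6  /* vendor type + vendor length + 4 data octets */
#define ATTR_LEN_TOTAL       12  /* Type + Length + Vendor-Id (4) + vendor attribute (6) */

enum { LEVEL_MONITOR = 1, LEVEL_MANAGER = 2, LEVEL_ADMINISTRATOR = 3 };

/* Read a 32-bit big-endian (network order) integer. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Write the 12-octet attribute into out. Returns octets written, 0 on error. */
size_t encode_access_level(uint8_t *out, size_t outlen, uint32_t level)
{
    if (out == NULL || outlen < ATTR_LEN_TOTAL) return 0;
    if (level < LEVEL_MONITOR || level > LEVEL_ADMINISTRATOR) return 0;

    out[0] = ATTR_VENDOR_SPECIFIC;
    out[1] = ATTR_LEN_TOTAL;
    out[2] = 0;                       /* Vendor-Id, network byte order */
    out[3] = 0;
    out[4] = 0;
    out[5] = VENDOR_ID_3COM;
    out[6] = VTYPE_ACCESS_LEVEL;
    out[7] = VLEN_ACCESS_LEVEL;
    out[8] = (uint8_t)(level >> 24);  /* 4-octet integer, network byte order */
    out[9] = (uint8_t)(level >> 16);
    out[10] = (uint8_t)(level >> 8);
    out[11] = (uint8_t)level;
    return ATTR_LEN_TOTAL;
}

/*
 * Decode one attribute starting at buf (buflen octets are available).
 * Returns 0 and stores the level on success, -1 if the attribute is
 * malformed, -2 if it is well formed but is not the 3Com access level.
 */
int decode_access_level(const uint8_t *buf, size_t buflen, uint32_t *level)
{
    size_t attr_len, off;

    if (buf == NULL || level == NULL || buflen < 2) return -1;
    attr_len = buf[1];
    if (attr_len < 2 || attr_len > buflen) return -1;   /* outer length must fit */
    if (buf[0] != ATTR_VENDOR_SPECIFIC) return -2;
    if (attr_len < 8) return -1;        /* needs Vendor-Id plus a vendor header */
    if (be32(buf + 2) != VENDOR_ID_3COM) return -2;

    /* A VSA may carry several vendor sub-attributes; walk them all. */
    for (off = 6; off < attr_len; ) {
        size_t vlen;
        uint32_t v;

        if (attr_len - off < 2) return -1;
        vlen = buf[off + 1];
        if (vlen < 2 || vlen > attr_len - off) return -1;  /* inner must fit outer */
        if (buf[off] == VTYPE_ACCESS_LEVEL) {
            if (vlen != VLEN_ACCESS_LEVEL) return -1;
            v = be32(buf + off + 2);
            if (v < LEVEL_MONITOR || v > LEVEL_ADMINISTRATOR) return -1;
            *level = v;
            return 0;
        }
        off += vlen;
    }
    return -2;
}

int main(void)
{
    uint8_t buf[ATTR_LEN_TOTAL];
    uint32_t level = 0;
    size_t i, n = encode_access_level(buf, sizeof buf, LEVEL_ADMINISTRATOR);

    for (i = 0; i < n; i++) printf("%02x ", (unsigned)buf[i]);
    printf("\n");
    if (decode_access_level(buf, n, &level) == 0)
        printf("access level = %u\n", (unsigned)level);
    return 0;
}
```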


Re: Vendor Specific Attributes

2010-08-12 Thread Alan DeKok
Latha Krishnamurthi wrote:
> Is there a way to add vendor specific attributes to the RADIUS response
> without adding the vendor to the dictionary.

  What's so hard about adding a dictionary entry for the attribute?

  Alan DeKok.


Re: Vendor Specific Attributes

2010-08-12 Thread Latha Krishnamurthi
 
Thanks for the prompt reply. I can defly do that, not an issue. I have a module 
running in freeradius. 
 
Assuming my module already handles delivering vendor specific attribute in the 
RADIUS response (this is available to me through some shared memory) and 
tomorrow there is a new vendor, then can I do it without releasing a new code ?
 
Thanks,
Latha.


Re: Vendor Specific Attributes

2010-08-12 Thread Alan DeKok
Latha Krishnamurthi wrote:
>  
> Thanks for the prompt reply. I can defly do that, not an issue. I have a
> module running in freeradius.
>  
> Assuming my module already handles delivering vendor specific attribute
> in the RADIUS response (this is available to me through some shared
> memory) and tomorrow there is a new vendor, then can I do it without
> releasing a new code ?

  Update the dictionaries.  That's what dictionaries are for.

  Alan DeKok.


Re: Vendor Specific Attributes

2010-08-12 Thread Latha Krishnamurthi
 
Thanks Alan. Will do that.
 
-Latha.


Vendor specific attributes, tags

2005-05-13 Thread Metz, Frederic
Hi,

I have a question regarding Vendor Specific Radius attributes in Freeradius. 

I have a Vendor specific Radius attribute which is tagged with one byte in the 
beginning of the value field in the attribute. Currently we use Mysql database 
for writing the values of all attributes into the database. So when I have a 
vendor specific tagged attribute which comes i.e. twice in a Radius-Packet, I 
want to bring the data of the attribute with tag 1 into field 1 and with tag 2 
into field 2 in mysql. But Sql.conf has only one variable (%{Attribute}) for 
that. I didn't find any spec which allows vendor specific tagging. Can someone 
help me ?

Regards
Frédéric

---
Frédéric-Philippe Metz, Tel.: +49 911 6910 7712
Deutsche Telekom AG, T-Com, Research & Development
---

RE: Vendor Specific Attributes

2005-10-20 Thread Guy Davies
Which VSAs are you sending in the accounting packet?

Are they correctly enumerated in a dictionary file?  Is the dictionary
file referenced in the main dictionary file?

Can you send us the accounting packet you're seeing?

Rgds,

Guy 



Re: Vendor Specific Attributes

2005-10-24 Thread Alan DeKok
Daniel Corbe <[EMAIL PROTECTED]> wrote:
> How do you get FreeRADIUS to stop ignoring VSAs?  I have a box that's
> sending them and FreeRADIUS is simply ignoring them in rad_recv

  If you're using 1.0.5, it will accept any kind of VSA in any format.

> I know there are more attributes being sent than that because I can
> see them in the RADIUS packet.

  Using what tool?  rad_recv() prints out the attributes it receives.

  Alan DeKok.


Re: Vendor-Specific Attributes

2004-05-07 Thread Alan DeKok
Kenneth Grady <[EMAIL PROTECTED]> wrote:
> I seem to be missing something. how should the values be defined in the
> users file to achieve the specification below.

  Use the 3com dictionary from the latest CVS snapshot.

> 3com = 3Com-Administrator,

  That won't work.

  See the 3com dictionary.

  Alan DeKok.



Vendor-Specific attributes in Modules

2008-04-18 Thread Vincent Arniego
Hi there,

I'm working on a module on radius for a Nokia client.

Somehow, by dumping, I was able to verify that the Vendor Specific attrib is 
using code 1. So I just added this entry in the dictionary.nokia (as there is 
no code 1 in the present dictionary). I named this attribute Nokia-Avpair.

Going back,

I'm creating a module that gets the value of these attributes.
But for now I'm just testing how to get the values of these attributes.

According to the modules wiki 
http://wiki.freeradius.org/Modules#Accessing_Radius_Request_Attributes
I just have to put NOKIA_AVPAIR to get the value but
it isn't recognized if I compile the module:

/usr/local/src/freeradius-server-2.0.3/libtool --mode=compile gcc  -g -O2 
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG 
-I/usr/local/src/freeradius-server-2.0.3/src 
-I/usr/local/src/freeradius-server-2.0.3/libltdl -I/usr/include -c rlm_sqlite.c
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE 
-DNDEBUG -I/usr/local/src/freeradius-server-2.0.3/src 
-I/usr/local/src/freeradius-server-2.0.3/libltdl -I/usr/include -c rlm_sqlite.c 
 -fPIC -DPIC -o .libs/rlm_sqlite.o
rlm_sqlite.c: In function `sqlite_accounting':
rlm_sqlite.c:186: error: `NOKIA_AVPAIR' undeclared (first use in this function)
rlm_sqlite.c:186: error: (Each undeclared identifier is reported only once
rlm_sqlite.c:186: error: for each function it appears in.)
rlm_sqlite.c:174: warning: unused variable `reply'
rlm_sqlite.c:175: warning: unused variable `state'
rlm_sqlite.c:179: warning: unused variable `buf'
make: *** [rlm_sqlite.lo] Error 1


I don't know if I'm just wrong here or something. Creating modules for 
freeradius is a little bit new to me. Hope someone can help me. Thanks!





  


Proxim Wireless - Vendor Specific Attributes

2012-07-20 Thread Simha

All,

Will FreeRADIUS support Proxim Wireless (IANA ID - 841) - Vendor 
Specific Attributes?


I have few Tsunami 8000 - MP-8100-BSU and MP-8150-CPEs and need to 
provision VLAN and QoS using FreeRADIUS.


Any information in this regard will be helpful.

BR,
Simha.



Re: Vendor specific attributes, tags

2005-05-13 Thread Alan DeKok
"Metz, Frederic" <[EMAIL PROTECTED]> wrote:
> I have a Vendor specific Radius attribute which is tagged with one byte
> in the beginning of the value field in the attribute.

  That's pretty non-standard.

> So when I have a vendor specific tagged attribute which comes
> i.e. twice in a Radius-Packet, I want to bring the data of the
> attribute with tag 1 into field 1 and with tag 2 into field 2 in mysql.
> But Sql.conf has only one variable (%{Attribute}) for that. I didn't
> find any spec which allows vendor specific tagging. Can someone help me

  I've never heard of this before, which is why there's no support for
it in the server.  i.e. You're the first person to ask for this.

  My suggestion is code modifications to convert the VSA into a more
standard format.  There's really no simple way to do it without
writing C code.

  Alan DeKok.



Re: Vendor specific attributes, tags

2005-06-07 Thread Metz, Frederic
Hi,

so Alan, one more question:

what is non-standard ?? maybe there was a misunderstanding.

I have a usual vendor specific attribute, but in the beginning of the "String" 
field there is a tag of 1 byte. Isn't it right that you can put anything in the 
"string" field in case of vendor specific attributes, that's the argument of the 
vendor, which also delivers the Radius-Server :-) but we want to use 
freeRadius. Another argument of the vendor is that our Radius-Server 
(freeRadius) isn't able to understand vendor-specific attributes with tagged 
fields.

I am quite a bit confused now. So this attribute conforms to the RFC?, but 
the credentials are in proprietary format, right ??

Thanks a lot.

Frederic




Re: Vendor specific attributes, tags

2005-06-07 Thread Alan DeKok
"Metz, Frederic" <[EMAIL PROTECTED]> wrote:
...

  PLEASE don't CC me on posts to the list.  I already get enough mail.
If I get enough duplicates from someone, I just delete all of their
messages unread.

> what is non-standard ?? maybe there was a misunderstanding.

  non-standard == not defined in the RFC's.

> I have a usual vendor specific attribute, but in the beginning of
> the "String" field there is a tag of 1 byte.

  Yes, I'm very clear on that.

> Isn't it right that you can put anything in the "string" field in
> case of vendor specific attributes, that's the argument of the
> vendor, which also delivers the Radius-Server :-)

  Yes, that's true.

> but we want to use freeRadius. Another argument of the vendor is
> that our Radius-Server (freeRadius) isn't able to understand
> vendor-specific attributes with tagged fields.

  *No* RADIUS server I know of supports that.  It's non-standard.

  If your client uses it, then *no* radius server will be able to
understand those attributes.

> I am quite a bit confused now. So this attribute conforms to the
> RFC?, but the credentials are in proprietary format, right ??

  Yes.  But you also said:

> > I want to bring the data of the attribute with tag 1 into field 1
> > and with tag 2 into field 2 in mysql.

  Let me repeat myself again: NO RADIUS SERVER I KNOW OF CAN DO THIS
TODAY.

  It's non-standard.

  If you want FreeRADIUS to do it, then write C code to interpret the
attributes, because the default configuration of FreeRADIUS does not
understand these attributes, because they're non-standard.

  In nearly 10 years of working RADIUS, this is the first time I've
seen this kind of attribute.


  The benefit with using FreeRADIUS is that you *can* fix it to do
what you want.  With commercial servers, you can't.

  Alan DeKok.



Re: Vendor-Specific attributes in Modules

2008-04-18 Thread Alan DeKok
Vincent Arniego wrote:
> I'm creating a module that gets the value of these attributes.
> But for now I'm just testing how to get the values of these attributes.
> 
> According to the modules wiki
> http://wiki.freeradius.org/Modules#Accessing_Radius_Request_Attributes
> I just have to put NOKIA_AVPAIR to get the value 

  No.  The attribute names for *compilation* are defined in
src/include/radius.h.  If you need a nokia VSA, define it there.  Look
at PW_MSCHAP_RESPONSE for an example of defining a VSA.

  Alan DeKok.


Re: Vendor-Specific attributes in Modules

2008-04-18 Thread Vincent Arniego
Hi Alan,

Thanks for the help, it worked. We're getting the attributes.

But somehow the messages we're getting have that attribute around 3 times in 
the request.

This is from the file we're feeding radclient:

Nokia-Avpair="ita:ubi=0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0"
Nokia-Avpair+="ita:ubo=0/231/75672/97893/864/55/5676/247/235578/46759/110/12118/76812/1978453/1534/15359/11246"
Nokia-Avpair+="ita:sc=0/1/2/3/4/5/6/7/8/9/10/11/12/13/14/15/16"

How do we distinguish each of the values for parsing in the module?

Thanks!



Re: Vendor-Specific attributes in Modules

2008-04-18 Thread Alan DeKok
Vincent Arniego wrote:
> But somehow the messages we're getting have that attribute around 3
> times in the request.

  That's allowed in RADIUS.

> This is from the file we're feeding radclient:
> 
> Nokia-Avpair="ita:ubi=0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0"
> Nokia-Avpair+="ita:ubo=0/231/75672/97893/864/55/5676/247/235578/46759/110/12118/76812/1978453/1534/15359/11246"
> Nokia-Avpair+="ita:sc=0/1/2/3/4/5/6/7/8/9/10/11/12/13/14/15/16"
> 
> How do we distinguish each of the values for parsing in the module?

  The attributes are in a "linked list" in request->packet->vps.

  Look at the rest of the code to see how it manipulates the list.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
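
One way to tell the repeated Nokia-Avpair instances apart while walking a linked list, as an added example that is not FreeRADIUS source and not code from this thread. `struct vp` is a simplified stand-in for the server's pair list and the function names are hypothetical; the sample values are the three lines from the radclient input quoted above.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the server's attribute list (hypothetical type). */
struct vp {
    const char *name;
    const char *value;
    const struct vp *next;
};

/* Constructed sample request: one unrelated attribute, then three Nokia-Avpair. */
static const struct vp vp_sc = { "Nokia-Avpair",
    "ita:sc=0/1/2/3/4/5/6/7/8/9/10/11/12/13/14/15/16", NULL };
static const struct vp vp_ubo = { "Nokia-Avpair",
    "ita:ubo=0/231/75672/97893/864/55/5676/247/235578/46759/110/12118/76812/1978453/1534/15359/11246",
    &vp_sc };
static const struct vp vp_ubi = { "Nokia-Avpair",
    "ita:ubi=0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0", &vp_ubo };
static const struct vp vp_user = { "User-Name", "test", &vp_ubi };

const struct vp *sample_request(void)
{
    return &vp_user;
}

/*
 * Walk the list and return the instance of attribute `name` whose value
 * starts with "<key>=". The same attribute may appear many times, so the
 * key inside the value is what distinguishes one instance from another.
 */
const struct vp *find_avpair(const struct vp *head, const char *name, const char *key)
{
    size_t klen = strlen(key);

    for (const struct vp *vp = head; vp != NULL; vp = vp->next) {
        if (strcmp(vp->name, name) != 0) continue;
        if (strncmp(vp->value, key, klen) == 0 && vp->value[klen] == '=')
            return vp;
    }
    return NULL;
}

/*
 * Parse the '/'-separated unsigned counters after the '='.
 * Returns the number of counters stored, or -1 if the value is malformed
 * or holds more than `max` counters. The value comes from the network,
 * so every field is checked rather than trusted.
 */
int parse_counters(const char *value, unsigned long *out, size_t max)
{
    const char *p = strchr(value, '=');
    size_t n = 0;

    if (p == NULL) return -1;
    p++;
    for (;;) {
        char *end;
        unsigned long v;

        /* strtoul would accept spaces and signs; insist on a digit first. */
        if (!isdigit((unsigned char)*p)) return -1;
        errno = 0;
        v = strtoul(p, &end, 10);
        if (errno == ERANGE) return -1;
        if (n == max) return -1;
        out[n++] = v;
        if (*end == '\0') return (int)n;
        if (*end != '/') return -1;
        p = end + 1;
    }
}

int main(void)
{
    static const char *keys[] = { "ita:ubi", "ita:ubo", "ita:sc" };
    unsigned long counters[32];

    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        const struct vp *vp = find_avpair(sample_request(), "Nokia-Avpair", keys[i]);
        int n = vp ? parse_counters(vp->value, counters, 32) : -1;

        printf("%s: %d counters\n", keys[i], n);
    }
    return 0;
}
```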


Re: Vendor-Specific attributes in Modules

2008-04-18 Thread Vincent Arniego
Thanks Alan,

I'll take a look at it and hopefully I can get the value.

Thanks again!


Question on implementing Vendor-Specific Attributes

2008-10-20 Thread A BlueCoder
Hi Ivan,
Actually there are two attributes, and the values of attributes are not
static - they vary based on the NAS-Identifier attribute values.

(I can set up VSA to send static values - just the dynamic part, I don't have
good ideas).

Thanks for the help.

BC


 
>If it's just one attribute why bother with VSA. Use Reply-Message.
>Create DEFAULT entries in users file to send replies.

>Ivan Kalik
>Kalik Informatika ISP


returning Vendor specific attributes to aruba

2011-07-14 Thread Phil Brown
We are trying to use vendor specific attributes to provide different
services to users authenticating to our local radius system, rather
than users authenticating via proxy'd eduroam systems.

We are using freeradius version 2.1.10

and have added the below to the users file
 
DEFAULT Suffix == "@port.ac.uk"
Aruba-User-Role = ROLE-EDUROAM-INT,
Aruba-User-Vlan = 128,
Class = ROLE-EDUROAM-INT,
Fall-Through = Yes

As far as I can tell, from the reply-detail log below & Wireshark, Radius
is returning the values. But the support guy is not seeing them on his
wireless server. The first packets he sees are the MS-MPPE- packets.
Can anyone advise as to how to get this working?


Packet-Type = Access-Accept
Aruba-User-Role = "ROLE-EDUROAM-INT"
Aruba-User-Vlan = 128
Class = 0x524f4c452d454455524f414d2d494e54
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
MS-MPPE-Send-Key = 0xd1b37a684ca34b56aac068907f687067
MS-MPPE-Recv-Key = 0x0bb8b13849577453ba36e4de9dd7aafc
EAP-Message = 0x030c0004
Message-Authenticator = 0x
User-Name = "knighta"

Thu Jul 14 10:30:31 2011
Packet-Type = Access-Accept
MS-MPPE-Recv-Key = 0xf83b0cc1823377adaf6a4439054fd198eb9fb762b47dd4eaea5c8a90383af353
MS-MPPE-Send-Key = 0x98085e780f78ef5837581667c796ddbf3d8c317cdcd1c7b4b5b9742091b84253
EAP-MSK = 0xf83b0cc1823377adaf6a4439054fd198eb9fb762b47dd4eaea5c8a90383af35398085e780f78ef5837581667c796ddbf3d8c317cdcd1c7b4b5b9742091b84253
EAP-EMSK = 0x4268b7d02ec96bd566a0bb48ae21733f55f1da5ec296f959c84a83bd67a2cc45ce19f0c69924b9e9ed034f74eac19c8d904efbd4279b31499df4366ab6bbcf11
EAP-Message = 0x030d0004
Message-Authenticator = 0x
User-Name = "monkey"


Re: Proxim Wireless - Vendor Specific Attributes

2012-07-20 Thread Arran Cudbard-Bell

On 20 Jul 2012, at 19:49, Simha wrote:

> All,
> 
> Will FreeRADIUS support Proxim Wireless (IANA ID - 841) - Vendor Specific 
> Attributes?
> 
> I have few Tsunami 8000 - MP-8100-BSU and MP-8150-CPEs and need to provision 
> VLAN and QoS using FreeRADIUS.
> 
> Any information in this regard will be helpful.

I don't know… will it? Are they in some way magical and non standard?

-Arran


Re: Proxim Wireless - Vendor Specific Attributes

2012-07-20 Thread Alan DeKok
Simha wrote:
> Will FreeRADIUS support Proxim Wireless (IANA ID - 841) - Vendor
> Specific Attributes?

  See the "share" directory in the distribution "tar" file.  If it has a
proxim dictionary, then it's supported.  Otherwise, not.

> I have few Tsunami 8000 - MP-8100-BSU and MP-8150-CPEs and need to
> provision VLAN and QoS using FreeRADIUS.
> 
> Any information in this regard will be helpful.

  This is an open source project.  ALL information is open and
available.  There is no hidden set of secret dictionaries.

  You can look at the source yourself to see which dictionaries are
supported.

  Alan DeKok.


Logging Vendor Specific Attributes in MySQL

2004-10-19 Thread Wade Kemp
I have just got freeradius 1.0.1 up on a solaris 9 machine, and my boss 
wants to be able to log some of
the vendor specific information in the start/stop packets.  Anyone have 
a pointer where I should look to be able to add those attributes to the 
logging ?

Thanks in advance
Wade


Adding vendor specific attributes to dictionary

2009-10-09 Thread Patric

Hi all :)

Hope someone can point me in the right direction once again!

freeradius v 2.1.3

I am attempting to add vendor specific attributes to my dictionary 
without success :(


I was given the following information to add:

Class   Number  Attribute   Value  Type
VENDORATTR  12345   Vendor-Attribute-A  1  string
VENDORATTR  12345   Vendor-Attribute-A  2  string


Now since VENDORATTR is not a freeradius dictionary format I assume this 
comes from a different RADIUS server, which I need to now implement in 
my freeradius dictionary.


I have had a look at the dictionary man page, and see that one can use 
ATTRIBUTE for this, but since the Number is the same for both attributes 
I would assume that I need to define a vendor  specific  attribute  
encapsulation so that I can list multiple attributes for this vendor, 
but this does not seem to be working for me - This is what I have done:


File dictionary:


$INCLUDE/usr/share/freeradius/dictionary
$INCLUDE/etc/raddb/dictionary.myvendor


File dictionary.myvendor:
-

VENDOR   MyVendor 12345
BEGIN-VENDOR MyVendor
   ATTRIBUTE Vendor-Attribute-A 1 string
   ATTRIBUTE Vendor-Attribute-B 2 string
END-VENDOR   MyVendor


When I attempt to start my freeradius server with this dictionary file 
all I get is the following message to std out:


Errors reading dictionary: dict_init: /etc/raddb/dictionary.myvendor[1]: 
dict_init: /etc/raddb/dictionary.myvendor[1]: dict_init: /etc/


That's it - even in debug mode no other message is printed.

Any pointers would as always be very much appreciated :)

Many thanks and have a great Friday,
Patric


HUAWEI MA5200G and Vendor Specific Attributes

2011-05-17 Thread Ali Majdzadeh
Hello All
I’m using freeradius 1.1.8 with a C external program for auth/acct. I’m
sending attributes to RAS by printf . RAS type is HUAWEI MA5200G And I send
attributes as follows:



printf("Session-Timeout=%d",session_time);

printf(",\nInput-Peak-Rate=%d",(int)rx_burst);

printf (",\nInput-Average-Rate=%d",(int)rx_rate);

printf(",\nOutput-Peak-Rate=%d",(int)tx_burst);

printf(",\nOutput-Average-Rate=%d",(int)tx_burst);



The last 4 lines are HUAWEI vendor specific attributes. MA5200G RAS Debug
does not show any attributes inside of auth request. I remove the HUAWEI
vendor specific attributes (the last 4 lines), RAS shows the standard
attributes correctly. What is the problem? HUAWEI says it supports only
radius 1.1, so does freeradius support 1.1 when sending attributes by printf
via external program or not?

Re: Question on implementing Vendor-Specific Attributes

2008-10-20 Thread A BlueCoder
On Mon, Oct 20, 2008 at 12:09 AM, A BlueCoder <[EMAIL PROTECTED]>wrote:

>  Hi,
>
> I have a need to implement Vendor-Specific Attributes using a FreeRadius
> approach (version 0.9.3 on Solaris).
>
> I understand probably rewriting a rml module would solve this problem and
> probably the most effective way. However, given the shortage of time, i
> would like to explore configuration options (without code writing) if
> possible.
>
> Here are the requirements:
>
> 1. Access-Request Requests;
>
> 2. Request Attributes -- with VSA (implemented with a Vendor-specific
> dictionary).
>
> 3. Response Attributes -- with VSA (implemented with a Vendor-specific
> dictionary).
>
> 4. There is a map from attributes in (2) to (3), which is what i am trying
> to implement.
>
> e.g.
>
> If the request NAS-IP-Address = 111.111.111.111,  i would like to response
> with attribute:  VSA1 = 1001,
>  If the request NAS-IP-Address = 111.111.111.112,  i would like to
> response with attribute:  VSA1 = 1002,
>  If the request NAS-IP-Address = 111.111.111.113,  i would like to
> response with attribute:  VSA1 = 1003,
>  If the request NAS-IP-Address = 111.111.111.114,  i would like to
> response with attribute:  VSA1 = 1004,
>
> etc
>
> What's the best way which i can configure without writing a full-fledged rlm
> module?
>
> Thanks in advance,
>
> BC
>
>
>
>

Re: Question on implementing Vendor-Specific Attributes

2008-10-20 Thread tnt
If it's just one attribute why bother with VSA. Use Reply-Message.
Create DEFAULT entries in users file to send replies.

Ivan Kalik
Kalik Informatika ISP

On 20/10/2008, "A BlueCoder" <[EMAIL PROTECTED]> wrote:

>On Mon, Oct 20, 2008 at 12:09 AM, A BlueCoder <[EMAIL PROTECTED]>wrote:
>
>>  Hi,
>>
>> I have a need to implement Vendor-Specific Attributes using a FreeRadius
>> approach (version 0.9.3 on Solaris).
>>
>> I understand probably rewriting an rlm module would solve this problem and
>> probably the most effective way. However, given the shortage of time, i
>> would like to explore configuration options (without code writing) if
>> possible.
>>
>> Here are the requirements:
>>
>> 1. Access-Request Requests;
>>
>> 2. Request Attributes -- with VSA (implemented with a Vendor-specific
>> dictionary).
>>
>> 3. Response Attributes -- with VSA (implemented with a Vendor-specific
>> dictionary).
>>
>> 4. There is a map from attributes in (2) to (3), which is what i am trying
>> to implement.
>>
>> e.g.
>>
>> If the request NAS-IP-Address = 111.111.111.111,  i would like to response
>> with attribute:  VSA1 = 1001,
>>  If the request NAS-IP-Address = 111.111.111.112,  i would like to
>> response with attribute:  VSA1 = 1002,
>>  If the request NAS-IP-Address = 111.111.111.113,  i would like to
>> response with attribute:  VSA1 = 1003,
>>  If the request NAS-IP-Address = 111.111.111.114,  i would like to
>> response with attribute:  VSA1 = 1004,
>>
>> etc
>>
>> What's the best way which i can configure without writing a full-fledged rlm
>> module?
>>
>> Thanks in advance,
>>
>> BC
>>
>>
>>
>>
>
>



Re: Question on implementing Vendor-Specific Attributes

2008-10-20 Thread Alan DeKok
A BlueCoder wrote:
> Actually there are two attributes, and the values of attributes are not
> static - they vary based on the NAS-Identifier attribute values.

$ man unlang

  You can create attributes based on the value of other attributes.

> (I can set up VSA to send static values - just the dynamic part, I don't
> have good ideas).

  This is documented.

  Alan DeKok.


Re: returning Vendor specific attributes to aruba

2011-07-14 Thread Phil Mayers

On 14/07/11 13:34, Phil Brown wrote:


> As far as I can tell, from the reply-detail log below & wireshark, Radius
> is returning the values. But the support guy is not seeing them on his
> wireless server. The first packets he sees are the MS-MPPE- packets.
> Can anyone advise as to how to get this working.


A full debug is needed to advise really.

Wild guess; you are setting these attributes in "inner-tunnel" server, 
and you don't have:


 peap {
   use_tunneled_reply = yes
 }
 ttls {
   use_tunneled_reply = yes
 }





>  Packet-Type = Access-Accept
>  Aruba-User-Role = "ROLE-EDUROAM-INT"
>  Aruba-User-Vlan = 128
>  Class = 0x524f4c452d454455524f414d2d494e54
>  MS-MPPE-Encryption-Policy = 0x0001
>  MS-MPPE-Encryption-Types = 0x0006
>  MS-MPPE-Send-Key = 0xd1b37a684ca34b56aac068907f687067
>  MS-MPPE-Recv-Key = 0x0bb8b13849577453ba36e4de9dd7aafc
>  EAP-Message = 0x030c0004
>  Message-Authenticator = 0x
>  User-Name = "knighta"
>
> Thu Jul 14 10:30:31 2011
>  Packet-Type = Access-Accept
>  MS-MPPE-Recv-Key =


Where did the above output come from? As in, where did you capture the 
packet?



Re: Logging Vendor Specific Attributes in MySQL

2004-10-19 Thread Alan DeKok
Wade Kemp <[EMAIL PROTECTED]> wrote:
> I have just got freeradius 1.0.1 up on a solaris 9 machine, and my boss 
> wants to be able to log some of
> the vendor specific information in the start/stop packets.  Anyone have 
> a pointer where I should look to be able to add those attributes to the 
> logging ?

  raddb/sql.conf contains the queries which log attributes.  The
schemas are in src/modules/rlm_sql/drivers/rlm_sql_whatever/

  Alan DeKok.




Re: Adding vendor specific attributes to dictionary

2009-10-09 Thread Ivan Kalik
> I am attempting to add vendor specific attributes to my dictionary
> without success :(
>
> I was given the following information to add:
>
> Class   Number  Attribute   Value  Type
> VENDORATTR  12345   Vendor-Attribute-A  1  string
> VENDORATTR  12345   Vendor-Attribute-A  2  string
>
>
> Now since VENDORATTR is not a freeradius dictionary format I assume this
> comes from a different RADIUS server, which I need to now implement in
> my freeradius dictionary.
>
> I have had a look at the dictionary man page, and see that one can use
> ATTRIBUTE for this, but since the Number is the same for both attributes
> I would assume that I need to define a vendor  specific  attribute
> encapsulation so that I can list multiple attributes for this vendor,
> but this does not seem to be working for me - This is what I have done:
>
> File dictionary:
> 
>
> $INCLUDE /usr/share/freeradius/dictionary
> $INCLUDE /etc/raddb/dictionary.myvendor
>
>
> File dictionary.myvendor:
> -
>
> VENDOR   MyVendor 12345
> BEGIN-VENDOR MyVendor
> ATTRIBUTE Vendor-Attribute-A 1 string
> ATTRIBUTE Vendor-Attribute-B 2 string
> END-VENDOR   MyVendor


That looks OK.

> When I attempt to start my freeradius server with this dictionary file
> all I get is the following message to std out:
>
> Errors reading dictionary: dict_init: /etc/raddb/dictionary.myvendor[1]:
> dict_init: /etc/raddb/dictionary.myvendor[1]: dict_init: /etc/

Check stuff like permissions on the file.

Ivan Kalik
Kalik Informatika ISP



Re: Adding vendor specific attributes to dictionary

2009-10-09 Thread Patric


Ivan Kalik wrote:

>> ...
>> File dictionary.myvendor:
>> -
>>
>> VENDOR   MyVendor 12345
>> BEGIN-VENDOR MyVendor
>> ATTRIBUTE Vendor-Attribute-A 1 string
>> ATTRIBUTE Vendor-Attribute-B 2 string
>> END-VENDOR   MyVendor
>
> That looks OK.

As always thank you for your reply Ivan :)

I have narrowed the problem down to the number field. The actual number 
I have been given to use is 32768, and the problem seems to be the fact 
that the number is 5 digits long. If I make the number 4 digits long my 
server starts up without complaint.


Any suggestions?

Many thanks,
Patric


Re: Adding vendor specific attributes to dictionary

2009-10-09 Thread Alan DeKok
Patric wrote:
> I have narrowed the problem down to the number field. The actual number
> I have been given to use is 32768,

  Install 2.1.7.

  See doc/ChangeLog

  Alan DeKok.


Re: Adding vendor specific attributes to dictionary

2009-10-09 Thread Ivan Kalik
>>> File dictionary.myvendor:
>>> -
>>>
>>> VENDOR   MyVendor 12345
>>> BEGIN-VENDOR MyVendor
>>> ATTRIBUTE Vendor-Attribute-A 1 string
>>> ATTRIBUTE Vendor-Attribute-B 2 string
>>> END-VENDOR   MyVendor
>>
>>
>> That looks OK.
>
> I have narrowed the problem down to the number field. The actual number
> I have been given to use is 32768, and the problem seems to be the fact
> that the number is 5 digits long. If I make the number 4 digits long my
> server starts up without complaint.
>
> Any suggestions?

Vendor number must be smaller than 32K. 32766 is max.

Ivan Kalik
Kalik Informatika ISP



Re: Adding vendor specific attributes to dictionary

2009-10-09 Thread Patric


Alan DeKok wrote:

> Patric wrote:
>> I have narrowed the problem down to the number field. The actual number
>> I have been given to use is 32768,
>
>   Install 2.1.7.
>
>   See doc/ChangeLog

Aaah,

2.1.7 Changelog:

   * Allowed vendor IDs to be be higher than 32767.


Fantastic, upgrading now, thank you once again Alan & Ivan :)

Have a great weekend,
Patric
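
Added example, not part of the original thread: it parses the dictionary.myvendor layout discussed above and encodes one of its attributes as a Vendor-Specific attribute in the layout recommended by RFC 2865 section 5.26. On the wire the Vendor-Id is a 4-octet field whose high-order octet is 0, so 32768 is a valid value; the refusal came from servers older than 2.1.7, per the ChangeLog line quoted above. All function names are hypothetical and the sample dictionary is constructed from the thread.

```python
import struct

VENDOR_SPECIFIC = 26           # RADIUS attribute type carrying VSAs (RFC 2865, section 5.26)
PRE_2_1_7_MAX_VENDOR = 32767   # from the 2.1.7 ChangeLog line quoted in the thread

# Constructed sample: the thread's dictionary.myvendor with the vendor number
# Patric says he was actually given (32768).
SAMPLE_DICTIONARY = """\
VENDOR       MyVendor 32768
BEGIN-VENDOR MyVendor
ATTRIBUTE Vendor-Attribute-A 1 string
ATTRIBUTE Vendor-Attribute-B 2 string
END-VENDOR   MyVendor
"""


def parse_dictionary(text):
    """Parse the VENDOR / BEGIN-VENDOR / ATTRIBUTE / END-VENDOR subset.

    Returns (vendors, attributes): vendors maps name -> vendor number,
    attributes maps name -> (vendor number, attribute number, type).
    """
    vendors, attributes, current = {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        keyword = fields[0].upper()
        try:
            if keyword == "VENDOR":
                vendors[fields[1]] = int(fields[2])
            elif keyword == "BEGIN-VENDOR":
                current = vendors[fields[1]]
            elif keyword == "END-VENDOR":
                current = None
            elif keyword == "ATTRIBUTE":
                if current is None:
                    raise ValueError("ATTRIBUTE outside BEGIN-VENDOR")
                attributes[fields[1]] = (current, int(fields[2]), fields[3])
            else:
                raise ValueError("unsupported keyword " + fields[0])
        except (IndexError, KeyError, ValueError) as exc:
            raise ValueError("line %d: %r (%s)" % (lineno, raw, exc)) from None
    return vendors, attributes


def vendors_over_old_limit(vendors):
    """Vendor names whose number a pre-2.1.7 server would refuse, per the ChangeLog."""
    return sorted(n for n, num in vendors.items() if num > PRE_2_1_7_MAX_VENDOR)


def encode_vsa(vendor, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    if not 0 <= vendor <= 0xFFFFFF:
        raise ValueError("Vendor-Id must fit in 3 octets; the high-order octet is 0")
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor type must fit in one octet")
    if len(value) > 255 - 8:
        raise ValueError("value too long for one attribute")
    inner = bytes([vendor_type, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(inner) + 6]) + struct.pack("!I", vendor) + inner


def decode_vsa(data):
    """Return (vendor, [(vendor_type, value), ...]) for one Vendor-Specific attribute.

    Assumes the recommended vendor type / vendor length sub-attribute layout.
    """
    if len(data) < 8 or data[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    if data[1] != len(data):
        raise ValueError("attribute length does not match the data")
    vendor = struct.unpack("!I", data[2:6])[0]
    subattrs, pos = [], 6
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = data[pos], data[pos + 1]
        if vlen < 2 or pos + vlen > len(data):
            raise ValueError("bad sub-attribute length")
        subattrs.append((vtype, data[pos + 2:pos + vlen]))
        pos += vlen
    return vendor, subattrs


def encode_by_name(attributes, name, text):
    """Encode a 'string' attribute looked up in the parsed dictionary."""
    vendor, number, kind = attributes[name]
    if kind != "string":
        raise ValueError("only 'string' is handled in this example")
    return encode_vsa(vendor, number, text.encode("utf-8"))


if __name__ == "__main__":
    vendors, attributes = parse_dictionary(SAMPLE_DICTIONARY)
    print("refused before 2.1.7:", vendors_over_old_limit(vendors))
    wire = encode_by_name(attributes, "Vendor-Attribute-A", "hello")
    print(wire.hex(), decode_vsa(wire))
```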


Re: HUAWEI MA5200G and Vendor Specific Attributes

2011-05-17 Thread Alan DeKok
Ali Majdzadeh wrote:
> I’m using freeradius 1.1.8 

  Upgrade.

> with a C external program for auth/acct. I’m
> sending attributes to RAS by printf . RAS type is HUAWEI MA5200G And I
> send attributes as follows:
...
> printf(",\nInput-Peak-Rate=%d",(int)rx_burst);

  Read dictionary.huawei.  These are not the correct attribute names.

> the last 4 lines are HUAWEI vendor specific attributes. MA5200G RAS
> Debug 

  Run the server in debugging mode as suggested in the FAQ, README,
INSTALL, "man" page, web pages, and daily on this list.

  Really.  Reading the RAS debug log is a waste of your time.  Reading
the *existing* FreeRADIUS documentation isn't.

> What is the problem?

  You're not following the existing documentation.

> HUAWEI says it support only radius 1.1,

  They have no idea what they're talking about.  Ignore them.

> So does freeradius support 1.1 when sending
> attributes by printf via external program or not?

  The question makes no sense, and no answer is possible.

  Alan DeKok.


Re: Problem of proxying Vendor Specific Attributes (VSA)!

2006-07-05 Thread Stefan Winter
Hi,

> How can i indicate to the proxy to keep the VSA it receive from the Radius
> Server? there is no option in the configuration files to force him to keep
> the VSA?

What do you mean by "keeping"? Logging it? In that case, enable 
post_proxy_detail and pre_proxy_detail logging, they log everything that goes 
through.

BTW: please ask via the mailing list. Others may have the same question.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: Problem of proxying Vendor Specific Attributes (VSA)!

2006-07-05 Thread Stefan Winter
> >What do you mean by "keeping"? Logging it? In that case, enable
> >post_proxy_detail and pre_proxy_detail logging, they log everything that
>
> goes
>
> >through.
>
> In fact , i would like to know if there is an option to specify the proxy
> not deleting the VSA located in the access-reject response of the server
> when the proxy send the access-reject to the client?(keep the VSA)
>
> Clearer, currently, my Radius server send to the proxy an access-reject
> with VSA and when the proxy receive these packet, it send the same packet
> to the client so an access-reject packet but with no VSA (it seem to delete
> them).
>
> So currently, i have:
> *Server Radius*>>>*packet access-reject with VSA**Proxy
> Radius*>>>*packet access-reject without VSA>>**Client Radius*
>
>
>
> So what i would like is:
>
> *Server Radius*>>>*packet access-reject with VSA**Proxy
> Radius*>>>*packet access-reject with VSA>>**Client Radius*
>
> **

you've asked that question before. My answer was: this is not supposed to work 
because it probably violates the RFC. What you could try is to add your VSAs 
to the FreeRADIUS dictionaries, and specify in "attrs" the exact VSA you want 
to, not the generic VSA identifier for your vendor id. Maybe you can convince 
the server then. I wouldn't bet on it though.

Further messages via private mail will be ignored, ask the _mailing list_.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Jakub Pech

Hello,

please can anybody give me a hint how to get vendor specific attributes 
from LDAP and send it to the NAS? My freeradius version is 2.1.7-7.el5.


When I authenticate against the users file, everything works well.

rad_recv: Access-Request packet from host 31.186.188.2 port 60528, 
id=101, length=73

User-Name = "rad-oper"
User-Password = "rad-oper"
NAS-Identifier = "ar-srx100-default"
NAS-IP-Address = 31.186.188.2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rad-oper", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry rad-oper at line 53
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "rad-oper"
[pap] Using clear text password "rad-oper"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 101 to 31.186.188.2 port 60528
Juniper-Local-User-Name := "class2"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 101 with timestamp +302
Ready to process requests.


As you can see, I need to send Vendor Specific Attribute : 
Juniper-Local-User-Name := "class2" which is associated with group of 
available commands on device.


On OpenLDAP I edited the schema and added

attributetype ( 1.3.6.1.1.1.1.28 NAME 'radiusJuniperLocalUserName'
DESC 'Juniper Auth Class'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.1.1.2.13 NAME 'radiusprofile'
DESC 'Abstraction of an account with RADIUS attributes'
SUP top AUXILIARY
MAY radiusJuniperLocalUserName )

Then I've added these items to my test user "pech".

On freeradius server I've edited:

1. ldap.attrmap
checkItem Juniper-Local-User-Name radiusJuniperLocalUserName
replyItem Juniper-Local-User-Name radiusJuniperLocalUserName


2. modules/ldap
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "10.10.x.y"
identity = "cn=sa,dc=viphone,dc=eu"
password = testtest
basedn = "dc=viphone,dc=eu"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"


Now when I try to authenticate LDAP user "pech" I'll get:

rad_recv: Access-Request packet from host 31.186.188.2 port 60647, 
id=85, length=69

User-Name = "pech"
User-Password = "securepassword"
NAS-Identifier = "ar-srx100-default"
NAS-IP-Address = 31.186.188.2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pech", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "securepassword"
[pap] Using CRYPT encryption.
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 85 to 31.186.188.2 port 60647
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 85 with timestamp +17
Ready to process requests.

So the user is authenticated but no Juniper-Local-User-Name attribute 
have been sent.



Thank you very much for your help.


Kind regards,

Jakub Pech
System Developer
--
Spinoco Czech Republic, a.s.
Šafránkova 1243/3
155 00 Praha 5

tel +420 257 895 495
jakub.p...@spinoco.com
www.spinoco.com

Spinoco – corporate communications


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Alan DeKok
Jakub Pech wrote:
> please can anybody give me a hint how to get vendor specific attributes
> from LDAP and send it to the NAS? My freeradius version is 2.1.7-7.el5.

  See the ldap.attrmap file.  This is documented.

  VSAs are just attributes.  Use the name.  Nothing else needs to be done.

> When I authenticate against the users file, everything works well.
...
> So the user is authenticated but no Juniper-Local-User-Name attribute
> have been sent.

  Well... where did you define it?

  Alan DeKok.


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Jakub Pech

Hi,

> See the ldap.attrmap file. This is documented.
I sent the rows I've added to ldap.attrmap in my previous mail. Is there 
anything wrong??


> Well... where did you define it?
First in users file for testing purposes. Worked OK. Then in LDAP.


Thanks Jakub


On 24.11.11 13:08, Alan DeKok wrote:

> Jakub Pech wrote:
>> please can anybody give me a hint how to get vendor specific attributes
>> from LDAP and send it to the NAS? My freeradius version is 2.1.7-7.el5.
>
>    See the ldap.attrmap file.  This is documented.
>
>    VSAs are just attributes.  Use the name.  Nothing else needs to be done.
>
>> When I authenticate against the users file, everything works well.
> ...
>> So the user is authenticated but no Juniper-Local-User-Name attribute
>> have been sent.
>
>    Well... where did you define it?
>
>    Alan DeKok.


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Fajar A. Nugraha
On Thu, Nov 24, 2011 at 7:30 PM, Jakub Pech  wrote:
> Hi,
>
>> See the ldap.attrmap file. This is documented.
> I sent the rows I've added to ldap.attrmap in my previous mail. Is there
> anything wrong??

Normally an ldap attribute will be translated as a radius check or
reply item, not both (which is what you did).

-- 
Fajar


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Jakub Pech

Hi,

> Normally an ldap attribute will be translated as a radius check or
> reply item, not both (which is what you did).

First I had only "radius check". I added "radius reply" later while testing.
I'm almost sure that that is not the cause of my problem.

Please can anybody send me the steps to get some attribute from LDAP 
server? Maybe I've only missed some configuration step or something like 
that.
1. Do I have to run the LDAP service on the same server as I'm running 
freeradius?

2. Do I have to add my LDAP schema to some freeradius configuration file?

I did:
1/set up the connection with remote LDAP server
2/set radius check item in ldap.attrmap.


Thanks for the help, I'm googling it 4th day in a row.


Jakub



On 24.11.11 13:37, Fajar A. Nugraha wrote:

> On Thu, Nov 24, 2011 at 7:30 PM, Jakub Pech  wrote:
>> Hi,
>>
>>> See the ldap.attrmap file. This is documented.
>> I sent the rows I've added to ldap.attrmap in my previous mail. Is there
>> anything wrong??
>
> Normally an ldap attribute will be translated as a radius check or
> reply item, not both (which is what you did).


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Jakub Pech
In documentation of freeradius 1.x I found that I have to import 
RADIUS-LDAPv3.schema to OpenLDAP. If I understand right radius server 
need to know the LDAP structure to be able to get values from defined 
attributes.


But in freeradius 2.x there is no RADIUS-LDAPv3.schema and I did not 
find any other schema file where I should add my LDAP attributes.



Do I have to import my OpenLDAP schema to freeradius to be able to get 
Vendor Specific Attributes from it?



Jakub


On 24.11.11 13:08, Alan DeKok wrote:

>    Well... where did you define it?


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Alan DeKok
Jakub Pech wrote:
> But in freeradius 2.x there is no RADIUS-LDAPv3.schema and I did not
> find any other schema file where I should add my LDAP attributes.

  See doc/examples/

> Do I have to import my OpenLDAP schema to freeradius to be able to get
> Vendor Specific Attributes from it?

  You'll need to edit the schema for VSAs.

  Alan DeKok.


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Jakub Pech

Alan DeKok wrote:

>    See doc/examples/

I've edited openldap.schema and add new attributetype + add new 
attribute to radiusprofile class. This schema I applied also to my 
OpenLDAP server. Does freeradius get the LDAP schema from 
docs/examples/openldap.schema file? The path docs/examples is confusing me.

>   You'll need to edit the schema for VSAs.

The schema has been edited but there is no change in behaviour. Do I 
have to import edited schema to freeradius somehow?




Thanks Jakub Pech


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Alan Buxey
Hi,

> >See doc/examples/
> I've edited openldap.schema and add new attributetype + add new 
> attribute to radiusprofile class. This schema I applied also to my 
> OpenLDAP server. Does freeradius get the LDAP schema from 
> docs/examples/openldap.schema file? The path docs/examples is confusing me.

no. it doesn't.

docs/ is just a documentation folder...and examples are just examples within!

the server reads the configurations from its usual path

if you read the docs, the wiki and the config files, you will see that in 
modules/ldap
the following is listed

dictionary_mapping = ${confdir}/ldap.attrmap

so, just edit ldap.attrmap in the raddb config directory - and use the schema
file to update your LDAP

this document might help you further

http://freeradius.org/radiusd/doc/ldap_howto.txt

alan


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-24 Thread Fajar A. Nugraha
On Thu, Nov 24, 2011 at 9:43 PM, Jakub Pech  wrote:
> Hi,
>
>>Normally an ldap attribute will be translated as a radius check or reply
>> item, not both (which is what you did).

> First I had only "radius check". I added "radius reply" later while testing.
> I'm almost sure that that is not the cause of my problem.

Why are you doing that? Your "working" debug log says

Sending Access-Accept of id 101 to 31.186.188.2 port 60528
Juniper-Local-User-Name := "class2"
Finished request 0.

Something that you send to the NAS is a reply item. Why did you put it
as radius check?  And if you're sure it's not the problem (meaning you
already know what the source of problem is), then why ask here?

-- 
Fajar


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-25 Thread Jakub Pech

On 24.11.11 22:27, Fajar A. Nugraha wrote:

>> Hi,
>>
>>> Normally an ldap attribute will be translated as a radius check or reply
>>> item, not both (which is what you did).
>>
>> First I had only "radius check". I added "radius reply" later while testing.
>> I'm almost sure that that is not the cause of my problem.
>
> Why are you doing that? Your "working" debug log says
>
> Sending Access-Accept of id 101 to 31.186.188.2 port 60528
> Juniper-Local-User-Name := "class2"
> Finished request 0.

This is the log from testing to authenticate user against the users 
file. My problem is that I'm not able to do the same against the LDAP.

> Something that you send to the NAS is a reply item. Why did you put it
> as radius check?  And if you're sure it's not the problem (meaning you
> already know what the source of problem is), then why ask here?

First I understood that the radius check are items that radius checks 
in LDAP. But since I haven't found any documentation to ldap.attrmap file 
(i found only that it may be included in man users, but it isn't in 
freeradius2) I tried both: radiuscheck / radiusreply / radiuscheck and 
radius reply together. Nothing worked for me. That Is the reason why I'm 
almost sure that this isn't the cause of my problem.


Thank you for the information that attribute which I'd like to check in 
LDAP and send it to the NAS is reply item in ldap.attrmap.



Is there anything else then ldap.attrmap that should be set up for 
sending vendor specific attributes from LDAP?



Thank you Jakub Pech


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-25 Thread Fajar A. Nugraha
On Fri, Nov 25, 2011 at 4:15 PM, Jakub Pech  wrote:
> Is there anything else then ldap.attrmap that should be set up for sending
> vendor specific attributes from LDAP?

Let's try something basic. Were you able to see the attribute (and its
value) when you do ldap query for that user (e.g. with ldapsearch)?

-- 
Fajar


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-25 Thread Alan DeKok
Jakub Pech wrote:
> First I understood that the radius check are items that radius checks
> in LDAP. But since I haven't found any documentation to ldap.attrmap file

  Nonsense.  The file contains comments which describe what it does.
The doc/rlm_ldap file contains additional documentation.

> (i found only that it may be included in man users, but it isn't in
> freeradius2) I tried both: radiuscheck / radiusreply / radiuscheck and
> radius reply together. Nothing worked for me. That Is the reason why I'm
> almost sure that this isn't the cause of my problem.

  You're trying random things because you don't understand how it works.

  Even worse, you don't understand how RADIUS and LDAP works.  Asking if
FreeRADIUS reads the LDAP schema is *very* wrong.  FreeRADIUS isn't an
LDAP server.

> Is there anything else then ldap.attrmap that should be set up for
> sending vendor specific attributes from LDAP?

  The schema.  Define an LDAP attribute which contains the information
for the VSA.  Map that attribute to RADIUS in ldap.attrmap.  It should
take all of 15 minutes.

  Alan DeKok.


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-25 Thread Jakub Pech


On 25.11.11 10:34, Alan DeKok wrote:

> Jakub Pech wrote:
>
>>  First I understood that the radius check are items that radius checks
>>  in LDAP. But since I haven't found any documentation to ldap.attrmap file
>
>    Nonsense.  The file contains comments which describe what it does.
> The doc/rlm_ldap file contains additional documentation.

I read the mentioned comments/documents MANY times and I didn't notice 
anything that will describe the difference between check/reply item.

>>  (i found only that it may be included in man users, but it isn't in
>>  freeradius2) I tried both: radiuscheck / radiusreply / radiuscheck and
>>  radius reply together. Nothing worked for me. That Is the reason why I'm
>>  almost sure that this isn't the cause of my problem.
>
>    You're trying random things because you don't understand how it works.

Yes You are right. And because of it I'm reading the documentations, 
wiki, descriptions, I'm googling etc. Just normal things when I'm 
setting up something I haven't set up before. But I didn't find the 
solution on almost week of working so I'm asking.

>    Even worse, you don't understand how RADIUS and LDAP works.  Asking if
> FreeRADIUS reads the LDAP schema is *very* wrong.  FreeRADIUS isn't an
> LDAP server.
>
>>  Is there anything else then ldap.attrmap that should be set up for
>>  sending vendor specific attributes from LDAP?
>
>    The schema.  Define an LDAP attribute which contains the information
> for the VSA.  Map that attribute to RADIUS in ldap.attrmap.  It should
> take all of 15 minutes.

Ok, you didn't catch my question. Is there anything else then 
ldap.attrmap and /modules/ldap that should be set up on freeradius 
server? Of course I have LDAP schema updated on LDAP server.


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-25 Thread Jakub Pech

On 25.11.11 10:23, Fajar A. Nugraha wrote:

>> Is there anything else then ldap.attrmap that should be set up for sending
>> vendor specific attributes from LDAP?
>
> Let's try something basic. Were you able to see the attribute (and its
> value) when you do ldap query for that user (e.g. with ldapsearch)?

Yes I'm.


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-25 Thread Alan DeKok
Jakub Pech wrote:
> I read the mentioned comments/documents MANY times and I didn't notice
> anything that will describe the difference between check/reply item.

  The entire server is build around the concept of check and reply
items.  They work the same everywhere, in every module.

  Perhaps every configuration file should say "this is for FreeRADIUS,
which is a RADIUS server, which does RADIUS authentication" ?

> Yes You are right. And because of it I'm reading the documentations,
> wiki, descriptions, I'm googling etc. Just normal things when I'm
> setting up something I haven't set up before. But I didn't find the
> solution on almost week of working so I'm asking.

  As I said, it should take 15 minutes.  If you spent a week looking at
random files instead of asking questions, all you've done is confuse
yourself.

> Ok, you didn't catch my question. Is there anything else then
> ldap.attrmap and /modules/ldap that should be set up on freeradius
> server? Of course I have LDAP schema updated on LDAP server.

  Read raddb/sites-available/default.  Look for "ldap"

  Alan DeKok.


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-25 Thread Fajar A. Nugraha
On Fri, Nov 25, 2011 at 5:14 PM, Jakub Pech wrote:
> On 25.11.11 10:23, Fajar A. Nugraha wrote:
>>>
>>> Is there anything else than ldap.attrmap that should be set up for sending
>>> vendor specific attributes from LDAP?
>>
>> Let's try something basic. Were you able to see the attribute (and its
>> value) when you do ldap query for that user (e.g. with ldapsearch)?
>
> Yes, I am.

Are you SURE?

If ldapsearch (or whatever ldap client you use) can show
radiusJuniperLocalUserName attribute correctly when you search for
that user, then your /etc/raddb/ldap.attrmap entry should be enough
(if you only have it as replyItem, that is). And to be safe, use tabs
(like the original entries) instead of space.

... and Alan is right (as usual), your debug log hasn't shown any
"ldap" lines in authorize phase. Probably you haven't uncommented it :)

Now if you HAVE ldap activated in authorize section, I'd also take a
look at this line

++[unix] returns updated

That's wrong. You ONLY want to authenticate against LDAP, right?
Comment out "unix" line from authorize section.

-- 
Fajar
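
The two checks discussed in the message above (is `ldap` actually active in the authorize section, and is the attribute mapped as a tab-separated replyItem) can be scripted. This is an added example, not part of the original message or of FreeRADIUS; the function names, the sample file contents and the RADIUS attribute name are assumptions.

```shell
#!/bin/sh
# Added example; every file written below is a constructed sample.
# List modules that are active (not commented out) directly inside a
# section such as "authorize" of a FreeRADIUS virtual-server file.
active_modules() {   # $1 = section name, $2 = file
    awk -v sect="$1" '
        { sub(/#.*/, "") }          # a commented-out "#  ldap" vanishes here
        !insect && $1 == sect && $2 == "{" { insect = 1; depth = 1; next }
        insect {
            if (depth == 1 && NF > 0 && $1 != "}") print $1
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # nested blocks
            if (depth <= 0) insect = 0
        }' "$2"
}

# How is an LDAP attribute mapped as a replyItem in ldap.attrmap?
# Prints "tabs", "spaces" (mapped but not tab-separated) or "missing".
attrmap_status() {   # $1 = LDAP attribute, $2 = ldap.attrmap file
    awk -v want="$1" '
        { sub(/#.*/, "") }
        $1 == "replyItem" && $3 == want {
            print (index($0, " ") ? "spaces" : "tabs"); found = 1; exit
        }
        END { if (!found) print "missing" }' "$2"
}

# Constructed samples: a site file as in the thread (ldap commented out, unix
# active), the same file after the fix, and a tab-separated mapping whose
# RADIUS attribute name (Juniper-Local-User-Name) is an assumption.
make_samples() {     # $1 = directory to write into
    cat > "$1/site.before" <<'EOF'
authorize {
    preprocess
    eap {
        ok = return
    }
    unix
#    ldap
    pap
}
EOF
    sed -e 's/^#\( *ldap\)$/\1/' -e 's/^ *unix$/#&/' "$1/site.before" > "$1/site.after"
    printf 'replyItem\tJuniper-Local-User-Name\tradiusJuniperLocalUserName\n' > "$1/ldap.attrmap"
}

d=$(mktemp -d) && make_samples "$d"
echo "before:  $(active_modules authorize "$d/site.before" | tr '\n' ' ')"
echo "after:   $(active_modules authorize "$d/site.after" | tr '\n' ' ')"
echo "attrmap: $(attrmap_status radiusJuniperLocalUserName "$d/ldap.attrmap")"
rm -rf "$d"
```

On a real server, point `active_modules` at raddb/sites-available/default and `attrmap_status` at the ldap.attrmap file before starting the server in debug mode.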



Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-25 Thread Jakub Pech

On 25.11.11 12:27, Alan DeKok wrote:

>   Read raddb/sites-available/default.  Look for "ldap"

:-) Thank you very very much Alan. This one # I've been searching for since
Monday.

If you will be in Prague in the Czech Republic, send me an email. I owe you
some beers.

Have a nice weekend

Jakub


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-25 Thread Alan Buxey
Hi,

> If you will be in Prague in the Czech Republic, send me an email. I owe you
> some beers.

...just wondering why these free beer offers seem to always be a few months
after people actually WERE in town  ;-)

alan


Re: freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

2011-11-25 Thread Jakub Pech

On 25.11.11 13:14, Fajar A. Nugraha wrote:

> ... and Alan is right (as usual), your debug log hasn't shown any
> "ldap" lines in authorize phase. Probably you haven't uncommented it :)
>
> Now if you HAVE ldap activated in authorize section, I'd also take a
> look at this line
>
> ++[unix] returns updated
>
> That's wrong. You ONLY want to authenticate against LDAP, right?
> Comment out "unix" line from authorize section.

I have already fixed it. After I read the authorize section in
/sites-available/default I noticed that I was authorizing against Linux
users (that are authorized against the same LDAP).


Thank you Fajar

Jakub