Re: something like huntgroups?

2013-07-01 Thread Arran Cudbard-Bell
On 2 Jul 2013, at 07:18, Phil Mayers wrote: > On 07/02/2013 02:30 AM, Matt Zagrabelny wrote: > >> If a user is not in the secret group, then their login should fail if >> the Vendor-3076-Attr-146 = 0x554d44 pair is in the request. > > This is pretty easy: > > authorize { > ... > if (Vendor-

Re: Using freeradius as proxy for EAP-SIM/EAP-AKA

2013-07-01 Thread Iliya Peregoudov
On 01.07.2013 18:34, Alan DeKok wrote: It's not possible for one proxy radius to send request to different EAP SIM/EAP AKA radius server (based on certain criteria) ? When you're proxying an EAP packet, the ONLY criteria you have is the EAP identity. You do NOT have the EAP type available.

Re: something like huntgroups?

2013-07-01 Thread Phil Mayers
On 07/02/2013 02:30 AM, Matt Zagrabelny wrote: If a user is not in the secret group, then their login should fail if the Vendor-3076-Attr-146 = 0x554d44 pair is in the request. This is pretty easy: authorize { ... if (Vendor-3076-Attr-146 == 0x554d44) { if (SQL-Group == secret) {

something like huntgroups?

2013-07-01 Thread Matt Zagrabelny
Greetings! Our Cisco VPN concentrator is sending some RADIUS attributes in the request packet and if certain values appear, then I'd like to only allow a subset of users to login. I've looked at: http://wiki.freeradius.org/SQL-Huntgroup-HOWTO/dbeef165862fe9ba7ef6f7d011889d1f7212cf9b the SQL Hun

Re: multiple entries per radius_check table

2013-07-01 Thread Matt Zagrabelny
On Mon, Jul 1, 2013 at 3:30 PM, Arran Cudbard-Bell wrote: > > On 1 Jul 2013, at 17:59, Matt Zagrabelny wrote: > >> Greetings, >> >> I am using a Pg datastore to hold authentication data and using the Pg >> module for FR to hook into it. >> >> I am using a basic view for the radius_check table: >>

Re: multiple entries per radius_check table

2013-07-01 Thread Arran Cudbard-Bell
On 1 Jul 2013, at 17:59, Matt Zagrabelny wrote: > Greetings, > > I am using a Pg datastore to hold authentication data and using the Pg > module for FR to hook into it. > > I am using a basic view for the radius_check table: > > # SELECT * from radius_check_users where username = 'mzagrabe';

multiple entries per radius_check table

2013-07-01 Thread Matt Zagrabelny
Greetings, I am using a Pg datastore to hold authentication data and using the Pg module for FR to hook into it. I am using a basic view for the radius_check table: # SELECT * from radius_check_users where username = 'mzagrabe'; id | username | attribute| op | value

Re: Using freeradius as proxy for EAP-SIM/EAP-AKA

2013-07-01 Thread Alan DeKok
Ming-Ching Tiew wrote: > If I understand you correctly, it means it is only possible to have ONE > radius server which does EAP SIM/EAP AKA authentication in the entire > chain of connections ? No. It means that you don't KNOW it's EAP-SIM until after you decide to proxy it. > It's not possi

Re: freeradius ldap auth "sort of" working ?

2013-07-01 Thread A . L . M . Buxey
Hi, > and this is the output from radius (ran as radiusd -X) > http://pastebin.com/MT0txW2c please post to the list - avoids more work at this end. the output shows this: Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] logi

Re: freeradius ldap auth "sort of" working ?

2013-07-01 Thread Arran Cudbard-Bell
On 1 Jul 2013, at 12:27, Horatiu Nimigean wrote: > Greetings. > I have a problem with freeradius using ldap to auth, here are my system specs: > > Centos 6 64bit > freeradius installed from repo >> rpm -qa | grep -i freeradius >> freeradius-ldap-2.1.12-4.el6_3.x86_64 >> freeradius-2.1.12-4.el6_

freeradius ldap auth "sort of" working ?

2013-07-01 Thread Horatiu Nimigean
Greetings. I have a problem with freeradius using ldap to auth, here are my system specs: Centos 6 64bit freeradius installed from repo rpm -qa | grep -i freeradius freeradius-ldap-2.1.12-4.el6_3.x86_64 freeradius-2.1.12-4.el6_3.x86_64 freeradius-utils-2.1.12-4.el6_3.x86_64 ldap already up and

Re: eap sim authentication for multiple clients

2013-07-01 Thread Iliya Peregoudov
There is a clear distinction between the two cases. First case: user record is found in users file: rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=215 [skipped] +- entering group authorize {...} [skipped] [files] users: Matched entry 1510019760806...@wlan.mn

Re: Freeradius-Users Digest, Vol 98, Issue 89

2013-07-01 Thread diwakara googly
Jt Adrada Arrea Te tata art Rey sxhxgh gfgg the hggvbodfsx.vn it it bbb ..# te On 27 Jun 2013 15:31, wrote: > Send Freeradius-Users mailing list submissions to > freeradius-users@lists.freeradius.org > > To subscribe or unsubscribe via the World Wide Web, visit >

Re: Using freeradius as proxy for EAP-SIM/EAP-AKA

2013-07-01 Thread Ming-Ching Tiew
If I understand you correctly, it means it is only possible to have ONE radius server which does EAP SIM/EAP AKA authentication in the entire chain of connections ? It's not possible for one proxy radius to send request to different EAP SIM/EAP AKA radius server (based on certain criteria) ?

Re: Using freeradius as proxy for EAP-SIM/EAP-AKA

2013-07-01 Thread Muhammad Nadeem
-->I am wondering if it is possible to proxy EAP-SIM/EAP-AKA authentication using FreeRadius ? yes it is possible, but you have to make sure that all requests of an EAP session are being entertained by the same server (as proxy can have multiple freeradius servers). Read proxy.config, it hav