Re: Referencing LDAP attributes in post-auth

2011-12-19 Thread Adam Track
> why call LDAP in the outerid for EAP- surely call it in the inner-tunnel > instead > (and put some protection around it so that its only called when needed - right > now, if you look, you'll see your LDAP whacked all over the place during > requests > coming through - at least 3x more queries

Re: Referencing LDAP attributes in post-auth

2011-12-19 Thread Alan Buxey
Hi, >copy_request_to_tunnel = yes > >As mentioned earlier, I am assigning a standard RADIUS attribute, but the >value I'm passing to it is not there when I call it, which is in the >post_auth of the outer virtual server.. I figured it made sense to put it >there, since I call

Re: Referencing LDAP attributes in post-auth

2011-12-19 Thread Adam Track
> >    Thanks, I'll give it a try and post the debug.  Am I wrong to be > >surprised > >    that there is no answer for the first question, though?  There has to be > >a > >    great many users out there using EAP and assigning dynamic VLAN based on > >

Re: Referencing LDAP attributes in post-auth

2011-12-19 Thread Alan Buxey
Hi, >Thanks, I'll give it a try and post the debug.  Am I wrong to be surprised >that there is no answer for the first question, though?  There has to be a >great many users out there using EAP and assigning dynamic VLAN based on > LDAP attributes or, not? I

Re: Referencing LDAP attributes in post-auth

2011-12-19 Thread Adam Track
(s) can I use to run a simple EAP test that would still use AD >  >    for authentication and LDAP for authorization? >  >  eapol_test  ? Thanks, I'll give it a try and post the debug.  Am I wrong to be surprised that there is no answer for the first question, though?  There has to be a great

Re: Referencing LDAP attributes in post-auth

2011-12-19 Thread Alan Buxey
Hi, >>> I still cannot figure out how to pass this value from authorize to >>> post-auth. >> >>  It works for PAP.  The only reason it doesn't work is you're running >> EAP, and that's more complicated. > >Is there something extra that needs to be done in order for the valu

Re: Referencing LDAP attributes in post-auth

2011-12-19 Thread Adam Track
>> I still cannot figure out how to pass this value from authorize to >> post-auth. > >  It works for PAP.  The only reason it doesn't work is you're running > EAP, and that's more complicated. Is there something extra that needs to be done in order for the value to be preserved when running EAP?

Re: Referencing LDAP attributes in post-auth

2011-12-10 Thread Alan DeKok
Adam Track wrote: > I recently saw another question along the same lines as this, so decided > to give this another go... > Am now running 2.1.10, and yes, Person-Type is defined in dictionary and > ldap.attrmap. I've also defined in dictionary the following in hopes of > passing on the value of P

Re: LDAP Attributes

2011-11-22 Thread Alan DeKok
Houston-III, Lester L wrote: > Is there a way to truncate the UID used by the LDAP module? My system > is using an UID structured like an email I would like to use everything > in front of the ‘@’ as the UID. Is this possible? Yes. See "realms" Alan DeKok. - List info/subscribe/unsubscribe

LDAP Attributes

2011-11-21 Thread Houston-III, Lester L
Is there a way to truncate the UID used by the LDAP module? My system is using an UID structured like an email I would like to use everything in front of the '@' as the UID. Is this possible? Lester Houston 111 Boeing Research & Technology Electronics Prototyping and Integration Center (EPIC)

Re: Referencing LDAP attributes in post-auth

2011-11-06 Thread schilling
This might help. Then I want to map certain attribute like employeeStatus from our iPlanet ldap server to some radius attribute, so I can manipulate it in the post-auth section. I put the following line in etc/raddb/dictionary ATTRIBUTE My-Local-employeeStatus 3000 string and the followi

Re: Referencing LDAP attributes in post-auth

2011-11-01 Thread Phil Mayers
On 11/01/2011 07:41 PM, Adam Track wrote: > I’m just guessing, and could be WAY off, but may be an inner-tunnel vs. outer-tunnel thing. In eap.conf, I've got copy_request_to_tunnel = yes and use_tunneled_reply = yes. Neither the ldap nor perl modules are called in the inner-tunnel. Full debug

Re: Referencing LDAP attributes in post-auth

2011-11-01 Thread Adam Track
> I’m just guessing, and could be WAY off, but may be an inner-tunnel vs. outer-tunnel thing. In eap.conf, I've got copy_request_to_tunnel = yes and use_tunneled_reply = yes.  Neither the ldap nor perl modules are called in the inner-tunnel.

RE: Referencing LDAP attributes in post-auth

2011-11-01 Thread Gary Gatten
Behalf Of Adam Track Sent: Tuesday, November 01, 2011 1:36 PM To: ' freeradius-users@lists.freeradius.org' Subject: Referencing LDAP attributes in post-auth Hello, I'm sorry for asking such a simple(?) thing, but my lack of understanding is not due to a lack of reading, searching,

Referencing LDAP attributes in post-auth

2011-11-01 Thread Adam Track
Hello, I'm sorry for asking such a simple(?) thing, but my lack of understanding is not due to a lack of reading, searching, trial-and-error... I just can't seem to figure out how to reference an ldap attribute in post-auth.  Using freeradius 2.1.8, PEAPv0/EAP-MSCHAPv2 with AD for authenticatio

Re: Multivalued (LDAP) Attributes and string matching, or regexes

2011-06-21 Thread Jason Antman
Alexander Clouter wrote: I thought I remembered this popping up recently, I would have mentioned it earlier but my Google-Fu at the time was weak and I thought I was imagining things. If you checkout v2.1.x[1] and then type: $ git checkout -b foreach $ git cherry-pick a3221304 $ git cher

Re: Multivalued (LDAP) Attributes and string matching, or regexes

2011-06-21 Thread Alexander Clouter
Jason Antman wrote: > > I don't really know anything about it, and haven't seen mention of it > outside of the modules list, but perhaps I could use rlm_perl or > rlm_python? Does anyone know about the efficiency of these? I know I'm > approaching this from the standpoint of a traditional prog

Re: Multivalued (LDAP) Attributes and string matching, or regexes

2011-06-21 Thread Jason Antman
Alexander Clouter wrote: Peter Lambrechtsen wrote: I find the easiest way to do it is to use a custom "users" file to allow / prevent access based on exact matches of LDAP attributes. then you can say if STAFF = Accept, if STAFF OFFSITE Accept, otherwise reject. This is how we

Re: Multivalued (LDAP) Attributes and string matching, or regexes

2011-06-16 Thread Alexander Clouter
Peter Lambrechtsen wrote: > > I find the easiest way to do it is to use a custom "users" file to allow / > prevent access based on exact matches of LDAP attributes. > > then you can say if STAFF = Accept, if STAFF OFFSITE Accept, otherwise > reject. > > Th

Re: Multivalued (LDAP) Attributes and string matching, or regexes

2011-06-15 Thread Peter Lambrechtsen
I find the easiest way to do it is to use a custom "users" file to allow / prevent access based on exact matches of LDAP attributes. then you can say if STAFF = Accept, if STAFF OFFSITE Accept, otherwise reject. This is how we do it here: http://lists.freeradius.org/pipermail/freera

Multivalued (LDAP) Attributes and string matching, or regexes

2011-06-15 Thread Jason Antman
Greetings, I have to control authorization based on a (possibly) multi-valued LDAP reply attribute called employeeType. I have all of the LDAP code working fine, but seem to have hit a snag. Each user has 1 to ??? (usually a max of 5 or so) employeeType values. The pertinent ones include "STAF

Re: RADIUS reading LDAP attributes

2010-09-03 Thread Sigurd Foshaug
Thanks Alan, I added a reply message item inside the authentication section which expands the My-Local-LDAP-Comment attribute. It now works as expected. Thanks, Sigurd On Thu, Aug 26, 2010 at 11:53 AM, Alan DeKok wrote: > Sigurd Foshaug wrote: > > I have added the My-Local-LDAP-Comment into th

Re: RADIUS reading LDAP attributes

2010-08-26 Thread Alan DeKok
Sigurd Foshaug wrote: > I have added the My-Local-LDAP-Comment into the raddb/dictionary file > like this: > > ATTRIBUTE My-Local-LDAP-Comment 3000 string ... > Now, what I am failing to understand is how I can get the proxy server > to receive the My-Local-LDAP-Comment attribute from R

RADIUS reading LDAP attributes

2010-08-26 Thread Sigurd Foshaug
Hi all, I have a freeradius 2.1.3 running and I can successfully authenticate users. I would like to use a user's LDAP attribute so I can provide them with different permissions on the proxy server. I have currently mapped a RADIUS attribute to the LDAP attribute and it successfully reads the attr

Re: Freeradius + Ldap + attributes

2008-09-01 Thread Ivan Kalik
>any chance you can provide the actual syntax of what's required? Syntax is the same as for other entries: replyItem radiusAttribute ldapAttribute so something like: replyItem Service-Type radiusServiceType replyItem Juniper-Local-User-Name juniperLocalName >replyItem

Re: Freeradius + Ldap + attributes

2008-08-31 Thread Ivan .
Hi any chance you can provide the actual syntax of what's required? replyItem Service-Type Administrative-User replyItem Juniper-Local-User-Name DEV Sorry, a bit of a novice freeradius user thanks Ivan 2008/8/29 Ivan Kalik <[EMAIL PROTECTED]>: > Yes. Add

Re: Freeradius + Ldap + attributes

2008-08-29 Thread Ivan Kalik
Yes. Add the reply attributes to ldap.attrmap. Ivan Kalik Kalik Informatika ISP On 28/8/2008, "Ivan ." <[EMAIL PROTECTED]> wrote: >Hi > >I have Freeradius configured with a backend of OpenLdap for user management. > >I would like to be able to pass attributes for Nortel and Juniper >gear, whic

Freeradius + Ldap + attributes

2008-08-28 Thread Ivan .
Hi I have Freeradius configured with a backend of OpenLdap for user management. I would like to be able to pass attributes for Nortel and Juniper gear, which when statically defining users in user file is done via: user Auth-type:=Local, User-Password := "test" Juniper-Local-User-Name =

EXEC question w/ LDAP Attributes

2007-07-27 Thread Reynold McGuire
Hello all, I have a question regarding returning attributes from LDAP with freeRadius. I need to do some logic comparing and the only way I have been able to get close is to use the post-auth section, enable 'exec' and push out some data to an external program where I can do some pattern matching.

Re: Ldap attributes

2006-11-28 Thread Kostas Kalevras
Jóhann B. Guðmundsson wrote: I was wondering what is the proper way to enable ldap attributes in radius.conf for example Ldap-Group groupmembership_attribute = radiusGroupName will then other ldap attributes be matched in the same way? Ldap-Callingstationid callingstationid_attribute

Ldap attributes

2006-11-28 Thread Jóhann B. Guðmundsson
I was wondering what is the proper way to enable ldap attributes in radius.conf for example Ldap-Group groupmembership_attribute = radiusGroupName will then other ldap attributes be matched in the same way? Ldap-Callingstationid callingstationid_attribute = radiusCallingStationId Ldap-Realm

Re: ldap attributes and spaces

2006-11-16 Thread Alan DeKok
Stefan Winter <[EMAIL PROTECTED]> wrote: > I'm trying to retrieve some replyItems from an AD backend. It works fine as > expected with most attributes, but there are some string attributes which > contain spaces Either put quotes around the string, or hack rlm_ldap to pull the *entire* string fr

ldap attributes and spaces

2006-11-16 Thread Stefan Winter
Hi, I'm trying to retrieve some replyItems from an AD backend. It works fine as expected with most attributes, but there are some string attributes which contain spaces like displayName = aaa Restena, Fondation with ldap.attrmap RESTENA-Full-Name displayName (RESTENA-Full-Name

Re: LDAP attributes into freeradius

2005-08-17 Thread Alan DeKok
Joe H <[EMAIL PROTECTED]> wrote: > Where else do I need to add the new attribute No-Pool in order for > freeradius to use it? raddb/dictionary See also "man dictionary" Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

LDAP attributes into freeradius

2005-08-17 Thread Joe H
Here is my goal: I would like to assign an attribute to certain users in ldap and have freeradius look for that attribute to determine whether or not to reply back to the NAS device with an IP address pool name. The users with the attribute set would not have the Pool sent and the users witho

Re: LDAP attributes problem

2005-04-12 Thread Alan DeKok
clerc sylvain <[EMAIL PROTECTED]> wrote: > In reality, I must link my freeradius server with an Active Directory > and not a real ldap database and someone tells me that active > directory understand only PEAP ( I believe it was in this mailing list > but I don't remember exactly). No. Active d

Re: LDAP attributes problem

2005-04-12 Thread clerc sylvain
> > My server is running in PEAP mschapv2 and I've a problem when I want > > to authenticate a user with a ldap database > > No, you don't. LDAP is NOT an authentication server. I'm sorry the ldap database is linked to my freeradius (which is an authentication server, isn't it?) > > > apparen

Re: LDAP attributes problem

2005-04-12 Thread Alan DeKok
clerc sylvain <[EMAIL PROTECTED]> wrote: > My server is running in PEAP mschapv2 and I've a problem when I want > to authenticate a user with a ldap database No, you don't. LDAP is NOT an authentication server. > apparently, the ldap can't find the User-Name attribute Could it > be because

LDAP attributes problem

2005-04-12 Thread clerc sylvain
Hello all, My server is running in PEAP mschapv2 and I've a problem when I want to authenticate a user with a ldap database (all is ok without the ldap). My version of freeradius is 1.0.2 apparently, the ldap can't find the User-Name attribute Could it be because of mschapv2 I try to cha

Re: LDAP attributes

2005-03-14 Thread Alan DeKok
Michael Mitchell <[EMAIL PROTECTED]> wrote: > Running the server in DEBUG mode is one of the fastest ways of > discovering what processing the server performs on the requests it > receives... It's also what the developers do. To put it another way: The people who understand FreeRADIUS best A

Re: LDAP attributes

2005-03-14 Thread Dustin Doris
On Mon, 14 Mar 2005, Benoît Bianchi wrote: > I’m desperately trying to get LDAP attributes sent back to NAS without any > success... > I've added RADIUS-LDAPv3.schema to my LDAP schema, and set radiusClass > attribute for my test user. > I can do successful authenti

Re: LDAP attributes

2005-03-14 Thread Michael Mitchell
Benoît Bianchi wrote: As you suggest I have already searched on the Web for an answer to my trouble, anyway there wasn't... I never told you to go away and search for the answer yourself... I told you that if you run the server in DEBUG mode you'll see what it is doing, and hopefully where the resu

RE: LDAP attributes

2005-03-14 Thread Benoît Bianchi
ginal Message- > From: [EMAIL PROTECTED] [mailto:freeradius- > [EMAIL PROTECTED] On Behalf Of Michael Mitchell > Sent: Monday, March 14, 2005 10:50 AM > To: freeradius-users@lists.freeradius.org > Subject: Re: LDAP attributes > > > > > Please help ... > > >

Re: LDAP attributes

2005-03-14 Thread Michael Mitchell
Please help ... As per the FAQ, README, various other documents, and many responses to questions on this list, please run the server in debug mode (radiusd -X) to see what it is doing, and why it is not doing what you expect. If you still can't work it out, post the output back to the list and s

Re: LDAP attributes

2005-03-14 Thread guest01
Hi Did you uncomment ldap in the authorize and authenticate section? Do you really have an access_attr "dialupAccess" which is TRUE or FALSE? hth peda

LDAP attributes

2005-03-14 Thread Benoît Bianchi
I’m desperately trying to get LDAP attributes sent back to NAS without any success... I've added RADIUS-LDAPv3.schema to my LDAP schema, and set radiusClass attribute for my test user. I can do successful authentication but the value of this attribute is never sent back by freeradius to th

Re: Using multi-valued string LDAP attributes for user lockout in freeradius-1.x

2004-07-26 Thread Dustin Doris
On Fri, 23 Jul 2004, Daniel Epstein wrote: > Greetings all, > > We run a freeradius-0.9.3 installation handling authentications for a > number of different NASs on our campus. The RADIUS servers are using > an openldap directory as the primary user credentials store. For a > number of reasons, w

Using multi-valued string LDAP attributes for user lockout in freeradius-1.x

2004-07-23 Thread Daniel Epstein
Greetings all, We run a freeradius-0.9.3 installation handling authentications for a number of different NASs on our campus. The RADIUS servers are using an openldap directory as the primary user credentials store. For a number of reasons, we designed our LDAP schema such that authorization for

Re: Reject connect based on Ldap Attributes

2004-06-23 Thread Matthew Schumacher
Lew A wrote: I'm trying to set it up so, when a connection comes in from a certain NAS-IP-Address, and the user trying to connect has a specific Ldap Attribute set they won't be able to connect. I haven't been able to successfully figure out how to do this. I'm using FreeRadius 0.98. It matches def

Reject connect based on Ldap Attributes

2004-06-23 Thread Lew A
I'm trying to set it up so, when a connection comes in from a certain NAS-IP-Address, and the user trying to connect has a specific Ldap Attribute set they won't be able to connect. I haven't been able to successfully figure out how to do this. I'm using FreeRadius 0.98. It matches default 93, then

Re: testing values for LDAP attributes

2004-04-22 Thread Kostas Kalevras
On Wed, 21 Apr 2004, Hans Fiedler wrote: > I need to allow users from a wireless access point by MAC address (it comes > as a userid) and then if the MAC address is not defined in the users file to > check their userid/password against a LDAP database. I now had an > additional requirement put on

Re: testing values for LDAP attributes

2004-04-21 Thread Hans Fiedler
On Wed, Apr 21, 2004 at 10:13:23PM -0400, Alan DeKok wrote: > Hans Fiedler <[EMAIL PROTECTED]> wrote: > > I can't get the attribute value checking to work. I've tried mapping the > > attribute in the ldap.attrmap file, > > > > checkItem WirelessStatus WirelessStatus > > >

Re: testing values for LDAP attributes

2004-04-21 Thread Alan DeKok
Hans Fiedler <[EMAIL PROTECTED]> wrote: > I can't get the attribute value checking to work. I've tried mapping the > attribute in the ldap.attrmap file, > > checkItem WirelessStatus WirelessStatus > > and checking the value in the users file. I'm not getting that to work.

testing values for LDAP attributes

2004-04-21 Thread Hans Fiedler
I need to allow users from a wireless access point by MAC address (it comes as a userid) and then if the MAC address is not defined in the users file to check their userid/password against a LDAP database. I now had an additional requirement put on that I need to check the values of an attribute i

Re[6]: if, then, else with ldap attributes

2004-04-09 Thread Alexander Lunyov
Hello Michael, Saturday, April 10, 2004, 1:07:14 AM, you wrote: MG> On Fri, 2004-04-09 at 15:05, Alexander Lunyov wrote: >> "192684935" is a sql query result. But before minus there >>must be Rad-Traffic-Limit, am i right? Where is it go to? MG> I think I see the problem... Try changing

Re: Re[4]: if, then, else with ldap attributes

2004-04-09 Thread Michael Griego
On Fri, 2004-04-09 at 15:05, Alexander Lunyov wrote: > "192684935" is a sql query result. But before minus there >must be Rad-Traffic-Limit, am i right? Where is it go to? I think I see the problem... Try changing your %{expr: block per the following: Replace %{Rad-Traffic-Limit} with %

Re[4]: if, then, else with ldap attributes

2004-04-09 Thread Alexander Lunyov
Hello Michael, Friday, April 9, 2004, 11:11:43 PM, you wrote: >> rlm_ldap: Adding radiusTrafficLimit as Rad-Traffic-Limit, value 314572800 & op=11 >> >> radius_xlat: '-192684935' >> >> Traffic-Limit := 0 >> Rad-Traffic-Limit = 314572800 >> >> I don't understand it... Rad-Traffi

Re: Re[2]: if, then, else with ldap attributes

2004-04-09 Thread Michael Griego
On Fri, 2004-04-09 at 13:06, Alexander Lunyov wrote: > rlm_ldap: Adding radiusTrafficLimit as Rad-Traffic-Limit, value 314572800 & op=11 > > radius_xlat: '-192684935' > > Traffic-Limit := 0 > Rad-Traffic-Limit = 314572800 > > I don't understand it... Rad-Traffic-Limit have value

Re[2]: if, then, else with ldap attributes

2004-04-09 Thread Alexander Lunyov
Hello Kostas, Friday, April 9, 2004, 2:12:37 PM, you wrote: KK> On Thu, 8 Apr 2004, Alexander Lunyov wrote: >> Hello freeradius-users, >> >> I need to differentiate users with their traffic limits, so i have >> common traffic limit digit in LDAP in >> cn=radprofile,dc=domain,dc=com, and fo

Re: if, then, else with ldap attributes

2004-04-09 Thread Kostas Kalevras
On Thu, 8 Apr 2004, Alexander Lunyov wrote: > Hello freeradius-users, > > I need to differentiate users with their traffic limits, so i have > common traffic limit digit in LDAP in > cn=radprofile,dc=domain,dc=com, and for some users i have set their own > traffic limits in their own entri

if, then, else with ldap attributes

2004-04-08 Thread Alexander Lunyov
Hello freeradius-users, I need to differentiate users with their traffic limits, so i have common traffic limit digit in LDAP in cn=radprofile,dc=domain,dc=com, and for some users i have set their own traffic limits in their own entries (like uid=lan,ou=users,dc=domain,dc=com). So i nee

Re: Returning multivalue LDAP attributes

2004-03-17 Thread Kostas Kalevras
On Wed, 17 Mar 2004, Nicolas JUSTIN wrote: > > > On Tue, 16 Mar 2004, Nicolas JUSTIN wrote: > > > >> Hello, > >> > >> I try to authorize users through LDAP, and authorize them by CHAP. I > >> added LDAP attributes which I want to be returned to th

Re: Returning multivalue LDAP attributes

2004-03-17 Thread Nicolas JUSTIN
> On Tue, 16 Mar 2004, Nicolas JUSTIN wrote: > >> Hello, >> >> I try to authorize users through LDAP, and authorize them by CHAP. I >> added LDAP attributes which I want to be returned to the NAS in >> ldap.atttrmap, it works perfectly for single value attrib

Re: Returning multivalue LDAP attributes

2004-03-16 Thread Kostas Kalevras
On Tue, 16 Mar 2004, Nicolas JUSTIN wrote: > Hello, > > I try to authorize users through LDAP, and authorize them by CHAP. > I added LDAP attributes which I want to be returned to the NAS in > ldap.atttrmap, it works perfectly for single value attribute, but not for > multi-attr

Returning multivalue LDAP attributes

2004-03-16 Thread Nicolas JUSTIN
Hello, I try to authorize users through LDAP, and authorize them by CHAP. I added LDAP attributes which I want to be returned to the NAS in ldap.atttrmap, it works perfectly for single value attribute, but not for multi-attributes values. I read in the archive that I have to add a "+=" o

Re: ldap attributes dependent on complex logic - freeradius suita ble?

2004-03-15 Thread Alan DeKok
P. > it is the second which i am currently doing with radiator but would like to > use freeradius. with radiator, the "environment" consisting of the request, > reply, check and ldap attributes are passed to user defined hooks, which can > then use them to delete, modify

RE: ldap attributes dependent on complex logic - freeradius suita ble?

2004-03-15 Thread Kostas Kalevras
ing a standard single username > and > >> use the supplied User-Name to obtain various records... > > >This is wrong, the ldap module will connect with the supplied > username/password > >for user authentication. Use authorization (ldap attributes extraction) is > &

RE: ldap attributes dependent on complex logic - freeradius suita ble?

2004-03-15 Thread Tariq Rashid
o obtain various records... >This is wrong, the ldap module will connect with the supplied username/password >for user authentication. Use authorization (ldap attributes extraction) is >performed by connecting to the ldap server with the username/password specified >in the module configuratio

Re: ldap attributes dependent on complex logic - freeradius suitable?

2004-03-15 Thread Kostas Kalevras
k at freeradius and the ldap module - i am reaching > the conclusion that the standard modules and freeradius are not suited to > this task. for simple tasks such as always adding ldap attributes to reply > packets then freeradius seems to be fine. there appears to be no easy way to > e

Re: ldap attributes dependent on complex logic - freeradius suitable?

2004-03-15 Thread Alan DeKok
Tariq Rashid <[EMAIL PROTECTED]> wrote: > having had an initial look at freeradius and the ldap module - i am reaching > the conclusion that the standard modules and freeradius are not suited to > this task. for simple tasks such as always adding ldap attributes to reply > packe

RE: ldap attributes dependent on complex logic - freeradius suita ble?

2004-03-15 Thread Tariq Rashid
rateful. tariq -Original Message- From: Tariq Rashid [mailto:[EMAIL PROTECTED] Sent: 15 March 2004 09:42 To: '[EMAIL PROTECTED]' Subject: ldap attributes dependent on complex logic - freeradius suitable? i've previously used radiator as it is simple to modify the check an

ldap attributes dependent on complex logic - freeradius suitable?

2004-03-15 Thread Tariq Rashid
t the standard modules and freeradius are not suited to this task. for simple tasks such as always adding ldap attributes to reply packets then freeradius seems to be fine. there appears to be no easy way to encode any complex decision logic in the configuration files. (for example, is domain is xx

Re: Problem with LDAP attributes checking

2004-03-04 Thread Sergio Sagliocco
Thanks! I'll try it -- Sergio SAGLIOCCO SecureLAB - System & Network Security CSP s.c. a r.l. Kostas Kalevras wrote: On Tue, 2 Mar 2004, Sergio Sagliocco wrote: Hi thanks for the suggestion. If I use the compare_check_items keyword it doesn't work because I think the check operator is

Re: Problem with LDAP attributes checking

2004-03-02 Thread Kostas Kalevras
On Tue, 2 Mar 2004, Sergio Sagliocco wrote: > Hi > thanks for the suggestion. > If I use the compare_check_items keyword it doesn't work because I > think the check operator is forced to "==" . > I've found the module rlm_checkval: I've compiled it and installed it. > Now how I can use it? I've no

Re: Problem with LDAP attributes checking

2004-03-02 Thread Sergio Sagliocco
Hi thanks for the suggestion. If I use the compare_check_items keyword it doesn't work because I think the check operator is forced to "==" . I've found the module rlm_checkval: I've compiled it and installed it. Now how I can use it? I've not found documentation in freeradius distribution. Wher

Re: Problem with LDAP attributes checking

2004-03-02 Thread Kostas Kalevras
On Wed, 25 Feb 2004, Sergio Sagliocco wrote: > Hello to the list > > I configured my Freeradius to authenticate users with LDAP. > When one of the clients send a request it includes this attribute: > > Cisco-AVPair = "h323-ivr-out=terminal-alias:5854;" > > This attribute depends from the user: so

Problem with LDAP attributes checking

2004-02-25 Thread Sergio Sagliocco
Hello to the list I configured my Freeradius to authenticate users with LDAP. When one of the clients send a request it includes this attribute: Cisco-AVPair = "h323-ivr-out=terminal-alias:5854;" This attribute depends from the user: so for user U1 it could be Cisco-AVPair = "h323-ivr-out=termin