On 07/02/2013 02:30 AM, Matt Zagrabelny wrote:
If a user is not in the secret group, then their login should fail if
the Vendor-3076-Attr-146 = 0x554d44 pair is in the request.
This is pretty easy:
authorize {
    ...
    if (Vendor-3076-Attr-146 == 0x554d44) {
        if (SQL-Group == secret) {
            ok
        }
        else {
            # the secret-profile attribute is present but the user is not in the group
            reject
        }
    }
}
On 2 Jul 2013, at 07:41, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
Hi
I'll see if I can send through some dictionary file entries later today
Alan
This smartphone uses eduroam which gives me free WiFi around the world. Now
that's what I call smart!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:
This may work for 2.x.x but definitely won't work for 3.0 which uses
direct DICT_ATTR pointer comparisons in some places (instead of
comparing vendor/attribute number).
So... what *can* you do with Vendor-X-Attr-Y?
On 2 Jul 2013, at 08:53, Phil Mayers p.may...@imperial.ac.uk wrote:
So... what *can* you do with Vendor-X-Attr-Y?
Use it to figure out which dictionary entries you're missing.
I was hoping for something more specific than that ;o)
So you can't compare them; can you set them:
update reply {
    Vendor-X-Attr-Y = 0xff
}
Hi,
We have a generic VPN profile that we'd like to allow *all* users to
login to - this works well.
When users login to the secret profile, then the following VPN
attribute is included in the request:
Vendor-3076-Attr-146 = 0x554d44
use/load the dictionary.cisco.vpn3000 dictionary file
It appears Alan has already done what I just suggested below.
update reply {
    Vendor-1-Attr-2 := 0x01
}
if (reply:Vendor-1-Attr-2) {
    ok
}
(0) update
Greetings!
Our Cisco VPN concentrator is sending some RADIUS attributes in the
request packet and if certain values appear, then I'd like to only
allow a subset of users to login.
I've looked at:
http://wiki.freeradius.org/SQL-Huntgroup-HOWTO/dbeef165862fe9ba7ef6f7d011889d1f7212cf9b
the SQL
and the ssh command running ok. Freeradius fires the
script off ok after an accounting session and the bits get written to
the testssh.out file, including the PID of the ssh process but the
command itself doesn't work.
Am I missing something obvious (again)?
Comments welcome on how clever/ridiculous
PATH
Use the complete filename for all executables in the shell script.
Alan DeKok.
Franks Andy (RLZ) IT Systems Engineer wrote:
The problem is it doesn’t work. I can run the script from a shell prompt
and the backup functions fine, the variables outputting to the
testssh.out file and the ssh command running ok. Freeradius fires the
script off ok after an accounting
Hello Joël,
I've adjusted some paths and other little things.
Freeradius is up
smsotpd is up
I've populated the berkeley db with my identifier
don't use the smsotpd, use the rlm_perl which is a completely different
setup. The minimal config you find in the README in the
Hi!
I want to build EAP/TLS so I need to produce a client certificate. In
the certs catalog there are ca.pem and server.pem, but not
client.pem, so I should use the command make client.pem.
In the README file there are some words: Be sure that the commonName
field here is the User-Name that will be used
Christ Schlacta wrote:
I'm not really sure how to accomplish authorizing a certificate that's
already passed tls authentication, but if it's possible, I know you
folks will be able to point me to a guide or provide some input as to
how to accomplish this.
Read raddb/sites-available/default
I've currently got a single host configured to have a certificate, the
certificate is issued on a per-host basis. I want to somehow link a
specific machine to a specific ssl certificate. it's my understanding
that openldap or mysql can do this. I'd prefer not to use mysql as the
mysql
Alan DeKok wrote:
Johan Meiring wrote:
To sum up my understanding of how freeradius works.
authorise = select auth type
OK... a database would be better, but fine.
I assume sql module in authorise.
I basically want freeradius to do the PAP/CHAP stuff and AFTER that I
want to do
Johan Meiring wrote:
To sum up my understanding of how freeradius works.
authorise = select auth type
authenticate = run the appropriate auth method
And post-auth: do any post-authentication processing.
Currently I do the following
authorise = set Auth-Type to perl
authenticate = run
Hi,
Let me start off by saying that I have a perfectly working freeradius setup
authenticating a bunch of hotspots (coova-chilli). Thanks freeradius!!!
All is done using custom code in rlm_perl during authentication.
I check the password
I check the users cap
I check a bunch of other stuff
I
Version 2.0.4
We use digest authentication. It works properly.
(with a little problem I will ask in another thread)
The essential part of the debug:
Thu May 21 09:41:17 2009 : Debug: ++[digest] returns ok
Thu May 21 09:41:17 2009 : Auth: Login OK: [...@10.14.2.10/via Auth-Type =
DIGEST]
authenticate
rlm_digest: Converting Digest-Attributes to something sane...
Digest-Realm = tequet
Digest-Nonce = 4a1527742cb58a911390a13daeab535c71b92a74
Digest-URI = sip:
Digest-Method = INVITE
Digest-CNonce = 1242900340
Digest-Nonce-Count = 0001
Hi,
How to insert Session-Timeout into the reply message?
Use whatever method you want to insert it: Perl, unlang, etc.
a simple 'fix' that would be global in this example:
for 2.1.x in section of sites-enabled/default
post-auth {
    Post-Auth-Type REJECT {
        ...
    }
}
On 17/11/2008, NiTr0 [EMAIL PROTECTED] writes:
I use FreeRADIUS v2.0.1 on server side and FreeRADIUS client library
v1.1.6 with pptpd/pppd on client side. Is there something like
Mpd-drop-user attribute for MPD5? Or I must hangup sessions only by
unusual way with 3rd-party client
I use FreeRADIUS v2.0.1 on server side and FreeRADIUS client library
v1.1.6 with pptpd/pppd on client side. Is there something like
Mpd-drop-user attribute for MPD5? Or I must hangup sessions only by
unusual way with 3rd-party client-server apps (for ex., telnet, snmp,
etc)?
Hello,
I try to use EAP-TLS authentication.
Here is a part to the debugging messages :
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
TLS_accept: SSLv3 read client hello A
TLS_accept:
OLIVER Patrice wrote:
I try to use EAP-TLS authentication.
With which version of FreeRADIUS?
Here is a part to the debugging messages :
...
rlm_eap: SSL error error::lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode
What's about this error ?
It looks like
I am running Redhat version 3.0 with Freeradius 1.0.1 bundled.
I would like to upgrade to Freeradius 1.1.4.
Is there documentation available (installation requirements) that I
could review that would specify
if Freeradius 1.1.4 will run under Redhat version 3.0, etc? Basically,
release notes for
Here are parts of my config as well as parts from debug, and I must be doing
something wrong or missed something.
I am trying to set the NAS-Identifier, since it is not sent in the
access-request packet, and use this later in the post-auth section.
As you can see, later in the post-auth section
Duane Cox wrote:
users file (lines 18-21)
DEFAULT NAS-IP-Address == 192.168.0.251, NAS-Identifier := LAB_CCU
Fall-Through = Yes
DEFAULT User-Name =~ ^6[0-9a-f]:[0-9a-f]\{2}:[0-9a-f]\{2}$, Post-Auth-Type := waverider
Attribute := Value
Always matches as a check
I really don't know why everybody is telling that such config would be
impossible.
It's impossible to enforce traffic limiting *during* a user's
session. So if a user is a tiny bit below their limit and logs in
again, they can go over their limit. The server will only catch
enforce their limit on the next login.
It is possible, but that depends on your NAS
Jonathan De Graeve [EMAIL PROTECTED] wrote:
...
That's the reason (IMHO) most people want the possibility to set the
reply attribute.
So submit a patch, or find a patch that exists, and say publicly
that it works for you.
Alan DeKok.
Damjan wrote:
I limit users by bytes transferred, so I need to sum AcctInputOctets
and AcctOutputOctets, compare that sum to a check attribute (let's
call it Max-All-Transfer) and return a corresponding
ChilliSpot-Max-Total-Octets.
I believe this is not configurable in rlm_sqlcounter?
attribute? Couldn't this be used for Damjan's purpose then?
Regards,
Edvin
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas
Baradakis
Sent: Tuesday, 20 December 2005 11:48
To: FreeRadius users mailing list
Subject: Re: rlm_sqlcounter and something else
Seferovic Edvin wrote:
I think he wants Session-Octets-Limit to be sent back for limiting traffic
passed thru for each user. I've changed the plain counter module so it sends
back my attribute ;), and I think this could be done for sqlcounter as well.
Are you using version 1.0.5 or a CVS
something
like telnet scripts, snmp, radius packet of disconnect and so on so forth.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, 20 December 2005 17:30
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: rlm_sqlcounter and something else than Session-Timeout
Seferovic Edvin [EMAIL PROTECTED] wrote:
I do NOT want to limit or change the limit during a session. I just want to
limit it for a session
As I was trying to say that in general, you CANNOT do this. You can
check if they're over the limit at the START of a session. The NAS
will *not* check
Seferovic Edvin wrote:
If you know what you want, write a patch, and we'll review it.
Alan DeKok.
Alan, I think you are a far better programmer than I am. It shouldn't be
a big trouble to allow another config parameter for sqlcounter. This one
could be named Reply-Attribute and people
So if they're under the limit at the start of the session, they can
go over during the session, and no one will notice. This has NOTHING
to do with changing the limits during a session.
The problem I think most people (and also me) now have appears when you
have max-octet limits. If a
Of Alan
DeKok
Sent: Tuesday, 20 December 2005 19:53
To: freeradius-users@lists.freeradius.org
Subject: Re: rlm_sqlcounter and something else than Session-Timeout
Seferovic Edvin [EMAIL PROTECTED] wrote:
Alan should I write a patch for 1.0.5 or should I wait for 1.1.0, or just
take the daily from CVS?
Make the patch against 1.1.0-pre0, which should be good enough.
Alan DeKok.
Currently rlm_sqlcounter sums all the session time used by a user, via a
MySQL query (summing all the AcctSessionTime) and returns a corresponding
Session-Timeout reply to the nas.
Now, in my application, I limit users by bytes transferred, so I need to
sum AcctInputOctets and AcctOutputOctets,
that's it for now, exiting
-- The PPP daemon has died. (exit code = 19)
There's an awful lot of output from radius -X running while I attempt
to auth, but here's something that sticks out:
rlm_sql (sql): Released sql socket id: 5
modcall[post-auth]: module sql returns ok for request 1
modcall
Justin M. Parker wrote:
Greetings.
I've got freeradius (radiusd: FreeRADIUS Version 1.0.2, for host ,
Belay last, grabbed the new source, recompiled, and reconfigured.
Everything's peachy now. Thanks anyway!
Long live FreeRadius.
-justin
Well,
Guys I am back to the list for answers. I am simply trying to prevent
more than one instance of one user logged in at once. I know, before you
yell at me I have read the FAQ and setup just the way it says in
sql.conf. Perhaps I am missing something. I just uncommented
Hi,
Perhaps I am missing something obvious (ok, maybe not
perhaps, maybe it is obvious) but I am trying to use
freeradius with openssl as CA and set up EAP/TLS.
Everything works if I issue a cert for each user account on
the wireless boxes, but here is what I really want to
happen -
Regardless
On Thu, 15 Apr 2004, Kostas Zorbadelos wrote:
Please let me know something about the following situation. Should I
send it to the developers list?
I keep sending this and updates on it for over a week and receive no
answer.
Can I do something else?
I want to add that the bug is irrelevant
Kostas Zorbadelos [EMAIL PROTECTED] wrote:
I am talking about freeradius 0.9.3 and I use it on a production
environment.
Please try the latest CVS snapshot. It has a number of fixes to the
Oracle module.
Alan DeKok.
Yes, it's me again. :p
I have found out that when using freeradius as a radius proxy, the requests
get transformed while going through Freeradius. The most notable change is
that cisco_vsa_hack applies to proxied requests. As some radius software does
not understand hacked requests, the proxy
Costin Manda [EMAIL PROTECTED] wrote:
I have found out that when using freeradius as a radius proxy, the requests
get transformed while going through Freeradius. The most notable change is
that cisco_vsa_hack applies to proxied requests.
No... it gets applied to *all* requests, because
- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 5:33 PM
Subject: Re: Proxy bug or did I do something wrong?
Why are you logging requests locally *and* proxying them? Or are
you trying to proxy some, and log others?
I