Thanks.

I have followed your tip, but I get the following error:

rlm_ldap::ldap_groupcmp: Group cisco not found or user is not a member.
[ldap] performing search in o=dohler, with filter (&(cn=cisco)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
[ldap] object not found

I have created the group "cisco" in LDAP and put the user inside it, but
the FreeRADIUS logs show that the group was not found.

Maybe there is a mismatch in the LDAP search from FreeRADIUS that I have
to fix.

Any tip about it?


Thanks

2013/10/3  <freeradius-users-requ...@lists.freeradius.org>:
>
> Today's Topics:
>
>    1. Re: Running RADIUS in permanent debug mode with rotating log
>       (Arran Cudbard-Bell)
>    2. Re: Wifi APs Models compatible with by username dynamic vlan
>       assignment (Arran Cudbard-Bell)
>    3. How to deny access to Switch Cisco by Group (Usuário do Sistema)
>    4. Re: How to deny access to Switch Cisco by Group (Alan DeKok)
>    5. Re: Running RADIUS in permanent debug mode with rotating log
>       (a.l.m.bu...@lboro.ac.uk)
>    6. RE: radwho not working (Clint Petty)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 3 Oct 2013 11:04:42 +0100
> From: Arran Cudbard-Bell <a.cudba...@freeradius.org>
> To: FreeRadius users mailing list
>         <freeradius-users@lists.freeradius.org>
> Subject: Re: Running RADIUS in permanent debug mode with rotating log
> Message-ID: <414c50cc-a53f-4480-b111-14fb8a774...@freeradius.org>
> Content-Type: text/plain; charset=us-ascii
>
>
> On 3 Oct 2013, at 10:14, <stefan.pae...@diamond.ac.uk> wrote:
>
>>> How can we run radiusd -x > "logname" such that we have different
>>> logname for each day?
>>
>> Clement, may I suggest a cron job?
>>
>> At midnight, move the log, kill and restart the radius server with a new log 
>> in the name? Of course you run the risk of possibly killing any 
>> authentication attempts that happen at that point in time, but... that's 
>> something you need to take into account?
>
> Please don't. Use a crontab by all means, but just use the main log file and
> enable additional debugging (-xx).
>
> As of 2.2.1 you can use the radmin control socket to reopen the log file
> handle without restarting the server or sending a -HUP.
>
> It's not just the fact that you'll kill any EAP auth sessions in progress, but
> you'll also clear out any cached entries (rlm_cache), and where proxying is
> being performed, upstream server state will be lost.
>
> It's also dangerous in that if someone has messed with the configuration, or
> overwritten the radiusd/freeradius (Debian) binary, you'll experience an
> unexpected migration to the new binary/config on the next restart.
>
> Arran Cudbard-Bell <a.cudba...@freeradius.org>
> FreeRADIUS Development Team
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 3 Oct 2013 11:08:34 +0100
> From: Arran Cudbard-Bell <a.cudba...@freeradius.org>
> To: FreeRadius users mailing list
>         <freeradius-users@lists.freeradius.org>
> Subject: Re: Wifi APs Models compatible with by username dynamic vlan
>         assignment
> Message-ID: <f7069ec1-c670-405b-9fc0-b962be10e...@freeradius.org>
> Content-Type: text/plain; charset=us-ascii
>
>
> On 3 Oct 2013, at 10:57, matthew pideil <matthew.pid...@teledetection.fr> 
> wrote:
>
>> Hello,
>>
>> I want to perform dynamic VLAN assignment by username through wifi
>> access. I set up this configuration some time ago, but it didn't work.
>>
>> I want to know which WiFi APs are compatible and/or what the term to
>> search for in device specifications is ...
>
>
> Look for claimed compliance with RFC3580/RFC4675 in the specifications of your
> Access-Point.
>
> -Arran
>
> Arran Cudbard-Bell <a.cudba...@freeradius.org>
> FreeRADIUS Development Team
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 3 Oct 2013 09:37:57 -0300
> From: Usuário do Sistema <maico...@ig.com.br>
> To: FreeRadius users mailing list
>         <freeradius-users@lists.freeradius.org>
> Subject: How to deny access to Switch Cisco by Group
> Message-ID:
>         <camtjhrxn6pq-7dc8bxf8lggbeyuyy4osvo2thn0v3so+vdk...@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
> I have just installed FreeRADIUS Version 2.1.12. It's integrated
> with OpenLDAP and I'm able to use it that way.
> My issue is how to deny users who aren't members of any group.
> For example, I would like to authorize users to log in to my Cisco
> devices from a group in my LDAP database. If the user isn't inside
> that group, FreeRADIUS must DENY it. Currently my FreeRADIUS
> allows any user from LDAP: if the user is created in LDAP, it's able to
> log in to my Cisco devices.
> How to deny access by group? If the user is a member of the group it's able
> to log in; otherwise the user is denied.
>
> thanks
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 03 Oct 2013 08:57:06 -0400
> From: Alan DeKok <al...@deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users@lists.freeradius.org>
> Subject: Re: How to deny access to Switch Cisco by Group
> Message-ID: <524d69a2.2040...@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Usuário do Sistema wrote:
>> How to deny access by group? If the user is a member of the group it's able
>> to log in; otherwise the user is denied.
>
>   See the FAQ.  Put this at the top of the "users" file:
>
> DEFAULT LDAP-Group != "allowed", Auth-Type := Reject
>
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 3 Oct 2013 16:29:41 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: FreeRadius users mailing list
>         <freeradius-users@lists.freeradius.org>
> Subject: Re: Running RADIUS in permanent debug mode with rotating log
> Message-ID: <20131003152941.ga4...@lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> this is the FreeRADIUS list, not a general Linux list - I'd suggest looking at
> some guides for the EXACT thing you need, e.g.
>
> http://www.cyberciti.biz/faq/linux-unix-formatting-dates-for-display/
>
> (and ensure your escape quotes are the right way around)
>
> alan
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 3 Oct 2013 17:10:17 +0000
> From: Clint Petty <cpe...@luthresearch.com>
> To: FreeRadius users mailing list
>         <freeradius-users@lists.freeradius.org>
> Subject: RE: radwho not working
> Message-ID:
>         <64d95a19c8744c0ca70e1343e2118...@dm2pr04mb334.namprd04.prod.outlook.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Alan,
>
> Below are the results from radiusd -X (debug mode), while logging in:
>
> rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=79, length=138
>         User-Name = "test"
>         NAS-Port-Type = Virtual
>         Service-Type = Framed-User
>         NAS-Port = 53
>         NAS-Port-Id = "ios"
>         NAS-IP-Address = xx.xx.xx.79
>         Called-Station-Id = "xx.xx.xx.79[4500]"
>         Calling-Station-Id = "xx.xx.xx.150[32055]"
>         EAP-Message = 0x02000009016a646f65
>         NAS-Identifier = "strongSwan"
>         Message-Authenticator = 0x13a0846c40f521e3c009161546f6f3fb
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 0 length 9
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for test
> [ldap]  expand: (&(uid=%u)) -> (&(uid=test))
> [ldap]  expand: ou=People,dc=company,dc=com -> ou=People,dc=company,dc=com
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] attempting LDAP reconnection
>   [ldap] (re)connect to xx.xx.xx.126:389, authentication 0
>   [ldap] bind as cn=Admin,dc=company,dc=com/xxxx to xx.xx.xx.126:389
>   [ldap] waiting for bind result ...
>   [ldap] Bind was successful
>   [ldap] performing search in ou=People,dc=company,dc=com, with filter (&(uid=test))
> [ldap] looking for check items in directory...
>   [ldap] userPassword -> User-Password == "password"
>   [ldap] userPassword -> Password-With-Header == "password"
>   [ldap] sambaNtPassword -> NT-Password == 0x38424235443
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Config already contains "known good" password.  Ignoring Password-With-Header
> [pap] Normalizing NT-Password from hex encoding
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good"               !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 79 to xx.xx.xx.79 port 40379
>         EAP-Message = 0x010100160410c73f50e02103b6473c8f5ed51995e29f
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x2310bb7d2311bf963fc3fbc63c331669
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=80, length=169
>         User-Name = "test"
>         NAS-Port-Type = Virtual
>         Service-Type = Framed-User
>         NAS-Port = 53
>         NAS-Port-Id = "ios"
>         NAS-IP-Address = xx.xx.xx.79
>         Called-Station-Id = "xx.xx.xx.79[4500]"
>         Calling-Station-Id = "xx.xx.xx.150[32055]"
>         EAP-Message = 0x020100160410958ab4a6a9b38188febc74cc0c573b96
>         NAS-Identifier = "strongSwan"
>         State = 0x2310bb7d2311bf963fc3fbc63c331669
>         Message-Authenticator = 0xdb77c116ca06726a60a2d3a224bc2e22
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 1 length 22
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for test
> [ldap]  expand: (&(uid=%u)) -> (&(uid=test))
> [ldap]  expand: ou=People,dc=company,dc=com -> ou=People,dc=company,dc=com
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in ou=People,dc=company,dc=com, with filter (&(uid=test))
> [ldap] looking for check items in directory...
>   [ldap] userPassword -> User-Password == "password"
>   [ldap] userPassword -> Password-With-Header == "password"
>   [ldap] sambaNtPassword -> NT-Password == 0x38424235443
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Config already contains "known good" password.  Ignoring Password-With-Header
> [pap] Normalizing NT-Password from hex encoding
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good"               !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/md5
> [eap] processing type md5
> [eap] Freeing handler
> ++[eap] returns ok
> Login OK: [test] (from client localhost port 53 cli xx.xx.xx.150[32055])
> # Executing section post-auth from file /etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 80 to xx.xx.xx.79 port 40379
>         EAP-Message = 0x03010004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "test"
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 79 with timestamp +20
> Cleaning up request 1 ID 80 with timestamp +20
> Ready to process requests.
>
>
>
> -----Original Message-----
> From: freeradius-users-bounces+me=company....@lists.freeradius.org 
> [mailto:freeradius-users-bounces+me=company....@lists.freeradius.org] On 
> Behalf Of a.l.m.bu...@lboro.ac.uk
> Sent: Thursday, October 03, 2013 1:32 AM
> To: FreeRadius users mailing list
> Subject: Re: radwho not working
>
> Hi,
>> I would like to display the active Radius connections.  When I run radwho I 
>> get the following results (showing nothing but the titles) even though I 
>> know I have an active connection:
>
> using the utmp/wtmp modules?  what does your FreeRADIUS debug show when
> someone logs in?
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
>
> End of Freeradius-Users Digest, Vol 102, Issue 11
> *************************************************
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
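The group check reported at the top of this thread, modelled as an added example (not FreeRADIUS code, and not from anyone in the thread). The logged filter contains `(member=)` and `(uniquemember=)` with empty values, i.e. the user-DN placeholder in the stock rlm_ldap 2.x `groupmembership_filter` template expanded to an empty string. The code below rebuilds that filter string exactly, evaluates it against a small constructed directory holding both a `groupOfNames` and a `groupOfUniqueNames` entry, and applies Alan DeKok's `DEFAULT LDAP-Group != ..., Auth-Type := Reject` policy to a member, a non-member and an unresolved DN. The directory entries, DNs and user names are constructed; only the group name `cisco` and the base `o=dohler` come from the thread.

```python
"""Model of the rlm_ldap group check behind the
'Group cisco not found or user is not a member' log line.

Added example, not FreeRADIUS code.  It builds the group-membership search
filter the way the stock rlm_ldap 2.x template does, evaluates it against a
small constructed directory, and applies the users-file policy

    DEFAULT LDAP-Group != "cisco", Auth-Type := Reject

Directory entries, DNs and user names are constructed for illustration.
"""
from typing import Dict, List, Optional

# Stock rlm_ldap 2.x groupmembership_filter template.  %{Ldap-UserDn} is its
# only expansion, so when the user DN is not known it becomes the empty
# string and the filter degrades to '(member=)' / '(uniquemember=)'.
GROUP_FILTER_TEMPLATE = (
    "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
)

Entry = Dict[str, List[str]]  # lower-case attribute name -> values


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_group_filter(group_name: str, user_dn: Optional[str]) -> str:
    """Return the filter rlm_ldap logs for ldap_groupcmp.

    rlm_ldap ANDs '(cn=<group>)' (groupname_attribute = cn) with the
    expanded groupmembership_filter.
    """
    expanded = GROUP_FILTER_TEMPLATE.replace(
        "%{Ldap-UserDn}", ldap_escape(user_dn or ""))
    return "(&(cn=%s)%s)" % (ldap_escape(group_name), expanded)


def group_matches(entry: Entry, group_name: str, user_dn: str) -> bool:
    """Evaluate the filter above against one directory entry.

    An empty DN can never name a real member, so '(member=)' matches
    nothing; that is the 'object not found' result in the log.
    """
    if not user_dn:
        return False
    if group_name.lower() not in [v.lower() for v in entry.get("cn", [])]:
        return False
    classes = {v.lower() for v in entry.get("objectclass", [])}
    dn = user_dn.lower()
    members = [v.lower() for v in entry.get("member", [])]
    unique = [v.lower() for v in entry.get("uniquemember", [])]
    return ("groupofnames" in classes and dn in members) or \
           ("groupofuniquenames" in classes and dn in unique)


def ldap_groupcmp(directory: List[Entry], group_name: str,
                  user_dn: Optional[str]) -> bool:
    """Mirror rlm_ldap::ldap_groupcmp: true only if some group entry matches."""
    return any(group_matches(e, group_name, user_dn or "") for e in directory)


def authorize(directory: List[Entry], required_group: str,
              user_dn: Optional[str]) -> str:
    """Apply  DEFAULT LDAP-Group != "<group>", Auth-Type := Reject.

    Returns "Reject" when the check item fails and "Continue" when the
    entry does not match, i.e. normal authentication proceeds.  A user whose
    DN could not be resolved fails closed.
    """
    if not ldap_groupcmp(directory, required_group, user_dn):
        return "Reject"
    return "Continue"


# Constructed directory: one groupOfNames and one groupOfUniqueNames.
DIRECTORY: List[Entry] = [
    {"dn": ["cn=cisco,ou=Groups,o=dohler"],
     "objectclass": ["top", "groupOfNames"], "cn": ["cisco"],
     "member": ["uid=alice,ou=People,o=dohler"]},
    {"dn": ["cn=netops,ou=Groups,o=dohler"],
     "objectclass": ["top", "groupOfUniqueNames"], "cn": ["netops"],
     "uniquemember": ["uid=bob,ou=People,o=dohler"]},
]

if __name__ == "__main__":
    # An unresolved DN reproduces the filter string from the log.
    print(build_group_filter("cisco", None))
    for dn in ("uid=alice,ou=People,o=dohler", "uid=bob,ou=People,o=dohler", None):
        print(dn, "->", authorize(DIRECTORY, "cisco", dn))
```

The point a practitioner can take from running it: with the DN unresolved the filter is syntactically fine but can never match, and the `DEFAULT ... Auth-Type := Reject` line then rejects every user, members included, which is the safe direction to fail. The first thing to confirm in a live debug run is therefore that the user lookup before the group check actually returned a DN, so that `member=` in the logged filter carries a value.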
