Radius Integration with Active Directory

2011-03-25 Thread Raheel Itrat

Hi all,

I have installed a freeradius machine on an Ubuntu server, and now my boss wants me to 
integrate it with Active Directory so that users can be authenticated 
through it. I was wondering, design-wise, does it make sense to have a free 
radius server in between if we can run radius on the Windows machine itself? 
What are the security best practices in this case? 

Cheers


  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Radius Integration with Active Directory

2011-03-25 Thread Sallee, Stephen (Jake)
While MS ISA is fine for very small deployments, in my experience it cannot scale 
very well, whereas FR scales extremely well.

MS ISA will start to really putter out at about 50-100 NASs (depending on 
your hardware), while FR will happily hum along with THOUSANDS of NASs.

Jake Sallee
Network Engineer
University of Mary Hardin-Baylor
Fone: 254-295-4658
Phax: 254-295-4221


From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Raheel Itrat
Sent: Friday, March 25, 2011 1:08 AM
To: freeradius-users@lists.freeradius.org
Subject: Radius Integration with Active Directory


Radgroup replay

2011-03-25 Thread miha-

Hello guys,

I was bothering you one month ago about my radius problem with centile (the
problem was that centile was not sending the right secret). We have finally
fixed this issue and now the call goes through. 

I am facing a different problem. After I answer the phone, my call is
dropped by centile because radius is not sending back a few parameters. Do I
have to put these parameters in radgroupreply?

thank you!!!

Miha




sending detailed log to centralization logs server

2011-03-25 Thread Pierre Durand



Pierre Durand wrote:

 But how do I also send the detailed logs
 (/var/log/freeradius/radacct/IP/detail-*) I need?

 raddb/sites-available/copy-acct-to-home-server

Sorry, the purpose is to send detailed logs to a centralized log 
server, not to another freeradius server.


--

Pierre Durand
D.S.I - Université Pierre MENDES FRANCE
151 Avenue des Universités BP 47 38040 Grenoble Cedex 9
T. 04 76 82 59 45
Bureau 31 LNT 3° étage
courriel: pierre.dur...@upmf-grenoble.fr
***

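Pierre's goal above is getting the per-NAS detail files (/var/log/freeradius/radacct/IP/detail-*) to a central log host rather than to another RADIUS server. The following is an added example, not code from this thread or from the FreeRADIUS project: a small Python forwarder that parses the detail-file layout (a date line, tab-indented `Attribute = value` lines, a blank line closing each record) and emits one JSON line per accounting record to a syslog collector. The two records, the collector host name and the port are constructed for the example.

```python
import json
import logging
import logging.handlers
import re

# Constructed sample in the layout FreeRADIUS writes to detail-* files:
# an unindented date line, tab-indented "Attribute = value" lines, and a
# blank line ending each record. Not taken from any real server.
SAMPLE_DETAIL = (
    "Fri Mar 25 15:41:53 2011\n"
    "\tAcct-Session-Id = \"0000abcd\"\n"
    "\tAcct-Status-Type = Start\n"
    "\tUser-Name = \"alice\"\n"
    "\tNAS-IP-Address = 10.0.0.5\n"
    "\tTimestamp = 1301064113\n"
    "\n"
    "Fri Mar 25 15:52:07 2011\n"
    "\tAcct-Session-Id = \"0000abcd\"\n"
    "\tAcct-Status-Type = Stop\n"
    "\tUser-Name = \"alice\"\n"
    "\tNAS-IP-Address = 10.0.0.5\n"
    "\tAcct-Session-Time = 614\n"
    "\tAcct-Terminate-Cause = User-Request\n"
    "\n"
)

ATTR_LINE = re.compile(r"^\s+([A-Za-z0-9:-]+) = (.*)$")


def parse_detail(text):
    """Return one dict per record. Quoted string values lose their quotes;
    integers, addresses and dictionary names stay as the literal text.
    Escaped quotes inside a string are kept as-is (no unescaping)."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line closes a record
            if current:
                records.append(current)
                current = None
            continue
        m = ATTR_LINE.match(line)
        if m and current is not None:
            name, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[name] = value
        elif not line[0].isspace():          # unindented: the date line
            current = {"_detail_time": line.strip()}
        else:
            raise ValueError("unparseable detail line: %r" % line)
    if current:
        records.append(current)
    return records


def to_json_lines(records):
    """One single-line JSON object per record; sorted keys keep output stable."""
    return [json.dumps(r, sort_keys=True) for r in records]


def make_syslog_logger(host, port=514):
    """Logger that ships each line to a central syslog collector over UDP.
    host/port are assumptions for the example; point them at your collector."""
    logger = logging.getLogger("radacct-forward")
    logger.setLevel(logging.INFO)
    if not logger.handlers:
        logger.addHandler(logging.handlers.SysLogHandler(address=(host, port)))
    return logger


def forward(text, logger):
    """Parse a detail file's contents and send every record; returns the count."""
    lines = to_json_lines(parse_detail(text))
    for line in lines:
        logger.info(line)
    return len(lines)


if __name__ == "__main__":
    # Example run against the constructed sample and a constructed collector.
    forward(SAMPLE_DETAIL, make_syslog_logger("logs.example.internal", 514))
```

Shipping accounting off the box as it is written is also the cheap way to keep a usable audit trail if the RADIUS host is later compromised or its disk fills. Plain UDP syslog is neither authenticated nor encrypted, so the collector should sit on a management network or be reached over a TLS-capable transport.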


Wrong packing of attributes?

2011-03-25 Thread Kristoffer Milligan
radiusd: FreeRADIUS Version 3.0.0, for host i686-pc-linux-gnu, built on 
Mar 24 2011 at 15:45:30


I'm on a bit of a limb here, but I think I might have found a bug. Far 
from sure though, so please don't kill me if I'm wrong.


Example of authentication reply:

Sending Access-Accept of id 162 to 192.168.106.240 port 1812
WiMAX-R3-IF-Name = KRIS
01 06  4b 52 49 53
WiMAX-PDFID = 1
02 04  00 01
*WiMAX-R3-IF-Descriptor = ...*- *Perfect*
1a 13  60b5 (24757)  8b 0d 00   01 06 4b 52 49 53 02 04 00 01
WiMAX-Packet-Data-Flow-Id = 1
01 04  00 01
WiMAX-Direction = Bi-Directional
04 03  03
WiMAX-Transport-Type = Ethernet
06 03  03
WiMAX-Uplink-QOS-Id = 1
07 03  01
WiMAX-Downlink-QOS-Id = 1
08 03  01
WiMAX-ClassifierID = 1
01 03  01
WiMAX-Classifier-Priority = 1
02 03  01
WiMAX-Classifier-Direction = Bi-Directional
04 03  03
WiMAX-VLAN-ID = 50
09 04  00 32
*WiMAX-Classifier = ...* - *Perfect*
0b 0f  01 03 01 02 03 01 04 03 03 09 04 00 32
WiMAX-QoS-Id = 1
01 03  01
WiMAX-Schedule-Type = Best-Effort
04 03  02
WiMAX-Traffic-Priority = 1
05 03  01
WiMAX-Maximum-Sustained-Traffic-Rate = 200
06 06  00 1e 84 80
WiMAX-Packet-Flow-Descriptor = ...
1a 37  60b5 (24757)  1c 31 00   01 04 00 01 04 03 03 06 03 
03 07 03 01 08 03 01
*0b 0f 01 03 01 02 03 01 04 03 03 09 04 00 32 01 *-Our classifier has 
been packed in the flow descriptor

03 01 04 03 02 05 03 01 06 06 00 1e 84 80
Calling-Station-Id = 00-10-E7-AA-40-C4
1f 13  30 30 2d 31 30 2d 45 37 2d 41 41 2d 34 30 2d 43
34
EAP-Message = 0x03070004
4f 06  03 07 00 04
Message-Authenticator = 0x
50 12 ...
User-Name = {am=1}34f1c6d378383b0a78a50d1d61c14976
01 28  7b 61 6d 3d 31 7d 33 34 66 31 63 36 64 33 37 38
33 38 33 62 30 61 37 38 61 35 30 64 31 64 36 31
63 31 34 39 37 36
WiMAX-AAA-Session-Id = 
0x3635613865393037626230306231653539633164643033626162353832353630
1a 29  60b5 (24757)  04 23 00   36 35 61 38 65 39 30 37 62 
62 30 30 62 31 65 35

39 63 31 64 64 30 33 62 61 62 35 38 32 35 36 30
WiMAX-MSK = 
0xbb7ceda36bf48308924b3c134c73a576e4f0a290ee7e099070d0b6efe09a98032a0a4f93e626a3a1c803ca964d0288da345587f2c8b64d76c39957e482662b4a
1a 5b  60b5 (24757)  05 55 00   87 2b dc 67 b2 50 8a 3f 02 
95 25 c3 d2 c2 52 d2

07 50 3b a1 a9 e0 53 48 3a a2 74 3f 86 5c 22 17
a2 a6 72 64 c9 0e de 93 53 a7 18 a4 92 40 79 6e
54 d3 81 c5 9e c7 3c ac 2c 53 12 c8 b0 63 81 a5
8e ca ed c4 f8 ed 05 29 42 4a 40 98 56 8b 34 8b
b5 2f
  Code:2
  Id:162
  Length:309
  Vector:8b8551e57f89b4247daf7b2f0d312efa
  Data:1a  13  60b5 (24757)  8b 0d 00 01 06 4b 52 49 53 02 
04 00 01
1a  37  60b5 (24757)  1c 31 00 01 04 00 01 04 03 03 06 03 
03 07 03 01

08 03 01 0b 0f 01 03 01 02 03 01 04 03 03 09 04
00 32 01 03 01 04 03 02 05 03 01 06 06 00 1e 84
80
1f  13  30 30 2d 31 30 2d 45 37 2d 41 41 2d 34 30 2d 43
34
4f  06  03 07 00 04
50  12  b5 7e 69 23 2f d4 52 d0 5b 8d de e2 83 41 c3 22
01  28  7b 61 6d 3d 31 7d 33 34 66 31 63 36 64 33 37 38
33 38 33 62 30 61 37 38 61 35 30 64 31 64 36 31
63 31 34 39 37 36
1a  29  60b5 (24757)  04 23 00 36 35 61 38 65 39 30 37 62 
62 30 30 62

31 65 35 39 63 31 64 64 30 33 62 61 62 35 38 32
35 36 30
1a  5b  60b5 (24757)  05 55 00 87 2b dc 67 b2 50 8a 3f 02 
95 25 c3 d2

c2 52 d2 07 50 3b a1 a9 e0 53 48 3a a2 74 3f 86
5c 22 17 a2 a6 72 64 c9 0e de 93 53 a7 18 a4 92
40 79 6e 54 d3 81 c5 9e c7 3c ac 2c 53 12 c8 b0
63 81 a5 8e ca ed c4 f8 ed 05 29 42 4a 40 98 56
8b 34 8b b5 2f
Fri Mar 25 09:15:51 2011 : Info: (6) Finished request.

The problem here though, is that the following attributes:
*WiMAX-QoS-Id* = 1
01 03  01
*WiMAX-Schedule-Type* = Best-Effort
04 03  02
*WiMAX-Traffic-Priority* = 1
05 03  01
*WiMAX-Maximum-Sustained-Traffic-Rate* = 200

Should really be packed into a WiMAX-QoS-Descriptor, as far as I can see? 
Cut'n'paste from the dictionary:


ATTRIBUTE   WiMAX-QoS-Descriptor                   29     tlv
ATTRIBUTE   WiMAX-QoS-Id                           29.1   byte
ATTRIBUTE   WiMAX-Global-Service-Class-Name        29.2   string  # 6 octets
ATTRIBUTE   WiMAX-Service-Class-Name               29.3   string
ATTRIBUTE   WiMAX-Schedule-Type                    29.4   byte
ATTRIBUTE   WiMAX-Traffic-Priority                 29.5   byte
ATTRIBUTE   WiMAX-Maximum-Sustained-Traffic-Rate   29.6   integer
ATTRIBUTE   
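
The hex dump above can be checked mechanically. What follows is an added example, not code from this message or from FreeRADIUS: a Python decoder for a RADIUS Vendor-Specific attribute carrying a WiMAX TLV (26, length, 4-byte vendor id 24757, then the WiMAX type / length / continuation header and the sub-TLVs), fed with the octets copied from the WiMAX-Packet-Flow-Descriptor line of the dump. Sub-TLV names are the ones the dump and the dictionary excerpt give; the "split at first repeated sub-type" re-encoding is my own illustration of the shape a correct reply would have, not the fix that went into git.

```python
import struct

RADIUS_VSA = 26          # Vendor-Specific attribute type
WIMAX_VENDOR = 24757     # 0x60b5, as shown in the dump

# Names taken from the dump and the dictionary excerpt in the message above.
WIMAX_NAMES = {
    28: ("WiMAX-Packet-Flow-Descriptor",
         {1: "Packet-Data-Flow-Id", 4: "Direction", 6: "Transport-Type",
          7: "Uplink-QOS-Id", 8: "Downlink-QOS-Id", 11: "Classifier"}),
    29: ("WiMAX-QoS-Descriptor",
         {1: "QoS-Id", 2: "Global-Service-Class-Name", 3: "Service-Class-Name",
          4: "Schedule-Type", 5: "Traffic-Priority",
          6: "Maximum-Sustained-Traffic-Rate"}),
}


def parse_tlvs(data):
    """Walk 1-byte-type / 1-byte-length sub-TLVs (length covers the header).
    Strict on lengths so a malformed packet fails loudly instead of misparsing."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % pos)
        t, ln = data[pos], data[pos + 1]
        if ln < 2 or pos + ln > len(data):
            raise ValueError("bad TLV length %d at offset %d" % (ln, pos))
        out.append((t, data[pos + 2:pos + ln]))
        pos += ln
    return out


def decode_wimax_vsa(attr):
    """One RADIUS VSA carrying a WiMAX TLV:
    26, len, vendor-id(4), wimax-type, wimax-len, continuation, sub-TLVs...
    Returns (wimax_type, continuation, [(subtype, value), ...])."""
    if len(attr) < 9 or attr[0] != RADIUS_VSA:
        raise ValueError("not a Vendor-Specific attribute")
    if attr[1] != len(attr):
        raise ValueError("VSA length %d != %d octets given" % (attr[1], len(attr)))
    vendor = struct.unpack("!I", attr[2:6])[0]
    if vendor != WIMAX_VENDOR:
        raise ValueError("vendor %d is not WiMAX" % vendor)
    wtype, wlen, cont = attr[6], attr[7], attr[8]
    if wlen != len(attr) - 6:    # WiMAX length spans type, len, cont and body
        raise ValueError("WiMAX length %d inconsistent with VSA length" % wlen)
    return wtype, cont, parse_tlvs(attr[9:])


def encode_wimax_vsa(wtype, subtlvs):
    """Inverse of decode_wimax_vsa; continuation byte is 0 (attribute not split)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in subtlvs)
    wimax = struct.pack("!BBB", wtype, len(body) + 3, 0) + body
    return (struct.pack("!BB", RADIUS_VSA, len(wimax) + 6)
            + struct.pack("!I", WIMAX_VENDOR) + wimax)


def describe(wtype, subtlvs):
    """Human-readable view: (sub-TLV name, hex value) using the names above."""
    _, names = WIMAX_NAMES.get(wtype, ("WiMAX-%d" % wtype, {}))
    return [(names.get(t, "sub-%d" % t), v.hex()) for t, v in subtlvs]


def duplicated_subtypes(subtlvs):
    """Sub-types that occur more than once: in a descriptor that is the
    tell-tale of foreign sub-TLVs appended to the wrong parent."""
    seen, dups = set(), []
    for t, _ in subtlvs:
        if t in seen and t not in dups:
            dups.append(t)
        seen.add(t)
    return dups


def split_at_first_repeat(wtype, subtlvs, tail_type):
    """Illustration only: keep everything up to the first repeated sub-type in
    the descriptor of type `wtype`, and re-encode the trailing run as its own
    descriptor of type `tail_type` (29 = QoS-Descriptor in this thread)."""
    seen = set()
    for i, (t, _) in enumerate(subtlvs):
        if t in seen:
            return (encode_wimax_vsa(wtype, subtlvs[:i]),
                    encode_wimax_vsa(tail_type, subtlvs[i:]))
        seen.add(t)
    return encode_wimax_vsa(wtype, subtlvs), b""


# Octets copied from the "WiMAX-Packet-Flow-Descriptor" line of the dump above.
PFD_FROM_DUMP = bytes.fromhex(
    "1a37" "000060b5" "1c3100"
    "01040001" "040303" "060303" "070301" "080301"
    "0b0f01030102030104030309040032"
    "010301" "040302" "050301" "0606001e8480"
)

if __name__ == "__main__":
    wtype, cont, tlvs = decode_wimax_vsa(PFD_FROM_DUMP)
    for name, value in describe(wtype, tlvs):
        print(name, value)
    print("repeated sub-types:", duplicated_subtypes(tlvs))
```

Decoding the dumped descriptor lists sub-type 1 twice (the second one is the QoS-Id being read back as another Packet-Data-Flow-Id), which is exactly the symptom described above: the four QoS sub-TLVs were appended inside descriptor 28 instead of being emitted as a descriptor 29. The strict length checks are deliberate; nested vendor TLVs are where decoders on both the NAS and the server side tend to read past the end of an attribute.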

freeradius

2011-03-25 Thread Rtz Poknat
I have a freeradius server with 25 VPN servers.

I enabled simultaneous-use = 1, meaning only 1 user can log in at a time.

The problem is, some VPN servers reboot suddenly, so they didn't send STOP packets to 
the radius server to close user connections.

So when a VPN server suddenly reboots, there are still user sessions there but in fact 
they are not, because the VPN server shut down suddenly. So when these users try to 
log in, they can't because there is still a ghost session.


Are there any means to solve this problem? Please help.


Re: sending detailed log to centralization logs server

2011-03-25 Thread Bjørn Mork
Pierre Durand pierre.dur...@upmf-grenoble.fr writes:

 Pierre Durand wrote:

 But how do I also send the detailed logs
 (/var/log/freeradius/radacct/IP/detail-*) I need?
  
raddb/sites-available/copy-acct-to-home-server


 Sorry, the purpose is to send detailed logs to a centralized log
 server, not to another freeradius server

You should expect to get a FreeRADIUS solution when you ask on a
FreeRADIUS mailing list.  If you want an NFS solution then you have to
find an NFS mailing list.  Likewise for FTP, SMB or whatever protocol you
want to use.

But if you already decided, why ask at all?


Bjørn



Re: Radius Integration with Active Directory

2011-03-25 Thread Alan DeKok
Sallee, Stephen (Jake) wrote:
 While MS ISA will start to really putter out at about 50-100 NASs
 (depending on your hardware)  FR will happily hum along with THOUSANDS
 of NASs.

  I've done tests with 500,000 clients in the clients.conf file.  The
server uses a fair bit of RAM, but performance is largely unaffected.

  Alan DeKok.


Re: freeradius

2011-03-25 Thread Alan DeKok
Rtz Poknat wrote:
 So when a VPN server suddenly reboots, there are still user sessions there but
 in fact they are not, because the VPN server shut down suddenly. So when
 these users try to log in, they can't because there is still a ghost session.

  How do you know that the NAS rebooted?

 are there any means to solve this problem? pls help

  When the NAS reboots, clear out the existing sessions.  See radzap.

  Alan DeKok.
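Alan's answer is to clear the sessions once the NAS is known to have rebooted, using radzap. The block below is an added example, not radzap and not FreeRADIUS code: it shows the two halves of that cleanup in Python, deciding which radutmp-style entries are ghosts (started before their NAS's last boot) and building the Accounting-Stop packet that retires each one, with the RFC 2866 Request Authenticator computed over the packet and the shared secret. The session records, boot time, addresses and secret are constructed. A NAS that sends Acct-Status-Type = Accounting-On when it boots lets rlm_radutmp close that NAS's entries by itself, so a script like this is only for a NAS that cannot.

```python
import hashlib
import hmac
import ipaddress
import socket
import struct

ACCT_REQUEST = 4                 # RADIUS code: Accounting-Request
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ATTR_ACCT_TERMINATE_CAUSE = 49
ACCT_STOP = 2                    # Acct-Status-Type value
CAUSE_NAS_REBOOT = 11            # Acct-Terminate-Cause value (RFC 2866)

# Constructed sample: three radutmp-style entries and one NAS's boot time.
SESSIONS = [
    {"user": "alice", "nas_ip": "10.0.0.5", "session_id": "0000abcd", "start": 1301037000},
    {"user": "bob",   "nas_ip": "10.0.0.5", "session_id": "0000abce", "start": 1301064113},
    {"user": "carol", "nas_ip": "10.0.0.6", "session_id": "0000abcf", "start": 1301037000},
]
NAS_BOOT = {"10.0.0.5": 1301060000}   # 10.0.0.5 rebooted; 10.0.0.6 did not


def ghost_sessions(sessions, nas_boot_time):
    """Sessions that began before their NAS last booted cannot still be live:
    the NAS lost them without ever sending an Accounting-Stop."""
    return [s for s in sessions
            if s["nas_ip"] in nas_boot_time
            and s["start"] < nas_boot_time[s["nas_ip"]]]


def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value (RFC 2865)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def acct_authenticator(code, ident, attrs, secret):
    """Accounting Request Authenticator (RFC 2866 section 3):
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16)
    return hashlib.md5(header + attrs + secret).digest()


def build_acct_stop(secret, ident, user, nas_ip, session_id, cause=CAUSE_NAS_REBOOT):
    """Accounting-Request (Stop) for one session, as the NAS itself would send."""
    attrs = (avp(ATTR_USER_NAME, user.encode())
             + avp(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))
             + avp(ATTR_ACCT_SESSION_ID, session_id.encode())
             + avp(ATTR_ACCT_TERMINATE_CAUSE, struct.pack("!I", cause)))
    auth = acct_authenticator(ACCT_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def verify_acct_request(packet, secret):
    """What the server does on receipt: recompute and compare in constant time.
    A Stop forged without the NAS's shared secret fails here and is dropped."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = acct_authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def stop_packets_for_reboot(sessions, nas_boot_time, secret, first_id=0):
    """One Accounting-Stop per ghost session, cycling the 8-bit Identifier."""
    packets = []
    for i, s in enumerate(ghost_sessions(sessions, nas_boot_time)):
        packets.append(build_acct_stop(secret, (first_id + i) % 256,
                                       s["user"], s["nas_ip"], s["session_id"]))
    return packets


def send_acct_stop(packet, server, port=1813):
    """Fire-and-forget over UDP to the accounting port; real tooling should
    wait for the Accounting-Response and retry on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet, (server, port))


if __name__ == "__main__":
    for pkt in stop_packets_for_reboot(SESSIONS, NAS_BOOT, b"testing123"):
        print("Stop packet, %d octets, verifies: %s"
              % (len(pkt), verify_acct_request(pkt, b"testing123")))
```

The authenticator is the security control in this exchange: the server recomputes the MD5 over the packet and the shared secret and drops any Stop that does not match, so only a host holding that NAS's secret can end its sessions this way. Keep secrets per NAS, run the cleanup from a trusted host, and log every Stop it sends so a burst of session terminations is visible in the accounting trail.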


Re: Wrong packing of attributes?

2011-03-25 Thread Alan DeKok
Kristoffer Milligan wrote:
 Am I messing up something here, or could there be a bug in the encoder?

  Bug in the encoder.  Fixed & pushed to git.

  WiMAX is *weird*.

  Alan DeKok.


Attribute of User-name in Access-Accept packet does not match request User-name.

2011-03-25 Thread s_hira
Hello.

I use EAP-TLS authentication in FreeRADIUS v2.1.10.

Windows 7 computer authentication in EAP-TLS:
 Access-Request : User-Name = host/user
 Access-Accept  : User-Name = user

=== debug message ===
rad_recv: Access-Request packet from host 192.168.1.102 port 4181, id=236, length=168
User-Name = host/user
Cisco-AVPair = ssid=tsunami2
NAS-IP-Address = 192.168.1.102
Called-Station-Id = 00409635c604
Calling-Station-Id = 0013ce2ce98c
NAS-Identifier = AP340-35c604
NAS-Port = 37
Framed-MTU = 1400
State = 0xf63891eaf5349cad6a56444fd9199aec
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x020c00060d00
Message-Authenticator = 0xa007aa9e6ef0359c5b6b5edffe00ecbc
===
Sending Access-Accept of id 236 to 192.168.1.102 port 4181
Termination-Action = RADIUS-Request
Session-Timeout = 1800
MS-MPPE-Recv-Key = 0x27a0af9b85abaccd7314693a3d18bcf32b04534287bbc839219d99cb9500a6a3
MS-MPPE-Send-Key = 0x080829ecf636d5d7b8201accbf272cd5cf9fc4241a45dbf98fb2b580139ada58
EAP-Message = 0x030c0004
Message-Authenticator = 0x
User-Name = user
===

hints file :
===
 DEFAULT Prefix == host/
===

When Stripped-User-Name is set, its value is placed in the User-Name attribute 
of the Access-Accept packet.
Is this the intended behaviour in v2.1.x?
(changed from v1.1.x?)

==
Satoshi Hirabayashi



Re: Radius Integration with Active Directory

2011-03-25 Thread Alan DeKok
Raheel Itrat wrote:
 I have installed a freeradius machine on ubuntu server, now my boss
 wants me to integrate it with the Active directory so that the users can
 be authenticated through it. I was wondering design wise does it make
 sense to have a free radius server in between if we can run radius on
 the windows machine itself? what are security best practices in this case?

  FreeRADIUS doesn't (yet) run on Windows.  Just run it on another server.

  Or, run it on a VMware image on the Windows server.  It will use
minimal CPU, disk, and RAM.

  Alan DeKok.


Re: Duplicate Auth: Login OK:

2011-03-25 Thread Alan DeKok
Fajar A. Nugraha wrote:
 I believe there's also another (possibly related) bug:
 I disabled eap completely (comment-out the line $INCLUDE eap.conf on
 radiusd.conf, removed sites-enabled/inner-tunnel, and removed all
 reference to eap on sites-available/default and my virtual server),
 yet with a simple radtest radius.log shows this:
 
 Fri Mar 25 10:42:08 2011 : Auth: Login OK: [@myrealm] (from client
 localhost port 0 via TLS tunnel)

  Two issues:

1) Why aren't you running in debugging mode, as suggested in the FAQ,
README, INSTALL, and daily on this list?  Honestly, it's not that hard.

2) No, you didn't disable EAP.

 Fri Mar 25 10:42:08 2011 : Auth: Login OK: [@myrealm] (from client
 localhost port 0)
 
 So far it's only annoying, so I just ignore it.

  It would help to pay attention to what the system is doing.

  Alan DeKok.


Re: freeradius

2011-03-25 Thread Rtz Poknat
I know because one morning I used radwho and saw this one client connected for 
like 8 hrs straight. Then I double-checked the VPN server he's connected to, and it 
had been shut down. 

Is there a way to fix it? Thank you, Alan DeKok




From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, March 25, 2011 4:58:39 PM
Subject: Re: freeradius


Re: Wrong packing of attributes?

2011-03-25 Thread Kristoffer Milligan

On 03/25/2011 09:59 AM, Alan DeKok wrote:

Kristoffer Milligan wrote:

Am I messing up something here, or could there be a bug in the encoder?

   Bug in the encoder.  Fixed & pushed to git.

   WiMAX is *weird*.

   Alan DeKok.

Woohoo! I managed to spot something! :)

Anyway, ~/freeradius-server# git pull
Already up-to-date.

Did it push to production?


Re: Wrong packing of attributes?

2011-03-25 Thread Alan DeKok
Kristoffer Milligan wrote:
 Anyway, ~/freeradius-server# git pull
 Already up-to-date.
 
 Did it push to production?

  It should be there now.

  Alan deKok.


Re: dlopen issues in 2.1.10

2011-03-25 Thread Alan DeKok
John Dennis wrote:
 I finally tracked this down and since it affects other people building
 2.1.10 I thought I would pass along the info. Alan please also note
 there is a git formatted patch attached against the v2.1.x git branch
 and I think you also need to run autogen.sh again (see below).

  OK.  I've added the autogen patch, and regenerated autoconf.h.in.

  The fixes for HAVE_HAVE... were already in configure.in for the v2.1.x
branch.

  Alan DeKok.


Re: freeradius

2011-03-25 Thread Rtz Poknat
Mr. Alan DeKok

My NAS is not physical hardware. It's actually a radius client.

I'm using OpenVPN together with this radiusplugin: www.nongnu.org/radiusplugin/


But the question is, radcheck only works on real hardware, right, like Cisco, 
etc.?






From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, March 25, 2011 5:24:30 PM
Subject: Re: freeradius


Re: freeradius

2011-03-25 Thread Alan DeKok
Rtz Poknat wrote:
 My NAS is not a physical hardware. Its actually a radius client.

  <sigh>  That has nothing to do with the problem.

 But the question is, radcheck only works in real hardware right, like
 cisco, etc.

  If you're not going to read my messages, I don't see why you're asking
questions on this list.

  Alan DeKok.


Re: Duplicate Auth: Login OK:

2011-03-25 Thread Alan Buxey
Hi,

 I believe there's also another (possibly related) bug:
 I disabled eap completely (comment-out the line $INCLUDE eap.conf on
 radiusd.conf, removed sites-enabled/inner-tunnel, and removed all
 reference to eap on sites-available/default and my virtual server),
 yet with a simple radtest radius.log shows this:

If you did this... and restarted the server, then something is not right. I would
suggest that you didn't edit the files that the server was actually using.

alan


Re: Strip off the domain part from the User-Name

2011-03-25 Thread Phil Mayers

On 25/03/11 09:39, Thomas Wunder wrote:

 On Thursday 24 March 2011 09:36:28 Phil Mayers wrote:

  Please post a full debug. It's not possible to find the real cause of
  your problem from the snippet.

 (see attachment)


  I am guessing that you're attempting to modify the username; you can't
  do that, EAP will complain (as you're seeing)

 Yes, I've tried to modify the username (using a policy which I've invoked as 
 the first item of my authorize blocks in inner-tunnel and default) but since I 
 realized that this doesn't help either I don't do so any more (removed the 
 policy).
 By the way, this was the policy which I had used:
  strip_off_domain {
      if (User-Name =~ /^(.*)\\(.*)/) {
          update request {
              User-Name := "%{2}"
          }
      }
  }

 Apart from this, what can I do to have rlm_mschap cope with the domain prefix?


Use %{mschap:User-Name} everywhere; this will give the bare username 
(and also correctly translate host/name.domain.com, if you later do 
machine auth)

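Phil's advice here (use %{mschap:User-Name} rather than rewriting User-Name) and s_hira's observation further up the page (a hints entry with Prefix == "host/" fills Stripped-User-Name, which 2.1.x then copies into the reply's User-Name) come down to the same rule: derive a bare name without touching the User-Name the EAP conversation was started with. The Python below is an added example, not FreeRADIUS code. It models what the mschap xlat returns (an assumption based on rlm_mschap's behaviour for DOMAIN\user and host/ names, not the module's source), the %{2} capture from Thomas's regex, and the effect of the hints entry on the request list. The request dicts are constructed.

```python
import re

DOMAIN_RE = re.compile(r"^(.*)\\(.*)")   # the regex from Thomas's policy


def mschap_user_name(user_name):
    """Model of %{mschap:User-Name} (assumption, not project code):
    'DOM\\alice' -> 'alice'; 'host/pc1.example.com' -> 'pc1$' (the machine
    account name AD expects); a bare 'alice' comes back unchanged."""
    if user_name.startswith("host/"):
        machine = user_name[5:].split(".", 1)[0]
        return machine + "$"
    return user_name.rsplit("\\", 1)[-1]


def mschap_nt_domain(user_name):
    """Model of %{mschap:NT-Domain} for the DOM\\user form; '' when absent.
    The host/ form is deliberately not modelled here."""
    if "\\" in user_name and not user_name.startswith("host/"):
        return user_name.split("\\", 1)[0]
    return ""


def strip_off_domain_regex(user_name):
    """What Thomas's policy computed as %{2}: the part after the backslash."""
    m = DOMAIN_RE.match(user_name)
    return m.group(2) if m else user_name


def apply_hints_prefix(request, prefix):
    """Effect of a hints entry `DEFAULT Prefix == "<prefix>"` on the request
    list: the prefix is removed into Stripped-User-Name, and User-Name is
    left exactly as received. Returns a new dict; the input is not changed."""
    out = dict(request)
    name = request.get("User-Name", "")
    if name.startswith(prefix):
        out["Stripped-User-Name"] = name[len(prefix):]
    return out


def reply_user_name(request):
    """The User-Name 2.1.x puts in the Access-Accept when Stripped-User-Name
    is set, which is the behaviour s_hira observed above."""
    return request.get("Stripped-User-Name", request.get("User-Name"))


def eap_identity_unchanged(first_request, later_request):
    """Rewriting User-Name mid-conversation, as the policy did, makes later
    packets disagree with the first one; that is what EAP complains about."""
    return first_request.get("User-Name") == later_request.get("User-Name")


def derived_names(request):
    """Everything an authorize section can use without rewriting User-Name."""
    name = request.get("User-Name", "")
    return {
        "User-Name": name,
        "mschap:User-Name": mschap_user_name(name),
        "mschap:NT-Domain": mschap_nt_domain(name),
        "Stripped-User-Name": request.get("Stripped-User-Name"),
    }


if __name__ == "__main__":
    for n in ("EXAMPLE\\alice", "host/pc1.example.com", "alice"):
        print(n, "->", derived_names({"User-Name": n}))
    print(derived_names(apply_hints_prefix({"User-Name": "host/user"}, "host/")))
```

The practical consequence is the one Phil gives: pass %{mschap:User-Name} (and %{mschap:NT-Domain}) to whatever looks the account up, and leave the request's User-Name alone so the EAP state machine sees one identity from start to finish.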


Radutmp help

2011-03-25 Thread Waqas Toor
Hello Community,

I am unable to understand why my radutmp file is not being created.
Can somebody point me to where I might be wrong?

FreeRadius version 2.1.10

Below is a snippet from the log.
[radutmp] expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
Fri Mar 25 15:41:53 2011 : Debug: [radutmp] expand: %{User-Name} -> 002682A4E826@test_cpe.com
Fri Mar 25 15:41:53 2011 : Debug: ++[radutmp] returns noop

and in configuration
session {
radutmp

#
#  See Simultaneous Use Checking Queries in sql.conf
#   sql
}


Thank you.


Waqas Toor


RE: Wrong packing of attributes?

2011-03-25 Thread David Peterson
If you are working on a VPWS service flow in an Alvarion 4-Motion base
station you will have to take some steps to fix the NAS.

1. Update to the latest version for 2.2

2. Define the R3 attributes in a separate dictionary.

3. Update the main dictionary.wimax to make sure all of the Alvarion
WiMAX- attributes are added to that dictionary

4. Let me know of any success, as I have yet to get the NAS to properly
accept the service flow.

Let me know if you need any dictionary files for that NAS.

 

David

 

From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradiu
s.org] On Behalf Of Kristoffer Milligan
Sent: Friday, March 25, 2011 4:26 AM
To: FreeRadius users mailing list
Subject: Wrong packing of attributes?

 


RE: Radius Integration with Active Directory

2011-03-25 Thread Raheel Itrat

Alright, that's from a performance point of view, but if we integrate it with 
Active Directory then wouldn't it be a security issue to use a protocol like 
NTLM? I'd appreciate it if someone could provide me a good howto link for freeradius 
integration with Microsoft AD

 


Re: Duplicate Auth: Login OK:

2011-03-25 Thread Fajar A. Nugraha
On Fri, Mar 25, 2011 at 4:01 PM, Alan DeKok al...@deployingradius.com wrote:
 Fajar A. Nugraha wrote:
 I believe there's also another (possibly related) bug:
 I disabled eap completely (comment-out the line $INCLUDE eap.conf on
 radiusd.conf, removed sites-enabled/inner-tunnel, and removed all
 reference to eap on sites-available/default and my virtual server),
 yet with a simple radtest radius.log shows this:

 Fri Mar 25 10:42:08 2011 : Auth: Login OK: [@myrealm] (from client
 localhost port 0 via TLS tunnel)

  Two issues:

 1) Why aren't you running in debugging mode, as suggested in the FAQ,
 README, INSTALL, and daily on this list?  Honestly, it's not that hard.

Sorry about that.

The server was configured for a production environment, so the debug log
will contain sensitive information. This issue was low on my priority
list until I saw John's post, who also got two "Auth: Login OK:" log lines.

I've created a test case with as little modification as possible from
the default config file, just enough to reproduce the problem. Here's
the debug log

#=
FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on
Mar 24 2011 at 17:49:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/virtual-myrealm
including configuration file /etc/raddb/sites-available/default
including configuration file /etc/raddb/sites-enabled/control-socket
main {
user = radiusd
group = radiusd
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib64/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5

Re: Radius Integration with Active Directory

2011-03-25 Thread Fajar A. Nugraha
On Fri, Mar 25, 2011 at 6:19 PM, Raheel Itrat raheel...@hotmail.com wrote:
 Alright thats from performance point of view, but if we integrate it with
 Active Directory then wouldn't that be a security issue to use protocol like
 NTLM?.

Why would it be a security issue?
No clear-text password would be transmitted.

 I'd appreciate if someone can provide me a good howto link for
 freradius integration with Microsoft AD

Start with 
http://deployingradius.com/documents/configuration/active_directory.html
Or use freeradius to proxy the request to MS IAS.

-- 
Fajar


Re: Wrong packing of attributes?

2011-03-25 Thread Alan DeKok
David Peterson wrote:
 1.Update to the latest version for 2.2

  It's now pre-3.0

 2.   Define the R3 attributes in a separate dictionary.

  Already in share/dictionary.alvarion.wimax.v2_2

 3.   Update the main dictionary.wimax to make sure all of the
 Alvarion WiMAX- attributes are added to that dictionary

  Already in share/dictionary.wimax.alvarion

 4.   Let me know any success as I have yet to get the NAS to
 properly accept the service flow.

  Some fixes went in recently for encoding WiMAX attributes.  The new
-Xxx feature is very useful for debugging the detailed contents of
packets.

  Alan DeKok.


Re: Radutmp help

2011-03-25 Thread Alan DeKok
Waqas Toor wrote:
 Hello Community,
 
 I am unable to understand why my radutmp file is not being created.

  This is in the FAQ.

  Is the server receiving Accounting-Request packets?

  Alan DeKok.


Re: Duplicate Auth: Login OK:

2011-03-25 Thread Alan DeKok
Fajar A. Nugraha wrote:
 I've created a test case with as little modification as possible from
 the default config file, just enough to reproduce the problem. Here's
 the debug log

  Which helps.

  The issue is you're proxying it to an internal virtual server, just
like EAP does.  This confused the section of code that produced the log
message Login OK.

  The message will be updated for 2.1.11 so that it's clearer.

  Alan DeKok.


Re: Duplicate Auth: Login OK:

2011-03-25 Thread Fajar A. Nugraha
On Fri, Mar 25, 2011 at 7:54 PM, Alan DeKok al...@deployingradius.com wrote:
 Fajar A. Nugraha wrote:
 I've created a test case with as little modification as possible from
 the default config file, just enough to reproduce the problem. Here's
 the debug log

  Which helps.

  The issue is you're proxying it to an internal virtual server, just
 like EAP does.  This confused the section of code that produced the log
 message Login OK.

  The message will be updated for 2.1.11 so that it's clearer.

Thanks for the explanation.

So back to John's issue, his duplicate Auth: Login OK: is also
caused by the virtual server (inner-tunnel) and the default virtual
server, right? Is there a way (preferably with unlang) to enable auth
logging selectively (e.g if EAP is used, disable auth logging on the
default virtual server)?

-- 
Fajar



RE: Wrong packing of attributes?

2011-03-25 Thread David Peterson
Excellent!  

I just ran a git pull but not sure if I am set up correctly.  Here is the
output I received.


From git://git.freeradius.org/freeradius-server
   03f1be4..92caaa4  master -> origin/master
   2ae298a..14f534a  v2.1.x -> origin/v2.1.x

Should I make some changes to my git setup?

David

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: Friday, March 25, 2011 8:44 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Wrong packing of attributes?

David Peterson wrote:
 1.Update to the latest version for 2.2

  It's now pre-3.0

 2.   Define the R3 attributes in a separate dictionary.

  Already in share/dictionary.alvarion.wimax.v2_2

 3.   Update the main dictionary.wimax to make sure all of the
 Alvarion WiMAX- attributes are added to that dictionary

  Already in share/dictionary.wimax.alvarion

 4.   Let me know any success as I have yet to get the NAS to
 properly accept the service flow.

  Some fixes went in recently for encoding WiMAX attributes.  The new -Xxx
feature is very useful for debugging the detailed contents of packets.

  Alan DeKok.



Re: Radutmp help

2011-03-25 Thread Waqas Toor
Thank you Alan, you are always there to help :)


On Fri, Mar 25, 2011 at 5:50 PM, Alan DeKok al...@deployingradius.com wrote:
 Waqas Toor wrote:
 Hello Community,

 I am unable to understand why my radutmp file is not being created.

  This is in the FAQ.

  Is the server receiving Accounting-Request packets?

Yes, accounting is working fine. Now please tell me, is the NAS-Port
attribute a *must* to get this radutmp to work? My ASN is not
sending the NAS-Port attribute in its accounting packets.




  Alan DeKok.




Re: Wrong packing of attributes?

2011-03-25 Thread Kristoffer Milligan

You want the master branch mate,

git clone git://git.freeradius.org/freeradius-server.git

http://git.freeradius.org/

On 03/25/2011 02:06 PM, David Peterson wrote:

Excellent!

I just ran a git pull but not sure if I am set up correctly.  Here is the
output I received.


 From git://git.freeradius.org/freeradius-server
03f1be4..92caaa4  master -> origin/master
2ae298a..14f534a  v2.1.x -> origin/v2.1.x

Should I make some changes to my git setup?

David

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com]
Sent: Friday, March 25, 2011 8:44 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Wrong packing of attributes?

David Peterson wrote:

1.Update to the latest version for 2.2

   It's now pre-3.0


2.   Define the R3 attributes in a separate dictionary.

   Already in share/dictionary.alvarion.wimax.v2_2


3.   Update the main dictionary.wimax to make sure all of the
Alvarion WiMAX- attributes are added to that dictionary

   Already in share/dictionary.wimax.alvarion


4.   Let me know any success as I have yet to get the NAS to
properly accept the service flow.

   Some fixes went in recently for encoding WiMAX attributes.  The new -Xxx
feature is very useful for debugging the detailed contents of packets.

   Alan DeKok.





RE: Wrong packing of attributes?

2011-03-25 Thread David Peterson
Thanks!  

OK I am now getting this on compile... I must have screwed something up:

make[4]: Entering directory `/usr/src/freeradius-server/freeradius-server/src/main'
/usr/src/freeradius-server/freeradius-server/libtool --mode=compile gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/src/freeradius-server/freeradius-server/src -DHOSTINFO=\"i686-pc-linux-gnu\" -DRADIUSD_VERSION=\"3.0.0\"  -DOPENSSL_NO_KRB5 -c acct.c
mkdir .libs
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/src/freeradius-server/freeradius-server/src -DHOSTINFO=\"i686-pc-linux-gnu\" -DRADIUSD_VERSION=\"3.0.0\" -DOPENSSL_NO_KRB5 -c acct.c -fPIC -DPIC -o .libs/acct.o
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/src/freeradius-server/freeradius-server/src -DHOSTINFO=\"i686-pc-linux-gnu\" -DRADIUSD_VERSION=\"3.0.0\" -DOPENSSL_NO_KRB5 -c acct.c -o acct.o >/dev/null 2>&1
/usr/src/freeradius-server/freeradius-server/libtool --mode=compile gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/src/freeradius-server/freeradius-server/src -DHOSTINFO=\"i686-pc-linux-gnu\" -DRADIUSD_VERSION=\"3.0.0\"  -DOPENSSL_NO_KRB5 -c auth.c
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/src/freeradius-server/freeradius-server/src -DHOSTINFO=\"i686-pc-linux-gnu\" -DRADIUSD_VERSION=\"3.0.0\" -DOPENSSL_NO_KRB5 -c auth.c -fPIC -DPIC -o .libs/auth.o
auth.c: In function 'auth_name':
auth.c:51: error: too few arguments to function 'pairfind'
make[4]: *** [auth.lo] Error 1

-Original Message-
From: Kristoffer Milligan [mailto:kristof...@nextnet.no] 
Sent: Friday, March 25, 2011 9:42 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Wrong packing of attributes?

You want the master branch mate,

git clone git://git.freeradius.org/freeradius-server.git

http://git.freeradius.org/

On 03/25/2011 02:06 PM, David Peterson wrote:
 Excellent!

 I just ran a git pull but not sure if I am set up correctly.  Here is 
 the output I received.


  From git://git.freeradius.org/freeradius-server
 03f1be4..92caaa4  master -> origin/master
 2ae298a..14f534a  v2.1.x -> origin/v2.1.x

 Should I make some changes to my git setup?

 David

 -Original Message-
 From: Alan DeKok [mailto:al...@deployingradius.com]
 Sent: Friday, March 25, 2011 8:44 AM
 To: David Peterson-WirelessConnections; FreeRadius users mailing list
 Subject: Re: Wrong packing of attributes?

 David Peterson wrote:
 1.Update to the latest version for 2.2
It's now pre-3.0

 2.   Define the R3 attributes in a separate dictionary.
Already in share/dictionary.alvarion.wimax.v2_2

 3.   Update the main dictionary.wimax to make sure all of the
 Alvarion WiMAX- attributes are added to that dictionary
Already in share/dictionary.wimax.alvarion

 4.   Let me know any success as I have yet to get the NAS to
 properly accept the service flow.
Some fixes went in recently for encoding WiMAX attributes.  The new
-Xxx
 feature is very useful for debugging the detailed contents of packets.

Alan DeKok.





radwho shows only the last user logged.

2011-03-25 Thread joao...@gmail.com
Hello guys,

I have a question.

I'm using freeradius 2.1.10 on debian squeeze.

I am using multiple databases for authentication, LDAP in one and SQL in
another, each using a different realm.

Regarding the authentication, everything is working normally.

But when I try to check on the server how many users are logged in via the
command radwho, it returns only the last user who logged in. I think it should
show everyone who is authenticated at this point, right?

Regards.

John

-- 
João Paulo de Lima Barbosa
Phone: (45) 9938-8399
Blog: http://joao.us
Twitter: @joaocdc

The mistake of those who hold power is to put up barriers so that no one can
reach them, which only encourages us to seek every way we can find to reach them.

rlm_linelog and syslog over UDP

2011-03-25 Thread Stefan Winter
Hi,

are there any plans to add logging to *remote* syslog servers to the
rlm_linelog module? Would be kinda cute; we want to log authentication
results to a central statistics collection host - and going through
re-send on the local syslog instance is a superfluous extra step.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





Re: Wrong packing of attributes?

2011-03-25 Thread Alan DeKok
David Peterson wrote:
 I just ran a git pull but not sure if I am set up correctly.  Here is the
 output I received.

  You should be able to do git pull origin master:master

  Alan DeKok.


Re: rlm_linelog and syslog over UDP

2011-03-25 Thread Alan DeKok
Stefan Winter wrote:
 are there any plans to add logging to *remote* syslog servers to the
 rlm_linelog module? Would be kinda cute; we want to log authentication
 results to a central statistics collection host - and going through
 re-send on the local syslog instance is a superfluous extra step.

  I see what you mean, but that involves writing a module which opens a
UDP socket to a remote syslog server, and then creates syslog-formatted
messages.  That's probably not hard (~500 lines?), but not a priority
right now.

  RFC 5424 also says that TCP/TLS should be preferred to UDP for sending
to remote machines.

  So sure.. send a patch. :)

  Alan DeKok.
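As an added example (not FreeRADIUS code and not a patch from this thread), the Python below shows what the RFC 5424 formatting Alan describes involves: the PRI value from facility and severity, NILVALUE for unknown header fields, structured-data escaping and a plain UDP sender. The hostname, the radius@32473 SD-ID and the sample values are constructed for the example.

```python
import socket
from datetime import datetime, timezone
from typing import Dict, Optional

# RFC 5424 section 6.2.1 facility and severity codes (subset)
FACILITIES = {"kern": 0, "user": 1, "auth": 4, "authpriv": 10, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
NIL = "-"   # NILVALUE: a header field whose value is not known


def sd_escape(value: str) -> str:
    """PARAM-VALUE escaping: '"', '\\' and ']' must be backslash-escaped."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_rfc5424(facility: str, severity: str, msg: str, *,
                   hostname: str = NIL, appname: str = "radiusd",
                   procid: str = NIL, msgid: str = NIL,
                   sd: Optional[Dict[str, Dict[str, str]]] = None,
                   timestamp: Optional[datetime] = None) -> str:
    """Build one RFC 5424 message:
    <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    where PRI = facility * 8 + severity and missing fields become '-'."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    ts = (timestamp or datetime.now(timezone.utc)).isoformat(timespec="milliseconds")
    ts = ts.replace("+00:00", "Z")          # RFC 3339, UTC written as 'Z'
    if sd:
        blocks = []
        for sd_id, params in sd.items():
            body = " ".join('%s="%s"' % (k, sd_escape(v)) for k, v in params.items())
            blocks.append("[%s %s]" % (sd_id, body))
        structured = "".join(blocks)
    else:
        structured = NIL
    return "<%d>1 %s %s %s %s %s %s %s" % (pri, ts, hostname, appname,
                                          procid, msgid, structured, msg)


def auth_result_message(user_name: str, nas_ip: str, reply: str,
                        timestamp: Optional[datetime] = None) -> str:
    """An authentication result as RFC 5424, the kind of line rlm_linelog
    writes from post-auth. The SD-ID 'radius@32473' uses the enterprise
    number RFC 5612 reserves for documentation; use your own PEN in practice.
    The hostname is a constructed example value."""
    sd = {"radius@32473": {"user": user_name, "nas": nas_ip, "reply": reply}}
    return format_rfc5424("auth", "info",
                          "%s %s from %s" % (reply, user_name, nas_ip),
                          hostname="radius1.example.org", msgid="AUTH",
                          sd=sd, timestamp=timestamp)


def send_udp(message: str, host: str, port: int = 514) -> int:
    """Send one message over plain UDP, as the thread asks for. UDP syslog is
    neither authenticated nor encrypted and may be silently lost, which is
    why RFC 5424 points to TLS (RFC 5425) for transport between machines."""
    data = message.encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(data, (host, port))


if __name__ == "__main__":
    # constructed sample: what a central collector would receive
    print(auth_result_message("alice", "10.0.0.1", "Access-Accept"))
```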


Re: radwho shows only the last user logged.

2011-03-25 Thread Alan DeKok
joao...@gmail.com wrote:
 But when I try to check on the server how many users are logged in via the
 command radwho, it returns only the last user who logged in. I think
 it should show everyone who is authenticated at this point, right?

  Your NAS is sending NAS-Port = 0 for all of the users.

  Alan DeKok.


Re: Wrong packing of attributes?

2011-03-25 Thread Alan DeKok
David Peterson wrote:
 OK I am now getting this on compile... I must have screwed something up:

  git pull again.  Dang API differences between 2.1 and 3.0.

  Alan DeKok.


Re: Radutmp help

2011-03-25 Thread Alan DeKok
Waqas Toor wrote:
 Yes, accounting is working fine. Now please tell me, is the NAS-Port
 attribute a *must* to get this radutmp to work? My ASN is not
 sending the NAS-Port attribute in its accounting packets.

  Yes, it's required.

  Alan DeKok.


Re: Radutmp help

2011-03-25 Thread Waqas Toor
On Fri, Mar 25, 2011 at 7:32 PM, Alan DeKok al...@deployingradius.com wrote:
 Waqas Toor wrote:
 Yes, accounting is working fine. Now please tell me, is the NAS-Port
 attribute a *must* to get this radutmp to work? My ASN is not
 sending the NAS-Port attribute in its accounting packets.

  Yes, it's required.

Makes sense, Thanks


  Alan DeKok.


Waqas



RE: Wrong packing of attributes?

2011-03-25 Thread David Peterson
That fixed it.  Thanks!

David

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: Friday, March 25, 2011 10:32 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Wrong packing of attributes?

David Peterson wrote:
 OK I am now getting this on compile... I must have screwed something up:

  git pull again.  Dang API differences between 2.1 and 3.0.

  Alan DeKok.



Re: Strip off the domain part from the User-Name

2011-03-25 Thread Thomas Wunder
On Friday 25 March 2011 11:15:58 you wrote:
 Use %{mschap:User-Name} everywhere; this will give the bare username 
That sounds consequent but what exactly do you mean by everywhere?
I use the policy.conf (as you can see by the debug output from my previous 
posting) to define some policies that are later on used within the 'authorize 
{...}' groups of sites-available/default and sites-available/inner-tunnel. I 
don't utilize rlm_files any more but I use rlm_ldap to retrieve user/group 
information from my LDAP-server. The only place where I consciously reference 
any User-Name attribute is the modules/ldap and there I already do as you 
suggest (see attachment).

Where else do I need to explicitly specify '%{mschap:User-Name}' to have 
rlm_mschap accept user names that incorporate an NT-domain name (i.e. to have 
rlm_mschap ignore the domain component of the user name)?

My modules/mschap config file is pretty lucid at present:
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = no
}

And what about the realms approach? Can I save the trouble?
 (and also correctly translate host/name.domain.com, if you later do 
 machine auth)

Thanks!
policy {
    prefer_kerberos {
        if ( User-Password ) {
            update control {
                Auth-Type := Kerberos
            }
        }
        else {
            #update control {
            #    Auth-Type := MS-CHAP
            #}
            mschap
        }
    }

    swt_vpn_policy {
        if ( Called-Station-Id == "vpn1" && LDAP-Group == "vpn-staff" ) {
            update control {
                Pool-Name := "vpn_staff"
                Auth-Type := MS-CHAP
            }
        }
        elsif ( Called-Station-Id == "vpn2" && LDAP-Group == "vpn-others" ) {
            update control {
                Pool-Name := "vpn_others"
                Auth-Type := MS-CHAP
            }
        }
        #elsif ( Called-Station-Id == "c0-91-34-c3-44-00" && ( LDAP-Group == "swtswitch01-staff" || LDAP-Group == "swtswitch01-others" ) ) {
        #    prefer_kerberos
        #}
    }

    swt_policy {
        #
        #  STAFF Logins
        #
        if ( ( outer.request:Called-Station-Id == "02-6F-83-3A-AD-B8:staff.1.swt.wiai.uni-bamberg.de" || Called-Station-Id == "02-6F-83-3A-AD-B8:staff.1.swt.wiai.uni-bamberg.de" ) && LDAP-Group == "ap_llab-staff" ) {
            prefer_kerberos
        }
        elsif ( ( outer.request:Called-Station-Id == "0013100adbcf" || Called-Station-Id == "0013100adbcf" ) && LDAP-Group == "ap_llab-staff" ) {
            prefer_kerberos
        }
        elsif ( ( outer.request:Called-Station-Id == "02-6F-83-3A-B5-E8:staff.2.swt.wiai.uni-bamberg.de" || Called-Station-Id == "02-6F-83-3A-B5-E8:staff.2.swt.wiai.uni-bamberg.de" ) && LDAP-Group == "ap_slab-staff" ) {
            prefer_kerberos
        }

        #
        #  OTHERS Logins
        #
        elsif ( outer.request:Called-Station-Id == "02-6F-83-3A-AD-B9:others.1.swt.wiai.uni-bamberg.de" || Called-Station-Id == "02-6F-83-3A-AD-B9:others.1.swt.wiai.uni-bamberg.de" ) {
            prefer_kerberos
        }
        elsif ( outer.request:Called-Station-Id == "02-6F-83-3A-B5-E9:others.2.swt.wiai.uni-bamberg.de" || Called-Station-Id == "02-6F-83-3A-B5-E9:others.2.swt.wiai.uni-bamberg.de" ) {
            prefer_kerberos
        }

        #
        #  Wired 802.1X Logins (OTHERS/STAFF)
        #
        elsif ( ( outer.request:Called-Station-Id == "c0-91-34-c3-44-00" || Called-Station-Id == "c0-91-34-c3-44-00" ) && ( LDAP-Group == "swtswitch01-staff" || LDAP-Group == "swtswitch01-others" ) ) {
            prefer_kerberos
Re: Strip off the domain part from the User-Name

2011-03-25 Thread Nolan King
freeradius 2.1.8:
My environment uses the ntlm_auth and ldap modules. 
In the mschap module, I have a line like: 
 
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-re$

also, in ldap:
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"

no edits to default or inner-tunnel (other than to uncomment the ntlm_auth and 
mschap lines). 

I use this method to auth users connecting to wireless APs with xp, ios, linux, 
and win7 machines. I want users to be forced to enter their password to 
connect, so the clients are configured not to use the domain\username, just 
username and pw. Set up this way, a client sending username in domain\username 
form will be rejected. I am not sure this is right, but it allows me to use 
mschap auth with several different types of clients, and control access with an 
ldap group without worrying about the domain\user nonsense. Of course, I only 
have a single domain, which simplifies things.

Nolan



 On 3/25/2011 at 7:41 AM, in message
201103251541.07053.thomas.wun...@swt-bamberg.de, Thomas Wunder
thomas.wun...@swt-bamberg.de wrote:
 On Friday 25 March 2011 11:15:58 you wrote:
 Use %{mschap:User-Name} everywhere; this will give the bare username 
 That sounds consequent but what exactly do you mean by everywhere?
 I use the policy.conf (as you can see by the debug output from my previous 
 posting) to define some policies that are later on used within the 'authorize 
 {...}' groups of sites-available/default and sites-available/inner-tunnel. I 
 don't utilize rlm_files any more but I use rlm_ldap to retrieve user/group 
 information from my LDAP-server. The only place where I consciously reference 
 any User-Name attribute is the modules/ldap and there I already do as you 
 suggest (see attachment).
 
 Where else do I need to explicitly specify '%{mschap:User-Name}' to have 
 rlm_mschap accept user names that incorporate an NT-domain name (i.e. to have 
 rlm_mschap ignore the domain component of the user name)?
 
 My modules/mschap config file is pretty lucid at present:
 mschap {
 use_mppe = yes
 require_encryption = yes
 require_strong = yes
 with_ntdomain_hack = no
 }
 
 And what about the realms approach? Can I save the trouble?
 (and also correctly translate host/name.domain.com, if you later do 
 machine auth)
 
 Thanks!




Re: radwho shows only the last user logged.

2011-03-25 Thread joao...@gmail.com
OK Alan,

First thanks for listening.

Actually my NAS is sending the same port for all my users, but the port
that it is sending is NAS-Port = 29.

How can I configure it?

Is it the RADIUS server or the NAS?

If it is the RADIUS server, how do I set it up?

Thanks.

2011/3/25 Alan DeKok al...@deployingradius.com

 joao...@gmail.com wrote:
  But when I try to check the server how many users are logged via the
  command radwho, it returns me only the last user who logged in, I think
  he should show everyone who is authenticated at this point right??

   Your NAS is sending NAS-Port = 0 for all of the users.

  Alan DeKok.




-- 
João Paulo de Lima Barbosa
Phone: (45) 9938-8399
Blog: http://joao.us
Twitter: @joaocdc

The mistake of those who hold power is to put up barriers so that no one can
reach them, which only encourages us to seek every way we can find to reach them.

RE: Strip off the domain part from the User-Name

2011-03-25 Thread Robert Roll
We're currently running 2.1.10..

I seemed to notice that the out-of-the-box config does not seem to actually
create a Stripped-Username and Realm. I did find that when I created a real
realm in the proxy.conf file, then a Stripped-Username and Realm were
available. So, I thought that if I really wanted ALL usernames stripped into
their component parts, I would just change the example.com realm in the
proxy.conf file to be DEFAULT? This then seemed to send the request into some
sort of endless loop?

Thanks,

Robert


From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org 
[freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf 
Of Nolan King [nk...@mnwd.com]
Sent: Friday, March 25, 2011 10:35 AM
To: freeradius list
Subject: Re: Strip off the domain part from the User-Name

freeradius 2.1.8:
My environment uses ntlm_auth and ldap modules.
in mschap module, i have a line like:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-re$

also, in ldap:
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"

no edits to default or inner-tunnel (other than to uncomment the ntlm_auth and 
mschap lines).

I use this method to auth users connecting to wireless APs with xp, ios, linux, 
and win7 machines. I want users to be forced to enter their password to 
connect, so the clients are configured not to use the domain\username, just 
username and pw. Set up this way, a client sending username in domain\username 
form will be rejected. I am not sure this is right, but it allows me to use 
mschap auth with several different types of clients, and control access with an 
ldap group without worrying about the domain\user nonsense. Of course, i only 
have a single domain which simplifies things.

Nolan



 On 3/25/2011 at 7:41 AM, in message
201103251541.07053.thomas.wun...@swt-bamberg.de, Thomas Wunder
thomas.wun...@swt-bamberg.de wrote:
 On Friday 25 March 2011 11:15:58 you wrote:
 Use %{mschap:User-Name} everywhere; this will give the bare username
 That sounds consequent but what exactly do you mean by everywhere?
 I use the policy.conf (as you can see by the debug output from my previous
 posting) to define some policies that are later on used within the 'authorize
 {...}' groups of sites-available/default and sites-available/inner-tunnel. I
 don't utilize rlm_files any more but I use rlm_ldap to retrieve user/group
 information from my LDAP-server. The only place where I consciously reference
 any User-Name attribute is the modules/ldap and there I already do as you
 suggest (see attachment).

 Where else do I need to explicitly specify '%{mschap:User-Name}' to have
 rlm_mschap accept user names that incorporate an NT-domain name (i.e. to have
 rlm_mschap ignore the domain component of the user name)?

 My modules/mschap config file is pretty lucid at present:
 mschap {
 use_mppe = yes
 require_encryption = yes
 require_strong = yes
 with_ntdomain_hack = no
 }

 And what about the realms approach? Can I save the trouble?
 (and also correctly translate host/name.domain.com, if you later do
 machine auth)

 Thanks!





Mac Auth and post-auth logging to SQL

2011-03-25 Thread Jason Antman

Hello,

I'm running FreeRADIUS 2.1.7 on CentOS 5, and trying to configure MAC 
Auth Bypass. I got everything functioning correctly using the Mac-Auth 
Wiki page as a guide, including placement of the actual CSID 
authentication code in the post-auth section. However, I just enabled 
SQL in the post-auth section, and everything is getting logged to SQL 
with reply Access-Accept, even if it matched the reject statement.


It seems to me that it's pretty logical that post-auth would be entered 
with Auth-Type == Access-Accept, the SQL log would happen, and *then* 
the reject statement would get executed. What I don't understand is 
why I shouldn't move the actual authentication 
(authorized_macs.authorize) to the auth { } section, or else how I go 
about logging rejected requests.


Any advice or guidance would be greatly appreciated.

Thanks,
Jason Antman
--

Jason Antman
System Administrator
Rutgers University
OIT Central Systems & Services / NetOps

Office: 732-445-6363
Cell: 732-983-7256
jant...@oit.rutgers.edu




Re: Change session on the fly

2011-03-25 Thread Ben Wiechman
http://www.ietf.org/rfc/rfc5176.txt

google is your friend...

On Thu, Mar 24, 2011 at 7:56 AM, Euler Thomas Garcia
euler.gar...@pocos-net.com.br wrote:
 Hi

 sorry, I do not know if this issue was discussed earlier. Wonder if it is 
 possible to change parameters of the session on the fly eg Rate-Limit.

  Thank you for your attention
 Euler Thomas Garcia
 email / msn: euler.gar...@pocos-net.com.br









Re: radwho shows only the last user logged.

2011-03-25 Thread Alan DeKok
joao...@gmail.com wrote:
 Actually my NAS is sending the same port for all my users, but the port
 that it is sending is NAS-Port = 29.

  So your NAS is broken.  I don't know why people do that...

 How can I configure it?
 
 Is it the RADIUS server or the NAS?

  The NAS.  Read the NAS documentation.

  However, it will likely say *nothing* about this subject.  If the NAS
vendor understood RADIUS, they wouldn't have this problem.

 If it is the RADIUS server, how do I set it up?

  Don't use radutmp.  Instead, store the sessions in SQL, and edit the
SQL configuration.

  Alan DeKok.


Re: Strip off the domain part from the User-Name

2011-03-25 Thread Alan DeKok
Robert Roll wrote:
 We're currently running 2.1.10..
 
  I seemed to notice that the Out of the Box Config does not seem to 
 actually create
 a Stripped-Username and Realm.

  It creates those attributes if you define a realm.  If you don't
define a realm, it doesn't know how to create a Realm attribute.

 I did find that when I created a real realm in the proxy.conf
 file, then a Stripped-Username and Realm were available.

  Yes...

 So, I thought that if I really wanted 
 ALL usernames stripped into their component parts, I would just change the 
 example.com realm
 in the proxy.conf file to be DEFAULT ?  This then seemed to send the 
 request into some sort of
 endless loop ?

  Uh.. if you don't read the documentation and don't understand what
you're doing, it probably won't do what you want.

  Rather than randomly making changes, perhaps you could explain what
you're trying to do, and why.

  Alan DeKok.
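As an added example, not code from FreeRADIUS or from anyone in this thread, the Python below models what the suffix and ntdomain instances of rlm_realm do to User-Name, and what the %{mschap:User-Name}, ntlm_auth --username and ldap filter expansions quoted above then see. Assumptions: the realm tables and user names are constructed; the %{mschap:User-Name} handling of host/ names is the example author's reading of rlm_mschap 2.1.x; the filter escaping mirrors the RFC 4515 escaping rlm_ldap applies to expanded values.

```python
from typing import Dict, Optional

Attrs = Dict[str, str]             # one request: attribute name -> value
Realms = Dict[str, Optional[str]]  # realm name -> home server pool, None = local


def rlm_realm(request: Attrs, realms: Realms, fmt: str = "suffix") -> bool:
    """Model of rlm_realm: split User-Name on '@' (format = suffix, the
    'suffix' instance) or on '\\' (format = prefix, the 'ntdomain' instance).

    Stripped-User-Name and Realm are only added when the realm part matches
    a configured realm (case-insensitive) or a DEFAULT realm exists. With no
    realm configured the request is left untouched, which is why an
    out-of-the-box config never shows these attributes.
    Returns True when a realm matched."""
    user = request.get("User-Name", "")
    if fmt == "suffix":
        if "@" not in user:
            return False
        name, realm = user.rsplit("@", 1)
    elif fmt == "prefix":
        if "\\" not in user:
            return False
        realm, name = user.split("\\", 1)
    else:
        raise ValueError("unknown format: " + fmt)

    by_name = {k.lower(): k for k in realms}
    matched = by_name.get(realm.lower()) or by_name.get("default")
    if matched is None:
        return False                       # unknown realm, no DEFAULT
    request["Realm"] = matched             # the *configured* name, e.g. DEFAULT
    request["Stripped-User-Name"] = name   # omitted only with 'nostrip'
    if realms[matched] is not None:        # realm has a home server pool:
        request["Proxy-To-Realm"] = matched  # the request will be proxied
    return True


def mschap_user_name(user: str) -> str:
    """Model of the %{mschap:User-Name} expansion: drop a leading 'DOMAIN\\'
    and turn a machine name 'host/pc1.example.com' into the account 'pc1$'
    (assumption: follows rlm_mschap 2.1.x as read for this example)."""
    if user.startswith("host/"):
        return user[5:].split(".", 1)[0] + "$"
    return user.split("\\", 1)[1] if "\\" in user else user


def ntlm_auth_username(request: Attrs) -> str:
    """Expand %{%{Stripped-User-Name}:-%{User-Name:-None}} from Nolan's
    ntlm_auth line: Stripped-User-Name if set, else User-Name, else 'None'."""
    return (request.get("Stripped-User-Name") or request.get("User-Name")
            or "None")


def ldap_escape(value: str) -> str:
    """RFC 4515 filter escaping, so a User-Name such as 'a)(b' cannot
    rewrite the search filter (rlm_ldap escapes expanded values likewise)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def ldap_filter(request: Attrs) -> str:
    """Expand filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"."""
    name = request.get("Stripped-User-Name") or request["User-Name"]
    return "(&(sAMAccountName=%s))" % ldap_escape(name)


def walk(user_name: str, realms: Realms, fmt: str) -> Dict[str, str]:
    """Run one constructed request through the model and return what each
    expansion from the thread would see."""
    req: Attrs = {"User-Name": user_name}
    rlm_realm(req, realms, fmt)
    return {
        "Stripped-User-Name": req.get("Stripped-User-Name", "<unset>"),
        "Realm": req.get("Realm", "<unset>"),
        "Proxy-To-Realm": req.get("Proxy-To-Realm", "<unset>"),
        "mschap:User-Name": mschap_user_name(user_name),
        "ntlm_auth --username": ntlm_auth_username(req),
        "ldap filter": ldap_filter(req),
    }


if __name__ == "__main__":
    cases = [
        ("CORP\\alice", {}, "prefix"),                    # no realm defined
        ("CORP\\alice", {"CORP": None}, "prefix"),        # local ntdomain realm
        ("bob@Example.com", {"example.com": None}, "suffix"),
        ("carol@other.org", {"DEFAULT": "my_auth_failover"}, "suffix"),
        ("host/pc1.example.com", {}, "suffix"),          # machine auth
        ("a)(b", {}, "suffix"),                           # filter injection attempt
    ]
    for user, realms, fmt in cases:
        print(user, "->", walk(user, realms, fmt))
```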


Re: Mac Auth and post-auth logging to SQL

2011-03-25 Thread Alan DeKok
Jason Antman wrote:
 I'm running FreeRADIUS 2.1.7 on CentOS 5, and trying to configure MAC
 Auth Bypass. I got everything functioning correctly using the Mac-Auth
 Wiki page as a guide, including placement of the actual CSID
 authentication code in the post-auth section. However, I just enabled
 SQL in the post-auth section, and everything is getting logged to SQL
 with reply Access-Accept, even if it matched the reject statement.

  I don't see how that is possible.  Are you sure you know what it's
doing?  Have you run the server in debugging mode?

 It seems to me that it's pretty logical that post-auth would be entered
 with Auth-Type == Access-Accept, the SQL log would happen, and *then*
 the reject statement would get executed

  That makes no sense.  If it's accept, it runs reject ?

. What I don't understand is
 why I shouldn't move the actual authentication
 (authorized_macs.authorize) to the auth { } section, or else how I go
 about logging rejected requests.

  I have no idea what that means.

  Alan DeKok.


Re: Change session on the fly

2011-03-25 Thread euler.garcia
Thanks, I did several searches on this topic but found no solution. I posted
this topic to talk about the solution.

I'm working on this topic. I'll post the solution to develop.


Thank you for your attention
Euler Thomas Garcia
email / msn: euler.gar...@gmail.com



Re: radwho shows only the last user logged.

2011-03-25 Thread joao...@gmail.com
My NAS is a Cisco wireless controller.

Any suggestions for settings?

And I'm also keeping my sessions in SQL.

Regards.

2011/3/25 Alan DeKok al...@deployingradius.com

 joao...@gmail.com wrote:
  Actually my NAS is sending the same port for all my users, but the port
  that it is sending is NAS-Port = 29.

   So your NAS is broken.  I don't know why people do that...

  How can I configure it?
 
  Is it the RADIUS server or the NAS?

   The NAS.  Read the NAS documentation.

  However, it will likely say *nothing* about this subject.  If the NAS
 vendor understood RADIUS, they wouldn't have this problem.

  If it is the RADIUS server, how do I set it up?

   Don't use radutmp.  Instead, store the sessions in SQL, and edit the
 SQL configuration.

  Alan DeKok.




-- 
João Paulo de Lima Barbosa
Phone: (45) 9938-8399
Blog: http://joao.us
Twitter: @joaocdc

The mistake of those who hold power is to put up barriers so that no one can
reach them, which only encourages us to seek every way we can find to reach them.
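As an added example, not FreeRADIUS code, the model below replays constructed accounting packets through a radutmp-style store keyed on (NAS-IP-Address, NAS-Port) and through a radacct-style store keyed on Acct-Session-Id. It shows why a controller that sends NAS-Port = 29 for everyone leaves radwho with a single user, and why a packet with no NAS-Port at all (the ASN case in the Radutmp thread above) is ignored by radutmp; the wrong-ID handling of a Stop is an assumption of the model.

```python
from typing import Dict, List, Tuple

Packet = Dict[str, object]   # one Accounting-Request: attribute -> value


class Radutmp:
    """Model of rlm_radutmp: each record is addressed by the pair
    (NAS-IP-Address, NAS-Port), so two users on the same NAS can only be
    told apart when the NAS sends a distinct NAS-Port for each session."""

    def __init__(self) -> None:
        self.slots: Dict[Tuple[str, int], Packet] = {}
        self.log: List[str] = []

    def accounting(self, pkt: Packet) -> str:
        if "NAS-Port" not in pkt:             # no NAS-Port: nothing to key on
            self.log.append("%s: no NAS-Port in request, record ignored"
                            % pkt["User-Name"])
            return "noop"
        key = (str(pkt["NAS-IP-Address"]), int(pkt["NAS-Port"]))
        status = pkt["Acct-Status-Type"]
        live = self.slots.get(key)
        if status == "Start":
            if live and live["Acct-Session-Id"] != pkt["Acct-Session-Id"]:
                # the NAS reused the port: the previous user's entry is lost
                self.log.append("%s/%d: %s overwrote live entry for %s" % (
                    key[0], key[1], pkt["User-Name"], live["User-Name"]))
            self.slots[key] = dict(pkt)
        elif status == "Stop":
            if live is None or live["Acct-Session-Id"] != pkt["Acct-Session-Id"]:
                # model assumption: a Stop whose session id does not match the
                # slot is logged as a wrong ID and leaves the slot alone
                self.log.append("%s/%d: logout for %s has wrong ID"
                                % (key[0], key[1], pkt["User-Name"]))
            else:
                del self.slots[key]
        return "ok"

    def radwho(self) -> List[str]:
        """What radwho would list: the users in live slots."""
        return sorted(str(p["User-Name"]) for p in self.slots.values())


class SqlSessions:
    """Model of a radacct table: one row per (NAS, Acct-Session-Id), so the
    NAS-Port value never decides whether two sessions collide."""

    def __init__(self) -> None:
        self.rows: Dict[Tuple[str, str], Packet] = {}

    def accounting(self, pkt: Packet) -> str:
        key = (str(pkt["NAS-IP-Address"]), str(pkt["Acct-Session-Id"]))
        status = pkt["Acct-Status-Type"]
        if status == "Start":
            self.rows[key] = dict(pkt, stopped=False)
        elif status == "Stop" and key in self.rows:
            self.rows[key]["stopped"] = True
        return "ok"

    def online(self) -> List[str]:
        return sorted(str(r["User-Name"]) for r in self.rows.values()
                      if not r["stopped"])


def packet(user: str, session: str, status: str, port=None) -> Packet:
    """Constructed accounting packet from a NAS at 10.0.0.1 (sample data)."""
    pkt: Packet = {"User-Name": user, "Acct-Session-Id": session,
                   "Acct-Status-Type": status, "NAS-IP-Address": "10.0.0.1"}
    if port is not None:
        pkt["NAS-Port"] = port
    return pkt


def replay(packets: List[Packet]) -> Tuple[List[str], List[str], List[str]]:
    """Feed the same packets to both stores; return (radwho, sql online, log)."""
    utmp, sql = Radutmp(), SqlSessions()
    for p in packets:
        utmp.accounting(p)
        sql.accounting(p)
    return utmp.radwho(), sql.online(), utmp.log


# constructed: three users on one controller, every packet says NAS-Port = 29
SAME_PORT = [packet("alice", "s1", "Start", 29),
             packet("bob", "s2", "Start", 29),
             packet("carol", "s3", "Start", 29),
             packet("bob", "s2", "Stop", 29)]

# constructed: accounting works but the NAS sends no NAS-Port at all
NO_PORT = [packet("dave", "s4", "Start")]

if __name__ == "__main__":
    for name, pkts in (("same port", SAME_PORT), ("no port", NO_PORT)):
        who, online, log = replay(pkts)
        print(name, "radwho:", who, "sql:", online)
        for line in log:
            print("   ", line)
```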

Re: Mac Auth and post-auth logging to SQL

2011-03-25 Thread Jason Antman
I'm referencing the Mac-Auth wiki page at: 
http://wiki.freeradius.org/Mac-Auth


Alan DeKok wrote:

Jason Antman wrote:
  

I'm running FreeRADIUS 2.1.7 on CentOS 5, and trying to configure MAC
Auth Bypass. I got everything functioning correctly using the Mac-Auth
Wiki page as a guide, including placement of the actual CSID
authentication code in the post-auth section. However, I just enabled
SQL in the post-auth section, and everything is getting logged to SQL
with reply Access-Accept, even if it matched the reject statement.



  I don't see how that is possible.  Are you sure you know what it's
doing?  Have you run the server in debugging mode?
  

Yes, I have, and am.

As per the wiki page... I have in authenticate {}:
### snip ###
Auth-Type CSID {
    if (Chap-Password) {
        update control {
            Cleartext-Password := %{User-Name}
        }
        chap
    }
    else {
        ok
    }
}
### end snip ###

which ALWAYS returns OK. Period.

And in post-auth{}:
### snip ###
if (control:Auth-Type == 'CSID') {
    # Authorization happens here
    authorized_macs.authorize
    if (!ok) {
        reject
    }
}
### end snip ###
If I put a sql line before this, it always logs with Access-Accept, 
since that's what authenticate{} ALWAYS returns, and the sql module is 
being called before . If I put a sql line after this, it never gets 
executed for reject statements...
  

It seems to me that it's pretty logical that post-auth would be entered
with Auth-Type == Access-Accept, the SQL log would happen, and *then*
the reject statement would get executed



  That makes no sense.  If it's accept, it runs reject ?
  

See above.
  

. What I don't understand is
why I shouldn't move the actual authentication
(authorized_macs.authorize) to the auth { } section, or else how I go
about logging rejected requests.



  I have no idea what that means.
  
Why is the authorize statement in the post-auth { } section? That seems 
to be the cause of these problems...

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radwho shows only the last user logged.

2011-03-25 Thread Alan Buxey
Hi,

  Actually my NAS is sending the same port for all my users, but the door
  that she is sending is NAS-Port = 29.
 
   So your NAS is broken.  I don't know why people do that...

Hello Cisco!  :-)

   Don't use radutmp.  Instead, store the sessions in SQL, and edit the
 SQL configuration.

and don't use the NAS-Port as one of the keys... because it's always 29

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
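The following is an added illustration of the point made in this thread (it is not FreeRADIUS or radutmp code): when a NAS reports the same NAS-Port for every session, any session store keyed on (NAS address, NAS-Port) holds one slot for the whole NAS, so each new Start overwrites the previous user and a Stop removes whoever currently occupies the slot. Keying on Acct-Session-Id instead keeps the sessions apart. The accounting records are constructed to mimic the NAS-Port = 29 behaviour described above, and the "port-keyed" store is a simplification of how radutmp identifies sessions, not its real implementation. The `ports_with_reuse` check is the test a practitioner can run over their own accounting data before deciding which keys to trust.

```python
"""Session tracking keyed on NAS-Port versus Acct-Session-Id (added illustration)."""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]
Key = Tuple[object, object]

# Constructed sample accounting packets, not captured from a real NAS.
# Every session arrives with NAS-Port = 29, as in the thread.
ACCOUNTING: List[Packet] = [
    {"Acct-Status-Type": "Start", "User-Name": "alice", "NAS-IP-Address": "10.0.0.1",
     "NAS-Port": 29, "Acct-Session-Id": "0000001A"},
    {"Acct-Status-Type": "Start", "User-Name": "bob", "NAS-IP-Address": "10.0.0.1",
     "NAS-Port": 29, "Acct-Session-Id": "0000001B"},
    {"Acct-Status-Type": "Start", "User-Name": "carol", "NAS-IP-Address": "10.0.0.1",
     "NAS-Port": 29, "Acct-Session-Id": "0000001C"},
    {"Acct-Status-Type": "Stop", "User-Name": "bob", "NAS-IP-Address": "10.0.0.1",
     "NAS-Port": 29, "Acct-Session-Id": "0000001B"},
]


def port_key(pkt: Packet) -> Key:
    """One slot per physical port (simplified radutmp-style key)."""
    return (pkt["NAS-IP-Address"], pkt["NAS-Port"])


def session_key(pkt: Packet) -> Key:
    """One slot per Acct-Session-Id, which the NAS must keep unique per session."""
    return (pkt["NAS-IP-Address"], pkt["Acct-Session-Id"])


def replay(packets: List[Packet], key_fn: Callable[[Packet], Key]) -> Dict[Key, str]:
    """Apply Start/Stop records in order; return the sessions still active."""
    active: Dict[Key, str] = {}
    for pkt in packets:
        key = key_fn(pkt)
        status = pkt["Acct-Status-Type"]
        if status == "Start":
            # A second Start with the same key silently replaces the first user.
            active[key] = str(pkt["User-Name"])
        elif status == "Stop":
            # A Stop with a shared key removes whoever currently holds the slot.
            active.pop(key, None)
    return active


def active_users(packets: List[Packet], key_fn: Callable[[Packet], Key]) -> List[str]:
    """Sorted user names that a radwho-style listing would show."""
    return sorted(replay(packets, key_fn).values())


def ports_with_reuse(packets: List[Packet]) -> List[Key]:
    """Sanity check: (NAS, port) pairs that carried more than one session id.

    A non-empty result means NAS-Port cannot be used as a session key for that NAS.
    """
    seen = defaultdict(set)
    for pkt in packets:
        if pkt["Acct-Status-Type"] == "Start":
            seen[port_key(pkt)].add(pkt["Acct-Session-Id"])
    return sorted(k for k, ids in seen.items() if len(ids) > 1)


if __name__ == "__main__":
    print("after three Starts, port-keyed   :", active_users(ACCOUNTING[:3], port_key))
    print("after three Starts, session-keyed:", active_users(ACCOUNTING[:3], session_key))
    print("after bob's Stop, port-keyed     :", active_users(ACCOUNTING, port_key))
    print("after bob's Stop, session-keyed  :", active_users(ACCOUNTING, session_key))
    print("ports carrying several sessions  :", ports_with_reuse(ACCOUNTING))
```

With the port key, the listing shows only carol after the three logins (the "only the last user" symptom) and nobody at all once bob's Stop arrives, even though alice and carol are still connected; with the session key, both remain listed.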


RE: Strip off the domain part from the User-Name

2011-03-25 Thread Robert Roll
  Uh.. if you don't read the documentation and don't understand what
 you're doing, it probably won't do what you want.

 Sometimes true, sometimes not :)

  Rather than randomly making changes, perhaps you could explain what
 you're trying to do, and why.

 Right now, I'm just experimenting and trying to learn how things work...

 In any case, to give you an idea of one of the things I was thinking about...

   One idea is that we have a number of departments that want to be put into
 a particular VLAN when they log in.  When a user normally logs in, they simply
use their username. This simply puts them in the general user VLAN. However,
if they log in with username@department, and they are authorized, we will return
the particular radius attribute to put them into their specific department VLAN.

 A normal authorize might look like:

    ldapAuthUser

    if ( %Realm ) {
        ldapAuthVLAN
    }

If one is smart about naming the Group in ldap the same as the Realm, 
then one can quite easily construct a search filter in the ldap module to
look at the appropriate group in ldap. That group would actually have the
particular  radiusReplyItem to return the correct VLAN...

  Note that in the above the Realm is quite useful, but there is NO need to
actually do proxy, so really no REAL need to get into the proxy.conf ?

Thanks,

Robert




From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org 
[freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf 
Of Alan DeKok [al...@deployingradius.com]
Sent: Friday, March 25, 2011 1:09 PM
To: FreeRadius users mailing list
Subject: Re: Strip off the domain part from the User-Name

Robert Roll wrote:
 We're currently running 2.1.10..

  I seemed to notice that the Out of the Box Config does not seem to 
 actually create
 a Stripped-Username and Realm.

  It creates those attributes if you define a realm.  If you don't
define a realm, it doesn't know how to create a Realm attribute.

 I did find that when I created a real realm in the proxy.conf
 file, then a Stripped-Username and Realm were available.

  Yes...

 So, I thought that if I really wanted
 ALL usernames stripped into their component parts, I would just change the 
 example.com realm
 in the proxy.conf file to be DEFAULT ?  This then seemed to send the 
 request into some sort of
 endless loop ?

  Uh.. if you don't read the documentation and don't understand what
you're doing, it probably won't do what you want.

  Rather than randomly making changes, perhaps you could explain what
you're trying to do, and why.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Strip off the domain part from the User-Name

2011-03-25 Thread Fajar A. Nugraha
On Sat, Mar 26, 2011 at 4:45 AM, Robert Roll robert.r...@utah.edu wrote:
  A normal authorize might look like:


   ldapAuthUser

  if( %Realm ) {
        ldapAuthVLAN
  }

    If one is smart about naming the Group in ldap the same as the Realm,
 then one can quite easily construct a search filter in the ldap module to
 look at the appropriate group in ldap. That group would actually have the
 particular  radiusReplyItem to return the correct VLAN...

  Note that in the above the Realm is quite useful, but there is NO need to
 actually do proxy, so really no REAL need to get into the proxy.conf ?

If you just want to split username@realm into username and realm, you
should be able to use this in authorize section

if (%{request:User-Name} =~ /^(.*)@/) {
    update request {
        Stripped-User-Name := %{1}
        Realm := %{2}
    }
}

As a side note, even if you only use freeradius locally (without any
external server to proxy to), using proxy can be useful if you have
multiple realms with different configurations. Using proxy you can
split the request into different virtual servers based on their realm.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Strip off the domain part from the User-Name

2011-03-25 Thread Fajar A. Nugraha
On Sat, Mar 26, 2011 at 5:00 AM, Fajar A. Nugraha l...@fajar.net wrote:
 On Sat, Mar 26, 2011 at 4:45 AM, Robert Roll robert.r...@utah.edu wrote:
  A normal authorize might look like:


   ldapAuthUser

  if( %Realm ) {
        ldapAuthVLAN
  }

    If one is smart about naming the Group in ldap the same as the Realm,
 then one can quite easily construct a search filter in the ldap module to
 look at the appropriate group in ldap. That group would actually have the
 particular  radiusReplyItem to return the correct VLAN...

  Note that in the above the Realm is quite useful, but there is NO need to
 actually do proxy, so really no REAL need to get into the proxy.conf ?

 If you just want to split username@realm into username and realm, you
 should be able to use this in authorize section

                if (%{request:User-Name} =~ /^(.*)@/) {

Sorry, that should be

                if (%{request:User-Name} =~ /^(.*)@(.*)/) {


                        update request {
                                Stripped-User-Name := %{1}
                                Realm := %{2}
                        }
                }

 As a side note, even if you only use freeradius locally (without any
 external server to proxy to), using proxy can be useful if you have
 multiple realms with different configurations. Using proxy you can
 split the request into different virtual servers based on their realm.

 --
 Fajar


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
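The two unlang conditions Fajar posted (the first with a single capture group, then the corrected `/^(.*)@(.*)/`) and the realm-to-VLAN idea Robert Roll described earlier in the thread are modelled below as an added Python example; it is not FreeRADIUS code and does not run inside the server. It shows why `%{2}` is empty with the first pattern, how the greedy corrected pattern splits a name containing two `@` signs, a stricter split that rejects such names, and a reply-item mapping for the department VLAN. The realm names, VLAN ids and the choice to reject an unknown realm are constructed assumptions; the thread keeps the real mapping in LDAP groups.

```python
"""Splitting User-Name into Stripped-User-Name and Realm (added illustration)."""
import re
from typing import Dict, Optional, Tuple

# First condition from the thread: one capture group, so %{2} has nothing to expand to.
FIRST_PATTERN = re.compile(r"^(.*)@")
# Corrected condition: two groups, but greedy, so "a@b@c" splits as ("a@b", "c").
CORRECTED_PATTERN = re.compile(r"^(.*)@(.*)")
# Stricter form: exactly one "@", both halves non-empty, matched against the whole name.
STRICT_PATTERN = re.compile(r"([^@]+)@([^@]+)")


def split_with(pattern: re.Pattern, user_name: str) -> Optional[Tuple[str, str]]:
    """Emulate `if (User-Name =~ /.../) { Stripped-User-Name := %{1}; Realm := %{2} }`.

    Returns None when the condition fails (the update block would not run),
    otherwise (%{1}, %{2}); a capture group that does not exist expands to "".
    """
    m = pattern.match(user_name)
    if m is None:
        return None
    groups = m.groups()
    stripped = groups[0] if len(groups) > 0 else ""
    realm = groups[1] if len(groups) > 1 else ""
    return stripped, realm


def strict_split(user_name: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (user, realm); realm is None for a bare user name.

    Returns None for malformed names such as "", "@eng", "bob@" or "a@b@c".
    """
    if "@" not in user_name:
        return (user_name, None) if user_name else None
    m = STRICT_PATTERN.fullmatch(user_name)
    return (m.group(1), m.group(2)) if m else None


# Constructed department realm -> VLAN id mapping (assumption, not the thread's LDAP data).
REALM_VLANS: Dict[str, int] = {"eng": 10, "finance": 20}
GENERAL_VLAN = 1


def vlan_reply(vlan_id: int) -> Dict[str, str]:
    """Reply items that place a port into a VLAN (RFC 3580 tunnel attributes)."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def reply_for(user_name: str) -> Optional[Dict[str, str]]:
    """Bare user -> general VLAN; user@knownrealm -> that department's VLAN.

    Malformed names and unknown realms return None (reject) rather than
    quietly falling through to the general VLAN.
    """
    parts = strict_split(user_name)
    if parts is None:
        return None
    _user, realm = parts
    if realm is None:
        return vlan_reply(GENERAL_VLAN)
    if realm not in REALM_VLANS:
        return None
    return vlan_reply(REALM_VLANS[realm])


if __name__ == "__main__":
    for name in ("bob@eng", "bob", "a@b@c", "@eng"):
        print(f"{name!r:10} first={split_with(FIRST_PATTERN, name)} "
              f"corrected={split_with(CORRECTED_PATTERN, name)} "
              f"strict={strict_split(name)} reply={reply_for(name)}")
```

The greedy behaviour of `^(.*)@(.*)` is the detail worth keeping in mind when the realm is later used to pick an LDAP group or a virtual server: a name like `a@b@c` yields the realm `c` and the stripped name `a@b`, so anything that trusts the realm for authorization decisions should either reject multi-`@` names outright, as `strict_split` does, or validate the realm against a known list, as `reply_for` does.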


RE: Strip off the domain part from the User-Name

2011-03-25 Thread Robert Roll
If you just want to split username@realm into username and realm, you
should be able to use this in authorize section

if (%{request:User-Name} =~ /^(.*)@/) {
    update request {
        Stripped-User-Name := %{1}
        Realm := %{2}
    }
}


 Yes, thanks, and we may end up doing exactly that. However, I just
point out that freeradius OBVIOUSLY already has the capability to do
exactly this, so why re-invent the wheel ?

As a side note, even if you only use freeradius locally (without any
external server to proxy to), using proxy can be useful if you have
multiple realms with different configurations. Using proxy you can
split the request into different virtual servers based on their realm.
--
Fajar

  Yes, I do agree... As I said earlier, some of what I am doing is just to
try and experiment and see what is possible.  I'm actually quite impressed
with Freeradius and right now, we are still a ways from what I would consider
any kind of final configuration...

Thanks,

Robert


From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org 
[freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf 
Of Fajar A. Nugraha [l...@fajar.net]
Sent: Friday, March 25, 2011 4:00 PM
To: FreeRadius users mailing list
Subject: Re: Strip off the domain part from the User-Name

On Sat, Mar 26, 2011 at 4:45 AM, Robert Roll robert.r...@utah.edu wrote:
  A normal authorize might look like:


   ldapAuthUser

  if( %Realm ) {
ldapAuthVLAN
  }

If one is smart about naming the Group in ldap the same as the Realm,
 then one can quite easily construct a search filter in the ldap module to
 look at the appropriate group in ldap. That group would actually have the
 particular  radiusReplyItem to return the correct VLAN...

  Note that in the above the Realm is quite useful, but there is NO need to
 actually do proxy, so really no REAL need to get into the proxy.conf ?

If you just want to split username@realm into username and realm, you
should be able to use this in authorize section

if (%{request:User-Name} =~ /^(.*)@/) {
    update request {
        Stripped-User-Name := %{1}
        Realm := %{2}
    }
}

As a side note, even if you only use freeradius locally (without any
external server to proxy to), using proxy can be useful if you have
multiple realms with different configurations. Using proxy you can
split the request into different virtual servers based on their realm.

--
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html