Using multiple authentication modules.

2011-08-04 Thread Mrinal K
Hello everyone,

I am trying to authenticate users using client certificates, and when that is
verified I intend to use the perl module to check other attributes and
verify them against a database. Until now I have been trying to configure FreeRADIUS to
do EAP-TLS and then execute the perl module (rlm_perl). Both of them work
perfectly fine independently, but I do not know if we can put them together. I
believe I can do something similar (checking the certificate using EAP and then
executing a script) using exec-program-wait, but considering its deprecation
and per-thread overhead I would prefer rlm_perl.

Any help is appreciated.

Regards,

Kumar Mrinal
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

how to conf VLAN assign,mac-auth-bypass, and redirect url?

2011-08-04 Thread freeradius
hi all, can anyone show me how to conf VLAN assign, mac-auth-bypass, and
redirect url? Thank you very much.

Re: Implementing SQL Insert/logging for SoH.

2011-08-04 Thread Arran Cudbard-Bell

On 2 Aug 2011, at 16:09, Palmer J.D.F. wrote:

>>> Didn't think xlat could do inserts and updates?
>>
>> I wrote the patch to add the functionality and it's been in the server
>> code for about the past three years :)
>
> Good stuff. :)
>
> The source of rlm_sql.c still states only ...
> *  sql xlat function. Right now only SELECTs are supported.

Yeah, it's just to scare off the uninitiated. I guess I should really fix it :)

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



RE: Forwarding Accounting Packets

2011-08-04 Thread Tonna, Andrew, VF-MT
Hi Alan,

I installed freeradius 2.1.11 as you suggested and tried to use the
replicate module.

It seems that it is not working for me, maybe I am not configuring it
properly...

In the replicate module I have the following:

replicate {
    update control {
        Replicate-To-Realm := AL_realm
    }
}

And in the accounting section in the 'default' file I have 'replicate'
entered.

Is there something I'm doing wrong?

The proxy.conf file seems fine since, Proxy-To-Realm works just fine.

Thanks and regards,

Andrew

-Original Message-
From: freeradius-users-bounces+andrew.tonna=vodafone@lists.freeradius.org
[mailto:freeradius-users-bounces+andrew.tonna=vodafone.com@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, August 02, 2011 1:53 PM
To: FreeRadius users mailing list
Subject: Re: Forwarding Accounting Packets

Tonna, Andrew, VF-MT wrote:
> I am trying to set up the radius server so that it forwards all
> accounting packets to a remote radius server without having to wait for
> a reply.

  Use version 2.1.11 (or git v2.1.x branch), and see
src/modules/replicate

  Alan DeKok.


Re: Using multiple authentication modules.

2011-08-04 Thread Alexander Clouter
Mrinal K sinha.mri...@gmail.com wrote:
 
> I am trying to authenticate users using client certificates, and when
> that is verified I intend to use the perl module to check other
> attributes and verify them against a database. Until now I have been trying to
> configure FreeRADIUS to do EAP-TLS and then execute the perl
> module (rlm_perl). Both of them work perfectly fine independently, but I
> do not know if we can put them together. I believe I can do something
> similar (checking the certificate using EAP and then executing a script)
> using exec-program-wait, but considering its deprecation and per-thread
> overhead I would prefer rlm_perl.

Without including your FreeRADIUS configuration there is very little
anyone here can do to help you, other than ask: have you just tried using
both modules?

authorize {
  ...

  eap

  perl

  ...
}

authenticate {
  eap
  perl
}


Cheers

-- 
Alexander Clouter
.sigmonster says: Yow!  Is my fallout shelter termite proof?



Re: Forwarding Accounting Packets

2011-08-04 Thread Arran Cudbard-Bell
Um... why are you... never mind.

OK, so you need to set the realm you want to replicate to, then call 'replicate'.

Something like:

preacct {
    update control {
        Replicate-To-Realm := 'AL_realm'
    }
}

accounting {
    replicate
}


I've tested this very recently on 3.x (master) and it works fine.

-Arran




Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: how to conf VLAN assign,mac-auth-bypass, and redirect url?

2011-08-04 Thread Arran Cudbard-Bell

> can anyone show me how to conf VLAN assign, mac-auth-bypass, and
> redirect url?

For VLAN assignment see http://www.rfc-editor.org/rfc/rfc3580.txt, the other 
features you mentioned are specific to your NAS model and vendor, so I suggest 
you contact their support centre or read through the manuals included with your 
NAS.

If you want information on inserting or modifying attributes, see `man unlang`.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


Re: Change my submission

2011-08-04 Thread Alan Buxey
Hi,
> I would like to receive individual emails from this list, but how?

as already said - http://lists.freeradius.org/mailman/listinfo/freeradius-users

(if you follow the link that's at the bottom of the list sig or look at
the mailing list headers you'll get the same info)

right at the bottom, you will see a bit that says

"To unsubscribe from Freeradius-Users, get a password reminder, or change your
subscription options enter your subscription email address:"

..do that.

alan


Re: Forwarding Accounting Packets

2011-08-04 Thread Fajar A. Nugraha
On Thu, Aug 4, 2011 at 5:18 PM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:
> Um... why are you... never mind.
>
> OK, so you need to set the realm you want to replicate to, then call
> 'replicate'.
>
> Something like:
>
> preacct {
>         update control {
>                 Replicate-To-Realm := 'AL_realm'
>         }
> }
>
> accounting {
>         replicate
> }

... and in case it's not obvious already, do NOT edit
raddb/modules/replicate. The changes should be in
raddb/sites-available/default (or whatever file your virtual server is
on).

Also, since 2.1.11 is known to have some bugs, better upgrade to
latest v2.1.x snapshot from git.

-- 
Fajar



Re: Forwarding Accounting Packets

2011-08-04 Thread Alan DeKok
Tonna, Andrew, VF-MT wrote:
> I installed freeradius 2.1.11 as you suggested and tried to use the
> replicate module.
>
> It seems that it is not working for me,

  See the FAQ for "it doesn't work".

  Really.  Posting the debug output is *infinitely* more useful than
saying "it doesn't work".

  Alan DeKok.


RE: Forwarding Accounting Packets

2011-08-04 Thread Tonna, Andrew, VF-MT
Thanks Fajar, it's working fine now.

Andrew



num_answers_to_alive

2011-08-04 Thread Stefan Winter
Hi,

the configuration of 2.1.10 has the parameter num_answers_to_alive in
proxy.conf. Looking at the source code, I found that instead, in
realms.c, the config option num_pings_to_alive is used. num_answers is
read from the config, but never referenced.

If that's the case, then the config option in proxy.conf should be
changed to be num_pings_to_alive, otherwise people will likely fail to
tweak the value.

Speaking of tweaking the value, I also found

   if (home->num_pings_to_alive < 3) home->num_pings_to_alive = 3;
   if (home->num_pings_to_alive > 10) home->num_pings_to_alive = 10;


The documentation says that 3..10 are *useful* ranges, but doesn't
mention that everything else is forbidden. In particular, I would like
to use 1, not 3. The idea is: the server was dead before, but now it
managed to send a reply back - so it must have been fixed. I would like
to mark it alive immediately. Is that unreasonable?

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





Accept a number of MAC address per login

2011-08-04 Thread ShR3K
Hello,
I would like to authorize a user to connect to the freeradius server with a
maximum of 3 PCs. I added a counter, an attribute for the check-name and a
line in the radcheck table, but for my counter I'd like a query like this:
select (COUNT(distinct CallingStationId)) FROM radcheck WHERE
UserName='user_login' AND CallingStationId !='MAC_client'

But there is, I think, only one key and I need two.
How can I do it?

Thanks for your help!



Re: num_answers_to_alive

2011-08-04 Thread Alexander Clouter
Stefan Winter stefan.win...@restena.lu wrote:
>
> The documentation says that 3..10 are *useful* ranges, but doesn't
> mention that everything else is forbidden. In particular, I would like
> to use 1, not 3. The idea is: the server was dead before, but now it
> managed to send a reply back - so it must have been fixed. I would like
> to mark it alive immediately. Is that unreasonable?

Similar to 'link flapping' (think OSPF/BGP), you should use heuristics,
as things are not just black and white.  If a service simply had two
states, "up" and "down", then that probably would be okay, but we also
have 'unstable'.  Imagine this state coming from:
 * overloaded RADIUS server (or backend DB)
 * link congestion between RADIUS servers

Having a value of three says not just "alive" but "alive and has
been for a while"; this could be further interpreted that the service is
stable as well as alive.  If the system briefly came back and died then
on attempt two or three you would have likely seen a failure.

Hope I am explaining myself well :)

Cheers

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #256:
  You need to install an RTFM interface.
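As an added illustration of the heuristic described in this thread (example code, not FreeRADIUS source), the following Python model runs a constructed flapping reply trace through a home server that starts out dead, once with num_answers_to_alive forced to 1 as Stefan asks for and once with the documented 3. The 3..10 clamp is the pair of realms.c lines quoted above; the alive-to-dead step is simplified to one unanswered request, where the real server uses its response_window and zombie_period timers.

```python
"""Model of the dead -> alive promotion discussed in the num_answers_to_alive
thread.  Added example, not FreeRADIUS code: it keeps only the rule the
thread describes (a home server marked dead is probed with Status-Server and
is marked alive again only after num_answers_to_alive consecutive replies,
a missed reply resetting the count) plus the 3..10 clamp quoted from
realms.c.  The alive -> dead step is simplified to a single unanswered
request."""

from dataclasses import dataclass, field
from typing import List, Tuple

ALIVE, DEAD = "alive", "dead"


def clamp_num_answers(value: int) -> int:
    """The two lines quoted from realms.c: below 3 becomes 3, above 10 becomes 10."""
    if value < 3:
        value = 3
    if value > 10:
        value = 10
    return value


@dataclass
class HomeServer:
    num_answers_to_alive: int
    state: str = DEAD
    consecutive_answers: int = 0
    # (tick, old_state, new_state) for every state change
    transitions: List[Tuple[int, str, str]] = field(default_factory=list)

    def observe(self, tick: int, answered: bool) -> str:
        """Feed one tick: answered=True means the request or Status-Server
        probe got a reply, False means it timed out."""
        if self.state == ALIVE:
            if not answered:
                self._move(tick, DEAD)
            return self.state
        # DEAD: count consecutive probe replies; any miss resets the count.
        if answered:
            self.consecutive_answers += 1
            if self.consecutive_answers >= self.num_answers_to_alive:
                self._move(tick, ALIVE)
        else:
            self.consecutive_answers = 0
        return self.state

    def _move(self, tick: int, new_state: str) -> None:
        self.transitions.append((tick, self.state, new_state))
        self.state = new_state
        self.consecutive_answers = 0


def simulate(trace: List[bool], num_answers_to_alive: int, honour_clamp: bool = True):
    """Run one reply trace through a home server that starts out dead.
    Returns (final_state, number_of_alive_to_dead_flaps, transitions)."""
    n = clamp_num_answers(num_answers_to_alive) if honour_clamp else num_answers_to_alive
    hs = HomeServer(num_answers_to_alive=n)
    for tick, answered in enumerate(trace):
        hs.observe(tick, answered)
    flaps = sum(1 for _, old, new in hs.transitions if old == ALIVE and new == DEAD)
    return hs.state, flaps, hs.transitions


# Constructed trace: an overloaded backend answers roughly every other probe
# for a while (the 'unstable' state), then recovers and answers consistently.
FLAPPING_TRACE = [True, False, True, False, True, False, True, True, True, True, True]


if __name__ == "__main__":
    for n, honour in ((1, False), (3, True)):
        state, flaps, trans = simulate(FLAPPING_TRACE, n, honour_clamp=honour)
        print(f"num_answers_to_alive={n}: final={state}, flaps={flaps}, transitions={trans}")
```

With the value forced to 1 the server is marked alive on every stray reply and flaps back to dead three times; with 3 it stays dead through the unstable phase and is marked alive once, on the third consecutive reply.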



RE: num_answers_to_alive

2011-08-04 Thread Gary Gatten
Yup.  Typically once something fails I consider it questionable / unstable
until it proves itself to me again.  The routing / circuit analogy is a perfect
example.

Many HA things allow the user to configure preemption or not - such that once
the primary node fails and the secondary takes over, when the primary is
believed to be healthy again, does it automatically become the primary again
- OR - must the admin manually make it the primary again?  Personally,
preemption is disabled in all my HA routers, firewalls, etc.  Once something
fails I want to review / analyze the failure and validate it's stable before I
trust it again and start running traffic through it!

G




Help: Is there a way to make radius let all clients authenticate?

2011-08-04 Thread Rodrigo Yoshioka
Hi Friends,

I'd like some help with the following situation:

I have an infrastructure with about 2.000 clients authenticating on a radius
server, which is fed by a third-party CRM. Although the radius is working to
authenticate people, it isn't having the expected performance. Due to that we
will change hardware and software, but we have to do this in a production
environment. In order to avoid trouble and a lot of clients not
authenticating during the process of changes, is there a way to make radius
allow all clients to authenticate with a default bandwidth and configuration, but
not checking MAC or username and password?

Thanks

Virtual Servers, the Realms Module, and Proxying

2011-08-04 Thread Jacob Dawson
Our goal here is to use a variety of virtual servers in our FreeRADIUS instance 
to allow us to isolate handling of a variety of different sorts of users.  As 
such, there's a fair bit of proxying going on, but much is just going to the 
virtual servers, and we'd like to be able to use the behavior of the realms 
module to make this work for us.

Unfortunately, I haven't seen any way to get some of those attributes that the 
Realm module inserts to continue through after being proxied, as they're 
'internal' attributes and not wire attributes.  I'd like for the 
Stripped-User-Name and Realm attributes to be available to the far side of the 
proxy (so I send it from the default virtual server to, say, the generic_realm 
virtual server), so that it can make decisions based on that information.  I 
obviously can't use the realms module for parsing again in the first layer of 
virtual server, as I'll just end up creating a loopback on itself, but at the 
same time, I'd like to avoid having to do all that parsing and thinking in 
unlang.  Since there seems to be some special config for virtual servers, is 
there any way to achieve this behavior (not stripping the 'internal' attributes 
when proxying to virtual servers) without a patch?  It seems to be consistent 
with the idea behind virtual servers, but I may be misinterpreting it.

Thoughts?  I feel like we're trying a little too hard to get what we want, 
here, but I'm not seeing how to do it the 'right' way.

Jacob M. Dawson
Network Research Engineer
Virginia Tech

---

For context:
I have an arbitrary number of FreeRADIUS servers providing my AAA service.  I 
have an arbitrary number of NASs all talking to the FreeRADIUS servers, and 
they all provide the same suite of services to all possible users, so I can't 
do this proxying based on what client it comes in on (like this page suggests: 
http://freeradius.org/features/virtual_servers.html).

My realm module is short and sweet: 
realm suffix {
    format = suffix
    delimiter = @
    ignore_null = yes
}
realm prefix {
    format = prefix
    delimiter = \\
}

I have the following virtual servers linked in sites-enabled:
ad.vt.edu 
default 
ed.vt.edu
generic-realm
proxy-inner-tunnel

ad.vt.edu is to handle our Domain users
ed.vt.edu is to handle folks authenticating against our Enterprise Directory
default is, of course, where they come in to start with
generic-realm is intended to handle people who come in with SOME non-vt realm.  
Could be guests (authenticated against our AAA-related database, access via the 
sql module), could be eduroam folks.
proxy-inner-tunnel is used largely by the ad.vt.edu module to handle proxying 
the MS-CHAPv2 part of PEAP to our IAS machines.


default is simple:
authorize {
    update request {
        User-Name := "%{tolower:%{User-Name}}"
    }
    preprocess
    auth_log
    chap
    mschap
    perl
    suffix
    prefix
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    ldap
    eap
}
other stanzas don't seem relevant

In proxy, we defined these home_servers:
home_server ed.vt.edu {
    type = auth
    ipaddr = 127.0.0.1
    port = 1816
    secret = redacted
}
home_server ad.vt.edu {
    type = auth
    ipaddr = 127.0.0.1
    port = 1815
    secret = redacted
}
home_server generic_realm {
    type = auth
    ipaddr = 127.0.0.1
    port = 1817
    secret = redacted
}
home_server_pool ad_virtual_pool {
    home_server = ad.vt.edu
}
home_server_pool ed_virtual_pool {
    home_server = ed.vt.edu
}
home_server_pool generic_virtual_pool {
    home_server = generic_realm
}

realm ~HOKIES {
    auth_pool = ad_virtual_pool
    nostrip
}
realm DomainUser {
    auth_pool = HOKIES_authen
    nostrip
}
realm ~.*w2k\\.vt\\.edu$ {
    auth_pool = ad_virtual_pool
    nostrip
}
realm ~vt.edu$ {
    auth_pool = ed_virtual_pool
}
realm LOCAL {
}
realm NULL {
    auth_pool = ed_virtual_pool
}
realm DEFAULT {
    auth_pool = generic_virtual_pool
}

Our virtual servers then start off like this, and then include the usual 
appropriate stanzas:
listen {
    ipaddr = 127.0.0.1
    port = 1815
    type = auth
}
client 127.0.0.1 {
    secret = redacted
}
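The following Python model, added here and not part of the post or of FreeRADIUS, resolves constructed sample User-Names through the 'suffix' and 'prefix' instances and the proxy.conf realm table posted above, following rlm_realm's documented behaviour (suffix splits at the last delimiter, prefix at the first; exact realm names before regex realms in definition order; no delimiter goes to realm NULL unless ignore_null; no match goes to DEFAULT; nostrip adds no Stripped-User-Name). Case-insensitive matching, regex realms being searched rather than anchored, and the config's doubled backslashes reading as single escapes are assumptions.

```python
"""Model of how the posted realm configuration resolves a User-Name.
Added example, not FreeRADIUS code; see the assumptions in the comments."""

import re
from typing import Dict, List, Optional, Tuple

# The realm table from the posted proxy.conf, in definition order:
# (name as written, auth_pool, nostrip).  The doubled backslashes of the
# config file are assumed to read as single escapes, hence the raw string.
REALMS: List[Tuple[str, Optional[str], bool]] = [
    ("~HOKIES", "ad_virtual_pool", True),
    ("DomainUser", "HOKIES_authen", True),
    (r"~.*w2k\.vt\.edu$", "ad_virtual_pool", True),
    ("~vt.edu$", "ed_virtual_pool", False),  # note: the '.' is unescaped
    ("LOCAL", None, False),  # no auth_pool: handled by this server
    ("NULL", "ed_virtual_pool", False),
    ("DEFAULT", "generic_virtual_pool", False),
]

# The two rlm_realm instances from the posted modules config, in the order
# the posted authorize section calls them: (format, delimiter, ignore_null).
REALM_INSTANCES = (("suffix", "@", True), ("prefix", "\\", False))


def realm_find(realmname: str) -> Optional[Tuple[str, Optional[str], bool]]:
    """Look a realm name up the way proxy.conf realms are consulted:
    exact names first, then regex realms in definition order, then DEFAULT.
    Case-insensitive matching and unanchored regex search are assumptions."""
    exact = [r for r in REALMS if not r[0].startswith("~")]
    regex = [r for r in REALMS if r[0].startswith("~")]
    for entry in exact:
        if entry[0].lower() == realmname.lower():
            return entry
    for entry in regex:
        if re.search(entry[0][1:], realmname, re.IGNORECASE):
            return entry
    for entry in exact:
        if entry[0] == "DEFAULT":
            return entry
    return None


def rlm_realm(user_name: str, fmt: str, delimiter: str,
              ignore_null: bool) -> Optional[Dict[str, Optional[str]]]:
    """One rlm_realm instance.  Returns the attributes it would add, or
    None when it is a no-op (no delimiter with ignore_null, or no realm)."""
    if fmt == "suffix":
        idx = user_name.rfind(delimiter)  # suffix: split at the LAST delimiter
        username = user_name[:idx] if idx >= 0 else user_name
        realmname = user_name[idx + 1:] if idx >= 0 else None
    else:
        idx = user_name.find(delimiter)  # prefix: split at the FIRST delimiter
        realmname = user_name[:idx] if idx >= 0 else None
        username = user_name[idx + 1:] if idx >= 0 else user_name
    if realmname is None:
        if ignore_null:
            return None
        realmname = "NULL"  # no delimiter: consult the NULL realm
    found = realm_find(realmname)
    if found is None:
        return None
    name, pool, nostrip = found
    attrs: Dict[str, Optional[str]] = {"Realm": realmname, "matched": name, "auth_pool": pool}
    if not nostrip:
        attrs["Stripped-User-Name"] = username  # nostrip realms add none
    return attrs


def authorize(user_name: str) -> Optional[Dict[str, Optional[str]]]:
    """'suffix' then 'prefix', as in the posted authorize section: the first
    instance that finds a realm wins and the later one is a no-op."""
    for fmt, delimiter, ignore_null in REALM_INSTANCES:
        attrs = rlm_realm(user_name, fmt, delimiter, ignore_null)
        if attrs is not None:
            return attrs
    return None


if __name__ == "__main__":
    # Constructed sample names covering each branch of the realm table.
    for name in ("jdoe@vt.edu", "HOKIES\\jdoe", "jdoe", "svc@host.w2k.vt.edu",
                 "guest@eduroam.example.org", "jdoe@LOCAL", "jdoe@vtXedu"):
        print(f"{name!r:30} -> {authorize(name)}")
```

The last sample shows why the unescaped dot in `~vt.edu$` matters for routing: `jdoe@vtXedu` is sent to ed_virtual_pool as well.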






Re: Help: Is there a way to make radius let all clients authenticate?

2011-08-04 Thread Fajar A. Nugraha
On Fri, Aug 5, 2011 at 2:03 AM, Rodrigo Yoshioka
ro_yoshioka2...@yahoo.com.br wrote:
> is there a way to make radius
> allow all clients to authenticate with a default bandwidth and configuration,
> but not checking MAC or username and password?

Sort of. See 
http://wiki.freeradius.org/FAQ#How+do+I+permit+access+to+any+user+regardless+of+password%3F
You can add reply attributes that you need on that file as well, see
man 5 users for the format.

-- 
Fajar


Re: Virtual Servers, the Realms Module, and Proxying

2011-08-04 Thread Fajar A. Nugraha
On Fri, Aug 5, 2011 at 2:39 AM, Jacob Dawson daw...@vt.edu wrote:
> I obviously can't use the realms module for parsing again in the first layer
> of virtual server, as I'll just end up creating a loopback on itself, but at
> the same time, I'd like to avoid having to do all that parsing and thinking
> in unlang.  Since there seems to be some special config for virtual servers,
> is there any way to achieve this behavior (not stripping the 'internal'
> attributes when proxying to virtual servers) without a patch?  It seems to be
> consistent with the idea behind virtual servers, but I may be misinterpreting
> it.
>
> Thoughts?  I feel like we're trying a little too hard to get what we want,
> here, but I'm not seeing how to do it the 'right' way.

Try raddb/modules/attr_filter

-- 
Fajar



Re: Virtual Servers, the Realms Module, and Proxying

2011-08-04 Thread Arran Cudbard-Bell
The whole realms/ suffix/ prefix methodology has been obsoleted by Unlang.

If you load up policy.conf in the master branch (use GitHub) there's an example 
of proxying using unlang. Just re-parse the User-Name string each time a 
request comes into one of the Virtual Servers.

Incidentally, been down that route many years ago. I think you're maybe the 
second or third person on the list who's asked about this. Yes it's a brilliant 
way to organise the server. No it won't work out like you want it to.

FreeRADIUS does not have unlimited internal proxy hops. So if you have an outer
listen server, which proxies to another outer server, which un-encapsulates EAP
and proxies to an inner server, which proxies to another inner server,
somewhere in that line of proxying you'll hit a random error and the request
will fail.

I keep poking Alan to fix it, but he says it's hard.

-Arran



Re: Virtual Servers, the Realms Module, and Proxying

2011-08-04 Thread Jacob Dawson
Well, we can certainly finagle that in Unlang, with a little thinking.  I 
played with that earlier in this project.  Happy to leave module/realm if 
that's the best route, and that means I can probably pull all of that out of 
proxy.conf, too.

I don't think we'll run into the internal proxy chain problem, since we're 
sending the inner tunnel off to IAS.  I'll keep this in mind if it seems to be 
randomly breaking, though. 

Thanks for the prompt response.
- Jacob

On 4 Aug 2011, at 15:54, Arran Cudbard-Bell wrote:

 The whole realms/ suffix/ prefix methodology has been obsoleted by Unlang.
 
 If you load up policy.conf in the master branch (use GitHub) there's an 
 example of proxying using unlang. Just re-parse the User-Name string each 
 time a request comes into one of the Virtual Servers.
 
 Incidentally, been down that route many years ago. I think you're maybe the 
 second or third person on the list who's asked about this. Yes it's a 
 brilliant way to organise the server. No it won't work out like you want it 
 to.
 
 FreeRADIUS does not have unlimited internal proxy hops. So if you have an 
 outer listen server, which proxies to another outer server, with 
 un-encapsulates EAP and proxies to an inner server, which proxies to another 
 inner server, somewhere in that line of proxying you'll hit a random error 
 and the request will fail.
 
 I keep poking Alan to fix it, but he says it's hard.
 
 -Arran
 
 Arran Cudbard-Bell
 a.cudba...@freeradius.org
 
 RADIUS - Half the complexity of Diameter
 
 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: num_answers_to_alive

2011-08-04 Thread Alan DeKok
Stefan Winter wrote:
 the configuration of 2.1.10 has the parameter num_answers_to_alive in
 proxy.conf. Looking at the source code, I found that instead, in
 realms.c, the config option num_pings_to_alive is used. num_answers is
 read from the config, but never referenced.

  No.  Both reference the same entry in the home server structure.  The
proxy.conf file is correct, and it works.

 If that's the case, then the config option in proxy.conf should be
 changed to be num_pings_to_alive, otherwise people will likely fail to
 tweak the value.

  But they're not pings.  The name ping existed for a short time in
2.0, and was quickly removed.  It's still there for backwards
compatibility, and will be removed in 3.0.

 Speaking of tweaking the value, I also found
 
if (home->num_pings_to_alive < 3) home->num_pings_to_alive = 3;
if (home->num_pings_to_alive > 10) home->num_pings_to_alive = 10;
 
 
 The documentation says that 3..10 are *useful* ranges, but doesn't
 mention that everything else is forbidden. In particular, I would like
 to use 1, not 3. The idea is: the server was dead before, but now it
 managed to send a reply back - so it must have been fixed. I would like
 to mark it alive immediately. Is that unreasonable?

  If you want... but it's really not a good idea.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
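The dead-to-alive transition the thread argues about, as an added model (not FreeRADIUS source) that applies the 3..10 clamp from the quoted realms.c lines and counts replies until a dead home server is revived; the field names follow the quoted source, the state names and the simulation helper are assumed here.

```python
# Added example, not FreeRADIUS code: models how a proxied home server is
# marked dead and then revived once enough status-check replies arrive.
# num_pings_to_alive / num_received_pings follow the quoted realms.c;
# the ALIVE/DEAD state names are assumed for this model.

ALIVE, DEAD = "alive", "dead"


def clamp_answers_to_alive(configured: int) -> int:
    """Same clamp as the quoted realms.c: anything outside 3..10 is pulled in."""
    if configured < 3:
        configured = 3
    if configured > 10:
        configured = 10
    return configured


class HomeServer:
    def __init__(self, name: str, num_answers_to_alive: int):
        self.name = name
        # proxy.conf's num_answers_to_alive ends up in this field (see thread)
        self.num_pings_to_alive = clamp_answers_to_alive(num_answers_to_alive)
        self.num_received_pings = 0
        self.state = ALIVE

    def mark_dead(self) -> None:
        self.state = DEAD
        self.num_received_pings = 0

    def ping_received(self) -> bool:
        """Count one status-check reply; True only when it revives the server."""
        if self.state != DEAD:
            return False
        self.num_received_pings += 1
        if self.num_received_pings < self.num_pings_to_alive:
            return False
        self.state = ALIVE
        return True


def replies_needed_to_revive(configured: int, max_replies: int = 20) -> int:
    """Feed a dead server replies and report how many it took (0 = never)."""
    home = HomeServer("home_server_example", configured)  # placeholder name
    home.mark_dead()
    for n in range(1, max_replies + 1):
        if home.ping_received():
            return n
    return 0


if __name__ == "__main__":
    # configured 1 is silently treated as 3, so three replies are needed
    print(replies_needed_to_revive(1))   # 3
```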


Fwd: Authentication failure issue

2011-08-04 Thread fieldpeak
Hello Friends,

I met an issue regarding password/authentication with FreeRADIUS. Could
anybody help with the issue? Thanks!

User-Password = ?\210\365@\263\t\306\343\243iT?\311C\t\002

[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user

The details in below mails.

Regards,
Charles

Forwarded conversation
Subject: Authentication failure issue


From: *fieldpeak* fieldp...@gmail.com
Date: 2011/8/4
To: freeradius-users@lists.freeradius.org


Dear Friends,

I'm trying to integrate Freeswitch with Freeradius and I met the issue below; can
anyone help? Thanks in advance.

Freeradius server log:

rad_recv: Access-Request packet from host 127.0.0.1 port 52684, id=49,
length=111
User-Name = 1001
User-Password = ?\210\365@\263\t\306\343\243iT?\311C\t\002
Called-Station-Id = 888
h323-conf-id = 749d2b5a-16ad-48e4-af58-24011949d1b5
Calling-Station-Id = 1001
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20110803
[auth_log]
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20110803
[auth_log]  expand: %t - Wed Aug  3 12:06:33 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 1001, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} - 1001
[sql] sql_set_user escaped user -- '1001'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
- SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '1001'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT
groupname   FROM radusergroup   WHERE username =
'1001'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User 1001 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
  WARNING: Unprintable characters in the password.Double-check the
shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - 1001
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 49 to 127.0.0.1 port 52684
Waking up in 4.9 seconds.
Cleaning up request 8 ID 49 with timestamp +7674
Ready to process requests.
WARNING! No known good password found for the user

Regards,
Charles

--
From: *fieldpeak* fieldp...@gmail.com
Date: 2011/8/4
To: freeradius-users@lists.freeradius.org


Hello Gurus,

I've double checked that the shared secret on both server and NAS is the same,
but the problem still exists; it has troubled me for a few days. Can anyone kindly help?

nas:
/usr/local/etc/radiusclient/servers
localhost/localhost    testing123

server:
/usr/local/etc/raddb/clients.conf
secret= testing123
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
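Why a secret mismatch shows up as "Unprintable characters in the password": the RFC 2865 User-Password hiding, as an added example that is not FreeRADIUS or Freeswitch code; the secret is the one from the thread, while the Request Authenticator and the password are constructed sample values.

```python
import hashlib

# Added example, not FreeRADIUS code: RFC 2865 section 5.2 User-Password
# hiding as applied by the NAS and undone by the server, to show why a
# wrong shared secret yields an unprintable "password" on the server side.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the inverse chain; trailing NUL padding is stripped."""
    if not encoded or len(encoded) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def looks_printable(password: bytes) -> bool:
    """The idea behind the server's warning: a wrong secret leaves control/high bytes."""
    return all(0x20 <= b < 0x7F for b in password)


def diagnose(encoded: bytes, secret: bytes, authenticator: bytes) -> str:
    """Return 'ok' or 'secret-mismatch?' for a received hidden User-Password."""
    plain = decode_user_password(encoded, secret, authenticator)
    return "ok" if looks_printable(plain) else "secret-mismatch?"


# Constructed sample values; the thread's real packet bytes are not reproduced.
SECRET = b"testing123"            # the secret the poster set on server and NAS
AUTHENTICATOR = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
HIDDEN = encode_user_password(b"s3cret-pw", SECRET, AUTHENTICATOR)

if __name__ == "__main__":
    print(diagnose(HIDDEN, SECRET, AUTHENTICATOR))         # ok
    print(diagnose(HIDDEN, b"testing124", AUTHENTICATOR))  # secret-mismatch?
```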