Re: Using virtual servers to authenticate with different ports and Users

2012-05-04 Thread Fajar A. Nugraha
On Fri, May 4, 2012 at 11:05 AM, Alan Kong ako...@ee.cuhk.edu.hk wrote:
 Hi,

 Thank you for the suggestions.
 I have upgraded to version 2.1.12 on CentOS 5.

 I am testing with sites-enabled/inner-tunnel virtual server setting, how
 do I read the second_files in the module files. I have included both
 files and second_files in the authorize section in inner-tunnel. And
 both lists of users worked.  I want to read a different list of users for the
 inner-tunnel virtual server.

How did you create second_files? Use the same method.

Basically I think you should create another instance of files module.
See http://wiki.freeradius.org/Rlm_sql#Instances for example (it's for
sql, but you should get the idea from there).

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeraduis LDAP error

2012-05-04 Thread Fajar A. Nugraha
On Fri, May 4, 2012 at 12:33 PM, dhanushka ranasinghe
parakrama1...@gmail.com wrote:
 Hi..

 Seems like radius is caching the session, that's why it got connected. As
 I mentioned, my LDAP uses SHA as the password encryption method. Is there any
 way to sort this issue, and what configuration needs to be used in order to
 fix this?

Remove the configuration lines that break the server?

-- 
Fajar


Volume Limit per user monthly

2012-05-04 Thread yagizozen
Hello Guys,

I am crazy about this FreeRADIUS and thank all of the developers who work
on the FreeRADIUS application. It is great that you are doing such an open
source application for everyone who needs it.

I am reading everything that I can find about anything related to FR, and I
have a question :) First let me say that if the answer to the question
I am going to ask is located in some doc or another place in the
documentation, just link the doc name and I will read it, so that I do
not consume your time.

First of all, the GGSN (NAS) that FR is communicating with is a Huawei system. I
managed to succeed in limiting a user's usage per day (with respect to session
time) with the use of the Session-Timeout AVP in the
Access-Accept packet sent to my Huawei GGSN; the GGSN understands that and tries
to reauthenticate after that value. But what I want is to limit
the volume of usage of a user in a month with the use of the
Acct-Input-Octets and Acct-Output-Octets AVPs, and I am having trouble
implementing this. I guess I need to generate a counter, and this counter
should count the Input and Output Octets located in the accounting section
and check if it is over the limit that I defined in the users file.

Thank you in advance.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Volume-Limit-per-user-monthly-tp5684921.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: freeraduis LDAP error

2012-05-04 Thread dhanushka ranasinghe
Hi..

When I removed the Auth-Type := PAP line, radius is not checking the
password; even when a wrong password is used the user gets
authenticated.


Thank You
Dhanushka

On 4 May 2012 11:31, Fajar A. Nugraha l...@fajar.net wrote:
 On Fri, May 4, 2012 at 12:33 PM, dhanushka ranasinghe
 parakrama1...@gmail.com wrote:
 Hi..

 Seems like radius is caching the session, that's why it got connected. As
 I mentioned, my LDAP uses SHA as the password encryption method. Is there any
 way to sort this issue, and what configuration needs to be used in order to
 fix this?

 Remove the configuration lines that break the server?

 --
 Fajar


Re: Using virtual servers to authenticate with different ports and Users

2012-05-04 Thread Alan Kong

HI,
Thank you very much.
It works now.

Regards
Alan

On 5/4/2012 1:56 PM, Fajar A. Nugraha wrote:

On Fri, May 4, 2012 at 11:05 AM, Alan Kong ako...@ee.cuhk.edu.hk wrote:

Hi,

Thank you for the suggestions.
I have upgraded to version 2.1.12 on CentOS 5.

I am testing with sites-enabled/inner-tunnel virtual server setting, how
do I read the second_files in the module files. I have included both
files and second_files in the authorize section in inner-tunnel. And
both lists of users worked.  I want to read a different list of users for the
inner-tunnel virtual server.

How did you create second_files? Use the same method.

Basically I think you should create another instance of files module.
See http://wiki.freeradius.org/Rlm_sql#Instances for example (it's for
sql, but you should get the idea from there).




Re: freeraduis LDAP error

2012-05-04 Thread Fajar A. Nugraha
On Fri, May 4, 2012 at 1:15 PM, dhanushka ranasinghe
parakrama1...@gmail.com wrote:
 Hi..

 When I removed the Auth-Type := PAP line, radius is not checking the
 password; even when a wrong password is used the user gets
 authenticated.

What does the debug log say?

My guess is you have Auth-Type := Accept somewhere.

-- 
Fajar


Re: Very huge Acct-Session-Time

2012-05-04 Thread Johan Meiring

On 2012/05/04 03:13 AM, Claude Brown wrote:

Probably not - but what have you got to lose by checking?

My 2c says that Alan DeKok is right.
The NAS is buggy.

What happens on the NAS is probably the following
(this is a wild guess):

1) NAS boots, time is set to 1970.
2) User logs in, and the NAS stores the start time internally.
3) NTP on the NAS eventually figures out what the time is.
4) Next time the NAS calculates the session time, it is 43 years.

I must say I am unsure how I would do it differently if I was the NAS
software developer.





--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Before acting on this email or opening any attachments
you should read Cape PC Service's email disclaimer at:

http://www.pcservices.co.za/disclaimer.html



Re: Volume Limit per user monthly

2012-05-04 Thread Fajar A. Nugraha
On Fri, May 4, 2012 at 1:04 PM, yagizozen yagizo...@yahoo.com wrote:
 Hello Guys,

 I am crazy about this FreeRADIUS and thank all of the developers who work
 on the FreeRADIUS application. It is great that you are doing such an open
 source application for everyone who needs it.

 I am reading everything that I can find about anything related to FR, and I
 have a question :) First let me say that if the answer to the question
 I am going to ask is located in some doc or another place in the
 documentation, just link the doc name and I will read it, so that I do
 not consume your time.

 First of all, the GGSN (NAS) that FR is communicating with is a Huawei system. I
 managed to succeed in limiting a user's usage per day (with respect to session
 time) with the use of the Session-Timeout AVP in the
 Access-Accept packet sent to my Huawei GGSN; the GGSN understands that and tries
 to reauthenticate after that value. But what I want is to limit
 the volume of usage of a user in a month with the use of the
 Acct-Input-Octets and Acct-Output-Octets AVPs, and I am having trouble
 implementing this. I guess I need to generate a counter, and this counter
 should count the Input and Output Octets located in the accounting section
 and check if it is over the limit that I defined in the users file.

First thing to ask your NAS vendor is whether they support the volume
equivalent of  session-timeout. For example, chillispot has
ChilliSpot-Max-Total-Octets. If it doesn't, then there's no way to
enforce the limit using any radius server. Period.

-- 
Fajar


Re: Volume Limit per user monthly

2012-05-04 Thread Johan Meiring

On 2012/05/04 09:06 AM, Fajar A. Nugraha wrote:


First thing to ask your NAS vendor is whether they support the volume
equivalent of  session-timeout. For example, chillispot has
ChilliSpot-Max-Total-Octets. If it doesn't, then there's no way to
enforce the limit using any radius server. Period.


Unless...

You locally keep track of the total usage in all sessions for the month.
When you receive an accounting update, you do the math.

If the user is over, you send a POD.

This is how our local telco works with ADSL.

Unfortunately you only get Accounting Updates every hour, so you might let a
user run for about an hour before you disconnect him, but you don't really
have another option.


Cheers,



Re: Volume Limit per user monthly

2012-05-04 Thread yagizozen
Hello Johan,

First of all thank you for your answer. I will immediately ask my GGSN vendor if
it supports data limiting; if not, like you said, I will keep track of the usage for
every user. But can you give more information about what POD is and how it is
sent to my GGSN, and also is POD a standard AVP that my GGSN will know for
sure?

Keeping track of the usage is not hard for me, but the thing is: how can
I disconnect the user like you said?



Re: Volume Limit per user monthly

2012-05-04 Thread Fajar A. Nugraha
On Fri, May 4, 2012 at 2:15 PM, Johan Meiring jmeir...@pcservices.co.za wrote:
 On 2012/05/04 09:06 AM, Fajar A. Nugraha wrote:


 First thing to ask your NAS vendor is whether they support the volume
 equivalent of  session-timeout. For example, chillispot has
 ChilliSpot-Max-Total-Octets. If it doesn't, then there's no way to
 enforce the limit using any radius server. Period.


 Unless

 You locally keep track of the total usage in all sessions for the month.
 When you receive an accounting update, you do the math.

 If the user is over, you send a POD.

 This is how our local telco works with ADSL.

Correct. That would be a good method if your NAS supports POD, and
you're willing to tolerate some excess traffic (since you only get
interim-update packets at a certain time interval, not a certain volume
interval).


 Unfortunately you only get Accounting Updates every hour,

That should be configurable through the Acct-Interim-Interval attribute
sent by radius. However:
- some NASes limit the minimum allowed value (e.g. chillispot ignores
values less than 60)
- if you set it too low, the load on your accounting backend (e.g. the db) might
get too high, as there will be more accounting packets to process.

5, 15, or 60 minutes is usually a good start for
Acct-Interim-Interval, depending on your current load.

-- 
Fajar
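The approach Johan and Fajar describe above (tally the interim updates, compare against a monthly cap, then send a Packet of Disconnect) as an added example; this is not code from the thread and not FreeRADIUS code. It assumes accounting records arrive as plain dicts keyed by attribute name, that the NAS implements RFC 5176 (Disconnect-Request is RADIUS code 40, normally on UDP port 3799) with the same shared secret as accounting, and that the user "alice", the session IDs, the timestamps and the secret "testing123" are constructed sample data.

```python
"""Monthly volume cap driven by RADIUS accounting, plus an RFC 5176 Disconnect-Request.

Added example for the "Volume Limit per user monthly" thread; not FreeRADIUS code.
Assumptions: accounting records are dicts keyed by attribute name, the counter is
consulted after every Interim-Update, and the NAS accepts Disconnect-Request (port
3799) with the same shared secret. All sample data below is constructed.
"""
import hashlib
import hmac
import struct
from collections import defaultdict
from datetime import datetime, timezone

USER_NAME = 1            # RFC 2865 attribute types
ACCT_SESSION_ID = 44
DISCONNECT_REQUEST = 40  # RFC 5176 packet codes
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42


def _month(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m")


def _octets(rec):
    """Bytes reported in a record, folding the 32-bit wrap counters (RFC 2869 Gigawords) in."""
    low = rec.get("Acct-Input-Octets", 0) + rec.get("Acct-Output-Octets", 0)
    high = rec.get("Acct-Input-Gigawords", 0) + rec.get("Acct-Output-Gigawords", 0)
    return low + (high << 32)


class VolumeCounter:
    """Per-user, per-month byte totals built from Start / Interim-Update / Stop records."""

    def __init__(self, monthly_limit):
        self.limit = monthly_limit
        self.closed = defaultdict(int)  # (user, month) -> bytes from finished sessions
        self.live = {}                  # (user, month, session) -> latest cumulative count

    def record(self, rec):
        """Fold one record in; return (user, running monthly total, over_limit)."""
        user, month = rec["User-Name"], _month(rec["Event-Timestamp"])
        key = (user, month, rec["Acct-Session-Id"])
        status = rec["Acct-Status-Type"]
        if status == "Start":
            self.live[key] = 0
        elif status == "Interim-Update":
            self.live[key] = _octets(rec)   # counters are cumulative per session: replace, never add
        elif status == "Stop":
            self.live.pop(key, None)
            self.closed[(user, month)] += _octets(rec)
        total = self.total(user, month)
        return user, total, total >= self.limit

    def total(self, user, month):
        live = sum(v for (u, m, _), v in self.live.items() if (u, m) == (user, month))
        return self.closed[(user, month)] + live


def _avp(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def disconnect_request(secret, identifier, user, session_id):
    """Encode a Disconnect-Request. RFC 5176 s.2.3: Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = _avp(USER_NAME, user.encode()) + _avp(ACCT_SESSION_ID, session_id.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def nas_reply(secret, code, request, attrs=b""):
    """The NAS side: Disconnect-ACK or -NAK. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def check_reply(secret, request, reply):
    """Only trust a reply whose Response Authenticator verifies against our request;
    an unauthenticated ACK would let anyone on the path pretend the session is gone."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if reply[0] not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    expect = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expect, reply[4:20])


# Constructed sample: one April session closing, then a May session crossing a 1 GB cap.
SAMPLE = [
    {"Acct-Status-Type": "Stop", "User-Name": "alice", "Acct-Session-Id": "s0",
     "Event-Timestamp": 1335826800, "Acct-Input-Octets": 400_000_000,
     "Acct-Output-Octets": 500_000_000},
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Acct-Session-Id": "s1",
     "Event-Timestamp": 1336089600},
    {"Acct-Status-Type": "Interim-Update", "User-Name": "alice", "Acct-Session-Id": "s1",
     "Event-Timestamp": 1336093200, "Acct-Input-Octets": 300_000_000,
     "Acct-Output-Octets": 300_000_000},
    {"Acct-Status-Type": "Interim-Update", "User-Name": "alice", "Acct-Session-Id": "s1",
     "Event-Timestamp": 1336096800, "Acct-Input-Octets": 500_000_000,
     "Acct-Output-Octets": 700_000_000},
]


def run_sample(limit=1_000_000_000):
    """Feed SAMPLE through the counter; return the (total, over_limit) per record and
    the Disconnect-Request the first over-limit record triggers (None if none)."""
    counter = VolumeCounter(limit)
    results, pod = [], None
    for ident, rec in enumerate(SAMPLE):
        user, total, over = counter.record(rec)
        results.append((total, over))
        if over and pod is None:
            pod = disconnect_request(b"testing123", ident, user, rec["Acct-Session-Id"])
    return results, pod


if __name__ == "__main__":
    res, pkt = run_sample()
    print(res, pkt.hex() if pkt else None)
```

Two details matter in practice. Acct-Input-Octets and Acct-Output-Octets are cumulative for the session, so an interim update replaces the session's last value rather than adding to it, and the 32-bit counters wrap into Acct-Input-Gigawords / Acct-Output-Gigawords. And the Disconnect-ACK or NAK must be verified against the Request Authenticator before the session is treated as torn down, otherwise a spoofed ACK hides a session that is still running. To send the packet from a FreeRADIUS host, radclient's disconnect mode (radclient <nas>:3799 disconnect <secret>) takes the same User-Name and Acct-Session-Id attributes on stdin.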


SHA-256,384,512?

2012-05-04 Thread Stefan Winter
Hi,

I'm trying to figure out if FreeRADIUS supports SHA-2 (256,384,512
variants) or just SHA1.

Some attributes have only SSHA in their name, without a -1 so I
thought they could do more than SHA-1.

Looking at the source code of 2.1.12, it doesn't look like it though,
SHA seems to be synonymous for SHA-1.

Can I get a quick confirmation that the SHA-2 family is not supported
for password hashes? Anything coming up in that regard in 3.0?

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: Volume Limit per user monthly

2012-05-04 Thread yagizozen
I am glad that you are trying to help me, guys. These are very good
recommendations. I do not have any information regarding that POD
thing, but the first thing I will do is search for it. Is there any
place that you recommend me to read for learning the POD mechanism, or can
you tell me a little more about it?

Thank you



Re: freeraduis LDAP error

2012-05-04 Thread dhanushka ranasinghe
Hi guys,

With the below configuration in the users file:


DEFAULT Ldap-Group == "cn=employees,ou=group,dc=ldap,dc=home,dc=com", Auth-Type := PAP
	Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject


I tested the radius access from the command line, by entering a wrong
password [1] and the correct password [2]; in that case radius responds
fine. The issue only occurs [3] when access is via an Ubuntu machine
(wpa_supplicant).

e.g.:
1) radtest username wrong-password 192.168.0.63 1812 testing123

Sending Access-Request of id 176 to 192.168.0.63 port 1812
	User-Name = dhanush...@wso2.com
	User-Password = dcn05c4-128222
	NAS-IP-Address = 192.168.0.60
	NAS-Port = 1812
rad_recv: Access-Reject packet from host 192.168.0.63 port 1812,
id=176, length=38


2) radtest username correct-password 192.168.0.63 1812 testing123

Sending Access-Request of id 167 to 192.168.0.63 port 1812
	User-Name = dhanush...@wso2.com
	User-Password = dcn05c4-1282
	NAS-IP-Address = 192.168.0.60
	NAS-Port = 1812
rad_recv: Access-Accept packet from host 192.168.0.63 port 1812,
id=167, length=38


3)

# Executing group from file /etc/freeradius/sites-enabled/default
Thu May  3 11:50:26 2012 : Info: +- entering group PAP {...}
Thu May  3 11:50:26 2012 : Info: [pap] ERROR: You set 'Auth-Type =
PAP' for a request that does not contain a User-Password attribute!
Thu May  3 11:50:26 2012 : Info: ++[pap] returns invalid
Thu May  3 11:50:26 2012 : Info: Failed to authenticate the user.

Thank you
Dhanushka


On 4 May 2012 11:58, Fajar A. Nugraha l...@fajar.net wrote:
 On Fri, May 4, 2012 at 1:15 PM, dhanushka ranasinghe
 parakrama1...@gmail.com wrote:
 Hi..

 When I removed the Auth-Type := PAP line, radius is not checking the
 password; even when a wrong password is used the user gets
 authenticated.

 What does the debug log say?

 My guess is you have Auth-Type := Accept somewhere.

 --
 Fajar


Re: SHA-256,384,512?

2012-05-04 Thread Alan DeKok
Stefan Winter wrote:
 I'm trying to figure out if FreeRADIUS supports SHA-2 (256,384,512
 variants) or just SHA1.

  There's only SHA1 code, IIRC.

 Looking at the source code of 2.1.12, it doesn't look like it though,
 SHA seems to be synonymous for SHA-1.

  Yes.

 Can I get a quick confirmation that the SHA-2 family is not supported
 for password hashes? Anything coming up in that regard in 3.0?

  cough  Feel free to submit a patch. :)

  Alan DeKok.
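What the {header} password formats Stefan asks about look like, and a checker that handles the SHA-1 and SHA-2 variants side by side, as an added example; this is not FreeRADIUS or rlm_pap code. It assumes the OpenLDAP-style layout that rlm_pap's Password-With-Header also expects ("{SCHEME}" followed by base64 of digest || salt, with a salt only for the S-prefixed schemes) and uses the {SSHA256}/{SSHA512} names other directories commonly use; per Alan's reply, a 2.1.12 server with only SHA-1 code cannot check those. The {SHA} test value is the SHA-1 of the string "password"; the other inputs are constructed.

```python
"""Check LDAP-style {SHA}/{SSHA} password hashes, SHA-1 and SHA-2 variants alike.

Added example for the SHA-2 question; not FreeRADIUS/rlm_pap code. Layout assumed:
"{SCHEME}" + base64(digest || salt), salt only for the S-prefixed schemes.
"""
import base64
import hashlib
import hmac
import os

# scheme -> (hashlib algorithm, salted?). The header selects the algorithm; the
# algorithm's digest length is then what splits the digest from the trailing salt.
SCHEMES = {
    "SHA": ("sha1", False),      "SSHA": ("sha1", True),
    "SHA256": ("sha256", False), "SSHA256": ("sha256", True),
    "SHA512": ("sha512", False), "SSHA512": ("sha512", True),
}


def make_hash(scheme, password, salt=None):
    """Encode a password for storage; salted schemes get 8 random bytes unless given."""
    scheme = scheme.upper()
    algo, salted = SCHEMES[scheme]
    salt = (os.urandom(8) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_header(stored):
    """'{SSHA256}abc...' -> ('SSHA256', 'abc...'); a value without a header is an error."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("password value has no {scheme} header")
    scheme, b64 = stored[1:].split("}", 1)
    return scheme.upper(), b64


def check_hash(stored, password):
    """True iff password matches stored. Unknown or malformed values raise instead of
    returning False, so a misconfiguration shows up as an error, not a silent reject."""
    scheme, b64 = split_header(stored)
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64, validate=True)
    dlen = hashlib.new(algo).digest_size
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or (salt and not salted):
        raise ValueError("malformed %s value" % scheme)
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


if __name__ == "__main__":
    # Well-known vector: {SHA} of "password" is the SHA-1 of the bare string.
    print(check_hash("{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=", "password"))
    for s in ("SSHA", "SSHA256", "SSHA512"):
        h = make_hash(s, "correct horse")
        print(s, h, check_hash(h, "correct horse"), check_hash(h, "wrong"))
```

Two caveats worth keeping in mind with any of these schemes: a single salted SHA pass is cheap to brute-force offline if the directory contents leak, and only PAP (including PAP inside a TTLS tunnel) can be verified against them, since CHAP and MS-CHAP need the cleartext or NT hash on the server side.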


Re: freeraduis LDAP error

2012-05-04 Thread Alan DeKok
dhanushka ranasinghe wrote:
 with the blow configuration .in  user file

  Which you were told was wrong.

 I test the radius access from command line  , by entering wrong
 password [1] and correct password [2] .., in that case radius respond
 fine, Issue only occurs [3] when   access via ubuntu machine
 (WPAsupplicant) ...

  Which doesn't do PAP authentication.

  # Executing group from file /etc/freeradius/sites-enabled/default
 Thu May  3 11:50:26 2012 : Info: +- entering group PAP {...}
 Thu May  3 11:50:26 2012 : Info: [pap] ERROR: You set 'Auth-Type =
 PAP' for a request that does not contain a User-Password attribute!

  Which is the same message as before.  The solution is the same.

  You have been working HARD to avoid solving this problem.  The
solution to the problem is simple.  The debug output TELLS YOU what to do.

  Go do it.

  You have had a number of people try to help you.  These people are
doing MORE WORK than you are to solve the problem.  Do as you were told.

  If you keep ignoring the instructions on this list, you will be
unsubscribed and banned.  The reason is simple: you're wasting
everyone's time by asking questions, and ignoring the answers

  That's no longer acceptable.

  Alan DeKok.


Re: freeraduis LDAP error

2012-05-04 Thread dhanushka ranasinghe
Hi,

Really sorry if I made any trouble. Thanks a lot to everyone who
tried to solve my issue.


Thank You
Dhanushka

On 4 May 2012 13:22, Alan DeKok al...@deployingradius.com wrote:
 dhanushka ranasinghe wrote:
 with the blow configuration .in  user file

  Which you were told was wrong.

 I test the radius access from command line  , by entering wrong
 password [1] and correct password [2] .., in that case radius respond
 fine, Issue only occurs [3] when   access via ubuntu machine
 (WPAsupplicant) ...

  Which doesn't do PAP authentication.

  # Executing group from file /etc/freeradius/sites-enabled/default
 Thu May  3 11:50:26 2012 : Info: +- entering group PAP {...}
 Thu May  3 11:50:26 2012 : Info: [pap] ERROR: You set 'Auth-Type =
 PAP' for a request that does not contain a User-Password attribute!

  Which is the same message as before.  The solution is the same.

  You have been working HARD to avoid solving this problem.  The
 solution to the problem is simple.  The debug output TELLS YOU what to do.

  Go do it.

  You have had a number of people try to help you.  These people are
 doing MORE WORK than you are to solve the problem.  Do as you were told.

  If you keep ignoring the instructions on this list, you will be
 unsubscribed and banned.  The reason is simple: you're wasting
 everyone's time by asking questions, and ignoring the answers

  That's no longer acceptable.

  Alan DeKok.


Re: freeraduis LDAP error

2012-05-04 Thread alan buxey
Hi,

 When I removed the Auth-Type := PAP line, radius is not checking the
 password; even when a wrong password is used the user gets
 authenticated.

you then have a hardcoded  Accept  somewhere in your config


alan


Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-05-04 Thread Phil Mayers

On 30/04/12 13:18, jinx_20 wrote:


But I still cannot understand why FR allowed the connection when I had removed
the Sub2_CA certificate from the cert store.


Just to emphasise, unless I'm mistaken it is OpenSSL that was validating 
or rejecting the cert. The FreeRADIUS verify callback doesn't override 
the OpenSSL decision except in the expected cases, such as the external 
verify script execution, CN comparisons or similar, and those are done 
on terminal certs only.


So, either OpenSSL was failing to validate it, or OpenSSL was passing 
bad depth data into FreeRADIUS' callback function. Either way, I think 
the issue here lies inside OpenSSL.



Translate characters

2012-05-04 Thread Xbert_badstuber
Hello dear Freeradius friends!

I'm authenticating users by NAS-Port-Id in the following format:
"1/1/4:1001.129". In the scenario I'm using Service Router -> FreeRADIUS ->
Cisco ACS -> Active Directory. The problem is that Active Directory cannot
use "/" and ":" in the logon field of the user when I'm trying to
authenticate users.

Is there anything I can do in FreeRADIUS to change the characters to
different ones? For example: to make "/" into "-" and ":" into "_", so the
NAS-Port-Id would look like "1-1-4_1001.129" instead. Is it possible to
translate characters in FreeRADIUS? If possible, how do I do it?

Best regards, Badstuber.


multiple ldap servers

2012-05-04 Thread jeff donovan
Greetings

I'm new to radius but have been reading.

I have a FreeRADIUS server running on Ubuntu 11; my users file is an LDAP
server, which works great. My question is:

How can I search an alternate LDAP server for user credentials?
If the first LDAP search fails, try the next server in line.

I found some documentation:
* http://freeradius.org/radiusd/doc/ldap_howto.txt does not mention a second
server.
* http://freeradius.org/radiusd/doc/configurable_failover explains the redundant
setup for SQL accounting.

So far I tried adding the second LDAP server; its info is read during module
load -- no errors. The problem is, only one of the LDAP systems contains the
correct info. So one WILL fail and the other will pass.
With that being said, how do I configure my server to pass if either system
returns "ok"? Currently it will fail even if one LDAP system returns good.

authorize {
	preprocess
	chap
	mschap
	digest
	suffix
	eap {
		ok = return
	}

	files

	redundant {
		ldap1
		ldap2
	}

	expiration
	logintime
	pap

#	Autz-Type Status-Server {
#
#	}
}

authenticate {
	Auth-Type PAP {
		pap
	}

	Auth-Type CHAP {
		chap
	}

	Auth-Type MS-CHAP {
		mschap
	}

	digest

	#
	#  Pluggable Authentication Modules.
#	pam
	unix

	Auth-Type LDAP {
		ldap1
		ldap2
	}

	eap

#	Auth-Type eap {
#		eap {
#			handled = 1
#		}
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
#			attr_filter.access_challenge.post-auth
#			handled  # override the updated code from attr_filter
#		}
#	}
}


Any Assistance would be helpful.
-j


Re: multiple ldap servers

2012-05-04 Thread Tobias Hachmer

Hi Jeff,

On 04.05.2012 14:30, jeff donovan wrote:
how can i search and alternate LDAP server for user credentials ? If 
the first LDAP search fails try the next server in line.



Just mention only this ldap server in authenticate section:

authenticate {
  Auth-Type LDAP {
 ldap1 # the ldap server which has the credentials
  }
}

That's it. Only the ldap servers you have mentioned in authorize 
section will be queried for group memberships.


Greetz,
Tobias



Re: multiple ldap servers

2012-05-04 Thread Alan DeKok
jeff donovan wrote:
 I'm new to radius but have been reading.

  That's always positive.

 how can i search and alternate LDAP server for user credentials ?
 If the first LDAP search fails try the next server in line. 

  Do you mean fail or notfound?  They're different...

 I found some documentation-
 * http://freeradius.org/radiusd/doc/ldap_howto.txt  does not mention a
 second server.
 *http://freeradius.org/radiusd/doc/configurable_failover explains the
 redundant setup for sql accounting. 

  See also man unlang.  It explains this in more detail.

 so far I tried adding the second ldap server, it's info is read during
 module load -- no errors. The problem is,.. only one of the ldap systems
 contains the correct info. So one WILL fail and the other will pass. 
 with that being said,.. How do i configure my server to Pass if either
 system returns  ok  ? currently it will fail even if one LDAP system
 returns good.

  That's because you're using a redundant block.  It treats "notfound"
as "LDAP server is still up", and it doesn't fail over to the next one.
 Because there was no failure!

 authorize {
	...
	redundant {
		ldap1
		ldap2
	}

  Change that to:

	ldap1
	if (notfound) {
		ldap2
	}

  And it will work.

  Alan DeKok.


Re: Translate characters

2012-05-04 Thread Alan DeKok
Xbert_badstuber wrote:
 Is there anything I can do in the freeradius to change the characters to
 different ones? Example: To make “/” as “-“ and “:” as “_”. So the
 NAS-Port-ID would look like “1-1-4_1001.129” instead. Is it possible to
 translate characters in Freeradius? If possible, how do i make it?

  You can't translate the characters, but you can re-write the
attribute.  I'd use a regex:

# "/" delimits the regex, so the literal slashes inside it are escaped;
# the captured groups are available as %{1} .. %{4}.
if (NAS-Port-Id =~ /^(.*)\/(.*)\/(.*):(.*)$/) {
	update request {
		NAS-Port-Id := "%{1}-%{2}-%{3}_%{4}"
	}
}

  You may have to play with the regex to get it to match your exact
case, but the idea is there.

  Alan DeKok.

Re: multiple ldap servers

2012-05-04 Thread jeff donovan

On May 4, 2012, at 10:14 AM, Alan DeKok wrote:

 jeff donovan wrote:
 I'm new to radius but have been reading.
 
  That's always positive.
 
 how can i search and alternate LDAP server for user credentials ?
 If the first LDAP search fails try the next server in line. 
 
  Do you mean fail or notfound?  They're different...

true,. i will probably come across both.

 
 I found some documentation-
 * http://freeradius.org/radiusd/doc/ldap_howto.txt  does not mention a
 second server.
 *http://freeradius.org/radiusd/doc/configurable_failover explains the
 redundant setup for sql accounting. 
 
  See also man unlang.  It explains this in more detail.
k tnx-more reading :)
 
 so far I tried adding the second ldap server, it's info is read during
 module load -- no errors. The problem is,.. only one of the ldap systems
 contains the correct info. So one WILL fail and the other will pass. 
 with that being said,.. How do i configure my server to Pass if either
 system returns  ok  ? currently it will fail even if one LDAP system
 returns good.
 
  That's because you're using a redundant block.  It treats notfound
 as LDAP server is still up, and it doesn't fail over to the next one.
 Because there was no failure!
 
  authorize {
 	...
 	redundant {
 		ldap1
 		ldap2
 	}
 
   Change that to:
 
 	ldap1
 	if (notfound) {
 		ldap2
 	}
 
  And it will work.
 

Thanks for the reply. Can I really use if/then/else?
With that said, I should be able to apply the same for fail?
--- I'll post more when I adjust my settings and try with the notfound, then I'll
try with fail.

-j


Re: multiple ldap servers

2012-05-04 Thread Alan DeKok
jeff donovan wrote:
 thanks for the reply. can i really use if then else ? 

  sigh  Do you think I'm lying to you?  Did you read man unlang,
which explains all of this?

 with that said, i should be able to apply the same for fail ?

$ man unlang

  Alan DeKok.


Re: FreeRadius - IIS Outlook Web Access (OWA)

2012-05-04 Thread udptelecom
Any other alternatives? Has anyone any experience fronting OWA with an
Apache HTTP reverse-proxy, authenticating users via the mod_auth_radius
module and perhaps passing on the credentials to OWA ?

On Thu, May 3, 2012 at 4:21 PM, Nick Owen no...@wikidsystems.com wrote:

 On Thu, May 3, 2012 at 3:51 PM, udptelecom udptele...@gmail.com wrote:
 
 
  Hi,
 
  Anyone know of an ISAPI filter that understands RADIUS that can be used
 to
  authenticate to FreeRadius. This would be used to authenticate access to
  Outlook Web Access (OWA) running under IIS. I know of one provider
  http://www.tcpdata.com - but their site is currently down and all my
 calls
   emails have gone unanswered.
 
  Thanks!
 
  Abedi

 Have you seen MS Forefront?

 --
 --
 Nick Owen
 WiKID Systems, Inc.
 http://www.wikidsystems.com
 Commercial/Open Source Two-Factor Authentication


Re: multiple ldap servers

2012-05-04 Thread jeff donovan

On May 4, 2012, at 10:14 AM, Alan DeKok wrote:

 snip
  authorize {
 	...
 	redundant {
 		ldap1
 		ldap2
 	}
 
   Change that to:
 
 	ldap1
 	if (notfound) {
 		ldap2
 	}
 
  And it will work.

Greetings, I read the unlang pages.

I modified my authorize section, and you are correct: the user is found on
ldap1 or it checks the next server.

Now it seems to be sticking on the first reject in the authenticate section.

Here is what I have:

authenticate {
	Auth-Type LDAP {
		ldap1
		if (reject) {
			ldap2
		}
	}
}

I have also tried:

	Auth-Type LDAP {
		ldap1
		ldap2
	}

In this case, if the credentials do not exist on ldap1 everything stops.

Here is my debug:

[ldap1] performing user authorization for drfoo
[ldap1] expand: %{Stripped-User-Name} -> 
[ldap1] ... expanding second conditional
[ldap1] expand: %{User-Name} -> drfoo
[ldap1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=drfoo)
[ldap1] expand: cn=users,dc=ldap1,dc=example.com -> cn=users,dc=ldap1,dc=example.com
  [ldap1] ldap_get_conn: Checking Id: 0
  [ldap1] ldap_get_conn: Got Id: 0
  [ldap1] performing search in cn=users,dc=ldap1,dc=example.com, with filter (uid=drfoo)
  [ldap1] object not found
[ldap1] search failed
  [ldap1] ldap_release_conn: Release Id: 0
++[ldap1] returns notfound
++? if (notfound)
? Evaluating (notfound) -> TRUE
++? if (notfound) -> TRUE
++- entering if (notfound) {...}
[ldap2] performing user authorization for drfoo
[ldap2] expand: %{Stripped-User-Name} -> 
[ldap2] ... expanding second conditional
[ldap2] expand: %{User-Name} -> drfoo
[ldap2] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=drfoo)
[ldap2] expand: cn=users,dc=ldap2,dc=example.com -> cn=users,dc=ldap2,dc=example.com
  [ldap2] ldap_get_conn: Checking Id: 0
  [ldap2] ldap_get_conn: Got Id: 0
  [ldap2] performing search in cn=users,dc=ldap2,dc=example.com, with filter (uid=drfoo)
[ldap2] No default NMAS login sequence
[ldap2] looking for check items in directory...
  [ldap2] userPassword -> Password-With-Header == 
[ldap2] looking for reply items in directory...
[ldap2] Setting Auth-Type = LDAP
[ldap2] user drfoo authorized to use remote access
  [ldap2] ldap_release_conn: Release Id: 0
+++[ldap2] returns ok
++- if (notfound) returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Failed to decode Password-With-Header = 
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
[ldap1] login attempt by drfoo with password XxXxXxX
[ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com
  [ldap1] (re)connect to ldap1.example.com:389, authentication 1
  [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX to ldap1.example.com:389
  [ldap1] waiting for bind result ...
  [ldap1] Bind failed with invalid credentials
++[ldap1] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}




Re: multiple ldap servers

2012-05-04 Thread Tobias Hachmer

On 04.05.2012 21:05, jeff donovan wrote:

Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
[ldap1] login attempt by drfoo with password XxXxXxX
[ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com
  [ldap1] (re)connect to ldap1.example.com:389, authentication 1
  [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX
to ldap1.example.com:389
  [ldap1] waiting for bind result ...
  [ldap1] Bind failed with invalid credentials
++[ldap1] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}


OK, so what happened here? The ldap bind has failed! That's not the 
failure message that the user you want to authenticate has wrong 
credentials.
Be sure you configured the ldap modules correctly or send the whole 
radiusd -X debug output.


Best regards,

Tobias Hachmer


Re: multiple ldap servers

2012-05-04 Thread jeff donovan

On May 4, 2012, at 3:58 PM, Tobias Hachmer wrote:

 On 04.05.2012 21:05, jeff donovan wrote:
 Found Auth-Type = LDAP
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group LDAP {...}
 [ldap1] login attempt by drfoo with password XxXxXxX
 [ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com
  [ldap1] (re)connect to ldap1.example.com:389, authentication 1
  [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX
 to ldap1.example.com:389
  [ldap1] waiting for bind result ...
  [ldap1] Bind failed with invalid credentials
 ++[ldap1] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group REJECT {...}
 
 OK, so what happened here? The ldap bind has failed! That's not the failure 
 message that the user you want to authenticate has wrong credentials.
 Be sure you configured the ldap modules correctly or send the whole radiusd 
 -X debug output.

Greetings,
sorry, I snipped the bottom off; I didn't think it relevant since nothing happened
after it tried to auth on ldap1.

Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> drfoo
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 158 to 10.135.1.15 port 65478
Waking up in 4.9 seconds.
Cleaning up request 2 ID 158 with timestamp +22
Ready to process requests.

And that is correct. The user does not exist on LDAP1; his records are on
LDAP2, which it finds, but it tries to auth against ldap1 (which will fail). I
need it to step to ldap2.

I thought the result code was "reject", so under authenticate: if the result of
ldap1 = reject, try ldap2.

	Auth-Type LDAP {
		ldap1
		if (reject) {
			ldap2
		}
	}





Re: multiple ldap servers::solved::

2012-05-04 Thread jeff donovan

On May 4, 2012, at 7:40 PM, jeff donovan wrote:

 snip
 
 and that is correct. The user does not exist on LDAP1, his records are on 
 LDAP2, which it finds, but it trys to auth against ldap1 ( which will fail ). 
 I need it to step to ldap2

Greetings,

I made two changes and it worked. Not sure if it is the best syntax, but it's
the first time I got both systems to call back.

authorize {

	ldap1
	if (notfound) {
		ldap2
	}
	if (reject) {
		ldap2
	}


authenticate {

	Auth-Type LDAP {
		ldap1 {
			reject = 1
			ok = return
		}
		ldap2 {
			reject = 1
			ok = return
		}
	}


Works very well.
Thanks for your assistance.

-j



