RE: Freeradius CoA - Need Help
Can Anybody help me with this issue?

-----Original Message-----
From: freeradius-users-bounces+nasser=rasana@lists.freeradius.org [mailto:freeradius-users-bounces+nasser=rasana@lists.freeradius.org] On Behalf Of Nasser Heidari
Sent: Tuesday, January 22, 2013 1:33 PM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius CoA - Need Help

Hi,

I'm going to set up a Freeradius CoA virtual server. I have already gone through the originate-coa document, but I need some help.

This is the way that I traditionally originate CoA or POD packets:

- I have written a Perl script that listens on port 1810.
- When I want to disconnect a user, I use another script to get the user's session info from the DB, and then send its information (User-Name, Acct-Session-ID, NAS IP Address) to port 1810.
- Then my Perl script simply generates a radclient command and sends it to the appropriate NAS.

For CoA it's the same; the only difference is that I send more AVPs to my script.

Now what I couldn't understand is this: how should I trigger the CoA server to send the appropriate AVPs to the NAS? How should I tell it that I need these AVPs to be sent? I have Googled it but I couldn't find any sample.

Thanks in advance.

Regards,
Nasser

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Video installation for freeradius with smsotp
Hello Lasse,

* Lasse Odden lasse.od...@gmail.com [2013-01-24 11:48]:
> Long time since we spoke, but you told me you should try to find time to do a new video with instructions. Could you please help me out with this installation?

I currently don't have the time, but if you have a specific question, ask me.

Thomas
Re: Realm
thanks!

Miha

On 1/23/2013 3:58 PM, Phil Mayers wrote:
> On 23/01/13 14:47, Miha wrote:
>> Hi,
>>
>> my radius client is sending the realm along with the user-name and password. I cannot disable sending the realm; is it possible to configure radius so that it will not use the realm with the user-name (user-name@realm)?
>>
>> [digest] Digest-Attributes look OK.  Converting them to something more usful.
>> Digest-User-Name = 018108500
>> Digest-Realm = test1.opensips.softnet.si
>> Digest-Nonce = 510001fb0006c9cc728438be21e324f917a5ea234380
>> Digest-URI = sip:+3858...@test1.opensips.test.si
>> Digest-Method = INVITE
>> [digest] Adding Auth-Type = DIGEST
>> ++[digest] returns ok
>> [suffix] Looking up realm test1.opensips.softnet.si for User-Name = 018108500@test1.opensips.test.si
>> [suffix] No such realm test1.opensips.softnet.si
>> ++[suffix] returns noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[files] returns noop
>> [sql] expand: %{User-Name} -> 018108500@test1.opensips.test.si
>>
>> Radius will need to check only the user-name (018108500).
>
> Sure. The easiest option is something like this:
>
>   authorize {
>     ...
>     if (User-Name =~ /^(.+)@(.+)$/) {
>       update request {
>         Stripped-User-Name := "%{1}"
>         Realm := "%{2}"
>       }
>     }
>     ...
>   }
>
> ...and then ensure your SQL/files/whatever modules use an appropriate expansion for their key value, e.g.
>
>   sql {
>     ...
>     sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
>     ...
>   }
>
> This is the default.
>
> So basically, you identify the realm yourself, set Stripped-User-Name, and use that.
Filter and attribute
Hi,

In the LDAP module config, we can find

  filter = "(|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(mail=%{%{Stripped-User-Name}:-%{User-Name}}))"

Users authenticate in freeradius with a login like pierre.dupont@12345678. We want to use both parts of the address in the LDAP filter.

pierre.dupont is %{User-Name}; what should be the name of the variable for 12345678?

--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
Re: Filter and attribute
On 24/01/2013 14:03, Emmanuel BILLOT wrote:
> Hi,
>
> In the LDAP module config, we can find
>
>   filter = "(|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(mail=%{%{Stripped-User-Name}:-%{User-Name}}))"
>
> Users authenticate in freeradius with a login like pierre.dupont@12345678. We want to use both parts of the address in the LDAP filter.
>
> pierre.dupont is %{User-Name}; what should be the name of the variable for 12345678?

I guess it is %{Realm} ?

--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
Re: Filter and attribute
On 24/01/2013 14:03, Emmanuel BILLOT wrote:
> Hi,
>
> In the LDAP module config, we can find
>
>   filter = "(|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(mail=%{%{Stripped-User-Name}:-%{User-Name}}))"
>
> Users authenticate in freeradius with a login like pierre.dupont@12345678. We want to use both parts of the address in the LDAP filter.
>
> pierre.dupont is %{User-Name}; what should be the name of the variable for 12345678?

Ok, %{Realm} seems to work; however, is there any way to force upcase on it?

--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
Re: Filter and attribute
On 24.01.2013 14:26, Emmanuel BILLOT wrote:
> I guess it is %{Realm} ?

this will contain the realm, yeah. But why do you want to do %{Stripped-User-Name}@%{Realm} when it is the same as %{User-Name} ?

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: oliv...@heliosnet.org
Re: Filter and attribute
On 24.01.2013 14:03, Emmanuel BILLOT wrote:
> Hi,
>
> In the LDAP module config, we can find
>
>   filter = "(|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(mail=%{%{Stripped-User-Name}:-%{User-Name}}))"
>
> Users authenticate in freeradius with a login like pierre.dupont@12345678

then this will be in User-Name, unless you made manipulations with it (which you should never do, btw)

> We want to use both parts of the address in the LDAP filter.
>
> pierre.dupont is %{User-Name}

then your user is logging in with pierre.dupont and not pierre.dupont@123456

> what should be the name of the variable for 12345678?

use %{User-Name}

Olivier

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: oliv...@heliosnet.org
Re: Filter and attribute
On 24.01.2013 14:34, Emmanuel BILLOT wrote:
> On 24/01/2013 14:03, Emmanuel BILLOT wrote:
>> Hi,
>>
>> In the LDAP module config, we can find
>>
>>   filter = "(|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(mail=%{%{Stripped-User-Name}:-%{User-Name}}))"
>>
>> Users authenticate in freeradius with a login like pierre.dupont@12345678. We want to use both parts of the address in the LDAP filter.
>>
>> pierre.dupont is %{User-Name}; what should be the name of the variable for 12345678?
>
> Ok, %{Realm} seems to work; however, is there any way to force upcase on it?

%{toupper:%{realm}} ?

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: oliv...@heliosnet.org
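The pieces from this thread and from Phil Mayers's "Realm" answer above (the `/^(.+)@(.+)$/` split, the `%{%{Stripped-User-Name}:-%{User-Name}}` fallback and `%{toupper:...}`) can be exercised outside the server. The Python below is an added example, not code from either thread or from FreeRADIUS: `split_realm`, `xlat` and `build_filter` are names chosen here, the expander understands only the three `%{...}` forms used in these threads, and `REALM_FILTER` (with an assumed `o=` attribute) is a constructed variant of the posted filter. It also escapes the substituted values per RFC 4515, which rlm_ldap does for you, so a login containing filter metacharacters stays data rather than altering the filter's structure.

```python
import re

# Regex from Phil Mayers's unlang block in the "Realm" thread: "user@realm".
USERNAME_RE = re.compile(r"^(.+)@(.+)$")


def split_realm(user_name):
    """Mirror the unlang 'if': (Stripped-User-Name, Realm), or (None, None)."""
    m = USERNAME_RE.match(user_name)
    return (m.group(1), m.group(2)) if m else (None, None)


def ldap_escape(value):
    """RFC 4515 escaping of a value substituted into an LDAP filter.
    rlm_ldap escapes its %{...} expansions itself; done here explicitly so
    the example is self-contained and filter metacharacters stay data."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _match_brace(text, open_idx):
    """Index of the '}' closing the '{' at open_idx (nesting-aware)."""
    depth = 0
    for k in range(open_idx, len(text)):
        if text[k] == "{":
            depth += 1
        elif text[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced %%{ in %r" % text)


def _expand_one(inner, attrs):
    """Expand the inside of one %{...}: %{%{A}:-B} fallback, %{toupper:...},
    or a plain attribute reference (assumption: only these three forms)."""
    if inner.startswith("%{"):
        j = _match_brace(inner, 1)
        if inner[j + 1:].startswith(":-"):
            primary = xlat(inner[:j + 1], attrs)
            return primary if primary else xlat(inner[j + 3:], attrs)
    if inner.startswith("toupper:"):
        return xlat(inner[len("toupper:"):], attrs).upper()
    return ldap_escape(attrs.get(inner) or "")


def xlat(text, attrs):
    """Minimal stand-in for the server's %{...} expansion."""
    out, i = [], 0
    while i < len(text):
        if text.startswith("%{", i):
            j = _match_brace(text, i + 1)
            out.append(_expand_one(text[i + 2:j], attrs))
            i = j + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


# The filter quoted in the thread, and a constructed variant that also keys
# on the realm (o= is an assumed attribute) with the toupper xlat applied.
FILTER = ("(|(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
          "(mail=%{%{Stripped-User-Name}:-%{User-Name}}))")
REALM_FILTER = ("(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                "(o=%{toupper:%{Realm}}))")


def build_filter(template, user_name):
    """Run the authorize-section split, then expand the ldap filter."""
    stripped, realm = split_realm(user_name)
    attrs = {"User-Name": user_name,
             "Stripped-User-Name": stripped, "Realm": realm}
    return xlat(template, attrs)
```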
Re: Thoughts on a FreeRadius setup with OpenLDAP and Kerberos serving Windows and Ubuntu Clients
Hi,

> 1. user authentication and authorisation against our OpenLDAP directory, which is currently set up to store passwords with a SASL mechanism (the pass is hashed, and Apache Directory Studio shows the value of the UserPassword attribute of each user as a SASL hashed password. This note is important, see further on)

you can use external code for validation, but that could get tricky for different EAP types

> 2. Switchport dynamic VLAN assignment on the Cisco Catalyst switches depending on the gidNumber of the user

not a problem. reply items can contain whatever you need... which can be gleaned from whatever oracle you choose

> 3. Multiplatform support (Windows 7, Ubuntu 10.04, Ubuntu 12.04)

..they all do EAP

> 4. FreeRadius server certificate validation (no client certificates used) and 802.1x authentication by providing user/pass

works out of the box.

> software succeeds and gives me an Access-Accept. Intentionally mistyping the pass gives a reject. What am I doing wrong? Is the radtest tool using some other mechanism than MSCHAPv2?

radtest is a PAP method - you need to use eg eapol_test (part of the wpa_supplicant package) or radeaptest with the required configuration files, or any other test tool (NTRadPing for Windows, JRadiusSimulator etc)

> 2. this appears to be fairly easy to achieve by configuring the users file with one line per LDAP group like DEFAULT LdapGroup == xxx to return the Tunnel-Private-Group-ID [81] VDA depending on the match... or maybe in some other place of the config via unlang? I still need to understand how it works

that method (users file) is basic but works. unlang or an external script can also be used

client certificates would mean no problem with LDAP for authentication. then you just need to work out how to deploy the client certs..

alan
helps with User-Password
Hello,

A little question: when I run freeradius in debug mode (freeradius -XX), I can't see the User-Password!

Sending Access-Request of id 167 to 195.220.94.130 port 1812
	NAS-Port-Id = AP41/1
	Calling-Station-Id = 74-2F-68-ED-12-1C
	Called-Station-Id = 00-0B-0E-A9-58-80:eduroam
	Service-Type = Framed-User
	EAP-Message = 0x0201001a01756e69762d6c696c6c65332e6672406372752e6672
	User-Name = univ-lille3...@cru.fr
	NAS-Port = 61847

Must this attribute be displayed?

Thanks
Re: helps with User-Password
Hi,

> A little question: when I run freeradius in debug mode (freeradius -XX), I can't see the User-Password!

what method are you using? looks like EAP - in which case, depending on the phase 2 method used, you might not see a User-Password - for example PEAP (well, PEAPv0/MSCHAPv2) sends a challenge-response method inside the EAP tunnel.

alan
Re: helps with User-Password
Hi,

> Sending Access-Request of id 167 to 195.220.94.130 port 1812
> 	NAS-Port-Id = AP41/1
> 	Calling-Station-Id = 74-2F-68-ED-12-1C
> 	Called-Station-Id = 00-0B-0E-A9-58-80:eduroam
> 	Service-Type = Framed-User
> 	EAP-Message = 0x0201001a01756e69762d6c696c6c65332e6672406372752e6672
> 	User-Name = univ-lille3...@cru.fr
> 	NAS-Port = 61847
>
> Must this attribute be displayed?

No: there is no User-Password. This is an EAP request. Credentials are sent inside the EAP-Message attribute, and strongly encrypted between the source (user device) and the home RADIUS server at cru.fr. As an intermediate party, this is all you will get.

Why are you interested in other users' passwords?

Greetings,

Stefan Winter

> Thanks

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
Re: helps with User-Password
On 24/01/2013 16:17, Stefan Winter wrote:
> Hi,
>
>> Sending Access-Request of id 167 to 195.220.94.130 port 1812
>> 	NAS-Port-Id = AP41/1
>> 	Calling-Station-Id = 74-2F-68-ED-12-1C
>> 	Called-Station-Id = 00-0B-0E-A9-58-80:eduroam
>> 	Service-Type = Framed-User
>> 	EAP-Message = 0x0201001a01756e69762d6c696c6c65332e6672406372752e6672
>> 	User-Name = univ-lille3...@cru.fr
>> 	NAS-Port = 61847
>>
>> Must this attribute be displayed?
>
> No: there is no User-Password. This is an EAP request. Credentials are sent inside the EAP-Message attribute, and strongly encrypted between the source (user device) and the home RADIUS server at cru.fr. As an intermediate party, this is all you will get.

This question was because someone asked it to me and I was not able to give an answer. Thanks a lot.

> Why are you interested in other users' passwords?
>
> Greetings,
>
> Stefan Winter
>
>> Thanks
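Stefan's answer can be checked against the debug output itself: decoding the EAP-Message value shows an EAP Response/Identity, which carries the outer identity and nothing else. The Python below is an added example, not code from the thread or from FreeRADIUS; `parse_eap_message` and `credentials_visible` are names chosen here, `REQUEST` is rebuilt from the attributes quoted above, and the EAP type table covers only a few common types.

```python
import struct

# EAP header codes and the EAP types most often seen in such logs (RFC 3748).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap_message(hex_value):
    """Decode one EAP-Message value as printed by radiusd -X (0x-prefixed hex).

    Returns the EAP header fields and, for an Identity packet, the identity.
    Any other Request/Response type only exposes its raw type data: the inner
    method's credentials are not readable from the outer packet."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP Length %d does not match %d bytes of data"
                         % (length, len(data)))
    info = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
            "id": ident, "length": length}
    if code in (1, 2):  # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        eap_type = data[4]
        info["type"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
        info["type_data"] = data[5:]
        if eap_type == 1:
            info["identity"] = data[5:].decode("utf-8", "replace")
    return info


def credentials_visible(attrs):
    """Given one Access-Request as a dict (one value per attribute; several
    EAP-Message fragments would be concatenated first), report what an
    intermediate RADIUS server can actually see of the user's credentials."""
    report = {"user_password": attrs.get("User-Password"),
              "eap_type": None, "eap_identity": None}
    if "EAP-Message" in attrs:
        eap = parse_eap_message(attrs["EAP-Message"])
        report["eap_type"] = eap.get("type")
        report["eap_identity"] = eap.get("identity")
    return report


# Access-Request rebuilt from the thread's debug output (relevant attributes).
REQUEST = {
    "NAS-Port-Id": "AP41/1",
    "Calling-Station-Id": "74-2F-68-ED-12-1C",
    "Called-Station-Id": "00-0B-0E-A9-58-80:eduroam",
    "Service-Type": "Framed-User",
    "EAP-Message": "0x0201001a01756e69762d6c696c6c65332e6672406372752e6672",
    "NAS-Port": 61847,
}
```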
HuntGroup in FR1
Hi.

I need to give users specific limitations based on where they connect to. I.e. I have two NAS where the user can roam to, but when he logs into NAS A he gets Max-Daily-Session := 60, while on B he has no daily limit.

Based on research, this should be done with Huntgroups. The current wiki page [1] doesn't explain very much...

I appended

  maxxer  NAS-IP-Address == 87.24.AA.BB

to /etc/freeradius/huntgroups. In radiusd.conf, preprocess section, I have

  huntgroups = ${confdir}/huntgroups

Running freeradius -x I see it reads the huntgroups file, but if I try logging in to the NAS at IP 87.24.AA.BB the user doesn't get any special property.

(Sadly) I'm (still) using FreeRadius 1.1.x.

What did I do wrong?

thanks

[1] http://wiki.freeradius.org/config/Huntgroups

--
Lorenzo Milesi - lorenzo.mil...@yetopen.it
GPG/PGP Key-Id: 0xE704E230 - http://keyserver.linux.it
Re: Freeradius CoA - Need Help
Nasser Heidari wrote:
> Can Anybody help me with this issue?

To send CoA packets, read raddb/sites-available/originate-coa

You choose the attributes to send like you choose any attributes to send. Use unlang, or a module...

Alan DeKok.
Re: Help Needed !!! FreeRADIUS Integration with MS AD
Hi,

Thanks for the suggestion. The below setup is now working for me.

I. Users are getting authenticated from the AD server
II. I have configured the switch to send the accounting logs to TACACS and it's working

But I am not able to see the value-attribute pair which I have passed. I can login to the switch with the AD user account, but I am landing at the prompt and the priv shows 1, whereas I have passed priv level 15, so I'm not sure how to fix this.

PFA the configuration files. Please help.

Regards,
/Neo

On Wed, Jan 23, 2013 at 12:00 AM, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Thanks. I have now configured freeradius and the Cisco switch is now getting authenticated against the AD user, but I can't see the commands executed in the switch by this user in the radius accounting log.
>
> follow the cisco docs for configuring your device for RADIUS accounting. and look up TACACS+
>
> alan

client localhost {
	ipaddr = 127.0.0.1
	secret = radiuspassword
}

client router1 {
	ipaddr = 192.168.0.1
	secret = radiuspassword
}

ldap {
	# Note that this needs to match the name in the LDAP
	# Server certificate, if you're using ldaps.
	server = 192.168.0.10
	identity = cn=neo,cn=users,dc=example,dc=com
	password = password123#
	basedn = cn=users,dc=example,dc=com
	filter = (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))

	# Group membership checking. Disabled by default.
	groupname_attribute = cn
	groupmembership_filter = (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))
	groupmembership_attribute = memberOf
}
Re: Help Needed !!! FreeRADIUS Integration with MS AD
Hi,

you need whitespace before the service-type and cisco VSA lines after your auth line (they are reply items, not check items) - if you run in debug mode (radiusd -X or freeradius -X on some distros) you can confirm from the output that the VSA/TLV are being sent to the client (switch). if they are, and you are still being dumped on the basic prompt, then you need to revisit the cisco docs and ensure that you have all the required AAA lines in place to allow admin/enable access after login (i.e. if FreeRADIUS is sending the right stuff, then it's a NAS configuration issue)

alan
Re: Help Needed !!! FreeRADIUS Integration with MS AD
Hi Alan,

Thanks for your reply. Do you mean the below in the users file?

cisco	Auth-Type := LDAP Service-Type = Administrative-User, cisco-avpair = "shell:priv-lvl=15"

Regards,
/Neo

On Thu, Jan 24, 2013 at 11:19 PM, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> you need whitespace before the service-type and cisco VSA lines after your auth line (they are reply items, not check items) - if you run in debug mode (radiusd -X or freeradius -X on some distros) you can confirm from the output that the VSA/TLV are being sent to the client (switch). if they are, and you are still being dumped on the basic prompt, then you need to revisit the cisco docs and ensure that you have all the required AAA lines in place to allow admin/enable access after login (i.e. if FreeRADIUS is sending the right stuff, then it's a NAS configuration issue)
>
> alan
Re: Help Needed !!! FreeRADIUS Integration with MS AD
pradyumna dash wrote:
> But I am not able to see the value-attribute pair which I have passed. I can login to the switch with the AD user account, but I am landing at the prompt and the priv shows 1, whereas I have passed priv level 15, so I'm not sure how to fix this.
>
> PFA the configuration files.

No. We don't care about the configuration. The FAQ, man page, and web pages say to post the output of radiusd -X.

It also helps for you to *read* the output of radiusd -X. A little bit of thought goes a long way.

Alan DeKok.
Re: HuntGroup in FR1
Lorenzo Milesi wrote:
> I need to give users specific limitations based on where they connect to. I.e. I have two NAS where the user can roam to, but when he logs into NAS A he gets Max-Daily-Session := 60, while on B he has no daily limit.
>
> Based on research, this should be done with Huntgroups. The current wiki page [1] doesn't explain very much...
>
> I appended
>
>   maxxer  NAS-IP-Address == 87.24.AA.BB
>
> to /etc/freeradius/huntgroups. In radiusd.conf, preprocess section, I have
>
>   huntgroups = ${confdir}/huntgroups
>
> Running freeradius -x I see it reads the huntgroups file, but if I try logging in to the NAS at IP 87.24.AA.BB the user doesn't get any special property.

You defined the huntgroup. You didn't *use* it to limit sessions.

In the users file:

DEFAULT	Huntgroup-Name == maxxer, Max-Daily-Session := 60

Alan DeKok.
Re: Help Needed !!! FreeRADIUS Integration with MS AD
Hi,

> Do you mean the below in the users file?
>
> cisco	Auth-Type := LDAP Service-Type = Administrative-User, cisco-avpair = "shell:priv-lvl=15"

no.

cisco	Auth-Type := LDAP
	Service-Type = Administrative-User,
	cisco-avpair = "shell:priv-lvl=15"

(see all the examples in the users file)

alan
RE: Dialup Admin
Furthermore to do this. In dialup admin, if I select accounting and run an accounting query, I can see accounting data listed in the tables: uptime, downloads, uploads, etc. However, if I edit the user, the connection status has no information and the open sessions show no sessions. Doesn't the data for all locations come from the same place? Is there anything that I need to do?

-----Original Message-----
From: freeradius-users-bounces+shawkys=ivox.com...@lists.freeradius.org [mailto:freeradius-users-bounces+shawkys=ivox.com...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, 27 June 2012 11:43 PM
To: FreeRadius users mailing list
Subject: Re: Dialup Admin

Shawky Skaff wrote:
> - When I view a session of a user, it says user "bla" has 0 open sessions, which is weird because the user is connected. Where does radius get this info from? Is there anything that I need to change to fix it?

It comes from the DB. The information in the DB comes from RADIUS accounting packets sent by the NAS.

To fix it, make sure that the NAS sends accounting packets.

> - Is radkill still used? Is there anywhere I can obtain this from? The ftp link in the wiki times out after a while.

I guess it's gone.

Alan DeKok.
Quick question about RFC 3579 2.6.5
Hi,

Well, RFC 3579 2.6.5 says: If EAP-Message, then there MUST NOT be a Reply-Message.

I understand the point on this based on the RFC. In my case (remember the eduroam design thread from a while back), I have several local Radius servers which proxy all requests to my central radius, which in turn performs the authn+z for the users, or forwards the request to the top level radius if the user does not belong to our organization (eduroam stuff, nothing new so far).

So, I would like, in case of an Access-Reject of OUR users, logging in to OUR schools, to send back a Reply-Message to the local radius in the outer reply, so the local admin knows why its user has been rejected. This would be logged and then stripped before the reply reaches the NAS. If it's an external user in our network, or one of our users but in an external network, then I won't add the Reply-Message.

Would this still be illegal and would I end up in jail? ;)

Olivier

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: oliv...@heliosnet.org