2.x.x and radtest: no IPv6?
Hi,

while using radtest, I got some strange results:

    # ./radtest swinter testpwd [::1] 123 testing123
    radclient: Failed to find IP address for host ::1: Success

    # ./radtest swinter testpwd ipv6-localhost 123 testing123
    radclient: Failed to find IP address for host ipv6-localhost: Success

ipv6-localhost is in my /etc/hosts.

I'd expect both of these to work... no brackets also doesn't work, but that was just my last straw and doesn't have to work anyway.

Does radtest not support IPv6? I could have sworn it did IPv6 earlier, but not totally sure.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ignoring request to authentication IPv6address
Hi,

I want to make all the IPv6 addresses in a network able to access the radius without specifying the individual IPs in client.conf, because I am using DHCP server assigned IPs for clients.

Whenever I add individual IPs it's working fine. But not with the below configuration in clients.conf.

    Client fd00:1:1:1::/63{
    secret=mykey
    }

But it throws the below error when I ran the radius in debug mode

    Ignoring request to authentication address :: port 1812 from unknown client fd00:1:1:1:191a:ddba:1784:e7c6 port 45297

My radius version is FreeRADIUS Version 2.1.7

Thanks if anyone gives a solution to this.

Regards,
MK
Re: 2.x.x and radtest: no IPv6?
Stefan Winter wrote:
> while using radtest, I got some strange results:
>
> # ./radtest swinter testpwd [::1] 123 testing123
> radclient: Failed to find IP address for host ::1: Success

It defaults to IPv4.

> # ./radtest swinter testpwd ipv6-localhost 123 testing123
> radclient: Failed to find IP address for host ipv6-localhost: Success
>
> ipv6-localhost is in my /etc/hosts.
>
> I'd expect both of these to work... no brackets also doesn't work, but that was just my last straw and doesn't have to work anyway.
>
> Does radtest not support IPv6? I could have sworn it did IPv6 earlier, but not totally sure.

ahem

    $ radtest -h
    Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
            -d RADIUS_DIR       Set radius directory
            -t type             Set authentication method
                                type can be pap, chap, mschap, or eap-md5
            -x                  Enable debug output
            -4                  Use IPv4 for the NAS address (default)
            -6                  Use IPv6 for the NAS address

Alan DeKok.
authentication by hostname
Hi,

sorry, I am completely new to Radius …

I want to change a FreeRadius server to authenticate a few hosts by their hostnames. The hostnames would be stored in a config file.

How could I do this?

This is the authentication request:

    rad_recv: Access-Request packet from host 10.10.10.21 port 54285, id=145, length=347
        Framed-MTU = 1480
        NAS-IP-Address = 10.10.10.21
        NAS-Identifier = HP-2520-24-PoE
        User-Name = host/MYHOSTNAME
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        NAS-Port-Id = 1
        Called-Station-Id = 84-34-97-de-df-80
        Calling-Station-Id = 00-1f-29-98-8d-41
        Connect-Info = CONNECT Ethernet 100Mbps Full duplex
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 201
        EAP-Message = 0x0201001401686f73742f544344452d3030303131
        Message-Authenticator = 0xe06791a76c819a3dc0f89c8baf2df141
        MS-RAS-Vendor = 11

Thanks for any help!

Take care,
Stefan
Re: authentication by hostname
Stefan Sticht wrote:
> I want to change a FreeRadius server to authenticate a few hosts by their hostnames. The hostnames would be stored in a config file.

That's not how RADIUS works.

> How could I do this?

You can't.

> This is the authentication request:
> ...
> EAP-Message = 0x0201001401686f73742f544344452d3030303131

That's EAP authentication. You can't bypass the authentication.

So... *why* do you want to do this? What other alternatives do you have?

Alan DeKok.
Re: 2.x.x and radtest: no IPv6?
On 22 Jul 2013, at 13:32, Stefan Winter stefan.win...@restena.lu wrote:
> Hi,
>
>>> Does radtest not support IPv6? I could have sworn it did IPv6 earlier, but not totally sure.
>>
>> ahem
>>
>>   -4 Use IPv4 for the NAS address (default)
>>   -6 Use IPv6 for the NAS address
>
> Uh. Sorry.
>
> Still... maybe for a later version... if the input looks like an IP address, guessing the address family isn't all that hard.
>
> I see that such a -4 -6 option is required for hostnames, but even then only if they return addresses for both families. ipv6-localhost only returns ::1. And ::1 successfully parses neither as an IPv4, nor a hostname, but as an IPv6 address. Both are unambiguous and could be auto-detected.
>
> That would add a little user-friendliness for users who didn't have enough sleep :-)

I've mentally scheduled a pass through modules in master to fix any places where it's IPv4 only, so I'll be sure to add that.

It'd be nice to get some feedback from people though... do you think you'll ever need to record both your NAS IPv4 and IPv6 addresses?

I'm guessing for dual stacking it'd be nice to record Framed-IP-Address and Framed-IPv6-Prefix, should they both be used to identify clients in areas like session management? It seems like the safest way of doing it to me.

But would it break things? What if the NAS started just using the SRC IPv6 address in packets, and source IP protection was enabled? Does this happen in the real world?

I don't have any experience managing an IPv6 enabled network. Does anyone else? Or is it all too new?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: 2.x.x and radtest: no IPv6?
Hi,

>> Does radtest not support IPv6? I could have sworn it did IPv6 earlier, but not totally sure.
>
> ahem
>
>   -4 Use IPv4 for the NAS address (default)
>   -6 Use IPv6 for the NAS address

Uh. Sorry.

Still... maybe for a later version... if the input looks like an IP address, guessing the address family isn't all that hard.

I see that such a -4 -6 option is required for hostnames, but even then only if they return addresses for both families. ipv6-localhost only returns ::1. And ::1 successfully parses neither as an IPv4, nor a hostname, but as an IPv6 address. Both are unambiguous and could be auto-detected.

That would add a little user-friendliness for users who didn't have enough sleep :-)

Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
Re: 2.x.x and radtest: no IPv6?
On 22/07/13 13:47, Arran Cudbard-Bell wrote:
> It'd be nice to get some feedback from people though... do you think you'll ever need to record both your NAS IPv4 and IPv6 addresses?
>
> I'm guessing for dual stacking it'd be nice to record Framed-IP-Address and Framed-IPv6-Prefix, should they both be used to identify clients in areas like session management? It seems like the safest way of doing it to me.

Yes. It's important to record them separately, and useful for the reasons you suggest.

> But would it break things? What if the NAS started just using the SRC IPv6 address in packets, and source IP protection was enabled? Does this happen in the real world?

Not sure I follow here; can you expand on this?

> I don't have any experience managing an IPv6 enabled network. Does anyone else? Or is it all too new?

It's complicated. I've replied to your email on -devel.
Re: 2.x.x and radtest: no IPv6?
On 22 Jul 2013, at 14:15, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 22/07/13 13:47, Arran Cudbard-Bell wrote:
>> It'd be nice to get some feedback from people though... do you think you'll ever need to record both your NAS IPv4 and IPv6 addresses?
>>
>> I'm guessing for dual stacking it'd be nice to record Framed-IP-Address and Framed-IPv6-Prefix, should they both be used to identify clients in areas like session management? It seems like the safest way of doing it to me.
>
> Yes. It's important to record them separately, and useful for the reasons you suggest.

For the NAS too? Or would it be OK to have a single attribute?

>> But would it break things? What if the NAS started just using the SRC IPv6 address in packets, and source IP protection was enabled? Does this happen in the real world?
>
> Not sure I follow here; can you expand on this?

Envisaging use in session identification. If the NAS was dumb, and was just looking at packets coming from one of its directly connected devices, and pulling off the SRC IP address and using it to enrich Accounting-Requests, you may have that IP change during the course of a session.

I doubt any NAS vendors are quite that stupid, but just wanted confirmation.

>> I don't have any experience managing an IPv6 enabled network. Does anyone else? Or is it all too new?
>
> It's complicated. I've replied to your email on -devel.

OK. Thanks.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Authorization failed in cisco switch
On Mon, Jul 22, 2013 at 04:44:29PM +0200, Marco Aresu wrote:
> here the debug after authentication:
>
> Found Auth-Type = PAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group PAP {...}
> [pap] login attempt with password secret
> [pap] Using CRYPT password $6$GW4SlOPp$TZhPalub.qyMY8Z9zU03FMz3A.hSv0b6ycuZT5bYeyG89HPb2Gm/FINd2pdtU79NkgYhE5TUgp5e5/w6iNA40/
> [pap] User authenticated successfully
> ++[pap] returns ok
> # Executing section post-auth from file /etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 70 to 172.31.61.224 port 1812
> ...

The RADIUS server sent an Access-Accept. That means that if you still can't get in, it's the switch that has the problem.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: 2.x.x and radtest: no IPv6?
Stefan Winter wrote:
> Still... maybe for a later version... if the input looks like an IP address, guessing the address family isn't all that hard.

Yeah patches? :)

> I see that such a -4 -6 option is required for hostnames, but even then only if they return addresses for both families. ipv6-localhost only returns ::1. And ::1 successfully parses neither as an IPv4, nor a hostname, but as an IPv6 address. Both are unambiguous and could be auto-detected.

Sure.

> That would add a little user-friendliness for users who didn't have enough sleep :-)

Yes.

Alan DeKok.
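The auto-detection proposed in this thread, sketched as an added example; it is not code from radtest, radclient or the FreeRADIUS tree. The names `guess_family`, `split_host`, `FAMILY_AMBIGUOUS` and `FAMILY_UNKNOWN` are hypothetical, and the sample arguments in `main` are constructed from the ones quoted above.

```c
/* Added example: guess the address family of a radtest-style server argument. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for getaddrinfo() under strict -std= modes */
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical result codes for inputs that do not map to a single family. */
enum { FAMILY_AMBIGUOUS = -1, FAMILY_UNKNOWN = -2 };

/* Copy the bare host out of "host", "host:port", "[v6]" or "[v6]:port". */
static int split_host(const char *in, char *out, size_t outlen)
{
    size_t len;

    if (in[0] == '[') {
        const char *end = strchr(in, ']');
        if (!end || (end[1] != '\0' && end[1] != ':'))
            return -1;                      /* unbalanced or trailing junk */
        in++;
        len = (size_t)(end - in);
    } else {
        const char *colon = strchr(in, ':');
        /* Exactly one ':' is host:port; two or more is a bare IPv6 literal. */
        if (colon && strchr(colon + 1, ':') == NULL)
            len = (size_t)(colon - in);
        else
            len = strlen(in);
    }
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, in, len);
    out[len] = '\0';
    return 0;
}

/* Returns AF_INET, AF_INET6, FAMILY_AMBIGUOUS or FAMILY_UNKNOWN. */
int guess_family(const char *server)
{
    char host[256];
    unsigned char addr[sizeof(struct in6_addr)];
    struct addrinfo hints, *res, *ai;
    int seen4 = 0, seen6 = 0;

    if (split_host(server, host, sizeof(host)) < 0)
        return FAMILY_UNKNOWN;

    /* Literals are unambiguous: at most one of these parses succeeds. */
    if (inet_pton(AF_INET, host, addr) == 1)
        return AF_INET;
    if (inet_pton(AF_INET6, host, addr) == 1)
        return AF_INET6;

    /* Hostname: an explicit -4/-6 is only needed if both families come back. */
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_DGRAM;         /* RADIUS runs over UDP */
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return FAMILY_UNKNOWN;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        if (ai->ai_family == AF_INET)  seen4 = 1;
        if (ai->ai_family == AF_INET6) seen6 = 1;
    }
    freeaddrinfo(res);
    if (seen4 && seen6)
        return FAMILY_AMBIGUOUS;
    return seen4 ? AF_INET : seen6 ? AF_INET6 : FAMILY_UNKNOWN;
}

int main(void)
{
    /* Constructed inputs, modelled on the arguments quoted in the thread. */
    const char *samples[] = { "::1", "[::1]", "[::1]:1812", "127.0.0.1:1812", "[::1" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int f = guess_family(samples[i]);
        printf("%-16s -> %s\n", samples[i],
               f == AF_INET ? "IPv4 (-4)" : f == AF_INET6 ? "IPv6 (-6)" :
               f == FAMILY_AMBIGUOUS ? "both, ask the user" : "unknown");
    }
    return 0;
}
```
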
Re: 2.x.x and radtest: no IPv6?
On 22/07/13 14:32, Arran Cudbard-Bell wrote:
> On 22 Jul 2013, at 14:15, Phil Mayers p.may...@imperial.ac.uk wrote:
>> On 22/07/13 13:47, Arran Cudbard-Bell wrote:
>>> It'd be nice to get some feedback from people though... do you think you'll ever need to record both your NAS IPv4 and IPv6 addresses?
>>>
>>> I'm guessing for dual stacking it'd be nice to record Framed-IP-Address and Framed-IPv6-Prefix, should they both be used to identify clients in areas like session management? It seems like the safest way of doing it to me.
>>
>> Yes. It's important to record them separately, and useful for the reasons you suggest.
>
> For the NAS too? Or would it be OK to have a single attribute?

Good question. Not sure on that one - I think most NASes treat an IPv4 and IPv6 RADIUS server as a separate server, so I guess treating it as a separate client is no big problem.

OTOH two columns == less rows for dual-stack NAS.

My guess is dual-stack NAS-RADIUS is going to be rare.

>>> But would it break things? What if the NAS started just using the SRC IPv6 address in packets, and source IP protection was enabled? Does this happen in the real world?
>>
>> Not sure I follow here; can you expand on this?
>
> Envisaging use in session identification. If the NAS was dumb, and was just looking at packets coming from one of its directly connected devices, and pulling off the SRC IP address and using it to enrich Accounting-Requests, you may have that IP change during the

Ah, gotcha.

> course of a session.

Some NASes already do something similar with Framed-IP-Address only being present in some acct packets. We handle this with:

    update radacct set
      ...
      framedipaddress=coalesce(nullif('%{..}', ''), framedipaddress)
      ...

...which is basically use the IP from the packet if set, or on the existing row if unset
Re: Authorization failed in cisco switch
Marco Aresu wrote:
> i am getting some problem with authorization in free radius
> i configured the users file as below :
>
> DEFAULT Auth-Type := System cisco Auth-Type := System Service-Type = NAS-Prompt-User cisco-avpair = shell:priv-lvl=15,

Is it *exactly* that? i.e. did you format the entries correctly?

> When i try to login into a switch i receive the error : Authorization Failed and during the debug i've got :
>
> # Executing section post-auth from file /etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> [++[reply_log] returns ok
> ++[exec] returns noop

You have rather a lot more than that.

The whole point of the debug output is to READ IT. ALL of it. What ELSE does it say?

Does the server return an Access-Accept? If so, blame the switch. Otherwise, READ THE DEBUG OUTPUT to see what's going on.

Alan DeKok.
Re: Authorization failed in cisco switch
here the debug after authentication:

    Found Auth-Type = PAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group PAP {...}
    [pap] login attempt with password secret
    [pap] Using CRYPT password $6$GW4SlOPp$TZhPalub.qyMY8Z9zU03FMz3A.hSv0b6ycuZT5bYeyG89HPb2Gm/FINd2pdtU79NkgYhE5TUgp5e5/w6iNA40/
    [pap] User authenticated successfully
    ++[pap] returns ok
    # Executing section post-auth from file /etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 70 to 172.31.61.224 port 1812
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 70 with timestamp +12
    Ready to process requests.

i don't understand when he tried to find the authorization because if i add a comment in the row of the user in the Users file, i get the same error.

Marco Aresu

On 22 July 2013 16:37, Alan DeKok al...@deployingradius.com wrote:
> Marco Aresu wrote:
>> i am getting some problem with authorization in free radius
>> i configured the users file as below :
>>
>> DEFAULT Auth-Type := System cisco Auth-Type := System Service-Type = NAS-Prompt-User cisco-avpair = shell:priv-lvl=15,
>
> Is it *exactly* that? i.e. did you format the entries correctly?
>
>> When i try to login into a switch i receive the error : Authorization Failed and during the debug i've got :
>>
>> # Executing section post-auth from file /etc/raddb/sites-enabled/default
>> +- entering group post-auth {...}
>> [++[reply_log] returns ok
>> ++[exec] returns noop
>
> You have rather a lot more than that.
>
> The whole point of the debug output is to READ IT. ALL of it. What ELSE does it say?
>
> Does the server return an Access-Accept? If so, blame the switch. Otherwise, READ THE DEBUG OUTPUT to see what's going on.
>
> Alan DeKok.
Authorization failed in cisco switch
Hi All

i am getting some problem with authorization in free radius

i configured the users file as below :

    DEFAULT Auth-Type := System cisco Auth-Type := System Service-Type = NAS-Prompt-User cisco-avpair = shell:priv-lvl=15,

When i try to login into a switch i receive the error : Authorization Failed and during the debug i've got :

    # Executing section post-auth from file /etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    [++[reply_log] returns ok
    ++[exec] returns noop

Can someone help me?

thanks

Marco Aresu
Re: Authorization failed in cisco switch
Marco Aresu wrote:
> here the debug after authentication:

If you're not going to follow instructions, you shouldn't be posting questions on this list.

Since you're not willing to post the full debug output here, we can't help you. Go read it yourself.

> i don't understand when he tried to find the authorization because if i add a comment in the row of the user in the Users file, i get the same error.

If only there was some way for you to figure out what the server was doing. Like maybe a debug mode? That would be wonderful.

Alan DeKok.
Re: Authorization failed in cisco switch
the only file to edit for the authorization is the Users file?

thanks

Marco

Marco Aresu

On 22 July 2013 17:03, Alan DeKok al...@deployingradius.com wrote:
> Marco Aresu wrote:
>> here the debug after authentication:
>
> If you're not going to follow instructions, you shouldn't be posting questions on this list.
>
> Since you're not willing to post the full debug output here, we can't help you. Go read it yourself.
>
>> i don't understand when he tried to find the authorization because if i add a comment in the row of the user in the Users file, i get the same error.
>
> If only there was some way for you to figure out what the server was doing. Like maybe a debug mode? That would be wonderful.
>
> Alan DeKok.
Re: Authorization failed in cisco switch
i created two users on freeradius server and when i tried to login with the new user that is not specified in the USERS file i've got the same error

Authorization Failed

I think that i am editing the wrong USERS file but the directory is /etc/raddb/users

Marco Aresu

On 22 July 2013 17:19, Matthew Newton m...@leicester.ac.uk wrote:
> On Mon, Jul 22, 2013 at 04:44:29PM +0200, Marco Aresu wrote:
>> here the debug after authentication:
>>
>> Found Auth-Type = PAP
>> # Executing group from file /etc/raddb/sites-enabled/default
>> +- entering group PAP {...}
>> [pap] login attempt with password secret
>> [pap] Using CRYPT password $6$GW4SlOPp$TZhPalub.qyMY8Z9zU03FMz3A.hSv0b6ycuZT5bYeyG89HPb2Gm/FINd2pdtU79NkgYhE5TUgp5e5/w6iNA40/
>> [pap] User authenticated successfully
>> ++[pap] returns ok
>> # Executing section post-auth from file /etc/raddb/sites-enabled/default
>> +- entering group post-auth {...}
>> ++[exec] returns noop
>> Sending Access-Accept of id 70 to 172.31.61.224 port 1812
>> ...
>
> The RADIUS server sent an Access-Accept. That means that if you still can't get in, it's the switch that has the problem.
>
> Matthew
>
> --
> Matthew Newton, Ph.D. m...@le.ac.uk
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: LDAP authentication filter based on source SSID
Yes it does. We found the solution by creating a rule that maps all the BSSID related to some SSID and then we do a specific filter to LDAP, so we did it for every SSID.

Thanks for the help!

Sincerely,

Gustavo Vieira Oliveira
GETIC - Gerência de Tecnologia da Informação
SUSERV - Superintendência de Serviços Compartilhados
Sistema FIESC
Rod. Admar Gonzaga, 2765 - Itacorubi - 88034-001 - Florianópolis - SC
Phone (48) 32314699 - Ext. 44699
http://www.sistemafiesc.com.br

On 12/07/2013 12:57, Alan Buxey wrote:
> Does it use a different called station id mac for each ssid?
>
> alan
User-Name containing a $
Is there a way to tell radius to not do something based on the User-Name containing a $ ? I am doing dynamic VLAN assignment and I'd like to skip that for computer logins. I looked at unlang and I didn't see a way to check for a character in a username.

Tena Gore
Senior Network Administrator
Technology Support Services
Fairfield-Suisun Unified School District
te...@fsusd.org
707-399-1200
Re: User-Name containing a $
Nevermind, I figured out a way to do what I needed. Thanks!

Tena Gore
Senior Network Administrator
Technology Support Services
Fairfield-Suisun Unified School District
te...@fsusd.org
707-399-1200

On Mon, Jul 22, 2013 at 11:20 AM, Tena Gore te...@fsusd.org wrote:
> Is there a way to tell radius to not do something based on the User-Name containing a $ ? I am doing dynamic VLAN assignment and I'd like to skip that for computer logins. I looked at unlang and I didn't see a way to check for a character in a username.
>
> Tena Gore
> Senior Network Administrator
> Technology Support Services
> Fairfield-Suisun Unified School District
> te...@fsusd.org
> 707-399-1200
AW: Authorization failed in cisco switch
Hi,

you are sending the wrong attributes or your switch config is not correct.

The switch needs for authorization only these two attributes:

    Service-Type := Login
    Cisco-AVPair := shell:priv-lvl=15

And this is the working aaa config:

    aaa new-model
    aaa authentication login default group radius local
    aaa authorization exec default group radius local
    radius-server host 192.168.17.50 auth-port 1812 acct-port 1813 key 0 testing123

that's working on a WS-C2960-24TC-L with C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE

best regards,
Max
Re: User-Name containing a $
Hi,

> Is there a way to tell radius to not do something based on the User-Name containing a $ ? I am doing dynamic VLAN assignment and I'd like to skip that for computer logins. I looked at unlang and I didn't see a way to check for a character in a username.

use unlang regex check...you'll need to escape the $ as that's end of line for regex.

hosts should be matched with eg

    if (User-Name =~ /^host\/.*\\.YOUR\\.AD\\.REALM$/i) {
        stuff goes here
    }

alan
Re: 2.x.x and radtest: no IPv6?
Hi,

> Still... maybe for a later version... if the input looks like an IP address, guessing the address family isn't all that hard.

unlike your using IPv4 in its IPv6 incantation

> What if the NAS started just using the SRC IPv6 address in packets, and source IP protection was enabled?

well, then things might be interesting. if the NAS was configured to talk to an IPv6 RADIUS server then I'd expect it to be using its IPv6 source address and if you have DAI/etc on the network then that would have to be factored in

> I don't have any experience managing an IPv6 enabled network. Does anyone else? Or is it all too new?

new? it's been around for more than the lifetime of some people on this list! ;-)

you'll probably have noticed that any stuff from us here has the fallback if IPv6 isn't present - so the usual Framed-Address/NAS-IP-Address assumptions all have to be checked in the server/config - I first started noting these issues when we configured remote systems to talk to our IPv6 addresses - finding top-level entries in /var/log/radiusd/ because the IPv4 stuff was missing

oh yes, warning needed to ensure that the filesystem you use likes : in filenames! ;-)

alan
Re: 2.x.x and radtest: no IPv6?
Hi,

> My guess is dual-stack NAS-RADIUS is going to be rare.

ummm. take a hold on that assertion. the joy of dual-stack deployment is that you need to ensure your servers are ready on IPv4 and IPv6 - and as part of that, you need to ensure that you're using both methods in case either your IPv4 goes...or your IPv6 goes.

we use both IPv4 and IPv6 on our kit...and our servers are configured for both..as are our NAS kit that can do IPv6 for RADIUS (we had some discussion about the best fall-over order to use..which in itself is interesting)

my personal view is that network/sys admins who are avoiding IPv6 as much as they can are just storing themselves up for a whole lot of pain later when it's forced onto them by internet evolution...embrace the IPv6 now whilst you can do it in your own time. it's not like you haven't been given over 15 years of advance notice ;-)

alan
Re: [ANN] Version 3.0.0-rc0
FYI I've packaged this for Fedora and built it for rawhide (rawhide is current development which spawns the next Fedora release).

You can download the rawhide packages and/or the SRPM from the Koji build:

http://koji.fedoraproject.org/koji/buildinfo?buildID=436791

You probably will not be able to simply install the rawhide packages on a current Fedora release due to dependencies/conflicts (not something I've tried). But you can always rebuild the SRPM using rpmbuild.

The first Fedora release 3.0 will appear in will be F20 because we don't introduce major new versions of packages in existing releases (especially if they are not configuration compatible). FWIW the F19 train just pulled away from the station so unfortunately it's too late for F19.

HTH,

John

--
John
RE: User-Name containing a $
Alan,

You've reminded me of a question I've been meaning to ask. Your previous answer gives an example using the unlang regex syntax, including the case-insensitive operator at the end. But I was hoping to find an elegant way to do case-insensitive matching in proxy.conf, where the comments admit that the syntax breaks the rules of unlang regex matching. Putting an 'I' at the end hasn't worked for me.

I'd love to do this:

    realm ~FOO\\.EDU$i {
        stuff here
    }

Is the case-insensitive behavior supported in proxy.conf?

Thanks,
Steve

-Original Message-

Alan sagely explained:

> use unlang regex check...you'll need to escape the $ as that's end of line for regex.
>
> hosts should be matched with eg
>
>     if (User-Name =~ /^host\/.*\\.YOUR\\.AD\\.REALM$/i) {
>         stuff goes here
>     }
>
> alan
coa
hi everybody,

I wanna implement COA (Change Of Authorization) in freeradius. I have a live session of a device, I wanna disconnect this device forcefully. I issued the following command

    echo Acct-Session-Id=1B1E97C3,User-Name=002682615F4E@test_cpe.com,NAS-IP-Address=2.2.2.2 | radclient -x 2.2.2.2:3799 disconnect 'huaweiaaa'

but it gives the error of missing attribute. Can anybody tell me what is the issue.

Thanks

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
Re: coa
Go back and read the manual from your nas provider as they should tell you what attributes they need in the coa payload.

On 23/07/2013 4:50 PM, Muhammad Nadeem mnadeem8...@gmail.com wrote:
> hi everybody,
>
> I wanna implement COA (Change Of Authorization) in freeradius. I have a live session of a device, I wanna disconnect this device forcefully. I issued the following command
>
>     echo Acct-Session-Id=1B1E97C3,User-Name=002682615F4E@test_cpe.com,NAS-IP-Address=2.2.2.2 | radclient -x 2.2.2.2:3799 disconnect 'huaweiaaa'
>
> but it gives the error of missing attribute. Can anybody tell me what is the issue.
>
> Thanks
>
> --
> Best Regards
> Muhammad Nadeem
> Muhammad Ali Jinnah University
RE: coa
Hi Muhammad

Try put in a file

    Acct-Session-Id=1B1E97C3
    User-Name=002682615F4E@test_cpe.com
    NAS-IP-Address=2.2.2.2

    cat file | radclient -x 2.2.2.2:3799 disconnect 'huaweiaaa'

See how it goes

Send all the output here so we can help

Tiffany

From: freeradius-users-bounces+tiffany.pasisir=countrytell.com.au@lists.freeradius.org [mailto:freeradius-users-bounces+tiffany.pasisir=countrytell.com...@lists.freeradius.org] On Behalf Of Muhammad Nadeem
Sent: Tuesday, 23 July 2013 2:50 PM
To: FreeRadius users mailing list
Subject: coa

hi everybody,

I wanna implement COA (Change Of Authorization) in freeradius. I have a live session of a device, I wanna disconnect this device forcefully. I issued the following command

    echo Acct-Session-Id=1B1E97C3,User-Name=002682615F4E@test_cpe.com,NAS-IP-Address=2.2.2.2 | radclient -x 2.2.2.2:3799 disconnect 'huaweiaaa'

but it gives the error of missing attribute. Can anybody tell me what is the issue.

Thanks

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University