Minor update glitch in FR 2.1.12 rpm (CentOS/RH)
Just an FYI (sorry if this has already been covered): If you update FR via yum in CentOS or RedHat, as is usual practice with RPMs, conf files that have been modified are not overwritten, so the new version is installed with an .rpmnew suffix. This works great for most of the config files, but not the modules. For some reason, the .rpmnew module file is loaded instead of the original one:

    including configuration file /etc/raddb/modules/ldap.rpmnew

The original module is there, but not loaded at run time... perhaps because it sees the .rpmnew one first?

Fixing it is trivial, of course, once you see what the problem is, but I thought perhaps the rpm maintainers or FR developers might want to be made aware of it.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
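The post above describes the trap: a directory-style include such as `$INCLUDE ${confdir}/modules/` reads whatever the package manager left in that directory, so `ldap.rpmnew` gets parsed next to `ldap`. The following is an added example, not code from the post or from the FreeRADIUS project: a POSIX sh check to run after `yum update` (or from a deploy script) that lists rpm/dpkg leftovers, editor backups and hidden files sitting directly in the given raddb directories, and says which existing file each one duplicates. It assumes only what the post reports (that `.rpmnew` copies are read); it does not assume which other names the server skips, so it lists everything unusual for inspection. The suffix list and the `/etc/raddb` paths in the usage comment are my own choices.

```shell
#!/bin/sh
# Added example, not from the list post or the FreeRADIUS project: find files
# in raddb directories that a package manager or an editor left behind.  A
# directory-style include such as "$INCLUDE ${confdir}/modules/" picks files
# up by directory listing, so ldap.rpmnew is parsed next to ldap (the
# behaviour the post reports).  Which other names the server ignores is not
# assumed here; everything unusual is listed so a human can decide.

# find_stray_config_files DIR...
# Prints "<path> (<reason>[, shadows <original>])" for each suspicious file
# found directly in the given directories.  Returns 0 if nothing was found,
# 1 otherwise, so it can gate a deploy or restart script.
find_stray_config_files() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for path in "$dir"/* "$dir"/.*; do
            [ -f "$path" ] || continue
            name=${path##*/}
            case "$name" in
                *.rpmnew|*.rpmsave|*.rpmorig)      reason="rpm leftover" ;;
                *.dpkg-new|*.dpkg-old|*.dpkg-dist) reason="dpkg leftover" ;;
                *.bak|*.orig|*.old|*~)             reason="editor/backup copy" ;;
                .*)                                reason="hidden file" ;;
                *)                                 continue ;;
            esac
            # Name of the file this copy duplicates, if it is still present.
            case "$name" in
                *~) stem=${name%\~} ;;
                *)  stem=${name%.*} ;;
            esac
            if [ -n "$stem" ] && [ -f "$dir/$stem" ]; then
                printf '%s (%s, shadows %s)\n' "$path" "$reason" "$stem"
            else
                printf '%s (%s)\n' "$path" "$reason"
            fi
            found=1
        done
    done
    return "$found"
}

# Typical use after "yum update freeradius" (paths as in the post; assumed):
# find_stray_config_files /etc/raddb /etc/raddb/modules /etc/raddb/sites-enabled
```

Run it before restarting radiusd; a non-zero exit means something in raddb would be read that nobody reviewed. Resolving a `shadows` entry means diffing the two copies, merging the new defaults into the edited file, and deleting the `.rpmnew` copy, not just the reverse.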
Pool-Name attribute issue WAS Re: Unknown Auth-Type LDAP in authenticate sub-section
On Sat, Mar 10, 2012 at 5:29 AM, u...@3.am wrote:

So to save lots of time and configuration problems: does your LDAP store user passwords in clear text or any common hash (e.g. md5, unix)? If yes, AND you know what the LDAP attribute is, you don't even need an LDAP section in authenticate.

Mostly crypt, but I've seen a few SSHA hashes. I know the LDAP attribute as well. Assuming those hashes are common enough, what do I need to do?

If the hash is supported (see http://wiki.freeradius.org/Protocol%20Compatibility), you only need to make sure FR sees it in the right place. See ldap.attrmap.

I should point out that I had been using:

    DEFAULT Auth-Type = Ldap

in the users file as well on the two older servers, despite docs that say that it is almost always wrong, but it was the only way we got it working.

If you have the attribute, and the hash is supported, you shouldn't need that.

I've taken that out on the new 2.1.12 install and now a typical DEFAULT entry looks like this:

    DEFAULT Group == FOO, Pool-Name := FOO_pool

It seems to instantiate the module ok:

    Module: Linked to module rlm_ippool
    Module: Instantiating module FOO_pool from file /usr/etc/raddb/radiusd.conf
     ippool FOO_pool {
        session-db = /usr/etc/raddb/db.FOO_ippool
        ip-index = /usr/etc/raddb/db.FOO_ipindex
        key = %{NAS-IP-Address} %{NAS-Port}
        range-start = 172.17.0.101
        range-stop = 172.17.0.253
        netmask = 255.255.255.0
        cache-size = 251
        override = yes
        maximum-timeout = 0

The Access-Request packet looks ok:

    Framed-Protocol = PPP
    User-Name = someuser
    User-Password = somepassword
    NAS-Port-Type = Virtual
    NAS-Port = 2
    NAS-Port-Id = Uniq-Sess-ID2
    Service-Type = Framed-User
    NAS-IP-Address = some pptp cisco device

LDAP authentication then succeeds as it should.

    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = ldap1

LDAP bind is then successful as it should be, but then:

    # Executing section post-auth from file /usr/etc/raddb/sites-enabled/default
    [FOO_pool] Could not find Pool-Name attribute.
    ++[FOO_pool] returns noop

I assume I must be doing something wrong now with the users file entry. The old, working one was this:

    DEFAULT Group == FOO, Pool-Name := FOO_pool, Auth-Type = Ldap
            Framed-Protocol == PPP, Framed-Compression = Van-Jacobson-TCP-IP

The new one is currently:

    DEFAULT Group == FOO, Pool-Name := FOO_pool

I have tried Framed-Protocol = PPP (is this still desired for PPTP, BTW?), and I have tried setting:

    Service-Type = Framed-User

at the beginning and end of the line, same for Login-User, but the "Could not find Pool-Name attribute" persists. The config files are all the same as the older versions (2.1.09-.10). The pool name is listed in the accounting and post-auth sections of sites-enabled/default.

Appreciate any clues as to what I missed.
Re: Pool-Name attribute issue WAS Re: Unknown Auth-Type LDAP in authenticate sub-section
On 12/03/12 15:44, u...@3.am wrote:

    DEFAULT Group == FOO, Pool-Name := FOO_pool

Group is probably empty. I can't remember what module, if any, fills it out. What do you *think* Group will contain? It won't contain LDAP groups.

I was about to post about this... I just did a test with this entry:

    someuser    Pool-Name := FOO_pool

and it got an IP from the pool just fine, so you're right, the problem lies with Group. It is a legacy entry, left over from before we switched from PAM/unix to LDAP. It continued to work even after removing all of the unix group entries, and still continues to work when we add new LDAP groups and LDAP users to that group. How it gets that is something I don't know... there's no ldap.attrmap entry for it on the older, working servers. I take it I will need to map the LDAP attribute PosixGroup to something?
Re: Pool-Name attribute issue WAS Re: Unknown Auth-Type LDAP in authenticate sub-section
Hi,

    DEFAULT Group == FOO, Pool-Name := FOO_pool

Group is probably empty. I can't remember what module, if any, fills it out.

    # The Group and Group-Name attributes are automatically created by
    # the Unix module, and do checking against /etc/group automatically.
    # This means that you CANNOT use Group or Group-Name to do any other
    # kind of grouping in the server. You MUST define a new group
    # attribute.

...that's probably the one :-)

...and you just hit on something that solved the problem. It seems that FR was getting the group info from LDAP indirectly, through the PAM module, which was configured using authconfig. Running authconfig pointing to the local LDAP server solved the problem.

    /etc/pam.d/system-auth
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so

Dovecot, sshd and other apps transparently use LDAP this way. I didn't think FR did (and maybe it doesn't completely), because I seem to recall trying to get it to work on an older version (using Auth-Type=PAM) that way with no luck... but that was a while ago.
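The resolution above is worth spelling out because it is a security-relevant coupling: a users-file check item like `Group == FOO` is not answered by rlm_ldap or anything in raddb, but by the Unix module through the host's name service (the same /etc/group and nsswitch.conf path that pam_ldap/nss_ldap, set up by authconfig, plug LDAP into). Change nsswitch.conf or the NSS LDAP server and every `Group ==` line in the RADIUS policy silently changes meaning. The following is an added example, not code from the thread or from FreeRADIUS: a POSIX sh function that reproduces that lookup so the decision can be checked on the RADIUS host itself (with `getent`, i.e. the live NSS answer) or against constructed group/passwd files offline. It assumes the usual Unix rule that a user is a member when the group's member list names the user or when the group is the user's primary group; the file paths and user names in the comments are invented.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: reproduce what a
# users-file check item "Group == FOO" actually tests.  Per the comment quoted
# above, Group is handled by the Unix module against /etc/group, i.e. through
# the host's NSS (getgrnam/getpwnam), which is why nss/pam_ldap configured by
# authconfig made LDAP groups "work" without any rlm_ldap mapping.
# Assumption: a user counts as a member when the group's member list names
# the user, or when the group is the user's primary group.

# unix_group_member USER GROUP [GROUP_FILE] [PASSWD_FILE]
# With no files given, looks the entries up through NSS with getent (the live
# answer radiusd would get on this host).  Pass /etc/group- and /etc/passwd-
# style files to check a constructed database offline.
# Returns 0 = member, 1 = not a member, 2 = group not found.
unix_group_member() {
    user=$1 group=$2 group_file=$3 passwd_file=$4
    if [ -n "$group_file" ]; then
        grp=$(grep "^$group:" "$group_file" || true)
    else
        grp=$(getent group "$group" || true)
    fi
    [ -n "$grp" ] || return 2
    gid=$(printf '%s\n' "$grp" | cut -d: -f3)
    members=$(printf '%s\n' "$grp" | cut -d: -f4)
    # Secondary membership: the user is named in the group's member list.
    if printf '%s\n' "$members" | tr ',' '\n' | grep -qx "$user"; then
        return 0
    fi
    # Primary membership: the user's passwd gid equals the group's gid.
    if [ -n "$passwd_file" ]; then
        pw=$(grep "^$user:" "$passwd_file" || true)
    else
        pw=$(getent passwd "$user" || true)
    fi
    [ -n "$pw" ] || return 1
    [ "$(printf '%s\n' "$pw" | cut -d: -f4)" = "$gid" ]
}

# Example: what would "Group == FOO" decide for bob on this host right now?
# if unix_group_member bob FOO; then echo "bob matches Group == FOO"; fi
```

Because the live form goes through `getent`, running it as the same user radiusd runs as, on the RADIUS host, shows exactly the group data the server sees; if the answer changes after an nsswitch.conf or authconfig edit, so does the pool assignment, which is the argument for the quoted comment's advice to define a dedicated group attribute instead of relying on `Group`.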
Re: Unknown Auth-Type LDAP in authenticate sub-section
On Sat, Mar 10, 2012 at 10:47 AM, u...@3.am wrote:

Both hashes are supported, thanks for the link. I assume I need to define something to map to, as well? Like this:

    raddb/dictionary:
    ATTRIBUTE userPassword 3004 string

err... no.

    raddb/ldap.attrmap:
    checkItem User-Password userPassword

Is your LDAP attribute storing the password called userPassword? If yes, you shouldn't need to do anything as it's already mapped to the correct attribute in ldap.attrmap:

    checkItem Password-With-Header userPassword

Ah... it seems that my ldap.attrmap is from an older version of FreeRADIUS that didn't have it. I had copied it over to the new raddb/ because I now have those custom POSIX expiry attributes that you and others helped me with. We generally try to use the entire existing raddb/ dir when we upgrade FR, because our configuration has gotten pretty complex (to us, anyway), but I guess this isn't always a good idea.

Thanks again for your help!
Unknown Auth-Type LDAP in authenticate sub-section
Hi: Trying to set up a new RADIUS 2.1.12 server with LDAP. It configured and built all the modules I need, including rlm_ldap, once I installed the dependencies. I took all of the same config files that I have working on servers running 2.1.9 and 2.1.10, but 2.1.12 rlm_ldap doesn't seem to finish instantiating. Here's most of the debug: FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on Mar 8 2012 at 21:44:43 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/etc/raddb/radiusd.conf including configuration file /usr/etc/raddb/clients.conf including configuration file /usr/etc/raddb/eap.conf including configuration file /usr/etc/raddb/policy.conf including files in directory /usr/etc/raddb/sites-enabled/ including configuration file /usr/etc/raddb/sites-enabled/inner-tunnel including configuration file /usr/etc/raddb/sites-enabled/default main { user = root group = wheel allow_core_dumps = no } including dictionary file /usr/etc/raddb/dictionary main { name = radiusd prefix = /usr localstatedir = /usr/var sbindir = /usr/sbin logdir = /var/log/radius run_dir = /usr/var/run/radiusd libdir = /usr/lib radacctdir = /var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = /usr/var/run/radiusd/radiusd.pid checkrad = /usr/sbin/checkrad debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 5 status_server = yes } } radiusd: Loading Realms and Home Servers radiusd: Loading Clients client localhost { SNIP CLIENTS radiusd: Instantiating modules instantiate { Module: Linked to module rlm_exec Module: Instantiating module 
exec from file /usr/etc/raddb/radiusd.conf exec { wait = yes input_pairs = request shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module expr from file /usr/etc/raddb/radiusd.conf Module: Linked to module rlm_expiration Module: Instantiating module expiration from file /usr/etc/raddb/radiusd.conf expiration { reply-message = Password Has Expired } Module: Linked to module rlm_logintime Module: Instantiating module logintime from file /usr/etc/raddb/radiusd.conf logintime { reply-message = You are calling outside your allowed timespan minimum-timeout = 60 } } radiusd: Loading Virtual Servers server { # from file /usr/etc/raddb/radiusd.conf modules { Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module pap from file /usr/etc/raddb/radiusd.conf pap { encryption_scheme = auto auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module chap from file /usr/etc/raddb/radiusd.conf Module: Linked to module rlm_mschap Module: Instantiating module mschap from file /usr/etc/raddb/radiusd.conf mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_pam Module: Instantiating module pam from file /usr/etc/raddb/radiusd.conf pam { pam_auth = radiusd-auth } Module: Linked to module rlm_unix Module: Instantiating module unix from file /usr/etc/raddb/radiusd.conf unix { radwtmp = /var/log/radius/radwtmp } Module: Linked to module rlm_ldap Module: Instantiating module ldap1 from file /usr/etc/raddb/radiusd.conf ldap ldap1 { server = ldap1.domain.com port = 389 password = identity = net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = allow tls { start_tls = no require_cert = allow } basedn = dc=domain,dc=com filter = (uid=%{Stripped-User-Name:-%{User-Name}}) base_filter = (objectclass=radiusprofile) 
auto_header = no access_attr_used_for_allow = yes groupname_attribute = cn groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) dictionary_mapping = /usr/etc/raddb/ldap.attrmap ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes
Re: Unknown Auth-Type LDAP in authenticate sub-section
u...@3.am wrote:

Trying to set up a new RADIUS 2.1.12 server with LDAP. It configured and built all the modules I need, including rlm_ldap, once I installed the dependencies. I took all of the same config files that I have working on servers running 2.1.9 and 2.1.10, but 2.1.12 rlm_ldap doesn't seem to finish instantiating. Here's most of the debug:

You edited the default configuration and broke it. You deleted the default ldap module. You added ldap1 and ldap2. Then, the authenticate section refers to ldap, which doesn't exist. Make sure that you refer to modules which exist.

That's the first thing I checked in raddb/sites-available/default but ldap is commented out in the auth (and accounting) section. Here is what I have, which at this point is the entire raddb directory lifted out of two older versions that are running fine:

    authorize {
        preprocess
        redundant LDAP {
            ldap1
            ldap2
        }
        # The ldap module will set Auth-Type to LDAP if it has not
        # already been set
        # ldap

    authenticate {
        #Auth-Type LDAP {
        redundant LDAP {
            ldap1
            ldap2
        }

    accounting {
        # Un-comment the following if you have set
        # 'edir_account_policy_check = yes' in the ldap module sub-section of
        # the 'modules' section.
        #
        # ldap

HOWEVER, I do refer to the ldap module in radiusd.conf, but this is how I got it working with redundant LDAP servers in the first place.

    ldap ldap1 {
        server = ldap1.domain.com
        basedn = dc=domain,dc=com
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1

    ldap ldap2 {
        server = ldap2.domain.com
        basedn = dc=domain,dc=com
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1

This is how I understood to define more than one ldap source and it does work on 2 older servers, as I noted. Is there something outside of raddb that I missed? Thanks again!
Re: Unknown Auth-Type LDAP in authenticate sub-section
u...@3.am wrote:

Trying to set up a new RADIUS 2.1.12 server with LDAP. It configured and built all the modules I need, including rlm_ldap, once I installed the dependencies. I took all of the same config files that I have working on servers running 2.1.9 and 2.1.10, but 2.1.12 rlm_ldap doesn't seem to finish instantiating. Here's most of the debug:

You edited the default configuration and broke it. You deleted the default ldap module. You added ldap1 and ldap2. Then, the authenticate section refers to ldap, which doesn't exist. Make sure that you refer to modules which exist.

That's the first thing I checked in raddb/sites-available/default but ldap is commented out in the auth (and accounting) section. Here is what I have, which at this point is the entire raddb directory lifted out of two older versions that are running fine:

    authorize {
        preprocess
        redundant LDAP {
            ldap1
            ldap2
        }
        # The ldap module will set Auth-Type to LDAP if it has not
        # already been set
        # ldap

    authenticate {
        #Auth-Type LDAP {
        redundant LDAP {
            ldap1
            ldap2
        }

    accounting {
        # Un-comment the following if you have set
        # 'edir_account_policy_check = yes' in the ldap module sub-section of
        # the 'modules' section.
        #
        # ldap

HOWEVER, I do refer to the ldap module in radiusd.conf, but this is how I got it working with redundant LDAP servers in the first place.

        net_timeout = 1

Sorry, I inadvertently gave incomplete ldap module configs for ldap1 and 2... here is a complete one:

    ldap ldap2 {
        server = ldap2.domain.com
        basedn = dc=domain,dc=com
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        set_auth_type = no
    }

I did try set_auth_type = yes for gags, but no go.
Re: Unknown Auth-Type LDAP in authenticate sub-section
On Sat, Mar 10, 2012 at 3:23 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

On Fri, Mar 09, 2012 at 10:59:46AM -0500, u...@3.am wrote:

    authenticate {
        #Auth-Type LDAP {
        redundant LDAP {
            ldap1
            ldap2
        }

Using ldap in the authenticate section is a bit tricky, and you'd be wise to avoid it if you can - if the LDAP server will give you the password (plaintext or crypted) you're better off doing that in authorize and letting FreeRADIUS perform the auth using rlm_pap or whatever.

Yes. So to save lots of time and configuration problems: does your LDAP store user passwords in clear text or any common hash (e.g. md5, unix)? If yes, AND you know what the LDAP attribute is, you don't even need an LDAP section in authenticate.

Mostly crypt, but I've seen a few SSHA hashes. I know the LDAP attribute as well. Assuming those hashes are common enough, what do I need to do?

I should point out that I had been using:

    DEFAULT Auth-Type = Ldap

in the users file as well on the two older servers, despite docs that say that it is almost always wrong, but it was the only way we got it working. I switched the conf files to the way Phil suggested and it complained about what I was doing in the users file, so I just used the sample users file and it started ok. I've not been able to test authenticating against it yet.
Re: Unknown Auth-Type LDAP in authenticate sub-section
On Sat, Mar 10, 2012 at 5:29 AM, u...@3.am wrote:

So to save lots of time and configuration problems: does your LDAP store user passwords in clear text or any common hash (e.g. md5, unix)? If yes, AND you know what the LDAP attribute is, you don't even need an LDAP section in authenticate.

Mostly crypt, but I've seen a few SSHA hashes. I know the LDAP attribute as well. Assuming those hashes are common enough, what do I need to do?

If the hash is supported (see http://wiki.freeradius.org/Protocol%20Compatibility), you only need to make sure FR sees it in the right place. See ldap.attrmap.

Both hashes are supported, thanks for the link. I assume I need to define something to map to, as well? Like this:

    raddb/dictionary:
    ATTRIBUTE userPassword 3004 string

    raddb/ldap.attrmap:
    checkItem User-Password userPassword

Then I just noticed this in the ldap module (which we have in the radiusd.conf):

    # password_attribute = userPassword

Do I understand correctly that I can just uncomment that and not define anything in the dictionary or ldap.attrmap? Again, thanks!
Re: LDAP (POSIX attributes) password expiry
On 03/06/2012 02:10 AM, u...@3.am wrote:

On 28/02/12 21:16, u...@3.am wrote:

However, we just noticed that password expiry isn't working. I suspect this is because we are still using all the original POSIX attributes and none of them look good for mapping to the ones supplied by FreeRADIUS. I see:

    checkItem Expiration radiusExpiration

Our LDAP attributes use the following POSIX attributes to determine expiry:

    shadowMax: 90
    shadowLastChange: 15215

Other replies should have convinced you that there's no built-in support for this. You will need to either:

1. Arrange for a FreeRADIUS-ready radiusExpiration attribute to be set in LDAP alongside the POSIX/shadow schemas
2. Synthesize an Expiration attribute, or otherwise locally check the POSIX/shadow attributes.

One way you might accomplish the 2nd is as follows:

== Create some local RADIUS attributes for the shadow values ==

/etc/raddb/dictionary:

    ATTRIBUTE Shadow-Max-Age     3000 integer
    ATTRIBUTE Shadow-Last-Change 3001 integer
    ATTRIBUTE Shadow-Expires     3002 integer
    ATTRIBUTE Shadow-Current     3003 integer

/etc/raddb/ldap.attrmap:

    checkItem Shadow-Max-Age     shadowMax
    checkItem Shadow-Last-Change shadowLastChange

== Read these attributes from LDAP, then perform some maths ==

/etc/raddb/sites-enabled/server:

    authorize {
        ...
        ldap
        update control {
            Shadow-Expires := %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}
            Shadow-Current := %{expr:%l / 86400}
        }
        if (control:Shadow-Current > control:Shadow-Expires) {
            reject
        }
        ...
    }

Hopefully it's clear what this does, but basically:

1. Pulls last-change & max-age from LDAP
2. Adds them together, to get expiry (in days since epoch)
3. Divides %l (epoch) by 86400 to get today, in days since epoch
4. Compares them

It looks to me like it should do all of those things swimmingly... however, I am running into an issue that looks like it might be because we run redundant LDAP servers. I put your 'update control' here, in the authorize:

    redundant LDAP {
        ldap1
        ldap2
        update control {
            ETC
        }
    }

Ok, so do:

    redundant {
        ldap1
        ldap2
    }
    update control {
        ..
    }

Ok, that got it starting and it looks tantalizingly close, but somehow Shadow-Expires isn't getting parsed:

    ++- entering group LDAP {...}
    [ldap1] performing user authorization for ldaptestuser
    [ldap1] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    [ldap1] ... expanding second conditional
    [ldap1] expand: %{User-Name} -> ldaptestuser
    [ldap1] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=ldaptestuser)
    [ldap1] expand: dc=domain,dc=com -> dc=domain,dc=com
    [ldap1] ldap_get_conn: Checking Id: 0
    [ldap1] ldap_get_conn: Got Id: 0
    [ldap1] performing search in dc=domain,dc=com, with filter (uid=ldaptestuser)
    [ldap1] looking for check items in directory...
    [ldap1] shadowLastChange -> Shadow-Last-Change == 15215
    [ldap1] shadowMax -> Shadow-Max-Age == 90
    [ldap1] looking for reply items in directory...
    WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
    [ldap1] user ldaptestuser authorized to use remote access
    [ldap1] ldap_release_conn: Release Id: 0
    +++[ldap1] returns ok
    ++- group LDAP returns ok
    expand: %{control:Shadow-Last-Change} + %{control:Shadow-Max-Age} -> 15215 + 90
    expand: %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}} -> 15305
    expand: %l / 86400 -> 1331041623 / 86400
    expand: %{expr:%l / 86400} -> 15405
    ++[control] returns ok
    ++? if (control:Shadow-Current > control:Shadow-Expires)
    Failed parsing control:Shadow-Expires: Unknown value control:Shadow-Expires for attribute Shadow-Current

To make sure I got the mapping and dictionary definitions right, here's what I have (pretty much just copied and pasted from you):

    [root@host]# grep -i shadow /etc/raddb/dictionary
    ATTRIBUTE Shadow-Max-Age     3000 integer
    ATTRIBUTE Shadow-Last-Change 3001 integer
    ATTRIBUTE Shadow-Expires     3002 integer
    ATTRIBUTE Shadow-Current     3003 integer
    [root@host]# grep -i shadow /etc/raddb/ldap.attrmap
    checkItem Shadow-Max-Age     shadowMax
    checkItem Shadow-Last-Change shadowLastChange
Re: LDAP (POSIX attributes) password expiry SOLVED
On Tue, Mar 6, 2012 at 9:20 PM, u...@3.am wrote:

    ++? if (control:Shadow-Current > control:Shadow-Expires)
    Failed parsing control:Shadow-Expires: Unknown value control:Shadow-Expires for attribute Shadow-Current

Try

    if (control:Shadow-Current > %{control:Shadow-Expires})

That did it! Thank you Fajar, Phil and Alan! It never ceases to amaze me the things that can be done with FreeRADIUS that would have been unthinkable with Cistron or Livingston. For anyone else interested, I'll paste the final modifications here (unwrap lines, of course):

raddb/sites-available/servername:

    update control {
        Shadow-Expires := %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}
        Shadow-Current := %{expr:%l / 86400}
    }
    if (control:Shadow-Current > %{control:Shadow-Expires}) {
        reject
    }

raddb/dictionary:

    ATTRIBUTE Shadow-Max-Age     3000 integer
    ATTRIBUTE Shadow-Last-Change 3001 integer
    ATTRIBUTE Shadow-Expires     3002 integer
    ATTRIBUTE Shadow-Current     3003 integer

raddb/ldap.attrmap:

    checkItem Shadow-Max-Age     shadowMax
    checkItem Shadow-Last-Change shadowLastChange
Re: LDAP (POSIX attributes) password expiry
On 28/02/12 21:16, u...@3.am wrote:

However, we just noticed that password expiry isn't working. I suspect this is because we are still using all the original POSIX attributes and none of them look good for mapping to the ones supplied by FreeRADIUS. I see:

    checkItem Expiration radiusExpiration

Our LDAP attributes use the following POSIX attributes to determine expiry:

    shadowMax: 90
    shadowLastChange: 15215

Other replies should have convinced you that there's no built-in support for this. You will need to either:

1. Arrange for a FreeRADIUS-ready radiusExpiration attribute to be set in LDAP alongside the POSIX/shadow schemas
2. Synthesize an Expiration attribute, or otherwise locally check the POSIX/shadow attributes.

One way you might accomplish the 2nd is as follows:

== Create some local RADIUS attributes for the shadow values ==

/etc/raddb/dictionary:

    ATTRIBUTE Shadow-Max-Age     3000 integer
    ATTRIBUTE Shadow-Last-Change 3001 integer
    ATTRIBUTE Shadow-Expires     3002 integer
    ATTRIBUTE Shadow-Current     3003 integer

/etc/raddb/ldap.attrmap:

    checkItem Shadow-Max-Age     shadowMax
    checkItem Shadow-Last-Change shadowLastChange

== Read these attributes from LDAP, then perform some maths ==

/etc/raddb/sites-enabled/server:

    authorize {
        ...
        ldap
        update control {
            Shadow-Expires := %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}
            Shadow-Current := %{expr:%l / 86400}
        }
        if (control:Shadow-Current > control:Shadow-Expires) {
            reject
        }
        ...
    }

Hopefully it's clear what this does, but basically:

1. Pulls last-change & max-age from LDAP
2. Adds them together, to get expiry (in days since epoch)
3. Divides %l (epoch) by 86400 to get today, in days since epoch
4. Compares them

It looks to me like it should do all of those things swimmingly... however, I am running into an issue that looks like it might be because we run redundant LDAP servers. I put your 'update control' here, in the authorize:

    redundant LDAP {
        ldap1
        ldap2
        update control {
            ETC
        }
    }

The above allows us to define two LDAP servers in radiusd.conf. Debug shows this error:

    /usr/etc/raddb/sites-enabled/default[76]: "redundant" sections cannot contain a "update" statement
    /usr/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

I see in man unlang that redundant can only contain a list of modules. If that's the case, either these two things won't work together, or I am trying to put it in the wrong place. If I try to uncomment the ldap module further down in the authorize section I get "Failed to load module ldap" (can post entire debug if necessary).
Re: LDAP (POSIX attributes) password expiry
u...@3.am wrote:

I didn't ignore any response. I have no reason to worry about whether Expiration will work in users because A) I'm not using users, I'm using LDAP and B) expiry worked fine using rlm_pam and /etc/shadow.

Once again, you completely misunderstand my point. This is rude.

I am sorry, I did not mean to be rude. You're right, I misunderstood your point.

You asked *explicitly* about the Expiration attribute. FreeRADIUS implements expiration via the expiration attribute. I gave you instructions for testing it. Your response was to assume I'm an idiot, and to ignore my attempt to help you. You assumed I had no idea what you're talking about. You assumed I was confused about how FreeRADIUS works.

Not at all. I know that you know better than anyone how FreeRADIUS works. I thought you were understandably unclear about what I was asking, because I obviously wasn't asking it well.

Alan: I have been using your software for many years, and received a lot of help from you and other members of this list and know you have little patience for requests for help that don't include adequate debug output and inclusion of relevant configuration information.

No. I have little patience for people who ask for help, and then tell me I'm wrong. If you're so smart, why are you asking questions here? Your behavior is rude. When I point this out, you get offended.

I wasn't offended, I was apologetic and tried to offer an explanation for my current cognitive difficulties (perhaps you missed that part, because it was removed in your reply). I am a little taken aback by how much I have apparently offended you.

Not that I could find, hence my post here. It looks like more clueful people than I have some potential workarounds, so from that standpoint, it may have paid off.

Maybe they successfully read your mind. I know I can't. I answered the question you asked. Your response was to tell me my help was bullsh*t.

I never said that, come on. Again, this is all due to my asking the wrong question or asking it in the wrong way. I can see why this upset you. You took the time to actually read my poorly put question and read debug output which really had no relevance, since nothing is really broken. At least that's how I see it. Again, I am sorry.

That behavior is antisocial. Antisocial people get banned from this list.

Well, I hope you don't ban me. I don't think that's happened to me in 20 years. I am sorry that I came off as antisocial. It was not my intention.

Alan DeKok.
Re: LDAP (POSIX attributes) password expiry
u...@3.am wrote:

    checkItem Expiration radiusExpiration

Did you check that the LDAP module is returning this attribute for the query?

No, I don't expect it to, since I don't have that attribute or anything that looks like it might be a good substitute.

So... why would you ever expect that expiration will work?

I expect it would take some fiddling. I was showing what I had done so far for background reference. From a couple of other responses, it appears there might be ways to get this working.

Did you check that Expiration works if you put it into the users file?

I'm not worried about that... expiry worked with the old rlm_pam using Unix expiry.

I see. You ask for help, and you ignore the response.

I didn't ignore any response. I have no reason to worry about whether Expiration will work in users because A) I'm not using users, I'm using LDAP and B) expiry worked fine using rlm_pam and /etc/shadow. My first thought (hope) was that there was some config option in rlm_ldap that I was missing that might be an easy fix. I knew it was a long shot, but I didn't see the harm in asking.

If you do this again, you will be unsubscribed and banned.

Alan: I have been using your software for many years, and received a lot of help from you and other members of this list and know you have little patience for requests for help that don't include adequate debug output and inclusion of relevant configuration information. I've obviously pissed you off with my reply to you and for that, I apologize. It was not my intention. My cognitive ability is still recovering from a lot of chemotherapy over the past year and this may be reflected in the way I parse and post.

When exporting Unix to LDAP, the expiry data was exported from /etc/shadow to the two LDAP attributes mentioned. I was hoping that perhaps there was a module that could calculate between the two and figure out that the password was expired and take it from there. I figured it a long shot but worth asking.

Was there documentation saying that such a module existed?

Not that I could find, hence my post here. It looks like more clueful people than I have some potential workarounds, so from that standpoint, it may have paid off.
Re: LDAP (POSIX attributes) password expiry
On 28/02/12 21:16, u...@3.am wrote:

Hi: We've been running various versions of FreeRadius for years, currently 2.1.10 in this application. A while ago, we switched from PAM (unix) auth to LDAP auth. Everything worked fine after the switch... POSIX attributes for group membership correctly allocated the right ippools, etc. However, we just noticed that password expiry isn't working. I suspect this is because we are still using all the original POSIX attributes and none of them look good for mapping to the ones supplied by FreeRADIUS. I see:

    checkItem Expiration radiusExpiration

Our LDAP attributes use the following POSIX attributes to determine expiry:

    shadowMax: 90
    shadowLastChange: 15215

Other replies should have convinced you that there's no built-in support for this. You will need to either:

1. Arrange for a FreeRADIUS-ready radiusExpiration attribute to be set in LDAP alongside the POSIX/shadow schemas
2. Synthesize an Expiration attribute, or otherwise locally check the POSIX/shadow attributes.

One way you might accomplish the 2nd is as follows:

== Create some local RADIUS attributes for the shadow values ==

/etc/raddb/dictionary:

    ATTRIBUTE Shadow-Max-Age     3000 integer
    ATTRIBUTE Shadow-Last-Change 3001 integer
    ATTRIBUTE Shadow-Expires     3002 integer
    ATTRIBUTE Shadow-Current     3003 integer

/etc/raddb/ldap.attrmap:

    checkItem Shadow-Max-Age     shadowMax
    checkItem Shadow-Last-Change shadowLastChange

== Read these attributes from LDAP, then perform some maths ==

/etc/raddb/sites-enabled/server:

    authorize {
        ...
        ldap
        update control {
            Shadow-Expires := %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}
            Shadow-Current := %{expr:%l / 86400}
        }
        if (control:Shadow-Current > control:Shadow-Expires) {
            reject
        }
        ...
    }

Hopefully it's clear what this does, but basically:

1. Pulls last-change & max-age from LDAP
2. Adds them together, to get expiry (in days since epoch)
3. Divides %l (epoch) by 86400 to get today, in days since epoch
4. Compares them

It's very clear... I had no idea that the ldap module could do math functions. This is just the kind of thing I was looking for. Thanks!
LDAP (POSIX attributes) password expiry
= no } Module: Linked to module rlm_files Module: Instantiating module files from file /usr/etc/raddb/radiusd.conf files { usersfile = /usr/etc/raddb/users acctusersfile = /usr/etc/raddb/acct_users preproxy_usersfile = /usr/etc/raddb/preproxy_users compat = no } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module radutmp from file /usr/etc/raddb/radiusd.conf radutmp { filename = /var/log/radius/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module attr_filter.access_reject from file /usr/etc/raddb/radiusd.conf attr_filter attr_filter.access_reject { attrsfile = /usr/etc/raddb/attrs.access_reject key = %{User-Name} } } # modules } # server server { # from file /usr/etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module preprocess from file /usr/etc/raddb/radiusd.conf preprocess { huntgroups = /usr/etc/raddb/huntgroups hints = /usr/etc/raddb/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module acct_unique from file /usr/etc/raddb/radiusd.conf acct_unique { key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module detail from file /usr/etc/raddb/radiusd.conf detail { detailfile = 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_ippool Module: Instantiating module some_pool from file /usr/etc/raddb/radiusd.conf SNIP } Module: Instantiating module attr_filter.accounting_response from file /usr/etc/raddb/radiusd.conf attr_filter attr_filter.accounting_response { attrsfile = /usr/etc/raddb/attrs.accounting_response key = %{User-Name} } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: Opening IP addresses and Ports listen { type = auth ipaddr = * port = 1812 } listen { type = acct ipaddr = * port = 1813 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.7.1 port 1645, id=225, length=97 Framed-Protocol = PPP User-Name = ldaptest User-Password = testing NAS-Port-Type = Virtual NAS-Port = 241 NAS-Port-Id = Uniq-Sess-ID241 Service-Type = Framed-User NAS-IP-Address = 192.168.bogus # Executing section authorize from file /usr/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering group LDAP {...} [ldap1] performing user authorization for ldaptest [ldap1] WARNING: Deprecated conditional expansion :-. See man unlang for details [ldap1] ... expanding second conditional [ldap1] expand: %{User-Name} - ldaptest [ldap1] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=ldaptest) [ldap1] expand: dc=domain,dc=com - dc=domain,dc=com [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] attempting LDAP reconnection [ldap1] (re)connect to ldap.server:389, authentication 0 [ldap1] bind as / to ldap.server:389 [ldap1] waiting for bind result ... 
[ldap1] Bind was successful [ldap1] performing search in dc=domain,dc=com, with filter (uid=ldaptest) [ldap1] looking for check items in directory... [ldap1] looking for reply items in directory... WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? [ldap1] user ldaptest authorized to use remote access [ldap1] ldap_release_conn: Release Id: 0 +++[ldap1] returns ok ++- group LDAP returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = ldaptest, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] No EAP-Message
Re: LDAP (POSIX attributes) password expiry
u...@3.am wrote:

However, we just noticed that password expiry isn't working. I suspect this is because we are still using all the original POSIX attributes and none of them look good for mapping to the ones supplied by FreeRADIUS. I see:

checkItem Expiration radiusExpiration

Did you check that the LDAP module is returning this attribute for the query?

No, I don't expect it to, since I don't have that attribute or anything that looks like it might be a good substitute.

Did you check that Expiration works if you put it into the users file?

I'm not worried about that...expiry worked with the old rlm_pam using Unix expiry. When exporting Unix to LDAP, the expiry data was exported from /etc/shadow to the two LDAP attributes mentioned. I was hoping that perhaps there was a module that could calculate between the two and figure out that the password was expired and take it from there. I figured it a long shot but worth asking. Thanks!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP (POSIX attributes) password expiry
On Wed, Feb 29, 2012 at 4:16 AM, u...@3.am wrote:

Hi: We've been running various versions of FreeRadius for years, currently 2.1.10 in this application. A while ago, we switched from PAM (unix) auth to LDAP auth. Everything worked fine after the switch...POSIX attributes for group membership correctly allocated the right ippools, etc. However, we just noticed that password expiry isn't working. I suspect this is because we are still using all the original POSIX attributes and none of them look good for mapping to the ones supplied by FreeRADIUS. I see:

checkItem Expiration radiusExpiration

Our LDAP attributes use the following POSIX attributes to determine expiry:

shadowMax: 90
shadowLastChange: 15215

With the first being the maximum age of the password and the second being the number of days since the Epoch. I will post the obligatory debug output below (with sensitive or irrelevant stuff snipped out) for a successful authentication for an expired password that shouldn't have succeeded. If anybody has an idea how to fix this with minimal messing around with our LDAP config itself, I'd greatly appreciate it...or, if that's unrealistic, what should be done. TIA!

IIRC the Expiration attribute requires the format of 01 Jan 2011 01:00:00 (or something like that, other formats might work, test it first). From the two LDAP attributes, you should be able to process them and present it as a new attribute. I see no easy way to do that without an additional module though. You COULD use something like this in ldap.attrmap:

checkItem Tmp-Integer-0 shadowMax
checkItem Tmp-Integer-1 shadowLastChange

... then convert it to expiration with rlm_perl/rlm_sql/whatever. If you already have a mysql instance (e.g. for accounting), you could probably use it to do the processing. Something like this (see http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html):

update control {
    Expiration := %{sql: SELECT FROM_UNIXTIME( ( %{Tmp-Integer-0} + %{Tmp-Integer-1} ) * 86400, '%d %b %Y %H:%i:%s' )}
}

Fajar, thanks for taking the time with this reply. No, I'm not running MySQL for accounting...just the standard flat files on a separate remote server and of course for auth, LDAP. I'll have to take a look and see what rlm_perl can do for us. I don't see a problem getting the attributes using perl (even if it just invokes shell commands), but how to process it back to FreeRADIUS without interfering with anything else.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
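The expiry arithmetic from the unlang policy in the earlier reply (Shadow-Last-Change + Shadow-Max-Age compared with %l / 86400) and the Expiration string the FROM_UNIXTIME suggestion produces, worked through in Python as an added example that is not code from either post. It assumes shadow(5) semantics for shadowMax and shadowLastChange (an absent or negative shadowMax means no maximum age, shadowLastChange 0 means the password must be changed at next login); the function names and the LDIF sample are my own.

```python
# Added example (not code from the list posts): the shadow-expiry arithmetic
# performed by the suggested authorize policy, done in plain Python so the
# reject decision can be checked against a directory entry before it goes
# into FreeRADIUS. Shadow semantics assumed: absent/negative shadowMax means
# "no maximum age"; shadowLastChange 0 means "must change at next login".
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400

# Constructed LDIF fragment carrying the values quoted in the thread
# (shadowMax: 90, shadowLastChange: 15215); not a real directory entry.
SAMPLE_ENTRY = """dn: uid=ldaptest,ou=people,dc=domain,dc=com
uid: ldaptest
objectClass: shadowAccount
shadowMax: 90
shadowLastChange: 15215
"""


def parse_shadow_attrs(ldif_text):
    """Collect the integer shadow* attributes from LDIF-style 'name: value' lines.

    Stands in for what ldap.attrmap does when it maps shadowMax and
    shadowLastChange onto the Shadow-Max-Age / Shadow-Last-Change check items.
    """
    attrs = {}
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if name.startswith("shadow") and value.lstrip("-").isdigit():
            attrs[name] = int(value)
    return attrs


def expiry_day(attrs):
    """Day number (days since the epoch) on which the password expires.

    Mirrors Shadow-Expires := Shadow-Last-Change + Shadow-Max-Age, and returns
    None when there is no usable maximum age, the case the bare unlang
    arithmetic does not cover (an empty expansion inside %{expr:...}).
    """
    last_change = attrs.get("shadowLastChange")
    max_age = attrs.get("shadowMax")
    if last_change is None or max_age is None or max_age < 0:
        return None
    if last_change == 0:
        return 0  # must change at next login: treat as already expired
    return last_change + max_age


def password_expired(attrs, now_epoch):
    """The authorize decision: True means the policy would 'reject'.

    Shadow-Current := %l / 86400 is integer division, so it is here too.
    """
    expires = expiry_day(attrs)
    if expires is None:
        return False  # no maximum age configured: nothing to enforce
    current_day = now_epoch // SECONDS_PER_DAY
    return current_day > expires


def expiration_check_item(attrs):
    """Render the expiry as an Expiration check-item string, in the
    '%d %b %Y %H:%i:%s' shape the FROM_UNIXTIME suggestion produces (UTC)."""
    expires = expiry_day(attrs)
    if expires is None:
        return None
    when = datetime.fromtimestamp(expires * SECONDS_PER_DAY, tz=timezone.utc)
    return when.strftime("%d %b %Y %H:%M:%S")


if __name__ == "__main__":
    attrs = parse_shadow_attrs(SAMPLE_ENTRY)
    now = 15398 * SECONDS_PER_DAY + 75600  # constructed: 28 Feb 2012 21:00 UTC
    print(attrs, expiry_day(attrs), expiration_check_item(attrs),
          password_expired(attrs, now))
```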
Re: Freeradius + MySQL + WiFi PEAP authorisation only to a group of users
Hello, I would like help with this: I have Freeradius version 2.1.6 and I have it running with SQL and DialupAdmin. How do I give access to wifi users who authenticate with username/pass over PEAP only to a group of users? I mean that authorised would be only users from group WIFI and not other users belonging to other groups like OpenVPN. Now it authorises everybody from the radcheck table. I am very new to radius and even though I have been searching the net for some time I cannot find the answer which would fit my needs.

I would think something like this in your users file:

DEFAULT NAS-Ip-Address == your.wifi.nas.ip, Group == WIFI
DEFAULT NAS-Ip-Address == your.wifi.nas.ip, Auth-Type = Reject

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius - LDAP
: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x89d0250 Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = /etc/raddb/huntgroups hints = /etc/raddb/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: 
Instantiating acct_unique acct_unique { key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d header = %t detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = /etc/raddb/attrs.accounting_response key = %{User-Name} } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: Opening IP addresses and Ports listen { type = auth ipaddr = * port = 0 } listen { type = acct ipaddr = * port = 0 } listen { type = control listen { socket = /var/run/radiusd/radiusd.sock } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. 
--- NOW, when I try the auth: radtest ldapuser 121212 localhost 2 testing123 I get this output on the client side Sending Access-Request of id 207 to 127.0.0.1 port 1812 User-Name = ldapuser User-Password = MTIxMjEyIA== NAS-IP-Address = 127.0.0.1 NAS-Port = 2 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=207, length=20 AND this one on the radius server side: rad_recv: Access-Request packet from host 127.0.0.1 port 36725, id=207, length=60 User-Name = ldapuser User-Password = MTIxMjEyIA== NAS-IP-Address = 127.0.0.1 NAS-Port = 2 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = ldapuser, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for ldapuser [ldap]expand: %{Stripped-User-Name} - [ldap]expand: %{User-Name} - ldapuser [ldap]expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=ldapuser) [ldap]expand: dc=example,dc=com - dc=example,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind
Re: LDAP redundant with LDAP-Group within users file
Just a gap of our users file, we have 18 default lines and an additional 4 for a local/PAP user:

DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group == LDAP-GROUP-Team-a
        Login-Service = Telnet

FWIW, since it's the LDAP-Group attribute that you're having trouble with, we are doing LDAP auth with POSIX style LDAP auth data and I believe it gets around this by simply using the old Group attribute from before we migrated from PAP/unix (but still gets it from LDAP):

DEFAULT Group == acme, Pool-Name := acme_pool, Auth-Type = Ldap

This is a smaller network with 1 fallback LDAP server, and I know that the fallback is working and I'm pretty sure it passes on the proper group info to assign the correct IP pool in this case. It may not work with non-POSIX LDAP groups though...

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP server failover in FreeRADIUS 2.1
I can tell that ldap failover config is a FAQ by the number of hits I found searching for this, but it seems that many of the config examples are for older versions of FreeRADIUS. In any case, this is what I've tried, but it's not working:

In radiusd.conf:

ldap ldap1 {
    server = serverA.domain.com
    basedn = dc=domain,dc=com
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = no
}

ldap ldap2 {
    server = serverB.domain.com
    basedn = dc=domain,dc=com
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = yes
}

---

This is what I put in sites-enabled/default AND in sites-enabled/inner-tunnel (it doesn't look right to me, but it's what I found):

authorize {
    preprocess
    redundant LDAP {
        ldap1
        ldap2
    }
    Auth-Type LDAP {
        ldap1
        ldap2
    }

Again, sorry for the FAQ, but if somebody could put me straight here, I'd appreciate it.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP server failover in FreeRADIUS 2.1
u...@3.am wrote:

I can tell that ldap failover config is a FAQ by the number of hits I found searching for this, but it seems that many of the config examples are for older versions of FreeRADIUS. In any case, this is what I've tried, but it's not working:

See the FAQ for "it doesn't work".

ldap ldap2 {
    set_auth_type = yes

Thanks for pointing that out...I had just copied and pasted that section from the secondary radius server.

Which will set Auth-Type := ldap2. That's probably not what you want.

This is what I put in sites-enabled/default AND in sites-enabled/inner-tunnel (it doesn't look right to me, but it's what I found):

authorize {
    preprocess
    redundant LDAP {
        ldap1
        ldap2
    }

That looks OK...

    Auth-Type LDAP {
        ldap1
        ldap2
    }

That doesn't. It goes into the authenticate section, and you need to add a redundant block which wraps the calls to ldap1 and ldap2.

That did the trick...I changed it to this:

    #Auth-Type LDAP {
    redundant LDAP {
        ldap1
        ldap2
    }

I wasn't sure if you used both Auth-Type AND redundant, but apparently you only need the latter. Thanks once again, Alan!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Simple Guest user web front end for FreeRADIUS
On Fri, Apr 8, 2011 at 9:50 PM, u...@3.am wrote:

On my client's wifi network, we are authenticating staff users via FreeRADIUS against the corporate LDAP database. I've created a new SSID/WLAN with an IP pool that I've restricted through router ACLs that we want to deploy for temporary guest users. I can set up a new FreeRADIUS server (I've done many of those) backend for this, but am unfamiliar with 2 things that will be different here, which are:

1) A Web front end for a clerical type to enter in temporary accounts to FreeRADIUS. I imagine there must be a simple php interface for some sort of Internet cafe type of use. I'd prefer as simple as possible (ie, flat file), but would be fine if MySQL is the way to go for account info storage. I know I COULD put together a FreeRADIUS and OpenLDAP server with something like a webmin front end, but that seems overkill to me.

2) Some sort of automatic password generator for the above...not absolutely necessary, but would be nice.

I would imagine this wheel has already been invented, so if anybody could point me in the right direction, it would be appreciated. Thanks!

1. You can simply use m0n0wall / Pfsense, it has all the voucher/user account stuff and a GUI onboard, so you don't even need to use radius if you think it's overkill for this particular situation.
2. Why set up an extra radius server if you have one?
3. There are many frontends available: dialup admin, daloradius, Yfi (aka hotcakes), dma softlab radius manager, etc.

The Cisco Wifi controller in question supports local, radius or ldap user authentication. I think they will like the accounting/reporting stuff that radius brings to the table. Thanks for the replies...I'll look into those.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Simple Guest user web front end for FreeRADIUS
On my client's wifi network, we are authenticating staff users via FreeRADIUS against the corporate LDAP database. I've created a new SSID/WLAN with an IP pool that I've restricted through router ACLs that we want to deploy for temporary guest users. I can set up a new FreeRADIUS server (I've done many of those) backend for this, but am unfamiliar with 2 things that will be different here, which are:

1) A Web front end for a clerical type to enter in temporary accounts to FreeRADIUS. I imagine there must be a simple php interface for some sort of Internet cafe type of use. I'd prefer as simple as possible (ie, flat file), but would be fine if MySQL is the way to go for account info storage. I know I COULD put together a FreeRADIUS and OpenLDAP server with something like a webmin front end, but that seems overkill to me.

2) Some sort of automatic password generator for the above...not absolutely necessary, but would be nice.

I would imagine this wheel has already been invented, so if anybody could point me in the right direction, it would be appreciated. Thanks!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_pool problem
I've had FreeRadius 2.1.6 running ippools fine on one linux server and just installed it on a new one. They run with --prefix=/usr on both servers, which necessitated me putting /usr/lib in /etc/ld.so.conf to get rlm_ippool to load on the new server. I copied over the old raddb tree, but when I start radiusd in debug, I get this:

Module: Linked to module rlm_ippool
Module: Instantiating medium_pool
 ippool medium_pool {
    session-db = /usr/etc/raddb/db.medium_ippool
    ip-index = /usr/etc/raddb/db.medium_ipindex
    key = %{NAS-IP-Address} %{NAS-Port}
    range-start = 172.16.31.101
    range-stop = 172.16.31.253
    netmask = 255.255.255.0
    cache-size = 251
    override = yes
    maximum-timeout = 0
 }
rlm_ippool: Failed to open file /usr/etc/raddb/db.medium_ippool: Invalid argument
/usr/etc/raddb/radiusd.conf[1824]: Instantiation failed for module medium_pool
/usr/etc/raddb/sites-enabled/default[337]: Failed to find module medium_pool.
/usr/etc/raddb/sites-enabled/default[314]: Errors parsing accounting section.

The db files for the pools, in this case /usr/etc/raddb/db.medium_ippool, do exist as chmod 600 root.wheel, just like the old server. We run as root to auth against shadow passwords. What did I miss?

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_pool problem
Replying to myself...I'm a dope. I deleted all the db.*ippool* files and let it create new ones and it's fine now.

On Thu, 27 Aug 2009, u...@3.am wrote:

I've had FreeRadius 2.1.6 running ippools fine on one linux server and just installed it on a new one. They run with --prefix=/usr on both servers, which necessitated me putting /usr/lib in /etc/ld.so.conf to get rlm_ippool to load on the new server. I copied over the old raddb tree, but when I start radiusd in debug, I get this:

Module: Linked to module rlm_ippool
Module: Instantiating medium_pool
 ippool medium_pool {
    session-db = /usr/etc/raddb/db.medium_ippool
    ip-index = /usr/etc/raddb/db.medium_ipindex
    key = %{NAS-IP-Address} %{NAS-Port}
    range-start = 172.16.31.101
    range-stop = 172.16.31.253
    netmask = 255.255.255.0
    cache-size = 251
    override = yes
    maximum-timeout = 0
 }
rlm_ippool: Failed to open file /usr/etc/raddb/db.medium_ippool: Invalid argument
/usr/etc/raddb/radiusd.conf[1824]: Instantiation failed for module medium_pool
/usr/etc/raddb/sites-enabled/default[337]: Failed to find module medium_pool.
/usr/etc/raddb/sites-enabled/default[314]: Errors parsing accounting section.

The db files for the pools, in this case /usr/etc/raddb/db.medium_ippool, do exist as chmod 600 root.wheel, just like the old server. We run as root to auth against shadow passwords. What did I miss?

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco ignores Framed-IP-Address from freeradius
On Mon, 6 Jul 2009, Gilloteau Frederic wrote:

Hello, I use freeradius 2.1.1-7 and a CISCO router (IOS 12.4(6)T9) to provide VPN connections. and the CISCO router gets it ... .. but never assigns it to remote users, the cisco router assigns an IP address from its local pool. The interesting lines of my cisco configuration are:

aaa new-model
!
!
aaa authentication login ClientAuth group radius
aaa authorization network ClienAuth group radius local
aaa accounting delay-start
aaa accounting network ClientAuth start-stop group radius

I had a similar problem...it was with my aaa config. Try:

aaa authentication login default local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default group radius local

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP Pools How ?
Hi Dogus: In addition to the radiusd.conf and users file config that I assume you've already figured out, you have to define the pool names in raddb/default if you're going to use any pool name other than main_pool. ie:

    # Return an address to the IP Pool when we see a stop record.
    # main_pool
    custom_pool

Here I commented out main_pool and defined two new ones, which I configured in radiusd.conf:

ippool custom_pool {
    range-start = 192.168.99.101
    range-stop = 192.168.99.253
    netmask = 255.255.255.0
    cache-size = 251
    session-db = ${db_dir}/db.custom_ippool
    ip-index = ${db_dir}/db.custom_ipindex
    override = yes
}

Then in users:

DEFAULT Group == vpn_users, Pool-Name := custom_pool
        Framed-Protocol == PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

Where vpn_users is a unix group on the radius server. Make sure to remove the db.* files any time you make changes to the pool addresses. You can define as many pools as you want like this. It's not all readily apparent in any docs I found (at least not the first part), but there are examples for the pools in radiusd.conf and users file.

HTH,

On Tue, 23 Jun 2009, Dogus Yalman wrote:

Hello; New to this great mailing list and the whole linux world so please bear with me. :) I'm using FreeRADIUS Version 1.1.7 with fedora core 10 and my freeradius frontend is DMA Softlabs Radius Manager. http://www.dmasoftlab.com/cont/home My clients are authenticating through distributed remote pppoe servers on a wireless network. I want to use freeradius Ip Pool functionality to assign dynamic public IPs to customers since my frontend doesn't support that feature. Is there a step by step approach on how to do it? Is just modifying the radius.conf and users file enough? Do I have to create any sql tables for this? Thanks and greetings from Northern Cyprus

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ippools and Pool-Name
On Wed, 3 Jun 2009, Alan DeKok wrote:

Because you don't have the GDBM libraries or header files.

Ok, I installed those, and while I was at it, installed the latest radiusd. The first error I got involved the experimental raddb/sites-available/control-socket which was included in the old radiusd.conf: $INCLUDE sites-enabled/. I moved the file and radiusd started and worked as it did before. However, when I uncomment my ippool statement, I now get this:

Module: Linked to module rlm_ippool
Module: Instantiating users_pool
 ippool users_pool {
    session-db = $(raddbdir)/db.ippool
    ip-index = $(raddbdir)/db.ipindex
    key = %{NAS-IP-Address} %{NAS-Port}
    range-start = 172.16.1.2
    range-stop = 172.16.1.253
    netmask = 255.255.255.0
    cache-size = 251
    override = yes
    maximum-timeout = 0
 }
rlm_ippool: Failed to open file $(raddbdir)/db.ippool: No such file or directory
/usr/etc/raddb/radiusd.conf[1824]: Instantiation failed for module users_pool
/usr/etc/raddb/sites-enabled/default[337]: Failed to find module users_pool.
/usr/etc/raddb/sites-enabled/default[314]: Errors parsing accounting section.
Errors initializing modules

If I understand correctly, if I am running radiusd as root, shouldn't it simply create the db. files itself when started? I tried a touch raddb/db.ippool but it changed nothing. Again, thanks for your patience...

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ippools and Pool-Name
Replying to myself...erm, never mind...I must have a fairly old raddb/radiusd.conf...I found this by googling:

db_dir = $(raddbdir)

It should be:

db_dir = ${raddbdir}

(brackets are wrong)

On Wed, 3 Jun 2009, u...@3.am wrote:

On Wed, 3 Jun 2009, Alan DeKok wrote:

Because you don't have the GDBM libraries or header files.

Ok, I installed those, and while I was at it, installed the latest radiusd. The first error I got involved the experimental raddb/sites-available/control-socket which was included in the old radiusd.conf: $INCLUDE sites-enabled/. I moved the file and radiusd started and worked as it did before. However, when I uncomment my ippool statement, I now get this:

Module: Linked to module rlm_ippool
Module: Instantiating users_pool
 ippool users_pool {
    session-db = $(raddbdir)/db.ippool
    ip-index = $(raddbdir)/db.ipindex
    key = %{NAS-IP-Address} %{NAS-Port}
    range-start = 172.16.1.2
    range-stop = 172.16.1.253
    netmask = 255.255.255.0
    cache-size = 251
    override = yes
    maximum-timeout = 0
 }
rlm_ippool: Failed to open file $(raddbdir)/db.ippool: No such file or directory
/usr/etc/raddb/radiusd.conf[1824]: Instantiation failed for module users_pool
/usr/etc/raddb/sites-enabled/default[337]: Failed to find module users_pool.
/usr/etc/raddb/sites-enabled/default[314]: Errors parsing accounting section.
Errors initializing modules

If I understand correctly, if I am running radiusd as root, shouldn't it simply create the db. files itself when started? I tried a touch raddb/db.ippool but it changed nothing. Again, thanks for your patience...

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ippools and Pool-Name
Hi: I am trying to configure a server-side IP pool for select pptp users to bypass the NAS's internal pool. The documentation appears sparse, but this is what I've done so far:

In raddb/radiusd.conf:

ippool users_pool {
    range-start = 172.16.1.2
    range-stop = 172.16.1.253
    netmask = 255.255.255.0
    cache-size = 251
    session-db = ${db_dir}/db.ippool
    ip-index = ${db_dir}/db.ipindex
    override = yes
}

In raddb/users:

sometestuser    Pool-Name := users_pool
        Framed-Protocol == PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

However, sometestuser is simply allocated an IP from the NAS's internal pool, seemingly ignoring this. I also noticed that the files db.ippool and db.ipindex are not being created. Is there something else I'm missing?

TIA,

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ippools and Pool-Name
On Tue, 2 Jun 2009, Alan DeKok wrote:

u...@3.am wrote:

I am trying to configure a server-side IP pool for select pptp users to bypass the NAS's internal pool. The documentation appears sparse, but this is what I've done so far:

In raddb/radiusd.conf:

ippool users_pool {

The examples show it using main_pool. The name doesn't matter, but it's a hint:

$ grep main_pool raddb/sites-available/*

You can re-name main_pool to users_pool, if you want. You have to tell the server to allocate IP's in the post-auth section, and to manage them from the accounting section.

Ok, I wasn't sure where the post-auth section even was...I had been looking in the radiusd.conf...thanks for the hint. I just added the following to the raddb/sites-available/default:

accounting {
    # Return an address to the IP Pool when we see a stop record.
    # main_pool
    users_pool

post-auth {
    # Get an address from the IP Pool.
    # main_pool
    users_pool

Now I get this running debug mode:

 }
/usr/etc/raddb/radiusd.conf[1824]: Failed to link to module 'rlm_ippool': rlm_ippool.so: cannot open shared object file: No such file or directory
/usr/etc/raddb/sites-enabled/default[337]: Failed to find module users_pool.
/usr/etc/raddb/sites-enabled/default[314]: Errors parsing accounting section.
 }
}
Errors initializing modules

...and indeed, that file exists nowhere on the server. Was it a part of freeradius-server-2.0.4 ?

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Assigning IP address from RADIUS to Cisco PPTP users
FYI: Cisco TAC quickly found my config problem. I took out:

    aaa authorization network default if-authenticated

and replaced it with:

    aaa authorization network default group radius local

and that did it. Thanks for all of your suggestions! Next up is to start defining pools and associating unix groups with them.

On Tue, 26 May 2009, u...@3.am wrote:

> On Wed, 27 May 2009, Vadim Ostranitsyn wrote:
>
>> Hi!
>>
>> On Tue, May 26, 2009 at 11:34:41AM -0400, u...@3.am wrote:
>>> Users are currently authenticating fine and getting assigned IPs from the IP pool as defined in the Cisco NAS. However, I'd like to have a few, select users assigned static IPs from outside that pool, but the Cisco (2811) is simply ignoring the raddb/users file entry for that user and assigning an IP from the pool on the NAS.
>>> [...]
>>>     interface Virtual-Template1
>>>      ip unnumbered FastEthernet0/0
>>>      ip policy route-map VPN-Client
>>>      peer match aaa-pools
>>>      peer default ip address pool vpnpool
>>
>> Drop this line
>>
>>>      no keepalive
>>>      ppp encrypt mppe auto
>>>      ppp authentication pap chap ms-chap ms-chap-v2
>>>     !
>>>     ip local pool vpnpool 172.16.30.2 172.16.30.254
>>>
>>> Here is the raddb/users file entry:
>>>
>>>     testuser        Service-Type == Framed-User
>>>             Framed-Protocol == PPP,
>>>             Framed-IP-Address = 172.16.1.2,
>>>             Framed-IP-Netmask = 255.255.255.255,
>>>             Framed-Compression = Van-Jacobson-TCP-IP
>>
>>             Cisco-AVPair = ip:addr-pool=vpnpool
>>
>> Add line above to the DEFAULT user entry.
>
> Hi Vadim:
>
> This looked promising, but when I remove that line from my Cisco config, I cannot log in at all. It just says that it cannot negotiate a ppp connection (Mac OS X). The debug on radius looks fine (I can supply that again if needed). Here is the verbose logging from my Mac's /var/log/ppp.log:
>
>     Tue May 26 23:21:13 2009 : PPTP connecting to server '10.2.2.2' (10.2.2.2) ...
>     Tue May 26 23:21:13 2009 : PPTP connection established.
>     Tue May 26 23:21:13 2009 : using link 0
>     Tue May 26 23:21:13 2009 : Using interface ppp0
>     Tue May 26 23:21:13 2009 : Connect: ppp0 -- socket[34:17]
>     Tue May 26 23:21:13 2009 : sent [LCP ConfReq id=0x1 asyncmap 0x0 magic 0xc9166b8c pcomp accomp]
>     Tue May 26 23:21:13 2009 : rcvd [LCP ConfReq id=0x1 auth pap magic 0x3f29a7d2]
>     Tue May 26 23:21:13 2009 : lcp_reqci: returning CONFACK.
>     Tue May 26 23:21:13 2009 : sent [LCP ConfAck id=0x1 auth pap magic 0x3f29a7d2]
>     Tue May 26 23:21:13 2009 : rcvd [LCP ConfAck id=0x1 asyncmap 0x0 magic 0xc9166b8c pcomp accomp]
>     Tue May 26 23:21:13 2009 : sent [LCP EchoReq id=0x0 magic=0xc9166b8c]
>     Tue May 26 23:21:13 2009 : sent [PAP AuthReq id=0x1 user=testuser password=hidden]
>     Tue May 26 23:21:13 2009 : rcvd [LCP EchoRep id=0x0 magic=0x3f29a7d2]
>     Tue May 26 23:21:13 2009 : rcvd [PAP AuthAck id=0x1 ]
>     Tue May 26 23:21:13 2009 : PAP authentication succeeded
>     Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x1 addr 0.0.0.0 ms-dns1 0.0.0.0 ms-dns3 0.0.0.0]
>     Tue May 26 23:21:13 2009 : sent [IPV6CP ConfReq id=0x1 addr fe80::021e:c2ff:feb5:8003]
>     Tue May 26 23:21:13 2009 : sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
>     Tue May 26 23:21:13 2009 : rcvd [IPCP ConfReq id=0x1 addr 192.168.7.1]
>     Tue May 26 23:21:13 2009 : ipcp: returning Configure-ACK
>     Tue May 26 23:21:13 2009 : sent [IPCP ConfAck id=0x1 addr 192.168.7.1]
>     Tue May 26 23:21:13 2009 : rcvd [CCP ConfReq id=0x1]
>     Tue May 26 23:21:13 2009 : Unsupported protocol 'Compression Control Protocol' (0x80fd) received
>     Tue May 26 23:21:13 2009 : sent [LCP ProtRej id=0x2 80 fd 01 01 00 04]
>     Tue May 26 23:21:13 2009 : rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1e c2 ff fe b5 80 03]
>     Tue May 26 23:21:13 2009 : rcvd [LCP ProtRej id=0x3 82 35 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01]
>     Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x1 addr 0.0.0.0 ms-dns3 0.0.0.0]
>     Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x2 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
>     Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x2 addrs 0.0.0.0 0.0.0.0]
>     Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x3 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
>     Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x3 addrs 0.0.0.0 0.0.0.0]
>     Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x4 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
>     Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x4 addrs 0.0.0.0 0.0.0.0]
>     Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x5 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
>     Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x5 addrs 0.0.0.0 0.0.0.0]
>     Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x6 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
>     Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x6 addrs 0.0.0.0 0.0.0.0]
>     Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x7 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
>     Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x7 addrs 0.0.0.0 0.0.0.0]
>     Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x8
Assigning IP address from RADIUS to Cisco PPTP users
Hi:

I've used Livingston and Cistron radiusd's in the past with dialup ppp users and Cisco/Lucent NASes and have been able to do this with no problems. Users are currently authenticating fine and getting assigned IPs from the IP pool as defined in the Cisco NAS. However, I'd like to have a few, select users assigned static IPs from outside that pool, but the Cisco (2811) is simply ignoring the raddb/users file entry for that user and assigning an IP from the pool on the NAS.

Here is my Cisco config:

    aaa new-model
    aaa authentication login default local group radius
    aaa authentication ppp default group radius local
    aaa authorization exec default local
    aaa authorization network default if-authenticated
    aaa session-id common

    vpdn-group 1
     accept-dialin
      protocol pptp
      virtual-template 1

    interface Loopback0
     ip address 99.99.99.99 255.255.255.255
     ip nat inside
     ip virtual-reassembly

    interface Virtual-Template1
     ip unnumbered FastEthernet0/0
     ip policy route-map VPN-Client
     peer match aaa-pools
     peer default ip address pool vpnpool
     no keepalive
     ppp encrypt mppe auto
     ppp authentication pap chap ms-chap ms-chap-v2
    !
    ip local pool vpnpool 172.16.30.2 172.16.30.254

Here is the raddb/users file entry:

    testuser        Service-Type == Framed-User
            Framed-Protocol == PPP,
            Framed-IP-Address = 172.16.1.2,
            Framed-IP-Netmask = 255.255.255.255,
            Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT Framed-Protocol == PPP
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP

The DEFAULT entry allows users in /etc/passwd to authenticate fine, but testuser still gets an IP from the NAS pool instead of the one above.

Any pointers appreciated!

James Smallacombe                PlantageNet, Inc. CEO and Janitor
u...@3.am                                         http://3.am
Re: Assigning IP address from RADIUS to Cisco PPTP users
            ipaddr = *
            port = 1812
    }
    listen {
            type = acct
            ipaddr = *
            port = 0
    }
    Listening on authentication address * port 1812
    Listening on accounting address * port 1813
    Ready to process requests.
            Framed-Protocol = PPP
            User-Name = testuser
            User-Password = some_password
            NAS-Port-Type = Virtual
            NAS-Port = 62
            NAS-Port-Id = Uniq-Sess-ID62
            Service-Type = Framed-User
            NAS-IP-Address = 216.1.12.66
    +- entering group authorize
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
    rlm_realm: No such realm NULL
    ++[suffix] returns noop
    rlm_eap: No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns updated
    users: Matched entry testuser at line 172
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    rad_check_password: Found Auth-Type
    auth: type PAP
    +- entering group PAP
    rlm_pap: login attempt with password some_password
    rlm_pap: Using CRYPT encryption.
    rlm_pap: User authenticated successfully
    ++[pap] returns ok
    Login OK: [testuser/some_password] (from client cisco_pptp port 62)
    +- entering group post-auth
    ++[exec] returns noop
            Framed-Protocol == PPP
            Framed-IP-Address = 172.16.1.2
            Framed-IP-Netmask = 255.255.255.255
            Framed-Compression = Van-Jacobson-TCP-IP
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 205 with timestamp +17
    Ready to process requests.

---

I'm not using realms, so I'm assuming that realms error is meaningless?

James Smallacombe                PlantageNet, Inc. CEO and Janitor
u...@3.am                                         http://3.am
Re: Assigning IP address from RADIUS to Cisco PPTP users
On Tue, 26 May 2009, Ivan Kalik wrote:

>> Make Sure Override is Disabled in the ippool module..
>> e.g.
>>
>>     # override:
>>     # If set, the Framed-IP-Address already in the
>>     # reply (if any) will be discarded, and replaced
>>     # with a Framed-IP-Address assigned here.
>>     override = no
>
> That would be so - if the pool was defined on the radius server. But his pool is on the Cisco device. Most likely culprit is:

Correct, but I changed them to no and restarted radiusd anyway. No help.

> peer match aaa-pools

I would think just the opposite...aaa-pools should include radius defined pools? Confusing anyway, since for now, we don't even want a pool for this particular user. I did a no peer match aaa-pools anyway, but to no avail. Here is how Cisco describes it:

    router(config-if)#peer match ?
      aaa-pools  Use only peer pools that match AAA pools

In any case, I really appreciate it if you can at least give my radiusd config the thumbs up for this...I can open a ticket with Cisco TAC if so.

James Smallacombe                PlantageNet, Inc. CEO and Janitor
u...@3.am                                         http://3.am
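Added example (not from this thread and not rlm_ippool's code): a Python model of how a server-side pool interacts with a static Framed-IP-Address, which is exactly what the `override` comment quoted above describes, plus the allocate-at-post-auth / release-on-Stop lifecycle Alan pointed to earlier in the thread. Leases are keyed on NAS-IP-Address plus NAS-Port, the module's default key. The requests, NAS address and pool ranges are constructed samples, and the exhaustion behaviour (returning None) is this model's choice rather than a statement about what the real module does.

```python
# Added example: a minimal rlm_ippool-style allocator showing the effect of
# `override` on a static Framed-IP-Address.  Constructed data; not the module.
import ipaddress


class IpPool:
    def __init__(self, range_start, range_stop, override):
        start = int(ipaddress.IPv4Address(range_start))
        stop = int(ipaddress.IPv4Address(range_stop))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(start, stop + 1)]
        self.leases = {}          # session key -> leased address
        self.override = override

    @staticmethod
    def session_key(request):
        # Same shape as the module's default key "%{NAS-IP-Address} %{NAS-Port}".
        return f"{request['NAS-IP-Address']} {request['NAS-Port']}"

    def post_auth(self, request, reply):
        """Put a pool address into `reply`; returns the reply, or None if the pool is empty."""
        if 'Framed-IP-Address' in reply and not self.override:
            return reply          # override = no: the static address from `users` wins
        key = self.session_key(request)
        if key in self.leases:    # same NAS/port re-authenticating: reuse its lease
            address = self.leases[key]
        elif self.free:
            address = self.free.pop(0)
            self.leases[key] = address
        else:
            return None           # pool exhausted (model's choice)
        reply['Framed-IP-Address'] = address      # override = yes: replaces a static address
        return reply

    def accounting(self, request):
        """Release the lease for this NAS/port when its Accounting Stop arrives."""
        if request.get('Acct-Status-Type') != 'Stop':
            return False
        address = self.leases.pop(self.session_key(request), None)
        if address is None:
            return False
        self.free.append(address)
        return True


def scenario(override):
    """One static user and one dynamic user on a 3-address pool, then a Stop for the dynamic one."""
    pool = IpPool('172.16.1.2', '172.16.1.4', override)
    nas = '192.0.2.1'                                   # constructed NAS address
    static = pool.post_auth({'NAS-IP-Address': nas, 'NAS-Port': 1},
                            {'Framed-IP-Address': '172.16.30.10'})   # static reply from `users`
    dynamic = pool.post_auth({'NAS-IP-Address': nas, 'NAS-Port': 2}, {})
    pool.accounting({'NAS-IP-Address': nas, 'NAS-Port': 2, 'Acct-Status-Type': 'Stop'})
    return static['Framed-IP-Address'], dynamic['Framed-IP-Address'], len(pool.free)


def exhaustion():
    """Three sessions on a 2-address pool: the third gets no address."""
    pool = IpPool('172.16.1.2', '172.16.1.3', override=False)
    replies = [pool.post_auth({'NAS-IP-Address': '192.0.2.1', 'NAS-Port': p}, {})
               for p in (1, 2, 3)]
    return replies[2]


if __name__ == '__main__':
    print('override = no :', scenario(False))
    print('override = yes:', scenario(True))
    print('third session on a 2-address pool:', exhaustion())
```

With `override = no` the static user keeps 172.16.30.10 and only the dynamic user draws from the pool; with `override = yes` the static address is discarded and both users are leased pool addresses. Either way, a pool only changes what the RADIUS server puts into the Access-Accept; as the thread shows, the NAS still has to be configured to honour it.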
Re: Assigning IP address from RADIUS to Cisco PPTP users
    0.0.0.0 ms-dns1 0.0.0.0]
    Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xa addrs 0.0.0.0 0.0.0.0]
    Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xb addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
    Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xb addrs 0.0.0.0 0.0.0.0]
    Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xc addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
    Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xc addrs 0.0.0.0 0.0.0.0]
    Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xd addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
    Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xd addrs 0.0.0.0 0.0.0.0]
    Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xe addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
    Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xe addrs 0.0.0.0 0.0.0.0]
    Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xf addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
    Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xf addrs 0.0.0.0 0.0.0.0]
    Tue May 26 23:21:13 2009 : IPCP: Maximum Config-Requests exceeded
    Tue May 26 23:21:13 2009 : sent [LCP TermReq id=0x3 No network protocols running]
    Tue May 26 23:21:14 2009 : rcvd [LCP TermAck id=0x3]
    Tue May 26 23:21:14 2009 : Connection terminated.
    Tue May 26 23:21:14 2009 : PPTP disconnecting...
    Tue May 26 23:21:14 2009 : PPTP disconnected

When I put 'peer default ip address pool vpnpool' back in the Cisco config, it works again:

    Tue May 26 23:26:48 2009 : PPTP connecting to server '10.2.2.2' (10.2.2.2) ...
    Tue May 26 23:26:48 2009 : PPTP connection established.
    Tue May 26 23:26:48 2009 : using link 0
    Tue May 26 23:26:48 2009 : Using interface ppp0
    Tue May 26 23:26:48 2009 : Connect: ppp0 -- socket[34:17]
    Tue May 26 23:26:48 2009 : sent [LCP ConfReq id=0x1 asyncmap 0x0 magic 0x3b8a3df8 pcomp accomp]
    Tue May 26 23:26:48 2009 : rcvd [LCP ConfReq id=0x1 auth pap magic 0x3f2ec37a]
    Tue May 26 23:26:48 2009 : lcp_reqci: returning CONFACK.
    Tue May 26 23:26:48 2009 : sent [LCP ConfAck id=0x1 auth pap magic 0x3f2ec37a]
    Tue May 26 23:26:48 2009 : rcvd [LCP ConfAck id=0x1 asyncmap 0x0 magic 0x3b8a3df8 pcomp accomp]
    Tue May 26 23:26:48 2009 : sent [LCP EchoReq id=0x0 magic=0x3b8a3df8]
    Tue May 26 23:26:48 2009 : sent [PAP AuthReq id=0x1 user=testuser password=hidden]
    Tue May 26 23:26:48 2009 : rcvd [LCP EchoRep id=0x0 magic=0x3f2ec37a]
    Tue May 26 23:26:48 2009 : rcvd [PAP AuthAck id=0x1 ]
    Tue May 26 23:26:48 2009 : PAP authentication succeeded
    Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x1 addr 0.0.0.0 ms-dns1 0.0.0.0 ms-dns3 0.0.0.0]
    Tue May 26 23:26:48 2009 : sent [IPV6CP ConfReq id=0x1 addr fe80::021e:c2ff:feb5:8003]
    Tue May 26 23:26:48 2009 : sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
    Tue May 26 23:26:48 2009 : rcvd [IPCP ConfReq id=0x1 addr 192.168.7.1]
    Tue May 26 23:26:48 2009 : ipcp: returning Configure-ACK
    Tue May 26 23:26:48 2009 : sent [IPCP ConfAck id=0x1 addr 192.168.7.1]
    Tue May 26 23:26:48 2009 : rcvd [CCP ConfReq id=0x1]
    Tue May 26 23:26:48 2009 : Unsupported protocol 'Compression Control Protocol' (0x80fd) received
    Tue May 26 23:26:48 2009 : sent [LCP ProtRej id=0x2 80 fd 01 01 00 04]
    Tue May 26 23:26:48 2009 : rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1e c2 ff fe b5 80 03]
    Tue May 26 23:26:48 2009 : rcvd [LCP ProtRej id=0x3 82 35 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01]
    Tue May 26 23:26:48 2009 : rcvd [IPCP ConfRej id=0x1 ms-dns3 0.0.0.0]
    Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x2 addr 0.0.0.0 ms-dns1 0.0.0.0]
    Tue May 26 23:26:48 2009 : rcvd [IPCP ConfNak id=0x2 addr 172.16.30.9 ms-dns1 10.2.2.2]
    Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x3 addr 172.16.30.9 ms-dns1 10.2.2.2]
    Tue May 26 23:26:48 2009 : rcvd [IPCP ConfAck id=0x3 addr 172.16.30.9 ms-dns1 10.2.2.2]
    Tue May 26 23:26:48 2009 : ipcp: up
    Tue May 26 23:26:48 2009 : local IP address 172.16.30.9
    Tue May 26 23:26:48 2009 : remote IP address 192.168.7.1
    Tue May 26 23:26:48 2009 : primary DNS address 10.1.1.1
    Tue May 26 23:26:48 2009 : sent [IP data src addr 172.16.30.9 dst addr 255.255.255.255 BOOTP Request type INFORM client id 0x080001 parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf]
    Tue May 26 23:26:51 2009 : sent [IP data src addr 172.16.30.9 dst addr 255.255.255.255 BOOTP Request type INFORM client id 0x080001 parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf]
    Tue May 26 23:26:54 2009 : sent [IP data src addr 172.16.30.9 dst addr 255.255.255.255 BOOTP Request type INFORM client id 0x080001 parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf]
    Tue May 26 23:26:57 2009 : sent [IP data src addr 172.16.30.9 dst addr 255.255.255.255 BOOTP Request type INFORM client id 0x080001 parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf]
    Tue May 26 23:27:00 2009 : sent [IP data src addr 172.16.30.9 dst addr 255.255.255.255 BOOTP Request type INFORM client id 0x080001 parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf]
    Tue May 26 23:27:03 2009 : No DHCP server replied

James
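Added example (not part of the thread): a small Python checker for pppd-style logs like the two above. It follows the IPCP address negotiation and tells the two outcomes apart: the NAS answering every address request with ConfRej until "Maximum Config-Requests exceeded", which is what the first log shows once the Cisco had no pool to assign from, versus a ConfNak that offers an address, followed by ConfAck and "ipcp: up". The two logs embedded below are constructed and shortened, in the same shape as the ones in the message.

```python
# Added example: summarise IPCP address negotiation from pppd log lines and
# flag the "every address request rejected" failure mode.  Logs are constructed.
import re

LINE = re.compile(r'^(?P<ts>.+?) : (?P<msg>.*)$')
IPCP = re.compile(r'^(?P<dir>sent|rcvd) \[IPCP (?P<code>Conf\w+) id=0x[0-9a-f]+(?P<rest>.*)\]$')

# Constructed: NAS without a pool keeps rejecting the address option.
FAILING = """\
Tue May 26 23:21:13 2009 : PAP authentication succeeded
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x1 addr 0.0.0.0 ms-dns1 0.0.0.0 ms-dns3 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfReq id=0x1 addr 192.168.7.1]
Tue May 26 23:21:13 2009 : sent [IPCP ConfAck id=0x1 addr 192.168.7.1]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x1 addr 0.0.0.0 ms-dns3 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x2 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x2 addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x3 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x3 addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : IPCP: Maximum Config-Requests exceeded
Tue May 26 23:21:13 2009 : sent [LCP TermReq id=0x3 No network protocols running]
Tue May 26 23:21:14 2009 : Connection terminated.
"""

# Constructed: NAS with a pool NAKs our 0.0.0.0 with a real address, then ACKs it.
WORKING = """\
Tue May 26 23:26:48 2009 : PAP authentication succeeded
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x1 addr 0.0.0.0 ms-dns1 0.0.0.0 ms-dns3 0.0.0.0]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfReq id=0x1 addr 192.168.7.1]
Tue May 26 23:26:48 2009 : sent [IPCP ConfAck id=0x1 addr 192.168.7.1]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfRej id=0x1 ms-dns3 0.0.0.0]
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x2 addr 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfNak id=0x2 addr 172.16.30.9 ms-dns1 10.2.2.2]
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x3 addr 172.16.30.9 ms-dns1 10.2.2.2]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfAck id=0x3 addr 172.16.30.9 ms-dns1 10.2.2.2]
Tue May 26 23:26:48 2009 : ipcp: up
Tue May 26 23:26:48 2009 : local IP address 172.16.30.9
Tue May 26 23:26:48 2009 : remote IP address 192.168.7.1
"""


def analyze_ipcp(log_text):
    """Summarise the IPCP address negotiation found in pppd log lines."""
    summary = {'confreq_sent': 0, 'addr_rejected': 0, 'offered': None,
               'local_ip': None, 'status': 'unknown', 'reason': None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group('msg')
        pkt = IPCP.match(msg)
        if pkt:
            direction, code, rest = pkt.group('dir', 'code', 'rest')
            if direction == 'sent' and code == 'ConfReq':
                summary['confreq_sent'] += 1
            elif direction == 'rcvd' and code == 'ConfRej' and re.search(r'\baddrs? ', rest):
                summary['addr_rejected'] += 1       # peer refuses to negotiate our address at all
            elif direction == 'rcvd' and code == 'ConfNak':
                offered = re.search(r'\baddr (\S+)', rest)
                if offered:
                    summary['offered'] = offered.group(1)   # peer proposes an address for us
        elif msg.startswith('local IP address '):
            summary['local_ip'] = msg.rsplit(' ', 1)[1]
            summary['status'] = 'up'
        elif msg.startswith('IPCP: Maximum Config-Requests exceeded'):
            summary['status'] = 'failed'
            summary['reason'] = (f"NAS rejected the address option {summary['addr_rejected']} times; "
                                 "it had no address to assign for this session")
    return summary


if __name__ == '__main__':
    print(analyze_ipcp(FAILING))
    print(analyze_ipcp(WORKING))
```

The distinguishing signal is not the ConfRej itself (the working session also gets one, for the unsupported ms-dns3 option) but a ConfRej that carries the `addr`/`addrs` option: the peer is saying it will not negotiate an address at all, which on a NAS usually means no pool or no authorised address for that session.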
Re: Framed-IP-Address override NAS pool?
On Wed, 7 Jan 2009, t...@kalik.net wrote:

>> I now want to assign a few users different, static IPs using this:
>>
>>     testuser        Service-Type == Framed-User
>>             Framed-Protocol == PPP,
>>             Framed-IP-Address = 192.168.1.2,
>>             Framed-IP-Netmask = 255.255.255.0,
>>             Framed-Compression = Van-Jacobson-TCP-IP
>>
>> This sort of thing used to work fine with Cisco dialup NAS's and Cistron, even though the NAS had no pool using that IP range in its config...radius just forced it to override the default pool, but in this case, it just keeps assigning an IP from the NAS pool (and yes, I have the above statement ABOVE the DEFAULT statement).
>
> Is Framed-IP-Address in the Access-Accept packet? You should probably return Service-Type as well. If attribute is not in the accept packet post the debug.

It appears to be. From debug, after Login OK:

    +- entering group post-auth
    ++[exec] returns noop
            Framed-Protocol == PPP
            Framed-IP-Address = 192.168.1.2    (The address I want)
            Framed-IP-Netmask = 255.255.255.0
            Framed-Compression = Van-Jacobson-TCP-IP
    Finished request 1.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 1 ID 195 with timestamp +79
    Ready to process requests.

However, that is not the IP that my client shows...it shows 192.168.0.2, which is from the pool defined in the Cisco router's config. It seems to be overriding the radius users' config.

James Smallacombe                PlantageNet, Inc. CEO and Janitor
u...@3.am                                         http://3.am
RE: Framed-IP-Address override NAS pool?
On Wed, 7 Jan 2009, Jeff Crowe wrote:

> I was running into this problem on my Redback. The issue was the Redback wanted an IP address in the same subnet so I had to setup 192.168.1.1/24 as a sub interface to allow subscribers to be assigned addresses in the 192.168.1.x/24 range. My Shasta was completely different and would allow any IP address to be returned via radius and it would allow the IP to be used.

Ok, I just tried assigning a secondary IP from that subnet to faste0/0, since I can't assign secondary IPs to the VirtualTemplate I/F, since it's IP unnumbered eth0/0. No go.

What I would expect from the Cisco, judging from my past experience with AS5200s, is for it to allow radius to assign whatever address it wants, but simply not route it until I fix that part of it, which is fine.

One fix I would think would start to work would be to simply add this new subnet to the pool on the Cisco. However, then the DEFAULT users would start to assign from that pool as well, unless I figure out a way to force it to assign from the first subnet. If there's a way to force that, I'd appreciate pointers.

I saw the ippool option, but I'm not clear how that co-exists with the pool already configured on the Cisco. Perhaps you need both, it's just not clear to me.

James Smallacombe                PlantageNet, Inc. CEO and Janitor
u...@3.am                                         http://3.am
ippools; wasRE: Framed-IP-Address override NAS pool?
Sorry for the top-post, but I'm replying to myself and I want to keep my questions clear.

I tried creating two different ippools in the radiusd.conf using the different ranges I want to use, but the client ignored it and went only to the pool that the Cisco has. I then changed the Cisco pool to include the entire range of IPs from both pools, but it still doesn't seem to recognize the FreeRadius pools, and defaults to whatever the first IP is in the Cisco pool.

I find the examples given in the radiusd.conf a little incomplete, but this is what I tried (IPs given are just examples)

    ippool users_pool {
        range-start = 172.16.1.2
        range-stop = 172.16.30.253
        netmask = 255.255.255.0
        cache-size = 251
        session-db = ${db_dir}/db.ippool
        ip-index = ${db_dir}/db.ipindex
        override = yes
    }

    ippool admin_pool {
        range-start = 172.16.30.2
        range-stop = 172.16.30.253
        netmask = 255.255.255.0
        cache-size = 251
        session-db = ${db_dir}/db.ippool
        ip-index = ${db_dir}/db.ipindex
        override = yes
    }

The above seems to be clear from the example...but the example for the raddb/users file is incomplete...here is what I tried:

    testuser        Service-Type == Framed-User
            Group == users, Pool-Name := users_pool,
            Framed-Protocol == PPP,
            Framed-IP-Address = 172.16.1.2,
            Framed-IP-Netmask = 255.255.255.0,
            Framed-Compression = Van-Jacobson-TCP-IP

I'm a little unclear about the Group attribute above, and whether it pertains to unix groups at all, which I haven't done anything to yet.

In any case, any pointers on how to make different users use different IP pools would be greatly appreciated.

On Wed, 7 Jan 2009, u...@3.am wrote:

> On Wed, 7 Jan 2009, Jeff Crowe wrote:
>
>> I was running into this problem on my Redback. The issue was the Redback wanted an IP address in the same subnet so I had to setup 192.168.1.1/24 as a sub interface to allow subscribers to be assigned addresses in the 192.168.1.x/24 range. My Shasta was completely different and would allow any IP address to be returned via radius and it would allow the IP to be used.
>
> Ok, I just tried assigning a secondary IP from that subnet to faste0/0, since I can't assign secondary IPs to the VirtualTemplate I/F, since it's IP unnumbered eth0/0. No go.
>
> What I would expect from the Cisco, judging from my past experience with AS5200s, is for it to allow radius to assign whatever address it wants, but simply not route it until I fix that part of it, which is fine.
>
> One fix I would think would start to work would be to simply add this new subnet to the pool on the Cisco. However, then the DEFAULT users would start to assign from that pool as well, unless I figure out a way to force it to assign from the first subnet. If there's a way to force that, I'd appreciate pointers.
>
> I saw the ippool option, but I'm not clear how that co-exists with the pool already configured on the Cisco. Perhaps you need both, it's just not clear to me.
>
> James Smallacombe                PlantageNet, Inc. CEO and Janitor
> u...@3.am                                         http://3.am

James Smallacombe                PlantageNet, Inc. CEO and Janitor
u...@3.am                                         http://3.am
Framed-IP-Address override NAS pool?
Hi:

In my years running a dialup ISP, I used Cistron Radius and Cisco and Lucent NAS's. I am now using FreeRadius and a Cisco router to authenticate pptp VPN users. The default IP address pool is defined in the Cisco like this (parsed):

    interface Virtual-Template1
     peer default ip address pool vpnpool
     no keepalive
     ppp encrypt mppe auto
    !
    ip local pool vpnpool 192.168.0.1 192.168.0.254

That works fine authenticating unix system users using this raddb/users config (one of the supplied samples):

    DEFAULT Framed-Protocol == PPP
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP

I now want to assign a few users different, static IPs using this:

    testuser        Service-Type == Framed-User
            Framed-Protocol == PPP,
            Framed-IP-Address = 192.168.1.2,
            Framed-IP-Netmask = 255.255.255.0,
            Framed-Compression = Van-Jacobson-TCP-IP

This sort of thing used to work fine with Cisco dialup NAS's and Cistron, even though the NAS had no pool using that IP range in its config...radius just forced it to override the default pool, but in this case, it just keeps assigning an IP from the NAS pool (and yes, I have the above statement ABOVE the DEFAULT statement).

Is there something else that needs to be done to allow this?

Thanks in advance!

James Smallacombe                PlantageNet, Inc. CEO and Janitor
u...@3.am                                         http://3.am
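Added example (not from this thread and not rlm_files' code): a Python model of how the `users` file above is matched, which shows why the testuser entry has to sit before DEFAULT and why it only fires when every check item on its first line is present in the request. The format is the one documented for the file: the first line of an entry carries the name and the check items (`==` compares against the request, `:=` sets a control item such as the Pool-Name used in the "ippools" message further up), the indented lines carry reply items written with `=`, and the first matching entry wins unless it carries `Fall-Through = Yes`. The entries and requests below are constructed samples; the entries mirror the ones in this message, with reply items written with `=`.

```python
# Added example: a small model of FreeRADIUS `users` file matching.  Entries and
# requests are constructed samples; this is not the server's parser.
import re

USERS_FILE = """\
testuser        Service-Type == Framed-User
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.1.2,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Compression = Van-Jacobson-TCP-IP

adminuser       Pool-Name := admin_pool
        Framed-Protocol = PPP

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
"""

ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*"?([^"]*?)"?')


def parse_items(text):
    """'A == x, B = y' -> [('A', '==', 'x'), ('B', '=', 'y')]."""
    items = []
    for part in text.split(','):
        part = part.strip()
        if not part:
            continue
        m = ITEM.fullmatch(part)
        if not m:
            raise ValueError(f'cannot parse item {part!r}')
        items.append(m.groups())
    return items


def parse_users(text):
    """Split a users file into entries: name, check items (first line), reply items (indented)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':                       # indented: reply items for the current entry
            entries[-1]['reply'].extend(parse_items(raw))
        else:                                     # flush left: a new entry
            m = re.match(r'(\S+)\s*(.*)', raw)
            entries.append({'name': m.group(1), 'check': parse_items(m.group(2)), 'reply': []})
    return entries


def match_request(entries, request):
    """Walk the entries in file order; return (names matched, control items, reply items)."""
    matched, control, reply = [], {}, {}
    for entry in entries:
        if entry['name'] != 'DEFAULT' and entry['name'] != request.get('User-Name'):
            continue
        if any(op == '==' and request.get(attr) != value
               for attr, op, value in entry['check']):
            continue                              # a check item did not match: entry skipped
        matched.append(entry['name'])
        control.update({a: v for a, op, v in entry['check'] if op == ':='})
        reply.update({a: v for a, _, v in entry['reply'] if a != 'Fall-Through'})
        if not any(a == 'Fall-Through' and v.lower() == 'yes' for a, _, v in entry['reply']):
            break                                 # first match wins
    return matched, control, reply


def demo():
    entries = parse_users(USERS_FILE)
    full = {'User-Name': 'testuser', 'Service-Type': 'Framed-User', 'Framed-Protocol': 'PPP'}
    no_service_type = {'User-Name': 'testuser', 'Framed-Protocol': 'PPP'}
    return {
        'testuser': match_request(entries, full),
        'testuser_without_service_type': match_request(entries, no_service_type),
        'adminuser': match_request(entries, {'User-Name': 'adminuser', 'Framed-Protocol': 'PPP'}),
        'bob': match_request(entries, {'User-Name': 'bob', 'Framed-Protocol': 'PPP'}),
        # Same entries with DEFAULT moved to the top: it now swallows testuser as well.
        'testuser_default_first': match_request(entries[::-1], full),
    }


if __name__ == '__main__':
    for label, result in demo().items():
        print(label, result)
```

Two things the model makes visible: a NAS that does not send Service-Type makes the testuser entry silently fail its check and fall through to DEFAULT, so the static address never reaches the Access-Accept; and with DEFAULT listed first, testuser never reaches its own entry at all. The server's debug line `users: Matched entry testuser at line 172` is the quick way to confirm which entry actually fired.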
PAM, ms-chap and shadow passwords
I understand that radius authenticating ppp (PPTP in this case) connections against shadow passwords requires cleartext authentication (PAP). Does PAM allow you to work around this? From reading what I can find on PAM, it would seem that FreeRADIUS would pass off the authentication request to PAM and PAM could then take care of the crypt/decrypt, thus allowing CHAP or MSCHAP client authentication against shadow passwords. Is this correct?

TIA,

James Smallacombe                PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED]                                 http://3.am