Minor update glitch in FR 2.1.12 rpm (CentOS/RH)

2012-05-09 Thread up
Just an FYI (sorry if this has already been covered):

If you update FR via yum in CentOS or RedHat, as is usual practice with RPMs, conf
files that have been modified are not overwritten, so the new version is installed
with an .rpmnew suffix.

This works great for most of the config files, but not the modules.  For some
reason, the .rpmnew module file is loaded instead of the original one:

including configuration file /etc/raddb/modules/ldap.rpmnew

The original module is there, but not loaded at run time...perhaps because it sees
the .rpmnew one first?

Fixing it is trivial, of course, once you see what the problem is, but I thought
perhaps the rpm maintainers or FR developers might want to be made aware of it.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
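A post-update check for the situation described above, added here as an example (it is not code from the original post or from the FreeRADIUS project). It assumes the configuration directory is read with a directory-wide include, as raddb/modules/ is, so that a leftover ldap.rpmnew is parsed next to the locally edited ldap file; the sample directory it builds is constructed for the demo.

```python
#!/usr/bin/env python3
"""Find stray package-manager copies (.rpmnew, .rpmsave, .rpmorig) in a
configuration directory that a daemon includes wholesale.

Added example, not from the original post or from FreeRADIUS. It assumes
the directory is read with a directory-wide include (as raddb/modules/ is),
so every file in it, including a leftover ldap.rpmnew, gets parsed.
"""
import os
import tempfile
from pathlib import Path

# Suffixes rpm leaves behind when a packaged config file was modified locally.
RPM_SUFFIXES = (".rpmnew", ".rpmsave", ".rpmorig")


def find_stray_rpm_copies(conf_dir):
    """Return a sorted list of (stray_file, original_file, original_exists)
    for every rpm-suffixed file directly under conf_dir."""
    found = []
    for entry in sorted(Path(conf_dir).iterdir()):
        if not entry.is_file():
            continue
        for suffix in RPM_SUFFIXES:
            if entry.name.endswith(suffix):
                original = entry.with_name(entry.name[: -len(suffix)])
                found.append((entry.name, original.name, original.exists()))
                break
    return found


def report(conf_dir):
    """Human-readable lines, one per stray file, for a post-update check."""
    lines = []
    for stray, original, exists in find_stray_rpm_copies(conf_dir):
        state = "original present" if exists else "original missing"
        lines.append(f"{conf_dir}/{stray}: shadows {original} ({state})")
    return lines


def demo():
    """Build a constructed modules/ directory in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        modules = Path(tmp) / "modules"
        modules.mkdir()
        # Constructed sample: a locally edited module plus the rpm-supplied copy.
        (modules / "ldap").write_text("ldap {\n\tserver = ldap1.example\n}\n")
        (modules / "ldap.rpmnew").write_text("ldap {\n\tserver = localhost\n}\n")
        (modules / "pap").write_text("pap {\n}\n")
        return find_stray_rpm_copies(modules)


if __name__ == "__main__":
    target = "/etc/raddb/modules"   # assumed location of the modules directory
    if os.path.isdir(target):
        for line in report(target):
            print(line)
    else:
        print(demo())   # [('ldap.rpmnew', 'ldap', True)]
```

Run it after every `yum update` of the server package; any line it prints names a file that the directory include will load alongside the intended one and that should be merged into the original and removed.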


Pool-Name attribute issue WAS Re: Unknown Auth-Type LDAP in authenticate sub-section

2012-03-12 Thread up
 On Sat, Mar 10, 2012 at 5:29 AM,  u...@3.am wrote:
 So to save lots of time and configuration problem: does your LDAP
 store user passwords in clear text or any common hash (e.g. md5,
 unix)? If yes, AND you know what the LDAP attribute is, you don't even
 need an LDAP section in authenticate.

 Mostly crypt, but I've seen a few SSHA hashes.  I know the ldap attribute as
 well.  Assuming those hashes are common enough, what do I need to do?

 If the hash is supported (see
 http://wiki.freeradius.org/Protocol%20Compatibility) , you only need
 to make sure FR sees it in the right place. See ldap.attrmap.


 I should point out that I had been using:

 DEFAULT         Auth-Type = Ldap

 In the users file as well on the two older servers, despite docs that say that it
 is almost always wrong, but it was the only way we got it working.


 If you have the attribute, and the hash is supported, you shouldn't need that.

I've taken that out on the new, 2.1.12 install and now a typical DEFAULT entry
looks like this:

DEFAULT Group == FOO, Pool-Name :=FOO_pool

It seems to instantiate the module ok:

 Module: Linked to module rlm_ippool
 Module: Instantiating module FOO_pool from file /usr/etc/raddb/radiusd.conf
  ippool FOO_pool {
session-db = /usr/etc/raddb/db.FOO_ippool
ip-index = /usr/etc/raddb/db.FOO_ipindex
key = %{NAS-IP-Address} %{NAS-Port}
range-start = 172.17.0.101
range-stop = 172.17.0.253
netmask = 255.255.255.0
cache-size = 251
override = yes
maximum-timeout = 0

The Access-Request packet looks ok:

Framed-Protocol = PPP
User-Name = someuser
User-Password = somepassword
NAS-Port-Type = Virtual
NAS-Port = 2
NAS-Port-Id = Uniq-Sess-ID2
Service-Type = Framed-User
NAS-IP-Address = some pptp cisco device

LDAP authentication then succeeds as it should.

[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = ldap1

LDAP bind is then successful as it should be, but then:

# Executing section post-auth from file /usr/etc/raddb/sites-enabled/default
[FOO_pool] Could not find Pool-Name attribute.
++[FOO_pool] returns noop


I assume I must be doing something wrong now with the users file entry.  The old,
working one was this:

DEFAULT Group == FOO, Pool-Name :=FOO_pool, Auth-Type = Ldap
Framed-Protocol == PPP,
Framed-Compression = Van-Jacobson-TCP-IP

The new one is currently:

DEFAULT Group == FOO, Pool-Name :=FOO_pool

I have tried the Framed-Protocol=PPP (is this still desired for PPTP, BTW?), I
have tried setting:

Service-Type = Framed-User

At the beginning and end of the line, same for Login-User, but the Could not
find Pool-Name attribute persists.  The config files are all the same as the
older versions (2.1.09-.10).  The pool name is listed in the accounting and
post-auth sections of sites-enabled/default.

Appreciate any clues as to what I missed.



Re: Pool-Name attribute issue WAS Re: Unknown Auth-Type LDAP in authenticate sub-section

2012-03-12 Thread up
 On 12/03/12 15:44, u...@3.am wrote:


 DEFAULT Group == FOO, Pool-Name :=FOO_pool

 Group is probably empty. I can't remember what module, if any, fills
 it out.

 What do you *think* Group will contain? It won't contain LDAP groups.

I was about to post about this..I just did a test with this entry:

someuser        Pool-Name := FOO_pool

And it got an IP from the pool just fine, so you're right, the problem lies with
Group.  It is a legacy entry, left over from before we switched from PAM/unix to
LDAP.  It continued to work even after removing all of the unix group entries and
still continues to work when we add new LDAP groups and LDAP users to that group.

How it gets that is something I don't know...there's no ldap.attrmap entry for it
on the older, working servers.  I take it I will need to map the LDAP attribute
PosixGroup to something?


Re: Pool-Name attribute issue WAS Re: Unknown Auth-Type LDAP in authenticate sub-section

2012-03-12 Thread up
 Hi,

  DEFAULT Group == FOO, Pool-Name :=FOO_pool

 Group is probably empty. I can't remember what module, if any, fills
 it out.

 #  The Group and Group-Name attributes are automatically created by
 #  the Unix module, and do checking against /etc/group automatically.
 #  This means that you CANNOT use Group or Group-Name to do any other
 #  kind of grouping in the server.  You MUST define a new group
 #  attribute.

 ...that's probably the one :-)

...and you just hit on something that solved the problem.  It seems that FR was
getting the group info from LDAP indirectly, through the PAM module, which was
configured using authconfig.  Running authconfig pointing to the local LDAP server
solved the problem.

/etc/pam.d/system-auth
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

Dovecot, sshd and other apps transparently use LDAP this way.  I didn't think FR
did (and maybe it doesn't completely), because I seem to recall trying to get it
to work on an older version (using Auth-type=PAM) that way with no luck...but that
was a while ago.


Re: Unknown Auth-Type LDAP in authenticate sub-section

2012-03-10 Thread up
 On Sat, Mar 10, 2012 at 10:47 AM,  u...@3.am wrote:
 Both hashes are supported, thanks for the link.  I assume I need to define
 something to map to, as well?  Like this:

 raddb/dictionary:  ATTRIBUTE        userPassword   3004        string

 err... no.


 raddb/ldap.attrmap:  checkItem   User-Password          userPassword

 Is your LDAP attribute storing the password called userPassword? If
 yes, you shouldn't need to do anything as it's already mapped to the
 correct attribute on ldap.attrmap

 checkItem   Password-With-Header    userPassword

Ah...it seems that my ldap.attrmap is from an older version of FreeRadius that
didn't have it.  I had copied it over to the new raddb/ because I now have those
custom POSIX expiry attributes that you and others helped me with.

We generally try to use the entire existing raddb/ dir when we upgrade FR, because
our configuration has gotten pretty complex (to us, anyway), but I guess this
isn't always a good idea.

Thanks again for your help!

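What the server has to do with a userPassword value once it is mapped to Password-With-Header, shown as an added example (this is not FreeRADIUS code and not the list posters' code): split off the RFC 2307 style scheme header, then verify a candidate password under that scheme. Only the salted and unsalted SHA-1 schemes are covered here; {CRYPT}, which the poster mostly has, is left out because it needs the platform crypt(3). The sample hashes are constructed inside the block.

```python
#!/usr/bin/env python3
"""Verify an LDAP userPassword value that carries an RFC 2307 style scheme
header ({SSHA}, {SHA}, {CLEARTEXT}), the check a RADIUS server must perform
when it receives the stored hash as Password-With-Header and a PAP request.

Added example, not FreeRADIUS code. {CRYPT} is deliberately unsupported
here; an unknown scheme is never accepted.
"""
import base64
import hashlib
import hmac

SHA1_LEN = 20


def split_header(stored):
    """Return (scheme, payload) for '{SCHEME}payload'; scheme is upper-cased.
    A value without a header is returned as (None, value)."""
    if not stored.startswith("{") or "}" not in stored:
        return None, stored
    close = stored.index("}")
    return stored[1:close].upper(), stored[close + 1:]


def make_sha(password):
    """Build an {SHA} value: base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def make_ssha(password, salt):
    """Build an {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(stored, candidate):
    """True if candidate matches the stored value under its header's scheme."""
    scheme, payload = split_header(stored)
    if scheme is None or scheme == "CLEARTEXT":
        # No header: the directory stores the password in clear text.
        return hmac.compare_digest(payload.encode(), candidate.encode())
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if scheme == "SHA":
        expected = hashlib.sha1(candidate.encode()).digest()
        return hmac.compare_digest(raw, expected)
    if scheme == "SSHA":
        if len(raw) <= SHA1_LEN:
            return False        # no salt bytes after the digest
        salt = raw[SHA1_LEN:]
        expected = hashlib.sha1(candidate.encode() + salt).digest()
        return hmac.compare_digest(raw[:SHA1_LEN], expected)
    return False                # unsupported scheme: never accept


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    stored = make_ssha("correct horse", b"8 byte salt"[:8])
    print(stored, verify(stored, "correct horse"), verify(stored, "wrong"))
```

Note the two failure modes a practitioner cares about: a malformed base64 payload and an unrecognised scheme both return False rather than raising, so a bad directory entry produces a clean reject instead of an exception in the authorize path.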


Unknown Auth-Type LDAP in authenticate sub-section

2012-03-09 Thread up
Hi:

Trying to set up a new RADIUS 2.1.12 server with LDAP.  It configured and built
all the modules I need, including rlm_ldap, once I installed the dependencies.  I
took all of the same config files that I have working on servers running 2.1.9 and
2.1.10, but 2.1.12 rlm_ldap doesn't seem to finish instantiating.  Here's most of
the debug:


FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on Mar  8 2012 at 21:44:43
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/etc/raddb/radiusd.conf
including configuration file /usr/etc/raddb/clients.conf
including configuration file /usr/etc/raddb/eap.conf
including configuration file /usr/etc/raddb/policy.conf
including files in directory /usr/etc/raddb/sites-enabled/
including configuration file /usr/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/etc/raddb/sites-enabled/default
main {
user = root
group = wheel
allow_core_dumps = no
}
including dictionary file /usr/etc/raddb/dictionary
main {
name = radiusd
prefix = /usr
localstatedir = /usr/var
sbindir = /usr/sbin
logdir = /var/log/radius
run_dir = /usr/var/run/radiusd
libdir = /usr/lib
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /usr/var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = no
 log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 5
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
radiusd:  Loading Clients 
 client localhost {
SNIP CLIENTS

radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module exec from file /usr/etc/raddb/radiusd.conf
  exec {
wait = yes
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module expr from file /usr/etc/raddb/radiusd.conf
 Module: Linked to module rlm_expiration
 Module: Instantiating module expiration from file /usr/etc/raddb/radiusd.conf
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module logintime from file /usr/etc/raddb/radiusd.conf
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server { # from file /usr/etc/raddb/radiusd.conf
 modules {
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module pap from file /usr/etc/raddb/radiusd.conf
  pap {
encryption_scheme = auto
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module chap from file /usr/etc/raddb/radiusd.conf
 Module: Linked to module rlm_mschap
 Module: Instantiating module mschap from file /usr/etc/raddb/radiusd.conf
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
  }
 Module: Linked to module rlm_pam
 Module: Instantiating module pam from file /usr/etc/raddb/radiusd.conf
  pam {
pam_auth = radiusd-auth
  }
 Module: Linked to module rlm_unix
 Module: Instantiating module unix from file /usr/etc/raddb/radiusd.conf
  unix {
radwtmp = /var/log/radius/radwtmp
  }
 Module: Linked to module rlm_ldap
 Module: Instantiating module ldap1 from file /usr/etc/raddb/radiusd.conf
  ldap ldap1 {
server = ldap1.domain.com
port = 389
password = 
identity = 
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = allow
   tls {
start_tls = no
require_cert = allow
   }
basedn = dc=domain,dc=com
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
base_filter = (objectclass=radiusprofile)
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = cn
groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
dictionary_mapping = /usr/etc/raddb/ldap.attrmap
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes

Re: Unknown Auth-Type LDAP in authenticate sub-section

2012-03-09 Thread up
 u...@3.am wrote:
 Trying to set up a new RADIUS 2.1.12 server with LDAP.  It configured and built
 all the modules I need, including rlm_ldap, once I installed the dependencies.
 I took all of the same config files that I have working on servers running 2.1.9
 and 2.1.10, but 2.1.12 rlm_ldap doesn't seem to finish instantiating.  Here's
 most of the debug:

   You edited the default configuration and broke it.

   You deleted the default ldap module.  You added ldap1 and ldap2.

   Then, the authenticate section refers to ldap, which doesn't exist.

   Make sure that you refer to modules which exist.

That's the first thing I checked in raddb/sites-available/default but ldap is
commented out in the auth (and accounting) section.  Here is what I have, which is
at this point the entire raddb directory lifted out of two older versions that
are running fine:

authorize {

preprocess
redundant LDAP{
ldap1
ldap2
}


#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
#   ldap

authenticate {

#Auth-Type LDAP {
redundant LDAP{
ldap1
ldap2

}

accounting {

#  Un-comment the following if you have set
#  'edir_account_policy_check = yes' in the ldap module sub-section of
#  the 'modules' section.
#
#   ldap

HOWEVER, I do refer to the ldap module in the radiusd.conf, but this is how I got
it working with redundant LDAP servers in the first place.

ldap ldap1{

server = ldap1.domain.com
basedn = dc=domain,dc=com
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1

ldap ldap2{
server =ldap2.domain.com
basedn = dc=domain,dc=com
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1

This is how I understood to define more than one ldap source and it does work on 2
older servers, as I noted.  Is there something outside of raddb that I missed?

Thanks again!




Re: Unknown Auth-Type LDAP in authenticate sub-section

2012-03-09 Thread up
 u...@3.am wrote:
 Trying to set up a new RADIUS 2.1.12 server with LDAP.  It configured and built
 all the modules I need, including rlm_ldap, once I installed the dependencies.
 I took all of the same config files that I have working on servers running 2.1.9
 and 2.1.10, but 2.1.12 rlm_ldap doesn't seem to finish instantiating.  Here's
 most of the debug:

   You edited the default configuration and broke it.

   You deleted the default ldap module.  You added ldap1 and ldap2.

   Then, the authenticate section refers to ldap, which doesn't exist.

   Make sure that you refer to modules which exist.

 That's the first thing I checked in raddb/sites-available/default but ldap is
 commented out in the auth (and accounting) section.  Here is what I have, which is
 at this point the entire raddb directory lifted out of two older versions that
 are running fine:

 authorize {

   preprocess
   redundant LDAP{
   ldap1
   ldap2
   }


 #  The ldap module will set Auth-Type to LDAP if it has not
 #  already been set
 #   ldap

 authenticate {

   #Auth-Type LDAP {
   redundant LDAP{
   ldap1
   ldap2

   }

 accounting {

   #  Un-comment the following if you have set
 #  'edir_account_policy_check = yes' in the ldap module sub-section of
   #  the 'modules' section.
 #
 #   ldap

 HOWEVER, I do refer to the ldap module in the radiusd.conf, but this is how I got
 it working with redundant LDAP servers in the first place.
net_timeout = 1

Sorry, I inadvertently gave incomplete ldap module configs for ldap1 and 2..here
is a complete one:

ldap ldap2 {
    server = ldap2.domain.com
    basedn = dc=domain,dc=com
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1

    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = no
}


I did try set_auth_type = yes for gags, but no go.



Re: Unknown Auth-Type LDAP in authenticate sub-section

2012-03-09 Thread up
 On Sat, Mar 10, 2012 at 3:23 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On Fri, Mar 09, 2012 at 10:59:46AM -0500, u...@3.am wrote:

 authenticate {

        #Auth-Type LDAP {
        redundant LDAP{
                ldap1
                ldap2

        }


 Using ldap in the authenticate section is a bit tricky, and you'd be wise
 to avoid it if you can - if the LDAP server will give you the password
 (plaintext or crypted) you're better off doing that in authorize and
 letting FreeRADIUS perform the auth using rlm_pap or whatever.

 Yes.

 So to save lots of time and configuration problem: does your LDAP
 store user passwords in clear text or any common hash (e.g. md5,
 unix)? If yes, AND you know what the LDAP attribute is, you don't even
 need an LDAP section in authenticate.

Mostly crypt, but I've seen a few SSHA hashes.  I know the ldap attribute as
well.  Assuming those hashes are common enough, what do I need to do?

I should point out that I had been using:

DEFAULT Auth-Type = Ldap

In the users file as well on the two older servers, despite docs that say that it
is almost always wrong, but it was the only way we got it working.

I switched the conf files to the way Phil suggested and it complained about what I
was doing in the users file, so I just used the sample users file and it started
ok.  I've not been able to test authenticating against it yet.



Re: Unknown Auth-Type LDAP in authenticate sub-section

2012-03-09 Thread up
 On Sat, Mar 10, 2012 at 5:29 AM,  u...@3.am wrote:
 So to save lots of time and configuration problem: does your LDAP
 store user passwords in clear text or any common hash (e.g. md5,
 unix)? If yes, AND you know what the LDAP attribute is, you don't even
 need an LDAP section in authenticate.

 Mostly crypt, but I've seen a few SSHA hashes.  I know the ldap attribute as
 well.  Assuming those hashes are common enough, what do I need to do?

 If the hash is supported (see
 http://wiki.freeradius.org/Protocol%20Compatibility) , you only need
 to make sure FR sees it in the right place. See ldap.attrmap.

Both hashes are supported, thanks for the link.  I assume I need to define
something to map to, as well?  Like this:

raddb/dictionary:  ATTRIBUTE   userPassword   3004   string

raddb/ldap.attrmap:  checkItem   User-Password  userPassword

Then I just noticed this in the ldap module (which we have in the radiusd.conf):

# password_attribute = userPassword

Do I understand correctly that I can just uncomment that and not define anything
in the dictionary or ldap.attrmap?

Again, thanks!




Re: LDAP (POSIX attributes) password expiry

2012-03-06 Thread up
 On 03/06/2012 02:10 AM, u...@3.am wrote:
 On 28/02/12 21:16, u...@3.am wrote:
 However, we just noticed that password expiry isn't working.  I suspect this is
 because we are still using all the original POSIX attributes and none of them look
 like good for mapping to the ones supplied by FreeRADIUS.  I see:

 checkItem   Expiration  radiusExpiration

 Our LDAP attributes use the following POSIX attributes to determine expiry:

 shadowMax: 90
 shadowLastChange: 15215

 Other replies should have convinced you that there's no built-in support for
 this. You will need to either:

   1. Arrange for a FreeRADIUS-ready radiusExpiration attribute to be
 set in LDAP alongside the POSIX/shadow schemas

   2. Synthesize an Expiration attribute, or otherwise locally check the
 POSIX/shadow attributes.

 One way you might accomplish the 2nd is as follows:

 == Create some local RADIUS attributes for the shadow values ==

 /etc/raddb/dictionary:

 ATTRIBUTE   Shadow-Max-Age      3000    integer
 ATTRIBUTE   Shadow-Last-Change  3001    integer
 ATTRIBUTE   Shadow-Expires      3002    integer
 ATTRIBUTE   Shadow-Current      3003    integer

 /etc/raddb/ldap.attrmap:

 checkItem   Shadow-Max-Age      shadowMax
 checkItem   Shadow-Last-Change  shadowLastChange

 == Read these attributes from LDAP, then perform some maths ==

 /etc/raddb/sites-enabled/server:

 authorize {
   ...
   ldap
   update control {
     Shadow-Expires := %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}
     Shadow-Current := %{expr:%l / 86400}
   }
   if (control:Shadow-Current > control:Shadow-Expires) {
     reject
   }
   ...
 }

 Hopefully it's clear what this does, but basically:

   1. Pulls last-change & max-age from LDAP
   2. Adds them together, to get expiry (in days since epoch)
   3. Divides %l (epoch) by 86400 to get today, in days since epoch
   4. Compares them

 It looks to me like it should do all of those things swimmingly...however, I am
 running into an issue that looks like it might be because we run redundant LDAP
 servers.  I put your 'update control' here, in the authorize :

 redundant LDAP{
   ldap1
   ldap2
   update control {ETC
   }
 }


 Ok, so do:

redundant {
  ldap1
  ldap2
}
update control {
 ..
}


Ok, that got it starting and it looks tantalizingly close, but somehow
Shadow-Expires isn't getting parsed:

++- entering group LDAP {...}
[ldap1] performing user authorization for ldaptestuser
[ldap1] WARNING: Deprecated conditional expansion :-.  See man unlang for details
[ldap1] ... expanding second conditional
[ldap1] expand: %{User-Name} -> ldaptestuser
[ldap1] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=ldaptestuser)
[ldap1] expand: dc=domain,dc=com -> dc=domain,dc=com
  [ldap1] ldap_get_conn: Checking Id: 0
  [ldap1] ldap_get_conn: Got Id: 0
  [ldap1] performing search in dc=domain,dc=com, with filter (uid=ldaptestuser)
[ldap1] looking for check items in directory...
  [ldap1] shadowLastChange -> Shadow-Last-Change == 15215
  [ldap1] shadowMax -> Shadow-Max-Age == 90
[ldap1] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the user
is configured correctly?
[ldap1] user ldaptestuser authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
+++[ldap1] returns ok
++- group LDAP returns ok
expand: %{control:Shadow-Last-Change} + %{control:Shadow-Max-Age} -> 15215 + 90
expand: %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}} -> 15305
expand: %l / 86400 -> 1331041623 / 86400
expand: %{expr:%l / 86400} -> 15405
++[control] returns ok
++? if (control:Shadow-Current > control:Shadow-Expires)
Failed parsing control:Shadow-Expires: Unknown value control:Shadow-Expires for
attribute Shadow-Current

---

To make sure I got the mapping and dictionary definitions right, here's what I
have (pretty much just copied and pasted from you):

[root@host]# grep -i shadow /etc/raddb/dictionary
ATTRIBUTE   Shadow-Max-Age      3000    integer
ATTRIBUTE   Shadow-Last-Change  3001    integer
ATTRIBUTE   Shadow-Expires      3002    integer
ATTRIBUTE   Shadow-Current      3003    integer
[root@host]# grep -i shadow /etc/raddb/ldap.attrmap
checkItem   Shadow-Max-Age      shadowMax
checkItem   Shadow-Last-Change  shadowLastChange




Re: LDAP (POSIX attributes) password expiry SOLVED

2012-03-06 Thread up
 On Tue, Mar 6, 2012 at 9:20 PM,  u...@3.am wrote:

 ++? if (control:Shadow-Current > control:Shadow-Expires)
 Failed parsing control:Shadow-Expires: Unknown value control:Shadow-Expires
 for attribute Shadow-Current

 Try

 if (control:Shadow-Current > %{control:Shadow-Expires})


That did it!  Thank you Fajar, Phil and Alan!  It never ceases to amaze me the
things that can be done with FreeRADIUS that would have been unthinkable with
Cistron or Livingston.  For anyone else interested, I'll paste the final
modifications here (unwrap lines, of course):

raddb/sites-available/servername:

  update control {
    Shadow-Expires := %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}
    Shadow-Current := %{expr:%l / 86400}
  }
  if (control:Shadow-Current > %{control:Shadow-Expires}) {
    reject
  }
--

raddb/dictionary:

ATTRIBUTE   Shadow-Max-Age      3000    integer
ATTRIBUTE   Shadow-Last-Change  3001    integer
ATTRIBUTE   Shadow-Expires      3002    integer
ATTRIBUTE   Shadow-Current      3003    integer
--

raddb/ldap.attrmap

checkItem   Shadow-Max-Age  shadowMax
checkItem   Shadow-Last-Change  shadowLastChange
---




Re: LDAP (POSIX attributes) password expiry

2012-03-05 Thread up
 On 28/02/12 21:16, u...@3.am wrote:

 However, we just noticed that password expiry isn't working.  I suspect this is
 because we are still using all the original POSIX attributes and none of them look
 like good for mapping to the ones supplied by FreeRADIUS.  I see:

 checkItem   Expiration  radiusExpiration

 Our LDAP attributes use the following POSIX attributes to determine expiry:

 shadowMax: 90
 shadowLastChange: 15215

 Other replies should have convinced you that there's no built-in support for
this. You will need to either:

   1. Arrange for a FreeRADIUS-ready radiusExpiration attribute to be
 set in LDAP alongside the POSIX/shadow schemas

   2. Synthesize an Expiration attribute, or otherwise locally check the
 POSIX/shadow attributes.


 One way you might accomplish the 2nd is as follows:

 == Create some local RADIUS attributes for the shadow values ==

 /etc/raddb/dictionary:

 ATTRIBUTE   Shadow-Max-Age      3000    integer
 ATTRIBUTE   Shadow-Last-Change  3001    integer
 ATTRIBUTE   Shadow-Expires      3002    integer
 ATTRIBUTE   Shadow-Current      3003    integer

 /etc/raddb/ldap.attrmap:

 checkItem Shadow-Max-Age  shadowMax
 checkItem Shadow-Last-Change  shadowLastChange

 == Read these attributes from LDAP, then perform some maths ==

 /etc/raddb/sites-enabled/server:

 authorize {
...
ldap
 update control {
   Shadow-Expires := %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}
   Shadow-Current := %{expr:%l / 86400}
 }
 if (control:Shadow-Current > control:Shadow-Expires) {
   reject
 }
...
 }

 Hopefully it's clear what this does, but basically:

   1. Pulls last-change & max-age from LDAP
   2. Adds them together, to get expiry (in days since epoch)
   3. Divides %l (epoch) by 86400 to get today, in days since epoch
   4. Compares them
 -

It looks to me like it should do all of those things swimmingly...however, I am
running into an issue that looks like it might be because we run redundant LDAP
servers.  I put your 'update control' here, in the authorize :

redundant LDAP{
ldap1
ldap2
update control {ETC
  }
}

The above allows us to define two LDAP servers in radiusd.conf.

Debug shows this error:

/usr/etc/raddb/sites-enabled/default[76]: redundant sections cannot contain a
update statement
/usr/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

I see in man unlang that redundant can only contain a list of modules.  If
that's the case, either these two things won't work together, or I am trying to
put it in the wrong place.  If I try to uncomment the ldap module further down
in the authorize section I get Failed to load module ldap (can post entire
debug if necessary).
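The expiry arithmetic Phil describes above, and the final unlang from the SOLVED message (`Shadow-Expires := shadowLastChange + shadowMax`, `Shadow-Current := %l / 86400`, reject when current is past expires), carried through in Python as an added example. This is not FreeRADIUS code and not the list posters' code. Beyond the thread it assumes shadow(5) semantics for the edge cases: an absent or negative shadowMax means the password never expires, and an absent shadowLastChange means expiry cannot be evaluated, which it treats as a reject. The sample entry and timestamp are the values that appear in the debug output above.

```python
#!/usr/bin/env python3
"""Decide whether a POSIX/shadow password has expired from the LDAP
attributes shadowLastChange and shadowMax, the arithmetic the unlang in
the thread performs with Shadow-Expires and Shadow-Current.

Added example, not FreeRADIUS code. Assumptions beyond the thread: an
absent or negative shadowMax means "never expires" (shadow(5) semantics),
an absent shadowLastChange cannot be evaluated and is rejected, and `now`
is seconds since the epoch, which is what %l expands to.
"""
import time

SECONDS_PER_DAY = 86400


def days_since_epoch(now_seconds):
    """%{expr:%l / 86400}: integer days since the epoch."""
    return int(now_seconds) // SECONDS_PER_DAY


def shadow_expiry_day(attrs):
    """Shadow-Expires := shadowLastChange + shadowMax; None if it never expires."""
    if "shadowLastChange" not in attrs:
        raise ValueError("shadowLastChange missing; cannot evaluate expiry")
    last_change = int(attrs["shadowLastChange"])
    if "shadowMax" not in attrs:
        return None                     # assumption: no maximum age set
    max_age = int(attrs["shadowMax"])
    if max_age < 0:
        return None                     # assumption: negative means no maximum
    return last_change + max_age


def password_expired(attrs, now_seconds=None):
    """True when today (in days) is past Shadow-Expires, mirroring
    `if (control:Shadow-Current > %{control:Shadow-Expires}) { reject }`."""
    if now_seconds is None:
        now_seconds = time.time()
    try:
        expires = shadow_expiry_day(attrs)
    except ValueError:
        return True                     # assumption: unknown state is a reject
    if expires is None:
        return False
    return days_since_epoch(now_seconds) > expires


def authorize_decision(attrs, now_seconds=None):
    """'reject' or 'ok', as the authorize section would return."""
    return "reject" if password_expired(attrs, now_seconds) else "ok"


# Constructed sample: the values that appear in the thread's debug output.
SAMPLE_ENTRY = {"shadowLastChange": "15215", "shadowMax": "90"}
SAMPLE_NOW = 1331041623   # %l at the time of that debug run

if __name__ == "__main__":
    print("expires on day", shadow_expiry_day(SAMPLE_ENTRY))           # 15305
    print("today is day", days_since_epoch(SAMPLE_NOW))                 # 15405
    print("decision:", authorize_decision(SAMPLE_ENTRY, SAMPLE_NOW))    # reject
```

Reproducing the debug values (15215 + 90 = 15305, 1331041623 / 86400 = 15405, so the test user is about 100 days past expiry) is a quick way to confirm the dictionary and attrmap entries are doing what the unlang expects before trusting the reject in production.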


Re: LDAP (POSIX attributes) password expiry

2012-03-04 Thread up
 u...@3.am wrote:
 I didn't ignore any response.  I have no reason to worry about whether Expiration
 will work in users because A) I'm not using users, I'm using LDAP and B) expiry
 worked fine using rlm_pam and /etc/shadow.

   Once again, you completely misunderstand my point.  This is rude.

I am sorry, I did not mean to be rude.  You're right, I misunderstood your point.

   You asked *explicitly* about the Expiration attribute.  FreeRADIUS
 implements expiration via the expiration attribute.  I gave you
 instructions for testing it.

   Your response was to assume I'm an idiot, and to ignore my attempt to
 help you.  You assumed I had no idea what you're talking about.  You
 assumed I was confused about how FreeRADIUS works.

Not at all.  I know that you know better than anyone how FreeRADIUS works.  I
thought you were understandably unclear about what I was asking, because I
obviously wasn't asking it well.

 Alan:  I have been using your software for many years, and received a lot of help
 from you and other members of this list and know you have little patience for
 requests for help that don't include adequate debug output and inclusion of
 relevant configuration information.

   No.  I have little patience for people who ask for help, and then tell
 me I'm wrong.  If you're so smart, why are you asking questions here?

   Your behavior is rude.  When I point this out, you get offended.

I wasn't offended, I was apologetic and tried to offer an explanation for my
current cognitive difficulties (perhaps you missed that part, because it was
removed in your reply).  I am a little taken aback by how much I have apparently
offended you.

 Not that I could find, hence my post here.  It looks like more clueful people than
 I have some potential workarounds, so from that standpoint, it may have paid off.

   Maybe they successfully read your mind.  I know I can't.

   I answered the question you asked.  Your response was to tell me my
 help was bullsh*t.

I never said that, come on.  Again, this is all due to my asking the wrong
question or asking it in the wrong way.  I can see why this upset you.  You took
the time to actually read my poorly put question and read debug output which
really had no relevance, since nothing is really broken. At least that's how I see
it.  Again, I am sorry.

   That behavior is antisocial.  Antisocial people get banned from this list.

Well, I hope you don't ban me.  I don't think that's happened to me in 20 years.
I am sorry that I came off as antisocial.  It was not my intention.

   Alan DeKok.


Re: LDAP (POSIX attributes) password expiry

2012-03-01 Thread up
 u...@3.am wrote:
 checkItem   Expiration  radiusExpiration
   Did you check that the LDAP module is returning this attribute for the
 query?

 No, I don't expect it to, since I don't have that attribute or anything that looks
 like it might be a good substitute.

   So... why would you ever expect that expiration will work?

I expect it would take some fiddling.  I was showing what I had done so far for
background reference.  From a couple of other responses, it appears there might be
ways to get this working.

   Did you check that Expiration works if you put it into the users file?

 I'm not worried about that...expiry worked with the old rlm_pam using Unix expiry.

   I see.  You ask for help, and you ignore the response.

I didn't ignore any response.  I have no reason to worry about whether Expiration
will work in users because A) I'm not using users, I'm using LDAP and B) expiry
worked fine using rlm_pam and /etc/shadow.

My first thought (hope) was that there was some config option in rlm_ldap that I
was missing that might be an easy fix.  I knew it was a long shot, but I didn't
see the harm in asking.

   If you do this again, you will be unsubscribed and banned.

Alan:  I have been using your software for many years, and received a lot of help
from you and other members of this list and know you have little patience for
requests for help that don't include adequate debug output and inclusion of
relevant configuration information.

I've obviously pissed you off with my reply to you and for that, I apologize.  It
was not my intention.  My cognitive ability is still recovering from a lot of
chemotherapy over the past year and this may be reflected in the way I parse and
post.

 When exporting Unix to LDAP, the expiry data was exported from /etc/shadow to the
 two LDAP attributes mentioned.  I was hoping that perhaps there was a module that
 could calculate between the two and figure out that the password was expired and
 take it from there.  I figured it a long shot but worth asking.

   Was there documentation saying that such a module existed?

Not that I could find, hence my post here.  It looks like more clueful people
than I have some potential workarounds, so from that standpoint, it may have paid
off.



Re: LDAP (POSIX attributes) password expiry

2012-03-01
 On 28/02/12 21:16, u...@3.am wrote:
 Hi:

 We've been running various versions of FreeRadius for years, currently 2.1.10
 in this application.  A while ago, we switched from PAM (unix) auth to LDAP
 auth.  Everything worked fine after the switch...POSIX attributes for group
 membership correctly allocated the right ippools, etc.

 However, we just noticed that password expiry isn't working.  I suspect this
 is because we are still using all the original POSIX attributes and none of
 them look good for mapping to the ones supplied by FreeRADIUS.  I see:

 checkItem   Expiration  radiusExpiration

 Our LDAP attributes use the following POSIX attributes to determine expiry:

 shadowMax: 90
 shadowLastChange: 15215

 Other replies should have convinced you that there's no built-in support
 for this. You will need to either:

   1. Arrange for a FreeRADIUS-ready radiusExpiration attribute to be
 set in LDAP alongside the POSIX/shadow schemas

   2. Synthesize an Expiration attribute, or otherwise locally check the
 POSIX/shadow attributes.


 One way you might accomplish the 2nd is as follows:

 == Create some local RADIUS attributes for the shadow values ==

 /etc/raddb/dictionary:

 ATTRIBUTE Shadow-Max-Age      3000    integer
 ATTRIBUTE Shadow-Last-Change  3001    integer
 ATTRIBUTE Shadow-Expires      3002    integer
 ATTRIBUTE Shadow-Current      3003    integer

 /etc/raddb/ldap.attrmap:

 checkItem Shadow-Max-Age  shadowMax
 checkItem Shadow-Last-Change  shadowLastChange

 == Read these attributes from LDAP, then perform some maths ==

 /etc/raddb/sites-enabled/server:

 authorize {
...
ldap
update control {
  Shadow-Expires := %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}
  Shadow-Current := %{expr:%l / 86400}
}
if (control:Shadow-Current > control:Shadow-Expires) {
  reject
}
...
 }

 Hopefully it's clear what this does, but basically:

   1. Pulls last-change & max-age from LDAP
   2. Adds them together, to get expiry (in days since epoch)
   3. Divides %l (epoch) by 86400 to get today, in days since epoch
   4. Compares them
 -

It's very clear...I had no idea that the ldap module could do math functions. 
This is just the kind of thing I was looking for.

Thanks!


LDAP (POSIX attributes) password expiry

2012-02-28
 = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module files from file /usr/etc/raddb/radiusd.conf
  files {
usersfile = /usr/etc/raddb/users
acctusersfile = /usr/etc/raddb/acct_users
preproxy_usersfile = /usr/etc/raddb/preproxy_users
compat = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module radutmp from file /usr/etc/raddb/radiusd.conf
  radutmp {
filename = /var/log/radius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module attr_filter.access_reject from file
/usr/etc/raddb/radiusd.conf
  attr_filter attr_filter.access_reject {
attrsfile = /usr/etc/raddb/attrs.access_reject
key = %{User-Name}
  }
 } # modules
} # server
server { # from file /usr/etc/raddb/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module preprocess from file /usr/etc/raddb/radiusd.conf
  preprocess {
huntgroups = /usr/etc/raddb/huntgroups
hints = /usr/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module acct_unique from file 
/usr/etc/raddb/radiusd.conf
  acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module detail from file /usr/etc/raddb/radiusd.conf
  detail {
detailfile = 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Linked to module rlm_ippool
 Module: Instantiating module some_pool from file /usr/etc/raddb/radiusd.conf

SNIP

  }
 Module: Instantiating module attr_filter.accounting_response from file
/usr/etc/raddb/radiusd.conf
  attr_filter attr_filter.accounting_response {
attrsfile = /usr/etc/raddb/attrs.accounting_response
key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 1812
}
listen {
type = acct
ipaddr = *
port = 1813
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.7.1 port 1645, id=225, length=97
Framed-Protocol = PPP
User-Name = ldaptest
User-Password = testing
NAS-Port-Type = Virtual
NAS-Port = 241
NAS-Port-Id = Uniq-Sess-ID241
Service-Type = Framed-User
NAS-IP-Address = 192.168.bogus
# Executing section authorize from file /usr/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering group LDAP {...}
[ldap1] performing user authorization for ldaptest
[ldap1] WARNING: Deprecated conditional expansion :-.  See man unlang for details
[ldap1] ... expanding second conditional
[ldap1] expand: %{User-Name} -> ldaptest
[ldap1] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=ldaptest)
[ldap1] expand: dc=domain,dc=com -> dc=domain,dc=com
  [ldap1] ldap_get_conn: Checking Id: 0
  [ldap1] ldap_get_conn: Got Id: 0
  [ldap1] attempting LDAP reconnection
  [ldap1] (re)connect to ldap.server:389, authentication 0
  [ldap1] bind as / to ldap.server:389
  [ldap1] waiting for bind result ...
  [ldap1] Bind was successful
  [ldap1] performing search in dc=domain,dc=com, with filter (uid=ldaptest)
[ldap1] looking for check items in directory...
[ldap1] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the user
is configured correctly?
[ldap1] user ldaptest authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
+++[ldap1] returns ok
++- group LDAP returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = ldaptest, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message

Re: LDAP (POSIX attributes) password expiry

2012-02-28
 u...@3.am wrote:
 However, we just noticed that password expiry isn't working.  I suspect this
 is because we are still using all the original POSIX attributes and none of
 them look good for mapping to the ones supplied by FreeRADIUS.  I see:

 checkItem   Expiration  radiusExpiration

   Did you check that the LDAP module is returning this attribute for the
 query?

No, I don't expect it to, since I don't have that attribute or anything that
looks like it might be a good substitute.

   Did you check that Expiration works if you put it into the users file?

I'm not worried about that...expiry worked with the old rlm_pam using Unix
expiry.  When exporting Unix to LDAP, the expiry data was exported from
/etc/shadow to the two LDAP attributes mentioned.  I was hoping that perhaps
there was a module that could calculate between the two and figure out that the
password was expired and take it from there.  I figured it a long shot but worth
asking.

Thanks!



Re: LDAP (POSIX attributes) password expiry

2012-02-28
 On Wed, Feb 29, 2012 at 4:16 AM,  u...@3.am wrote:
 Hi:

 We've been running various versions of FreeRadius for years, currently 2.1.10
 in this application.  A while ago, we switched from PAM (unix) auth to LDAP
 auth.  Everything worked fine after the switch...POSIX attributes for group
 membership correctly allocated the right ippools, etc.

 However, we just noticed that password expiry isn't working.  I suspect this
 is because we are still using all the original POSIX attributes and none of
 them look good for mapping to the ones supplied by FreeRADIUS.  I see:

 checkItem       Expiration                      radiusExpiration

 Our LDAP attributes use the following POSIX attributes to determine expiry:

 shadowMax: 90
 shadowLastChange: 15215

 With the first being the maximum age of the password and the second being the
 number of days since the Epoch.  I will post the obligatory debug output below
 (with sensitive or irrelevant stuff snipped out) for a successful authentication
 for an expired password that shouldn't have succeeded.  If anybody has an idea
 how to fix this with the minimal of messing around with our LDAP config itself,
 I'd greatly appreciate it...or, if that's unrealistic, what should be done.  TIA!

 IIRC the Expiration attribute requires the format of 01 Jan 2011
 01:00:00 (or something like that, other format might work, test it
 first). From the two LDAP attributes, you should be able to process
 them and present it as a new attribute.

 I see no easy way to do that without additional module though. You
 COULD use something like this on ldap.attrmap:

 checkItem       Tmp-Integer-0                      shadowMax
 checkItem       Tmp-Integer-1                      shadowLastChange

 ... then convert it to expiration with rlm_perl/rlm_sql/whatever. If
 you already have a mysql instance (e.g. for accounting), you could
 probably use it to do the processing. Something like this (see
 http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html):

 update control {
   Expiration := %{sql: SELECT FROM_UNIXTIME( ( %{Tmp-Integer-0} + %{Tmp-Integer-1} ) * 86400, '%d %b %Y %H:%i:%s' )}
 }

Fajar, thanks for taking the time with this reply.  No, I'm not running MySQL
for accounting...just the standard flat files on separate remote server and of
course for auth, LDAP.  I'll have to take a look and see what rlm_perl can do for
us.  I don't see a problem getting the attributes using perl (even if it just
invokes shell commands), but how to process it back to FreeRADIUS without
interfering with anything else.
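The unlang arithmetic in the 2012-03-01 reply and the FROM_UNIXTIME expression above both derive the same expiry from shadowLastChange and shadowMax. The following Python is an added example, written for this page and not code from either reply or from FreeRADIUS, that performs that computation offline so the decision for a given LDAP entry can be checked before it is wired into the server; it also handles the shadow(5) special values neither snippet covers (shadowLastChange of 0 means "must change at next login", and an absent, negative or 99999 shadowMax means "never expires"). The entry dict and the "now" values are constructed, and rendering the Expiration string as UTC midnight is an assumption about the server's time zone.

```python
from datetime import datetime, timedelta, timezone

SECONDS_PER_DAY = 86400
# shadow(5): an absent or negative shadowMax disables password aging; 99999 is
# the useradd default meaning "never expires" and is treated the same way here.
SHADOW_NEVER = 99999
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def expiry_day(shadow_last_change, shadow_max):
    """Day (days since the epoch) on which the password expires, or None if it
    never expires. Same sum as Shadow-Last-Change + Shadow-Max-Age in the
    unlang reply, plus the shadow(5) special cases."""
    if shadow_max is None or shadow_max < 0 or shadow_max >= SHADOW_NEVER:
        return None
    if shadow_last_change is None:
        return None            # aging information absent: nothing to enforce
    if shadow_last_change == 0:
        return 0               # shadow(5): must change at next login -> expired
    return shadow_last_change + shadow_max


def current_day(now_seconds):
    """Today in days since the epoch: the integer %{expr:%l / 86400}."""
    return now_seconds // SECONDS_PER_DAY


def is_expired(shadow_last_change, shadow_max, now_seconds):
    """The 'if (control:Shadow-Current > control:Shadow-Expires) { reject }'
    decision. Note the strict '>': on the expiry day itself the password is
    still accepted."""
    expires = expiry_day(shadow_last_change, shadow_max)
    if expires is None:
        return False
    return current_day(now_seconds) > expires


def expiration_attribute(shadow_last_change, shadow_max):
    """Render the expiry as 'DD Mon YYYY HH:MM:SS', the form mentioned for the
    Expiration check item, i.e. FROM_UNIXTIME((last + max) * 86400) taken as
    UTC midnight (assumption). Month names are spelled out so the result does
    not depend on the process locale. None when the password never expires."""
    expires = expiry_day(shadow_last_change, shadow_max)
    if expires is None:
        return None
    when = EPOCH + timedelta(days=expires)
    return "%02d %s %04d %02d:%02d:%02d" % (
        when.day, MONTHS[when.month - 1], when.year,
        when.hour, when.minute, when.second)


def _int_attribute(entry, name):
    """First value of an LDAP attribute as an int, or None if it is missing or
    not numeric (LDAP stores these as strings; python-ldap hands back bytes)."""
    values = entry.get(name) or []
    if not values:
        return None
    raw = values[0]
    if isinstance(raw, bytes):
        raw = raw.decode("ascii", "replace")
    try:
        return int(raw)
    except ValueError:
        return None


def check_entry(entry, now_seconds):
    """Evaluate one LDAP entry (attribute name -> list of values) and return
    (expired, expiration_string). A missing or malformed attribute is treated
    as 'no aging' here, i.e. it fails open; whether that is acceptable is a
    policy decision worth making explicitly."""
    last_change = _int_attribute(entry, "shadowLastChange")
    max_age = _int_attribute(entry, "shadowMax")
    return (is_expired(last_change, max_age, now_seconds),
            expiration_attribute(last_change, max_age))


if __name__ == "__main__":
    # Constructed entry using the two values quoted in the thread.
    entry = {"shadowMax": ["90"], "shadowLastChange": ["15215"]}
    # 28 Feb 2012, the date of the thread, is day 15398 since the epoch.
    print(check_entry(entry, 15398 * SECONDS_PER_DAY))
    # -> (True, '27 Nov 2011 00:00:00')
```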



Re: Freeradius + MySQL + WiFi PEAP authorisation only to a group of users

2011-08-10
 Hello,
 I would like to help with this:
 I have Freeradius version 2.1.6
 I have it running with SQL and DialupAdmin.
 How do I give access to wifi users who authenticate with username & pass over
 PEAP only to a group of users?
 I mean that authorised would be only users from group WIFI and not other users
 belonging to other group like OpenVPN.
 Now it authorises everybody from the radcheck table.
 I am very new to radius and even if I was searching the net for some time I
 cannot find the answer which would fit my needs.

I would think something like this in your users file:

DEFAULT NAS-Ip-Address  == your.wifi.nas.ip, Group == WIFI

DEFAULT NAS-Ip-Address  == your.wifi.nas.ip, Auth-Type = Reject



Re: FreeRadius - LDAP

2011-07-20
: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
 rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
 rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
 rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
 rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
 rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
 rlm_ldap: LDAP radiusClass mapped to RADIUS Class
 rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
 rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
 rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
 rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
 rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
 rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
 rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
 Framed-AppleTalk-Link
 rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
 Framed-AppleTalk-Network
 rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
 Framed-AppleTalk-Zone
 rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
 rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
 rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
 rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
 rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
 rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
 Tunnel-Private-Group-Id
 conns: 0x89d0250
  Module: Checking authorize {...} for more modules to load
  Module: Linked to module rlm_preprocess
  Module: Instantiating preprocess
   preprocess {
   huntgroups = /etc/raddb/huntgroups
   hints = /etc/raddb/hints
   with_ascend_hack = no
   ascend_channels_per_line = 23
   with_ntdomain_hack = no
   with_specialix_jetstream_hack = no
   with_cisco_vsa_hack = no
   with_alvarion_vsa_hack = no
   }
  Module: Checking preacct {...} for more modules to load
  Module: Linked to module rlm_acct_unique
  Module: Instantiating acct_unique
   acct_unique {
   key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
 NAS-Port
   }
  Module: Checking accounting {...} for more modules to load
  Module: Linked to module rlm_detail
  Module: Instantiating detail
   detail {
   detailfile = 
 /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
   header = %t
   detailperm = 384
   dirperm = 493
   locking = no
   log_packet_header = no
   }
  Module: Instantiating attr_filter.accounting_response
   attr_filter attr_filter.accounting_response {
   attrsfile = /etc/raddb/attrs.accounting_response
   key = %{User-Name}
   }
  Module: Checking session {...} for more modules to load
  Module: Checking post-proxy {...} for more modules to load
  Module: Checking post-auth {...} for more modules to load
  } # modules
 } # server
 radiusd:  Opening IP addresses and Ports 
 listen {
   type = auth
   ipaddr = *
   port = 0
 }
 listen {
   type = acct
   ipaddr = *
   port = 0
 }
 listen {
   type = control
  listen {
   socket = /var/run/radiusd/radiusd.sock
  }
 }
 Listening on authentication address * port 1812
 Listening on accounting address * port 1813
 Listening on command file /var/run/radiusd/radiusd.sock
 Listening on proxy address * port 1814
 Ready to process requests.

 ---

 NOW, when I try the auth:
 radtest ldapuser 121212 localhost 2 testing123

 I get this output on the client side

 Sending Access-Request of id 207 to 127.0.0.1 port 1812
   User-Name = ldapuser
   User-Password = MTIxMjEyIA==
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 2
 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=207,
 length=20

 AND this one on the radius server side:

 rad_recv: Access-Request packet from host 127.0.0.1 port 36725, id=207,
 length=60
   User-Name = ldapuser
   User-Password = MTIxMjEyIA==
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 2
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 [suffix] No '@' in User-Name = ldapuser, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[unix] returns notfound
 ++[files] returns noop
 [ldap] performing user authorization for ldapuser
 [ldap]expand: %{Stripped-User-Name} ->
 [ldap]expand: %{User-Name} -> ldapuser
 [ldap]expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser)
 [ldap]expand: dc=example,dc=com -> dc=example,dc=com
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to localhost:389, authentication 0
 rlm_ldap: bind as / to localhost:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind

Re: LDAP redundant with LDAP-Group within users file

2011-06-30

 Just a gap of our users file, we have 18 default lines and additional 4 for a
 local/PAP user:


 DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group ==
 LDAP-GROUP-Team-a
 Login-Service = Telnet


FWIW, since it's the LDAP-Group attribute that you're having trouble with, we
are doing LDAP auth with POSIX style LDAP auth data and I believe it gets around
this by simply using the old Group attribute from before we migrated from
PAP/unix (but still gets from LDAP):

DEFAULT Group == acme, Pool-Name :=acme_pool, Auth-Type = Ldap

This is a smaller network with 1 fallback LDAP server, and I know that the
fallback is working and I'm pretty sure it passes on the proper group info to
assign the correct IP pool in this case.  It may not work with non-POSIX LDAP
groups though...


LDAP server failover in FreeRADIUS 2.1

2011-06-16
I can tell that ldap failover config is a FAQ by the number of hits I found
searching for this, but it seems that many of the config examples are for
older versions of FreeRADIUS.  In any case, this is what I've tried, but it's
not working:

In radiusd.conf:

ldap ldap1{
server = serverA.domain.com
basedn = dc=domain,dc=com
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no

}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
set_auth_type = no

}

ldap ldap2{
server = serverB.domain.com
basedn = dc=domain,dc=com
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
set_auth_type = yes
}

---

This is what I put in sites-enabled/default AND in sites-enabled/inner-tunnel
(it doesn't look right to me, but it's what I found):

authorize {
preprocess
redundant LDAP{
ldap1
ldap2
}

Auth-Type LDAP {
ldap1
ldap2
}
-

Again, sorry for the FAQ, but if somebody could put me straight here, I'd
appreciate it.




Re: LDAP server failover in FreeRADIUS 2.1

2011-06-16
 u...@3.am wrote:
 I can tell that ldap failover config is a FAQ by the number of hits I found
 searching for this, but it seems that many of the config examples are for
 older versions of FreeRADIUS.  In any case, this is what I've tried, but
 it's
 not working:

   See the FAQ for "it doesn't work".

  ldap ldap2{
 
  set_auth_type = yes

Thanks for pointing that out...I had just copied and pasted that section from
the secondary radius server.

   Which will set Auth-Type := ldap2.  That's probably not what you want.
 This is what I put in sites-enabled/default AND in
 sites-enabled/inner-tunnel
 (it doesn't look right to me, but it's what I found):

 authorize {
  preprocess
  redundant LDAP{
  ldap1
  ldap2
  }

   That looks OK...

  Auth-Type LDAP {
  ldap1
  ldap2
  }

   That doesn't.  It goes into the authenticate section, and you need
 add a redundant block which wraps the calls to ldap1 and ldap2

That did the trick...I changed it to this:

#Auth-Type LDAP {
redundant LDAP{
ldap1
ldap2
}

I wasn't sure if you used both Auth-Type AND redundant, but apparently you
only need the latter.

Thanks once again, Alan!


Re: Simple Guest user web front end for FreeRADIUS

2011-04-10
 On Fri, Apr 8, 2011 at 9:50 PM,  u...@3.am wrote:
 On my client's wifi network, we are authenticating staff users via
 FreeRADIUS against the corporate LDAP database.

 I've created a new SSID/WLAN with an IP pool that I've restricted
 through
 router ACLs that we want to deploy for temporary guest users.  I can
 set
 up a new FreeRADIUS server (I've done many of those) backend for this,
 but
 am unfamiliar with 2 things that will be different here, which are:

 1) A Web front end for a clerical type to enter in temporary accounts to
 FreeRADIUS.  I imagine there must be a simple php interface for some
 sort
 of Internet cafe type of use.  I'd prefer as simple as possible (ie,
 flat file), but would be fine if MySQL is the way to go for account info
 storage.

 I know I COULD put together a FreeRADIUS and OpenLDAP server with
 something like a webmin front end, but that seems overkill to me.

 2) Some sort of automatic password generator for above...not absolutely
 necessary, but would be nice.

 I would imagine this wheel has already been invented, so if anybody
 could
 point me in the right direction, it would be appreciated.

 Thanks!
 -


 1. You can simply use m0n0wall / Pfsense, it has all voucher/ user
 accounts stuff and a GUI onboard, so you don't even need to use radius
 if you think it's overkill for this particular situation.
 2. Why setup an extra radius server if you have one?
 3. There are many frontends available, dialup admin, daloradius, Yfi
 (aka hotcakes), dma softlab radius manager, etc

The Cisco Wifi controller in question supports local, radius or ldap user
authentication.  I think they will like the accounting/reporting stuff
that radius brings to the table .

Thanks for the replies...I'll look into those.



Simple Guest user web front end for FreeRADIUS

2011-04-08
On my client's wifi network, we are authenticating staff users via
FreeRADIUS against the corporate LDAP database.

I've created a new SSID/WLAN with an IP pool that I've restricted through
router ACLs that we want to deploy for temporary guest users.  I can set
up a new FreeRADIUS server (I've done many of those) backend for this, but
am unfamiliar with 2 things that will be different here, which are:

1) A Web front end for a clerical type to enter in temporary accounts to
FreeRADIUS.  I imagine there must be a simple php interface for some sort
of Internet cafe type of use.  I'd prefer as simple as possible (ie,
flat file), but would be fine if MySQL is the way to go for account info
storage.

I know I COULD put together a FreeRADIUS and OpenLDAP server with
something like a webmin front end, but that seems overkill to me.

2) Some sort of automatic password generator for above...not absolutely
necessary, but would be nice.

I would imagine this wheel has already been invented, so if anybody could
point me in the right direction, it would be appreciated.

Thanks!


rlm_pool problem

2009-08-27


I've had FreeRadius 2.1.6 running ippools fine on one linux server and just
installed it on a new one.  They run with --prefix=/usr on both servers, which
necessitated me putting /usr/lib in /etc/ld.so.conf to get rlm_ippool to load
on the new server.


I copied over the old raddb tree, but when I start radiusd in debug, I get
this:


 Module: Linked to module rlm_ippool
 Module: Instantiating medium_pool
  ippool medium_pool {
session-db = /usr/etc/raddb/db.medium_ippool
ip-index = /usr/etc/raddb/db.medium_ipindex
key = %{NAS-IP-Address} %{NAS-Port}
range-start = 172.16.31.101
range-stop = 172.16.31.253
netmask = 255.255.255.0
cache-size = 251
override = yes
maximum-timeout = 0
  }
rlm_ippool: Failed to open file /usr/etc/raddb/db.medium_ippool: Invalid 
argument
/usr/etc/raddb/radiusd.conf[1824]: Instantiation failed for module 
medium_pool

/usr/etc/raddb/sites-enabled/default[337]: Failed to find module medium_pool.
/usr/etc/raddb/sites-enabled/default[314]: Errors parsing accounting section.

the db files for the pools, in this case:

/usr/etc/raddb/db.medium_ippool

do exist as chmod 600 root.wheel, just like the old server.  We run as root to
auth against shadow passwords.  What did I miss?


James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=


Re: rlm_pool problem

2009-08-27


Replying to myself...I'm a dope.  I deleted all the db.*ippool* files and 
let it create new ones and it's fine now.


Re: Cisco ignores Framed-IP-Address from freeradius

2009-07-06

On Mon, 6 Jul 2009, Gilloteau Frederic wrote:


Hello,

I use freeradius 2.1.1-7 and a CISCO router (IOS 12.4(6)T9) to provide VPN 
connections.
and the CISCO router gets it ...

.. but never assign it to remote users, the cisco router assigns an IP address 
from its local pool.

The interesting lines of my cisco configuration are :

aaa new-model
!
!
aaa authentication login ClientAuth group radius
aaa authorization network ClienAuth group radius local
aaa accounting delay-start
aaa accounting network ClientAuth start-stop group radius

I had a similar problem...it was with my aaa config.  Try:

aaa authentication login default local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default group radius local



Re: IP Pools How ?

2009-06-23


Hi Dogus:

In addition to the radiusd.conf and users file config that I assume you've
already figured out, you have to define the pool names in raddb/default if
you're going to use any pool name other than main_pool.  i.e.:


#  Return an address to the IP Pool when we see a stop record.
#   main_pool
custom_pool

Here I commented out main_pool and defined two new ones, which I
configured in radiusd.conf:


ippool custom_pool {
        range-start = 192.168.99.101
        range-stop = 192.168.99.253
        netmask = 255.255.255.0
        cache-size = 251
        session-db = ${db_dir}/db.custom_ippool
        ip-index = ${db_dir}/db.custom_ipindex
        override = yes
}

Then in users:

DEFAULT Group == vpn_users, Pool-Name :=custom_pool
        Framed-Protocol == PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

Where vpn_users is a unix group on the radius server.  Make sure to remove the
db.* files any time you make changes to the pool addresses.  You can define as
many pools as you want like this.  It's not all readily apparent in any docs I
found (at least not the first part), but there are examples for the pools in
radiusd.conf and users file.


HTH,

On Tue, 23 Jun 2009, Dogus Yalman wrote:


Hello ;
New to this great mailing list and the whole linux world so please bear with
me. :)

I'm using FreeRADIUS Version 1.1.7 with fedora core 10 and my freeradius
frontend is DMA Softlabs Radius Manager.

http://www.dmasoftlab.com/cont/home

My clients are authenticating through distributed remote pppoe servers on a
wireless network.

I want to use freeradius Ip Pool functionality to assign dynamic public IPs to
customers since my frontend doesn't support that feature.

Is there a step by step approach on how to do it?  Is just modifying the
radius.conf and users file enough?  Do I have to create any sql tables for
this?

Thanks and greetings from Northern Cyprus




Re: ippools and Pool-Name

2009-06-03

On Wed, 3 Jun 2009, Alan DeKok wrote:


 Because you don't have the GDBM libraries or header files.


Ok, I installed those, and while I was at it, installed the latest radiusd.
The first error I got involved the experimental
raddb/sites-available/control-socket which was included in the old
radiusd.conf: $INCLUDE sites-enabled/.  I moved the file and radiusd started
and worked as it did before.


However, when I uncomment my ippool statement, I now get this:

 Module: Linked to module rlm_ippool
 Module: Instantiating users_pool
  ippool users_pool {
session-db = $(raddbdir)/db.ippool
ip-index = $(raddbdir)/db.ipindex
key = %{NAS-IP-Address} %{NAS-Port}
range-start = 172.16.1.2
range-stop = 172.16.1.253
netmask = 255.255.255.0
cache-size = 251
override = yes
maximum-timeout = 0
  }
rlm_ippool: Failed to open file $(raddbdir)/db.ippool: No such file or 
directory
/usr/etc/raddb/radiusd.conf[1824]: Instantiation failed for module 
users_pool
/usr/etc/raddb/sites-enabled/default[337]: Failed to find module 
users_pool.
/usr/etc/raddb/sites-enabled/default[314]: Errors parsing accounting 
section.

Errors initializing modules
-

If I understand correctly, if I am running radiusd as root, shouldn't it simply
create the db. files itself when started?  I tried a touch raddb/db.ippool but
it changed nothing.


Again, thanks for your patience...



Re: ippools and Pool-Name

2009-06-03


Replying to myself...erm, never mind...I must have a fairly old
raddb/radiusd.conf...I found this by googling:



db_dir = $(raddbdir)   ==

It should be:

db_dir = ${raddbdir}   (brackets are wrong)







James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
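The error in the post above is exactly what `$(raddbdir)` produces: the server expands `${name}` references, and a `$(name)` is passed through as literal text, so rlm_ippool really does try to open a file named `$(raddbdir)/db.ippool`. The following is an added example, not code from the poster or from the FreeRADIUS project: a pre-flight check that walks the `name = value` lines of a radiusd.conf-style file, expands `${...}` the way the server does and reports every value that still contains `$(`, together with the literal path it would turn into. The config fragment is constructed; the checker flattens sections on purpose, so it is a check for top-level variables rather than a full config parser.

```python
import re

# Constructed radiusd.conf fragment in the 2.x style; not the poster's file.
# It reproduces the mistake found in the thread: $(raddbdir) where ${raddbdir}
# was meant, once directly and once through db_dir.
SAMPLE_CONF = """\
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
raddbdir = ${sysconfdir}/raddb
db_dir = $(raddbdir)

ippool users_pool {
        range-start = 172.16.1.2
        range-stop = 172.16.1.253
        netmask = 255.255.255.0
        session-db = $(raddbdir)/db.ippool
        ip-index = ${db_dir}/db.ipindex
        override = yes
}
"""

ASSIGN = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$')
GOOD_REF = re.compile(r'\$\{([\w.-]+)\}')   # the form the server expands
BAD_REF = re.compile(r'\$\(([\w.-]+)\)')    # looks like a reference, is taken literally


def parse_assignments(text):
    """Collect 'name = value' lines.  Sections are flattened on purpose: this is
    a pre-flight check for top-level variables, not a full config parser."""
    values = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]
        m = ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def expand(value, values, depth=0):
    """Expand ${name} recursively.  $(name) is left untouched, which is what the
    server does and why the module ends up opening a path starting with '$('."""
    if depth > 16:
        raise ValueError('reference loop while expanding %r' % value)

    def substitute(m):
        name = m.group(1)
        if name not in values:
            raise KeyError(name)
        return expand(values[name], values, depth + 1)

    return GOOD_REF.sub(substitute, value)


def check(text):
    """Return {name: problem} for every assignment that will not resolve."""
    values = parse_assignments(text)
    problems = {}
    for name, raw in values.items():
        bad = BAD_REF.findall(raw)
        if bad:
            problems[name] = 'uses $(%s); only ${%s} is expanded' % (bad[0], bad[0])
            continue
        try:
            expanded = expand(raw, values)
        except KeyError as exc:
            problems[name] = 'refers to undefined ${%s}' % exc.args[0]
            continue
        if '$(' in expanded:
            problems[name] = 'expands to the literal path %r' % expanded
    return problems


if __name__ == '__main__':
    for name, problem in sorted(check(SAMPLE_CONF).items()):
        print('%-12s %s' % (name, problem))
```

Run it against a copy of your own radiusd.conf before starting the server; `ip-index` is the interesting case, because its own line is written correctly and the problem only shows up once `${db_dir}` is followed.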


ippools and Pool-Name

2009-06-02 Thread up


Hi:

I am trying to configure a server-side IP pool for select pptp users to 
bypass the NAS's internal pool.  The documentation appears sparse, but 
this is what I've done so far:


In raddb/radiusd.conf:

ippool users_pool {
range-start = 172.16.1.2
range-stop = 172.16.1.253
netmask = 255.255.255.0
cache-size = 251
session-db = ${db_dir}/db.ippool
ip-index = ${db_dir}/db.ipindex
override = yes
}

In raddb/users

sometestuser	Pool-Name := users_pool
		Framed-Protocol == PPP,
		Framed-Compression = Van-Jacobson-TCP-IP

However, sometestuser is simply allocated an IP from the NAS's internal 
pool, seemingly ignoring this.  I also noticed that the files db.ippool 
and db.ipindex are not being created.


Is there something else I'm missing?

TIA,

James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am


Re: ippools and Pool-Name

2009-06-02 Thread up

On Tue, 2 Jun 2009, Alan DeKok wrote:


u...@3.am wrote:

I am trying to configure a server-side IP pool for select pptp users to
bypass the NAS's internal pool.  The documentation appears sparse, but
this is what I've done so far:

In raddb/radiusd.conf:

ippool users_pool {


 The examples show it using main_pool.  The name doesn't matter, but
it's a hint:

$ grep main_pool raddb/sites-available/*

 You can re-name main_pool to users_pool, if you want.

 You have to tell the server to allocate IP's in the post-auth section,
and to manage them from the accounting section.


Ok, I wasn't sure where the post-auth section even was...I had been 
looking in the radiusd.conf...thanks for the hint.  I just added the 
following to the raddb/sites-available/default:


accounting {
#  Return an address to the IP Pool when we see a stop record.
#   main_pool
users_pool

post-auth {
#  Get an address from the IP Pool.
#   main_pool
users_pool


Now I get this running debug mode:

  }
/usr/etc/raddb/radiusd.conf[1824]: Failed to link to module 'rlm_ippool': 
rlm_ippool.so: cannot open shared object file: No such file or directory
/usr/etc/raddb/sites-enabled/default[337]: Failed to find module 
users_pool.
/usr/etc/raddb/sites-enabled/default[314]: Errors parsing accounting 
section.

 }
}
Errors initializing modules

...and indeed, that file exists nowhere on the server.  Was it a part of 
freeradius-server-2.0.4 ?


James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am


Re: Assigning IP address from RADIUS to Cisco PPTP users

2009-05-27 Thread up


FYI: Cisco TAC quickly found my config problem.  I took out:

aaa authorization network default if-authenticated

and replaced it with:

aaa authorization network default group radius local

and that did it.  Thanks for all of your suggestions!  Next up is to start 
defining pools and associating unix groups with them.


On Tue, 26 May 2009, u...@3.am wrote:


On Wed, 27 May 2009, Vadim Ostranitsyn wrote:


  Hi!

On Tue, May 26, 2009 at 11:34:41AM -0400, u...@3.am wrote:

Users are currently authenticating fine and getting assigned IPs from the
IP pool as defined in the Cisco NAS.  However, I'd like to have a few,
select users assigned static IPs from outside that pool, but the Cisco
(2811) is simply ignoring the raddb/users file entry for that user and
assigning an IP from the pool on the NAS.

[...]

interface Virtual-Template1
  ip unnumbered FastEthernet0/0
  ip policy route-map VPN-Client
  peer match aaa-pools
  peer default ip address pool vpnpool

  ^^^ Drop this line


  no keepalive
  ppp encrypt mppe auto
  ppp authentication pap chap ms-chap ms-chap-v2
!
ip local pool vpnpool 172.16.30.2 172.16.30.254
-
Here is the raddb/users file entry:
-
testuser	Service-Type == Framed-User
		Framed-Protocol == PPP,
		Framed-IP-Address = 172.16.1.2,
		Framed-IP-Netmask = 255.255.255.255,
		Framed-Compression = Van-Jacobson-TCP-IP


Cisco-AVPair = ip:addr-pool=vpnpool

  Add line above to the DEFAULT user entry.

--


Hi Vadim:

This looked promising, but when I remove that line from my Cisco config, I 
cannot log in at all.  It just says that it cannot negotiate a ppp connection 
(Mac OS X).  The debug on radius looks fine (I can supply that again if 
needed).  Here is the verbose logging from my Mac's /var/log/ppp.log:


Tue May 26 23:21:13 2009 : PPTP connecting to server '10.2.2.2' (10.2.2.2)
...
Tue May 26 23:21:13 2009 : PPTP connection established.
Tue May 26 23:21:13 2009 : using link 0
Tue May 26 23:21:13 2009 : Using interface ppp0
Tue May 26 23:21:13 2009 : Connect: ppp0 -- socket[34:17]
Tue May 26 23:21:13 2009 : sent [LCP ConfReq id=0x1 asyncmap 0x0 magic 0xc9166b8c pcomp accomp]
Tue May 26 23:21:13 2009 : rcvd [LCP ConfReq id=0x1 auth pap magic 0x3f29a7d2]
Tue May 26 23:21:13 2009 : lcp_reqci: returning CONFACK.
Tue May 26 23:21:13 2009 : sent [LCP ConfAck id=0x1 auth pap magic 0x3f29a7d2]
Tue May 26 23:21:13 2009 : rcvd [LCP ConfAck id=0x1 asyncmap 0x0 magic 0xc9166b8c pcomp accomp]
Tue May 26 23:21:13 2009 : sent [LCP EchoReq id=0x0 magic=0xc9166b8c]
Tue May 26 23:21:13 2009 : sent [PAP AuthReq id=0x1 user=testuser password=hidden]
Tue May 26 23:21:13 2009 : rcvd [LCP EchoRep id=0x0 magic=0x3f29a7d2]
Tue May 26 23:21:13 2009 : rcvd [PAP AuthAck id=0x1 ]
Tue May 26 23:21:13 2009 : PAP authentication succeeded
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x1 addr 0.0.0.0 ms-dns1 0.0.0.0 ms-dns3 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPV6CP ConfReq id=0x1 addr fe80::021e:c2ff:feb5:8003]
Tue May 26 23:21:13 2009 : sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfReq id=0x1 addr 192.168.7.1]
Tue May 26 23:21:13 2009 : ipcp: returning Configure-ACK
Tue May 26 23:21:13 2009 : sent [IPCP ConfAck id=0x1 addr 192.168.7.1]
Tue May 26 23:21:13 2009 : rcvd [CCP ConfReq id=0x1]
Tue May 26 23:21:13 2009 : Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Tue May 26 23:21:13 2009 : sent [LCP ProtRej id=0x2 80 fd 01 01 00 04]
Tue May 26 23:21:13 2009 : rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1e c2 ff fe b5 80 03]
Tue May 26 23:21:13 2009 : rcvd [LCP ProtRej id=0x3 82 35 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x1 addr 0.0.0.0 ms-dns3 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x2 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x2 addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x3 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x3 addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x4 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x4 addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x5 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x5 addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x6 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x6 addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x7 addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x7 addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x8

Assigning IP address from RADIUS to Cisco PPTP users

2009-05-26 Thread up


Hi:

I've used Livingston and Cistron radiusd's in the past with dialup ppp 
users and Cisco/Lucent NASes and have been able to do this with no 
problems.


Users are currently authenticating fine and getting assigned IPs from the 
IP pool as defined in the Cisco NAS.  However, I'd like to have a few, 
select users assigned static IPs from outside that pool, but the Cisco 
(2811) is simply ignoring the raddb/users file entry for that user and 
assigning an IP from the pool on the NAS.


Here is my Cisco config::

aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa session-id common

vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1

interface Loopback0
 ip address 99.99.99.99 255.255.255.255
 ip nat inside
 ip virtual-reassembly

interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ip policy route-map VPN-Client
 peer match aaa-pools
 peer default ip address pool vpnpool
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap ms-chap-v2
!
ip local pool vpnpool 172.16.30.2 172.16.30.254
-
Here is the raddb/users file entry:
-
testuser	Service-Type == Framed-User
		Framed-Protocol == PPP,
		Framed-IP-Address = 172.16.1.2,
		Framed-IP-Netmask = 255.255.255.255,
		Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT		Framed-Protocol == PPP
		Framed-Protocol = PPP,
		Framed-Compression = Van-Jacobson-TCP-IP
--
The DEFAULT entry allows users in /etc/passwd to authenticate fine, but 
testuser still gets an IP from the NAS pool instead of the one above.. 
Any pointers appreciated!


James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am



Re: Assigning IP address from RADIUS to Cisco PPTP users

2009-05-26 Thread up
ipaddr = *
port = 1812
}
listen {
type = acct
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
Framed-Protocol = PPP
User-Name = testuser
User-Password = some_password
NAS-Port-Type = Virtual
NAS-Port = 62
NAS-Port-Id = Uniq-Sess-ID62
Service-Type = Framed-User
NAS-IP-Address = 216.1.12.66
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
users: Matched entry testuser at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password some_password
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [testuser/some_password] (from client cisco_pptp port 62)
+- entering group post-auth
++[exec] returns noop
Framed-Protocol == PPP
Framed-IP-Address = 172.16.1.2
Framed-IP-Netmask = 255.255.255.255
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 205 with timestamp +17
Ready to process requests.
---
I'm not using realms, so I'm assuming that realms error is meaningless?

James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am


Re: Assigning IP address from RADIUS to Cisco PPTP users

2009-05-26 Thread up

On Tue, 26 May 2009, Ivan Kalik wrote:



Make Sure Overide is Disabled in the ippool module..

e.g. # override:
#   If set, the Framed-IP-Address already in the
#   reply (if any) will be discarded, and replaced
#   with a Framed-IP-Address assigned here.
override = no



That would be so - if the pool was defined on the radius server. But his
pool is on the Cisco device. Most likely culprit is:


Correct, but I changed them to no and restarted radiusd anyway.  No 
help.



peer match aaa-pools


I would think just the opposite...aaa-pools should include radius defined 
pools?  Confusing anyway, since for now, we don't even want a pool for 
this particular user.  I did a 'no peer match aaa-pools' anyway, but to no 
avail.


Here is how Cisco describes it:

router(config-if)#peer match ?
  aaa-pools  Use only peer pools that match AAA pools

In any case, I really appreciate it if you can at least give my radiusd 
config the thumbs up for this...I can open a ticket with Cisco TAC if so.


James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am


Re: Assigning IP address from RADIUS to Cisco PPTP users

2009-05-26 Thread up
 
0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xa addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xb addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xb addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xc addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xc addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xd addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xd addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xe addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xe addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xf addrs 0.0.0.0 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xf addrs 0.0.0.0 0.0.0.0]
Tue May 26 23:21:13 2009 : IPCP: Maximum Config-Requests exceeded
Tue May 26 23:21:13 2009 : sent [LCP TermReq id=0x3 No network protocols running]
Tue May 26 23:21:14 2009 : rcvd [LCP TermAck id=0x3]
Tue May 26 23:21:14 2009 : Connection terminated.
Tue May 26 23:21:14 2009 : PPTP disconnecting...
Tue May 26 23:21:14 2009 : PPTP disconnected

When I put 'peer default ip address pool vpnpool' back in the Cisco 
config, it works again:


Tue May 26 23:26:48 2009 : PPTP connecting to server '10.2.2.2' (10.2.2.2)
...
Tue May 26 23:26:48 2009 : PPTP connection established.
Tue May 26 23:26:48 2009 : using link 0
Tue May 26 23:26:48 2009 : Using interface ppp0
Tue May 26 23:26:48 2009 : Connect: ppp0 -- socket[34:17]
Tue May 26 23:26:48 2009 : sent [LCP ConfReq id=0x1 asyncmap 0x0 magic 0x3b8a3df8 pcomp accomp]
Tue May 26 23:26:48 2009 : rcvd [LCP ConfReq id=0x1 auth pap magic 0x3f2ec37a]
Tue May 26 23:26:48 2009 : lcp_reqci: returning CONFACK.
Tue May 26 23:26:48 2009 : sent [LCP ConfAck id=0x1 auth pap magic 0x3f2ec37a]
Tue May 26 23:26:48 2009 : rcvd [LCP ConfAck id=0x1 asyncmap 0x0 magic 0x3b8a3df8 pcomp accomp]
Tue May 26 23:26:48 2009 : sent [LCP EchoReq id=0x0 magic=0x3b8a3df8]
Tue May 26 23:26:48 2009 : sent [PAP AuthReq id=0x1 user=testuser password=hidden]
Tue May 26 23:26:48 2009 : rcvd [LCP EchoRep id=0x0 magic=0x3f2ec37a]
Tue May 26 23:26:48 2009 : rcvd [PAP AuthAck id=0x1 ]
Tue May 26 23:26:48 2009 : PAP authentication succeeded
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x1 addr 0.0.0.0 ms-dns1 0.0.0.0 ms-dns3 0.0.0.0]
Tue May 26 23:26:48 2009 : sent [IPV6CP ConfReq id=0x1 addr fe80::021e:c2ff:feb5:8003]
Tue May 26 23:26:48 2009 : sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfReq id=0x1 addr 192.168.7.1]
Tue May 26 23:26:48 2009 : ipcp: returning Configure-ACK
Tue May 26 23:26:48 2009 : sent [IPCP ConfAck id=0x1 addr 192.168.7.1]
Tue May 26 23:26:48 2009 : rcvd [CCP ConfReq id=0x1]
Tue May 26 23:26:48 2009 : Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Tue May 26 23:26:48 2009 : sent [LCP ProtRej id=0x2 80 fd 01 01 00 04]
Tue May 26 23:26:48 2009 : rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1e c2 ff fe b5 80 03]
Tue May 26 23:26:48 2009 : rcvd [LCP ProtRej id=0x3 82 35 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfRej id=0x1 ms-dns3 0.0.0.0]
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x2 addr 0.0.0.0 ms-dns1 0.0.0.0]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfNak id=0x2 addr 172.16.30.9 ms-dns1 10.2.2.2]
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x3 addr 172.16.30.9 ms-dns1 10.2.2.2]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfAck id=0x3 addr 172.16.30.9 ms-dns1 10.2.2.2]
Tue May 26 23:26:48 2009 : ipcp: up
Tue May 26 23:26:48 2009 : local  IP address 172.16.30.9
Tue May 26 23:26:48 2009 : remote IP address 192.168.7.1
Tue May 26 23:26:48 2009 : primary   DNS address 10.1.1.1
Tue May 26 23:26:48 2009 : sent [IP data src addr 172.16.30.9 dst addr 255.255.255.255 BOOTP Request type INFORM client id 0x080001 parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf]
Tue May 26 23:26:51 2009 : sent [IP data src addr 172.16.30.9 dst addr 255.255.255.255 BOOTP Request type INFORM client id 0x080001 parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf]
Tue May 26 23:26:54 2009 : sent [IP data src addr 172.16.30.9 dst addr 255.255.255.255 BOOTP Request type INFORM client id 0x080001 parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf]
Tue May 26 23:26:57 2009 : sent [IP data src addr 172.16.30.9 dst addr 255.255.255.255 BOOTP Request type INFORM client id 0x080001 parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf]
Tue May 26 23:27:00 2009 : sent [IP data src addr 172.16.30.9 dst addr 255.255.255.255 BOOTP Request type INFORM client id 0x080001 parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf]
Tue May 26 23:27:03 2009 : No DHCP server replied


James

Re: Framed-IP-Address override NAS pool?

2009-01-07 Thread up

On Wed, 7 Jan 2009, t...@kalik.net wrote:


I now want to assign a few users different, static IPs using this:

testuser	Service-Type == Framed-User
		Framed-Protocol == PPP,
		Framed-IP-Address = 192.168.1.2,
		Framed-IP-Netmask = 255.255.255.0,
		Framed-Compression = Van-Jacobson-TCP-IP

This sort of thing used to work fine with Cisco dialup NAS's and Cistron,
even though the NAS had no pool using that IP range in its config...radius
just forced it to override the default pool, but in this case, it just
keeps assigning an IP from the NAS pool (and yes, I have the above
statement ABOVE the DEFAULT statement).



Is Framed-IP-Address in the Access-Accept packet? You should probably
return Service-Type as well. If attribute is not in the accept packet
post the debug.


It appears to be.  From debug, after Login OK:

+- entering group post-auth
++[exec] returns noop
Framed-Protocol == PPP
Framed-IP-Address = 192.168.1.2 (The address I want)
Framed-IP-Netmask = 255.255.255.0
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 195 with timestamp +79
Ready to process requests.

However, that is not the IP that my client shows...it shows 192.168.0.2, 
which is from the pool defined in the Cisco router's config.  It seems to 
be overriding the radius users' config.


James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
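Ivan's question in the post above, whether Framed-IP-Address is actually in the Access-Accept, is best answered from a packet capture rather than from `radiusd -X` output (which, as the earlier debug paste in this thread shows, also prints User-Password in the clear; scrub it before posting). The following is an added example, not code from the poster or from the FreeRADIUS project: it builds an Access-Accept carrying the attributes the `testuser` entry returns plus the `Cisco-AVPair` Vadim suggested, decodes it per RFC 2865 (including the Vendor-Specific attribute with Cisco's enterprise number 9), and checks the Response Authenticator against the shared secret. The secret, the identifier and the request authenticator are constructed values.

```python
import hashlib
import hmac
import socket
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9        # IANA enterprise number used in Cisco VSAs
CISCO_AVPAIR = 1           # vendor type of Cisco-AVPair
IPADDR_ATTRS = {8: 'Framed-IP-Address', 9: 'Framed-IP-Netmask'}
INTEGER_ATTRS = {6: 'Service-Type', 7: 'Framed-Protocol', 13: 'Framed-Compression'}


def attribute(atype, value):
    """RFC 2865 attribute: Type, Length (value length + 2), Value."""
    return struct.pack('!BB', atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26) carrying Vendor-Id 9 and a Cisco-AVPair string."""
    value = text.encode('ascii')
    inner = struct.pack('!BB', CISCO_AVPAIR, 2 + len(value)) + value
    return attribute(VENDOR_SPECIFIC, struct.pack('!I', CISCO_VENDOR_ID) + inner)


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    body = b''.join(attrs)
    header = struct.pack('!BBH', code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """What the NAS does before trusting an Accept: recompute and compare."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def decode(packet):
    """Return (code, identifier, [(name, value), ...]); raises on bad lengths."""
    code, ident, length = struct.unpack('!BBH', packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError('length field %d does not match %d bytes' % (length, len(packet)))
    data, pos, attrs = packet[20:], 0, []
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError('truncated attribute header')
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError('attribute %d has bad length %d' % (atype, alen))
        value = data[pos + 2:pos + alen]
        pos += alen
        if atype in IPADDR_ATTRS and len(value) == 4:
            attrs.append((IPADDR_ATTRS[atype], socket.inet_ntoa(value)))
        elif atype in INTEGER_ATTRS and len(value) == 4:
            attrs.append((INTEGER_ATTRS[atype], struct.unpack('!I', value)[0]))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack('!I', value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError('vendor attribute has bad length %d' % vlen)
            vvalue = value[6:4 + vlen]
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                attrs.append(('Cisco-AVPair', vvalue.decode('ascii', 'replace')))
            else:
                attrs.append(('Vendor-Specific', (vendor, vtype, vvalue)))
        else:
            attrs.append((atype, value))
    return code, ident, attrs


# Constructed values: the shared secret, identifier and request authenticator
# are not from the thread; the attributes are the ones the users entry returns.
SECRET = b'testing123'
REQUEST_AUTH = bytes(range(16))
ACCEPT = build_response(ACCESS_ACCEPT, 205, REQUEST_AUTH, [
    attribute(6, struct.pack('!I', 2)),                 # Service-Type = Framed-User
    attribute(7, struct.pack('!I', 1)),                 # Framed-Protocol = PPP
    attribute(8, socket.inet_aton('172.16.1.2')),       # Framed-IP-Address
    attribute(9, socket.inet_aton('255.255.255.255')),  # Framed-IP-Netmask
    attribute(13, struct.pack('!I', 1)),                # Framed-Compression = Van-Jacobson-TCP-IP
    cisco_avpair('ip:addr-pool=vpnpool'),
], SECRET)

if __name__ == '__main__':
    print('authenticator ok:', verify_response(ACCEPT, REQUEST_AUTH, SECRET))
    for name, value in decode(ACCEPT)[2]:
        print('  %-18s %s' % (name, value))
```

Seeing the attribute in the Accept is necessary but not sufficient: the NAS still has to apply it, which is what the `aaa authorization network default group radius local` change later in this thread turned on. The authenticator check is what keeps a forged or altered Accept from granting an address; an Accept that fails it under the shared secret, or that answers an identifier the NAS never sent, is discarded.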


RE: Framed-IP-Address override NAS pool?

2009-01-07 Thread up

On Wed, 7 Jan 2009, Jeff Crowe wrote:


I was running into this problem on my Redback. The issue was the Redback
wanted an IP address in the same subnet so I had to setup 192.168.1.1/24 as
a sub interface to allow subscribers to be assigned addresses in the
192.168.1.x/24 range.  My Shasta was completely different and would allow
any IP address to be returned via radius and it would allow the IP to be
used.


Ok, I just tried assigning a secondary IP from that subnet to faste0/0, 
since I can't assign secondary IPs to the VirtualTemplate I/F, since it's 
IP unnumbered eth0/0.  No go.  What I would expect from the Cisco, judging 
from my past experience with AS5200s, is for it to allow radius to assign 
whatever address it wants, but simply not route it until I fix that part 
of it, which is fine.


One fix I would think would start to work would be to simply add this new 
subnet to the pool on the Cisco.  However, then the DEFAULT users would 
start to assign from that pool as well, unless I figure out a way to force 
it to assign from the first subnet.  If there's a way to force that, I'd 
appreciate pointers.  I saw the ippool option, but I'm not clear how 
that co-exists with the pool already configured on the Cisco.  Perhaps you 
need both, it's just not clear to me.


James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am


ippools; wasRE: Framed-IP-Address override NAS pool?

2009-01-07 Thread up


Sorry for the top-post, but I'm replying to myself and I want to keep my 
questions clear.  I tried creating two different ippools in the 
radiusd.conf using the different ranges I want to use, but the client 
ignored it and went only to the pool that the Cisco has.  I then changed 
the Cisco pool to include the entire range of IPs from both pools, but it 
still doesn't seem to recognize the FreeRadius pools, and defaults to 
whatever the first IP is in the Cisco pool.


I find the examples given in the radiusd.conf a little incomplete, but 
this is what I tried (IPs given are just examples)


ippool users_pool {
range-start = 172.16.1.2
range-stop = 172.16.30.253
netmask = 255.255.255.0
cache-size = 251
session-db = ${db_dir}/db.ippool
ip-index = ${db_dir}/db.ipindex
override = yes
}

ippool admin_pool {
range-start = 172.16.30.2
range-stop = 172.16.30.253
netmask = 255.255.255.0
cache-size = 251
session-db = ${db_dir}/db.ippool
ip-index = ${db_dir}/db.ipindex
override = yes
}

The above seems to be clear from the example...but the example for the 
raddb/users file is incomplete...here is what I tried:


testuser	Service-Type == Framed-User
		Group == users, Pool-Name := users_pool,
		Framed-Protocol == PPP,
		Framed-IP-Address = 172.16.1.2,
		Framed-IP-Netmask = 255.255.255.0,
		Framed-Compression = Van-Jacobson-TCP-IP

I'm a little unclear about the Group attribute above, and whether it 
pertains to unix groups at all, which I haven't done anything to yet.  In 
any case, any pointers on how to make different users use different IP 
pools would be greatly appreciated.






James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
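The `testuser` entry in the post above and the `sometestuser Pool-Name := users_pool` entry in the 2009-06-02 post differ in where Pool-Name sits, and that is the whole difference. In the users file the first line of an entry holds the name and the check items, which are matched against the request and which rlm_ippool reads Pool-Name from; the indented lines that follow are reply items, continued as long as they end with a comma, and a `==` among them is a comparison, not an assignment. The following is an added example, not code from the poster or from FreeRADIUS: a small parser that splits entries into check and reply lists and flags those two mistakes. The sample file is constructed in the shape of the entries posted in this thread.

```python
import re

# Constructed users-file sample; the second entry has the shape posted in the
# thread (check items on a continuation line, '==' among the reply items).
SAMPLE_USERS = """\
vpnuser\tService-Type == Framed-User, Pool-Name := users_pool
\tFramed-Protocol = PPP,
\tFramed-Compression = Van-Jacobson-TCP-IP

testuser\tService-Type == Framed-User
\tGroup == users, Pool-Name := users_pool,
\tFramed-Protocol == PPP,
\tFramed-IP-Address = 172.16.1.2,
\tFramed-IP-Netmask = 255.255.255.0,
\tFramed-Compression = Van-Jacobson-TCP-IP

DEFAULT\tFramed-Protocol == PPP
\tFramed-Protocol = PPP,
\tFramed-Compression = Van-Jacobson-TCP-IP
"""

# attribute, operator, value (quoted or bare), then a comma or end of line
PAIR = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|\+=|=~|!~|=)\s*("(?:[^"\\]|\\.)*"|[^,]*?)\s*(,|$)')
COMPARISONS = {'==', '!=', '=~', '!~'}
CONTROL_ONLY = {'Auth-Type', 'Pool-Name'}   # consulted from the check list only


def parse_pairs(text):
    """'a == b, c := d' -> ([('a','==','b'), ('c',':=','d')], ends_with_comma)."""
    pairs, pos, trailing = [], 0, False
    while pos < len(text):
        m = PAIR.match(text, pos)
        if not m:
            raise ValueError('cannot parse %r' % text[pos:])
        attr, op, value, comma = m.groups()
        pairs.append((attr, op, value.strip('"')))
        trailing = comma == ','
        pos = m.end()
    return pairs, trailing


def parse_users(text):
    """Return [(name, check_items, reply_items)].  The first line of an entry
    carries the name and the check items; indented lines carry reply items
    and the entry continues while a reply line ends with a comma."""
    entries, current, open_entry = [], None, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in ' \t':
            parts = line.split(None, 1)
            check = parse_pairs(parts[1])[0] if len(parts) > 1 else []
            current = (parts[0], check, [])
            entries.append(current)
            open_entry = True
        else:
            if current is None or not open_entry:
                raise ValueError('reply line outside an entry: %r' % raw)
            pairs, open_entry = parse_pairs(line)
            current[2].extend(pairs)
    return entries


def lint(entry):
    """Flag the two mistakes the thread ran into."""
    name, check, reply = entry
    problems = []
    for attr, op, _ in reply:
        if op in COMPARISONS:
            problems.append('%s: "%s %s" in the reply list is a comparison, not an assignment'
                            % (name, attr, op))
        if attr in CONTROL_ONLY:
            problems.append('%s: %s must be a check item on the first line' % (name, attr))
    return problems


def lint_users(text):
    """[(entry name, [problems])] for every entry in a users file."""
    return [(entry[0], lint(entry)) for entry in parse_users(text)]


if __name__ == '__main__':
    for name, problems in lint_users(SAMPLE_USERS):
        print('%-10s %s' % (name, 'ok' if not problems else ''))
        for p in problems:
            print('    ' + p)
```

The `vpnuser` entry is the working form of what the thread was after: the request must match `Service-Type == Framed-User`, `Pool-Name := users_pool` is set where rlm_ippool looks for it, and the reply items use `=` alone.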


Framed-IP-Address override NAS pool?

2009-01-06 Thread up


Hi:

In my years running a dialup ISP, I used Cistron Radius and Cisco and 
Lucent NAS's.  I am now using FreeRadius and a Cisco router to authenticate 
pptp VPN users.  The default IP address pool is defined in the Cisco like 
this (parsed):


interface Virtual-Template1
 peer default ip address pool vpnpool
 no keepalive
 ppp encrypt mppe auto
!
ip local pool vpnpool 192.168.0.1 192.168.0.254

That works fine authenticating unix system users using this raddb/users 
config (one of the supplied samples):


DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP

I now want to assign a few users different, static IPs using this:

testuser	Service-Type == Framed-User
		Framed-Protocol == PPP,
		Framed-IP-Address = 192.168.1.2,
		Framed-IP-Netmask = 255.255.255.0,
		Framed-Compression = Van-Jacobson-TCP-IP

This sort of thing used to work fine with Cisco dialup NAS's and Cistron, 
even though the NAS had no pool using that IP range in its config...radius 
just forced it to override the default pool, but in this case, it just 
keeps assigning an IP from the NAS pool (and yes, I have the above 
statement ABOVE the DEFAULT statement).


Is there something else that needs to be done to allow this?

Thanks in advance!

James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am


PAM, ms-chap and shadow passwords

2008-06-09 Thread up


I understand that radius authenticating ppp (PPTP in this case) 
connections against shadow passwords requires cleartext authentication 
(PAP).


Does PAM allow you to work around this?  From reading what I can find on 
PAM, it would seem that FreeRADIUS would pass off the authentication 
request to PAM and PAM could then take care of the crypt/decrypt, thus 
allowing CHAP or MSCHAP client authentication against shadow passwords.


Is this correct?

TIA,

James Smallacombe PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED]   
http://3.am
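The question in the post above has a short answer that follows from how CHAP is defined: the RFC 1994 response is MD5(Identifier || secret || Challenge), so the verifier has to hold the password itself (MS-CHAP likewise needs the cleartext or the NT hash), and PAM does not change that, because the PAM conversation is also handed a password rather than a challenge/response pair. With only a crypt(3)-style shadow hash the server can verify PAP, where the client sends the password, but not CHAP. The following is an added example, not code from the poster or from the FreeRADIUS project, that shows both checks side by side. `shadow_hash` is a PBKDF2 stand-in for crypt(3) so the block runs without the deprecated `crypt` module, and the password and challenge values are constructed.

```python
import hashlib
import hmac
import os


def shadow_hash(password, salt=None):
    """Stand-in for a crypt(3) /etc/shadow entry: salted, one-way, slow.
    PBKDF2 is used instead of the real crypt(3) so the block runs everywhere;
    the property that matters, that the password cannot be recovered from
    the stored value, is the same."""
    salt = salt or os.urandom(8)
    return salt + hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 10000)


def shadow_verify(stored, password):
    """Only possible when the password itself is available to re-hash."""
    return hmac.compare_digest(stored, shadow_hash(password, stored[:8]))


def chap_response(ident, password, challenge):
    """RFC 1994 section 4: Response-Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def pap_authenticate(stored_shadow, submitted_password):
    """PAP: the client sends the password, so a one-way hash on the server is enough."""
    return shadow_verify(stored_shadow, submitted_password)


def chap_authenticate(ident, challenge, response, credential):
    """CHAP: the server must recompute the MD5 over the cleartext password.
    credential is ('cleartext', password) or ('shadow', stored_hash).  With a
    shadow hash the check is undecidable (nothing derives the MD5 input from
    crypt output), so None is returned rather than a reject."""
    kind, value = credential
    if kind != 'cleartext':
        return None
    expected = chap_response(ident, value, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == '__main__':
    password = 'hunter2'                                # constructed
    stored = shadow_hash(password)                      # what /etc/shadow would hold
    challenge = os.urandom(16)
    response = chap_response(7, password, challenge)    # what a CHAP client sends
    print('PAP  against shadow hash :', pap_authenticate(stored, password))
    print('CHAP against cleartext   :', chap_authenticate(7, challenge, response, ('cleartext', password)))
    print('CHAP against shadow hash :', chap_authenticate(7, challenge, response, ('shadow', stored)))
```

The practical consequence for the PPTP setup in this thread is that authenticating against /etc/shadow means PAP on the PPP link, with User-Password protected only by the RFC 2865 shared-secret hiding between NAS and server; keep that path on a trusted network. Supporting CHAP or MS-CHAP means storing a cleartext or NT-hash password somewhere the server can read it.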