I am trying to get FreeRADIUS working with huntgroups and LDAP.

A couple of problems are occurring:

(1) modcall[authorize]: module "files" returns notfound for request 1

But the user can still log in. How can I stop this?

(2) rlm_ldap::groupcmp: Group disabled not found ????or user not a member

My users file is set up as below, but it does not seem to search through the 
groups; it just fails on the first one, but still logs in. I have tried different 
setups of Fall-Through with no luck as well.

USERS FILE


DEFAULT Ldap-Group == disabled, Auth-Type := Reject, Reply-Message = "Account disabled.  Please call the helpdesk."
        Fall-Through = no

DEFAULT Huntgroup-Name == internet, Ldap-Group == lisdoonvarna, User-Profile := "cn=lisdoonvarna,ou=profiles,o=radius,dc=radiowave,dc=net"
        Fall-Through = no

DEFAULT Huntgroup-Name == internet, Ldap-Group == doolin, User-Profile := "cn=doolin,ou=profiles,o=radius,dc=radiowave,dc=net"
        Fall-Through = no

DEFAULT Huntgroup-Name == internet, Ldap-Group == fanore, User-Profile := "cn=fanore,ou=profiles,o=radius,dc=radiowave,dc=net"
        Fall-Through = no

DEFAULT Huntgroup-Name == internet, Ldap-Group == ballyvaughan, User-Profile := "cn=ballyvaughan,ou=profiles,o=radius,dc=radiowave,dc=net"
        Fall-Through = no

#DEFAULT Auth-Type := Reject
#        Reply-Message = "Please call the helpdesk."



I have searched a bit for info on this but am having no joy. Look forward to 
hearing from someone.

Thanks

alan
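
The matching behaviour in question, as an added example that is not part of the original post and is not FreeRADIUS code: a simplified Python model of the users file above. It assumes entries are tried in order, a match without Fall-Through = yes ends the search, and no match at all yields notfound, which by itself rejects nothing. The group name kilfenora and all function names are constructed for the illustration.

```python
# Simplified model of how the "files" module walks a users file: entries are
# tried in order, and a match without Fall-Through = yes ends the search.
# Only "==" checks are modelled; Ldap-Group is treated as a membership test.
PROFILE = "cn=%s,ou=profiles,o=radius,dc=radiowave,dc=net"

def entry(check, control, fall_through=False):
    return {"check": check, "control": control, "fall_through": fall_through}

# Constructed from the DEFAULT entries in the post (catch-all left commented out).
ENTRIES = [entry({"Ldap-Group": "disabled"}, {"Auth-Type": "Reject"})] + [
    entry({"Huntgroup-Name": "internet", "Ldap-Group": g}, {"User-Profile": PROFILE % g})
    for g in ("lisdoonvarna", "doolin", "fanore", "ballyvaughan")
]
CATCH_ALL = entry({}, {"Auth-Type": "Reject"})  # the commented-out final DEFAULT

def matches(check, request):
    for attr, wanted in check.items():
        have = request.get(attr)
        if isinstance(have, (set, frozenset)):   # group membership
            if wanted not in have:
                return False
        elif have != wanted:
            return False
    return True

def authorize_files(entries, request):
    """Return (rcode, control items): "ok" if any entry matched, else "notfound"."""
    control, matched = {}, False
    for e in entries:
        if not matches(e["check"], request):
            continue
        matched = True
        control.update(e["control"])
        if not e["fall_through"]:
            break
    return ("ok" if matched else "notfound"), control

def outcome(entries, request):
    """Return "reject" if the users file set Auth-Type := Reject, else "continue"
    (later modules, such as the LDAP lookup, still decide the login)."""
    _, control = authorize_files(entries, request)
    return "reject" if control.get("Auth-Type") == "Reject" else "continue"

# Constructed requests: a user outside every listed group, and a doolin member.
outsider = {"Huntgroup-Name": "internet", "Ldap-Group": {"kilfenora"}}
member = {"Huntgroup-Name": "internet", "Ldap-Group": {"doolin"}}
if __name__ == "__main__":
    print(authorize_files(ENTRIES, outsider), outcome(ENTRIES, outsider))
    print(outcome(ENTRIES + [CATCH_ALL], outsider), authorize_files(ENTRIES, member))
```

With the catch-all entry left out, the outsider request ends as notfound and processing continues; with it appended as the last entry, the same request is rejected while group members still stop at their own entry.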















-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 26 April 2005 05:27
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users digest, Vol 1 #4555 - 3 msgs

Today's Topics:

   1. How to log Acct-Termination-Cause variants in SQL DB (Guy Fraser)
   2. Re: attribute value matching in users file (Chris Carver)
   3. Re: TLS problem (frad)

--__--__--

Message: 1
Subject: How to log Acct-Termination-Cause variants in SQL DB
From: Guy Fraser <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Date: Mon, 25 Apr 2005 15:03:33 -0600
Reply-To: freeradius-users@lists.freeradius.org

With every vendor making up their own Attributes and Values 
it has me wondering whether anyone has a simple solution 
to putting all the similar Attributes into the acctterminatecause
field. I have been thinking that I would use:
%{Acct-Terminate-Cause}:-%{Ascend-Disconnect-Cause}:-%{Cisco-Disconnect-Cause}

I am not sure if this would need brackets or if there is a better 
way. So far I will only need these three, for that entry.

There are other entries that will likely need to be mapped as well 
but I have not yet researched them.

The custom Cistron I wrote allows me to map as many Radius 
Attributes as I want to a sql attribute. In my system I just 
put 

#START#
...
Acct-Terminate-Cause    = Acct-Terminate-Cause  : Text  # 
Ascend-Disconnect-Cause = Acct-Terminate-Cause  : Text  # 
Cisco-Disconnect-Cause  = Acct-Terminate-Cause  : Text  # 
...
#END#

The automatic table create/update function, accumulates all 
the distinct SQL attributes, and creates one column per 
Attribute, or adds any new columns to an existing table.

Unfortunately the code I wrote was not abstracted in any 
way, and may be difficult to make work with MySQL, since 
I only had PostgreSQL in mind when writing it.

PS: Can XLAT be used to generate SQL table names?
My current system generates configured table names such as:

acct_%{Acct-Session-Type}_%Y%b

So every month I get 3 tables:
E.g.:
acct_start_2005apr, acct_stop_2005apr, acct_other_2005apr

Acct-Session-Type is a special case: only Start and Stop 
tables are created; anything else is sent to the Other table 
along with any duplicate log entries. Any failed entries 
are saved in a cache file that is monitored. I had one 
entry over a year ago that was caused by an entry that 
had a byte count > 2GB that was being put into an int4.
I updated the attribute map to use "bigint", but haven't 
had anything that large since.





--__--__--

Message: 2
Date: Mon, 25 Apr 2005 18:34:30 -0400
From: Chris Carver <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Subject: Re: attribute value matching in users file
Reply-To: freeradius-users@lists.freeradius.org

Thanks for the help, Alan.  I think I have the problem resolved.  Just for 
fun when I used radclient I specified the dictionary location with -d 
and it worked!  Maybe radclient was thinking the custom dictionary file 
was somewhere else?  I'm not sure, but it seems to work now and that's 
the only thing I changed.  Thanks for your time.

Chris Carver

Alan DeKok wrote:

>Chris Carver <[EMAIL PROTECTED]> wrote:
>
>>I believe so.  Here is what is a custom dictionary file that's included 
>>in /etc/raddb/dictionary:
>
>  Ok...
>
>>I still see the same behavior as before.  The users file completely 
>>ignores the existence of a redirectPort80 in the access-request, but it 
>>can REPLY with a redirectPort80 attribute.  Is there something special I 
>>have to do to be able to check for this specific attribute in an 
>>access-request?
>
>  No.  It should just work.
>
>>DEFAULT redirectPort80 == true
>>
>>Does not match even though that's what I'm feeding it with radclient.
>
>  Hmm... if I test it with my server, it works.
>
>  My guess is that you have *other* entries in your "users" file.
>Read the debug output to see which entries did match, and walk through
>the "users" file by hand to see where it stops matching, and why.
>
>  Odds are you don't have a "Fall-Through" configured somewhere.
>
>  Alan DeKok.
>
>- 
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>  
>



--__--__--

Message: 3
Date: Mon, 25 Apr 2005 23:29:35 -0400
From: frad <[EMAIL PROTECTED]>
To:  freeradius-users@lists.freeradius.org
Subject: Re: TLS problem
Reply-To: freeradius-users@lists.freeradius.org

A good resource is www.austux.net/resources/network/eaptls.html
Also, make sure you are using "windows zero configuration" on the
WinXP client.

Jon


[EMAIL PROTECTED] wrote:

>Hello,
>
>I'm trying to make an authentication using freeradius-1.0.1-1 on Fedora
>Core 3, Cisco Catalyst 2950 as authenticator and WinXP (SP2) as a client.
>I didn't manage to make it work and I found a document describing that I
>should make a TLS authentication first, then go to MS-CHAP v2, but it
>didn't work too. I found that the TLS connection doesn't establish
>completely but I can't find the problem. Can you tell me the reason it
>doesn't work or url to more descriptive document?
>





--__--__--



End of Freeradius-Users Digest

