I am trying to get FreeRADIUS working with huntgroups and LDAP.

A couple of problems are occurring:

(1) modcall[authorize]: module "files" returns notfound for request 1

But the user can still log in. How can I stop this?

(2) rlm_ldap::groupcmp: Group disabled not found or user not a member

My users file is set up as below, but it does not seem to search through the groups; it just fails on the first one, but still logs in. I have tried different setups of Fall-Through with no luck as well.

USERS FILE

DEFAULT Ldap-Group == disabled, Auth-Type := Reject,
        Reply-Message = "Account disabled. Please call the helpdesk."
        Fall-Through = no

DEFAULT Huntgroup-Name == internet, Ldap-Group == lisdoonvarna, User-Profile := "cn=lisdoonvarna,ou=profiles,o=radius,dc=radiowave,dc=net"
        Fall-Through = no

DEFAULT Huntgroup-Name == internet, Ldap-Group == doolin, User-Profile := "cn=doolin,ou=profiles,o=radius,dc=radiowave,dc=net"
        Fall-Through = no

DEFAULT Huntgroup-Name == internet, Ldap-Group == fanore, User-Profile := "cn=fanore,ou=profiles,o=radius,dc=radiowave,dc=net"
        Fall-Through = no

DEFAULT Huntgroup-Name == internet, Ldap-Group == ballyvaughan, User-Profile := "cn=ballyvaughan,ou=profiles,o=radius,dc=radiowave,dc=net"
        Fall-Through = no

#DEFAULT Auth-Type := Reject
#        Reply-Message = "Please call the helpdesk."

I have searched a bit for info on this but am having no joy. Look forward to hearing from someone.

Thanks
alan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 26 April 2005 05:27
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users digest, Vol 1 #4555 - 3 msgs

Today's Topics:

1. How to log Acct-Termination-Cause variants in SQL DB (Guy Fraser)
2. Re: attribute value matching in users file (Chris Carver)
3. Re: TLS problem (frad)

--__--__--

Message: 1
Subject: How to log Acct-Termination-Cause variants in SQL DB
From: Guy Fraser <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Date: Mon, 25 Apr 2005 15:03:33 -0600
Reply-To: freeradius-users@lists.freeradius.org

With every vendor making up their own Attributes and Values, it has me wondering whether anyone has a simple solution to putting all the similar Attributes into the acctterminatecause field.

I have been thinking that I would use:

%{Acct-Terminate-Cause}:-%{Ascend-Disconnect-Cause}:-%{Cisco-Disconnect-Cause}

I am not sure if this would need brackets or if there is a better way.

So far I will only need these three for that entry. There are other entries that will likely need to be mapped as well, but I have not yet researched them.

The custom Cistron I wrote allows me to map as many Radius Attributes as I want to a SQL attribute. In my system I just put:

#START#
...
Acct-Terminate-Cause = Acct-Terminate-Cause : Text #
Ascend-Disconnect-Cause = Acct-Terminate-Cause : Text #
Cisco-Disconnect-Cause = Acct-Terminate-Cause : Text #
...
#END#

The automatic table create/update function accumulates all the distinct SQL attributes and creates one column per Attribute, or adds any new columns to an existing table.

Unfortunately the code I wrote was not abstracted in any way, and may be difficult to make work with MySQL, since I only had PostgreSQL in mind when writing it.

PS: Can XLAT be used to generate SQL table names?

My current system generates configured table names such as:

acct_%{Acct-Session-Type}_%Y%b

So every month I get 3 tables, e.g.:

acct_start_2005apr, acct_stop_2005apr, acct_other_2005apr

Acct-Session-Type is a special case: only Start and Stop tables are created; anything else is sent to the Other table along with any duplicate log entries. Any failed entries are saved in a cache file that is monitored. I had one entry over a year ago that was caused by an entry that had a byte count > 2GB that was being put into an int4. I updated the attribute map to use "bigint", but haven't had anything that large since.

--__--__--

Message: 2
Date: Mon, 25 Apr 2005 18:34:30 -0400
From: Chris Carver <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Subject: Re: attribute value matching in users file
Reply-To: freeradius-users@lists.freeradius.org

Thanks for help, Alan. I think I have the problem resolved. Just for fun, when I used radclient I specified the dictionary location with -d and it worked! Maybe radclient was thinking the custom dictionary file was somewhere else? I'm not sure, but it seems to work now and that's the only thing I changed. Thanks for your time.

Chris Carver

Alan DeKok wrote:

>Chris Carver <[EMAIL PROTECTED]> wrote:
>
>>I believe so. Here is what is a custom dictionary file that's included
>>in /etc/raddb/dictionary:
>>
>
> Ok...
>
>>I still see the same behavior as before. The users file completely
>>ignores the existence of a redirectPort80 in the access-request, but it
>>can REPLY with a redirectPort80 attribute. Is there something special I
>>have to do to be able to check for this specific attribute in an
>>access-request?
>>
>
> No. It should just work.
>
>>DEFAULT redirectPort80 == true
>>
>>Does not match even though that's what I'm feeding it with radclient.
>>
>
> Hmm... if I test it with my server, it works.
>
> My guess is that you have *other* entries in your "users" file.
>Read the debug output to see which entries did match, and walk through
>the "users" file by hand to see where it stops matching, and why.
>
> Odds are you don't have a "Fall-Through" configured somewhere.
>
> Alan DeKok.
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--__--__--

Message: 3
Date: Mon, 25 Apr 2005 23:29:35 -0400
From: frad <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Subject: Re: TLS problem
Reply-To: freeradius-users@lists.freeradius.org

A good resource is www.austux.net/resources/network/eaptls.html

Also, make sure you are using "windows zero configuration" on the WinXP client.

Jon

[EMAIL PROTECTED] wrote:

>Hello,
>
>I'm trying to make an authentication using freeradius-1.0.1-1 on Fedora
>Core 3, Cisco Catalyst 2950 as authenticator and WinXP (SP2) as a client.
>I didn't manage to make it work and I found a document describing that I
>should make a TLS authentication first, then go to MS-CHAP v2, but it
>didn't work too. I found that the TLS connection doesn't establish
>completely but I can't find the problem. Can you tell me the reason it
>doesn't work or url to more descriptive document?
>

--__--__--

End of Freeradius-Users Digest
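
Added example (not part of the original message and not FreeRADIUS code): a simplified Python model of the "files" module walking the DEFAULT entries from the users file at the top of this message in order, to show which entry a request stops on and what is left when none matches. The request values and LDAP group memberships are constructed, and placing Reply-Message among the reply items is an assumption about the posted layout.

```python
# Simplified model of the "files" module walking DEFAULT entries in order.
# Illustration only, not FreeRADIUS code; names and values follow the post.
PROFILE = "cn=%s,ou=profiles,o=radius,dc=radiowave,dc=net"
TOWNS = ["lisdoonvarna", "doolin", "fanore", "ballyvaughan"]

def entry(checks, control=None, reply=None, fall_through=False):
    return {"checks": checks, "control": control or {},
            "reply": reply or {}, "fall_through": fall_through}

# Entries as posted (Fall-Through = no everywhere, catch-all commented out).
POSTED = [entry({"Ldap-Group": "disabled"}, {"Auth-Type": "Reject"},
                {"Reply-Message": "Account disabled. Please call the helpdesk."})]
POSTED += [entry({"Huntgroup-Name": "internet", "Ldap-Group": t},
                 {"User-Profile": PROFILE % t}) for t in TOWNS]

# Same list with the commented-out catch-all DEFAULT enabled.
WITH_CATCH_ALL = POSTED + [entry({}, {"Auth-Type": "Reject"},
                                 {"Reply-Message": "Please call the helpdesk."})]

def matches(checks, request):
    """All '==' check items must hold; Ldap-Group is a membership test."""
    for attr, want in checks.items():
        if attr == "Ldap-Group":
            if want not in request["ldap_groups"]:
                return False
        elif request.get(attr) != want:
            return False
    return True

def authorize(entries, request):
    """Return (module_result, control_items, reply_items, trace)."""
    control, reply, trace, found = {}, {}, [], False
    for i, e in enumerate(entries):
        if not matches(e["checks"], request):
            trace.append((i, "no match"))
            continue
        found = True
        control.update(e["control"])   # ':=' items, e.g. Auth-Type, User-Profile
        reply.update(e["reply"])
        trace.append((i, "match"))
        if not e["fall_through"]:      # Fall-Through = no: stop at first match
            break
    return ("ok" if found else "notfound"), control, reply, trace

if __name__ == "__main__":
    # Constructed request: a user who belongs to none of the listed groups.
    nogroup = {"Huntgroup-Name": "internet", "ldap_groups": set()}
    print(authorize(POSTED, nogroup)[:2])          # ('notfound', {})
    print(authorize(WITH_CATCH_ALL, nogroup)[:2])  # ('ok', {'Auth-Type': 'Reject'})
```

In this model a user in none of the listed groups leaves the posted list with notfound and no Auth-Type set, while the list with the catch-all enabled ends with Auth-Type set to Reject.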