But doesn't this mean there has to be a realm in the username, e.g.
[EMAIL PROTECTED]?

The problem is that the User-Name attribute does not contain a realm. Is it
still possible to proxy the accounting Start and Stop messages
originating from a certain NAS-IP-Address?



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 29 September 2005 06:22 PM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 5, Issue 98

Send Freeradius-Users mailing list submissions to
        freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. Proxy of Accounting Requests (Ashwin Gobind)
   2. Re: Proxy of Accounting Requests (Nicolas Baradakis)
   3. RE: Proxy of Accounting Requests (Jonathan De Graeve)
   4. Re: LDAP and groups (Dusty Doris)
   5. Re: LDAP and groups (Kenneth Grady)
   6. Re: SSL3_GET_CLIENT_KEY_EXCHANGE (Juan Daniel Moreno)
   7. (no subject) ([EMAIL PROTECTED])
   8. Postgresql+freeradius configuration ([EMAIL PROTECTED])


----------------------------------------------------------------------

Message: 1
Date: Thu, 29 Sep 2005 12:18:37 +0200
From: "Ashwin Gobind" <[EMAIL PROTECTED]>
Subject: Proxy of Accounting Requests
To: <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

Good day. I am using freeradius 1.05.
I want to proxy accounting requests originating from certain hosts to
another server; how can I do this? Also I am using JRadius to handle
accounting requests, but I don't want JRadius to handle this particular
request, only freeradius to proxy it.  Here is an example of the
request.
Thanks



Acct-Session-Id = C42EA2A31F96530
Framed-Protocol = GPRS-PDP-Context
Called-Station-Id = vlive
Calling-Station-Id = 27829800529
Framed-IP-Address = 10.19.128.6
3GPP-IMSI = 655019800002252
3GPP-Charging-ID = 33121584
3GPP-PDP-Type = 0
3GPP-GGSN-Address = 196.46.162.163
3GPP-IMSI-MCC-MNC = 65501
3GPP-GGSN-MCC-MNC = 65501
3GPP-NSAPI = 5
3GPP-Selection-Mode = 0
3GPP-Charging-Gateway-Address = 10.25.0.10
3GPP-GPRS-Negotiated-QoS-profile = 99-23931F9396979774FB0808
3GPP-SGSN-Address = 196.6.254.49
User-Name = 27829800529
Cisco-AVPair = connect-progress=Call Up
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Virtual
Cisco-NAS-Port = GGSN
NAS-Port = 60000
Class = [Binary Data]
Service-Type = Framed-User
NAS-IP-Address = 10.31.1.122
NAS-Identifier = GMC-GGSN0-12-2
Acct-Delay-Time = 0
Client-IP-Address = 10.113.60.6
Acct-Unique-Session-Id = b30a3d4d494c8a87



------------------------------

Message: 2
Date: Thu, 29 Sep 2005 13:55:16 +0200
From: Nicolas Baradakis <[EMAIL PROTECTED]>
Subject: Re: Proxy of Accounting Requests
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

Ashwin Gobind wrote:

> I want to proxy accounting requests originating from certain hosts to
> another server, how can I do this.

You could add something like this in file "acct_users":

DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1

DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2

-- 
Nicolas Baradakis



------------------------------

Message: 3
Date: Thu, 29 Sep 2005 15:56:33 +0200
From: "Jonathan De Graeve" <[EMAIL PROTECTED]>
Subject: RE: Proxy of Accounting Requests
To: "FreeRadius users mailing list"
        <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

Can you also do this in SQL?

J.

-- 
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

---------
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
---------

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas
Baradakis
Sent: Thursday 29 September 2005 13:55
To: FreeRadius users mailing list
Subject: Re: Proxy of Accounting Requests

Ashwin Gobind wrote:

> I want to proxy accounting requests originating from certain hosts to
> another server, how can I do this.

You could add something like this in file "acct_users":

DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1

DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2

-- 
Nicolas Baradakis

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html






------------------------------

Message: 4
Date: Thu, 29 Sep 2005 10:06:30 -0400 (EDT)
From: Dusty Doris <[EMAIL PROTECTED]>
Subject: Re: LDAP and groups
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

> Hello there,
>
> I have a small problem. And I read the documentation. And I can't find
> what's wrong.
>
> I have a corporate LDAP with users and groups.
>
> Each group is a "groupOfUniqueNames", with "uniquemember".
> In the user definition, no group definition is set.
>
> I need to authenticate members of certain groups, and not of another
...
>
> Every doc I read mentions that you have to create an attribute "per
> user" ...
>
> Any other way?
>

I chose to do groups per user with the radiusgroupname attribute, which is
in the ldap_howto.  However, you don't have to do it that way.  Try reading
radiusd.conf in the ldap section under the default groupmembership_filter,
or reading doc/rlm_ldap.

If you are trying that and not having success, then post your debug
output.




------------------------------

Message: 5
Date: Thu, 29 Sep 2005 08:11:27 -0600
From: Kenneth Grady <[EMAIL PROTECTED]>
Subject: Re: LDAP and groups
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain

   ldapsearch -x cn=my_group
#
# filter: cn=my_group
# requesting: ALL
#

# my_group, group, lanl, gov
dn: cn=my_group,ou=group,dc=lanl,dc=gov
objectClass: groupOfNames
cn: my_group
member: employeeNumber=0067,ou=people,dc=lanl,dc=gov
member: employeeNumber=0068,ou=people,dc=lanl,dc=gov
...
----------------------------------
radiusd.conf (file)
...modules
        ldap My-group_Users {
                server = "ldap"
                net_timeout = 1
                timeout = 3
                timelimit = 4
                ldap_connections_number = 5
                basedn = "dc=lanl,dc=gov"
                #access_attr = "employeeNumber"
                filter = "(&(cn=my-group)(member=employeeNumber=%{Stripped-User-Name:-%{User-Name}},ou=people,dc=lanl,dc=gov))"
                start_tls = no
                groupname_attribute = cn
                groupmembership_filter = ""
                groupmembership_attribute = my_group
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                compare_check_items = yes
                access_attr_used_for_allow = yes
        }
... authorize
        Autz-Type MY-GROUP {
                redundant {
                        My-group_Users
                        notfound = reject
                }
        }
----------------------------------
users (file)
...
DEFAULT NAS-IP-Address =~ "^123.123", Autz-Type := MY-GROUP

There's probably a better way, but this worked for what I wanted.




On Thu, 2005-09-29 at 03:10, Jean-Francois Gobin wrote:
> 
> Hello there,
> 
> I have a small problem. And I read the documentation. And I can't find
> what's wrong.
> 
> I have a corporate LDAP with users and groups.
> 
> Each group is a "groupOfUniqueNames", with "uniquemember".
> In the user definition, no group definition is set.
> 
> I need to authenticate members of certain groups, and not of another
...
> 
> Every doc I read mentions that you have to create an attribute "per
> user" ...
> 
> Any other way ?
> 
> Regards,
> Jean-Francois Gobin
> 
> - ----------
> Jean-Francois Gobin - Administrateur gobinjf.be
> http://www.gobinjf.be   mailto:[EMAIL PROTECTED]



------------------------------

Message: 6
Date: Thu, 29 Sep 2005 16:22:12 +0200
From: Juan Daniel Moreno <[EMAIL PROTECTED]>
Subject: Re: SSL3_GET_CLIENT_KEY_EXCHANGE
To: freeradius-users@lists.freeradius.org
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

>
>   The protocol specification describes this.  The implementation in
> src/modules/rlm_eap/ contains diagrams of the packets it expects to
> receive.
>
>   Alan DeKok.
>
>

Thank you Alan, but now I have a new problem. I have been reading
src/modules/rlm_eap/ to understand my problem but I can't find the
issue. In the TLS establishment, the public key in server.cert is 128
bytes long. I generate a random string of 46 bytes plus the protocol
version (TLS 1.0 (0x03, 0x01)) and I use the SSL function
RSA_public_encrypt() with the server's public key to encrypt the
PreMasterSecret. As a result I get a 128-byte string. When I send this
data to the server, I get "tls rsa encrypted length is wrong:
s3_srvr.c: 1450:"

Can anybody please tell me where my problem can be?  Here is my code,
for example.


#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>

/* SSLData, _MEMORY_Allocate() and _RANDOM_MakeCharString() come from the
   poster's own code base and are assumed to be declared elsewhere. */
void Client_Key_Exchange (SSLData *ClientSSLData, unsigned short *length,
                          char *HandshakeMessages, unsigned short *length_Hndshk,
                          char *buff)
{
        int i;
        int rsasize = 0, Encrypted_len = 0;
        char *PreMasterSecret          = (char*) _MEMORY_Allocate (58, true);
        char *EncryptedPreMasterSecret = (char*) _MEMORY_Allocate (128, true);
        char *temp                     = (char*) _MEMORY_Allocate (58, true);
        unsigned char *tmpCert         = (unsigned char*) _MEMORY_Allocate
                                         (ClientSSLData->certificate_len + 128, true);
        const unsigned char *p         = tmpCert;   // d2i_X509 advances this copy, not tmpCert
        X509     *cert = NULL;
        EVP_PKEY *evp  = NULL;
        RSA      *server_public_key = NULL;

        //----- PreMasterSecret = client_version (0x03 0x01) + 46 random bytes = 48 bytes -----
        _RANDOM_MakeCharString (temp, 46);

        PreMasterSecret [0] = 0x03;
        PreMasterSecret [1] = 0x01;
        for (i = 0; i < 46; i++)
                PreMasterSecret[i+2] = temp[i];

        //----- Keep all 48 bytes; the master secret is derived from them later -----
        memcpy (ClientSSLData->PreMasterSecret, PreMasterSecret, 48);

        for (i = 0; i < ClientSSLData->certificate_len; i++)
                tmpCert[i] = (unsigned char) ClientSSLData->certificate[i];

        //----- OpenSSL Functions -----
        //----- Parse the DER certificate received from the server -----
        if (d2i_X509 (&cert, &p, ClientSSLData->certificate_len) == NULL)
                goto cleanup;

        //----- We get the public key from the Server certificate -----
        evp = X509_get_pubkey (cert);
        server_public_key = EVP_PKEY_get1_RSA (evp);
        if (server_public_key == NULL)
                goto cleanup;

        rsasize = RSA_size (server_public_key);            // 128 for a 1024-bit key

        //----- We get the PreMasterSecret encrypted (PKCS#1 v1.5 padding) -----
        Encrypted_len = RSA_public_encrypt (48, (unsigned char*) PreMasterSecret,
                                (unsigned char*) EncryptedPreMasterSecret,
                                server_public_key, RSA_PKCS1_PADDING);
        if (Encrypted_len != rsasize)
                goto cleanup;

        //----- TLS 1.0 (RFC 2246, 7.4.7.1) sends the encrypted premaster as an
        //      opaque<0..2^16-1> vector: a 2-byte length precedes the ciphertext.
        //      Handshake body = Encrypted_len + 2, record body = Encrypted_len + 6;
        //      both headers must agree or the server rejects the length. -----
        ClientSSLData->bufferSSL[(*length)++] = 0x16;                      // Handshake record
        ClientSSLData->bufferSSL[(*length)++] = 0x03;                      // Version 3.1
        ClientSSLData->bufferSSL[(*length)++] = 0x01;                      //   = TLS 1.0
        ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 6) / 256; // Record length
        ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 6) % 256;
        ClientSSLData->bufferSSL[(*length)++] = 0x10;                      // client_key_exchange
        ClientSSLData->bufferSSL[(*length)++] = 0x00;                      // Handshake length
        ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 2) / 256; //   (3 bytes)
        ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 2) % 256;
        ClientSSLData->bufferSSL[(*length)++] = Encrypted_len / 256;       // Vector length
        ClientSSLData->bufferSSL[(*length)++] = Encrypted_len % 256;       //   (2 bytes)

        //----- Encrypted premaster: out to the caller and into the handshake transcript -----
        for (i = 0; i < Encrypted_len; i++)
        {
                buff[i] = EncryptedPreMasterSecret[i];
                HandshakeMessages[(*length_Hndshk)++] = EncryptedPreMasterSecret[i];
        }

cleanup:
        RSA_free (server_public_key);
        EVP_PKEY_free (evp);
        X509_free (cert);
        free (PreMasterSecret);
        free (EncryptedPreMasterSecret);
        free (temp);
        free (tmpCert);
}

Thank you for your help. Juan Daniel MORENO
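As an added illustration (not code from the post above, nor from FreeRADIUS or OpenSSL): a builder that frames a ciphertext as a TLS 1.0 ClientKeyExchange record either with or without the 2-byte vector length prefix, and a checker that applies the length rules a TLS 1.0 server applies, including the one behind the s3_srvr.c error quoted above. The 128 bytes of 0xA5 that stand in for the RSA output are constructed; no real key or ciphertext is needed to exercise the framing.

```c
#include <stddef.h>
#include <string.h>

/* Frame an RSA-encrypted premaster secret as a TLS 1.0 ClientKeyExchange record
 * (RFC 2246 7.4.7.1). with_vector_len=1 emits the required length prefix; 0 omits it. */
size_t build_client_key_exchange(const unsigned char *enc, size_t enc_len,
                                 int with_vector_len, unsigned char *out)
{
    size_t body = enc_len + (with_vector_len ? 2 : 0), n = 0;
    out[n++] = 0x16;                              /* ContentType: handshake */
    out[n++] = 0x03; out[n++] = 0x01;             /* ProtocolVersion 3.1 = TLS 1.0 */
    out[n++] = (unsigned char)((body + 4) >> 8);  /* record length: 4-byte hs header + body */
    out[n++] = (unsigned char)((body + 4) & 0xff);
    out[n++] = 0x10;                              /* HandshakeType: client_key_exchange */
    out[n++] = 0x00;                              /* 24-bit handshake length */
    out[n++] = (unsigned char)(body >> 8);
    out[n++] = (unsigned char)(body & 0xff);
    if (with_vector_len) {
        out[n++] = (unsigned char)(enc_len >> 8); /* opaque<0..2^16-1> length prefix */
        out[n++] = (unsigned char)(enc_len & 0xff);
    }
    memcpy(out + n, enc, enc_len);
    return n + enc_len;
}

/* Server-side length validation. Returns 0 when every length agrees, otherwise a
 * negative code for the first field that does not; -5 is the TLS 1.0 rule
 * (handshake length == vector length + 2) behind the s3_srvr.c error quoted above. */
int check_client_key_exchange(const unsigned char *r, size_t len, size_t rsa_size)
{
    if (len < 11 || r[0] != 0x16 || r[1] != 0x03 || r[2] != 0x01) return -1;
    size_t rec = ((size_t)r[3] << 8) | r[4];
    if (rec != len - 5) return -2;                /* record header vs bytes received */
    if (r[5] != 0x10) return -3;
    size_t hs = ((size_t)r[6] << 16) | ((size_t)r[7] << 8) | r[8];
    if (hs != rec - 4) return -4;                 /* handshake header vs record */
    size_t vec = ((size_t)r[9] << 8) | r[10];
    if (hs != vec + 2) return -5;                 /* missing or wrong 2-byte prefix */
    if (vec != rsa_size) return -6;               /* ciphertext must be one RSA block */
    return 0;
}
/* Constructed input: 128 bytes of 0xA5 stand in for a 1024-bit RSA output. */
int demo(int with_vector_len)
{
    unsigned char enc[128], rec[256];
    memset(enc, 0xA5, sizeof enc);
    size_t n = build_client_key_exchange(enc, sizeof enc, with_vector_len, rec);
    return check_client_key_exchange(rec, n, sizeof enc);
}
```

demo(1) returns 0; demo(0) returns -5, because the server then reads the first two ciphertext bytes as the vector length and they do not match the handshake length.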



------------------------------

Message: 7
Date: Thu, 29 Sep 2005 16:59:00 +0100
From: [EMAIL PROTECTED]
Subject: (no subject)
Cc: freeradius-users@lists.freeradius.org
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain;       charset=ISO-8859-1

Good morning!!!!!
I have successfully configured a freeradius server using a postgresql
database to store the users I want to authenticate.
When I put it in debug mode to test, it works well. But when I run it as a
daemon the radius server doesn't see the postgresql server. In the radius
log file I see this:
 Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Info: rlm_sql (sql): Attempting to connect to
[EMAIL PROTECTED]:/radiusdb
Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server
[EMAIL PROTECTED]:radiusdb
Error: rlm_sql_postgresql: Postgresql error 'could not connect to
server:
Permission denied ?Is the server running on host "localhost" and
accepting
?TCP/IP connections on port 5432? '
Error: rlm_sql (sql): Failed to connect DB handle #0
Info: Ready to process requests.
I use Fedora Core 4 as operating system and freeradius 1.0.4-1,
postgresql 8.0.3-1.
In the postgresql file pg_hba.conf I made this configuration:
#TYPE  DATABASE    USER         CIDR-ADDRESS          METHOD
#IPv4 local connections:
host    radiusdb   radiusadmin  127.0.0.1/32          trust
I don't know why this malfunction happens.
Please help me and thanks for your assistance.



------------------------------



End of Freeradius-Users Digest, Vol 5, Issue 98
***********************************************