"Ashwin Gobind" <[EMAIL PROTECTED]> writes:

> But doesn't this mean there has to be a realm in the username eg
> [EMAIL PROTECTED]
>
> The problem is the user-name attribute does not contain a realm. Is it
> still possible to proxy the accounting start and stop messages
> originating from a certain NAS-IP-ADDRESS.
I believe that was exactly what Nicolas' tip was supposed to do. The trick is
to make the files module do exactly the same as the realm module would have
done if you had passed "[EMAIL PROTECTED]" to the "suffix" instance.

Proxy-To-Realm is documented in doc/module_interface

Bjørn

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: 29 September 2005 06:22 PM
> To: [email protected]
> Subject: Freeradius-Users Digest, Vol 5, Issue 98
>
> Send Freeradius-Users mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. Proxy of Accounting Requests (Ashwin Gobind)
>    2. Re: Proxy of Accounting Requests (Nicolas Baradakis)
>    3. RE: Proxy of Accounting Requests (Jonathan De Graeve)
>    4. Re: LDAP and groups (Dusty Doris)
>    5. Re: LDAP and groups (Kenneth Grady)
>    6. Re: SSL3_GET_CLIENT_KEY_EXCHANGE (Juan Daniel Moreno)
>    7. (no subject) ([EMAIL PROTECTED])
>    8. Postgresql+freeradius configuration ([EMAIL PROTECTED])
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 29 Sep 2005 12:18:37 +0200
> From: "Ashwin Gobind" <[EMAIL PROTECTED]>
> Subject: Proxy of Accounting Requests
> To: <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
> Good day. I am using freeradius 1.05
> I want to proxy accounting requests originating from certain hosts to
> another server, how can I do this? Also I am using JRadius to handle
> accounting requests, but this particular request I don't want JRadius to
> handle; I want freeradius just to proxy it. Here is an example of the
> request.
> Thanks
>
>         Acct-Session-Id = C42EA2A31F96530
>         Framed-Protocol = GPRS-PDP-Context
>         Called-Station-Id = vlive
>         Calling-Station-Id = 27829800529
>         Framed-IP-Address = 10.19.128.6
>         3GPP-IMSI = 655019800002252
>         3GPP-Charging-ID = 33121584
>         3GPP-PDP-Type = 0
>         3GPP-GGSN-Address = 196.46.162.163
>         3GPP-IMSI-MCC-MNC = 65501
>         3GPP-GGSN-MCC-MNC = 65501
>         3GPP-NSAPI = 5
>         3GPP-Selection-Mode = 0
>         3GPP-Charging-Gateway-Address = 10.25.0.10
>         3GPP-GPRS-Negotiated-QoS-profile = 99-23931F9396979774FB0808
>         3GPP-SGSN-Address = 196.6.254.49
>         User-Name = 27829800529
>         Cisco-AVPair = connect-progress=Call Up
>         Acct-Authentic = RADIUS
>         Acct-Status-Type = Start
>         NAS-Port-Type = Virtual
>         Cisco-NAS-Port = GGSN
>         NAS-Port = 60000
>         Class = [Binary Data]
>         Service-Type = Framed-User
>         NAS-IP-Address = 10.31.1.122
>         NAS-Identifier = GMC-GGSN0-12-2
>         Acct-Delay-Time = 0
>         Client-IP-Address = 10.113.60.6
>         Acct-Unique-Session-Id = b30a3d4d494c8a87
>
> "This e-mail is sent on the Terms and Conditions that can be accessed by
> Clicking on this link http://www.vodacom.net/legal/email.aspx "
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 29 Sep 2005 13:55:16 +0200
> From: Nicolas Baradakis <[EMAIL PROTECTED]>
> Subject: Re: Proxy of Accounting Requests
> To: FreeRadius users mailing list <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=us-ascii
>
> Ashwin Gobind wrote:
>
>> I want to proxy accounting requests originating from certain hosts to
>> another server, how can I do this.
>
> You could add something like this in file "acct_users":
>
> DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1
>
> DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2
>
> --
> Nicolas Baradakis
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 29 Sep 2005 15:56:33 +0200
> From: "Jonathan De Graeve" <[EMAIL PROTECTED]>
> Subject: RE: Proxy of Accounting Requests
> To: "FreeRadius users mailing list" <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
> Can you also do this in SQL?
>
> J.
>
> --
> Jonathan De Graeve
> Network/System Administrator
> Imelda vzw
> Informatica Dienst
> 015/50.52.98
> [EMAIL PROTECTED]
>
> ---------
> Always read the manual for the correct way to do things because the
> number of incorrect ways to do things is almost infinite
> ---------
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Baradakis
> Sent: Thursday 29 September 2005 13:55
> To: FreeRadius users mailing list
> Subject: Re: Proxy of Accounting Requests
>
> Ashwin Gobind wrote:
>
>> I want to proxy accounting requests originating from certain hosts to
>> another server, how can I do this.
>
> You could add something like this in file "acct_users":
>
> DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1
>
> DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2
>
> --
> Nicolas Baradakis
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 29 Sep 2005 10:06:30 -0400 (EDT)
> From: Dusty Doris <[EMAIL PROTECTED]>
> Subject: Re: LDAP and groups
> To: FreeRadius users mailing list <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
>> Hello there,
>>
>> I have a small problem. And I read the documentation. And I can't find
>> what's wrong.
>>
>> I have a corporate LDAP with users and groups.
>>
>> Each group is a "groupOfUniqueNames", with "uniquemember".
>> In the user definition, no group definition is set.
>>
>> I need to authenticate members of certain groups, and not of another
>> ...
>>
>> Every doc I read mentions that you have to create an attribute "per
>> user" ...
>>
>> Any other way ?
>>
>
> I chose to do groups per user with the radiusgroupname attribute, which
> is in the ldap_howto. However, you don't have to do it that way. Try
> reading radiusd.conf in the ldap section under the default
> groupmembership_filter. Or reading doc/rlm_ldap.
>
> If you are trying that and not having success, then post your debug
> output.
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 29 Sep 2005 08:11:27 -0600
> From: Kenneth Grady <[EMAIL PROTECTED]>
> Subject: Re: LDAP and groups
> To: FreeRadius users mailing list <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
>
> ldapsearch -x cn=my_group
> #
> # filter: cn=my_group
> # requesting: ALL
> #
>
> # my_group, group, lanl, gov
> dn: cn=my_group,ou=group,dc=lanl,dc=gov
> objectClass: groupOfNames
> cn: my_group
> member: employeeNumber=0067,ou=people,dc=lanl,dc=gov
> member: employeeNumber=0068,ou=people,dc=lanl,dc=gov
> ...
> ----------------------------------
> radiusd.conf (file)
> ...modules
> ldap My-group_Users {
>     server = "ldap"
>     net_timeout = 1
>     timeout = 3
>     timelimit = 4
>     ldap_connections_number = 5
>     basedn = "dc=lanl,dc=gov"
>     #access_attr = "employeeNumber"
>     filter = "(&(cn=my-group)(member=employeeNumber=%{Stripped-User-Name:-%{User-Name}},ou=people,dc=lanl,dc=gov))"
>     start_tls = no
>     groupname_attribute = cn
>     groupmembership_filter = ""
>     groupmembership_attribute = my_group
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     compare_check_items = yes
>     access_attr_used_for_allow = yes
> }
> ...
> authorize
> Autz-Type MY-GROUP {
>     redundant {
>         My-group_Users
>         notfound = reject
>     }
> }
> ----------------------------------
> users (file)
> ...
> DEFAULT NAS-IP-Address =~ "^123.123", Autz-Type := MY-GROUP
>
> There's probably a better way, but this worked for what I wanted.
>
>
> On Thu, 2005-09-29 at 03:10, Jean-Francois Gobin wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hello there,
>>
>> I have a small problem. And I read the documentation. And I can't find
>> what's wrong.
>>
>> I have a corporate LDAP with users and groups.
>>
>> Each group is a "groupOfUniqueNames", with "uniquemember".
>> In the user definition, no group definition is set.
>>
>> I need to authenticate members of certain groups, and not of another
>> ...
>>
>> Every doc I read mentions that you have to create an attribute "per
>> user" ...
>>
>> Any other way ?
>>
>> Regards,
>> Jean-Francois Gobin
>>
>> - ----------
>> Jean-Francois Gobin - Administrateur gobinjf.be
>> http://www.gobinjf.be mailto:[EMAIL PROTECTED]
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.2 (FreeBSD)
>> Comment: Made with pgp4pine 1.76
>>
>> iD8DBQFDO6+pkkg3QInH2uURAkoTAJ9CiiYoljx0B2zP/tInkSG4TwiwIgCbBWft
>> g16kNx6wUzO1va189DJmHRA=
>> =kTQn
>> -----END PGP SIGNATURE-----
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 29 Sep 2005 16:22:12 +0200
> From: Juan Daniel Moreno <[EMAIL PROTECTED]>
> Subject: Re: SSL3_GET_CLIENT_KEY_EXCHANGE
> To: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
>> The protocol specification describes this. The implementation in
>> src/modules/rlm_eap/ contains diagrams of the packets it expects to
>> receive.
>>
>> Alan DeKok.
>>
>
> Thank you Alan, but now I have a new problem. I have been reading
> src/modules/rlm_eap/ to understand my problem but I don't find the
> issue. In TLS establishment, the public key in the server.cert is 128
> bytes long. I generate a random string of 46 bytes and the protocol
> version (TLS 1.0 (0x03, 0x01)) and I use the SSL function
> RSA_public_encrypt() with the server's public key to encrypt the
> PreMasterSecret. As a result I get a 128-byte string. As I send this
> data to the server, I get a "tls rsa encrypted length is wrong:
> s3_srvr.c: 1450:"
>
> Can anybody please tell me where my problem can be? Here is my code
> for example.
>
>
> void Client_Key_Exchange (SSLData *ClientSSLData, unsigned short *length, char *HandshakeMessages, unsigned short *length_Hndshk, char *buff)
> {
>     char *PreMasterSecret = (char*) _MEMORY_Allocate (58 , true);
>     char *EncryptedPreMasterSecret = (char*) _MEMORY_Allocate (128, true);
>     char *temp = (char*) _MEMORY_Allocate (58 , true);
>     unsigned char *tmpCert = _MEMORY_Allocate (ClientSSLData->certificate_len + 128, true);
>
>     _RANDOM_MakeCharString (temp, 46);
>
>     PreMasterSecret [0] = 0x03;
>     PreMasterSecret [1] = 0x01;
>
>     for (register int i = 0; i<46; i++)
>     {
>         PreMasterSecret[i+2] = temp [i];
>         ClientSSLData->PreMasterSecret[i] = PreMasterSecret[i];
>     }
>
>     for (i = 0; i < ClientSSLData->certificate_len; i++)
>         tmpCert[i] =(unsigned char) ClientSSLData->certificate[i];
>
>
>     //----- OpenSSL Functions -----
>     RSA *server_public_key;
>     X509 *cert = X509_new ();
>     EVP_PKEY *evp = EVP_PKEY_new ();
>
>     X509 *err = d2i_X509 (&cert, (unsigned char**) &tmpCert, (ClientSSLData->certificate_len) );
>
>     //----- d2i_509 Function retrieves tmpCert pointer advanced the number of bytes read -----
>     tmpCert = tmpCert - (ClientSSLData->certificate_len);
>
>
>     //----- We get the public key from the Server certificate -----
>     evp = X509_get_pubkey(cert);
>     server_public_key = (RSA *) evp->pkey.ptr;
>     int rsasize = RSA_size(server_public_key);
>
>     //----- We get the PreMasterSecret encrypted -----
>     int Encrypted_len = RSA_public_encrypt(48, (BYTE*) PreMasterSecret, (unsigned char*)EncryptedPreMasterSecret, server_public_key, RSA_PKCS1_PADDING);
>
>     ClientSSLData->bufferSSL[(*length)++] = 0x16;                       // Handshake Message
>     ClientSSLData->bufferSSL[(*length)++] = 0x03;                       // Version
>     ClientSSLData->bufferSSL[(*length)++] = 0x01;                       // Version
>     ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 6) / 256;  // Length
>     ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 6) % 256;  // Length
>     ClientSSLData->bufferSSL[(*length)++] = 0x10;                       // Client key exchange
>     ClientSSLData->bufferSSL[(*length)++] = 0x00;                       // Length
>     ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len ) / 256;     // Length
>     ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len ) % 256;     // Length
>
>     //----- Public key exchange -----
>     for (i = 0; i < Encrypted_len; i++)
>     {
>         buff[i] = EncryptedPreMasterSecret[i];
>         HandshakeMessages[(*length_Hndshk)++] = EncryptedPreMasterSecret[i];
>     }
>
>
>     free (PreMasterSecret);
>     free (EncryptedPreMasterSecret);
>     free (temp);
>     free (tmpCert);
> }
>
> Thank you for your help. Juan Daniel MORENO
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 29 Sep 2005 16:59:00 +0100
> From: [EMAIL PROTECTED]
> Subject: (no subject)
> Cc: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Good morning!!!!!
> I have successfully configured a freeradius server using a postgresql
> database to store the users I want to authenticate.
> When I put it in debug mode to test, it works well. But when I run it as
> a daemon the radius server doesn't see the postgresql server. In the
> radius log file I see this:
> Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
> Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radiusdb
> Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server [EMAIL PROTECTED]:radiusdb
> Error: rlm_sql_postgresql: Postgresql error 'could not connect to server: Permission denied
>         Is the server running on host "localhost" and accepting
>         TCP/IP connections on port 5432? '
> Error: rlm_sql (sql): Failed to connect DB handle #0
> Info: Ready to process requests.
> I use fedora core4 as Operating System and freeradius 1.0.4-1,
> postgresql 8.0.3-1.
> In the postgresql file pg_hba.conf I made this configuration:
> #TYPE DATABASE USER CIDR-ADDRESS METHOD
> #IPv4 local connections:
> host radiusdb radiusadmin 127.0.0.1/32 trust
> I don't know why this malfunction occurs.
> Please help me and thanks for your assistance.
>
>
> ------------------------------
>
> Message: 8
> Date: Thu, 29 Sep 2005 17:00:47 +0100
> From: [EMAIL PROTECTED]
> Subject: Postgresql+freeradius configuration
> To: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Good morning!!!!!
> I have successfully configured a freeradius server using a postgresql
> database to store the users I want to authenticate.
> When I put it in debug mode to test, it works well. But when I run it as
> a daemon the radius server doesn't see the postgresql server. In the
> radius log file I see this:
> Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
> Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radiusdb
> Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server [EMAIL PROTECTED]:radiusdb
> Error: rlm_sql_postgresql: Postgresql error 'could not connect to server: Permission denied
>         Is the server running on host "localhost" and accepting
>         TCP/IP connections on port 5432? '
> Error: rlm_sql (sql): Failed to connect DB handle #0
> Info: Ready to process requests.
> I use fedora core4 as Operating System and freeradius 1.0.4-1,
> postgresql 8.0.3-1.
> In the postgresql file pg_hba.conf I made this configuration:
> #TYPE DATABASE USER CIDR-ADDRESS METHOD
> #IPv4 local connections:
> host radiusdb radiusadmin 127.0.0.1/32 trust
> I don't know why this malfunction occurs.
> Please help me and thanks for your assistance.
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 5, Issue 98
> ***********************************************
>
> "This e-mail is sent on the Terms and Conditions that can be accessed by
> Clicking on this link http://www.vodacom.net/legal/email.aspx "
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
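The acct_users approach from Nicolas' reply, as an added example that is not part of the thread or of FreeRADIUS: a small Python model of how the files module matches the check items of a DEFAULT entry against an Accounting-Request and picks up the Proxy-To-Realm set with ":=". It also makes the point behind Ashwin's NAS-IP-ADDRESS question explicit. Client-IP-Address is the source address of the packet the server received (a packet from an address not listed in clients.conf never gets this far), whereas NAS-IP-Address is an attribute the NAS wrote into the packet and can say anything. In the Start shown in the digest the two differ (10.113.60.6 versus 10.31.1.122), so a rule keyed on NAS-IP-Address would also fire for any other client that claims that address. The acct_users text, the realm names and the second request are constructed; the matching logic is a simplification (first matching entry wins, no Fall-Through, reply items on indented lines are ignored, no commas inside values).

```python
"""Model of users-file check-item matching for Proxy-To-Realm (added example)."""
import ipaddress
import re

# First line of an entry: a name (DEFAULT or a User-Name) and comma-separated items.
ENTRY_RE = re.compile(r'^(\S+)\s*(.*)$')
# One item: Attribute op value, value either quoted or bare. ":=" items are control
# items (Proxy-To-Realm, Autz-Type, ...), the others are check items.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|=~|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*$')


def parse_users_file(text):
    """Return [(name, [(attr, op, value), ...], {control attr: value}), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line or line[0].isspace():
            continue            # blank, comment, or an indented reply-item line
        name, rest = ENTRY_RE.match(line).groups()
        checks, controls = [], {}
        for item in rest.split(','):
            if not item.strip():
                continue
            m = ITEM_RE.match(item)
            if not m:
                raise ValueError('cannot parse item %r in %r' % (item, raw))
            attr, op, val = m.groups()
            if val.startswith('"'):
                val = val[1:-1]
            if op == ':=':
                controls[attr] = val
            else:
                checks.append((attr, op, val))
        entries.append((name, checks, controls))
    return entries


def _check(attr, op, want, have):
    if op == '=~':
        return re.search(want, have) is not None
    if attr.endswith('-Address'):         # compare as addresses, not as strings
        try:
            return ipaddress.ip_address(have) == ipaddress.ip_address(want)
        except ValueError:
            return False
    return have == want


def entry_matches(entry, request):
    name, checks, _ = entry
    if name != 'DEFAULT' and name != request.get('User-Name'):
        return False
    return all(attr in request and _check(attr, op, want, request[attr])
               for attr, op, want in checks)


def proxy_realm(entries, request):
    """Realm the first matching entry sets via Proxy-To-Realm, or None (handle locally)."""
    for entry in entries:
        if entry_matches(entry, request):
            return entry[2].get('Proxy-To-Realm')
    return None


# Constructed acct_users: keyed on the packet source, not on what the NAS claims.
ACCT_USERS = """\
DEFAULT Client-IP-Address == 10.113.60.6, Proxy-To-Realm := ggsn-acct
DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2
"""

# The Accounting-Request Start from the digest, trimmed to the attributes used here.
GGSN_START = {
    'User-Name': '27829800529',
    'Acct-Status-Type': 'Start',
    'NAS-IP-Address': '10.31.1.122',      # what the GGSN put in the packet
    'NAS-Identifier': 'GMC-GGSN0-12-2',
    'Client-IP-Address': '10.113.60.6',   # where the packet actually came from
}

# Constructed: a packet from a different client that claims the same NAS-IP-Address.
OTHER_CLIENT = dict(GGSN_START, **{'Client-IP-Address': '10.0.0.9'})

if __name__ == '__main__':
    rules = parse_users_file(ACCT_USERS)
    print(proxy_realm(rules, GGSN_START))     # ggsn-acct
    print(proxy_realm(rules, OTHER_CLIENT))   # None
```

The realm named in Proxy-To-Realm still has to be defined in proxy.conf with the accounting server as its accthost; the files entry only selects it.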
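The filter in Kenneth Grady's ldap configuration splices %{Stripped-User-Name:-%{User-Name}} into an LDAP search filter, and User-Name is whatever the NAS forwarded from the client. The following is an added example, not rlm_ldap code: it expands that filter the way a script reproducing the lookup outside the server would have to, escaping the substituted value per RFC 4515 section 3, and shows beside it what unescaped substitution produces for a hostile User-Name. Only the two xlat forms the filter uses, %{Attr} and %{Attr:-%{Other}}, are handled; the sample User-Name values are constructed.

```python
"""Safe expansion of an LDAP filter template with RADIUS-style xlats (added example)."""
import re

# Filter from the radiusd.conf in the digest.
MEMBER_FILTER = ('(&(cn=my-group)(member=employeeNumber='
                 '%{Stripped-User-Name:-%{User-Name}},ou=people,dc=lanl,dc=gov))')

XLAT_WITH_DEFAULT = re.compile(r'%\{([\w-]+):-%\{([\w-]+)\}\}')   # %{A:-%{B}}
XLAT_PLAIN = re.compile(r'%\{([\w-]+)\}')                          # %{A}


def ldap_filter_escape(value):
    """RFC 4515 section 3: '*', '(', ')', '\\' and NUL become \\xx hex escapes."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)


def _expand(template, request, escape):
    def value(attr, fallback=None):
        v = request.get(attr)
        if v is None and fallback is not None:
            v = request.get(fallback)       # the ":-" default
        return escape(v or '')
    # re.sub with a callable inserts the returned text literally, so the
    # backslashes produced by the escaper survive untouched.
    out = XLAT_WITH_DEFAULT.sub(lambda m: value(m.group(1), m.group(2)), template)
    return XLAT_PLAIN.sub(lambda m: value(m.group(1)), out)


def expand_filter(template, request):
    """Expand the xlats with the values escaped: the filter keeps its structure."""
    return _expand(template, request, ldap_filter_escape)


def expand_filter_unescaped(template, request):
    """Same expansion by raw substitution: what LDAP filter injection looks like."""
    return _expand(template, request, lambda v: v)


if __name__ == '__main__':
    hostile = {'User-Name': '0067)(cn=*'}            # constructed hostile value
    print(expand_filter(MEMBER_FILTER, hostile))
    print(expand_filter_unescaped(MEMBER_FILTER, hostile))
```

In the unescaped output the extra "(cn=*" clause turns the membership test into a different query; counting the "(" characters in both results is a quick way to see the difference.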
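For the ClientKeyExchange question, an added example that is not code from the thread: TLS 1.0 (RFC 2246, section 7.4.7.1) carries the RSA-encrypted PreMasterSecret as an opaque vector with a two-byte length, and OpenSSL's server reads those two bytes for any version above SSLv3 and reports "tls rsa encrypted length is wrong" when they do not equal the remaining body length. In the posted code the record length, Encrypted_len + 6, already allows for a 4-byte handshake header plus that 2-byte vector length, while the handshake length written is Encrypted_len and no vector length precedes the ciphertext. The Python below encodes the message consistently and parses it with the same check the server applies; no RSA is performed, a constructed 128-byte blob stands in for the RSA_public_encrypt() output (the size the poster reports for a 1024-bit key).

```python
"""TLS 1.0 RSA ClientKeyExchange framing, both directions (added example)."""
import os
import struct

TLS_1_0 = b'\x03\x01'
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_KEY_EXCHANGE = 0x10


def make_premaster_secret(client_version=TLS_1_0):
    """48 bytes: the version the client offered in ClientHello, then 46 random bytes."""
    return client_version + os.urandom(46)


def client_key_exchange_record(encrypted_pms, version=TLS_1_0, length_prefix=True):
    """Record layer + handshake header around the encrypted PreMasterSecret.
    TLS 1.0 sends the ciphertext as opaque<0..2^16-1>, i.e. with a 2-byte length;
    length_prefix=False builds the SSLv3-style body without it."""
    body = encrypted_pms
    if length_prefix:
        body = struct.pack('!H', len(encrypted_pms)) + body
    handshake = (struct.pack('!B', HANDSHAKE_CLIENT_KEY_EXCHANGE)
                 + len(body).to_bytes(3, 'big') + body)
    return (struct.pack('!B', CONTENT_TYPE_HANDSHAKE) + version
            + struct.pack('!H', len(handshake)) + handshake)


def parse_client_key_exchange(record, version=TLS_1_0):
    """Server side: return the encrypted PreMasterSecret or raise ValueError."""
    if len(record) < 5:
        raise ValueError('short record')
    ctype, ver, rlen = struct.unpack('!B2sH', record[:5])
    if ctype != CONTENT_TYPE_HANDSHAKE or ver != version:
        raise ValueError('not a handshake record for this version')
    if rlen != len(record) - 5:
        raise ValueError('record length does not match data')
    hs = record[5:]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_KEY_EXCHANGE:
        raise ValueError('not a ClientKeyExchange')
    if int.from_bytes(hs[1:4], 'big') != len(hs) - 4:
        raise ValueError('handshake length does not match data')
    body = hs[4:]
    # For TLS (not SSLv3) the first two bytes must announce exactly what follows.
    if len(body) < 2:
        raise ValueError('tls rsa encrypted length is wrong')
    (vlen,) = struct.unpack('!H', body[:2])
    if vlen + 2 != len(body):
        raise ValueError('tls rsa encrypted length is wrong')
    return body[2:]


def server_verdict(record):
    """'ok', or the reason the server would reject the message."""
    try:
        parse_client_key_exchange(record)
        return 'ok'
    except ValueError as e:
        return str(e)


# Constructed stand-in for RSA_public_encrypt() output with a 1024-bit key.
FAKE_ENCRYPTED_PMS = bytes(range(128))

if __name__ == '__main__':
    good = client_key_exchange_record(FAKE_ENCRYPTED_PMS)
    bad = client_key_exchange_record(FAKE_ENCRYPTED_PMS, length_prefix=False)
    print(good[:11].hex(), server_verdict(good))
    print(bad[:9].hex(), server_verdict(bad))
```

With the prefix omitted the server interprets the first two ciphertext bytes as the vector length, which is why the failure shows up as a length error rather than a decryption error.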

