Hi,

I read the document.  I think I put my question in the wrong way.
Let me put it in a different way.

I don't want the user to go directly into priv mode.
Through priv level = 15 we can directly go into priv level, right?

What I want is first the user gets into user level and then with another
password into level 2 (not with the enable password). It should be through the RADIUS
server.

I hope it makes it easy.

On 7/19/07, [EMAIL PROTECTED] <
[EMAIL PROTECTED]> wrote:

Send Freeradius-Users mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. Re: mod_auth_radius (Nick Owen)
   2. Re: Quirky question about rewriting usernames (Cliff Cole)
   3. "Time-out" Problem with Huntgroups in conjunction with MYSQL
      Backend ([EMAIL PROTECTED])
   4. Level 2 authentication with RADIUS. (ashish verma)
   5. Re: Level 2 authentication with RADIUS. (Stefan Winter)
   6. Re: Level 2 authentication with RADIUS. (Stefan Winter)
   7. Re: TLS cant connect ldap+freeradius+novell
      (Reimer Karlsen-Masur, DFN-CERT)


----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Jul 2007 09:14:28 -0400
From: "Nick Owen" <[EMAIL PROTECTED]>
Subject: Re: mod_auth_radius
To: "FreeRadius users mailing list"
        <[email protected]>
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 7/19/07, Rascher, Markus <[EMAIL PROTECTED]> wrote:
>
>
> Hi All,
>
> is there a tutorial how to install mod_auth_radius on an apache 2.xx server?
> The howto on the freeradius webpage is a little bit deprecated I guess.
> I get an error when starting the apache server after installing
> mod_auth_radius:
>
> # service httpd start
> Starting httpd: httpd: Syntax error on line 205 of
> /etc/httpd/conf/httpd.conf: Cannot load
> /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server:
> /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined
> symbol: ap_snprintf
> [FAILED]

You might try mod_auth_xradius.  I have done a couple of apache +
radius + WiKID 2FA docs that might help:

http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authentication-to-apache/

http://www.howtoforge.com/apache_radius_two_factor_authentication

The latter is more recent.

HTH,

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


------------------------------

Message: 2
Date: Thu, 19 Jul 2007 09:35:13 -0400
From: "Cliff Cole" <[EMAIL PROTECTED]>
Subject: Re: Quirky question about rewriting usernames
To: "FreeRadius users mailing list"
        <[email protected]>
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Thanks for the reply.  I'm new to free radius and have been
overwhelmed with documentation the past few days.  Let me explain in
some logic and maybe I can make some sense as to what I'm trying to
do.

User authentication comes from "NAS A"

IF the username does not have @domain.com and NAS = "NAS A"
THEN append @domain.com

IF the username has @domain.com and NAS = "NAS A"
THEN continue with username as is.

Hope this helps to clear up what I'm trying to do.  I apologize for
not being very clear.

Thanks

Cliff



On 7/19/07, Pshem Kowalczyk <[EMAIL PROTECTED]> wrote:
> Hi
>
> On 19/07/07, Cliff Cole <[EMAIL PROTECTED]> wrote:
> > Hello all.
> >
> > Here is my issue.  This is very weird and would only affect one NAS.
> > I'm not sure freeradius is capable of this.  I want a username that
> > comes in to check for an @domainname.  If the domainname is there I
> > want it to be stripped and added back later.  If the domainname is not
> > there I'd like it to continue and have to domainname added later in
> > the authentication process.  I hope this makes sense and any help is
> > appreciated
>
> What do you mean by 'later' you can definitely check for the presence
> of domain, you can strip  it and add it again. you just have to define
> the flow. rlm_attr will be of help to you (for both stripping and
> adding).
>
> kind regards
> Pshem
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
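The rule Cliff spells out above (append @domain.com only for requests from "NAS A", and only when the name carries no realm yet), written out as a small testable model. This is an added example, not code from the thread and not FreeRADIUS's own rlm_attr/rlm_realm implementation; it assumes "NAS A" is identified by its NAS-IP-Address (constructed value 192.0.2.10) and that the realm is domain.com. The Stripped-User-Name and Realm attributes are the standard ones rlm_realm populates, so a later module in the authorize flow can key on either the full or the stripped name:

```python
# Added example, not code from the thread or from FreeRADIUS itself.
# It models the per-NAS realm-append rule Cliff describes so the decision
# can be tested offline. Assumptions: "NAS A" is identified by its
# NAS-IP-Address (constructed value 192.0.2.10) and the realm is domain.com.
# Stripped-User-Name and Realm are the attributes rlm_realm fills in, so a
# later module can use either the full or the stripped name.

REALM = "domain.com"

# Policy table: NAS-IP-Address -> realm to append when the name has none.
# Any NAS not listed here leaves User-Name untouched.
NAS_REALM_POLICY = {
    "192.0.2.10": REALM,   # constructed address standing in for "NAS A"
}


def split_realm(user_name):
    """Split 'user@realm' into (user, realm); realm is None when absent.

    rpartition keeps a stray '@' inside the local part ('a@b@realm' -> 'a@b'),
    so a crafted name cannot be turned into a different realm by accident.
    """
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm


def apply_realm_policy(request, policy=NAS_REALM_POLICY):
    """Return a copy of the request with the realm rule applied.

    request: dict of RADIUS attributes from the Access-Request.
    """
    out = dict(request)
    name = request.get("User-Name", "")
    realm = policy.get(request.get("NAS-IP-Address"))
    if realm is None or not name:
        return out                          # other NAS or empty name: no rewrite
    user, existing = split_realm(name)
    if existing is None:
        out["User-Name"] = f"{user}@{realm}"    # no realm present: append ours
        existing = realm
    # A realm was present (ours or another): continue with User-Name as is,
    # but record the split so later modules can key on it.
    out["Stripped-User-Name"] = user
    out["Realm"] = existing
    return out


if __name__ == "__main__":
    for req in (
        {"User-Name": "alice", "NAS-IP-Address": "192.0.2.10"},
        {"User-Name": "bob@domain.com", "NAS-IP-Address": "192.0.2.10"},
        {"User-Name": "carol", "NAS-IP-Address": "192.0.2.20"},
    ):
        print(apply_realm_policy(req))
```

Because the rewrite only fires for the listed NAS, a user on any other device keeps the exact name they typed, which is the behaviour Cliff asks for; the policy table is the one place to extend when a second NAS needs the same treatment.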


------------------------------

Message: 3
Date: Thu, 19 Jul 2007 15:38:54 +0200
From: [EMAIL PROTECTED]
Subject: "Time-out" Problem with Huntgroups in conjunction with MYSQL
        Backend
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain;       charset=ISO-8859-1;     DelSp="Yes";
        format="flowed"

Hello FR users,

I am running FreeRadius 1.1.3 together with MySQL 5.0.27.
I use huntgroups to allow access to specific devices only to certain users
belonging to a certain group (I use huntgroups since "I" didn't find a way
to do it via MySQL).
I have the following issue:
When for a longer period (e.g. over night) no one logs into one of the
devices (so the radius server sits idle), it happens that the first time in
the morning someone tries to login he fails because FR rejects the Request
with "invalid user" - only after 3 or 4 tries the login attempt is
successful.
The reason seems to be that after such a "long" dormant period, when the
first RADIUS request(s) arrive, FR has to re-connect to the MySQL DB to
query the user's group membership.
Since this re-connect takes "too long" the query returns "Not found" and
the user is rejected as "unknown".

Here is what you see in the radius.log file:
Tue Jul 17 08:05:16 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #9
Tue Jul 17 08:05:16 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:16 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31)
Tue Jul 17 08:05:16 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31)
Tue Jul 17 08:05:25 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #8
Tue Jul 17 08:05:25 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:25 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0)
Tue Jul 17 08:05:25 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0)
Tue Jul 17 08:05:38 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #7
Tue Jul 17 08:05:38 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:38 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0)
Tue Jul 17 08:05:38 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0)
Tue Jul 17 08:06:00 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #6
Tue Jul 17 08:06:00 2007 : Auth: Login OK: [xxx] (from client ATWRE22b7201 port 2 cli 10.0.0.31)

Hope the logfile is sufficient, otherwise I would have to let FR run in
debug-mode over night....

The funny thing is that this problem doesn't occur when all entries in
the huntgroups file are "commented out".

So my question is: is there a config parameter to tell FR to "wait" a bit
longer in the preprocess module (I assume) for the MySQL query to deliver
its answer?

thanks a lot
regards
thomas pudil
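The log excerpt above shows a failure mode worth telling apart from real bad-credential rejects: every "Invalid user" here is preceded, in the same second, by "rlm_sql (sql): failed after re-connect", so the reject is a backend outage, not a user typing a wrong password. The following is an added example (not code from the thread or from FreeRADIUS) that runs that correlation over the radius.log lines from Thomas's post, re-joined onto single lines; the 5-second window and the extra "yyy" reject at 08:07:10 are constructed for illustration:

```python
# Added example: classify FreeRADIUS 1.x radius.log rejects as either a
# backend (SQL reconnect) failure or a genuine credential reject, by
# correlating "Invalid user" lines with a preceding rlm_sql error.
# Not code from the thread or from FreeRADIUS; the log format is the one
# shown in Thomas's post. The 5 s window is an assumption.
import re
from datetime import datetime, timedelta

# Sample input: the lines from the post (re-joined), plus one constructed
# reject at 08:07:10 with no SQL error near it.
SAMPLE_LOG = [
    "Tue Jul 17 08:05:16 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #9",
    "Tue Jul 17 08:05:16 2007 : Error: rlm_sql (sql): failed after re-connect",
    "Tue Jul 17 08:05:16 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31)",
    "Tue Jul 17 08:05:16 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31)",
    "Tue Jul 17 08:05:25 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #8",
    "Tue Jul 17 08:05:25 2007 : Error: rlm_sql (sql): failed after re-connect",
    "Tue Jul 17 08:05:25 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0)",
    "Tue Jul 17 08:05:25 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0)",
    "Tue Jul 17 08:05:38 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #7",
    "Tue Jul 17 08:05:38 2007 : Error: rlm_sql (sql): failed after re-connect",
    "Tue Jul 17 08:05:38 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0)",
    "Tue Jul 17 08:05:38 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0)",
    "Tue Jul 17 08:06:00 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #6",
    "Tue Jul 17 08:06:00 2007 : Auth: Login OK: [xxx] (from client ATWRE22b7201 port 2 cli 10.0.0.31)",
    # constructed: a reject with no SQL failure in the preceding 5 s
    "Tue Jul 17 08:07:10 2007 : Auth: Invalid user: [yyy] (from client ATWRE22e7601 port 0)",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$"
)
REJECT_RE = re.compile(r"Invalid user: \[(?P<user>[^\]]*)\] \(from client (?P<client>\S+)")
OK_RE = re.compile(r"Login OK: \[(?P<user>[^\]]*)\] \(from client (?P<client>\S+)")
SQL_FAIL = "rlm_sql (sql): failed after re-connect"
WINDOW = timedelta(seconds=5)   # assumption: how close an SQL error must be


def parse_line(line):
    """Return (timestamp, level, message) or None for lines we don't recognise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["level"], m["msg"]


def classify_events(lines):
    """Yield (timestamp, user, client, cause) for each reject or accept.

    cause is 'backend-failure' when an rlm_sql reconnect error occurred
    within WINDOW before the reject, 'credential-reject' otherwise, and
    'login-ok' for accepts.
    """
    last_sql_failure = None
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, level, msg = parsed
        if level == "Error" and SQL_FAIL in msg:
            last_sql_failure = ts
            continue
        m = REJECT_RE.search(msg)
        if m:
            recent = last_sql_failure is not None and ts - last_sql_failure <= WINDOW
            cause = "backend-failure" if recent else "credential-reject"
            findings.append((ts, m["user"], m["client"], cause))
            continue
        m = OK_RE.search(msg)
        if m:
            findings.append((ts, m["user"], m["client"], "login-ok"))
    return findings


def summarize(lines):
    """Count events per cause, e.g. {'backend-failure': 3, ...}."""
    counts = {}
    for _, _, _, cause in classify_events(lines):
        counts[cause] = counts.get(cause, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, user, client, cause in classify_events(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {cause:18} user={user} client={client}")
    print(summarize(SAMPLE_LOG))
```

Run over the post's lines this reports three backend-failure rejects and one login-ok, with the constructed 08:07:10 line falling outside the window and counted as a credential reject. Splitting the two causes matters for monitoring: a burst of "Invalid user" that is really a database outage should page the RADIUS operator, not be mistaken for a password-guessing attempt against the account.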





------------------------------

Message: 4
Date: Thu, 19 Jul 2007 19:11:35 +0530
From: "ashish verma" <[EMAIL PROTECTED]>
Subject: Level 2 authentication with RADIUS.
To: [email protected]
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Hi all,
I am new to the list and to RADIUS too, so I might ask some repetitive
questions.

Here is my question:
Can we have level 2 (enable) authentication too with Radius server as we
have for level 1 (user level)?

If yes, can someone provide me some documentation. I tried to search for it
but couldn't find any.

Thanks in advance,
Ashish

------------------------------

Message: 5
Date: Thu, 19 Jul 2007 15:45:44 +0200
From: Stefan Winter <[EMAIL PROTECTED]>
Subject: Re: Level 2 authentication with RADIUS.
To: FreeRadius users mailing list
        <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="utf-8"

> Can we have level 2 (enable) authentication too with Radius server as we
> have for level 1(user level)?

If you say "enable" I suspect you are talking about Cisco equipment? Then
enable is really level 15. And the following link was posted just MINUTES ago
on this list. Did you read the etiquette thing about "read the mail archives
before asking?"?

http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level

Stefan

--
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.: +352 424409-1
http://www.restena.lu         Fax:  +352 422473

------------------------------

Message: 6
Date: Thu, 19 Jul 2007 15:53:13 +0200
From: Stefan Winter <[EMAIL PROTECTED]>
Subject: Re: Level 2 authentication with RADIUS.
To: FreeRadius users mailing list
        <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="utf-8"

> enable is really level 15. And the following link was posted just MINUTES
> ago on this list. Did you read the etiquette thing about "read the mail
> archives before asking?"?

Wait a minute. That link was sent in reply to YOUR question! Did you even read
it?

--
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.: +352 424409-1
http://www.restena.lu         Fax:  +352 422473

------------------------------

Message: 7
Date: Thu, 19 Jul 2007 16:06:46 +0200
From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
Subject: Re: TLS cant connect ldap+freeradius+novell
To: FreeRadius users mailing list
        <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

Hi.

Martin G wrote:
> Hello!
>
> I'm new to both this mailing list and to novell/linux/ldap/freeradius but I've
> tried my best to install a radius/ldap linuxserver to pass on
> radius-requests from a Aruba-controller to our novell-server.
>
> IPs:
> Novell 10.10.0.11
> Aruba 10.10.0.28
> Linux (freeradius+ldap) 10.10.0.132
>
> I've tried to change tls_mode, port and tls_start on and off a couple of times
> without any good result and when I go use ldapsearch -vvv -h 10.10.0.11 -x
> -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> I receive "TLS: hostname does not match CN in peer certificate".

At least this means that your ldap server understands STARTTLS on the
standard ldap port.

So in FreeRADIUS ldap config section you should *not* set port and tls_mode
options at all.

You should set start_tls=yes though.



As for the ldap server certificate name mismatch

> So I have some thoughts about the certificate, but I've exported the
> selfsigned novell-certificate from the novellserver and verified it. But I'm
> not sure how to use a "client-certificate" on the linux.
>
> When I use "freeradius -XXX -A" on the linuxserver and I try to do a
> radius-request, the aruba gets a timeout and the linuxserver tells me the
> following log:

Now for the certificates. Since your ldap server is using a server
certificate you must configure FreeRADIUS to trust the issuing CA.

Since identity and password are set it seems you do not use SSL client
authentication to authenticate the FreeRADIUS server (acting as ldap client)
at the ldap server.

Hence don't set tls_certfile and tls_keyfile options.

Either use tls_cacertfile xor tls_cacertdir option.

If using the former, put in all the CA certificate chain validating the ldap
server's certificate in PEM format. Concatenate the CA certs into the file
named by this option.

If using the latter, put all CA certs of the chain validating the ldap
server's certificate in PEM format with .pem file extension into that
directory. cd into this directory and execute

# c_rehash .

to build some symlinks. The dot (.) for the current directory seems vital.
c_rehash is a tool that comes with openssl.

Be aware that the openldap client configuration file on the system or for
that user running FreeRADIUS is being used. That is ~/.ldap.conf or system
wide something like /etc/openldap/ldap.conf or whatever fits your FS layout
and ldap installation on the FreeRADIUS server.

To ease ldap debugging within FreeRADIUS set "loglevel -1" in the ldap.conf
file. Debugging output is to be found in files configured by syslogd more
than likely in /var/log/messages or similar.

HTH & good luck

--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737

------------------------------


End of Freeradius-Users Digest, Vol 27, Issue 121
*************************************************
