Let me answer in the same way - read the article: http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level

The first thing it explains is how to give shell access and what happens when the user then types enable.

Ivan Kalik
Kalik Informatika ISP

On 19/7/2007, "ashish verma" <[EMAIL PROTECTED]> writes:

>Hi,
>
>I read the document. I think I put my question in a wrong way.
>Let me put it in a different way.
>
>I don't want the user to go directly into priv mode.
>Through priv level = 15 we can directly go into priv level, right?
>
>What I want is: first the user gets into user level, and then with another
>password into level 2 (not with the enable password). It should be through the
>RADIUS server.
>
>I hope it makes it easy.
>
>On 7/19/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>
>> Send Freeradius-Users mailing list submissions to
>>         [email protected]
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>>         http://lists.freeradius.org/mailman/listinfo/freeradius-users
>> or, via email, send a message with subject or body 'help' to
>>         [EMAIL PROTECTED]
>>
>> You can reach the person managing the list at
>>         [EMAIL PROTECTED]
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Freeradius-Users digest..."
>>
>>
>> Today's Topics:
>>
>>    1. Re: mod_auth_radius (Nick Owen)
>>    2. Re: Quirky question about rewriting usernames (Cliff Cole)
>>    3. "Time-out" Problem with Huntgroups in conjunction with MYSQL
>>       Backend ([EMAIL PROTECTED])
>>    4. Level 2 authentication with RADIUS. (ashish verma)
>>    5. Re: Level 2 authentication with RADIUS. (Stefan Winter)
>>    6. Re: Level 2 authentication with RADIUS. (Stefan Winter)
>>    7. Re: TLS cant connect ldap+freeradius+novell
>>       (Reimer Karlsen-Masur, DFN-CERT)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Thu, 19 Jul 2007 09:14:28 -0400
>> From: "Nick Owen" <[EMAIL PROTECTED]>
>> Subject: Re: mod_auth_radius
>> To: "FreeRadius users mailing list" <[email protected]>
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> On 7/19/07, Rascher, Markus <[EMAIL PROTECTED]> wrote:
>> >
>> > Hi All,
>> >
>> > Is there a tutorial on how to install mod_auth_radius on an Apache 2.xx server?
>> > The howto on the FreeRADIUS web page is a little bit deprecated, I guess.
>> > I get an error when starting the Apache server after installing
>> > mod_auth_radius:
>> >
>> > # service httpd start
>> > Starting httpd: httpd: Syntax error on line 205 of
>> > /etc/httpd/conf/httpd.conf: Cannot load
>> > /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server:
>> > /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined
>> > symbol: ap_snprintf
>> > [FAILED]
>>
>> You might try mod_auth_xradius. I have done a couple of Apache +
>> RADIUS + WiKID 2FA docs that might help:
>>
>> http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authentication-to-apache/
>>
>> http://www.howtoforge.com/apache_radius_two_factor_authentication
>>
>> The latter is more recent.
>>
>> HTH,
>>
>> nick
>>
>> --
>> Nick Owen
>> WiKID Systems, Inc.
>> 404.962.8983
>> http://www.wikidsystems.com
>> Commercial/Open Source Two-Factor Authentication
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Thu, 19 Jul 2007 09:35:13 -0400
>> From: "Cliff Cole" <[EMAIL PROTECTED]>
>> Subject: Re: Quirky question about rewriting usernames
>> To: "FreeRadius users mailing list" <[email protected]>
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> Thanks for the reply. I'm new to FreeRADIUS and have been
>> overwhelmed with documentation the past few days. Let me explain in
>> some logic and maybe I can make some sense as to what I'm trying to
>> do.
>>
>> User authentication comes from "NAS A"
>>
>> IF the username does not have @domain.com and NAS = "NAS A"
>> THEN append @domain.com
>>
>> IF the username has @domain.com and NAS = "NAS A"
>> THEN continue with username as is.
>>
>> Hope this helps to clear up what I'm trying to do. I apologize for
>> not being very clear.
>>
>> Thanks
>>
>> Cliff
>>
>>
>>
>> On 7/19/07, Pshem Kowalczyk <[EMAIL PROTECTED]> wrote:
>> > Hi
>> >
>> > On 19/07/07, Cliff Cole <[EMAIL PROTECTED]> wrote:
>> > > Hello all.
>> > >
>> > > Here is my issue. This is very weird and would only affect one NAS.
>> > > I'm not sure freeradius is capable of this. I want a username that
>> > > comes in to check for an @domainname. If the domainname is there I
>> > > want it to be stripped and added back later. If the domainname is not
>> > > there I'd like it to continue and have the domainname added later in
>> > > the authentication process. I hope this makes sense and any help is
>> > > appreciated
>> >
>> > What do you mean by 'later'? You can definitely check for the presence
>> > of a domain; you can strip it and add it again. You just have to define
>> > the flow. rlm_attr will be of help to you (for both stripping and
>> > adding).
>> >
>> > kind regards
>> > Pshem
>> > -
>> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>> >
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Thu, 19 Jul 2007 15:38:54 +0200
>> From: [EMAIL PROTECTED]
>> Subject: "Time-out" Problem with Huntgroups in conjunction with MYSQL Backend
>> To: [email protected]
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
>>
>> Hello FR users,
>>
>> I am running FreeRadius 1.1.3 together with MySQL 5.0.27.
>> I use huntgroups to allow access to specific devices only to certain users
>> belonging to a certain group (I use huntgroups since "I" didn't find a way
>> to do it via MySQL).
>> I have the following issue:
>> When for a longer period (e.g. over night) no one logs into one of the
>> devices (so the radius server sits idle), it happens that the first time in
>> the morning someone tries to log in he fails because FR rejects the request
>> with "invalid user" - only after 3 or 4 tries is the login attempt
>> successful.
>> The reason seems to be that after such a "long" dormant period, when the
>> first RADIUS request(s) arrive, FR has to re-connect to the MySQL DB to
>> query the user's group membership.
>> Since this re-connect takes "too long" the query returns "Not found" and
>> the user is rejected as "unknown".
>>
>> Here is what you see in the radius.log file:
>> Tue Jul 17 08:05:16 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #9
>> Tue Jul 17 08:05:16 2007 : Error: rlm_sql (sql): failed after re-connect
>> Tue Jul 17 08:05:16 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31)
>> Tue Jul 17 08:05:16 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31)
>> Tue Jul 17 08:05:25 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #8
>> Tue Jul 17 08:05:25 2007 : Error: rlm_sql (sql): failed after re-connect
>> Tue Jul 17 08:05:25 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0)
>> Tue Jul 17 08:05:25 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0)
>> Tue Jul 17 08:05:38 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #7
>> Tue Jul 17 08:05:38 2007 : Error: rlm_sql (sql): failed after re-connect
>> Tue Jul 17 08:05:38 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0)
>> Tue Jul 17 08:05:38 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0)
>> Tue Jul 17 08:06:00 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #6
>> Tue Jul 17 08:06:00 2007 : Auth: Login OK: [xxx] (from client ATWRE22b7201 port 2 cli 10.0.0.31)
>>
>> Hope the logfile is sufficient, otherwise I would have to let FR run in
>> debug mode over night....
>>
>> The funny thing is that this problem doesn't occur when all entries in
>> the huntgroups file are "commented out".
>>
>> So my question is, is there a config parameter to tell FR to "wait" a bit
>> longer in the preprocess module (I assume) for the MySQL query to deliver
>> its answer?
>>
>> thanks a lot
>> regards
>> thomas pudil
>>
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Thu, 19 Jul 2007 19:11:35 +0530
>> From: "ashish verma" <[EMAIL PROTECTED]>
>> Subject: Level 2 authentication with RADIUS.
>> To: [email protected]
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Hi all,
>> I am new to the list and to RADIUS too, so I might ask some repetitive
>> questions.
>>
>> Here is my question:
>> Can we have level 2 (enable) authentication too with the Radius server, as we
>> have for level 1 (user level)?
>>
>> If yes, can someone provide me some documentation? I tried to search for it
>> but couldn't find any.
>>
>> Thanks in advance,
>> Ashish
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/d418ae1e/attachment-0001.html
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Thu, 19 Jul 2007 15:45:44 +0200
>> From: Stefan Winter <[EMAIL PROTECTED]>
>> Subject: Re: Level 2 authentication with RADIUS.
>> To: FreeRadius users mailing list <[email protected]>
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset="utf-8"
>>
>> > Can we have level 2 (enable) authentication too with Radius server as we
>> > have for level 1(user level)?
>>
>> If you say "enable" I suspect you are talking about Cisco equipment? Then
>> enable is really level 15. And the following link was posted just MINUTES ago
>> on this list. Did you read the etiquette thing about "read the mail archives
>> before asking?"?
>>
>> http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level
>>
>> Stefan
>>
>> --
>> Stefan WINTER
>>
>> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
>> la Recherche
>> Research & Development Engineer
>>
>> 6, rue Richard Coudenhove-Kalergi
>> L-1359 Luxembourg
>> E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
>> http://www.restena.lu               Fax:      +352 422473
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: not available
>> Type: application/pgp-signature
>> Size: 189 bytes
>> Desc: This is a digitally signed message part.
>> Url : https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/dd1d78bb/attachment-0001.bin
>>
>> ------------------------------
>>
>> Message: 6
>> Date: Thu, 19 Jul 2007 15:53:13 +0200
>> From: Stefan Winter <[EMAIL PROTECTED]>
>> Subject: Re: Level 2 authentication with RADIUS.
>> To: FreeRadius users mailing list <[email protected]>
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset="utf-8"
>>
>> > enable is really level 15. And the following link was posted just MINUTES
>> > ago on this list. Did you read the etiquette thing about "read the mail
>> > archives before asking?"?
>>
>> Wait a minute. That link was sent in reply to YOUR question! Did you even read
>> it?
>>
>> --
>> Stefan WINTER
>>
>> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
>> la Recherche
>> Research & Development Engineer
>>
>> 6, rue Richard Coudenhove-Kalergi
>> L-1359 Luxembourg
>> E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
>> http://www.restena.lu               Fax:      +352 422473
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: not available
>> Type: application/pgp-signature
>> Size: 189 bytes
>> Desc: This is a digitally signed message part.
>> Url : https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/966acda1/attachment-0001.bin
>>
>> ------------------------------
>>
>> Message: 7
>> Date: Thu, 19 Jul 2007 16:06:46 +0200
>> From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
>> Subject: Re: TLS cant connect ldap+freeradius+novell
>> To: FreeRadius users mailing list <[email protected]>
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Hi.
>>
>> Martin G wrote:
>> > Hello!
>> >
>> > I'm new to both this mailing list and to Novell/Linux/LDAP/FreeRADIUS, but I've
>> > tried my best to install a RADIUS/LDAP Linux server to pass on
>> > RADIUS requests from an Aruba controller to our Novell server.
>> >
>> > IPs:
>> > Novell 10.10.0.11
>> > Aruba 10.10.0.28
>> > Linux (freeradius+ldap) 10.10.0.132
>> >
>> > I've tried to change tls_mode, port and tls_start on and off a couple of times
>> > without any good result, and when I use ldapsearch -vvv -h 10.10.0.11 -x
>> > -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
>> > I receive "TLS: hostname does not match CN in peer certificate".
>>
>> At least this means that your ldap server understands STARTTLS on the
>> standard ldap port.
>>
>> So in the FreeRADIUS ldap config section you should *not* set the port and
>> tls_mode options at all.
>>
>> You should set start_tls=yes though.
>>
>>
>>
>> As for the ldap server certificate name mismatch
>>
>> > So I have some thoughts about the certificate, but I've exported the
>> > self-signed Novell certificate from the Novell server and verified it. But I'm
>> > not sure how to use a "client certificate" on the Linux box.
>> >
>> > When I use "freeradius -XXX -A" on the Linux server and I try to do a
>> > RADIUS request, the Aruba gets a timeout and the Linux server gives me the
>> > following log:
>>
>> Now for the certificates. Since your ldap server is using a server
>> certificate you must configure FreeRADIUS to trust the issuing CA.
>>
>> Since identity and password are set it seems you do not use SSL client
>> authentication to authenticate the FreeRADIUS server (acting as ldap client)
>> at the ldap server.
>>
>> Hence don't set the tls_certfile and tls_keyfile options.
>>
>> Either use the tls_cacertfile xor the tls_cacertdir option.
>>
>> If using the former, put in the whole CA certificate chain validating the ldap
>> server's certificate, in PEM format. Concatenate the CA certs into the file
>> named by this option.
>>
>> If using the latter, put all CA certs of the chain validating the ldap
>> server's certificate, in PEM format with a .pem file extension, into that
>> directory. cd into this directory and execute
>>
>> # c_rehash .
>>
>> to build some symlinks. The dot (.) for the current directory seems vital.
>> c_rehash is a tool that comes with openssl.
>>
>> Be aware that the openldap client configuration file on the system, or for
>> the user running FreeRADIUS, is being used. That is ~/.ldap.conf or system
>> wide something like /etc/openldap/ldap.conf or whatever fits your FS layout
>> and ldap installation on the FreeRADIUS server.
>>
>> To ease ldap debugging within FreeRADIUS set "loglevel -1" in the ldap.conf
>> file. Debugging output is to be found in files configured by syslogd, more
>> than likely in /var/log/messages or similar.
>>
>> HTH & good luck
>>
>> --
>> Beste Gruesse / Kind Regards
>>
>> Reimer Karlsen-Masur
>>
>> DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
>> --
>> Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
>> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>> Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: smime.p7s
>> Type: application/x-pkcs7-signature
>> Size: 5853 bytes
>> Desc: S/MIME Cryptographic Signature
>> Url : https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/c6f96b9a/attachment.bin
>>
>> ------------------------------
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
>> End of Freeradius-Users Digest, Vol 27, Issue 121
>> *************************************************
>>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
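Editor's added example for the thread above (not Ivan's, Ashish's or the FreeRADIUS wiki's own text): the two-stage flow Ashish asks for, written as a FreeRADIUS `users` file with the matching Cisco IOS AAA lines in comments. It relies on the standard IOS behaviour that, once enable authentication is pointed at RADIUS, the router sends a second Access-Request whose User-Name is the literal string `$enab15$` and whose User-Password is whatever was typed at the enable prompt. Everything else (user name `alice`, the two passwords, the addresses 192.0.2.1 and 192.0.2.10, the shared secret) is made up for the example; the Cisco-AVPair attribute needs the Cisco vendor dictionary that FreeRADIUS ships.

```text
# /etc/raddb/users  (FreeRADIUS "users" file; added example, assumed names and secrets)
#
# Router side (Cisco IOS), assumed configuration; 192.0.2.10 is the made-up RADIUS server:
#   aaa new-model
#   radius-server host 192.0.2.10 key ExampleSharedSecret
#   aaa authentication login  default group radius local
#   aaa authentication enable default group radius enable
#   aaa authorization  exec   default group radius local
#
# Stage 1: the normal login. The reply grants an EXEC shell at privilege 1, so
# the user lands in user mode and still has to type "enable". Giving
# "shell:priv-lvl=15" here instead is the wiki's per-user privilege level and
# skips the enable step entirely, which is what Ashish does NOT want.
# (FreeRADIUS 1.x spells the check item "User-Password == ..." instead.)
alice   Cleartext-Password := "login-secret-1"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=1"

# Stage 2: the enable step. With "aaa authentication enable ... group radius"
# IOS sends a second Access-Request with User-Name "$enab15$" and the password
# typed at the enable prompt. Matching that pseudo-user here makes the enable
# password a RADIUS-managed secret, separate from the login password.
# It is shared by every user of this device, so pin it to the router(s) it is
# meant for (192.0.2.1 is a made-up router address) rather than matching it
# for any NAS that talks to the server.
DEFAULT User-Name == "$enab15$", NAS-IP-Address == 192.0.2.1, Cleartext-Password := "enable-secret-2"
        Reply-Message = "enable granted via RADIUS"

# Any other device asking for $enab15$ is refused explicitly.
DEFAULT User-Name == "$enab15$", Auth-Type := Reject
```

To check the second stage without touching a router, send the request yourself with the `radtest` tool that ships with FreeRADIUS (quote the name so the shell does not expand the `$`): `radtest '$enab15$' enable-secret-2 127.0.0.1 0 testing123`, using whatever secret the server's `clients` entry for 127.0.0.1 holds. Two caveats a practitioner should keep in mind: if `aaa authentication enable` is left at its default the router falls back to its local enable secret and RADIUS is never consulted for the second stage; and both stages carry the password as RADIUS User-Password (PAP, hidden only by the shared-secret MD5 obfuscation), so the shared secret and the path between router and server are what protect the enable password.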
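A second editor's example, added here and not part of Reimer's message or of the configuration FreeRADIUS ships: the rlm_ldap settings his advice in message 7 amounts to, in the FreeRADIUS 1.x `radiusd.conf` syntax the thread is using. The server name, bind DN, bind password and file paths are assumptions; the base DN is the one Martin's `ldapsearch` used. It adds the one caveat the "hostname does not match CN in peer certificate" error calls for: that message is the client doing its job, and the fix is to connect by the name in the certificate (or reissue the certificate), never to turn certificate checking off.

```text
# radiusd.conf, inside modules { ... }   (FreeRADIUS 1.x syntax; added example)
ldap {
        # Connect by the DNS name that appears in the server certificate's
        # CN or subjectAltName, not by IP address; otherwise libldap keeps
        # reporting "hostname does not match CN in peer certificate".
        # ldap.example.com is an assumed name.
        server = "ldap.example.com"

        # Leave port and tls_mode at their defaults: STARTTLS runs on 389.
        start_tls = yes

        # Simple bind as a service account (assumed DN and password), so no
        # client certificate is involved.
        identity = "cn=radius,ou=services,o=wifi"
        password = "assumed-bind-password"
        basedn   = "ou=adm,ou=malmo,o=wifi"
        filter   = "(cn=%{Stripped-User-Name:-%{User-Name}})"

        # Trust anchors: exactly one of the two. The file holds the whole CA
        # chain concatenated in PEM; the directory holds one .pem per CA and
        # needs "c_rehash ." run inside it.
        tls_cacertfile = /etc/raddb/certs/ldap-ca-chain.pem
        # tls_cacertdir = /etc/raddb/certs/ldap-ca/

        # Do not set tls_certfile / tls_keyfile: they are for client-certificate
        # authentication of the RADIUS server to the directory, not in use here.

        # Fail the bind if the chain or the name check fails. "never" or "allow"
        # would accept any certificate and hand the bind password to whoever
        # answers on port 389.
        tls_require_cert = "demand"
}

# The OpenLDAP client file Reimer mentions (/etc/openldap/ldap.conf or the
# per-user file) is consulted by the same libldap; keep it consistent:
#   TLS_CACERT  /etc/raddb/certs/ldap-ca-chain.pem
#   TLS_REQCERT demand
```

Before blaming FreeRADIUS, verify the chain file offline with `openssl verify -CAfile /etc/raddb/certs/ldap-ca-chain.pem server.pem` against the exported server certificate; if that fails, the directory's certificate or the chain is the problem, not the RADIUS configuration.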

