Hi Ivan,

What I meant is you type "enable" but the password you give should be
authenticated by the RADIUS server, not the "enable password stored on the
device".
I am not sure whether it is possible or not, but just wanted to know from
the experts.

Thanks,
Ashish


On 7/19/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Send Freeradius-Users mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. Second level authentication. (ashish verma)
   2. Re: Second level authentication. ([EMAIL PROTECTED])
   3. Re: TLS cant connect ldap+freeradius+novell ([EMAIL PROTECTED])
   4. Re: Quirky question about rewriting usernames (Cliff Cole)
   5. Re: Second level authentication. (Claudiu Filip)
   6. Re: TLS cant connect ldap+freeradius+novell (Martin G)


----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Jul 2007 22:21:30 +0530
From: "ashish verma" <[EMAIL PROTECTED]>
Subject: Second level authentication.
To: [email protected]
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Hi Stefan,

I read the document and thanks for giving the link, that was helpful.

Well I think I put my question in a wrong way.
Let me put it in a different way.

I don't want the user to go directly into priv mode.
Through priv level = 15 we directly get into priv level, right?

What I am looking for is that first the user gets into user level and then,
with another password, into level 2 (not with the enable password). It
should be through the RADIUS server.


Ashish
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/4c1e3a0e/attachment-0001.html

------------------------------

Message: 2
Date: Thu, 19 Jul 2007 18:13:00 +0100
From: <[EMAIL PROTECTED]>
Subject: Re: Second level authentication.
To: "FreeRadius users mailing list"
        <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-2

You want a shell user to get to privilege mode without typing
"enable" and knowing the enable password? I am quite certain that Cisco
spent many years making sure that's impossible. If you find a way to do
that you can blackmail them for a hell of a lot of money.

Ivan Kalik
Kalik Informatika ISP


On 19/7/2007, "ashish verma" <[EMAIL PROTECTED]> writes:

>Hi Stefan,
>
>I read the document and thanks for giving the link, that was helpful.
>
>Well I think I put my question in a wrong way.
>Let me put it in a different way.
>
>I don't want the user to go directly into priv mode.
>Through priv level = 15 we directly get into priv level, right?
>
>What I am looking for is that first the user gets into user level and then,
>with another password, into level 2 (not with the enable password). It
>should be through the RADIUS server.
>
>
>Ashish
>
>



------------------------------

Message: 3
Date: Thu, 19 Jul 2007 18:19:59 +0100
From: <[EMAIL PROTECTED]>
Subject: Re: TLS cant connect ldap+freeradius+novell
To: "FreeRadius users mailing list"
        <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-2

>Any idea how to type the FQDN !? :(

Well if this was your server:

>http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

FQDN would be: messenger.msn.click-url.com

Ivan Kalik
Kalik Informatika ISP



------------------------------

Message: 4
Date: Thu, 19 Jul 2007 13:30:23 -0400
From: "Cliff Cole" <[EMAIL PROTECTED]>
Subject: Re: Quirky question about rewriting usernames
To: "FreeRadius users mailing list"
        <[email protected]>
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=WINDOWS-1252; format=flowed

Once again.  I am backwards on my wording, I am so sorry.  This should
be correct.

IF the username does have @domain.com and NAS = "NAS A"
THEN continue with username as is

IF the username does not have @domain.com and NAS = "NAS A"
THEN append the @domain.com

I have been trying the hints file.  I'm able to append @domain.com but
do not know how to check for @domain.com and continue if the
@domain.com is present.

Here is what I have in my hints file.

DEFAULT NAS-IP-Address == "255.255.255.255"
        User-Name := "[EMAIL PROTECTED]"

This part works great and hopefully I'm FINALLY clear on what I'm
trying to accomplish.

Cliff


On 7/19/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> How about the other way around:
>
> IF the username does not have @domain.com and NAS = "NAS A"
> THEN continue with username as is
>
> IF the username has @domain.com and NAS = "NAS A"
> THEN strip @domain.com
>
> That works by default. If you want to keep it the other way around have a
> look at the hints file.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> On 19/7/2007, "Cliff Cole" <[EMAIL PROTECTED]> writes:
>
> >Thanks for the reply.  I'm new to free radius and have been
> >overwhelmed with documentation the past few days.  Let me explain in
> >some logic and maybe I can make some sense as to what I'm trying to
> >do.
> >
> >User authentication comes from "NAS A"
> >
> >IF the username does not have @domain.com and NAS = "NAS A"
> >THEN append @domain.com
> >
> >IF the username has @domain.com and NAS = "NAS A"
> >THEN continue with username as is.
> >
> >Hope this helps to clear up what I'm trying to do.  I apologize for
> >not being very clear.
> >
> >Thanks
> >
> >Cliff
> >
> >
> >
> >On 7/19/07, Pshem Kowalczyk <[EMAIL PROTECTED]> wrote:
> >> Hi
> >>
> >> On 19/07/07, Cliff Cole <[EMAIL PROTECTED]> wrote:
> >> > Hello all.
> >> >
> >> > Here is my issue.  This is very weird and would only affect one NAS.
> >> > I'm not sure freeradius is capable of this.  I want a username that
> >> > comes in to check for an @domainname.  If the domainname is there I
> >> > want it to be stripped and added back later.  If the domainname is not
> >> > there I'd like it to continue and have the domainname added later in
> >> > the authentication process.  I hope this makes sense and any help is
> >> > appreciated.
> >>
> >> What do you mean by 'later'? You can definitely check for the presence
> >> of a domain; you can strip it and add it again. You just have to define
> >> the flow. rlm_attr will be of help to you (for both stripping and
> >> adding).
> >>
> >> kind regards
> >> Pshem
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >>
> >
>
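The rule Cliff is trying to express, written out as a plain function so that both cases (realm absent, realm already present) and their edge cases are explicit. This is an added example, not code from the thread or from FreeRADIUS itself: the NAS address and the domain are placeholders, and treating a request that already carries some *other* realm as "realm present" (rather than appending a second one) is a choice the post does not make and is labelled as an assumption in the code.

```python
"""Realm normalisation for one NAS, as described in Cliff's post.

Added example; not code from the thread or from FreeRADIUS.
"""

# Placeholders: the post never gives the real address of "NAS A" or the
# real domain, so these are constructed values.
NAS_A_IP = "192.0.2.10"
DOMAIN = "domain.com"


def split_realm(user_name):
    """Split "user@realm" on the *last* '@' so a local part that itself
    contains '@' does not confuse the check. Returns (user, realm_or_None)."""
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, realm


def rewrite_username(user_name, nas_ip, nas_a_ip=NAS_A_IP, domain=DOMAIN):
    """Return (new_user_name, rule_applied).

    Rules from the post:
      * request from NAS A, no realm           -> append "@domain"
      * request from NAS A, "@domain" present  -> leave untouched
    Added here (assumption, not in the post): a request from NAS A that
    already carries a different realm is also left untouched instead of
    getting "@domain" appended on top; requests from any other NAS are
    never rewritten.
    """
    if nas_ip != nas_a_ip:
        return user_name, "other NAS: untouched"
    user, realm = split_realm(user_name)
    if realm is None:
        return f"{user}@{domain}", "NAS A, no realm: appended"
    if realm.lower() == domain.lower():
        return user_name, "NAS A, realm already present: untouched"
    return user_name, "NAS A, foreign realm: untouched (assumption)"


def strip_realm(user_name, domain=DOMAIN):
    """The opposite direction Ivan mentions: drop "@domain" if it is there."""
    user, realm = split_realm(user_name)
    if realm is not None and realm.lower() == domain.lower():
        return user
    return user_name


if __name__ == "__main__":
    for name in ("alice", "alice@domain.com", "alice@other.org"):
        print(name, "->", rewrite_username(name, NAS_A_IP))
    print("from another NAS:", rewrite_username("alice", "192.0.2.99"))
```

The piece Cliff was missing in the hints file is the absence test: the users/hints file syntax has a regex "does not match" operator for check items (`User-Name !~ "@"`), so the entry that appends the domain only fires when no realm is present, and a request that already carries one falls through untouched.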



------------------------------

Message: 5
Date: Thu, 19 Jul 2007 20:44:04 +0300
From: Claudiu Filip <[EMAIL PROTECTED]>
Subject: Re: Second level authentication.
To: FreeRadius users mailing list
        <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL:
https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/b668ab5b/attachment-0001.html

------------------------------

Message: 6
Date: Thu, 19 Jul 2007 20:11:01 +0200
From: "Martin G" <[EMAIL PROTECTED]>
Subject: Re: TLS cant connect ldap+freeradius+novell
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; format=flowed

I've found the following on the novell server (CA-service):
Distinguished name: WIFITREE CA.Security
Host server: NW1.SYSTEM.WIFI

"NW1" would be the servername and "NW1.SYSTEM.WIFI" the FQDN?
I added the info in all kinds of sorts in my hosts-file to the novell-ip on
the linux-server but still no progress :( Still:

ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi
"cn=lotta"
ldap_initialize( ldap://wifi )
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer
certificate
filter: cn=lotta
requesting: All userApplication attributes

Any good idea!?
(I've added the novell-server's dns-ip to the ifconfig-dns of the linux also,
but no help from that either).

/Mr G

>>Any idea how to type the FQDN !? :(
>
>Well if this was your server:
>
>>http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>
>FQDN would be: messenger.msn.click-url.com
>
>Ivan Kalik
>Kalik Informatika ISP
>
>- List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html




>From: "Martin G" <[EMAIL PROTECTED]>
>Reply-To: FreeRadius users mailing list
><[email protected]>
>To: [email protected]
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Thu, 19 Jul 2007 18:05:22 +0200
>
>Subject of the novell-server-certificate is: O = WIFITREE
>OU = Organizational CA
>And that's no FQDN!?
>(I exported it from the novell as a .der and extracted it to see the
>subject, maybe wrong way to do it? I haven't exported the private key with
>either the .b64 or the .der and that shouldn't matter?)
>
>*output from novell*
>Subject name: OU=Organizational CA.O=WIFITREE
>Issuer name: OU=Organizational CA.O=WIFITREE
>Effective date: den 22 oktober 2005 23:04:08
>Expiration date:  den 22 oktober 2015 23:04:08
>Certificate status: Valid
>
>Any idea how to type the FQDN !? :(
>
>(Thx for all the good answers this far!)
>
>/Mr G
>
>
> >From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
> >Reply-To: FreeRadius users mailing list
> ><[email protected]>
> >To: FreeRadius users mailing list <[email protected]>
> >Subject: Re: TLS cant connect ldap+freeradius+novell
> >Date: Thu, 19 Jul 2007 17:51:24 +0200
> >
> >Hmmmmm.
> >
> >Martin G wrote:
> > > Sorry, when I tried to rehash my certificate, I'd changed its path, but
> > > now it's back and I got a new output from my ldapsearch-command:
> > >
> > > ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> > > ldap_initialize( ldap://10.10.0.11 )
> > > ldap_start_tls: Connect error (-11)
> > >         additional info: TLS: hostname does not match CN in peer certificate
> >
> >What is the CN in the SubjectDN of the ldap server's certificate? Is it a
> >FQDN?
> >
> >If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
> >server can't find the FQDN. Try to call ldapsearch with -h FQDN option.
> >
> >Is the above warning going away?
> >
> > > filter: cn=lotta
> > > requesting: All userApplication attributes
> > > # extended LDIF
> > > #
> > > # LDAPv3
> > > # base <ou=adm,ou=malmo,o=wifi> with scope subtree
> > > # filter: cn=lotta
> > > # requesting: ALL
> > > #
> > >
> > > # lotta, ADM, MALMO, WIFI
> > > dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
> > > zenzfdVersion::
> >
> >Something is at least working. It's not SSL secured though.
> >
> >...
> > >
> > > I've also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the
> > > TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf
> > > as I did forget before.
> >
> >slapd.conf is the config file of the openldap *server*. Messing with this
> >file should not change anything. Or was that a typo?
> >
> > > Do I need to convert the certificate to .pem and how if the c_rehash
> > > doesn't work?
> >
> >If tls_cacertdir is not set, then don't use c_rehash.
> >
> >Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
> >certificates of the CA certificate chain that is needed to validate your
> >ldap server's certificate. Concatenate these PEM formatted CA certs into this
> >single ASCII file.
> >
> >And I forgot, set ldap_debug to -1 in the radius config file.
> >
> >Don't send your ldap server's password in log files ;-)
> >
> >...
> > > Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: server = "10.10.0.11"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: port = 389
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: net_timeout = 1
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: timeout = 4
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: timelimit = 3
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: identity = "cn=admin,o=wifi"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_mode = no
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: start_tls = yes
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertfile = "/etc/freeradius/certs/WIFITREE_CA.b64"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertdir = "(null)"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_certfile = "(null)"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_keyfile = "(null)"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_randfile = "(null)"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_require_cert = "allow"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: password = "novell"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: basedn = "ou=adm,ou=malmo,o=wifi"
> >...
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_debug = 0
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_connections_number = 5
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: compare_check_items = no
> >
> >--
> >Beste Gruesse / Kind Regards
> >
> >Reimer Karlsen-Masur
> >
> >DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
> >--
> >Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
> >DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
> >Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737

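The check behind Martin's error, "TLS: hostname does not match CN in peer certificate", as an added example in Python (not OpenLDAP's or FreeRADIUS's code, and not from anyone in the thread). It follows the RFC 6125 / RFC 2818 name-matching rules in simplified form: an IP literal such as 10.10.0.11 is compared only against subjectAltName iPAddress entries and never against the CN, which is why Reimer's advice to connect with the FQDN (mapped in /etc/hosts if DNS cannot resolve it) is the correct fix rather than a workaround. The server certificate's CN is assumed to be NW1.SYSTEM.WIFI, Martin's guess; the real server certificate never appears in the thread. The second name set models the certificate Martin actually exported, the CA's own, whose subject (OU=Organizational CA, O=WIFITREE) has no CN at all: it is the issuer, not the LDAP server, so it can never match any hostname.

```python
"""Certificate name check behind "hostname does not match CN in peer certificate".

Added example; not code from OpenLDAP, FreeRADIUS or anyone in the thread.
Implements the RFC 6125 / RFC 2818 rules in a simplified form.
"""
import ipaddress
import re

# A hostname label after lowercasing: letters, digits, hyphen.
_LABEL = re.compile(r"[a-z0-9-]+")


def _as_ip(text):
    """Return an ip_address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_name_matches(pattern, hostname):
    """Case-insensitive DNS name comparison with RFC 6125 wildcard rules:
    "*" must be the whole leftmost label, matches exactly one label, and
    needs at least two labels to its right ("*.com" is not accepted)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                     # "*.example.com" -> ".example.com"
    if suffix.count(".") < 2 or not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]       # must be exactly one label
    return _LABEL.fullmatch(leftmost) is not None


def hostname_matches(hostname, cert_names):
    """Decide whether `hostname` is a valid name for a certificate.

    cert_names: {"cn": str or None,
                 "dns": [SAN dNSName, ...],
                 "ip": [SAN iPAddress, ...]}
    Returns (ok, reason).
    """
    ip = _as_ip(hostname)
    if ip is not None:
        # An IP literal is compared only with SAN iPAddress entries; the CN
        # is never consulted. Connecting with "-h 10.10.0.11" therefore fails
        # against a certificate whose only name is a CN.
        if any(_as_ip(san) == ip for san in cert_names.get("ip", [])):
            return True, f"{hostname} matches a SAN iPAddress entry"
        return False, f"{hostname} is an IP literal and no SAN iPAddress matches it"
    dns_names = cert_names.get("dns", [])
    if dns_names:
        # When SAN dNSNames exist they are authoritative; the CN is ignored.
        for name in dns_names:
            if _dns_name_matches(name, hostname):
                return True, f"{hostname} matches SAN dNSName {name}"
        return False, f"{hostname} matches none of SAN dNSName {dns_names}"
    cn = cert_names.get("cn")
    if cn is None:
        return False, "certificate carries no SAN dNSName and no CN"
    if _dns_name_matches(cn, hostname):
        return True, f"{hostname} matches CN {cn} (legacy CN fallback)"
    return False, f"hostname {hostname} does not match CN {cn}"


# Constructed name sets based on what the thread shows. The LDAP server's CN
# is ASSUMED to be NW1.SYSTEM.WIFI (Martin's guess); the real server
# certificate never appears in the thread.
LDAP_SERVER_CERT = {"cn": "NW1.SYSTEM.WIFI", "dns": [], "ip": []}
# The certificate Martin actually exported: the CA's own, whose subject
# "OU=Organizational CA, O=WIFITREE" has no CN, so it matches no hostname.
NOVELL_CA_CERT = {"cn": None, "dns": [], "ip": []}

if __name__ == "__main__":
    for host in ("10.10.0.11", "NW1.SYSTEM.WIFI", "nw1.system.wifi"):
        print(host, "->", hostname_matches(host, LDAP_SERVER_CERT))
    print("CA cert ->", hostname_matches("NW1.SYSTEM.WIFI", NOVELL_CA_CERT))
```

One caveat worth reading off the radius debug output quoted in the thread: it shows `tls_require_cert = "allow"`. In OpenLDAP terms `allow` lets the session proceed even when the server certificate cannot be verified, and the hostname comparison above is skipped for `never` and `allow`, so rlm_ldap would silently accept the mismatch that ldapsearch (which uses the default `demand`) reports. Fixing the name with /etc/hosts and the FQDN, and running with `demand`, keeps the check that actually protects the bind password shown in the same log.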


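Reimer's second point concerns the file format tls_cacertfile expects: one ASCII file holding every CA certificate of the chain in PEM form, concatenated (and no c_rehash, which only matters for tls_cacertdir). The thread's config points rlm_ldap at a `.b64` export from the Novell CA, and nothing in the thread shows whether that export carries PEM headers. The added example below (not code from the thread, OpenLDAP or FreeRADIUS) builds the PEM framing by hand with only the standard library, concatenates a bundle, and sanity-checks a candidate file before it is handed to rlm_ldap: it counts the PEM certificate blocks and flags a file with none, which is what a raw DER or bare-base64 export looks like. The byte strings used as "certificates" are constructed placeholders with valid DER framing bytes only, not real certificates; nothing here parses X.509.

```python
"""PEM bundle helpers for rlm_ldap's tls_cacertfile.

Added example; not code from the thread, OpenLDAP or FreeRADIUS.
Only the PEM framing is implemented; nothing here parses X.509.
"""
import base64
import re

_BEGIN = "-----BEGIN CERTIFICATE-----"
_END = "-----END CERTIFICATE-----"
# One PEM certificate block: header, base64 body (any line breaks), footer.
_PEM_BLOCK = re.compile(re.escape(_BEGIN) + r"\s*(.*?)\s*" + re.escape(_END), re.S)


def der_to_pem(der):
    """Wrap DER bytes as a PEM certificate: base64, 64 columns, header/footer."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([_BEGIN, *lines, _END]) + "\n"


def pem_to_ders(text):
    """Return the DER bytes of every certificate block found in a PEM file."""
    return [base64.b64decode(m.group(1)) for m in _PEM_BLOCK.finditer(text)]


def build_ca_bundle(der_certs):
    """Concatenate the chain (root and any intermediates) into one PEM file,
    which is what tls_cacertfile expects when tls_cacertdir is not used."""
    return "".join(der_to_pem(c) for c in der_certs)


def check_bundle(text):
    """Sanity-check a candidate tls_cacertfile. Returns (ok, message)."""
    if text.count(_BEGIN) != text.count(_END):
        return False, "unbalanced BEGIN/END CERTIFICATE lines; a block is truncated"
    ders = pem_to_ders(text)
    if not ders:
        # DER, bare base64 (a '.b64' export without headers) or an empty
        # file all land here.
        return False, "no PEM certificate blocks found; convert the export to PEM first"
    for der in ders:
        # Every DER certificate is an ASN.1 SEQUENCE, so it starts with 0x30.
        if not der or der[0] != 0x30:
            return False, "a block does not decode to a DER SEQUENCE"
    return True, f"{len(ders)} PEM certificate block(s)"


# Constructed placeholder "certificates": valid DER framing bytes only,
# not real X.509 data.
FAKE_ROOT_DER = b"\x30\x82\x00\x10" + bytes(range(16))
FAKE_INTERMEDIATE_DER = b"\x30\x82\x00\x20" + bytes(range(32))

if __name__ == "__main__":
    bundle = build_ca_bundle([FAKE_ROOT_DER, FAKE_INTERMEDIATE_DER])
    print(bundle)
    print("bundle:", check_bundle(bundle))
    print("bare base64:", check_bundle(base64.b64encode(FAKE_ROOT_DER).decode()))
```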

------------------------------



End of Freeradius-Users Digest, Vol 27, Issue 126
*************************************************
