problem with proxy configuration
Hello, I am having following problem with proxy. In proxy.conf, I have following entries realm myPartnerRealm { type= radius authhost= mypartner.server.com:1812 accthost= mypartner.server.com:1813 secret = mypartnersecret nostrip } realm myCustomRealm { type= radius authhost= localhost:1812 accthost= localhost:1813 secret = mysecret nostrip } realm DEFAULT { type= radius authhost= localhost:1812 accthost= localhost:1813 secret = mysecret } I am able to authenticate against myPartnerRealm and default relam, but when I submit request for myCustomRealm, the server seems to go in a loop and marks the myCustomRealm as dead with the following error. marking authentication server localhost:1812 for realm myCustomRealm dead I also get the following warning message WARNING: Possible DoS attack from host 127.0.0.1: Too many attributes in request (received 201, max 200 are allowed). I read in one of the post that proxying to same server (localhost) is not allowed , but i need this feature as I do not want to strip certain Realms. Thanks for your help. Prabh -- MyBlog: http://things-on-my-mind.blogspot.com/ Get your news at www.DailyHeadlines.NET - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mobile Phones Radius Authentications
On Mon 16 Oct 2006 06:17, nsuralullec wrote: What i want is to authenticate Mobile WAP users to a freeradius before using the mobile wap gateway(Kannel), but as per the radius logs, it successfully authenticates but it does not redirect the mobile wap request to the wap gateway. The mobile configurations are correct it works if the NAS doesnot require authentications. What makes you think that it should do this? Have you configured your NAS to do this redirection? Your Access-Accept doen't contain any such message. Does your NAS even support such a feature? Ask your NAS vendor how this is supposed to work... Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc pgp7eWoYa0YAk.pgp Description: PGP signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Inserting and/or replacing reply attributes on a proxy request
Yep. I use attrs.pre-proxy and attrs files to do what they say on the tin. (Strip unwanted pairs pre and post proxy) then I add back in the pairs I want with rewrite rule and/or module (Module order is important here). For example this lets me strip Framed-IP-Address and then add one from sqlippool. Cheers Peter On Mon 16 Oct 2006 00:43, Jarrod Sayers wrote: Thanks Peter, any tips on how you have done this? I'll look at upgrading a development box to head today if it means I can resolve this problem. Jarrod. On 16/10/2006, at 12:45 AM, Peter Nixon wrote: This is trivial to do on CVS head (We are using these features in production). 1.1.3 is pretty limited in this regard.. Cheers Peter On Sun 15 Oct 2006 15:23, Jarrod Sayers wrote: The concept is close, but the effect I need is silently add or replace these attributes from any proxy reply. While I am slightly concerned that a realm neighbor would have the power to alter what tunnel group they land in, I am also concerned about proxy replies that come back without those variables. Reason being is without those variables, that username and realm pair can associate to any SSID where FreeRADIUS is used to check their credentials. Picture Cisco Aironet 1200's with multiple SSID's, all pointing back to a single instance of FreeRADIUS. The access point is relying on the RADIUS reply to determine if the user should be moved to another SSID and without it, assumes the one they are attempting to connect to is correct. Jarrod. On 15/10/2006, at 2:43 PM, Owen DeLong wrote: Seems to me that you need to know which RADIUS box you sent the proxy request to and which destinations it is allowed to return. Then, you should be able to map any responses which don't match those tuples to proxy-reject with an error indicating that the proxy returned nefarious content. Perhaps, however, I simply am not understanding the problem statement. Owen On Oct 14, 2006, at 9:59 PM, Jarrod Sayers wrote: Hi, I have a FreeRADIUS 1.1.2 box which its only job in life is to proxy requests based on realms, i.e., no local authentication is done. One of the realms is internal to the organisation (lets call that internal.org.com.au) and I trust the variables being returned, however I have no control over one external realm (lets call that some.other.org.net.au) and the default realm. The FreeRADIUS box is used to proxy wireless requests which relies on the following variables to dump users into their particular tunnel groups: Tunnel-Type:1 = VLAN Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Private-Group-Id:1 = 1234 What I am trying to accomplish is to have replies from a certain realm forced to be returned with set values either adding them in if they are missing, or replacing them is they are not the same. So, if the request is proxied to a trusted source then don't alter the reply, though if its proxied to an external realm, force the Tunnel-Private-Group-Id:1 attribute to be 1234, yet if its proxied to the default realm, use 4321 instead. I had a go at this using the exec clause and had some success in adding variables if they didn't exist in the reply, but it wouldn't replace existing ones: modules { ... exec vlan_assignment { wait = yes program = ${confdir}/vlan.sh input_pairs = proxy-request output_pairs = proxy-reply packet_type = Access-Accept } } post-proxy { vlan_assignment ... } The associated script that it ran: fruitbox# cat vlan.sh #!/bin/sh # Set defaults. TunnelType=VLAN TunnelMediumType=IEEE-802 TunnelPrivateGroupId=200 # Only alter Wireless-802.11 requests. if [ ${NAS_PORT_TYPE} = Wireless-802.11 -a ${REALM} != internal.org.com.au ]; then # Determine VLAN to be used. if [ ${REALM} = some.other.org.net.au ]; then # Force user into specific tunnel group. TunnelPrivateGroupId=1234 elif [ ${REALM} = DEFAULT ]; then # Force user into specific tunnel group. TunnelPrivateGroupId=4321 fi # Return actual VLAN assignment. echo Tunnel-Type:1 = ${TunnelType} echo Tunnel-Medium-Type:1 = ${TunnelMediumType} echo Tunnel-Private-Group-Id:1 = \${TunnelPrivateGroupId}\ fi exit 0 fruitbox# Allowing these variables to pass though from untrusted sources may allow a user to be placed in another organisations tunnel group which I cannot allow. Any help or ideas appreciated :) Jarrod. -List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc -
Re: Inserting and/or replacing reply attributes on a proxy request
An example would be handy :) Jarrod. On Mon, 16 Oct 2006, Peter Nixon wrote: Yep. I use attrs.pre-proxy and attrs files to do what they say on the tin. (Strip unwanted pairs pre and post proxy) then I add back in the pairs I want with rewrite rule and/or module (Module order is important here). For example this lets me strip Framed-IP-Address and then add one from sqlippool. Cheers Peter On Mon 16 Oct 2006 00:43, Jarrod Sayers wrote: Thanks Peter, any tips on how you have done this? I'll look at upgrading a development box to head today if it means I can resolve this problem. Jarrod. On 16/10/2006, at 12:45 AM, Peter Nixon wrote: This is trivial to do on CVS head (We are using these features in production). 1.1.3 is pretty limited in this regard.. Cheers Peter On Sun 15 Oct 2006 15:23, Jarrod Sayers wrote: The concept is close, but the effect I need is silently add or replace these attributes from any proxy reply. While I am slightly concerned that a realm neighbor would have the power to alter what tunnel group they land in, I am also concerned about proxy replies that come back without those variables. Reason being is without those variables, that username and realm pair can associate to any SSID where FreeRADIUS is used to check their credentials. Picture Cisco Aironet 1200's with multiple SSID's, all pointing back to a single instance of FreeRADIUS. The access point is relying on the RADIUS reply to determine if the user should be moved to another SSID and without it, assumes the one they are attempting to connect to is correct. Jarrod. On 15/10/2006, at 2:43 PM, Owen DeLong wrote: Seems to me that you need to know which RADIUS box you sent the proxy request to and which destinations it is allowed to return. Then, you should be able to map any responses which don't match those tuples to proxy-reject with an error indicating that the proxy returned nefarious content. Perhaps, however, I simply am not understanding the problem statement. Owen On Oct 14, 2006, at 9:59 PM, Jarrod Sayers wrote: Hi, I have a FreeRADIUS 1.1.2 box which its only job in life is to proxy requests based on realms, i.e., no local authentication is done. One of the realms is internal to the organisation (lets call that internal.org.com.au) and I trust the variables being returned, however I have no control over one external realm (lets call that some.other.org.net.au) and the default realm. The FreeRADIUS box is used to proxy wireless requests which relies on the following variables to dump users into their particular tunnel groups: Tunnel-Type:1 = VLAN Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Private-Group-Id:1 = 1234 What I am trying to accomplish is to have replies from a certain realm forced to be returned with set values either adding them in if they are missing, or replacing them is they are not the same. So, if the request is proxied to a trusted source then don't alter the reply, though if its proxied to an external realm, force the Tunnel-Private-Group-Id:1 attribute to be 1234, yet if its proxied to the default realm, use 4321 instead. I had a go at this using the exec clause and had some success in adding variables if they didn't exist in the reply, but it wouldn't replace existing ones: modules { ... exec vlan_assignment { wait = yes program = ${confdir}/vlan.sh input_pairs = proxy-request output_pairs = proxy-reply packet_type = Access-Accept } } post-proxy { vlan_assignment ... } The associated script that it ran: fruitbox# cat vlan.sh #!/bin/sh # Set defaults. TunnelType=VLAN TunnelMediumType=IEEE-802 TunnelPrivateGroupId=200 # Only alter Wireless-802.11 requests. if [ ${NAS_PORT_TYPE} = Wireless-802.11 -a ${REALM} != internal.org.com.au ]; then # Determine VLAN to be used. if [ ${REALM} = some.other.org.net.au ]; then # Force user into specific tunnel group. TunnelPrivateGroupId=1234 elif [ ${REALM} = DEFAULT ]; then # Force user into specific tunnel group. TunnelPrivateGroupId=4321 fi # Return actual VLAN assignment. echo Tunnel-Type:1 = ${TunnelType} echo Tunnel-Medium-Type:1 = ${TunnelMediumType} echo Tunnel-Private-Group-Id:1 = \${TunnelPrivateGroupId}\ fi exit 0 fruitbox# Allowing these variables to pass though from untrusted sources may allow a user to be placed in another organisations tunnel group which I cannot allow. Any help or ideas appreciated :) Jarrod. -List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See
Accounting-Response Log ??
Hi,I have two radius servers. (Freeradius and Juniper SBR).Freeradius server be a radius proxy to proxy all auth/acct requests to Juniper SBR.Then I sometimes found there are some accounting-stop request don't arrival to Juniper SBR. Because Freeradius server and Juniper SBR is in the different subnet and through firewall.I think this problem may cause by firewall.In the radius accounting communication model there should have request and response. Is freeradius log the accounting-response result ?How to enable it ?I want to this log to identify the problem.Thanks.Rio Yang - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Machine + User Authentication
Hello everyoneI would appreciate if anybody could tell me whethere FreeRADIUS supports the following scenario or not.Currently, we have Foundry FastIron Edge 2402 switch. What we need is to deploy 802.1x user AND machine authentication. 1) If (Machine authentication is successfull) then (If User authentication is successfull) Drop the user in their respective VLAN.2) If (Machine authentication is successfull) then (If User authentication is NOT successfull) Drop the user in their default restricted VLAN.3) If (Machine authentication is NOT successfull OR there is no machine certificate) Drop the user in their default restricted VLAN OR Dont allow access to the switch port. Now the question I want to ask is, whethere FreeRADIUS supports the third case i.e. to disallow access OR drop in restricted vlan if machine authentication fails. Cisco Machine Access Restriction 4.0 for Windows ( http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_data_sheet0900aecd802fefd7.html) claims to support the abaove scenario. It would be great if someone could also tell me the relative parameters/configuration for the above particular case, if FreeRADIUS supports it.RegardsHammad - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
WPA authentication works only with MacOS clients
Hello all, I'm using WPA with EAP-TTLS and PEAP with a MacOS .Authentication works fine (even if enough slowly). The problem is that I can't authenticate WinXP client. I've readed that for using EAP-TTLS are required some other supplicant like SecureW2. Is SecureW2 required also for PEAP? Thanks for attention Best Regards, Josh - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pam radius authentication
anyone??? pls!!! no suggestions at all ? :( Pe 12 Oct 2006, la 12:46, [EMAIL PROTECTED] a scris: Hello! I try to authenticate ssh users logins using pam_radius_auth.so. On my RedHat 9 I have the following setup: - freeradius server - users file: testAuth-Type := Local, User-Password == test - clients.conf client 127.0.0.1 { secret = secret shortname = localhost } -pam radius module - cat /etc/pam.d/sshd #%PAM-1.0 auth required pam_securetty.so auth sufficient pam_radius_auth.so debug auth required /lib/security/pam_unix_auth.so accountrequired pam_radius_auth.so debug password required pam_stack.so service=system-auth sessionrequired pam_stack.so service=system-auth sessionrequired pam_limits.so sessionoptional pam_console.so -cat /etc/raddb/server 127.0.0.1 secret 1 - pam_radius_auth.so is copied in /lib/security -I created linux user test with home directory /home/test , without setting up a password - freeradius started with radiusd -X Problem is that, when I trie to connect to this machine using ssh, the radius server receives the request, processes it, sends access-accept, but the ssh session is ended, without the user being really logged in !!! I don't know the reason why the user gets rejected... tail -f /var/log/secure Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052. Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: Got RADIUS response code 2 Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: authentication succeeded Oct 12 11:06:27 D-Server sshd[26585]: Accepted password for test from 10.243.30.42 port 2847 ssh2 Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got user name test Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Sending RADIUS request code 1 Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052. Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got RADIUS response code 2 Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: authentication succeeded Oct 12 11:28:30 D-Server sshd[26590]: Accepted password for test from 10.243.30.42 port 2881 ssh2 from radiusd -X : rad_recv: Access-Request packet from host 127.0.0.1:27615, id=253, length=97 User-Name = test User-Password = test NAS-IP-Address = 127.0.0.1 NAS-Identifier = sshd NAS-Port = 26590 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = 512wyse83.cosmote.rom Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module preprocess returns ok for request 0 modcall[authorize]: module chap returns noop for request 0 modcall[authorize]: module mschap returns noop for request 0 rlm_realm: No '@' in User-Name = test, looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module eap returns noop for request 0 users: Matched entry test at line 80 modcall[authorize]: module files returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied User-Password matches local User-Password Sending Access-Accept of id 253 to 127.0.0.1 port 27615 Finished request 0 thank you! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
Hi Josh, Hello all, I'm using WPA with EAP-TTLS and PEAP with a MacOS .Authentication works fine (even if enough slowly). The problem is that I can't authenticate WinXP client. I've readed that for using EAP-TTLS are required some other supplicant like SecureW2. Is SecureW2 required also for PEAP? No, the built-in supplicant works. But then your server cert needs to have the TLS Web Server Authentication OID, otherwise the supplicant will refuse to authenticate. This special surprise brought to you by: Microsoft :-) Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473 pgp9eDXTZDrWr.pgp Description: PGP signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: module for deleting attributes
Lars Ricken wrote: How can I understand you developed module for deleting attributes from incoming radius requests. Can You send it to me via email or give a link where I can download it.It's very important for me. I don't think there's any point in deleting attributes in the incoming request. Just don't check those attributes in authorize, that's all. If you've configured FreeRADIUS as a proxy, you want to delete the undesired attributes from the proxy request, not the incoming request. In this case you could use the attr_filter module in the pre-proxy section. See the rlm_attr_filter(5) manpage. PS: Please don't reply to freeradius-devel, this is a question for the freeradius-users mailing list. -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
Hi, Hello all, I'm using WPA with EAP-TTLS and PEAP with a MacOS .Authentication works fine (even if enough slowly). The problem is that I can't authenticate WinXP client. I've readed that for using EAP-TTLS are required some other supplicant like SecureW2. Is SecureW2 required also for PEAP? no. the builtin WinXP supplicant does PEAP natively. however, dont forget that PEAP doesnt deal with plain text passwords - you either need to have NT-hash or use ntlm_auth alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pam radius authentication
Hi, anyone??? pls!!! no suggestions at all ? :( I'd read the INSTALL doc that coems as part of the pam_radius tool. - cat /etc/pam.d/sshd #%PAM-1.0 auth required pam_securetty.so auth sufficient pam_radius_auth.so debug auth required /lib/security/pam_unix_auth.so accountrequired pam_radius_auth.so debug password required pam_stack.so service=system-auth sessionrequired pam_stack.so service=system-auth sessionrequired pam_limits.so sessionoptional pam_console.so no. your invoking pam_radius_auth in the wrong place and for the wrong reason. again the INSTALL is your friend. your radius configuration appears to be correct alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
On 10/16/06, Stefan Winter [EMAIL PROTECTED] wrote: Hi Josh,No, the built-in supplicant works. But then your server cert needs to havethe TLS Web Server Authentication OID, otherwise the supplicant will refuseto authenticate. This special surprise brought to you by: Microsoft :-) Hi Stefan,thank you for the quick answer.Can you tell me the parameter that I must use for having TLS Web Server Authentication OID? I have used - x509 but it is insufficient :) However, thanks.Josh Shamir - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
billing problem in freeradius
Dear All,I want to integrate our billing code in freeradius. and i wants to make a code in c language with mysql database connectivity and i wants to make a so file also . Please help me.ThanksA. K.Anand KumarSoftware Engineer(VoIP) How low will we go? Check out Yahoo! Messengers low PC-to-Phone call rates.- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Autoreply: Reid Canavan is on vacation.
I will be out of the office starting 10/16/2006 and will not return until 10/23/2006. I will respond to your message when I return. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
block users on-the-fly
Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Is there any other means to do that? Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: block users on-the-fly
On Mon 16 Oct 2006 16:25, Guilherme Franco wrote: Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Sure. Change: authorize_check_query = SELECT id, UserName, Attribute, Value, Op \ FROM ${authcheck_table} \ WHERE Username = '%{SQL-User-Name}' AND calledstationid = '%{Called-Station-Id}' \ ORDER BY id to authorize_check_query = SELECT id, UserName, Attribute, Value, Op \ FROM ${authcheck_table} \ WHERE Username = '%{SQL-User-Name}' AND calledstationid = '%{Called-Station-Id}' \ AND PAID = 'YES' \ ORDER BY id Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc pgp6m1fcdzGmO.pgp Description: PGP signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: block users on-the-fly
On Mon 16 Oct 2006 16:25, Guilherme Franco wrote: Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Thats the wrong way to do it. Simply disconnect the user on your NAS at the same time as setting PAID = NO. The way you do this depends on your NAS but PoD comes to mind: http://wiki.freeradius.org/POD -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco AP, FreeRADIUS and Fedora Directory Server
Hm, well, sort of, as you get: rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. Probably wrong password. One cannot really be sure as you left out those earlier in this session parts of the _full_ debug output. Same password works when binding to LDAP server from different client applications, sucha as GQ. So I'm pretty sure that password is correct. I'm not sure that how will RADIUS server know to check password against LDAP server while EAP is in place? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: block users on-the-fly
I've been through exactly the same hell authenticating a bunch of VPN users. The fundamental problem is that FreeRADIUS is event-driven: ie, it can only do anything when someone sends a RADIUS request to it. This means, for our purposes, that freeradius needs to be *asked* if a user can continue to be connected. I did this by making VPN users be re-authenticated every 30 minutes by the VPN NAS - if the nas recieves an Access-Accept packet, then all is well, it continues to provide service (I also bundle on some max-upload and max-download attributes, so the user's speed can be changed on their gigabyte total, but this is an aside) - however, if it recieves and access-deny, the user is booted from the nas. What you need to do is get your NAS box to re-authenticate the users every n minutes (or hours or whatever you prefer). Depending on how you're authenticating in the first place, this could be done in any number of ways... However, unless your current solution is either software-based or has the functions in it already, it's probably going to be expensive to implement. If your NAS has a 'status list' function and a 'kick user' function (eg, telnet administration interface), you could write a script that connects to the status list, compares the usernames with the MySQL database, and then connects via telnet to the admin interface to issue a 'kill $user' command. I've seen this done before, and in some cases it can be less resource-intensive than the increased amount of RADIUS auth packets. However it's only really any good for 1 or 2 NAS'es - if you want your system to scale to 30-40 nases then you'll probably want to keep it simple to manage and debug, and get radius to handle periodic reauthentication. Hope this helps, Jan On 16/10/06, Guilherme Franco [EMAIL PROTECTED] wrote: Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Is there any other means to do that? Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: block users on-the-fly
On Oct 16, 2006, at 6:25 AM, Guilherme Franco wrote: Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Is there any other means to do that? Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html The radius protocol only supports processing of authentication requests. Unless you can get your hardware to send a periodic re-auth request, there's no way to have them processed by radius again no matter what you do to the database. Radius has no push capability. Your options are: + Get your hardware to re-auth periodically. + Use another process to boot users (forcing a reauth) when you change the database. Owen PGP.sig Description: This is a digitally signed message part - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: NAS Documentation
I read the mailing list... please send there in the future. On Sunday 15 October 2006 03:04, affora deeb wrote: do u know about IAS windows server 2003 configuration with NORTEL NAS Nope, don't have a clue. I try to avoid any windows that can't stand against a harsh external environment. Maybe someone else on the list can help you with the issues you're finding. -Kevin pgpi0lY8KxAOO.pgp Description: PGP signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Re:Help: How to authenticate additional attribute
Title: Re:Re:Help: How to authenticate additional attribute Cisco APs have a dot11 location config. stmt., I should also have mentioned that the snmp server-location config. stmt. controls the Location-name. For more info, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t2/ht_wispr.htm - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Huntgroupname checkitem in LDAP
Hello, im looking for a way to have my huntgroups defined in LDAP similar to the way they are in SQL. For example if a user belongs to Ldap-Group vpn, the Group in ldap contains an attribute containing the huntgroup names which the Group gives access to. I tried adding checkItem Huntgroup-Name info to my ldap.attrmap with attribute info having value: =~ ^(vpn|sslvpn)$ (without succes) I had success with the following setup: In users: DEFAULT Huntgroup-Name == vpn, Ldap-Group == vpn Fall-Through = no DEFAULT Huntgroup-Name == sslvpn, Ldap-Group == sslvpn Fall-Through = no DEFAULT Auth-Type := Reject This allows to specify which user has access to which nasgroup by adding groupmemberships to the user. But it breaks the users existing in SQL. I could off course also add the specific SQL-Groups into the users file but this would still require a reorganisation of the SQL users since they only have a Huntgroup-Name attribtue for there grouplevel which specifies multiple huntgroups by using regexp. Im kinda stuck in how to implement it. Any advice would be greatly appreciated. J. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: block users on-the-fly
Thanks, I didn't know about the POD (it wasn't on the wiki when I've read it before) On 10/16/06, Peter Nixon [EMAIL PROTECTED] wrote: On Mon 16 Oct 2006 16:25, Guilherme Franco wrote: Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Thats the wrong way to do it. Simply disconnect the user on your NAS at the same time as setting PAID = NO. The way you do this depends on your NAS but PoD comes to mind: http://wiki.freeradius.org/POD -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Guilherme de Oliveira Franco Damovo - Brasil - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
Hi, I can't use NT-hash because I use PAP and I need clear-text password. However I've generated server-side certificates with CA.all script with standart xpextension: [ xpclient_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ xpserver_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.1 Can I modify this OID to create MS-Windows compatible certificates? Or there are some other way to obtain this feature? Best Regards, Josh On 10/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:Hi, Hello all, I'm using WPA with EAP-TTLS and PEAP with a MacOS .Authentication works fine (even if enough slowly). The problem is that I can't authenticate WinXP client. I've readed that for using EAP-TTLS are required some other supplicant like SecureW2. Is SecureW2 required also for PEAP? no. the builtin WinXP supplicant does PEAP natively.however, dont forgetthat PEAP doesnt deal with plain text passwords - you either need to haveNT-hash or use ntlm_authalan-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: block users on-the-fly
Thanks Owen On 10/16/06, Owen DeLong [EMAIL PROTECTED] wrote: On Oct 16, 2006, at 6:25 AM, Guilherme Franco wrote: Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Is there any other means to do that? Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html The radius protocol only supports processing of authentication requests. Unless you can get your hardware to send a periodic re-auth request, there's no way to have them processed by radius again no matter what you do to the database. Radius has no push capability. Your options are: + Get your hardware to re-auth periodically. + Use another process to boot users (forcing a reauth) when you change the database. Owen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Guilherme de Oliveira Franco Damovo - Brasil - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
WPA authentication works only with MacOS clients
Date: Mon, 16 Oct 2006 13:25:22 +0200 From: Josh Shamir [EMAIL PROTECTED] Subject: WPA authentication works only with MacOS clients To: freeradius-users@lists.freeradius.org Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=iso-8859-1 Hello all, I'm using WPA with EAP-TTLS and PEAP with a MacOS .Authentication works fine (even if enough slowly). The problem is that I can't authenticate WinXP client. I've readed that for using EAP-TTLS are required some other supplicant like SecureW2. Is SecureW2 required also for PEAP? You are correct. The Windows supplicant on XP SP2 supports PEAP-MSCHAPv2 otherwise known as PEAPv0 and EAP-TLS. If you want to use EAP-TTLS you have a few choices. You can use a commercial supplicant like Funk Odyssey Access Client (30 day free trial here: http://www.juniper.net/customers/support/products/oac.jsp. It's a great supplicant and supports EAP-TTLS, PEAPv0, PEAPv1, EAP-TLS, EAP-SIM, EAP-GTC etc. You also may want to check if your wireless card has its own supplicant that supports TTLS. Most new laptops come with an Intel Centrino chipset and Intel's Proset Wireless supplicant does support TTLS. It's also faster and has more features than the MS supplicant. If these aren't available options, why not just use PEAP-MSCHAPv2? If you're just doing username/password authentication this should work fine. PEAP and TTLS are very similar in nature and PEAP is supported in OS X and in the Windows supplicant. Thanks for attention Best Regards, Josh -- next part -- An HTML attachment was scrubbed... URL: https://list.xs4all.nl/pipermail/freeradius-users/attachments/20061016/aafb6aa7/attachment-0001.html -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius confirmation
Hi All! I use freeradius with pppoe-server and mysql. If I connect to freeradius, the radius server give confirmation. The content of confirmation : Attributes + Values ex: Framed- Ip-Address, Reply_message etc... These attributes and values is in the my radreply table, in mysql. I modified dictionary file, and I add new attributes to dicrionary and radreply table, but the server not use these new attributes and radius confirmation not content these. Why? Thanks your answers. Steve - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco AP, FreeRADIUS and Fedora Directory Server
On 10/16/06, Mustafa Şenay [EMAIL PROTECTED] wrote: Same password works when binding to LDAP server from different client applications, sucha as GQ. So I'm pretty sure that password is correct. That doesn't mean it works for PEAP too (probably not). See below. I'm not sure that how will RADIUS server know to check password against LDAP server while EAP is in place? It's not so much EAP in general, but the PEAP (i.e. MSCHAPv2 part). However search this list's archive, see documentation etc. and the pertinent parts of the server's debug output you still chose not to provide here. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
Hi Jason,I want to use PEAP.So I can use PEAP on a WinXP SP2 client without any other supplicant, using his native supplicant.The problem is that with native WinXP supplicant the authentication process failed, and freeradius server give me an error regarding certificates. The strange thing is that with the same certificates, PEAP works fine with MacOSx.Could be a problem of certificates ?I generate certificates with CA.all.Any ideas about how generate certificates that works also with MS WixXP client? Thanks for helpBest Regards, Josh - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
sqlippool + MySQL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Does somebody knows how to configure sqlippool with MySQL ? The sqlippool.conf example is for pgsql. And for MySQL ? Here is my sqlippool.conf, corrected for MySQL: sqlippool sqlippool { # # SQL connection information # sql-instance-name = sql # lease_duration. fix for lost acc-stop packets lease-duration = 3600 # Attribute which should be considered unique per NAS pool-key = %{Acct-Session-Id} pool-name = mypool # pool-key = %{Calling-Station-Id} # # This series of queries allocates an IP address # allocate-clear = UPDATE radippool \ SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \ expiry_time = NOW() - INTERVAL 1 SECOND \ WHERE pool_key = '${pool-key}' # note the ORDER BY clause of next query, it'll try to allocate IPs # like Cisco internal pools do - it _trys_ to allocate the same IP-address # which user had last session... allocate-find = SELECT FramedIPAddress FROM radippool \ WHERE pool_name = '%{reply:Pool-Name}' AND expiry_time NOW() \ ORDER BY pool_name, (UserName '%{User-Name}'), (CallingStationId '%{Calling-Station-Id}'), expiry_time \ LIMIT 1 \ FOR UPDATE allocate-update = UPDATE radippool \ SET NASIPAddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \ CallingStationId = '%{Calling-Station-Id}', UserName = '%{User-Name}', \ expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \ WHERE FramedIPAddress = '%{Framed-IP-Address}' # # This series of queries frees an IP number when an accounting # START record arrives # start-update = UPDATE radippool \ SET expiry_time = NOW() + INTERVAL %J SECOND \ WHERE NASIPAddress = '%n' AND pool_key = '${pool-key}' AND pool_name = '%P' # # This series of queries frees an IP number when an accounting # STOP record arrives # stop-clear = UPDATE radippool \ SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \ expiry_time = NOW() - INTERVAL 1 SECOND \ WHERE NASIPAddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}' AND UserName = '%{User-Name}' \ AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}' # # This series of queries frees an IP number when an accounting # ALIVE record arrives # alive-update = UPDATE radippool \ SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \ WHERE NASIPAddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' AND UserName = '%{User-Name}' \ AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}' # # This series of queries frees the IP numbers allocate to a # NAS when an accounting ON record arrives # on-clear = UPDATE radippool \ SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \ expiry_time = NOW() - INTERVAL 1 SECOND \ WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \ AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}' # # This series of queries frees the IP numbers allocate to a # NAS when an accounting OFF record arrives # off-clear = UPDATE radippool \ SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \ expiry_time = NOW() - INTERVAL 1 SECOND \ WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \ AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}' } Here is the radiusd -X: ... Mon Oct 16 17:50:50 2006 : Debug: Processing the post-auth section of radiusd.conf Mon Oct 16 17:50:50 2006 : Debug: modcall: entering group post-auth for request 0 Mon Oct 16 17:50:50 2006 : Debug: modsingle[post-auth]: calling sqlippool (rlm_sqlippool) for request 0 Mon Oct 16 17:50:50 2006 : Debug: rlm_sqlippool: Framed-IP-Address already exists Mon Oct 16 17:50:50 2006 : Debug: modsingle[post-auth]: returned from sqlippool (rlm_sqlippool) for request 0 Mon Oct 16 17:50:50 2006 : Debug: modcall[post-auth]: module sqlippool returns noop for request 0 Mon Oct 16 17:50:50 2006 : Debug: modcall: leaving group post-auth (returns noop) for request 0 ... ... Mon Oct 16 17:50:50 2006 : Debug: modsingle[accounting]: calling sqlippool (rlm_sqlippool) for request 1 Mon Oct 16 17:50:50 2006 : Debug: rlm_sql (sql): Reserving sql socket id: 2 Mon Oct 16 17:50:50 2006 : Debug: radius_xlat: 'BEGIN' Mon Oct 16 17:50:50 2006 : Debug: radius_xlat: 'UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE NASIPAddress = 'xx.xx.xx.xx' AND pool_key = '4533F0AA608100' AND pool_name = 'sqlippool'' ... This 'update' will never match !!! Here is the radippool's current line: mysql select * from radippool; ++---+-+--+-+--+-+--+--+ | id | pool_name | FramedIPAddress | NASIPAddress | CalledStationId | CallingStationId | expiry_time | UserName | pool_key |
Re: sqlippool + MySQL
Someone needs to do some serious work on sqlippool. I'd do so, but currently I have no need for SQL-assigned IPs, as I only have one RADIUS server - and if it fails over, the least thing I have to worry about is current IP assignments. I recommend finding someone who is adept at *SQL and buy them a pizza. Then ask them to 'translate' those queries for you. Jan On 16/10/06, Roberto Gonzalez Azevedo [EMAIL PROTECTED] wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Does somebody knows how to configure sqlippool with MySQL ? The sqlippool.conf example is for pgsql. And for MySQL ? Here is my sqlippool.conf, corrected for MySQL: sqlippool sqlippool { # # SQL connection information # sql-instance-name = sql # lease_duration. fix for lost acc-stop packets lease-duration = 3600 # Attribute which should be considered unique per NAS pool-key = %{Acct-Session-Id} pool-name = mypool # pool-key = %{Calling-Station-Id} # # This series of queries allocates an IP address # allocate-clear = UPDATE radippool \ SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \ expiry_time = NOW() - INTERVAL 1 SECOND \ WHERE pool_key = '${pool-key}' # note the ORDER BY clause of next query, it'll try to allocate IPs # like Cisco internal pools do - it _trys_ to allocate the same IP-address # which user had last session... allocate-find = SELECT FramedIPAddress FROM radippool \ WHERE pool_name = '%{reply:Pool-Name}' AND expiry_time NOW() \ ORDER BY pool_name, (UserName '%{User-Name}'), (CallingStationId '%{Calling-Station-Id}'), expiry_time \ LIMIT 1 \ FOR UPDATE allocate-update = UPDATE radippool \ SET NASIPAddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \ CallingStationId = '%{Calling-Station-Id}', UserName = '%{User-Name}', \ expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \ WHERE FramedIPAddress = '%{Framed-IP-Address}' # # This series of queries frees an IP number when an accounting # START record arrives # start-update = UPDATE radippool \ SET expiry_time = NOW() + INTERVAL %J SECOND \ WHERE NASIPAddress = '%n' AND pool_key = '${pool-key}' AND pool_name = '%P' # # This series of queries frees an IP number when an accounting # STOP record arrives # stop-clear = UPDATE radippool \ SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \ expiry_time = NOW() - INTERVAL 1 SECOND \ WHERE NASIPAddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}' AND UserName = '%{User-Name}' \ AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}' # # This series of queries frees an IP number when an accounting # ALIVE record arrives # alive-update = UPDATE radippool \ SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \ WHERE NASIPAddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' AND UserName = '%{User-Name}' \ AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}' # # This series of queries frees the IP numbers allocate to a # NAS when an accounting ON record arrives # on-clear = UPDATE radippool \ SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \ expiry_time = NOW() - INTERVAL 1 SECOND \ WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \ AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}' # # This series of queries frees the IP numbers allocate to a # NAS when an accounting OFF record arrives # off-clear = UPDATE radippool \ SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \ expiry_time = NOW() - INTERVAL 1 SECOND \ WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \ AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}' } Here is the radiusd -X: ... Mon Oct 16 17:50:50 2006 : Debug: Processing the post-auth section of radiusd.conf Mon Oct 16 17:50:50 2006 : Debug: modcall: entering group post-auth for request 0 Mon Oct 16 17:50:50 2006 : Debug: modsingle[post-auth]: calling sqlippool (rlm_sqlippool) for request 0 Mon Oct 16 17:50:50 2006 : Debug: rlm_sqlippool: Framed-IP-Address already exists Mon Oct 16 17:50:50 2006 : Debug: modsingle[post-auth]: returned from sqlippool (rlm_sqlippool) for request 0 Mon Oct 16 17:50:50 2006 : Debug: modcall[post-auth]: module sqlippool returns noop for request 0 Mon Oct 16 17:50:50 2006 : Debug: modcall: leaving group post-auth (returns noop) for request 0 ... ... Mon Oct 16 17:50:50 2006 : Debug: modsingle[accounting]: calling sqlippool (rlm_sqlippool) for request 1 Mon Oct 16 17:50:50 2006 : Debug: rlm_sql (sql): Reserving sql socket id: 2 Mon Oct 16 17:50:50 2006 : Debug: radius_xlat: 'BEGIN' Mon Oct 16 17:50:50 2006 : Debug: radius_xlat: 'UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE NASIPAddress = 'xx.xx.xx.xx' AND pool_key = '4533F0AA608100' AND pool_name =
Re: billing problem in freeradius
anand kumar wrote: Dear All, I want to integrate our billing code in freeradius. and i wants to make a code in c language with mysql database connectivity and i wants to make a so file also . Please help me. Thanks A. K. Anand Kumar Software Engineer(VoIP) Hi Anand, I'm not quite sure what you mean. Are you trying to get freeradius to deny authorization when a user meets certain billing-related criteria, eg: haven't paid their bill for x months, have used up all their pre-paid usage, etc? Or, are you trying to log accounting data into a database in some way that the rlm_sql accounting code doesn't already allow you to do? The standard approach is to simply use sql accounting, which will log accounting data to an SQL (MySQL, PostgreSQL, Oracle etc) database, then use billing software to generate bills based on the data in your accounting table, or a capture of that data at a particular instance, or something similar. If you have usage meters or other such software, you'd have those querying the accounting table. Did that help, or am I way off? Cheers, -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Out of touch for a bit...
I've been away and unable to get mail for the past few days, and now my main net connection has a fibre cut. Hopefully I'll be back up and running tomorrow. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: [sec: unclas] Huntgroupname checkitem in LDAP
I have been experimenting with something like this and found you can (mis)use the hints file to do something like this: DEFAULT Hint = `%{ldap:ldap:///ou=hosts,dc=demo,dc=org?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}}` If you want you can use Huntgroup-Name insttead of hint. in that case, you should add a default, otherwise Huntgroup-Name gets set to "". DEFAULT Huntgroup-Name = `%{ldap:ldap:///ou=hosts,dc=demo,dc=org?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}:-None}` In this case, Huntgroup-Name gets set to None if it isn't found in ldap. Some caveats: The huntgroup file will not be processed if Huntgroup-Name exists already. Since hints is processed before huntgroups that will be the case. Hints does not implement fallthrough - you get one match only. If you want to process usernames too, instantiate another instance. Another approach I have used is similar to your solution. i used rules in users like this: DEFAULT Ldap-Group == `%{Huntgroup-Name}` Access-Level := RW, Service-Type = Administrative-User, Cisco-AVPair := "shell:priv-lvl=15", Passport-Command-Impact = configuration The huntgroups are defined in the huntgroups file, or could be defined as above; users are put into groups corresponding to the huntgroup names. You can also generate pseudo groups like this: DEFAULT Ldap-Group == `%{Huntgroup-Name}_RO` Access-Level := RO, Service-Type = Nas-Prompt-User So a user in radius group sydney_RO gets Readonly access to devices in huntgroup sydney For this to work you need to apply a patch I submitted in the list some time ago, otherwise the substitution works only once. regards Frank Ranner From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan De GraeveSent: Tuesday, 17 October 2006 01:18To: freeradius-users@lists.freeradius.orgSubject: Huntgroupname checkitem in LDAP Hello, im looking for a way to have my huntgroups defined in LDAP similar to the way they are in SQL. For example if a user belongs to Ldap-Group vpn, the Group in ldap contains an attribute containing the huntgroup names which the Group gives access to. I tried adding checkItem Huntgroup-Name info to my ldap.attrmap with attribute info having value: =~ ^(vpn|sslvpn)$ (without succes) I had success with the following setup: In users: DEFAULT Huntgroup-Name == vpn, Ldap-Group == vpn Fall-Through = no DEFAULT Huntgroup-Name == sslvpn, Ldap-Group == sslvpn Fall-Through = no DEFAULT Auth-Type := Reject This allows to specify which user has access to which nasgroup by adding groupmemberships to the user. But it breaks the users existing in SQL. I could off course also add the specific SQL-Groups into the users file but this would still require a reorganisation of the SQL users since they only have a Huntgroup-Name attribtue for there grouplevel which specifies multiple huntgroups by using regexp. Im kinda stuck in how to implement it. Any advice would be greatly appreciated. J. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
Message: 5 Date: Mon, 16 Oct 2006 22:36:14 +0200 From: Josh Shamir [EMAIL PROTECTED] Subject: Re: WPA authentication works only with MacOS clients To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=iso-8859-1 Hi Jason, I want to use PEAP. So I can use PEAP on a WinXP SP2 client without any other supplicant, using his native supplicant. The problem is that with native WinXP supplicant the authentication process failed, and freeradius server give me an error regarding certificates. The strange thing is that with the same certificates, PEAP works fine with MacOSx. Could be a problem of certificates ? I generate certificates with CA.all. Any ideas about how generate certificates that works also with MS WixXP client? This is a common problem. Windows XP requires that the server and client certificates have specific attributes. This is useful as it prevents a main-in-the-middle attack where an authentic client masquerades as a server with his client cert. You need to use Microsoft's Extended Attributes: [ xpclient_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ xpserver_ext ] extendedKeyUsage = 1.3.6.1.5.5.7.3.1 See http://www.linuxjournal.com/node/8095/print for detailed instructions how to create a server certificate that will work with PEAP and MS clients. The HOWTO is for EAP-TLS which requires client and server certificates. Since you are using PEAP, you just need to create the server certificate. Good luck. In particular you'll want to do: openssl req -new -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf openssl ca -config ./openssl.cnf \ -policy policy_anything -out server_cert.pem \ -extensions xpserver_ext -extfile ./xpextensions \ -infiles ./server_req.pem You'll now have server_cert.pem (Public Certificate) and server_key.pem (Private Key which has no password). The public certificate will have the Server extended key usage extensions set and now your XP client should authenticate. signature.asc Description: OpenPGP digital signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
Message: 5 Date: Mon, 16 Oct 2006 22:36:14 +0200 From: Josh Shamir [EMAIL PROTECTED] Subject: Re: WPA authentication works only with MacOS clients To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=iso-8859-1 Hi Jason, I want to use PEAP. So I can use PEAP on a WinXP SP2 client without any other supplicant, using his native supplicant. The problem is that with native WinXP supplicant the authentication process failed, and freeradius server give me an error regarding certificates. The strange thing is that with the same certificates, PEAP works fine with MacOSx. Could be a problem of certificates ? I generate certificates with CA.all. Any ideas about how generate certificates that works also with MS WixXP client? This is a common problem. Windows XP requires that the server and client certificates have specific attributes. This is useful as it prevents a main-in-the-middle attack where an authentic client masquerades as a server with his client cert. You need to use Microsoft's Extended Attributes: [ xpclient_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ xpserver_ext ] extendedKeyUsage = 1.3.6.1.5.5.7.3.1 See http://www.linuxjournal.com/node/8095/print for detailed instructions how to create a server certificate that will work with PEAP and MS clients. The HOWTO is for EAP-TLS which requires client and server certificates. Since you are using PEAP, you just need to create the server certificate. Good luck. In particular you'll want to do: openssl req -new -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf openssl ca -config ./openssl.cnf \ -policy policy_anything -out server_cert.pem \ -extensions xpserver_ext -extfile ./xpextensions \ -infiles ./server_req.pem You'll now have server_cert.pem (Public Certificate) and server_key.pem (Private Key which has no password). The public certificate will have the Server extended key usage extensions set and now your XP client should authenticate. Jason Wittlin-Cohen P.S: Sorry for the double post. My last message had flowed text making it very difficult to read so I decided to resend it. signature.asc Description: OpenPGP digital signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html