Dialup admin

2005-04-20 Thread Angelo Gelmi [Web3king]
I've configured freeradius+dialupadmin in order to authenticate users
through an access point 3com 7250. All is fine except that
Dialup admin does not record the username of the connected user; it
seems that for freeradius or dialupadmin the user is simply the access
point.

Is that its normal behaviour?
Thank You,
Angelo
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: ip-pool

2005-04-20 Thread Tom Fritz

Hi,

I really don't know what I'm doing wrong. Probably I have misunderstood
something. I'm using ttls/md5 authentication; it's working fine and I get an
IP address from a DHCP server.

To get the ip address from an ippool I have made the following
configurations:

- user file:
user_name User-Password == , Pool-Name := my_pool
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-MTU = 1500,

- radiusd.conf file:

ippool my_pool{
range-start = 10.0.0.11
range-stop  = 10.0.0.30
netmask = 255.0.0.0
cache-size  = 800
session-db  = ${raddbdir}/ip-pool.db
ip-index= ${raddbdir}/ip-index.db
override= no
maximum-timeout = 0
}

And the Access accept message looks like this:

..
rlm_ippool: Allocated ip 10.0.0.26 to client on nas 10.0.0.1,port 503
..
Sending Access-Accept of id 62 to 10.0.0.1:21647
        Service-Type = Framed-User,
        Framed Protocol = PPP,
        Framed MTU = 1500,
        MS-MPPE-Recv-Key = 0x***
        MS-MPPE-Send-Key = 0x***
        EAP-Message = 0x*
        Message-Authenticator = 0x*
        User-Name = user_name
        Framed-IP-Address = 10.0.0.26
        Framed-IP-Netmask = 255.0.0.0

The NAS still receives his IP address from the DHCP server and not from the
radius server. 

Could you please tell me which RFCs to read?

Thanks for the reply
Tom Fritz 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: mardi 19 avril 2005 18:46
To: freeradius-users@lists.freeradius.org
Subject: Re: ip-pool 

Tom Fritz [EMAIL PROTECTED] wrote:
 The radius server is sending the correct Framed-IP-Address with the
 Access-Accept message, but it isn't assigned to the connection.

  Then the NAS is not doing what it's told.

  Either the NAS is buggy, or you didn't assign Framed-Protocol and
Service-Type, too.  See the RFC's, or your NAS documentation.

  Alan DeKok.


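An added example, not part of the thread, that audits what the server sent against the pool it was configured with: it parses an ippool block and an Access-Accept dump like the ones above and reports an address outside the configured range, a netmask that differs from the pool's, or a missing Service-Type/Framed-Protocol, the two attributes Alan's reply says must accompany Framed-IP-Address. The pool block and reply dump are constructed samples modelled on the post; the function names and finding texts are the example's own.

```python
"""Audit an rlm_ippool block against the Access-Accept that radiusd -X printed."""
import ipaddress
import re

# Constructed sample, modelled on the ippool block in the post (the ${raddbdir}
# lines are kept on purpose: a naive brace regex would stop at the '}' in them).
IPPOOL_CONF = """
ippool my_pool {
    range-start = 10.0.0.11
    range-stop  = 10.0.0.30
    netmask = 255.0.0.0
    cache-size  = 800
    session-db  = ${raddbdir}/ip-pool.db
    ip-index    = ${raddbdir}/ip-index.db
    override    = no
    maximum-timeout = 0
}
"""

# Constructed reply dump, modelled on the debug output in the post.
ACCESS_ACCEPT = """
Sending Access-Accept of id 62 to 10.0.0.1:21647
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-MTU = 1500,
    User-Name = user_name
    Framed-IP-Address = 10.0.0.26
    Framed-IP-Netmask = 255.0.0.0
"""

# Attributes a NAS generally needs alongside Framed-IP-Address before it treats
# the session as a framed (PPP) user and applies the address.
REQUIRED_WITH_ADDRESS = ("Service-Type", "Framed-Protocol")


def parse_ippool(text):
    """Return {pool_name: {key: value}} for every 'ippool NAME { ... }' block."""
    pools, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"ippool\s+(\S+)\s*\{", line)
        if m:
            name = m.group(1)
            pools[name] = {}
        elif line == "}":
            name = None
        elif name and "=" in line:
            key, value = line.split("=", 1)
            pools[name][key.strip()] = value.strip()
    return pools


def parse_reply(text):
    """Return the attribute/value pairs of a reply dump; trailing commas are tolerated."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*=\s*(.+?),?\s*$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def audit(pool_conf, reply_text, pool_name):
    """Return a list of findings; an empty list means the reply is consistent with the pool."""
    findings = []
    pool = parse_ippool(pool_conf)[pool_name]
    attrs = parse_reply(reply_text)
    addr = attrs.get("Framed-IP-Address")
    if addr is None:
        return ["no Framed-IP-Address in reply"]
    ip = ipaddress.IPv4Address(addr)
    lo = ipaddress.IPv4Address(pool["range-start"])
    hi = ipaddress.IPv4Address(pool["range-stop"])
    if not lo <= ip <= hi:
        findings.append(f"{addr} is outside pool {pool_name} ({lo}-{hi})")
    if attrs.get("Framed-IP-Netmask") != pool["netmask"]:
        findings.append("Framed-IP-Netmask differs from the pool netmask")
    for name in REQUIRED_WITH_ADDRESS:
        if name not in attrs:
            findings.append(f"{name} missing; a NAS may ignore Framed-IP-Address without it")
    return findings


if __name__ == "__main__":
    print(audit(IPPOOL_CONF, ACCESS_ACCEPT, "my_pool") or "reply consistent with pool")
```

For the reply in the post the audit comes back clean, which is Dustin's point: the server has done its part, and what the NAS does with the address is the NAS's business.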


Attributes Missing - Auth with ldap

2005-04-20 Thread Andre Herkenrath
Hi,

I have a very strange problem.
I authenticate a user against a Novell 6 Server, which is not the
problem.
But I need some Attributes from the authentication brought back to the
NAS

I put these in the users file and it worked with another server:

Users (complete)
-
DEFAULT Auth-Type := LDAP, Ldap-Group == "CN=WGRAS,O=FKEL"
        Reply-Message = "Welcome, you are allowed to have dialup access",
        Framed-Filter-Id = "std.ppp",
        Fall-Through = 0
--
The Ldap portion of the radiusd.conf (comments removed)

ldap {
        server = 170.56.185.59
        identity = anonymous
        basedn = "OU=Abteilungen,O=FKEL"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupmembership_attribute = radiusGroupName
        timeout = 20
        timelimit = 20
        net_timeout = 10
}

Strangely, the binds take a very long time (up to 8 seconds each), but
what does this have to do with the attributes not being transmitted?

As I said, the authentication works, but the attributes are missing.
Any ideas?

Regards
Andre



TLS Alert write:fatal:certificate revoked

2005-04-20 Thread freeradius
hello

the certificate listed below isn't revoked, but the following error occurred
during authentication

  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0782], Certificate
--> verify error:num=23:certificate revoked
chain-depth=0,
error=23
--> User-Name = Kom
--> BUF-Name = Kom
--> subject = /C=CH/CN=Kom/[EMAIL PROTECTED]
--> issuer  = /C=CH/CN=WisecCA
--> verify return:0
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_revoked
TLS Alert write:fatal:certificate revoked
TLS_accept:error in SSLv3 read client certificate B
16917:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2021:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase


thanks for reply

alain





Re: Attributes Missing - Auth with ldap

2005-04-20 Thread Michael Mitchell
Firstly, run freeradius in debug mode (radiusd -X) and it will tell you 
exactly what it is doing. You should be able to see which attribute it 
has retrieved from the directory to add to the reply.

A few things to look at would be:
1) Do you have ldap configured in the authorize section of radiusd.conf? 
This is where it picks up the attributes from the user's record.

2) If the answer to 1 is yes, You're doing an anonymous bind to the LDAP 
server. Does that give you the necessary access rights to read the 
record from LDAP?

3) If the answer to 2 is yes, are the attributes you're trying to 
read/return configured in $prefix/etc/raddb/ldap.attrmap

Hope that helps, and guides you on your way to a solution.
regards,
Mike



Radrelay stops sending data

2005-04-20 Thread David Jones

Good day all,

I fired up radrelay yesterday morning and it began to send
accounting data to my usage accounting server like it should, but for some reason there
is no more data being passed from my FR 1.0.1 server. Radrelay has run the
entire time and my FR server is still writing to my detail-combined file, but
no data passes. Both servers are on the same box, so I run radrelay like so:

/usr/local/bin/radrelay -a /var/log/radius/radacct/ -d /etc/raddb -S /etc/raddb/relayserv -r localhost:1646 detail-combined

I have a cronjob to check every hour whether radrelay is running
and, if not, restart it; so far it has never failed. Both radius
servers are alive and well, so I am at a loss.

Since I am new to radrelay, any hints or gotchas would be greatly
appreciated.

Thanks,

David










RE: ip-pool

2005-04-20 Thread Dustin Doris



Radius did its job and sent back the Framed-IP-Address and whatever reply
items you gave it.  It's up to the NAS to use that radius reply value and
assign it to the user.  You have to read the documentation on your NAS and
see what radius values it needs and how to enable it to use the radius
values instead of using dhcp.




Re: rlm_perl and perl modules

2005-04-20 Thread Boian Jordanov
On Wed, Apr 20, 2005 at 01:41:21AM +0200, Emil Wilmanski wrote:
 
 All of normal scripts work perfect with any module... Only radius say
 that have problem with libs. I don't know why. Maybe somebody have any
 idea... Maybe perl 5.8.4 is not for this, or I have to compile
 freeradius with some other flags. I just use dpkg-buildpackage. 
 Any idea? Maybe wrong path to libs? (how to set it?)

Check output of perl -V, see if it does include useshrplib=true? and
libperl=libperl.so. Check output of perl -MExtUtils::Embed -e ccopts
-e ldopts 

Check against which libperl is linked rlm_perl

-- 
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723 
tel. +359 2 4004 002



AW: Attributes Missing - Auth with ldap

2005-04-20 Thread Andre Herkenrath
Hi, 
I looked at a few things:

1. the authorize section contains ldap
2. I bind with an existing user
3. I want to return Filter-Id and this is in the ldap.attrmap

The strange thing is the following:

I run the Freeradius on a Virtual machine.
I tried this first with Novell Server A.
There I had a very fast bind and got my return attributes.

Then I tried with Novell Server B.
The bind was very slow and I didn't get my attributes.

The only thing I changed were the servers and groups I authenticate
against.

Your answer brings me to another question:
Do the return Attributes need to be defined on the user properties on
the novell server ?

Find attached a debug output:

rad_recv: Access-Request packet from host 170.56.119.129:3243, id=1,
length=48
User-Name = herkenra
User-Password = removed
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = herkenra, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'OU=Abteilungen,O=FKEL'
radius_xlat:  '(uid=herkenra)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 170.56.185.59:389, authentication 0
rlm_ldap: bind as cn=B_LDAP,o=FKEL/ to 170.56.185.59:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter
(uid=herkenra)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:
'(|((objectClass=GroupOfNames)(member=cn=herkenra,ou=GCD,ou=Abteilungen
,o=FKEL))((objectClass=GroupOfUniqueNames)(uniquemember=cn=herkenra,ou=
GCD,ou=Abteilungen,o=FKEL)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=WGRAS,O=FKEL, with filter
(|((objectClass=GroupOfNames)(member=cn=herkenra,ou=GCD,ou=Abteilungen,
o=FKEL))((objectClass=GroupOfUniqueNames)(uniquemember=cn=herkenra,ou=G
CD,ou=Abteilungen,o=FKEL)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL,
with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module files returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for herkenra
radius_xlat:  '(uid=herkenra)'
radius_xlat:  'OU=Abteilungen,O=FKEL'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter
(uid=herkenra)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user herkenra authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by herkenra with password removed
rlm_ldap: user DN: cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL
rlm_ldap: (re)connect to 170.56.185.59:389, authentication 1
rlm_ldap: bind as cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL/removed to
170.56.185.59:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user herkenra authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 1 to 170.56.119.129:3243
Finished request 0
Going to the next request


Re: AW: Attributes Missing - Auth with ldap

2005-04-20 Thread Dustin Doris
On Wed, 20 Apr 2005, Andre Herkenrath wrote:

 Hi,
 I looked at a few things:

 1. the authorize section contains ldap
 2. I bind with an existing user
 3. I want to return Filter-Id and this is in teh ldap.attrmap

 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to 170.56.185.59:389, authentication 0
 rlm_ldap: bind as cn=B_LDAP,o=FKEL/ to 170.56.185.59:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter
 (uid=herkenra)
 rlm_ldap: ldap_release_conn: Release Id: 0
 rlm_ldap: performing user authorization for herkenra
 radius_xlat:  '(uid=herkenra)'
 radius_xlat:  'OU=Abteilungen,O=FKEL'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in OU=Abteilungen,O=FKEL, with filter
 (uid=herkenra)
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user herkenra authorized to use remote access

**Nothing was found for reply items.

 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 0
 modcall: group authorize returns ok for request 0


You need to make sure that your ldap.attrmap is correct, the entry in ldap
is correct, and the user you are searching with has permissions to read
that value.

For ldap.attrmap, remember you match a radius attribute to an ldap
attribute.

replyItem  Filter-Id   radiusFilterId

So you should have an entry in your directory with radiusFilterid.

dn: uid=...
somestuff...
radiusFilterid: some string

Try it with the command line.

$ ldapsearch -x -D "cn=B_LDAP,o=FKEL" -w yourpassword -b "OU=Abteilungen,O=FKEL" uid=herkenra

Does that return the radiusFilterid?





detail logs aren't using the client IP address

2005-04-20 Thread David E. Smith
My radiusd.conf has several sections like this:

detail {
  detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
  detailperm = 0600
}

Based on all the other compiled-in settings, this looks like it should put logs 
in /usr/radius/var/log/radius/radacct/ip.add.re.ss/(logs here)

The ip address part isn't being honored, though. Logs are just going to
/usr/radius/var/log/radius/radacct/(logs here).

To my untrained eyes, everything in radiusd.conf, clients.conf (just a list of 
a half-dozen NASes), and proxy.conf looks normal and looks like it makes sense. 
Any suggestions on where I could look for a possible solution?

(This is with freeradius 1.0.2. Entire configuration files can be sent if 
needed.)

Thanks!

David Smith
MVN.net



Re: xlat LDAP woes

2005-04-20 Thread Alan DeKok
Jan-Piet Mens [EMAIL PROTECTED] wrote:
The LDAP attribute is supposed to be an IP address, not a string
  that requires more processing before it becomes an IP address.
 
 Would it be possible and can you please give me a hint, perhaps a pointer to
 documentation?

  I'm not sure what else you want to know.  Use an IP address for the
value of that attribute, and it will work.

  Alan DeKok.




AW: AW: Attributes Missing - Auth with ldap

2005-04-20 Thread Andre Herkenrath
Hi,

I did the ldapsearch and here is the output:

herkenra
# extended LDIF
#
# LDAPv3
# base OU=Abteilungen,O=FKEL, with scope sub
# filter: uid=herkenra
# requesting: ALL
#

# search result
search: 2
result: 80 Internal (implementation specific) error
text: NDS error: no referrals (-634)

# numResponses: 1

It seems that the Novell 6.0 Ldap isn't working as expected!

I tried this on the Novell 6.5 Server I use for testing and got this
result:
# extended LDIF
#
# LDAPv3
# base o=MH with scope sub
# filter: uid=andre
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

With the Novell 6.5, I could append the attribute, that I defined in the
users-File without putting anything in the user directory.

Do you have any ideas ??

Is there a possibility to give these attributes without the exact LDAP
result ?

Regards André

 
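An added example, not from the thread, that covers both Dustin's point (ldap.attrmap maps a RADIUS reply item to an LDAP attribute that has to exist on the user's entry) and the ldapsearch results Andre posted. It parses an ldap.attrmap excerpt and ldapsearch LDIF output and returns the reply items the entry would yield: an entry that lacks the mapped attribute yields none, which is the "nothing was found for reply items" case, and a non-zero result such as the NDS "no referrals (-634)" error is reported before any mapping is attempted. The attrmap rows, the LDIF texts and the std.ppp value are constructed; the function names are the example's own.

```python
"""Work out which RADIUS reply items an LDAP entry would yield, given ldap.attrmap."""

# Constructed ldap.attrmap excerpt in the three-column format Dustin describes.
ATTRMAP = """
# kind        RADIUS attribute     LDAP attribute
checkItem     Ldap-Group           radiusGroupName
replyItem     Filter-Id            radiusFilterId
replyItem     Framed-IP-Address    radiusFramedIPAddress
"""

# Constructed ldapsearch outputs: an entry carrying the mapped attribute, one that
# does not, and a search that failed the way the NDS server in the thread did.
LDIF_WITH_FILTER = """
dn: cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL
uid: herkenra
radiusFilterId: std.ppp

# search result
search: 2
result: 0 Success
"""

LDIF_WITHOUT_FILTER = """
dn: cn=herkenra,ou=GCD,ou=Abteilungen,o=FKEL
uid: herkenra

# search result
search: 2
result: 0 Success
"""

LDIF_NDS_ERROR = """
# search result
search: 2
result: 80 Internal (implementation specific) error
text: NDS error: no referrals (-634)
"""


def parse_attrmap(text):
    """Return [(kind, radius_attr, ldap_attr)], ignoring comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 3 and parts[0] in ("checkItem", "replyItem"):
            rows.append(tuple(parts))
    return rows


def parse_ldif(text):
    """Return (result_code, result_text, entries); each entry maps lowercased attr -> [values]."""
    entries, current = [], None
    code, msg = None, ""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:                      # blank line or comment ends the entry
                entries.append(current)
                current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "result":
            code, msg = int(value.split()[0]), value
        elif key == "text":
            msg = f"{msg}: {value}"
        elif key == "search":
            continue
        else:
            if current is None:
                current = {}
            current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return code, msg, entries


def reply_items(attrmap_text, ldif_text):
    """Return (status, items): status is 'ok', 'ldap-error' or 'no-entry'."""
    code, msg, entries = parse_ldif(ldif_text)
    if code not in (None, 0):
        return "ldap-error", [msg]
    if not entries:
        return "no-entry", []
    entry = entries[0]
    items = []
    for kind, radius_attr, ldap_attr in parse_attrmap(attrmap_text):
        if kind != "replyItem":
            continue
        for value in entry.get(ldap_attr.lower(), []):
            items.append((radius_attr, value))
    return "ok", items


if __name__ == "__main__":
    for name, ldif in (("with", LDIF_WITH_FILTER), ("without", LDIF_WITHOUT_FILTER), ("nds", LDIF_NDS_ERROR)):
        print(name, reply_items(ATTRMAP, ldif))
```

Run against the three samples this gives one Filter-Id reply item, an empty reply list, and an ldap-error carrying the -634 text, which is the order in which the thread's diagnosis actually has to proceed: a directory error first, then whether the entry has the mapped attribute at all.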


Re: ip-pool

2005-04-20 Thread Alan DeKok
Tom Fritz [EMAIL PROTECTED] wrote:
 I really don't know what i'm doing wrong. Probably I have misunderstood
 something. I'm using ttls/md5 authentication it's working fine and I get an
 ip address from a dhcp server.

  That's the way that wireless works.  You can't change it.

  Authentication is via EAP, IP addresses are via DHCP.

  Now, if you had a DHCP to RADIUS gateway, you could forward the DHCP
request to the RADIUS server, and it could assign an address to the
user.  But DHCP would still be used, and no such gateway exists in
GPL'd code.

  Alan DeKok.



Re: detail logs aren't using the client IP address

2005-04-20 Thread Alan DeKok
David E. Smith [EMAIL PROTECTED] wrote:
 The ip address part isn't being honored, though. Logs are just going to
 /usr/radius/var/log/radius/radacct/(logs here).
 
 To my untrained eyes, everything in radiusd.conf, clients.conf (just
 a list of a half-dozen NASes), and proxy.conf looks normal and looks
 like it makes sense.

  Are you sure that radiusd is reading the radiusd.conf file you think
it is?

  Alan DeKok.




Re: AW: AW: Attributes Missing - Auth with ldap

2005-04-20 Thread Mearl Danner
Probably in the NDS setup - where the replicas are and which replica the info 
you're trying to get is on.

Check this TID. It explains the referral process.

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10061859.htm 

Mearl



Users classes

2005-04-20 Thread Anderson Alves de Albuquerque

How can I create classes of users in Radius?



Question concerning vp_prints

2005-04-20 Thread Wolfgang Hottgenroth
Hi,


I see in lib/print.c:

static const char *vp_tokens[] = {
  "?",				/* T_INVALID */
  "EOL",			/* T_EOL */
  "{",
  "}",
  "(",
  ")",
  ",",
  ";",
  "+=",
  "-=",
  ":=",
  "=",
  "!=",
  ">=",
  ">",
  "<=",
  "<",
  "=~",
  "!~",
  "=*",
  "~*",
  "==",
  "#",
  "BARE-WORD",
  "\"STRING\"",
  "'STRING'",
  "`STRING`"
};


The ~*, shouldn't that be !* to be in sync with token.h:

  T_OP_CMP_TRUE,/* =* */
  T_OP_CMP_FALSE,   /* !* */



Cheers and thanks,
Wolfgang

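An added example, not from the post or from the FreeRADIUS sources, of the kind of check that catches the mismatch Wolfgang describes: vp_tokens is indexed by the token enum, so the string at each position must equal the operator documented in the enum's comment in token.h. The two excerpts are constructed, reduced to the operator entries and using the spellings shown in the post; the parsers and find_mismatches are the example's own.

```python
"""Check that a vp_tokens-style string table matches the token enum it is indexed by."""
import re

# Constructed excerpt shaped like the token.h enum: each entry documents its operator
# in a trailing comment, which is the only machine-readable statement of intent.
TOKEN_H = """
typedef enum {
    T_OP_ADD,        /* += */
    T_OP_SUB,        /* -= */
    T_OP_SET,        /* := */
    T_OP_EQ,         /* = */
    T_OP_NE,         /* != */
    T_OP_GE,         /* >= */
    T_OP_GT,         /* > */
    T_OP_LE,         /* <= */
    T_OP_LT,         /* < */
    T_OP_REG_EQ,     /* =~ */
    T_OP_REG_NE,     /* !~ */
    T_OP_CMP_TRUE,   /* =* */
    T_OP_CMP_FALSE,  /* !* */
    T_OP_CMP_EQ,     /* == */
} FR_TOKEN;
"""

# Constructed excerpt shaped like the lib/print.c table, with the "~*" the post questions.
PRINT_C = """
static const char *vp_tokens[] = {
    "+=",
    "-=",
    ":=",
    "=",
    "!=",
    ">=",
    ">",
    "<=",
    "<",
    "=~",
    "!~",
    "=*",
    "~*",
    "==",
};
"""


def parse_enum(text):
    """Return [(name, documented_operator)] in declaration order from an enum with comments."""
    return re.findall(r"^\s*(T_\w+)\s*,\s*/\*\s*(\S+)\s*\*/", text, re.M)


def parse_table(text):
    """Return the string literals of a C string array, in order."""
    body = re.search(r"\{(.*?)\}", text, re.S).group(1)
    return re.findall(r'"((?:\\.|[^"\\])*)"', body)


def find_mismatches(enum_text, table_text):
    """Return [(index, enum_name, expected, actual)] for every position where the two disagree."""
    names = parse_enum(enum_text)
    strings = parse_table(table_text)
    problems = []
    for i, (name, documented) in enumerate(names):
        actual = strings[i] if i < len(strings) else None
        if actual != documented:
            problems.append((i, name, documented, actual))
    if len(strings) > len(names):          # table longer than enum: trailing entry is unowned
        problems.append((len(names), None, None, strings[len(names)]))
    return problems


if __name__ == "__main__":
    for index, name, expected, actual in find_mismatches(TOKEN_H, PRINT_C):
        print(f"index {index}: {name} documents {expected!r} but the table prints {actual!r}")
```

On the constructed excerpts the only report is at index 12: T_OP_CMP_FALSE documents "!*" while the table prints "~*", which is exactly the entry the post asks about. Because the table is positional, an entry inserted into one file and not the other shifts every later string, which the length check at the end also flags.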


Re: Question concerning vp_prints

2005-04-20 Thread Wolfgang Hottgenroth
I'm sorry for not being very exact. This is about 1.0.2. I've checked
CVS, it is there too.

Wolfgang





Calling Station Id not working

2005-04-20 Thread Joel n.solanki

Dear all,

I want to use mac authentication in radius. 

I have been struggling for 2 days with the Calling-Station-Id
setup. I am using pppoe + freeradius + mysql. I have set up dialup admin too. I
have manually entered Calling-Station-Id in
/usr/local/dialup-admin/conf/admin.conf, so now I have the option of
Calling-Station-Id in dialup admin. I created one user providing the MAC address of
that user's ethernet card. But it is not getting authenticated. I am getting the
error below.

rad_recv: Access-Request packet from host 127.0.0.1:32779, id=200, length=69
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "user2"
        User-Password = "user2"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "user2", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
    users: Matched entry DEFAULT at line 183
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  'user2'
rlm_sql (sql): sql_set_user escaped user --> 'user2'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'user2' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user2' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'user2' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user2' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user [user2]
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound for request 0
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
  modcall[authorize]: module "checkval" returns notfound for request 0
I am not getting Calling-Station-Id in the request 
info. Can anybody help me.

Thanks in Advance.
Joel 

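An added example, not from the thread and not a description of how rlm_checkval behaves (the debug above shows it returning notfound when the attribute is absent). It parses an Access-Request dump like the one above, normalises the MAC spelling (colons, dashes, case) before comparing it with the check item, and fails closed with an explicit reason when the NAS did not send Calling-Station-Id at all, which is the situation Alan's reply describes as unfixable on the server side. The request dumps, the user2 check item and its MAC value are constructed.

```python
"""Evaluate a Calling-Station-Id (MAC) check item against an Access-Request dump."""
import re

# Constructed request dump shaped like the rad_recv output in the post; the
# second variant carries the attribute the first one lacks.
REQUEST_WITHOUT_MAC = """
rad_recv: Access-Request packet from host 127.0.0.1:32779, id=200, length=69
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "user2"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
"""

REQUEST_WITH_MAC = REQUEST_WITHOUT_MAC + '        Calling-Station-Id = "00-11-22-AA-BB-CC"\n'

# Constructed check items, as dialup-admin would store them in radcheck
# (the MAC itself is a made-up value).
CHECK_ITEMS = {"user2": {"Calling-Station-Id": "00:11:22:aa:bb:cc"}}


def parse_request(text):
    """Return {attribute: value} from a rad_recv dump, stripping surrounding quotes."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r'\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def normalise_mac(value):
    """Canonical lower-case colon form, or None if the value is not a 48-bit MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def check_calling_station(request_text, user, check_items):
    """Return (decision, reason); the reason is what a log line for the decision should carry."""
    attrs = parse_request(request_text)
    expected = check_items.get(user, {}).get("Calling-Station-Id")
    if expected is None:
        return "accept", "no Calling-Station-Id restriction configured for user"
    presented = attrs.get("Calling-Station-Id")
    if presented is None:
        # The post's situation: the NAS never sent the attribute, so there is
        # nothing to compare and the only safe outcome is to fail closed.
        return "reject", "Calling-Station-Id absent from request"
    got, want = normalise_mac(presented), normalise_mac(expected)
    if got is None or want is None:
        return "reject", "Calling-Station-Id is not a MAC address"
    if got != want:
        return "reject", "Calling-Station-Id does not match check item"
    return "accept", "Calling-Station-Id matches"


if __name__ == "__main__":
    print(check_calling_station(REQUEST_WITHOUT_MAC, "user2", CHECK_ITEMS))
    print(check_calling_station(REQUEST_WITH_MAC, "user2", CHECK_ITEMS))
```

Normalising both sides before comparing matters in practice because NASes emit MACs in several spellings; a string comparison against the value typed into dialup-admin would fail on dashes or upper case even when the NAS does send the attribute.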

Re: Calling Station Id not working

2005-04-20 Thread Alan DeKok
Joel n.solanki [EMAIL PROTECTED] wrote:
 I am not getting Calling-Station-Id in the request info. Can anybody
 help me.

  If the NAS isn't sending it, there's nothing you can do to the
RADIUS server to get that data.

  Alan DeKok.




Re: rlm_perl and perl modules

2005-04-20 Thread Emil Wilmanski
 Check output of perl -V, see if it does include useshrplib=true? and
 libperl=libperl.so. 

$perl -V | grep -i useshrplib
config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN
-Dcccdlflags=-fPIC -Darchname=i386-linux -Dprefix=/usr
-Dprivlib=/usr/share/perl/5.8 -Darchlib=/usr/lib/perl/5.8
-Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5
-Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local
-Dsitelib=/usr/local/share/perl/5.8.4
-Dsitearch=/usr/local/lib/perl/5.8.4 -Dman1dir=/usr/share/man/man1
-Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1
-Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl
-Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Uusesfio -Uusenm
-Duseshrplib -Dlibperl=libperl.so.5.8.4 -Dd_dosuid -des'
libc=/lib/libc-2.3.2.so, so=so, useshrplib=true,
libperl=libperl.so.5.8.4

All ok.

 Check output of perl -MExtUtils::Embed -e ccopts
 -e ldopts 

 $perl -MExtUtils::Embed -e ccopts -e ldopts
-Wl,-E  -L/usr/local/lib /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a
-L/usr/lib/perl/5.8/CORE -lperl -ldl -lm -lpthread -lc -lcrypt
 -D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN
-fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64  -I/usr/lib/perl/5.8/CORE 


[EMAIL PROTECTED]:/usr/lib$ ls -l | grep libperl
-rw-r--r--   1 root root  1400854 2005-03-08 11:15 libperl.a
lrwxrwxrwx   1 root root   14 2005-04-16 16:28 libperl.so -> libperl.so.5.8
lrwxrwxrwx   1 root root   16 2005-04-16 16:28 libperl.so.5.8 -> libperl.so.5.8.4
-rw-r--r--   1 root root  1150824 2005-03-08 11:15 libperl.so.5.8.4

 Check against which libperl is linked rlm_perl
 

Hmmm. how to test it??

--
EW




Re: rlm_perl and perl modules

2005-04-20 Thread Emil Wilmanski
 Check against which libperl is linked rlm_perl

 ldd rlm_perl-1.0.2.so 
libperl.so.5.8 => /usr/lib/libperl.so.5.8 (0xb7ec3000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7ebf000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7e9d000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7d69000)
libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7d3c000)
libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7d28000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7d16000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7d05000)
libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0xb7c06000)
libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0xb7bd5000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)


# ldconfig -p | grep libperl.so.5.8
libperl.so.5.8 (libc6) => /usr/lib/libperl.so.5.8
??
--
EW



Freeradius EAP-TLS client/server certificate

2005-04-20 Thread Beat Meier
Hi
This question is rather a certificate question but ...
How does EAP-TLS certificate authentication work?
As I know, the server sends his certificate first, with his public key, to
the client.
The client sends his certificate to the radius server.

I first had the username of the client (identity string of EAP) in the
users file.
My client is authorized.
Then I deleted the user and the client is still accepted.

How can I restrict the clients?
Does it mean that every generated certificate which is not revoked can
be used, i.e. is authorized?

The same goes for the server side. How can I guarantee I'm on the right server
if I don't have the server certificate on the client (supplicant) side?
In the wpa_supplicant config file they are talking about Phase1
(outer authentication)
and Phase2 (inner authentication), but only for EAP-PEAP or EAP-TTLS, and
it says
"Following certificate/private key fields are used in inner Phase2"

I'm really confused.
Is there any good beginner docu about how certificate authentication and
EAP-TLS work?
But please not rfc 2246 ...

I'm working with freeradius-1.0.2, wpa_supplicant-0.3.8 as supplicant
and a Linksys WRT54G as NAS.

Thanks a lot
Beat
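An added example, not from the thread, that relates to both alain's rlm_eap_tls trace earlier in this digest and Beat's question about restricting which client certificates are accepted. It parses the subject, issuer and verify lines that rlm_eap_tls prints, treats any verify error (num=23 is OpenSSL's X509_V_ERR_CERT_REVOKED) as a rejection, and then applies an identity policy on top of chain validity: the expected issuer CN, a subject CN that appears in an enrolment list, and an EAP identity equal to that CN. The debug excerpts, the enrolment list and the e-mail component of the subject are constructed; the names Kom and WisecCA are the ones from alain's trace.

```python
"""Extract the peer certificate details rlm_eap_tls prints and apply an identity policy."""
import re

# Constructed debug excerpts in the shape of the rlm_eap_tls output quoted earlier
# in the digest; the e-mail component is made up.
HANDSHAKE_OK = """
--> User-Name = Kom
--> BUF-Name = Kom
--> subject = /C=CH/CN=Kom/emailAddress=kom@example.invalid
--> issuer  = /C=CH/CN=WisecCA
--> verify return:1
"""

HANDSHAKE_REVOKED = """
--> verify error:num=23:certificate revoked
chain-depth=0,
error=23
--> User-Name = Kom
--> BUF-Name = Kom
--> subject = /C=CH/CN=Kom/emailAddress=kom@example.invalid
--> issuer  = /C=CH/CN=WisecCA
--> verify return:0
"""

# Constructed policy: one trusted issuer, and only certificates whose CN is an
# enrolled identity that also matches the EAP identity the supplicant sent.
EXPECTED_ISSUER_CN = "WisecCA"
ENROLLED = {"Kom", "alice"}


def parse_dn(one_line):
    """Turn OpenSSL's /C=CH/CN=Kom/... one-line form into an ordered list of (key, value)."""
    return [tuple(p.split("=", 1)) for p in one_line.strip("/").split("/") if "=" in p]


def parse_handshake(text):
    """Collect subject, issuer, EAP identity, the verify result and any verify error."""
    info = {"verify_error": None, "verify_return": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"-->\s*(subject|issuer|User-Name)\s*=\s*(.+)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"-->\s*verify error:num=(\d+):(.+)$", line)
        if m:
            info["verify_error"] = (int(m.group(1)), m.group(2).strip())
            continue
        m = re.match(r"-->\s*verify return:(\d+)$", line)
        if m:
            info["verify_return"] = int(m.group(1))
    return info


def decide(text, enrolled=ENROLLED, issuer_cn=EXPECTED_ISSUER_CN):
    """Return (decision, reason): chain validity comes from OpenSSL, identity from policy."""
    info = parse_handshake(text)
    if info["verify_error"] is not None or info["verify_return"] != 1:
        return "reject", f"chain verification failed: {info['verify_error']}"
    subject = dict(parse_dn(info.get("subject", "")))
    issuer = dict(parse_dn(info.get("issuer", "")))
    if issuer.get("CN") != issuer_cn:
        return "reject", f"unexpected issuer {issuer.get('CN')!r}"
    cn = subject.get("CN")
    if cn not in enrolled:
        return "reject", f"certificate CN {cn!r} is not an enrolled identity"
    if info.get("User-Name") != cn:
        return "reject", "EAP identity does not match certificate CN"
    return "accept", f"{cn} authorised"


if __name__ == "__main__":
    print(decide(HANDSHAKE_OK))
    print(decide(HANDSHAKE_REVOKED))
```

The two layers are deliberately separate: OpenSSL answers "was this certificate issued by a CA I trust and is it still valid", and the policy answers "is this particular holder allowed in", which is the gap Beat noticed when deleting the user from the users file changed nothing.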