Use of Service type attribute
Hi,

I am developing a RADIUS client for our embedded product. I would like the RADIUS client implementation to support the association of a privilege level with individual accounts, e.g. the account normal_user has a privilege that allows read-only access while the account admin_user has a privilege that allows read-write access (can change our system configuration). Is it possible to use the Service-Type attribute for this purpose, with the Login value for normal_user and Administrative for admin_user? Please clarify.

Thanks
-Chandra

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius, deb (sid)
Hi all,

I'd like to use freeradius with PEAP. From freeradius -X:

    rlm_eap: Loaded and initialized type gtc
    rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory

rlm_eap_tls.so seems to be missing. Does anyone know some debian source to get it with it? Is there some guide about how to build it and what dependencies are needed for that?

br,
gabor
assign a value to an attribute via a script
Hello,

I'm searching how to use a script to modify the value of an attribute. When I try the example of radiusd.conf:

    Attribute-Name = `%{echo:/path/to/program args}`

In my test I try to use a script to assign an IP address to the attribute Framed-IP-Address:

    Framed-IP-Address = `%{dhcp:/etc/raddb/test %{User-Name} %{NAS-IP-Address}}`

I've added this in the accounting module with the same result, as I want to fix this value in the attribute Framed-IP-Address during the time of an active accounting session. I've created an exec module:

    exec dhcp {
        wait = yes
        input_pairs = request
        output_pairs = reply
        packet_type = Access-Accept
    }

I get an error message when I try to start:

    ERROR: Cannot find a configuration entry for module Framed-IP-Address.

The rest of the radiusd.conf configuration is pointing to a MySQL database and works well. I've tested successfully the script itself alone in the echo module configuration:

    program = /var/log/radius/test %{User-Name} %{NAS-IP-Address}

What am I doing wrong? Is something missing?

Sincerely,
Philippe BACQUAERT
Re: Create and Send attributes
Carlos Peñafiel wrote:
> Hello!!! I want to send from my radius server several attributes to the client, but I've been looking at the documentation. I can do that if my attribute-ID is between 1 and 100 (I guess, maybe is it 256), but also the documentation says that a new attribute has to have an ID greater than 3000. So, are not the attributes between 100 (256) and 3000 sent to the client radius? (I guess, they could be used for local management) If it is not, how can I create an attribute with id greater than 3000 and send to the radius client?

If you are creating your own attributes, get an IANA enterprise number (either apply for one or re-use one if AND ONLY IF you're certain it will only be used internally) and use a vendor-specific attribute space. See the dictionary.$vendor files for examples.

Alternatively, have a dig in the dictionary files and/or RFCs for an existing attribute that closely matches the purpose. What are you trying to do?

Obviously you'll have to have control over the radius client to make it actually use the new attribute. Most will only use attributes they already know about.
Re: Use of Service type attribute
Chandra mohan wrote:
> Hi, I am developing a RADIUS client for our embedded product. I would like the RADIUS client implementation to support the association of a privilege level with individual accounts, e.g. the account normal_user has a privilege that allows read-only access while the account admin_user has a privilege that allows read-write access (can change our system configuration). Is it possible to use the Service-Type attribute for this purpose, with the Login value for normal_user and Administrative for admin_user? Please clarify.

Yes it is possible, but it is wrong. RFC2865 states:

    5.6.  Service-Type

          1      Login
          2      Framed
          3      Callback Login
          4      Callback Framed
          5      Outbound
          6      Administrative
          7      NAS Prompt
          8      Authenticate Only
          9      Callback NAS Prompt
         10      Call Check
         11      Callback Administrative

    [snip]

        Login           The user should be connected to a host.

        Administrative  The user should be granted access to the
                        administrative interface to the NAS from which
                        privileged commands can be executed.

        NAS Prompt      The user should be provided a command prompt on
                        the NAS from which non-privileged commands can
                        be executed.

So you should actually use NAS Prompt for read-only and Administrative for read-write. Login is something else entirely.
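The following is an added example, not code from the thread or from FreeRADIUS: it shows how an embedded RADIUS client could apply the mapping recommended above when it decodes an Access-Accept. It implements the RFC 2865 Type/Length/Value attribute layout and the Service-Type numbers quoted from section 5.6; the mapping NAS Prompt (7) to read-only and Administrative (6) to read-write is the client's own policy, and the packet bytes are constructed for the demonstration. The point a practitioner cares about is failing closed: a missing, duplicated, malformed or unrecognised Service-Type grants nothing, so a misconfigured server cannot accidentally hand out privileged access.

```python
"""Map the Service-Type of a RADIUS Access-Accept to a client privilege level.

Added example for the Service-Type thread; not FreeRADIUS code.
Attribute layout and Service-Type values follow RFC 2865; the
privilege mapping is this hypothetical client's own policy.
"""
import struct

SERVICE_TYPE = 6        # RFC 2865 attribute type number for Service-Type
REPLY_MESSAGE = 18      # RFC 2865 attribute type number for Reply-Message

# RFC 2865 section 5.6 values, as quoted in the reply above
SERVICE_TYPE_NAMES = {
    1: "Login", 2: "Framed", 3: "Callback Login", 4: "Callback Framed",
    5: "Outbound", 6: "Administrative", 7: "NAS Prompt",
    8: "Authenticate Only", 9: "Callback NAS Prompt", 10: "Call Check",
    11: "Callback Administrative",
}

# Client policy (an assumption for this example): NAS Prompt -> read-only,
# Administrative -> read-write, everything else -> no access at all.
PRIVILEGE_BY_SERVICE_TYPE = {7: "read-only", 6: "read-write"}


def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list.

    RFC 2865 requires Length >= 2 and the attribute must fit in the packet;
    anything else is rejected instead of being read past the buffer.
    """
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[offset], payload[offset + 1]
        if length < 2 or offset + length > len(payload):
            raise ValueError(f"bad attribute length {length} at offset {offset}")
        yield attr_type, payload[offset + 2:offset + length]
        offset += length


def privilege_from_accept(payload: bytes) -> str:
    """Return the privilege level granted by an Access-Accept attribute list.

    Fails closed: a malformed list, no Service-Type, more than one
    Service-Type, a wrong-sized value or an unmapped value all yield "none".
    """
    try:
        service_types = [v for t, v in parse_attributes(payload) if t == SERVICE_TYPE]
    except ValueError:
        return "none"
    if len(service_types) != 1 or len(service_types[0]) != 4:
        return "none"
    (value,) = struct.unpack("!I", service_types[0])
    return PRIVILEGE_BY_SERVICE_TYPE.get(value, "none")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


# Constructed sample Access-Accept attribute lists (not captured traffic)
ADMIN_ACCEPT = attribute(SERVICE_TYPE, struct.pack("!I", 6)) + attribute(REPLY_MESSAGE, b"welcome")
OPERATOR_ACCEPT = attribute(SERVICE_TYPE, struct.pack("!I", 7))
LOGIN_ACCEPT = attribute(SERVICE_TYPE, struct.pack("!I", 1))   # Login: host access, not a CLI level
NO_TYPE_ACCEPT = attribute(REPLY_MESSAGE, b"welcome")          # Reply-Message only

if __name__ == "__main__":
    for name, pkt in [("admin", ADMIN_ACCEPT), ("operator", OPERATOR_ACCEPT),
                      ("login", LOGIN_ACCEPT), ("no type", NO_TYPE_ACCEPT)]:
        print(f"{name:9s} -> {privilege_from_accept(pkt)}")
```

Running the block prints read-write for the Administrative accept, read-only for NAS Prompt, and none for the Login and Reply-Message-only cases; a reply carrying two Service-Type attributes is also refused rather than letting the last (or first) one win.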
Execute scripts
I'm new in FreeRadius. I want to make my own log on script which will execute same bash functions. Is it possible??

Andrew
Messenger
Dear all,

I am using freeradius 1.1.1 to authenticate SIP users. Using Windows Messenger as SIP phone is very important for me. I tested my servers (SIP proxy and freeradius) with free SIP phones and everything is OK. But with Windows Messenger I face some problems. I think the function that Windows uses for Digest encryption has some differences with FreeRadius functions (perhaps, I guess). Let me know if anyone has tested FreeRadius with Windows Messenger. "Is it possible or not?"

I appreciate any help.

Best wishes
Saman
EAP TLS authentification
Hello,

After an authentication with a certificate, the user-name that is returned is the common name of the certificate. How can I use another field (subject, email, serial number...) instead, because some people can have the same common name?

Thanks in advance
Re: freeradius, deb (sid)
Gabor Szelei wrote:
> I'd like to use freeradius with PEAP. [...] rlm_eap_tls.so seems to be missing. Does anyone know some debian source to get it with it?

Debian doesn't distribute a binary version of the rlm_eap_tls module because the OpenSSL license is incompatible with the GPL.

http://www.gnu.org/licenses/license-list.html#GPLIncompatibleLicenses
http://marc.theaimsgroup.com/?l=openssl-usersm=114460613316150w=2

> Is there some guide about how to build it and what dependencies are needed for that?

You might download FreeRADIUS 1.1.1 and build a Debian package from sources.

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ

-- 
Nicolas Baradakis
Réf. : Freeradius-Users Digest, Vol 12, Issue 98
Hi,

I am actually using freeradius, which works fine for a linux box with one if (eth0). I've added another if (eth1) for some other applications. But when I run radiusd -X -A, freeradius doesn't start correctly, i.e. the log stops reading at the clients file. So my question is how to start freeradius on a specific interface (for example eth0).

Thanks for any answer.
Jacques
Re: freeradius request to DHCP
Hello.

There's also another solution. You can execute a shell script that contacts your DHCP server sending the MAC address. That way, you can give whatever IP address you want. Check a shell called OMAPI in order to interact with the ISC DHCPd.

Alan DeKok wrote:
> "Philippe Bacquaert" [EMAIL PROTECTED] wrote:
> > I'm searching how to make freeradius (when receiving a request from a radius client) request itself a dynamic IP address to a dhcp server and write it in the attribute Framed-IP-Address.
>
> You write a script around dhclient, which might work. Or, use the ISC libdhcp, and integrate that into a FreeRADIUS module.
>
> Alan DeKok.

-- 
Sincerely,
Paulo Cabrita, Msc
Director of the Computing Centre
of the Universidade Autónoma de Lisboa
Tel: +351-213177635
Fax: +351-213533702
E-mail: [EMAIL PROTECTED]
RE: Re: Create and Send attributes
> Carlos Peñafiel wrote:
> > Hello!!! I want to send from my radius server several attributes to the client, but I've been looking at the documentation. I can do that if my attribute-ID is between 1 and 100 (I guess, maybe is it 256), but also the documentation says that a new attribute has to have an ID greater than 3000. So, are not the attributes between 100 (256) and 3000 sent to the client radius? (I guess, they could be used for local management) If it is not, how can I create an attribute with id greater than 3000 and send to the radius client?
>
> If you are creating your own attributes, get an IANA enterprise number (either apply for one or re-use one if AND ONLY IF you're certain it will only be used internally) and use a vendor-specific attribute space. See the dictionary.$vendor files for examples.
>
> Alternatively, have a dig in the dictionary files and/or RFCs for an existing attribute that closely matches the purpose. What are you trying to do?
>
> Obviously you'll have to have control over the radius client to make it actually use the new attribute. Most will only use attributes they already know about.

Hello and thank you for answering so soon.

I am trying to do something like amount of quality of service that a user has. I have the control over the radius client because I am using a HostAP, but looking at the documentation and on Google, I can't find a way to solve this. Can you help me a little bit more?

Thank you in advance.
Re: Use of Service type attribute
Chandra mohan [EMAIL PROTECTED] wrote:
> Is it possible to use Service-Type attribute for this purpose, with Login value for normal_user and Administrative for admin_user. Please clarify.

Yes. To a large extent, your client can interpret the attributes however it wishes.

Alan DeKok.
Re: freeradius, deb (sid)
Gabor Szelei [EMAIL PROTECTED] wrote:
> rlm_eap_tls.so seems to be missing. Does anyone know some debian source to get it with it?

There is no debian package. But you can use the files in debian/ that come with FreeRADIUS to build your own.

Alan DeKok.
Re: Réf. : Freeradius-Users Digest, Vol 12 , Issue 98
JVUVANT Yahoo [EMAIL PROTECTED] wrote:
> But when I run radiusd -X -A, freeradius doesn't start correctly, i.e. the log stops reading at the clients file.

And what does debugging mode say?

What has to be put in the documentation in order to convince people to run the server in debugging mode, and to post the output to the list?

Alan DeKok.
Re: Create and Send attributes
Carlos Peñafiel [EMAIL PROTECTED] wrote:
> I am trying to do something like amount of quality of service that a user has.

What does that mean?

> I have the control over the radius client because I am using a HostAP, but looking at the documentation and on Google, I can't find a way to solve this. Can you help me a little bit more?

Edit the source code to the client to look for, and interpret, the new attribute. Re-use an attribute of a similar name, or invent a new one. If the attribute is used only in your local deployment, it doesn't really matter what number you pick. It just has to be a number that goes into a RADIUS packet.

Alan DeKok.
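To make the two pieces of advice in this thread concrete (use a vendor-specific attribute space under an IANA enterprise number, and have the client decode the new attribute itself), here is an added example that is not code from the thread, from FreeRADIUS or from HostAP. It encodes and decodes a RADIUS Vendor-Specific Attribute (type 26) as laid out in RFC 2865 section 5.26: Type, Length, a four-byte Vendor-Id, then the vendor's own Type/Length/Value. The vendor id 99999 and the vendor attribute number 1, called QoS-Class here, are placeholders; a real deployment substitutes its own assigned Private Enterprise Number. The decoder checks every inner length against the enclosing attribute so a short or oversized length field cannot make the client read neighbouring data, and it ignores VSAs that belong to other vendors instead of misinterpreting them.

```python
"""Encode and decode a RADIUS Vendor-Specific Attribute (RFC 2865 section 5.26).

Added example for the "Create and Send attributes" thread; not FreeRADIUS
or HostAP code. Vendor id and vendor attribute number are placeholders.
"""
import struct

VENDOR_SPECIFIC = 26                # RFC 2865 attribute type for VSAs
PRIVATE_ENTERPRISE_NUMBER = 99999   # placeholder, NOT an assigned IANA number
QOS_CLASS = 1                       # hypothetical vendor attribute number


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build Type=26, Length, Vendor-Id (4 bytes), then one vendor sub-TLV."""
    # 255 max attribute length - 2 (outer header) - 4 (vendor id) - 2 (inner header)
    if not 0 < len(value) <= 247:
        raise ValueError("vendor value must be 1..247 bytes")
    if vendor_id >> 24 != 0:
        raise ValueError("high byte of Vendor-Id must be zero (RFC 2865)")
    inner = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + inner
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def decode_vsa(attr: bytes):
    """Return (vendor_id, [(vendor_type, value), ...]) or raise ValueError.

    RFC 2865 allows several sub-attributes inside one VSA; each inner length
    is bounded by the enclosing attribute, and Vendor-Length must be >= 3.
    """
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    (vendor_id,) = struct.unpack("!I", attr[2:6])
    subattrs, offset = [], 6
    while offset < len(attr):
        if len(attr) - offset < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = attr[offset], attr[offset + 1]
        if vlen < 3 or offset + vlen > len(attr):
            raise ValueError(f"bad vendor length {vlen} at offset {offset}")
        subattrs.append((vtype, attr[offset + 2:offset + vlen]))
        offset += vlen
    return vendor_id, subattrs


def encode_qos_class(qos_class: int) -> bytes:
    """Encode our hypothetical QoS-Class as a 4-byte integer VSA."""
    return encode_vsa(PRIVATE_ENTERPRISE_NUMBER, QOS_CLASS, struct.pack("!I", qos_class))


def qos_class_from_vsa(attr: bytes):
    """Return the QoS class in attr, or None if it is malformed, belongs to
    another vendor, or carries no 4-byte QoS-Class sub-attribute."""
    try:
        vendor_id, subattrs = decode_vsa(attr)
    except ValueError:
        return None
    if vendor_id != PRIVATE_ENTERPRISE_NUMBER:
        return None
    for vtype, value in subattrs:
        if vtype == QOS_CLASS and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


if __name__ == "__main__":
    vsa = encode_qos_class(3)
    print("on the wire:", vsa.hex())
    print("decoded    :", decode_vsa(vsa))
    print("QoS class  :", qos_class_from_vsa(vsa))
    # A VSA from a different (constructed) vendor id is ignored, not misread
    print("other vendor:", qos_class_from_vsa(encode_vsa(424242, QOS_CLASS, b"\0\0\0\3")))
```

On the server side the same attribute is declared in a dictionary.$vendor file, as the earlier reply describes, so that the users file or SQL configuration can set it by name; the client only ever sees the twelve bytes printed by the block.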
Proxy failure
Hello,

I set up FreeRadius in order to proxy a certain realm to another Radius server (which is not under my control at all). The shared secret is the same. I put the address of the other Radius server in the proxy.conf file. My Radius sends the request 5 times to the other Radius server and then gives up marking the server dead (but it is not). This is what comes out:

    Cleaning up request 104 ID 0 with timestamp 444f845d
    Nothing to do. Sleeping until we see a request.
    rad_recv: Access-Request packet from host 10.3.1.60:2050, id=0, length=147
            User-Name = [EMAIL PROTECTED]
            NAS-IP-Address = 10.3.1.60
            Called-Station-Id = 0014bfef3609
            Calling-Station-Id = 001124a87bc6
            NAS-Identifier = 0014bfef3609
            NAS-Port = 21
            Framed-MTU = 1400
            NAS-Port-Type = Wireless-802.11
            EAP-Message = 0x021601746573746963666f4063657363612e6573
            Message-Authenticator = 0xb82a0c651648b9bab3d9860388e081db
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 105
      modcall[authorize]: module preprocess returns ok for request 105
    radius_xlat: '/usr/local/var/log/radius/radacct/10.3.1.60/auth-detail-20060426'
    rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.3.1.60/auth-detail-20060426
      modcall[authorize]: module auth_log returns ok for request 105
        rlm_realm: Looking up realm .es for User-Name = [EMAIL PROTECTED]
        rlm_realm: Found realm DEFAULT
        rlm_realm: Proxying request from user test to realm DEFAULT
        rlm_realm: Adding Realm = DEFAULT
        rlm_realm: Preparing to proxy authentication request to realm DEFAULT
      modcall[authorize]: module suffix returns updated for request 105
      rlm_eap: Request is supposed to be proxied to Realm DEFAULT. Not doing EAP.
      modcall[authorize]: module eap returns noop for request 105
        users: Matched entry DEFAULT at line 161
      modcall[authorize]: module files returns ok for request 105
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for [EMAIL PROTECTED]
    radius_xlat: '([EMAIL PROTECTED])'
    radius_xlat: 'ou=People, dc=, dc=es'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=People, dc=, dc=es, with filter ([EMAIL PROTECTED])
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
      modcall[authorize]: module ldap returns notfound for request 105
    modcall: leaving group authorize (returns updated) for request 105
      Processing the pre-proxy section of radiusd.conf
    modcall: entering group pre-proxy for request 105
    radius_xlat: '/usr/local/var/log/radius/radacct/10.3.1.60/pre-proxy-detail-20060426'
    rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.3.1.60/pre-proxy-detail-20060426
      modcall[pre-proxy]: module pre_proxy_log returns ok for request 105
    modcall: leaving group pre-proxy (returns ok) for request 105
    Sending Access-Request of id 12 to aa.bb.cc.dd port 1812
            User-Name = [EMAIL PROTECTED]
            NAS-IP-Address = 10.3.1.60
            Called-Station-Id = 0014bfef3609
            Calling-Station-Id = 001124a87bc6
            NAS-Identifier = 0014bfef3609
            NAS-Port = 21
            Framed-MTU = 1400
            NAS-Port-Type = Wireless-802.11
            EAP-Message = 0x021601746573746963666f4063657363612e6573
            Message-Authenticator = 0x
            Proxy-State = 0x30
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    rad_recv: Access-Request packet from host 10.3.1.60:2050, id=0, length=147
    Dropping conflicting packet from client APtest:2050 - ID: 0 due to unfinished request 105
    --- Walking the entire request list ---
    Waking up in 2 seconds...
    --- Walking the entire request list ---
    Re-sending Access-Request of id 12 to aa.bb.cc.dd port 1812
            User-Name = [EMAIL PROTECTED]
            NAS-IP-Address = 10.3.1.60
            Called-Station-Id = 0014bfef3609
            Calling-Station-Id = 001124a87bc6
            NAS-Identifier = 0014bfef3609
            NAS-Port = 21
            Framed-MTU = 1400
            NAS-Port-Type = Wireless-802.11
            EAP-Message = 0x021601746573746963666f4063657363612e6573
            Message-Authenticator = 0x
            Client-IP-Address = 10.3.1.60
            Realm = DEFAULT
            EAP-Type = Identity
            Module-Failure-Message = rlm_ldap: User not found
            Realm = DEFAULT
            Proxy-State = 0x30
    Waking up in 5 seconds...
    --- Walking the entire request list ---
    Re-sending Access-Request of id 12 to aa.bb.cc.dd port 1812
            User-Name = [EMAIL PROTECTED]
            NAS-IP-Address = 10.3.1.60
            Called-Station-Id = 0014bfef3609
            Calling-Station-Id = 001124a87bc6
            NAS-Identifier
RE: Re: Use of Service type attribute
> Carlos Peñafiel [EMAIL PROTECTED] wrote:
> > I am trying to do something like amount of quality of service that a user has.
>
> What does that mean?

I'm sorry for my English. I want to have a variable (attribute) saying that, for each user who has authorization to use the network, I want to offer a QoS going outside (to the internet) for him/her.

> > I have the control over the radius client because I am using a HostAP, but looking at the documentation and on Google, I can't find a way to solve this. Can you help me a little bit more?
>
> Edit the source code to the client to look for, and interpret, the new attribute. Re-use an attribute of a similar name, or invent a new one. If the attribute is used only in your local deployment, it doesn't really matter what number you pick. It just has to be a number that goes into a RADIUS packet.
>
> Alan DeKok.

Ok. Thank you for your time.
Re: freeradius, deb (sid)
Hi,

> You might download FreeRADIUS 1.1.1 and build a Debian package from sources.

I've tried, but failed to collect all the needed modules. Which version of libcrypt is needed? Which version of openssl is needed? Can I find ldap headers from deb? Is there some page about dependency requirements?

Thanks.

br,
Gabor Szelei
FreeRADIUS and SIP-AVP
Hi,

I was just wondering if it is possible to return an attribute more than once in a RADIUS reply? I.e., for OpenSER I for instance would like to return:

    SIP-AVP=rpid:1234567
    SIP-AVP=voicemail:888

I've tried to use rlm_perl and a script to add SIP-AVP more than once, but FreeRADIUS only uses one.

br
hw

-- 
Helge Waastad
Senior Consultant
Smartnet
Re: Proxy failure
Axel Seguin [EMAIL PROTECTED] wrote:
> My Radius sends the request 5 times to the other Radius server and then gives up marking the server dead (but it is not).

Then why isn't it responding? Are there firewall rules that filter out the response or request?

> Why is there a Module-Failure-Message = rlm_ldap: User not found? Of course the user won't be found in the local ldap database since this realm is supposed to be proxied.

Then why did you configure the server to look the user up in LDAP? It doesn't come configured to do that by default, so you must have added that to your local config.

> The radius server is obviously looking in the local ldap database with the unstripped username before proxying this request. Is there not a way, in case the realm of the username has to be proxied, not to look for it locally in the ldap database first?

Yes. See doc/configurable_failover doc/Autz-Type

> If anyone has an idea why I don't get any answer, I would be grateful.

Use 'tcpdump' to see where the packets are going. See if you can run 'radclient' on the same machine as the RADIUS server, and get a response from the other server.

Alan DeKok.
Re: assign a value to an attribute via a script
Philippe Bacquaert [EMAIL PROTECTED] wrote:
> I'm searching how to use a script to modify the value of an attribute.

See scripts/exec-program-wait for an example.

> In my test I try to use a script to assign an IP address to the attribute Framed-IP-Address:
>
>     Framed-IP-Address = `%{dhcp:/etc/raddb/test %{User-Name} %{NAS-IP-Address}}`

Is that an entry in the users file?

> I get an error message when I try to start:
>
>     ERROR: Cannot find a configuration entry for module Framed-IP-Address.

Ah. You put the attribute in radiusd.conf. Why? The documentation didn't say to do that, and all of the other examples of setting attributes put them in other files, like the users file.

Alan DeKok.
Re: Messenger
sami aa [EMAIL PROTECTED] wrote:
> I am using freeradius 1.1.1 to authenticate SIP users. Using Windows Messenger as SIP phone is very important for me. I tested my servers (SIP proxy and freeradius) with free SIP phones and everything is OK. But with Windows Messenger I face some problems. I think the function that Windows uses for Digest encryption has some differences with FreeRadius functions (perhaps, I guess).

Run the server in debugging mode and post the output to the list.

Alan DeKok.
Re: Execute scripts
Andrzej Żmijewski [EMAIL PROTECTED] wrote:
> I'm new in FreeRadius. I want to make my own log on script which will execute same bash functions. Is it possible??

Read radiusd.conf.

Alan DeKok.
Re: EAP TLS authentification
[EMAIL PROTECTED] (Philippe Chataigner) wrote:
> After an authentication with a certificate, the user-name that is returned is the common name of the certificate. How can I use another field (subject, email, serial number...) instead, because some people can have the same common name?

Edit the source code.

Alan DeKok.
Re: FreeRADIUS and SIP-AVP
Helge Waastad [EMAIL PROTECTED] wrote:
> I was just wondering if it is possible to return an attribute more than once in a RADIUS reply?

Read man users, which documents exactly how to do that.

Alan DeKok.
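As an added illustration of the users(5) mechanism the reply points at (this is not an entry from the original poster's configuration), the users file's `+=` operator appends a reply item instead of replacing an existing one with the same name, so listing the attribute twice with `+=` sends both values. The entry assumes SIP-AVP is already defined in the server's dictionary, as it must have been for the rlm_perl attempt, and uses a constructed user name and Cleartext-Password.

```text
# users file entry (constructed example): both SIP-AVP values go back to OpenSER
alice   Cleartext-Password := "example-password"
        SIP-AVP += "rpid:1234567",
        SIP-AVP += "voicemail:888"
```

Reply items on the continuation lines are comma-separated except for the last one; with `=` instead of `+=` the second SIP-AVP would be dropped because an attribute of that name is already in the reply.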