Re: Blank usernames
Marat Rysbekov wrote:
> I specify the IP-pools in , and it works fine, except for one thing:
> I get no Access-Accept reply whenever the username is left blank (any
> non-empty username is accepted by the server).

And "radiusd -X" says...?

> So, my question: is there a way to make FreeRadius use the DEFAULT entries
> when the username is not supplied at all?

See what it's doing now *first*, before trying to change its configuration to do something else.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Blank usernames
Good day, everyone.

I'm trying to set up FreeRadius 1.1.3 to assign IP-addresses based on what NAS the authorization request came from, no matter what username or password was supplied. Some of my configuration:

...
Alpha NAS-IP-Address == 192.168.10.1
Beta NAS-IP-Address == 192.168.20.1
...

...
DEFAULT Auth-Type := Accept, Huntgroup-Name == "Alpha", Pool-Name := "PoolA"
DEFAULT Auth-Type := Accept, Huntgroup-Name == "Beta", Pool-Name := "PoolB"
...

I specify the IP-pools in , and it works fine, except for one thing: I get no Access-Accept reply whenever the username is left blank (any non-empty username is accepted by the server).

So, my question: is there a way to make FreeRadius use the DEFAULT entries when the username is not supplied at all?

Thanks.
Re: distinction between users on different AP (talking to the same radius server)
On 11/19/06, liran tal <[EMAIL PROTECTED]> wrote:
> I'll try to elaborate on this...
> There are two access points deployed in two different locations, they both
> speak to a central radius server, it looks like this:
> AP1 - DHCP Address Pool 172.19.1.0/24
> AP2 - DHCP Address Pool 172.19.2.0/24

ah ok. (nitpick: so the subnet mask /24 is not different, the subnets are *g*)

> Now, say user foo got connected to AP1, in the logs I will see he received
> FramedIPAddress 172.19.1.250 so I will know for a fact that the user is
> connecting from AP1 rather than AP2.

Which log? Again, as the issuing of dhcp leases would happen after the associating/authenticating of the user's machine I would not expect Framed-IP-Address to be transmitted in an Access-Request from an ap to be acted on by freeradius. Actually the other way round would be more common, freeradius sending that attribute to the ap. Maybe it could be part of an accounting message sent by the ap, but that would also be too late to base authentication decisions on in any sane way. If you happen to have such setup nevertheless, could you show the freeradius debug output?

> So I'm asking if there's a better way to do this rather than by configuring
> different subnets on the dhcp server of the APs.
> A NASIPAddress is actually a good solution but I'm not going with that cause
> I can't be sure that it's a static one (some APs receive their "wan"
> interface address by DHCP which may vary all the time).

Not freeradius related: Does every AP use/have its own dhcpd for the users? If so, they should ensure that no conflicting leases get out by means of relaying to a central server, coordinating between themselves, assigning different ranges of ips or just keeping the leases on different subnets (the last being not the best approach, I think, and would also not be needed for freeradius as I tried to explain already and will do, hopefully more completely, below).

Ok, so the mentioned combinations would include NAS-IP-Address to be not part of them. I was talking in general about possible already existing choices you could watch out for. To do that even more: As to your wish to "distinct", what are your needs related to that distinction: authentication/authorization/accounting? As long as your aps send anything as part of the radius protocol, which is specific to them (which is quite probable) and known a priori (which might rule out NAS-IP-Address, (but why not dhcping fixed addresses, or at least different ranges to them? etc. as completely dynamic ips for aps look a bit awkward to me, not only for the problem at hand)) in the different messages to freeradius, that entity can be used (where/how depends on the purpose) to decide between different alternatives.

> So any other ideas...

Not really, I would still uphold my statement previously made. To perhaps clarify it a bit: Yes, of course you can configure freeradius to act differently on different inputs. Any more specific suggestions could only arise from you telling what the aps do (other than putting users on different subnets, which is possible too, but not desirable I think); more to the point: what (which attributes) do they send in which situations, and what reaction you want in those situations.

regards
K. Hoercher
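Added example (not part of the original thread, and not FreeRADIUS code): one way to tell access points apart by an attribute that is specific to each AP and known a priori, here Called-Station-Id (which 802.11 APs commonly send as the radio MAC, optionally followed by ":SSID") or NAS-Identifier, instead of a DHCP-assigned NAS-IP-Address. The MAC values, the NAS-Identifier string, the site names and the sample requests are constructed, and that the APs send these attributes is an assumption.

```python
import re

# Constructed inventory: AP radio MAC (12 lowercase hex digits) -> location.
AP_BY_MAC = {
    "001122334455": "site-1",
    "0011223344aa": "site-2",
}
# Constructed NAS-Identifier strings, assumed to be configured on the APs.
AP_BY_NAS_ID = {"ap1.example.net": "site-1"}

# MAC with '-', ':' or '.' separators (or none), then an optional ':SSID'.
_CSI_RE = re.compile(
    r"^((?:[0-9a-f]{2}[-:.]?){5}[0-9a-f]{2})(?::(.*))?$", re.IGNORECASE
)


def split_called_station_id(value):
    """Return (mac, ssid); mac is normalized, ssid is None when absent."""
    m = _CSI_RE.match(value.strip())
    if not m:
        return None, None
    mac = re.sub(r"[-:.]", "", m.group(1)).lower()
    return mac, m.group(2)


def locate(request):
    """Map a request's attributes to a location, or None for an unknown AP."""
    nas_id = request.get("NAS-Identifier")
    if nas_id in AP_BY_NAS_ID:
        return AP_BY_NAS_ID[nas_id]
    mac, _ssid = split_called_station_id(request.get("Called-Station-Id", ""))
    # No fallback to NAS-IP-Address: a DHCP lease can move between APs,
    # so an unrecognized AP stays unclassified instead of being guessed.
    return AP_BY_MAC.get(mac)


# Constructed Access-Request attribute sets. The first and third share a
# NAS-IP-Address (lease reuse) but come from different radios.
SAMPLE_REQUESTS = [
    {"User-Name": "foo", "NAS-IP-Address": "10.0.0.17",
     "Called-Station-Id": "00-11-22-33-44-55:hotspot"},
    {"User-Name": "foo", "NAS-IP-Address": "10.0.0.93",
     "Called-Station-Id": "00:11:22:33:44:AA"},
    {"User-Name": "foo", "NAS-IP-Address": "10.0.0.17",
     "Called-Station-Id": "66-77-88-99-aa-bb:hotspot"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["Called-Station-Id"], "->", locate(req))
```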
Re: distinction between users on different AP (talking to the same radius server)
I'll try to elaborate on this...
There are two access points deployed in two different locations, they both speak to a central radius server, it looks like this:
AP1 - DHCP Address Pool 172.19.1.0/24
AP2 - DHCP Address Pool 172.19.2.0/24

Now, say user foo got connected to AP1, in the logs I will see he received FramedIPAddress 172.19.1.250 so I will know for a fact that the user is connecting from AP1 rather than AP2.

So I'm asking if there's a better way to do this rather than by configuring different subnets on the dhcp server of the APs.
A NASIPAddress is actually a good solution but I'm not going with that cause I can't be sure that it's a static one (some APs receive their "wan" interface address by DHCP which may vary all the time).

So any other ideas...

On 11/19/06, K. Hoercher <[EMAIL PROTECTED]> wrote:
> On 11/19/06, liran tal <[EMAIL PROTECTED]> wrote:
> > I want to spread several access points in different locations (they all talk
> > to a central radius) and then I want to distinct one location from another
> > for example user foo can login from either location but I'd like to make the
> > distinction from which ap he got connected from... what's the best way to do
> > that?
>
> I won't assert something about the following being the best way, but I
> would normally think of some rules in hints and/or users file matching
> on pertinent combinations of User-Name, NAS-IP-Address,
> Called-Station-Id etc. depending on the setup you actually want to
> implement.
>
> > I was thinking of one method which is to configure in each AP a different
> > subnet mask for the DHCP allocations
> > and then make the distinction based on that but I'm looking for a more
> > elegant way.
>
> As a side note to that: while I don't have a clear understanding of
> what the meaning of "different subnet mask"s in that context could
> possibly be, under sort of normal circumstances dhcp would happen
> after users' machines associate/authenticate on an ap.
>
> regards
> K. Hoercher
Re: distinction between users on different AP (talking to the same radius server)
On 11/19/06, liran tal <[EMAIL PROTECTED]> wrote:
> I want to spread several access points in different locations (they all talk
> to a central radius) and then I want to distinct one location from another
> for example user foo can login from either location but I'd like to make the
> distinction from which ap he got connected from... what's the best way to do
> that?

I won't assert something about the following being the best way, but I would normally think of some rules in hints and/or users file matching on pertinent combinations of User-Name, NAS-IP-Address, Called-Station-Id etc. depending on the setup you actually want to implement.

> I was thinking of one method which is to configure in each AP a different
> subnet mask for the DHCP allocations
> and then make the distinction based on that but I'm looking for a more
> elegant way.

As a side note to that: while I don't have a clear understanding of what the meaning of "different subnet mask"s in that context could possibly be, under sort of normal circumstances dhcp would happen after users' machines associate/authenticate on an ap.

regards
K. Hoercher
Re: configuration problem in Freeradius.
Hi!

Assuming you don't have a user/passwd johndoe/hello in your /etc/passwd (see comment in lines above the matching DEFAULT l. 157) your debug output shows a correctly working freeradius.

Speculating further: if you like to have an Access-Accept on that test without creating a system user "johndoe" you should add something like:

johndoe User-Password:="hello"

to the users file (preferably before l. 157, see man users and the comments in the file itself)

Anything else would require your telling us so. (What do you want to achieve, by which means, what is the behaviour of the server?)

regards
K. Hoercher
distinction between users on different AP (talking to the same radius server)
Hey everyone,

I was just wondering for your opinion on this issue - I want to spread several access points in different locations (they all talk to a central radius) and then I want to distinct one location from another for example user foo can login from either location but I'd like to make the distinction from which ap he got connected from... what's the best way to do that?

I was thinking of one method which is to configure in each AP a different subnet mask for the DHCP allocations and then make the distinction based on that but I'm looking for a more elegant way.

Thanks guys,
Liran.