Requesting help with FR + Dynamic vlans

2007-04-16 Thread Jacob Jarick
Hi, here is the current scenario:

* school with wireless access
* already uses RADIUS (soon to be FreeRADIUS)
* FreeRADIUS authenticates via a Win2k3 Active Directory server
* teachers need to be able to log into WAPs a, b, c etc. and be
automatically assigned to the teachers VLAN
* priv students need to be able to log into WAPs a, b, c and be
assigned to the priv student VLAN
* norm students simply need to have network access denied from WAPs a, b, c


From what I've learnt so far today, I need to configure the radius.conf
to retrieve the user's group from the AD and then return auth and map
group -> VLAN / tunnel ID.

If someone could provide me an example or documentation / howto I should
read I'd be very thankful. Also if the scenario wasn't clear enough
please say so and I will re-explain.

Thanks a lot, FR crew.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Howto compile 1.1.6 on Fedora 6

2007-04-16 Thread A . L . M . Buxey
Hi,
 Thanks to the people who helped me figure this out (big thanks to
 Alan), this works perfectly on a fresh Fedora system.
 
 Download, compile and install OpenSSL
 
 download freeradius 1.1.6
 unpack in /usr/src
 cd freeradius-1.1.6
 
 ./configure --prefix=/usr --with-openssl-includes=/usr/local/ssl/include --with-openssl-libraries=/usr/local/ssl/lib/ --disable-libtool-lock --with-system-libtool --sysconfdir=/etc
 (^all one line)
 
 make
 make install

You SHOULD be able to simply use the Red Hat spec file that is shipped as part
of the contrib sources in that 1.1.6 tarball to make an RPM, exactly as
the distro should/would supply if they were doing 1.1.6.

did you try this?

alan


Re: Howto compile 1.1.6 on Fedora 6

2007-04-16 Thread Jacob Jarick
I personally hate RPMs and will compile all apps, so no; I try RPMs as
a last resort and I'm not surprised when they fail with a big list of
dependencies.

I will look into it though and test on the next machine and report back.




RE: Multiple REALMS, multiple SQL

2007-04-16 Thread Andrea Cerrito
Great, it does the trick :)
It was simpler than I thought.

Another question: is it safe to write into the same SQL
server\database\table from 2 RADIUS servers authenticating the same realm?
--
Andrea Cerrito 



Re: Howto compile 1.1.6 on Fedora 6

2007-04-16 Thread Jacob Jarick
I should be more specific: I will compile all specially needed apps
after doing a normal installation.
Generic stuff like X etc. I don't care about unless it doesn't work.





O'Reillys Radius Book - Worth buying

2007-04-16 Thread Jacob Jarick
Hi, I'm just getting started with FreeRADIUS (trying to nut out dynamic
VLANs at the moment) and I was wondering if this book would be a worthwhile
purchase.

I had a great experience with O'Reilly's BIND and Perl Cookbook books.
Have any FR users used this book and if so your comments would be
appreciated.

http://www.oreilly.com/catalog/radius/index.html


Re: O'Reillys Radius Book - Worth buying

2007-04-16 Thread Alan DeKok
Jacob Jarick wrote:
 Hi, I'm just getting started with FreeRADIUS (trying to nut out dynamic
 VLANs at the moment) and I was wondering if this book would be a worthwhile
 purchase.

  Maybe.

 I had a great experience with O'Reilly's BIND and Perl Cookbook books.
 Have any FR users used this book and if so your comments would be
 appreciated.

  I reviewed the book before it was published.  It's still linked to
from freeradius.org.

  If you know nothing about RADIUS, it's worth buying.  But 1/3 is
pretty much paraphrased from the RFCs, and 1/3 is paraphrased from old
FreeRADIUS documentation.

  If you're familiar with RADIUS, it will contain little useful information.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Requesting help with FR + Dynamic vlans

2007-04-16 Thread Alan DeKok
Jacob Jarick wrote:
 * school with wireless access
 * already uses RADIUS (soon to be FreeRADIUS)
 * FreeRADIUS authenticates via a Win2k3 Active Directory server
 * teachers need to be able to log into WAPs a, b, c etc. and be
 automatically assigned to the teachers VLAN
 * priv students need to be able to log into WAPs a, b, c and be
 assigned to the priv student VLAN
 * norm students simply need to have network access denied from WAPs a, b, c
 
 
 From what I've learnt so far today, I need to configure the radius.conf
 to retrieve the user's group from the AD and then return auth and map
 group -> VLAN / tunnel ID.

  Yes.  You should be able to do that via the LDAP-Group attribute.  In
the users file, do:

DEFAULT LDAP-Group == norm-students, NAS-IP-Address == a, Auth-Type := Reject

DEFAULT LDAP-Group == norm-students, NAS-IP-Address == b, Auth-Type := Reject

DEFAULT LDAP-Group == norm-students, NAS-IP-Address == c, Auth-Type := Reject

DEFAULT LDAP-Group == priv-students
... assign VLAN (see NAS documentation for what attributes)

DEFAULT LDAP-Group == teacher
... assign VLAN (see NAS documentation for what attributes)

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
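Added example (written for this archive page; it is not code from the post or from the FreeRADIUS project) of what the "... assign VLAN" lines in the users entries above turn into on the wire. Most 802.1X-capable switches and access points take the VLAN from the RFC 2868 tunnel attributes as profiled in RFC 3580: Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-Id carrying the VLAN ID, all with the same tag. The script builds the Access-Accept such an entry produces, including the Response Authenticator the NAS uses to check that the reply came from a server holding the shared secret, and then decodes it the way a NAS does. The group-to-VLAN table, the VLAN numbers, the tag value 1, the Request Authenticator and the secret `testing123` are all constructed for the example; the exact attributes your NAS wants are, as the post says, in its documentation.

```python
# Added example: the Access-Accept a dynamic-VLAN users entry produces, and how
# the NAS decodes it. Not code from the post or from FreeRADIUS. The users
# entry assumed here (attribute names from the standard dictionary) is:
#   DEFAULT LDAP-Group == teacher
#           Tunnel-Type = VLAN,
#           Tunnel-Medium-Type = IEEE-802,
#           Tunnel-Private-Group-Id = "20"
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
# Tunnel attributes from RFC 2868; RFC 3580 profiles them for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
TAG = 1  # assumed tag byte tying the three attributes together

# Constructed group-to-VLAN table standing in for the LDAP-Group check items.
GROUP_VLAN = {"teacher": "20", "priv-students": "30"}


def tagged_integer(attr_type, value, tag=TAG):
    """RFC 2868 tagged integer: type, length 6, tag byte, 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, value, tag=TAG):
    """RFC 2868 tagged string: type, length, tag byte, then the text."""
    data = bytes([tag]) + value.encode()
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def reply_attributes(group):
    """Attributes the users entry for this group adds; None means Access-Reject."""
    vlan = GROUP_VLAN.get(group)
    if vlan is None:
        return None
    return (tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan))


def build_reply(group, request_id, request_authenticator, secret):
    """Access-Accept or Access-Reject with its Response Authenticator (RFC 2865
    section 3): MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = reply_attributes(group)
    code = ACCESS_REJECT if attrs is None else ACCESS_ACCEPT
    attrs = attrs or b""
    header = struct.pack("!BBH", code, request_id, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """The NAS side: recompute the Response Authenticator and compare it."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Decode the attribute list into {type: [raw value, ...]}; bad lengths raise."""
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attr_type, length = packet[pos], packet[pos + 1]
        out.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return out


def assigned_vlan(packet):
    """VLAN ID the NAS would apply, or None for a reject or an incomplete tunnel group."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    attrs = parse_attributes(packet)
    try:
        ttype = attrs[TUNNEL_TYPE][0]
        tmedium = attrs[TUNNEL_MEDIUM_TYPE][0]
        group_id = attrs[TUNNEL_PRIVATE_GROUP_ID][0]
    except KeyError:
        return None
    if not (ttype[0] == tmedium[0] == group_id[0]):  # tags must agree
        return None
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(tmedium[1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    return group_id[1:].decode()


if __name__ == "__main__":
    request_auth = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
    reply = build_reply("teacher", 82, request_auth, b"testing123")
    print(reply.hex(), assigned_vlan(reply))
```

The decode deliberately returns None when the three tunnel attributes do not share a tag or when Tunnel-Type is not VLAN; a NAS that receives such a reply may put the user on its default VLAN rather than the intended one, which is the failure mode to check for with radclient before the access points go live.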


Re: O'Reillys Radius Book - Worth buying

2007-04-16 Thread Arran Cudbard-Bell
I just got this one:
http://books.theregister.co.uk/catalog/browse.asp?id=746814&group=9880&subcat=8&cat=B

Initial flicking through suggests it's quite in-depth.

---
Arran


Re: SNMP with 1.1.6 and Net-SNMP 5.3

2007-04-16 Thread Stefan Winter
Hi,

 I receive the same broken pipe error when the smuxpeer pass and
 smux_password aren't the same, though there is probably a more complex
 cause.  Are there any non-standard characters in either config file?

 Is Net-SNMP configured with ucd-snmp compatibility?

Thanks for the tip. Looking up the net-snmp.spec file of openSUSE 10.2, it 
appears that ucd-snmp compat should be there... the compile 
switches --enable-local-smux and --enable-ucd-snmp-compatibility are there.

Any other hints? Otherwise, I guess I'll need to source-compile net-snmp :-(

Stefan


-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: O'Reillys Radius Book - Worth buying

2007-04-16 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 I just got this one:
 http://books.theregister.co.uk/catalog/browse.asp?id=746814&group=9880&subcat=8&cat=B
 
 Initial flicking through suggests it's quite in-depth.

  I've seen that.  It has 300+ pages, and 40 pages on RADIUS.  I had a
hard time reading it, to be honest.  Long paragraphs, long sentences,
convoluted explanations.

  If you're looking for a howto book, the O'Reilly book is *much* more
suited to that purpose.  If you're looking for a book that gives you an
overview of ongoing research in AAA, the Wiley book is good.

  If you're looking for concepts that aren't covered anywhere else, my
book (when I'm eventually done) will do that.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: O'Reillys Radius Book - Worth buying

2007-04-16 Thread Arran Cudbard-Bell
Alan DeKok wrote:
 Arran Cudbard-Bell wrote:
 I just got this one:
 http://books.theregister.co.uk/catalog/browse.asp?id=746814&group=9880&subcat=8&cat=B

 Initial flicking through suggests it's quite in-depth.
 
   I've seen that.  It has 300+ pages, and 40 pages on RADIUS.  I had a
 hard time reading it, to be honest.  Long paragraphs, long sentences,
 convoluted explanations.
 
   If you're looking for a howto book, the O'Reilly book is *much* more
 suited to that purpose.  If you're looking for a book that gives you an
 overview of ongoing research in AAA, the Wiley book is good.
 
   If you're looking for concepts that aren't covered anywhere else, my
 book (when I'm eventually done) will do that.
 
   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


Yes, they're generally pretty good for that.

What put me off the O'Reilly book was its age. Although I only started
using FreeRADIUS with 1.1.4, I've seen pretty rapid development.
So I was concerned about how much relevance a book published in 2002 has
today.

There are also amazingly useful, mostly undocumented features like SQL
xlat, which won't be covered anywhere except the mailing list archives.

But I guess for theory, reference books are still pretty good :)

Oh, BTW, on a completely unrelated subject: if you fix the 'Use
Client-Ip-Address / Packet-Src-IP-Address attribute as a check item' then
I can push the CVS head out live and give you some proper feedback ;)

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation & Accounting Officer
Infrastructure Services | ENG1 FF08
EXT:3900


Re: O'Reillys Radius Book - Worth buying

2007-04-16 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 What put me off the O'Reilly book was its age. Although I only started
 using FreeRADIUS with 1.1.4, I've seen pretty rapid development.
 So I was concerned about how much relevance a book published in 2002 has
 today.

  It covers RADIUS.  It's good for people who are completely new to RADIUS.

 There are also amazingly useful, mostly undocumented features like SQL 
 Xlat, which won't be covered anywhere except the mailing list archives.

  As always, patches are welcome.  Even patches to the documentation.

 Oh, BTW, on a completely unrelated subject: if you fix the 'Use
 Client-Ip-Address / Packet-Src-IP-Address attribute as a check item' then
 I can push the CVS head out live and give you some proper feedback ;)

  Yeah, it turns out that some of the Packet-Src-IP-Address compares
weren't even registered.  The code has been re-shuffled, and it should
now work, including with regular expressions.

  You'll have to list the expr module in the instantiate section for
Packet-Src-IP-Address to work, though.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: PAM Radius Authentication

2007-04-16 Thread Alan DeKok
daniel wrote:
 Apr 15 22:03:51 bill sshd[7861]: PAM unable to
 dlopen(/lib/security/pam_radius_auth.so)
 Apr 15 22:03:51 bill sshd[7861]: PAM [dlerror:
 /lib/security/pam_radius_auth.so: undefined symbol: __stack_chk_fail_local]

  You've built the module with stack overflow checking turned on, and
haven't linked it (or SSH) to the necessary library.

  How to fix this depends on your local system.

 Apr 15 22:03:51 bill sshd[7861]: PAM adding faulty module:
 /lib/security/pam_radius_auth.so
 
 I am running pam_radius_auth 1.3.16 and freeradius 1.1.6 on Ubuntu 6.10
 
 The pam_radius_auth module seems to be quite old, does anyone know if it
 still works?

  A new release should be out shortly.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Howto compile 1.1.6 on Fedora 6

2007-04-16 Thread Nicolas Baradakis
Jacob Jarick wrote:

 I personally hate rpms and will compile all apps so no, I try rpms as
 a last resort and Im not surprised when they fail with a big list of
 dependancies.

You were not told to pick up a random RPM on the net. The wiki
explains how to build yourself an RPM from sources. The resulting
package should run without problem on the host where it was
compiled.

Moreover, building a package allows you to uninstall the files
later, so you can cleanly upgrade the version of FreeRADIUS.
Residual files from a previous installation do weird things,
like the double free problem, for example.

-- 
Nicolas Baradakis



Re: rlm_sql: Bug in stripping output of dynamic strings {sql:...}

2007-04-16 Thread Milan Holub
Hi Alan,

On Sat, Apr 14, 2007 at 03:26:11AM +0200, Alan DeKok wrote:
 Milan Holub wrote:
  Unfortunately I'm getting the output stripped by the last character (byte):
  instead of getting 37 for session_count I get 3, instead of getting 1563
  for noresetcounterflat I get 156, instead of getting S3H for product_code
  I get S3. When the query returns 1 character I get empty output.
 
   Ah.  That looks like an issue with strlcpy.  Try a cvs update,
 I've fixed a line in sql_xlat.

==> Thanks for the fix. I've tested it and it seems to work!

Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--


3COM switches and freeradius

2007-04-16 Thread Molteni Davide
Can someone please post a working configuration for a 3Com switch (4500) to
authenticate against FreeRADIUS?

Thanks in advance

Re: Howto compile 1.1.6 on Fedora 6

2007-04-16 Thread Jacob Jarick
It wasn't a random RPM, and at the time I was unaware that the wiki had
been updated to list the latest RPMs etc. So binaries are fairly well
supported by FreeRADIUS, I take it.




Re: O'Reillys Radius Book - Worth buying

2007-04-16 Thread Jacob Jarick
I will put it on order, as a reference is better than nothing :) I have
used RADIUS before but not for ages (2000). I will be using it a lot at
this new job so I will need all the good references I can get.




Re: Segmentation fault for SNMP query

2007-04-16 Thread Alan DeKok
Kevin Bonner wrote:
 Try http://bugs.freeradius.org/show_bug.cgi?id=150
 
 I doubt that patch will still apply cleanly due to the many recent changes.  
 I'll see if I can test the CVS head later today and submit a newer patch.

  Please try the latest CVS.  I've added a patch based on yours.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: PAM Radius Authentication

2007-04-16 Thread daniel

Alan,

Thank you. How do I build the module with stack overflow checking turned off,
and also what library do I need to link it to?

Regards,

Daniel Davis




Re: PAM Radius Authentication

2007-04-16 Thread Alan DeKok
daniel wrote:
 Thank you. How do I build the module with stack overflow checking
 turned off, and also what library do I need to link it to?

  I have no idea.  Stack checking is part of your local system, not part
of the module.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Using Client-Ip-Address attribute in preprocess files

2007-04-16 Thread Forrest, Michael E.
 
 Nope, Client-IP-Address / Packet-Src-IP-Address don't work as check
 items in huntgroups or hints.

Well, all I can say is that Client-IP-Address currently works for
me within the huntgroup (haven't tried the hints file). I use it for
matching devices and applying policy thereafter from the users file.

Am currently on 1.1.5.



Re: PAM Radius Authentication

2007-04-16 Thread robinson santos

Alan,
I don't know if someone could help me. I got FR working and authenticating
against my AD. Here in my core switch (a Cisco 4507R) I have around 7 VLANs. I
was wondering if someone could explain to me how I could use FR and my
switch to use a different VLAN based on the user, and if it is a guest user, to
send them to a guest VLAN.

Thanks in advance.

Robinson Santos
Network Administrator
Fundação Joao Paulo II
www.cancaonova.com
São Paulo, Brasil



Re: Howto compile 1.1.6 on Fedora 6

2007-04-16 Thread Peter Nixon
On Mon 16 Apr 2007, Jacob Jarick wrote:
 It wasnt a random rpm and at the time I was unaware that the wiki had
 been updated to list the latest rpms etc. So binarys are fairly well
 supported by freeradius I take it.

Yep. The general plan is that we spend the time once building an RPM, and
then have far fewer questions on random build problems on various OSes.

Around 90% of build questions on the list are NOT bugs in FreeRADIUS :-)

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


password encoding flavours

2007-04-16 Thread Stefan Winter
Hi,

currently in the process of migrating to 1.1.6 and the User-Password
replacements. We used to have several entries, and for some of them I'm not
really sure what to do with them... if someone could add some clarity to that it
would be highly appreciated!

User-Password := something   => Cleartext-Password := something
Crypt-Password := unixcrypt => Crypt-Password := unixcrypt

(these are easy)

Crypt-Password := $1$somethingveryweird => SMD5-Password := somethingveryweird

(stripping the header, and $1$ means MD5 with 12-character salt, right?)

Crypt-Password := $2a$somethingveryweirdandevenlonger => -Password :=
somethingveryweirdandevenlonger

(no clue here... I read that $2a$ is a Blowfish crypt, but there is no
Blowfish-Password attribute, but apparently right now with 1.1.3 it works
anyway?)

Greetings,

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Freeradius + 3Com switch 4500

2007-04-16 Thread Patti Riccardo

Hi all,

Has anyone a sample configuration of 3Com 4500 switch to work with Freeradius?


THX in adv.

Riccardo

Re: Howto compile 1.1.6 on Fedora 6

2007-04-16 Thread Alan DeKok
Peter Nixon wrote:
 Yep. The general plan is that we spend the time once building an rpm, and
 then have much less questions on random build problems on various OS'

  Ideally, we should have packages on the web site.  This is sometimes
difficult to do...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: password encoding flavours

2007-04-16 Thread Alan DeKok
Stefan Winter wrote:
 User-Password := something   => Cleartext-Password := something
 Crypt-Password := unixcrypt => Crypt-Password := unixcrypt

  Yes.

 Crypt-Password := $1$somethingveryweird => SMD5-Password := somethingveryweird
 
 (stripping the header, and $1$ means MD5 with 12-character salt, right?)

  If you want.  I don't think it's necessary, though.

 Crypt-Password := $2a$somethingveryweirdandevenlonger => -Password :=
 somethingveryweirdandevenlonger
 
 (no clue here... I read that $2a$ is a Blowfish crypt, but there is no
 Blowfish-Password attribute, but apparently right now with 1.1.3 it works
 anyway?)

  Because the crypt support on your system interprets it, and Does The
Right Thing.

  If the crypt function on your system *didn't* support SMD5 passwords,
you would have to make FreeRADIUS know about SMD5.  As it is, I'll bet
if you just leave all of the Crypt-Password entries alone, they should
all work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
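Added example (written for this archive page; not code from the post or from FreeRADIUS) showing what the "$1$" and SMD5 formats in the exchange above actually are, since the question treats them as interchangeable. "$1$" is md5-crypt, the crypt(3) scheme that uses at most 8 salt characters and 1000 rounds of MD5; LDAP SMD5 is base64(MD5(password + salt) + salt) with the salt appended in clear. The two give different values for the same password and salt, so a "$1$" entry has to stay a Crypt-Password, where crypt(3) recognises the prefix, rather than being rewritten as an SMD5-Password. The script implements md5-crypt in pure Python, builds the SMD5 form for comparison, classifies a stored value by its prefix, and verifies a Crypt-Password the way crypt(3) callers do: the stored value is passed back as the salt and the regenerated hash is compared. "$2a$" (bcrypt) is only handled through the platform's crypt(3), via Python's crypt module where that module still exists. The passwords and salts used are constructed for the example.

```python
# Added example: md5-crypt ("$1$") versus LDAP SMD5, and Crypt-Password
# verification via the stored value's own prefix. Not from the post or FreeRADIUS.
import base64
import hashlib
import hmac
import warnings

try:
    with warnings.catch_warnings():  # the crypt module is deprecated in 3.11, gone in 3.13
        warnings.simplefilter("ignore")
        import crypt
except ImportError:
    crypt = None

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: emit `count` chars, least significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """Pure-Python md5-crypt, the "$1$" scheme of crypt(3): at most 8 salt
    characters, then 1000 rounds of MD5 over password/salt/digest mixtures."""
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]
    pw, sb = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(remaining, 16)])
    bit = len(pw)
    while bit:  # one byte per bit of the password length
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for rnd in range(1000):
        c = hashlib.md5(pw if rnd & 1 else final)
        if rnd % 3:
            c.update(sb)
        if rnd % 7:
            c.update(pw)
        c.update(final if rnd & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in order) + _to64(final[11], 2)
    return "$1$" + salt + "$" + encoded


def ldap_smd5(password, salt):
    """LDAP {SMD5}: base64(MD5(password + salt) + salt). Not the same as "$1$"."""
    sb = salt.encode()
    digest = hashlib.md5(password.encode() + sb).digest()
    return "{SMD5}" + base64.b64encode(digest + sb).decode()


def hash_scheme(stored):
    """Name the crypt(3) flavour of a stored Crypt-Password value by its prefix."""
    if stored.startswith("$1$"):
        return "md5-crypt"
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if stored.startswith("$5$"):
        return "sha256-crypt"
    if stored.startswith("$6$"):
        return "sha512-crypt"
    if len(stored) == 13 and "$" not in stored:
        return "des-crypt"
    return "unknown"


def verify_crypt_password(password, stored):
    """Check a password against a Crypt-Password value the way crypt(3) callers do:
    hand the stored value back as the salt and compare the regenerated hash."""
    if stored.startswith("$1$"):
        return hmac.compare_digest(md5_crypt(password, stored), stored)
    if crypt is None:
        raise NotImplementedError("no crypt(3) binding for " + hash_scheme(stored))
    regenerated = crypt.crypt(password, stored)
    return regenerated is not None and hmac.compare_digest(regenerated, stored)


def cross_check_system_crypt(password, salt):
    """True/False when the platform crypt(3) supports "$1$", None when it cannot be checked."""
    if crypt is None:
        return None
    system_hash = crypt.crypt(password, "$1$" + salt[:8] + "$")
    if not system_hash or not system_hash.startswith("$1$"):
        return None
    return system_hash == md5_crypt(password, salt)
```

Run on a Linux box that still has the crypt module, cross_check_system_crypt returns True, which is the quickest way to convince yourself that the pure-Python routine and the C library agree before trusting either with real password data.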


Re: PAM Radius Authentication

2007-04-16 Thread daniel

Alan,

I am trying to set up Unix authentication using RADIUS. Does the PAM module
support maximum session times? I am trying to set up a system where Linux
users authenticate against my existing RADIUS hotspot system and they are
forced to log out when their session expires.

Regards,

Daniel Davis




Re: Segmentation fault for SNMP query

2007-04-16 Thread Milan Holub
Hi Alan,

On Mon, Apr 16, 2007 at 01:52:43PM +0200, Alan DeKok wrote:
 Kevin Bonner wrote:
  Try http://bugs.freeradius.org/show_bug.cgi?id=150
  
  I doubt that patch will still apply cleanly due to the many recent changes. 
   
  I'll see if I can test the CVS head later today and submit a newer patch.
 
   Please try the latest CVS.  I've added a patch based on yours.

==> I've tested the latest CVS head:
- SNMP works until the 1st reload (HUP or snmp-write)
- then it behaves the same as with Kevin's old patch (described in this
  thread) ==> SNMP not working after reload
- debug flags survive reload (good!)
- with my config each reload eats an additional 620k of memory per thread!


Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--


Re: PAM Radius Authentication

2007-04-16 Thread Alan DeKok
daniel wrote:
 I am trying to set up Unix authentication using RADIUS.
 Does the PAM module support maximum session times?

  No, because PAM has no provisions for enforcing maximum session times.

  The setrlimit function call can enforce CPU time restrictions, but
that is *not* clock time.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Segmentation fault for SNMP query

2007-04-16 Thread Alan DeKok
Milan Holub wrote:
 - SNMP works until the 1st reload (HUP or snmp-write)
 - then it behaves the same as with Kevin's old patch (described in this
   thread) ==> SNMP not working after reload

  Hmm... OK.

 - debug flags survive reload (good!)
 - with my config each reload eats an additional 620k of memory per thread!

  That memory will be cleaned up after a few more HUPs.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


rlm_sql: readclients segmentation fault

2007-04-16 Thread Milan Holub
Hi Alan,

with the latest CVS head I've experienced the following serious bug:

radiusd.conf:
...
listen {
        ipaddr = *
        port = 0
        type = auth
}
listen {
        ipaddr = *
        port = 0
        type = acct
}
...


clients.conf:
client 127.0.0.1 {
        secret    = testing123
        shortname = localhost
}

sql.conf:
...
readclients = yes
...

When starting, rlm_sql says it's adding NASes from the DB:
freeradius -X:
BEGIN DEBUG
...
rlm_sql (sql): Read entry nasname=a.b.c.d,shortname=wlan-gw33,secret=secret
rlm_sql (sql): Adding client a.b.c.d (wlan-gw33) to clients list
rlm_sql (sql): Released sql socket id: 4
...
END DEBUG

When testing freeradius with radclient from localhost it works OK.
However, when sending some request from e.g. NAS a.b.c.d (wlan-gw33)
we end up with a segmentation fault:
BEGIN DEBUG
Nothing to do.  Sleeping until we see a request.

rad_recv: Access-Request packet from host a.b.c.d port 42926,
id=82, length=46
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 16225)]
0x08052987 in client_listener_find ()
(gdb)
(gdb)
(gdb) bt
#0  0x08052987 in client_listener_find ()
#1  0x080590df in main ()
#2  0x4024714f in __libc_start_main () from /lib/libc.so.6
END DEBUG

I can confirm that at least cvs build from 6.4. 2007 did not have such a
bug. Thus obviously there must be something rotten in latest cvs
commits...

Please advise.


Milan Holub
holub (at) thenet (dot) ch



Re: Segmentation fault for SNMP query

2007-04-16 Thread Milan Holub
Hi Alan,

On Mon, Apr 16, 2007 at 03:18:24PM +0200, Alan DeKok wrote:
   That memory will be cleaned up after a few more HUPs.
== Are you sure about that?

ps axu | grep rad:
freerad  16235  2.2  1.9  9448 4916 pts/0S15:31   0:00
freeradius -X

== initially we have 9448kb of memory used by freeradius process

After 10 HUPs:
for i in `seq 10`; do echo HUP $i; kill -HUP 16235; sleep 1; done

we end up with 15636kb
ps axu | grep rad:
freerad  16235  0.8  4.2 15636 10920 pts/0   S15:31   0:01
freeradius -X

15636-9448=6188

Thus after 10 HUPs the process takes 6188kb more space in memory than at
the beginning (and it's incrementing linearly with each HUP).

Please advise.


Milan Holub
holub (at) thenet (dot) ch



Re: rlm_sql: readclients segmentation fault

2007-04-16 Thread Arran Cudbard-Bell
Milan Holub wrote:
 Hi Alan,
 
 with the latest cvs head I've experienced following serious bug:
...

That's weird, I'm using CVS head from this morning and all is fine.

I'll recompile tomorrow when I have time.

I'm loading SQL clients in a separate instance of the SQL module though. 
Not that that should make any difference.

Oh and I'm binding to a single IP instead of wildcarding.

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation & Accounting Officer
Infrastructure Services | ENG1 FF08
EXT:3900


Re: rlm_sql: processing radcheck radgroupcheck

2007-04-16 Thread Milan Holub
Hi all,

just wondering whether everyone is happy with the current processing of
the radcheck & radgroupcheck tables. I just wanted to raise a discussion
about the rlm_sql module since on the wiki
http://wiki.freeradius.org/Development_Roadmap
we can read that there are some plans with this (really useful) module for the 
future.

Milan Holub
holub (at) thenet (dot) ch



Re: rlm_sql: readclients segmentation fault

2007-04-16 Thread Milan Holub
Hi Arran,

On Mon, Apr 16, 2007 at 02:50:19PM +0100, Arran Cudbard-Bell wrote:
 Thats weird, i'm using cvs head from this morning and all is fine.

== I'm using latest cvs head(at the time of writing). I have my own few minor
patches against cvs head but these really should not have any
impact...(and did not have before)

 
 I'll recompile tomorrow when I have time.

== please do

 
 I'm loading SQL clients in a separate instance of the SQL module though. 
 Not that, that should make any difference.

== I think so...

 
 Oh and i'm binding to a single ip instead of wildcarding.

== I've tried but without any impact :-(


Milan Holub
holub (at) thenet (dot) ch



Re: O'Reillys Radius Book - Worth buying

2007-04-16 Thread A . L . M . Buxey
Hi,
 Hi, I'm just getting started with freeradius (trying to nut out dynamic
 vlans atm) and I was wondering if this book would be a worthwhile
 purchase.
 
 I had a great experience with O'Reilly's BIND and Perl Cookbook books.
 Have any FR users used this book and if so your comments would be
 appreciated.

the O'Reilly book is a good resource if you are starting from minimal
RADIUS knowledge and want a bit more background. ie its good for beginners
through to experts. especially if you need to remind yourself of, eg,
the exact structure of accounting packets. however it was written at the
time of FreeRADIUS 0.9 - and is therefore a little dated with regards
to some of the newer modules and methods... also password expressions.
however it is a good fundamental start. 

for FreeRADIUS you can't go much better than the current deployingradius
site, source tarball docs and historical mailing archives - and
Alan's forthcoming book!  ;-)

alan


Re: Segmentation fault for SNMP query

2007-04-16 Thread Alan DeKok
Milan Holub wrote:
 Hi Alan,
 
 On Mon, Apr 16, 2007 at 03:18:24PM +0200, Alan DeKok wrote:
   That memory will be cleaned up after a few more HUPs.
 == Are you sure about that?

  Yes.

 After 10 HUPs:
 for i in `seq 10`; do echo HUP $i; kill -HUP 16235; sleep 1; done

  Try 32 HUPs.  The memory will increase, but won't grow after that.

  At some point in the future, it can be fixed to do more cleanups after
HUP.

  Alan DeKok.


Re: rlm_sql: readclients segmentation fault

2007-04-16 Thread Alan DeKok
Milan Holub wrote:
 Hi Alan,
 
 with the latest cvs head I've experienced following serious bug:
...

  You're using SNMP.  You ran into an assertion. Try cvs update.

  Alan DeKok.


Re: Segmentation fault for SNMP query

2007-04-16 Thread Alan DeKok
Milan Holub wrote:
 == I've tested latest cvs head:
 - snmp works until 1st reload(HUP or snmp-write)
 - then it behaves the same as with Kevin's old patch (described in this
   thread) == snmp not working after reload

  Ok, try now.  After some fighting with getting SNMPD to work, I can
now see the counters incrementing when I query it via snmpwalk.

  Alan DeKok.


Re: Using Client-Ip-Address attribute in preprocess files

2007-04-16 Thread Arran Cudbard-Bell
Arran Cudbard-Bell wrote:
 [EMAIL PROTECTED] wrote:
 Hi,

   
 Trying to use Client-Ip-Address in huntgroups and hints doesn't seem to 
 work,
 is this because the Client-Ip-Address is written to the request packet 
 at the end of pre-process
 and not the beginning ? Or is there more strangeness afoot ?
 
 are you sure you want Client-IP-Address and not NAS-IP-Address ?

 utilizing the NAS-IP-Address allows you to define authorization etc
 based on the access point that the user has connected via.

 alan
 NAS's can lie :)
 .
 
 I'm still trying to do this without perl... and this is the last thing! 
 The very last thing I need to make it all work.
 
 nas_hints
 #/* Authentication Mediums */
 #'802.1',  # 802.1 (Wired LAN)
 #'802.11', # 802.11 (Wireless LAN)
 #'IPSEC',  # IPSEC (VPN)
 #'SSH',  # Secure Shell/Nas Prompt Login
 #'HTTPS',  # Captive Portal/Nas Web Interface
 #'PROXY',  # Client Isn't a NAS it's an offsite Proxy
 #'unused', # For future use
 #'unused', # For future use
 #/* Extended Features */
 #'RADACCT',# NAS Can do RADIUS Accounting
 #'D802.Q', # NAS Can do Dynamic Vlan Assignment
 #'MULTIBESSID'); # NAS Can have multiple SSIDs / BSSIDs
 
 #
 # Debug entry for home testing.
 DEFAULT Packet-Src-IP-Address = '81.6.252.244'
 NAS-Feature-Set = '010'
 
 #
 # Set the 'PROXY' flag in the feature set for the JRS proxies
 DEFAULT Packet-Src-IP-Address == roaming0.ja.net
 NAS-Feature-Set = '010'
 
 DEFAULT Packet-Src-IP-Address == roaming1.ja.net
 NAS-Feature-Set = '010'
 
 DEFAULT Packet-Src-IP-Address == roaming2.ja.net
 NAS-Feature-Set = '010'
 
 #
 # Retrieve the feature set for all non-recognised clients 
 # from the NetReg3 Database
 DEFAULT NAS-Feature-Set =* ANY
 NAS-Feature-Set = %{sql_clients:SELECT 
 EXPORT_SET(master.nas_flags,'1','0','',20) FROM `master` WHERE 
 CONCAT(ip1,'.',ip2,'.',ip3,'.',ip4) = '%{Packet-Src-IP-Address}'}
 
 Need to be able to set static NAS profiles for the few weird clients 
 that can't be included in the NetReg clients database.
 
 *sigh*
 
 Don't suppose you know how to match multiple values in a request 
 attribute without regexp ? as in could be a,b or c ?
 Always assumed you couldn't , but may as well ask :)
 
 Thanks,
 Arran
 
 
 

Yep can confirm latest CVS commit fixed this,

Thanks Alan :D

Unfortunately Huntgroups are very broken ATM,

If the user is in the first huntgroup all is fine,
Even if that huntgroup has multiple entries.

If they're in the second huntgroup however, it doesn't match.

This is huntgroups in the order that they appear in the huntgroups file.

This isn't a major issue for me yet. But I know other people rely on 
them and would like them unbroken :)




Xlat Broken in SQL reply items.

2007-04-16 Thread Arran Cudbard-Bell
Sorry,
Another one for the list.

Dynamic expansion of reply items in SQL is broken
in current cvs head.

Reply-Message = Welcome %{User-Name} At wherever

Is printed as

Welcome %{User-Name} At wherever

Instead of Welcome Fluffy At Wherever.

Thanks,
Arran


Re: Using Client-Ip-Address attribute in preprocess files

2007-04-16 Thread Arran Cudbard-Bell
Arran Cudbard-Bell wrote:
 Don't suppose you know how to match multiple values in a request 
 attribute without regexp ? as in could be a,b or c ?
...

Hmm ignore the last message,

the issue is that now Packet-Src-IP-Address always matches! Everywhere.

Which explains the weirdness in hints and huntgroups.



Re: Xlat Broken in SQL reply items.

2007-04-16 Thread Nicolas Baradakis
Arran Cudbard-Bell wrote:

 Dynamic expansion of reply items in SQL is broken
 in current cvs head.
 
 Reply-Message = Welcome %{User-Name} At wherever

I'd suggest to try using back quotes in the table of reply items:
Reply-Message = `Welcome %{User-Name} At wherever`

-- 
Nicolas Baradakis



Re: O'Reillys Radius Book - Worth buying

2007-04-16 Thread Jacob Jarick
I will start reading it all ASAP, thanks alot guys :)

On 4/16/07, A.L.M. Buxey wrote:
 the O'Reilly book is a good resource if you are starting from minimal
 RADIUS knowledge and want a bit more background.
...


Re: Howto compile 1.1.6 on Fedora 6

2007-04-16 Thread Jacob Jarick
No probs guys, will check for bins 1st in future.

On 4/16/07, Alan DeKok wrote:
 Peter Nixon wrote:
  Yep. The general plan is that we spend the time once building an rpm, and
  then have much less questions on random build problems on various OS'

   Ideally, we should have packages on the web site.  This is sometimes
 difficult to do...

   Alan DeKok.


Re: SNMP with 1.1.6 and Net-SNMP 5.3

2007-04-16 Thread Kevin Bonner
On Monday 16 April 2007 03:53:52 Stefan Winter wrote:
 Thanks for the tip. Looking up the net-snmp.spec file of openSUSE 10.2, it
 appears that ucd-snmp compat should be there... the compile
 switches --enable-local-smux and --enable-ucd-snmp-compatibility are there.

 Any other hints? Otherwise, I guess I'll need to source-compile net-snmp
 :-(

 Stefan

Sorry, those few things were all I could think of.  I don't have an openSUSE 
server lying around, so I can't even confirm it works at all.  Hopefully the 
source compile of net-snmp and freeradius will uncover the actual problem.

-Kevin



LDAP server per realm

2007-04-16 Thread Sean McNamara
Hello everyone,

I'm working on finding a way to define multiple local realms and have 
each have a unique ldap profile associated with them. We want one 
associated with a particular realm, and the other to be the 
catchall/default case.  In addition to this, we're also using EAP/TTLS, 
which may or may not complicate the situation.  After googling a bit, I was 
under the impression that something along the following lines should work:
Here are the relevant parts of the the files I modified:

in proxy.conf:
realm VLS {
	type     = radius
	authhost = LOCAL
	accthost = LOCAL
}

in dictionary:
VALUE   Auth-Type   VU  1
VALUE   Auth-Type   VLS 2

VALUE   Autz-Type   VU  1
VALUE   Autz-Type   VLS 2

in users:
DEFAULT	Domain == VLS, Autz-Type := VLS


in radiusd.conf:

ldap vlsldap {

	set_auth_type = yes
}

ldap vuldap {

	set_auth_type = yes
}

authorize {
	...
	...
	Autz-Type VLS {
		vlsldap
	}
	vuldap

	...
}

authenticate {
	...
	Auth-Type VLS {
		vlsldap
	}
	vuldap
	...
}


When I attempt to authenticate, regardless of whether I specify a realm 
or not, it only checks the vuldap servers.  Any suggestions would be 
greatly appreciated!

Thank you..

..Sean.




Re: O'Reillys Radius Book - Worth buying

2007-04-16 Thread Thor Spruyt
Alan DeKok wrote:
  If you're familiar with RADIUS, it will contain little useful
 information.

I can confirm this.
I was pretty disappointed about the value of the book when I bought it 3 
years ago.
It doesn't go in depth into anything.

Thor.



RE: O'Reillys Radius Book - Worth buying

2007-04-16 Thread Alex M
Yeah, after reading that book I was barely able to install FR.
I would say it tells you more about the RADIUS protocol than actual FR.

Thor Spruyt wrote:
 I can confirm this.
 I was pretty disappointed about the value of the book when I bought it 3 
 years ago.
...


Re: LDAP server per realm

2007-04-16 Thread Alan DeKok
Sean McNamara wrote:
 I'm working on finding a way to define multiple local realms and have 
 each have a unique ldap profile associated with them.We want one 
 associated with a particular realm, and the other to be the 
 catchall/default case.  In addition to this, we're also using EAP/TTLS, 
 which may or not complicate the situation..  After googling a bit, I was 
 under the impression that something along the following lines should work:
 Here are the relevant parts of the the files I modified:
...
 in dictionary:

  Please don't edit the dictionaries.  The VALUEs you defined are
already defined as something else.  And the server will automatically
create the relevant values for you, so there's no need to edit the
dictionaries.

 in users:
 DEFAULT Domain == VLS, Autz-Type := VLS

  There is no Domain attribute.  You mean Realm.

 When I attempt to authenticate, regardless of whether I specify a realm 
 or not, it only checks the vuldap servers.  Any suggestions would be 
 greatly appreciated!

  If you run the server in debugging mode, you will see that your
current configuration does *not* match the entry in the users file
that you have.  Make the changes I suggest, and it should work.

  Alan DeKok.


Re: Xlat Broken in SQL reply items.

2007-04-16 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Aha, so the significance of the back ticks is... that the string will
 be sent through radius_xlat?

  Yes.  See doc/variables.txt, I believe.


 And this is true for reply attributes in all the 'files' processed files ?
 
 Or is this a special feature of rlm_sql ?

  It's part of the server core.

  Alan DeKok.


FR + AD + Vlans + LDAP help

2007-04-16 Thread Jacob Jarick
Hello,

I'm currently trying to configure freeradius to authenticate via a
win2k3 server, check the user's group and then return a confirmation/
denial + vlan id for the cisco WAP to process.

Questions:

1: Is ldap the only way of retrieving the user's group/s?

2: Can I talk directly to the ADS using the ldap client (or however
it's done) instead of setting up a linux openldap server?

3: Does the users entry look correct? It is meant to disallow people in the
group rejects, assign priv students to 1 vlan and students to the
other vlan:

# !! testing groups
DEFAULT	LDAP-Group == rejects, Auth-Type := Reject

DEFAULT	Auth-Type = ntlm_auth
	Fall-Through = 1

DEFAULT	LDAP-Group == staff
	Service-Type = Framed-User,
	Tunnel-Type = :1:VLAN,
	Tunnel-Medium-Type = :1:6,
	Tunnel-Private-Group-ID = :1:140

DEFAULT	LDAP-Group == students
	Service-Type = Framed-User,
	Tunnel-Type = :1:VLAN,
	Tunnel-Medium-Type = :1:6,
	Tunnel-Private-Group-ID = :1:141
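The reply items in the users entries above are what FreeRADIUS turns into RFC 2868 tagged tunnel attributes; the ":1:" prefix is the tag that tells the access point that Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID belong to the same VLAN description. The Python below is an added illustration, not code from this thread or from FreeRADIUS. It builds the Access-Accept that the staff entry produces (VLAN 140), computes the RFC 2865 Response Authenticator over it, and then plays the NAS side: it verifies the authenticator under the shared secret and extracts the VLAN only from a tag group whose Tunnel-Type and Tunnel-Medium-Type are consistent. The secret testing123 is the one from the clients.conf quoted earlier in this thread; the packet identifier and the Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# Attribute numbers from RFC 2865 / RFC 2868 and the values the users file
# above uses: Service-Type Framed-User, Tunnel-Type VLAN, Tunnel-Medium-Type 6.
SERVICE_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 6, 64, 65, 81
FRAMED_USER, VLAN, IEEE_802 = 2, 13, 6
ACCESS_ACCEPT = 2


def attr(kind, value):
    """Type-Length-Value; Length counts the two header bytes (RFC 2865 s5)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return bytes([kind, len(value) + 2]) + value


def tagged_int(kind, tag, value):
    """RFC 2868 s3.1: one tag byte (1..31) followed by a 3-byte integer."""
    if not 1 <= tag <= 0x1F or not 0 <= value < 1 << 24:
        raise ValueError("tag must be 1..31 and value must fit in 24 bits")
    return attr(kind, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(kind, tag, text):
    """RFC 2868 s3.6: one tag byte (1..31) followed by the string."""
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    return attr(kind, bytes([tag]) + text.encode())


def vlan_reply_attributes(vlan_id, tag=1):
    """The staff/students reply items; the same tag on every Tunnel-* attribute
    is what lets the NAS treat the three as one tunnel description."""
    return (attr(SERVICE_TYPE, struct.pack(">I", FRAMED_USER))
            + tagged_int(TUNNEL_TYPE, tag, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def access_accept(identifier, request_auth, secret, attributes):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_auth, secret):
    """NAS side: length field must match, authenticator must recompute under the secret."""
    if len(packet) < 20 or struct.unpack(">H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attributes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(attributes):
    """Walk the TLVs; returns (type, tag or None, value) tuples.  Tag 0 means untagged."""
    out, i = [], 0
    while i < len(attributes):
        if i + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        kind, length = attributes[i], attributes[i + 1]
        if length < 2 or i + length > len(attributes):
            raise ValueError("malformed attribute length")
        value = attributes[i + 2:i + length]
        if kind in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            out.append((kind, value[0], int.from_bytes(value[1:], "big")))
        elif kind == TUNNEL_PRIVATE_GROUP_ID and value and value[0] <= 0x1F:
            out.append((kind, value[0], value[1:].decode()))
        else:
            out.append((kind, None, value))  # untagged, or a first byte > 0x1F
        i += length
    return out


def assigned_vlan(packet, request_auth, secret):
    """Reject an unauthenticated reply; otherwise return the VLAN from a tag
    group whose Tunnel-Type is VLAN and Tunnel-Medium-Type is IEEE-802."""
    if not verify_response(packet, request_auth, secret):
        return None
    groups = {}
    for kind, tag, value in parse_attributes(packet[20:]):
        if tag is not None:
            groups.setdefault(tag, {})[kind] = value
    for attrs in groups.values():
        if (attrs.get(TUNNEL_TYPE) == VLAN and attrs.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    secret = b"testing123"            # the clients.conf secret quoted in this thread
    request_auth = bytes(range(16))   # constructed Request Authenticator
    reply = access_accept(82, request_auth, secret, vlan_reply_attributes(140))
    print(reply.hex())
    print("VLAN:", assigned_vlan(reply, request_auth, secret))
    print("wrong secret:", assigned_vlan(reply, request_auth, b"wrong"))
```

Run it to see the hex of the reply and the VLAN the access point would select. With a wrong secret, or with the Tunnel-Private-Group-ID altered in transit, assigned_vlan returns None instead of a VLAN; that shared-secret check is what stops a spoofed Access-Accept from moving a client into the staff VLAN, which is also why the secret in clients.conf (and in the rlm_sql nas table) matters as much as the group lookup.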


Re: Fwd: FR + AD + Vlans + LDAP help

2007-04-16 Thread Alan DeKok
Jacob Jarick wrote:
 I'm not sure what is happening atm, the wireless client tries to
 authenticate but fails.
 
 radiusd -X -A output: http://pastebin.ca/444005

  The debug output shows an error message from ntlm_auth.  Fix that.

 Now I am still assuming radius can auth against ADS using ldap (am I
 wrong or right there ppl), 

  No.  This comes up a lot, and the answer is always the same.  LDAP
servers don't do authentication.  They're databases.  FreeRADIUS is an
authentication server, not a database.  And Active Directory is barely
an LDAP server.  You can query it for *some* information, but not for
passwords.

  That's why ntlm_auth has to be used.

  Alan DeKok.


Re: FR + AD + Vlans + LDAP help

2007-04-16 Thread Alan DeKok
Jacob Jarick wrote:
 Im currently trying to configure freeradius to authenticate via a
 win2k3 server, check the users group and then return a confirmation/
 denial + vlan id for the cisco WAP to process.
 
 Questions:
 
 1: Is ldap the only way of retrieving the user's group/s?

  If the users and groups are in LDAP, yes.

 2 - Can I talk directly to the ADS using the ldap client (or however
 its done) instead of setting up a linux openldap server.

  Yes.  Just point the ldap module to active directory.

  Alan DeKok.