Re: Default Authentication
Norman Zhang wrote:
> This won't work, as Auth-Type = System will act as the clean-up default.
> All other Unix users will be able to login, except they have privilege = 1.
> I read through users(5) a few times, not sure if there's a way that I can
> avoid this. Can you give more hints?

If you want only groups A and B to log in, do:

DEFAULT	Group == A, Auth-Type = System
	...

DEFAULT	Group == B, Auth-Type = System
	...

DEFAULT	Auth-Type := Reject

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: multiple users with different service flows
Hello,

I've provided you my users file, attached to this mail. If I use this users
file, the users call and platf8 are authenticated, but the corresponding
RADIUS Access-Accept message contains the Service-Flow-Descriptor and
QoS-Descriptor values from the DEFAULT entry. If I use the users.wrong file
as the users file, then the Access-Accept message doesn't contain any
Service-Flow-Descriptor or QoS-Descriptor.

Maybe you could help me somehow.

Thanks.

Alan DeKok wrote:
> Cristian Novac wrote:
>> For now I have successfully run tests only if I've written these
>> attributes into a DEFAULT reply of the users file. But this technique
>> makes all users have the same service flows. If I try to add the two
>> attributes to a specific user's reply list of items (in the users file)
>> it doesn't work (the attributes are not sent in the RADIUS Access-Accept
>> message).
>
> Run the server in debugging mode to see what it's doing. Post samples
> from your users file here.
>
> Odds are the server is matching a DEFAULT early in the file, and you
> listed a user later in the file. If the DEFAULT doesn't have
> Fall-Through, later entries won't be matched. See man users for details.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Attached users file:

@zyxel.com	Auth-Type := Local, User-Password == alcatel
	Framed-MTU = 3795,
	Service-Flow-Descriptor += 0x0106000102040001040303050304060301070301080302,
	QoS-Descriptor += 0x01030104030205030006060001f4000c0302,
	QoS-Descriptor += 0x0103020403020503000606000fac0302404000c01,
	Fall-Through = Yes

#call	Auth-Type := Local, User-Password == alcatel
#	Session-Time-Out = 30,
#	Termination-Action = 0,
#	Service-Flow-Descriptor += 0x0106000102040001040303050304060301070301080302,
#	QoS-Descriptor += 0x01030104030205030006060001f4000c0302,
#	QoS-Descriptor += 0x0103020403020503000606000fac0302404000c01,
#	Fall-Through = Yes

#call	Auth-Type := System

call	Auth-Type := Local, User-Password == alcatel
	Session-Timeout = 3600,
	Termination-Action = 1,
	Class = 0x1234567890,
	User-Name = accounting,
#	3GPP2-Service-Option-Profile = 0x00010104a501,
	Service-Flow-Descriptor += 0x000104000102040001040303050304060301070301080302,
	QoS-Descriptor += 0x0001030104030205030006060001f4000c0302,
	QoS-Descriptor += 0x000103020403020503000606000fac0302,
	Service-Flow-Descriptor += 0x000104000302040003040303050301060301070304,
	QoS-Descriptor += 0x0001030404030606060001d4c0070600015f90090600140a0600190c03010d0400140e03c8

platf8	Auth-Type := Local, User-Password == alcatel
	Session-Timeout = 3600,
	Termination-Action = 1,
	Class = 0x1234567890,
	User-Name = accounting,
#	3GPP2-Service-Option-Profile = 0x00010104a501,
	Service-Flow-Descriptor += 0x000104000102040001040303050304060301070301080302,
	QoS-Descriptor += 0x0001030104030205030006060001f4000c0302,
	QoS-Descriptor += 0x000103020403020503000606000fac0302,
	Service-Flow-Descriptor += 0x000104000302040003040303050301060301070304,
	QoS-Descriptor += 0x0001030404030606060001d4c0070600015f90090600140a0600190c03010d0400140e03c8

# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see 'acct_users', in this directory.
#
# The first field is the user's name and can be up to
# 253 characters in length. This is followed (on the same line) with
# the list of authentication requirements for that user. This can
# include password, comm server name, comm server port number, protocol
# type (perhaps set by the hints file), and huntgroup name (set by
# the huntgroups file).
#
# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested. Only the first match is used unless the
# Fall-Through variable is set to Yes.
#
# A special user named DEFAULT matches on all usernames.
# You can have several DEFAULT entries. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# If you use the database support to turn this file
RE: Freeradius-Users Digest, Vol 25, Issue 9
Hi All,

Please suggest a free Diameter Server for me, as M is developing a Translation
Agent b/w RADIUS and Diameter and I need to send the RADIUS packets (decoded in
the form of Diameter packets) to a Diameter Server.

Khursheed Ahmed
QAU INTEGRATORS (S-05)
mailto:[EMAIL PROTECTED]
+92346-5099331
SkA

From: [EMAIL PROTECTED]
Reply-To: freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 25, Issue 9
Date: Thu, 03 May 2007 04:10:31 +0200

Today's Topics:

   1. Re: FreeRadius+AD integration ([EMAIL PROTECTED])
   2. Force Inner=Outer identity (Matt Ashfield)
   3. RE: FreeRadius+AD integration (Danner, Mearl)
   4. Re: Default Authentication (Norman Zhang)
   5. Missing Huntgroups Man Pages (Norman Zhang)
   6. Re: Problem with mysql authorization (Ian Truelsen)
   7. Re: Default Authentication ([EMAIL PROTECTED])
   8. RE: VLAN Queries [SEC=UNCLASSIFIED] (Ranner, Frank MR)
   9. Re: VLAN Queries [SEC=UNCLASSIFIED] (Jacob Jarick)

--
Message: 1
Date: Wed, 2 May 2007 15:18:21 +0100
From: [EMAIL PROTECTED]
Subject: Re: FreeRadius+AD integration
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

> Hi, It must be you. so you are the right person to tell me what is
> causing ntlm_auth to send OK.

huh? ntlm_auth is part of the SAMBA package. just do a 'man ntlm_auth'
or somesuch. check freeradius source code. there is no ntlm_auth.

if your SAMBA is configured in a different way, then it will be using
another authentication file - check your /etc/smb.conf or whatever it
is on your system! your SAMBA might be using PAM to authenticate
and the user is a valid user!

alan

--
Message: 2
Date: Wed, 2 May 2007 11:29:23 -0300
From: "Matt Ashfield" [EMAIL PROTECTED]
Subject: Force Inner=Outer identity
To: "'FreeRadius users mailing list'" freeradius-users@lists.freeradius.org

Hi All

Using EAP-TTLS PAP with FR authenticated against LDAP. In looking at our
monitoring software, it displays the user's outer identity. Problem is, a
user can specify any userID as its outer Identity and as long as it's a
valid outer Identity, that's what shows up in our monitoring software. Makes
user tracking quite difficult.

Is there any way to force a user's outer identity to equal their inner
identity?

Thanks

Matt Ashfield
[EMAIL PROTECTED]

--
Message: 3
Date: Wed, 2 May 2007 10:46:13 -0500
From: "Danner, Mearl" [EMAIL PROTECTED]
Subject: RE: FreeRadius+AD integration
To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org

Why not try this? Worked for us.

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

Note that the first thing configured is the Samba server. It doesn't
even mention installing the Freeradius server until after the Samba
configuration is completed.

> Hi, It must be you. so you are the right person to tell me what is
> causing ntlm_auth to send OK.

--
Message: 4
Date: Wed, 02 May 2007 11:05:22 -0600
From: Norman Zhang [EMAIL PROTECTED]
Subject: Re: Default Authentication
To: freeradius-users@lists.freeradius.org

Alan DeKok wrote:
>> Is there a way to force only group router-ro and router-rw can login?
>
> Switch the entries around:
>
> DEFAULT	Group == router-ro
> 	Fall-Through = Yes,
> 	cisco-avpair := "shell:priv-lvl=7"
>
> DEFAULT	Group == router-rw
> 	Fall-Through = Yes,
> 	cisco-avpair := "shell:priv-lvl=15"
>
> DEFAULT	Auth-Type = System
> 	Service-Type = NAS-Prompt-User

This won't work, as Auth-Type = System will act as the clean-up default.
All other Unix users will be able to login, except they have privilege =
1. I read through users(5) a few times, not sure if there's a way that I
can avoid this. Can you give more hints?

Norman

--
Message: 5
Date: Wed, 02 May 2007 11:41:57 -0600
From: Norman Zhang [EMAIL PROTECTED]
Subject: Missing Huntgroups Man Pages
To: freeradius-users@lists.freeradius.org

Is huntgroups(5) removed from FreeRADIUS? I googled but all end up with
dead links and downloaded 1.1.6 source, can't find it in there either.
Please help.

Norman

--
Message:
Re: multiple users with different service flows
Cristian Novac wrote:
> Hello,
> I've provided you my users file attached in this mail;

Please run the server in debugging mode, as suggested in the FAQ, README,
INSTALL, etc. It will tell you which users file entries are being matched.

Do NOT use Auth-Type := Local. I have no idea why people still do this.

Where you have:

user	Auth-Type := Local, User-Password == foo

Change it to:

user	Cleartext-Password := foo

Make that change before doing anything else. Then, run the server in
debugging mode, and send the output here.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
return code of session section ignored?
Hi Alan,

probably another bug report: in my radiusd.conf:

...
session {
	reject
}
...

and when authenticating some user:

2007-05-03 12:57:50.210429500 modcall[authenticate]: module perl returns ok for request 4
2007-05-03 12:57:50.210432500 modcall: group PERL returns ok for request 4
2007-05-03 12:57:50.210434500 Processing the session section of radiusd.conf
2007-05-03 12:57:50.210436500 modcall: entering group session for request 4
2007-05-03 12:57:50.210451500 modcall[session]: module reject returns reject for request 4
2007-05-03 12:57:50.210453500 modcall: group session returns reject for request 4
2007-05-03 12:57:50.210456500 Login OK: [skzxtz/xtbsjs] (from client localhost port 5281)
2007-05-03 12:57:50.210458500 Processing the post-auth section of radiusd.conf
2007-05-03 12:57:50.210460500 modcall: entering group post-auth for request 4

As you can see, group session returned REJECT but the user is accepted!
Is it a bug or a feature? Or am I missing something?

I've discovered this when having:

...
session {
	sql {
		fail = reject
	}
}
...

I'm using checkrad to query the NAS about the user. By the above I wanted to
assure that when the checkrad fails (e.g. because of a firewall) then by
default we assume that the user is logged in...

Please advise.

PS: Observed on cvs head from Apr 30 but I've checked changes since then and
I do not think this was fixed.

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
--

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Assign Vlan based on Inner Identity (was: Force Inner=Outer identity)
Hi All

I doubt my original post was doable; it probably doesn't make sense to ask FR
to be able to force Inner=Outer identity. In that case, would it be possible
to perform authorization based on the Inner identity instead of the Outer
identity?

Matt
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Ashfield
Sent: May 2, 2007 11:29 AM
To: 'FreeRadius users mailing list'
Subject: Force Inner=Outer identity

Hi All

Using EAP-TTLS PAP with FR authenticated against LDAP. In looking at our
monitoring software, it displays the user's outer identity. Problem is, a
user can specify any userID as its outer Identity and as long as it's a
valid outer Identity, that's what shows up in our monitoring software. Makes
user tracking quite difficult.

Is there any way to force a user's outer identity to equal their inner
identity?

Thanks

Matt Ashfield
[EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
expiration doesn't work in freebsd + mysql
Hello:

I'm getting a weird error using Expiration with the mysql backend in FreeBSD.
The same configuration works fine in Linux (CentOS) but not in FreeBSD 6.1.

In Linux, all works fine (freeradius 1.1.6 + mysql 5.0); I've tried both ==
and := operators and everything goes well.

In FreeBSD 6.1 (freeradius 1.1.6 + mysql 4.1) everything works fine until I
enable Expiration in the user's attributes. Despite the fact that I use the
same configuration, I get the following message, whatever the operator is:

Invalid operator for item Expiration: reverting to '=='
rlm_sql (sql): No matching entry in the database for request from user [EMAIL PROTECTED]

Has anyone had a similar experience?

Kind Regards
Richard Cotrina

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Assign Vlan based on Inner Identity
Matt Ashfield wrote:
> Hi All
> I doubt my original post was doable; it probably doesn't make sense to ask
> FR to be able to force Inner=Outer identity. In that case, would it be
> possible to perform authorization based on the Inner identity instead of
> the Outer identity?

Sure. See the copy_request_to_tunnel (which you may need) and
use_tunneled_reply (which you will need) config options on the particular
EAP type you're using, and put something like this into play:

DEFAULT	Freeradius-Proxied-To == 127.0.0.1, Autz-Type = INNER

...then in authorize:

authorize {
	preprocess
	files
	Autz-Type INNER {
		sql/ldap/files_2/whatever adds the vlan tag
	}
}

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Default Authentication
Alan DeKok wrote:
> If you want only groups A and B to log in, do:
>
> DEFAULT	Group == A, Auth-Type = System
> 	...
>
> DEFAULT	Group == B, Auth-Type = System
> 	...
>
> DEFAULT	Auth-Type := Reject

Thanks. Here's what I've done.

DEFAULT	Group == router-ro, Auth-Type = System
	Service-Type = NAS-Prompt-User,
	cisco-avpair := shell:priv-lvl=7

DEFAULT	Group == router-rw, Auth-Type = System
	Service-Type = NAS-Prompt-User,
	cisco-avpair := shell:priv-lvl=15

but I can't get the restriction for another group, fw-group, to work.

*added to users*

DEFAULT	Group == fw-group, Auth-Type = System
	Huntgroup-Name == fw-pix,
	Service-Type = NAS-Prompt-User,
	cisco-avpair := shell:priv-lvl=15

*added to huntgroups*

fw-pix	NAS-IP-Address == 10.0.0.1
fw-pix	NAS-IP-Address == 10.0.0.2

Group router-ro and router-rw can still login to the PIX. Can you give me a
few more pointers?

Norman

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
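As an added example, not code from the thread or from FreeRADIUS, the following Python models how the users file is walked according to the rule in the file's own header comment (first match wins unless that entry sets Fall-Through = Yes), loaded with Norman's three entries followed by Alan's DEFAULT Auth-Type := Reject. Huntgroup-Name is treated as a check item, as the header describes; the huntgroups table, user names and group memberships are constructed. Running it shows which entry each request stops at, for instance that a router-ro user on 10.0.0.1 is decided by the first DEFAULT and never reaches the fw-group entry.

```python
# Added example, not code from the thread or from FreeRADIUS: a model of how
# the users file is walked (entries tried in order; the first match is used
# unless it sets Fall-Through = Yes). Only authorization is modelled.

HUNTGROUPS = {"fw-pix": {"10.0.0.1", "10.0.0.2"}}   # constructed from Norman's lines

# (name, check items, reply items); a check item is (attribute, operator, value)
USERS = [
    ("DEFAULT", [("Group", "==", "router-ro"), ("Auth-Type", "=", "System")],
     {"Service-Type": "NAS-Prompt-User", "cisco-avpair": "shell:priv-lvl=7"}),
    ("DEFAULT", [("Group", "==", "router-rw"), ("Auth-Type", "=", "System")],
     {"Service-Type": "NAS-Prompt-User", "cisco-avpair": "shell:priv-lvl=15"}),
    ("DEFAULT", [("Group", "==", "fw-group"), ("Auth-Type", "=", "System"),
                 ("Huntgroup-Name", "==", "fw-pix")],
     {"Service-Type": "NAS-Prompt-User", "cisco-avpair": "shell:priv-lvl=15"}),
    ("DEFAULT", [("Auth-Type", ":=", "Reject")], {}),   # Alan's catch-all entry
]

def check_item_passes(request, item):
    """Apply one check item: '=' sets if unset, ':=' always sets; both match."""
    attr, op, value = item
    if op == ":=":
        request[attr] = value
        return True
    if op == "=":
        request.setdefault(attr, value)
        return True
    if attr == "Group":            # Unix group membership of the user
        return value in request["Groups"]
    if attr == "Huntgroup-Name":   # resolved through the huntgroups table
        return request["NAS-IP-Address"] in HUNTGROUPS.get(value, set())
    return request.get(attr) == value

def authorize(user, groups, nas_ip, users=USERS):
    """Return (result, reply items, indexes of the entries that matched)."""
    request = {"User-Name": user, "Groups": set(groups), "NAS-IP-Address": nas_ip}
    reply, matched = {}, []
    for idx, (name, checks, replies) in enumerate(users):
        if name not in ("DEFAULT", user):
            continue
        trial = dict(request)
        if not all(check_item_passes(trial, c) for c in checks):
            continue               # a check item failed: entry skipped
        request, matched = trial, matched + [idx]
        reply.update({k: v for k, v in replies.items() if k != "Fall-Through"})
        if replies.get("Fall-Through") != "Yes":
            break                  # first match wins, as users(5) documents
    if request.get("Auth-Type") == "Reject":
        return "Access-Reject", {}, matched
    return "Access-Accept", reply, matched

if __name__ == "__main__":    # router-ro user on the PIX: entry 0 wins, 2 never reached
    print(authorize("norman", {"router-ro"}, "10.0.0.1"))
    print(authorize("someone", {"users"}, "10.0.0.1"))   # no matching group: Reject
```

Passing a different entry list as the fourth argument lets you compare layouts, e.g. Norman's earlier version with Fall-Through = Yes and a trailing DEFAULT Auth-Type = System, where a user in no listed group still gets an Access-Accept.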
Re: Freeradius proxy code questions and proposed patch
Kostas Zorbadelos wrote:
> Precisely. But when we work in 'synchronous' mode we want the NAS to be in
> charge of the retransmission policy, not our proxy server. If the home
> server does not reply for any reason, we want the client (NAS) to notice
> it and retransmit. Eventually, the client will mark our proxy server dead
> not because it is its fault, but because the home server is not
> responding.

Have you tried using failover for home servers? The whole point of marking
a home server dead is to remove it from the pool of home servers. Then, if
another one in the same pool is alive, the proxy will use it.

If you don't mark the home server dead, then you can't do failover, and
your system becomes less robust.

>> Which server? All your patch does is make sure that the NAS marks the
>> proxying server as dead.
>
> Eventually, yes this is what the NAS will do. All that is due to the
> synchronous mode in proxy operation.

The solution is not to patch the code to make the proxying server dead.
The solution is to use more than one home server.

> I have read in the list about the major clean up version 2.0 of the
> server will be. While reading the code of versions 1.x I could see that
> there is great room for improvement. I will take a look in the 2.0
> sources and I look forward to testing it when it becomes available.

Please test it now. If everyone waits for 2.0 to be released before
testing it, then everyone will discover little problems that they don't
like. Spend some time now to give feedback, and 2.0 will be that much more
robust for everyone.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html