Re: Post-Proxy attr_filter on Access-Accept Packets only

2007-10-10 Thread Alan DeKok
Mike O'Connor wrote:
 How do I only add a radius attribute via attr_filter on Access-Accept
 Packets ?

  Run attr_filter only on the post-auth section.  Or, are you doing
proxying?

 My current config is adding the attribute on accounting reply packets also.

  That doesn't matter too much.  It should be stripped out before the
reply is sent.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP+MD5+SQL trouble

2007-10-10 Thread tnt
It is probably a default setting of FreeRadius to go Local when it doesn't find 
an Auth method.

No. You are setting it. If it's not in radcheck, then in radgroupcheck
table.

Ivan Kalik
Kalik Informatika ISP



Re: IPv6 deployment howto

2007-10-10 Thread Alan DeKok
Matthias Cramer wrote:
 No, I use 1.1.3 because this is the last version which seams not to
 have the sighup bug.

  seems.  *NO* version of 1.x is safe under HUP.  Maybe it's easier to
reproduce in 1.1.4 and later.  But 1.1.3 isn't safe, either.

  I've been doing some massive code changes in the code in CVS in order
to enable HUP.  I don't think it will be in 2.0, but maybe 2.0.1, or 2.1.

  Handling HUP correctly is *hard*.

  Alan DeKok.


Accounting with Oracle and stored procedures

2007-10-10 Thread Tore Anderson
Hi.  I'm having problems integrating FreeRADIUS with Oracle
(Instantclient 10.2.0.3 library).  My client makes two stored
procedures available to me:

FUNCTION session_start(id_in IN VARCHAR2, terminal_address_in IN VARCHAR2, 
nas_address_in IN VARCHAR2, msisdn_in IN VARCHAR2, apn_in IN VARCHAR2, rat_in 
NUMBER, start_date_in IN DATE) RETURN INTEGER;

and

FUNCTION session_stop(id_in IN VARCHAR2, bytes_transmitted_in IN NUMBER, 
bytes_received_in IN NUMBER, stop_date_in IN DATE) RETURN INTEGER;

The juicy bits from my sql{} statement:

driver = rlm_sql_oracle
server = foobar
login = foobar
password = foobar
radius_db = (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=foobar)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=foobar)))
accounting_start_query = SELECT session_start('%{Acct-Session-Id}', 
'%{Framed-IP-Address}', '%{NAS-IP-Address}', '%{Calling-Station-Id}', 
'%{Called-Station-Id}', '0', TO_DATE('%S','-mm-dd hh24:mi:ss')) FROM dual
accounting_stop_query = SELECT session_stop('%{Acct-Session-Id}', '0', '0', 
TO_DATE('%S','-mm-dd hh24:mi:ss')) FROM dual

This is parsed correctly and FreeRADIUS (v1.1.0) starts up nicely
enough.  But when an accounting query comes in, I get the following
error:

rlm_sql (sql): Reserving sql socket id: 4
SELECT session_start('c16dd2c12dc4536a', '10.16.12.253', '10.0.0.1', 
'12341324', 'foobar', '0', TO_DATE('2007-10-10 16:16:19','-mm-dd 
hh24:mi:ss')) FROM dual
rlm_sql_oracle: execute query failed in sql_query: ORA-24374: define not done 
before fetch or execute and fetch
rlm_sql (sql): Attempting to connect rlm_sql_oracle #4
rlm_sql (sql): Connected new DB handle, #4
SELECT session_start('c16dd2c12dc4536a', '10.16.12.253', '10.0.0.1', 
'12341324', 'foobar', '0', TO_DATE('2007-10-10 16:16:19','-mm-dd 
hh24:mi:ss')) FROM dual
rlm_sql_oracle: execute query failed in sql_query: ORA-24374: define not done 
before fetch or execute and fetch
rlm_sql (sql): failed after re-connect
rlm_sql (sql): Couldn't insert SQL accounting START record - ORA-24374: define 
not done before fetch or execute and fetch

We've also tried changing from FUNCTION to PROCEDURE, but no change
in behaviour.

Anyone here had similar problems?  I'm thankful for any suggestions!

Regards
-- 
Tore Anderson


Question regarding the Expiration attribute

2007-10-10 Thread Terry Pelley
FreeRADIUS Version 1.1.7 on Novell SLES10

The question is simple but I can't seem to find the answer to it so I will
apologize in advance.

Can someone tell me the format for entering the date in the Expiration
attribute?

I'm using the users file to authenticate users on a small wireless
network, i.e.

testuser User-Password == testpass
Expiration = ???  (let's use today, 10 October 2007, as an example)

Thanks in advance. 




RE: Simultaneous-Use and PEAP doesn't work correctly.

2007-10-10 Thread Marcotte, Tyler
Hi, You said it's a bug in 1.x. I just tried the latest code in the cvs
repository (2.0 I believe) and I still get the same problem. After the
PEAP failure, it sends an Access-Challenge rather than an Access-Reject.


Am I missing anything else here?

Thank you in advance.

Regards,

-Tyler

  Marcotte, Tyler wrote:
   I've configured Simultaneous-Use on my freeradius server and have it
   configured to use PEAP as an authentication method. Users can
   authenticate perfectly well, however when the Simultaneous-Use limit
   is exceeded, it only half works. The user is not allowed on, the PEAP
   message is set to FAILURE, but no Access-Reject is ever sent. I have
   also tried with md5 authentication and it works as expected.
   Unfortunately, md5 authentication is not an option. What I really
   need is for that Reject to be sent back after the user logs on too
   many times.
 
It's a bug in 1.x.  Set reject_delay = 0.
 
Alan DeKok
 
 reject_delay = 0 is already set. If I check out the version from cvs
 will it have this problem fixed?
 
 -Tyler
 



Re: Question regarding the Expiration attribute

2007-10-10 Thread Thibault Le Meur

Terry Pelley wrote:

FreeRADIUS Version 1.1.7 on Novell SLES10

The question is simple but I can't seem to find the answer to it so I 
will apologize in advance.


Can someone tell me the format for entering the date in the 
Expiration attribute?


I'm using the users file to authenticate users on a small wireless 
network, i.e.


testuser User-Password == testpass
Expiration = ???  (let's use today, 10 October 2007, as 
an example)


Expiration is not a reply attribute but a configuration one, so you have 
to put it on the first line:


testuser User-Password == testpass, Expiration := 30 Jun 2009

HTH,
Thibault




Re: Simultaneous-Use and PEAP doesn't work correctly.

2007-10-10 Thread Alan DeKok
Marcotte, Tyler wrote:
 Hi, You said it's a bug in 1.x. I just tried the latest code in the cvs
 repository (2.0 I believe) and I still get the same problem. After the
 PEAP failure, it sends an Access-Challenge rather than an Access-Reject.

  That's completely different from what you said before.

 Am I missing anything else here?

$ radiusd -X

  Alan DeKok.


RE: Simultaneous-Use and PEAP doesn't work correctly.

2007-10-10 Thread Marcotte, Tyler
 Marcotte, Tyler wrote:
  Hi, You said it's a bug in 1.x. I just tried the latest code in the
  cvs repository (2.0 I believe) and I still get the same problem. After
  the PEAP failure, it sends an Access-Challenge rather than an
  Access-Reject.
 
   That's completely different from what you said before.
 
  Am I missing anything else here?
 
 $ radiusd -X
 
   Alan DeKok.

I had it attached to my first email. Here it is again inline though.

Thanks,

-Tyler


Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.3.88:1812, id=223,
length=185
NAS-IP-Address = 192.168.3.88
NAS-Port = 192
Cisco-NAS-Port = FastEthernet0/6
NAS-Port-Type = Ethernet
User-Name = user1
Called-Station-Id = 00-0D-29-53-6D-46
Calling-Station-Id = 00-09-6B-7C-1F-78
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x45d6de6646898817fedcc83eb8325436
EAP-Message =
0x0207001d1900170301001255c450b5120aec60b77bb555c8b9e89b6026
Message-Authenticator = 0x48d3b363a7a39d3120d016ea8ee0ef55
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 17
  modcall[authorize]: module preprocess returns ok for request 17
  modcall[authorize]: module chap returns noop for request 17
  modcall[authorize]: module mschap returns noop for request 17
rlm_realm: No '\' in User-Name = user1, skipping NULL due to
config.
  modcall[authorize]: module ntdomain returns noop for request 17
users: Matched entry DEFAULT at line 158
users: Matched entry DEFAULT at line 177
users: Matched entry user1 at line 223
  modcall[authorize]: module files returns ok for request 17
  rlm_eap: EAP packet type response id 7 length 29
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 17
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module pap returns noop for request 17
modcall: leaving group authorize (returns updated) for request 17
  rad_check_password:  Found Auth-Type System
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'user1'
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7 
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
EAP-Message = 0x020700061a03
  PEAP: Setting User-Name to user1
  PEAP: Adding old state with 21 a6
  PEAP: Sending tunneled request
EAP-Message = 0x020700061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = user1
State = 0x21a6b01dca8c206387e07f1b6ed3d5e2
NAS-IP-Address = 192.168.3.88
NAS-Port = 192
Cisco-NAS-Port = FastEthernet0/6
NAS-Port-Type = Ethernet
Called-Station-Id = 00-0D-29-53-6D-46
Calling-Station-Id = 00-09-6B-7C-1F-78
Service-Type = Framed-User
Framed-MTU = 1500
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 17
  modcall[authorize]: module preprocess returns ok for request 17
  modcall[authorize]: module chap returns noop for request 17
  modcall[authorize]: module mschap returns noop for request 17
rlm_realm: No '\' in User-Name = user1, skipping NULL due to
config.
  modcall[authorize]: module ntdomain returns noop for request 17
users: Matched entry DEFAULT at line 158
users: Matched entry DEFAULT at line 177
users: Matched entry user1 at line 223
  modcall[authorize]: module files returns ok for request 17
  rlm_eap: EAP packet type response id 7 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 17
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module pap returns noop for request 17
modcall: leaving group authorize (returns updated) for request 17
  rad_check_password:  Found Auth-Type System
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'user1'
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 17
modcall: leaving group authenticate (returns ok) for request 17
  Processing the session section of radiusd.conf
modcall: entering group session for request 17

Re: Simultaneous-Use and PEAP doesn't work correctly.

2007-10-10 Thread Alan DeKok
Marcotte, Tyler wrote:
...
   PEAP: Got tunneled reply RADIUS code 3
   Reply-Message := \r\nYou are already logged in - access
 denied\r\n\n
   PEAP: Processing from tunneled session code 0x81667248 3
   Reply-Message := \r\nYou are already logged in - access
 denied\r\n\n
   PEAP: Tunneled authentication was rejected.
   rlm_eap_peap: FAILURE
   modcall[authenticate]: module eap returns handled for request 17
 modcall: leaving group authenticate (returns handled) for request 17
 Sending Access-Challenge of id 223 to 192.168.3.88 port 1812

  So?  Why would you expect it to send an Access-Reject?  If you watch
what happens next in the conversation, you should see the side effects
of the Simultaneous-Use.

  I'm not surprised at this behavior.  It's what is *supposed* to happen.

  Alan DeKok.


RE: Simultaneous-Use and PEAP doesn't work correctly.

2007-10-10 Thread Marcotte, Tyler
   So?  Why would you expect it to send an Access-Reject?  If you watch
 what happens next in the conversation, you should see the side effects
 of the Simultaneous-Use.
 
   I'm not surprised at this behavior.  It's what is *supposed* to
happen.
 
   Alan DeKok.

I can understand that nowhere in any documentation does it say that an
Access-Reject is sent back (I just double-checked to verify). However,
what I don't understand is why not?

If you're using this with 802.1X (which I'm trying to do) the radius
client most likely does not understand reply-messages. It only
understands Access-Challenges, Requests, Accepts, and Rejects for types
of RADIUS packets. It can also understand other Vendor Specific
attributes depending on the vendor, but I've yet to encounter one that
can understand a Reply-Message.

If an end user isn't allowed onto the network because he's already logged
in, why wouldn't you want to send an Access-Reject? 



802.1x kerberos

2007-10-10 Thread Lisa Besko

Is there a way to do 802.1x with Kerberos authentication using Freeradius?

If there is, can anyone point me in the right direction?

We have been trying eap-ttls most recently with very little luck but 
everything I have read says this should be possible.  What are we missing?


Thanks,

LB


Problem with LDAP and Groups

2007-10-10 Thread Bryan Evege
Hello all.  First off here's what I want to accomplish in the end.  Use 
LDAP as the backend to store all user information including radius 
attributes, shell info and access to specific devices in specific 
locations.  For example, Johnny needs access to all linux boxes in 
Atlanta and priv-level 15 on  cisco routers in Denver.  Fred needs 
read/write access to all packet shapers in Denver and read only to all 
cisco devices in Atlanta and Denver.  You get the picture.


I've set up a test server following the document in 
/opt/freeradius/share/doc/freeradius/ldap_howto.txt without much 
difficulty.  This method does a good job of allowing only certain groups 
to access certain devices without messing with the huntgroups.


Here's the problem.  When a user logs in and is a member of more than 
one group radius only uses the first one to match.  I've included the 
users file below.  For example, if the user is a member of the cisco 
group and the packeteer group only the packeteer group information gets 
passed back because it is found before the cisco group.


Is there a way to say that the request is from a Cisco box so only look 
for the user in the cisco group?  If the user is then found in that 
group then pass back the correct attributes from their profile.  I know 
I would have to define what a cisco box is, probably by IP. 

Please let me know if this is even possible and if so provide an 
example.  If it is not possible please provide some direction on how to 
go about doing this.


Freeradius 1.1.7

*_Users file_*

DEFAULT Ldap-Group == acct_disabled, Auth-Type := Reject
   Reply-Message = Account disabled.  Please call the helpdesk.

DEFAULT Ldap-Group == packeteer_read_only,User-Profile := 
uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net, 
Auth-Type := LDAP

   Fall-Through = no

DEFAULT Ldap-Group == Packeteer,User-Profile := 
uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net, Auth-Type := LDAP

   Fall-Through = no

DEFAULT Ldap-Group == netscreen,User-Profile := 
uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net, Auth-Type := LDAP

   Fall-Through = no

DEFAULT Ldap-Group == cisco_priv_15,User-Profile := 
uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net, Auth-Type := 
LDAP

   Fall-Through = no

DEFAULT Ldap-Group == cisco_priv_1,User-Profile := 
uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net, Auth-Type := LDAP

   Fall-Through = no

DEFAULT Ldap-Group == netscreen,User-Profile := 
uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net, Auth-Type := LDAP


DEFAULT Auth-Type := Reject
   Reply-Message = Please call the helpdesk.

DEFAULT Auth-Type = System
   fall-Through = 1


Radiusd.conf ldap section

   ldap {
   server = localhost
   identity = cn=Manager,dc=csctus,dc=net
   password =  xxx
   basedn = ou=users,ou=radius,dc=csctus,dc=net
   filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   # base_filter = (objectclass=radiusprofile)
   
   # set this to 'yes' to use TLS encrypted connections

   # to the LDAP database by using the StartTLS extended
   # operation.
   # The StartTLS operation is supposed to be used with normal
   # ldap connections instead of using ldaps (port 689) connections
   #start_tls = yes

   # tls_cacertfile= /path/to/cacert.pem
   # tls_cacertdir= /path/to/ca/dir/
   # tls_certfile= /path/to/radius.crt
   # tls_keyfile= /path/to/radius.key
   # tls_randfile= /path/to/rnd
   # tls_require_cert= demand

   # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
   # profile_attribute = radiusProfileDn
   #default_profile = 
uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net

   #profile_attribute = radiusProfileDn
   
   #access_attr = DialupAccess


   # Mapping of RADIUS dictionary attributes to LDAP
   # directory attributes.
   dictionary_mapping = ${raddbdir}/ldap.attrmap

   ldap_connections_number = 5
   ldap_cache_timeout = 120
   ldap_cache_size = 0
   ldap_connections_number = 10

   #
   # NOTICE: The password_header directive is NOT case insensitive
   #
   # password_header = {clear}
   #
   # Set:
   #password_attribute = nspmPassword
   #
   # to get the user's password from a Novell eDirectory
   # backend. This will work *only if* freeRADIUS is
   # configured to build with --with-edir option.
   #
   #
   #  The server can usually figure this out on its own, and pull
   #  the correct User-Password or NT-Password from the database.
   #
   #  Note that NT-Passwords MUST be stored as a 32-digit hex
   #  string, and MUST start off with 0x, such as:
   #
   #0x000102030405060708090a0b0c0d0e0f
   #
   #  Without the leading 0x, NT-Passwords will not work.
   #  This goes for NT-Passwords stored in SQL, too.

Re: 802.1x kerberos

2007-10-10 Thread tnt
It should be. Use EAP-TTLS/PAP and configure kerberos module in
radiusd.conf:

http://wiki.freeradius.org/index.php/Rlm_krb5

Make sure that it works without EAP first.

Ivan Kalik
Kalik Informatika ISP




Get raddb/certs/bootstrap to work on systems where make is not gnu make

2007-10-10 Thread Scott Lambert
Attached is a simplistic patch to get raddb/certs/bootstrap to work on
systems where make is not GNU make.

The patch is to:

  radiusd/configure to add ./raddb/certs/bootstrap to the
  ac_config_files.

  radiusd/raddb/certs/bootstrap to get it ready to be repo-copied to
  radiusd/raddb/certs/bootstrap.in.

  I think radiusd/raddb/certs/bootstrap will then need to be cvs rm'ed.

Hopefully it will be useful.

-- 
Scott Lambert   KC5MLE   Unix SysAdmin
[EMAIL PROTECTED]

Index: configure
===
RCS file: /source/radiusd/configure,v
retrieving revision 1.134
diff -u -r1.134 configure
--- configure   5 Aug 2007 23:38:44 -   1.134
+++ configure   10 Oct 2007 21:50:38 -
@@ -25327,7 +25327,7 @@
   unset ac_cv_env_LIBS_set
   unset ac_cv_env_LIBS_value
 
-  ac_config_files=$ac_config_files ./Make.inc ./src/include/build-radpaths-h 
./src/main/Makefile ./src/main/checkrad.pl ./src/main/radlast 
./src/main/radtest ./scripts/rc.radiusd ./scripts/radwatch 
./scripts/check-radiusd-config ./scripts/radiusd.cron.daily 
./scripts/radiusd.cron.monthly ./scripts/cryptpasswd ./raddb/dictionary 
./raddb/radiusd.conf ./raddb/vmpsd.conf ./raddb/radrelay.conf
+  ac_config_files=$ac_config_files ./Make.inc ./src/include/build-radpaths-h 
./src/main/Makefile ./src/main/checkrad.pl ./src/main/radlast 
./src/main/radtest ./scripts/rc.radiusd ./scripts/radwatch 
./scripts/check-radiusd-config ./scripts/radiusd.cron.daily 
./scripts/radiusd.cron.monthly ./scripts/cryptpasswd ./raddb/dictionary 
./raddb/radiusd.conf ./raddb/vmpsd.conf ./raddb/radrelay.conf 
./raddb/certs/bootstrap
 
 cat confcache \_ACEOF
 # This file is a shell script that caches the results of configure
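Review bot: the `ac_config_files=...` change in this hunk edits the generated `configure` script directly, so the added `./raddb/certs/bootstrap` entry will be lost the next time `configure` is regenerated with autoconf; the same addition belongs in the `AC_CONFIG_FILES` (or `AC_OUTPUT`) list of the autoconf input file, with `configure` regenerated from it and both included in the patch. The hunk also only lists the file for substitution; because `config.status` writes output files without the execute bit, something still has to `chmod +x` the generated `bootstrap` (AC_CONFIG_FILES takes a commands argument for exactly this), otherwise the script cannot be run as before.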
Index: raddb/certs/bootstrap
===
RCS file: /source/radiusd/raddb/certs/bootstrap,v
retrieving revision 1.3
diff -u -r1.3 bootstrap
--- raddb/certs/bootstrap   19 Aug 2007 16:08:14 -  1.3
+++ raddb/certs/bootstrap   10 Oct 2007 21:50:38 -
@@ -12,4 +12,4 @@
 #
 umask 027
 cd `dirname $0`
-make ca server dh random
[EMAIL PROTECTED]@ ca server dh random
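Review bot: the `+` line of this hunk reads `[EMAIL PROTECTED]@ ca server dh random` in the archive, which is the list's address masking of what is presumably `+@MAKE@ ca server dh random` (an assumption; the original line is not recoverable from the page). Before committing, check that `configure` actually `AC_SUBST`s the variable named in that token, since stock autoconf only provides `SET_MAKE` via `AC_PROG_MAKE_SET` and an unsubstituted `@MAKE@` would be left literally in the generated script; a short comment above the line saying where the value comes from would also help the next reader.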

Re: Problem with LDAP and Groups

2007-10-10 Thread tnt
You can group devices in huntgroups and add Huntgroup-Name to those
DEFAULT profiles.

Ivan Kalik
Kalik Informatika ISP
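As an added example that is not part of any post in this thread, here is a small Python model of how the users file is walked, covering both points raised today: Thibault's answer that Expiration is a check item on the first line of an entry, and Ivan's suggestion of combining Huntgroup-Name with Ldap-Group in DEFAULT entries. The huntgroups and users files, the request contents and the accepted 'DD Mon YYYY' Expiration format are constructed assumptions; the Session-Timeout behaviour is modelled on rlm_expiration, not taken from the server's code.

```python
import datetime as dt
import re

# Constructed sample files (not from the posts): huntgroups naming NAS devices
# by address, and a users file mixing Huntgroup-Name, Ldap-Group and Expiration.
HUNTGROUPS = """\
cisco     NAS-IP-Address == 10.0.0.1
packeteer NAS-IP-Address == 10.0.1.1
"""
USERS = """\
DEFAULT Huntgroup-Name == cisco, Ldap-Group == cisco_priv_15, Auth-Type := LDAP
        Cisco-AVPair = "shell:priv-lvl=15",
        Fall-Through = no
DEFAULT Huntgroup-Name == packeteer, Ldap-Group == packeteer_read_only, Auth-Type := LDAP
        Fall-Through = no
testuser User-Password == testpass, Expiration := 30 Jun 2009
DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."
"""
ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,]+)')
MULTI = ('Huntgroup-Name', 'Ldap-Group')   # matched as "is a member of"


def parse_items(s):
    """'A == x, B := y' -> [(attr, op, value)] with quotes stripped."""
    out, pos = [], 0
    while pos < len(s):
        m = ITEM.match(s, pos)
        if not m:
            raise ValueError(f"cannot parse {s[pos:]!r}")
        out.append((m[1], m[2], m[3].strip().strip('"')))
        pos = m.end()
        while pos < len(s) and s[pos] in ' ,':   # skip the separator
            pos += 1
    return out


def parse_users(text):
    """Name and check items on the first line, reply items on indented lines."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in ' \t':
            entries[-1][2].extend(parse_items(raw.strip().rstrip(',')))
        else:
            name, _, rest = raw.partition(' ')
            entries.append((name, parse_items(rest.strip()), []))
    return entries


def huntgroups_for(request):
    """Names of every huntgroup whose check items all match the request."""
    return {n for n, checks, _ in parse_users(HUNTGROUPS)
            if all(request.get(a) == v for a, _, v in checks)}


def authorize(request, now):
    """First entry whose check items all match wins unless it sets Fall-Through;
    a past Expiration rejects, otherwise the time left becomes Session-Timeout."""
    request = {**request, 'Huntgroup-Name': huntgroups_for(request)}
    reply, matched = {}, False
    for name, checks, reply_items in parse_users(USERS):
        if name not in ('DEFAULT', request.get('User-Name')):
            continue
        if not all(v in request.get(a, ()) if a in MULTI else request.get(a) == v
                   for a, _, v in checks if a not in ('Auth-Type', 'Expiration')):
            continue
        matched = True
        for a, _, v in checks:
            if a == 'Auth-Type':
                reply['Auth-Type'] = v
            elif a == 'Expiration':            # date format is an assumption
                expires = dt.datetime.strptime(v, '%d %b %Y')
                if now >= expires:
                    return 'reject', {'Reply-Message': 'Password Has Expired'}
                reply['Session-Timeout'] = int((expires - now).total_seconds())
        fall = False
        for a, _, v in reply_items:
            if a == 'Fall-Through':
                fall = v.lower() in ('yes', '1')
            else:
                reply[a] = v
        if not fall:
            break
    rejected = not matched or reply.get('Auth-Type') == 'Reject'
    return ('reject' if rejected else 'accept'), reply
```

Run `authorize({'User-Name': 'johnny', 'NAS-IP-Address': '10.0.0.1', 'Ldap-Group': {'cisco_priv_15', 'packeteer_read_only'}}, dt.datetime(2007, 10, 10))` to see the cisco profile win even though the user is also in the packeteer group.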



Re: Post-Proxy attr_filter on Access-Accept Packets only

2007-10-10 Thread Mike O'Connor
Hi Alan
   Do you see it in the response packet?  Or in debug mode?  Or both?

Yes with verbose turned on in radclient you see the extra value pair
printed on the screen.

   CVS head has this fixed.  You can run separate pre/post proxy sections
   for authentication and for accounting.

Ok so when version 2 is released this issue will go away.

Mike