Mikrotik ignores Framed-IP-Address

2007-11-12 Thread Marinko Tarlac
Hello

I have a freeradius and Mikrotik combination and here is the problem.
Freeradius is configured to use a mysql database. When I add
Framed-IP-Address for a certain user (in the radreply table), for example

32 | user | Framed-IP-Address | 10.51.8.152 | :=

it works, but only if I don't have an IP pool created on Mikrotik. If I
create an IP pool then Framed-IP-Address is ignored. Framed-Pool is
specified for every group and the attributes for every group are added in
the radgroupreply table.

Log without IP pool

rad_recv: Access-Request packet from host 192.168.1.7:1026, id=229, length=149
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 870
NAS-Port-Type = Ethernet
User-Name = admin-test
Calling-Station-Id = 00:C0:CA:18:75:B3
Called-Station-Id = radius
NAS-Port-Id = ether1
CHAP-Challenge = 0x89a28dc77659b6311a88c16eb7500767
CHAP-Password = 0x01d385ce5c814c1d1db9cafadb4736c351
NAS-Identifier = 1.7 - h-0
NAS-IP-Address = 192.168.1.7
  rlm_chap: Setting 'Auth-Type := CHAP'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
  rlm_chap: login attempt by admin-test with CHAP password
  rlm_chap: Using clear text password perica for user admin-test
authentication.
  rlm_chap: chap user admin-test authenticated succesfully
Sending Access-Accept of id 229 to 192.168.1.7 port 1026
Framed-IP-Address := 192.168.8.152
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Ascend-Data-Rate := 0
Ascend-Xmit-Rate := 0
Framed-Pool := radius

Log with created IP pool called radius

rad_recv: Access-Request packet from host 192.168.1.7:1027, id=240, length=149
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 872
NAS-Port-Type = Ethernet
User-Name = admin-test
Calling-Station-Id = 00:C0:CA:18:75:B3
Called-Station-Id = radius
NAS-Port-Id = ether1
CHAP-Challenge = 0x5293ac8321ad51693a5e3109f8887511
CHAP-Password = 0x01b0a9f7bca1f632878bee51c13d667f5c
NAS-Identifier = 1.7 - h-0
NAS-IP-Address = 192.168.1.7
  rlm_chap: Setting 'Auth-Type := CHAP'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
  rlm_chap: login attempt by admin-test with CHAP password
  rlm_chap: Using clear text password perica for user admin-test
authentication.
  rlm_chap: chap user admin-test authenticated succesfully
Sending Access-Accept of id 240 to 192.168.1.7 port 1027
Framed-IP-Address := 192.168.8.152
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Ascend-Data-Rate := 0
Ascend-Xmit-Rate := 0
Framed-Pool := radius
rad_recv: Accounting-Request packet from host 192.168.1.7:1027,
id=241, length=146
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 872
NAS-Port-Type = Ethernet
User-Name = admin-test
Calling-Station-Id = 00:C0:CA:18:75:B3
Called-Station-Id = radius
NAS-Port-Id = ether1
Acct-Session-Id = 81d00316
Framed-IP-Address = 192.168.8.159
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Identifier = 1.7 - h-0
NAS-IP-Address = 192.168.1.7
Acct-Delay-Time = 0
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
Sending Accounting-Response of id 241 to 192.168.1.7 port 1027

Any ideas?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Mikrotik ignores Framed-IP-Address

2007-11-12 Thread tnt
Use one way to assign IP addresses: DHCP or radius. If you want to give
static addresses to devices, use dhcp pools (dynamic IP) and reservations
(static IP); if you want to give static IPs to users, then use radius
ippool (dynamic IP) and (static) IP address assignment.

Ivan Kalik
Kalik Informatika ISP



Re: Post-Auth REJECT - conditional sql

2007-11-12 Thread Alan DeKok
Rachel Primrose wrote:
 Version:  FreeRADIUS Version 1.1.3

  Please upgrade to 1.1.7.

 Problem:
 The LNS that will be sending requests to this server first sends an
 access request with just the realm with
 Service-Type=Outbound-User/Dialout-Framed-User (5).  We either accept
 the request and give the LNS some interesting reply items that tell it
 to authenticate the user at another radius server, OR we reject the
 access request and the LNS will then send us through an access request
 for [EMAIL PROTECTED] with Service-Type=Framed-User.

  It also sounds like you want to do more, but you haven't described
what that more really is.

 When the first realm access request comes through, we do not want to
 use the sql module to log it, regardless of what our reply will be.
 The problem is, that Post-Auth-Type is overwritten no matter what I
 set it to in the users file!

  That's confusing.  Say what you want to happen.  Don't say what's
going wrong.

 Configuration (just the important bits):
 
 users
 
 realm1.com Password==blah, Service-Type==Dialout-Framed-User,
 Auth-Type=Accept

  That is wrong.  This does NOT check the password!

 DEFAULT Auth-Type = LDAP, Autz-Type = ldap_user, Post-Auth-Type = ldap_user

  And you don't have a post-auth-type of ldap_user.

 post-auth {
Post-Auth-Type ldap{
   sql

  Why?  The names aren't magic.  There's no need to call it ldap if
it's not doing ldap.

 In the post-auth section Post-Auth-Type REJECT I want to conditionally
 run the sql module, based on the Service-Type attribute.

  To do... what?

  Alan DeKok.


Re: How to return Reply-Message when user submitted wrong password

2007-11-12 Thread A.L.M. Buxey
Hi,

 Hi Alan, thank you very much for the pseudo codes. I'm quite new to
 FreeRADIUS, so I need to check with you: are these for writing a new module?

no - that was pseudo code for use with the already existing PERL module

alan


Two more reasons to upgrade to 2.0

2007-11-12 Thread Alan DeKok
  Download CVS head, and:

$ man radiusd
...

  In short: -C now works.  Sort of.  The server doesn't open any
sockets.  It doesn't check SQL, LDAP, etc.  But modules which don't
depend on anything (i.e. chap), and modules which only read flat-text
files are checked for sanity when -C is used.

  The man page describes the limitations of -C.

$ kill -HUP `psgrep radiusd`

  This works.  Sort of.  For now, HUP *only* reloads the files module.
It doesn't change ANYTHING else in the server.  It doesn't reload,
re-open, or examine ANY of the configuration files such as
radiusd.conf, eap.conf, etc.

  With tiny amounts more work, a few other modules can be made to reload
on HUP.  i.e. preprocess, passwd, linelog, and a few others.

  Just as with -C, SQL and LDAP won't be reloaded on HUP.  Also, EAP
won't be reloaded on HUP.

  If you *really* need that functionality, it's a large amount of work,
and will need to be funded.

  Alan DeKok.


Does free radius support diameter? And If not is it easy to make it support diameter via modified the source code?

2007-11-12 Thread Liangliang Guo
Hi:
I have a node in my target system that has two interfaces, of which one
is diameter and the other is radius, so supporting only the radius protocol
does not meet the requirement. So does anybody know whether free radius
supports diameter or not (as far as I know it does not)? If not supported,
is there a way to make it support diameter by modifying the source
code, or something else? Is it a tough job or an easy one, and how much effort
would be needed?

Br
/Leon




Re: Post-Auth REJECT - conditional sql

2007-11-12 Thread Rachel Primrose
Thanks for the quick response.

I'll try to be more descriptive, the configuration does look a little
peculiar unless you know the order of events.

On Nov 13, 2007 1:54 AM, Alan DeKok [EMAIL PROTECTED] wrote:
 Rachel Primrose wrote:
  Version:  FreeRADIUS Version 1.1.3

   Please upgrade to 1.1.7.

I'll talk to the sys admins about this!


  Problem:
  The LNS that will be sending requests to this server first sends an
  access request with just the realm with
  Service-Type=Outbound-User/Dialout-Framed-User (5).  We either accept
  the request and give the LNS some interesting reply items that tell it
  to authenticate the user at another radius server, OR we reject the
  access request and the LNS will then send us through an access request
  for [EMAIL PROTECTED] with Service-Type=Framed-User.

   It also sounds like you want to do more, but you haven't described
 what that more really is.

So, here is the order of operations:

1.  User is trying to log in with [EMAIL PROTECTED]

2.  The LNS first tries to authenticate the realm.  It sends through
an access request packet to our radius server with
User-Name=realm.com, Service-Type=Dialout-Framed-User and Password =
cisco.
For certain realms only, we want to accept the request, and pass back
some cisco specific attributes.  For the rest of the realms, we want
to just reject the request.

3a.  If the LNS gets an accept packet back with cisco attributes, it
forwards an access request with [EMAIL PROTECTED] to a third party LNS.

3b.  If the LNS gets a reject packet back, it will then send an access
request packet to our radius server with User-Name = [EMAIL PROTECTED],
Service-Type=Framed-User and Password = user-provided password.

4.  We then authenticate/authorize against an ldap server, hence the
term ldap_user.

This setup enables us to have an l2tp setup with some specific clients.


  When the first realm access request comes through, we do not want to
  use the sql module to log it, regardless of what our reply will be.
  The problem is, that Post-Auth-Type is overwritten no matter what I
  set it to in the users file!

   That's confusing.  Say what you want to happen.  Don't say what's
 going wrong.

Please see the last paragraph for what I want to happen.


  Configuration (just the important bits):
 
  users
 
  realm1.com Password==blah, Service-Type==Dialout-Framed-User,
  Auth-Type=Accept

   That is wrong.  This does NOT check the password!

This is just accepting the first access request from the lns for a
particular realm, and then passing back the cisco attributes seen
below.  192.168.0.0 is the IP of the third party LNS (I have replaced
all the values with dummies of course; I would be a little concerned if
that was the actual IP).

realm1.com Password==cisco, Service-Type==Dialout-Framed-User,
Auth-Type=Accept
  Cisco-AVpair = vpdn:ip-addresses=192.168.0.0,
  Cisco-AVpair += vpdn:tunnel-type=l2tp,
  Cisco-AVpair += vpdn:l2tp-tunnel-password=blah,
  Cisco-AVpair += vpdn:tunnel-id=blah


  DEFAULT Auth-Type = LDAP, Autz-Type = ldap_user, Post-Auth-Type = ldap_user

   And you don't have a post-auth-type of ldap_user.

  post-auth {
 Post-Auth-Type ldap{
sql


Configuration error, fixed to:

DEFAULT Auth-Type = LDAP, Autz-Type = ldap_user, Post-Auth-Type := ldap_user

post-auth {
   Post-Auth-Type ldap_user {
      sql
   }
}

   Why?  The names aren't magic.  There's no need to call it ldap if
 it's not doing ldap.

I called it ldap_user in line with the autz-type to keep it simple for
people not that familiar with radius (there will be a number of people
maintaining this system, some of which have never worked with radius
before).


  In the post-auth section Post-Auth-Type REJECT I want to conditionally
  run the sql module, based on the Service-Type attribute.

   To do... what?

By conditionally run, I mean when the first access request packet with
just the realm arrives and is rejected, we do not want to log it in
the Post-Auth-Type REJECT section.
However, when the second access request arrives, if it is genuinely
rejected i.e. if the user does not exist, or the password is wrong, we
want to log it in the Post-Auth-Type REJECT section.


- Rachel Primrose


Re: Freeradius 1.1.7 no DB handles

2007-11-12 Thread steven meyer

I set max_connections to 200, but that didn't help. That can't really be the
reason, because I am the only user by now. My partner gave up on this
problem. But I need to get this thing running!
Maybe it's the mysql version? We run mysql 3.23 on suse 8.1...
Any ideas?

A.L.M.Buxey wrote:
 
 Hi,
 
 My DB-tables are empty, just accounting should be put into it. I do not
 need
 anything in usergroup for accounting etc, or do I?
 
 you are probably running more radius threads than you have DB handles -
 change
 the value in sql.conf  - and make sure you enable enough max_connections
 in
 your mysql (my.cnf) file
 
 alan


Re: Freeradius 1.1.7 no DB handles

2007-11-12 Thread A.L.M. Buxey
Hi,
 
 I set max_connections to 200, but that didn't help. That can't really be the
 reason, because I am the only user by now. My partner gave up on this
 problem. But I need to get this thing running!
 Maybe it's the mysql version? We run mysql 3.23 on suse 8.1...
 Any ideas?

can freeradius actually USE the MySQL? i.e. if you put values into
the tables - check values, or username - or even
use the naslist, does freeradius show such tables being put
to use? ..does the accounting table get filled as you use the
system?

have you got e.g. selinux running?  if so, check the logs...change
it to warn mode instead and check the logs...

alan


Re: Freeradius 1.1.7 no DB handles

2007-11-12 Thread steven meyer

Everybody can connect, I started mysql even with skip-grants... The mysql log
tells me Connect on radiusLOG when I start radiusd, but nothing else when
I log in to the switch.



Re: Mikrotik ignores Framed-IP-Address

2007-11-12 Thread Marinko Tarlac

Well, I'm trying to use it. When I enter for example

ID | UserName | Attribute | Value | op

32 | user | Framed-IP-Address | 192.168.8.152 | :=

in the radreply table, the user should get a static IP address (in this case
192.168.8.152), but this is ignored by Mikrotik because Framed-Pool is also
available, because the user is inside a specific group which has a defined IP pool. When
I delete the IP pool from Mikrotik everything works fine... It seems that finally I
will write a specific perl or php script which will be dedicated to deciding:

if framed-ip-address exists, send it to MT
	else send the IP-pool name






Re: Newbie question - number of radius requests per session?

2007-11-12 Thread Nathan Hay
Do I then remove ldap from the authorize section so that it doesn't call
it every packet?  I did a bunch of testing and it seems that I have to
do that to reduce the number of calls to our eDirectory servers.
 
Thanks for helping me out.
 
Nathan
 
Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
www.cedarville.edu ( http://www.cedarville.edu/ ) 

 Phil Mayers [EMAIL PROTECTED] 10/31/2007 9:12 AM 
On Wed, 2007-10-31 at 08:59 -0400, Nathan Hay wrote:
 I have FreeRadius 1.1.7 installed and talking to our eDirectory
 servers via LDAP to authenticate users to our wireless network.  It
 works great, but our eDirectory servers get hit with 11 requests each
 time a single client authenticates.  Running FreeRadius in debug mode,
 I see 10 requests of the format Access-Request packet from host
 10.0.0.1 and then Sending Access-Challenge of id 0 to 10.0.0.1 port
 1082.  Then I see a single final request of the format
 Access-Request packet from host 10.0.0.1 and then Sending
 Access-Accept of id 0 to 10.0.0.1 port 1082.  Each one of these 11
 requests performs a check of the user on our eDirectory servers, hence
 the 11 hits each time a single client authenticates.
  
 Is this normal or do I need to fix something?  I'd be glad to send the
 entire debug capture and my config if this is not normal.

EAP sessions typically cover tens of request/challenge packets.

You have configured the server to run the LDAP lookups on each packet,
as opposed to just once.

The easiest thing is to do this:

authorize {
  preprocess
  ...etc...
  eap
  ...etc...
  Autz-Type INNER {
    ldap
  }
}

...and in the users file:

DEFAULT	Freeradius-Proxied-To == 127.0.0.1, Autz-Type := INNER

This will match the inner packets of the EAP session, and tell the
server to run the Autz-Type sub-block of authorize (containing LDAP).

You may still see 2 lookups, since there may be a request/challenge and
request/accept inside the EAP tunnel, but it's better than 11.

Getting down to 1 lookup requires FreeRadius 2.0 (not currently
released)

  

Re: Mikrotik ignores Framed-IP-Address

2007-11-12 Thread tnt
Static addresses must not be from ippools.

Create a group dynamic in sql and assign all the users that will have such
addresses to it. Create an ippool dynamicIP (in freeradius, not mikrotik)
containing addresses free for dynamic IP use. Insert into the radgroupcheck
table Pool-Name dynamicIP with op := for group dynamic. Leave users with
static IPs as they are. Users should have a point-to-point netmask
(255.255.255.255).

No scripts needed.

Ivan Kalik
Kalik Informatika ISP



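Ivan's layout can be checked without a NAS in front of it. The script below is an added illustration, not code from the thread or from FreeRADIUS: it models rlm_sql's default lookup over a constructed in-memory copy of the radcheck/radreply/radgroupcheck/radgroupreply/radusergroup tables, a FreeRADIUS-side pool named dynamicIP, and the MikroTik behaviour reported above, where a Framed-Pool in the Access-Accept wins over Framed-IP-Address. The user names static-user and dyn-user, the group ppp-users, the passwords and the 192.168.9.x pool addresses are constructed.

```python
# Constructed illustration of the static-vs-dynamic IP split suggested above (not
# FreeRADIUS code); tables and lookup order follow rlm_sql's default SQL queries.
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply      (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
"""

def seed(conn, pool_in_every_group):
    """Insert constructed rows for two made-up users. True: the original layout,
    Framed-Pool := radius in radgroupreply for the group everyone is in. False:
    Ivan's layout, no Framed-Pool anywhere, group 'dynamic' carrying Pool-Name :=
    dynamicIP in radgroupcheck, static users keeping radreply rows and a /32 mask."""
    rows = [
        ("radcheck", ("static-user", "Cleartext-Password", ":=", "pw-static")),
        ("radcheck", ("dyn-user", "Cleartext-Password", ":=", "pw-dyn")),
        ("radreply", ("static-user", "Framed-IP-Address", ":=", "192.168.8.152")),
        ("radreply", ("static-user", "Framed-IP-Netmask", ":=", "255.255.255.255")),
        ("radusergroup", ("static-user", "ppp-users", 1)),
        ("radusergroup", ("dyn-user", "ppp-users", 1)),
        ("radgroupreply", ("ppp-users", "Framed-Protocol", ":=", "PPP")),
        ("radgroupreply", ("ppp-users", "Framed-MTU", "=", "576")),
    ]
    if pool_in_every_group:
        rows.append(("radgroupreply", ("ppp-users", "Framed-Pool", ":=", "radius")))
    else:
        rows.append(("radusergroup", ("dyn-user", "dynamic", 2)))
        rows.append(("radgroupcheck", ("dynamic", "Pool-Name", ":=", "dynamicIP")))
    for table, values in rows:  # table names come only from the fixed list above
        conn.execute(f"INSERT INTO {table} VALUES ({','.join('?' * len(values))})", values)

def apply_op(pairs, attr, op, value):
    """FreeRADIUS pair-list assignment operators: ':=' replace, '=' add only if absent,
    '+=' add another value. Comparison operators need request data, not modelled."""
    if op == ":=":
        pairs[attr] = [value]
    elif op == "=":
        pairs.setdefault(attr, [value])
    elif op == "+=":
        pairs.setdefault(attr, []).append(value)
    else:
        raise ValueError(f"operator {op!r} not modelled")

def sql_authorize(conn, username):
    """rlm_sql order: the user's own check and reply rows, then each radusergroup entry
    by priority with that group's check and reply rows; lists are {attr: [values]}."""
    control, reply = {}, {}
    q = "SELECT attribute, op, value FROM {} WHERE {} = ?"
    for row in conn.execute(q.format("radcheck", "username"), (username,)):
        apply_op(control, *row)
    for row in conn.execute(q.format("radreply", "username"), (username,)):
        apply_op(reply, *row)
    groups = conn.execute("SELECT groupname FROM radusergroup WHERE username = ? "
                          "ORDER BY priority", (username,)).fetchall()
    for (group,) in groups:
        for row in conn.execute(q.format("radgroupcheck", "groupname"), (group,)):
            apply_op(control, *row)
        for row in conn.execute(q.format("radgroupreply", "groupname"), (group,)):
            apply_op(reply, *row)
    return control, reply

def ippool_post_auth(control, reply, pools):
    """FreeRADIUS-side pool (rlm_ippool / rlm_sqlippool) in post-auth: if the control
    list names a Pool-Name and no Framed-IP-Address is set yet, hand out the next
    free address of that pool as Framed-IP-Address."""
    name = control.get("Pool-Name")
    if name and "Framed-IP-Address" not in reply:
        free = pools[name[0]]
        if not free:
            raise RuntimeError(f"pool {name[0]} exhausted")
        reply["Framed-IP-Address"] = [free.pop(0)]

def nas_address(reply):
    """Address the NAS ends up using, per the behaviour reported in the thread:
    a Framed-Pool in the Access-Accept wins over Framed-IP-Address on this MikroTik."""
    if "Framed-Pool" in reply:
        return "from NAS pool " + reply["Framed-Pool"][0]
    return reply.get("Framed-IP-Address", ["none"])[0]

def simulate(pool_in_every_group):
    """Run both users through authorize, pool assignment and the NAS choice."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    seed(conn, pool_in_every_group)
    pools = {"dynamicIP": ["192.168.9.10", "192.168.9.11"]}  # constructed pool
    outcome = {}
    for user in ("static-user", "dyn-user"):
        control, reply = sql_authorize(conn, user)
        ippool_post_auth(control, reply, pools)
        outcome[user] = nas_address(reply)
    return outcome

if __name__ == "__main__":
    print("Framed-Pool in every group:", simulate(True))  # static IP lost to NAS pool
    print("Ivan's layout:", simulate(False))              # static kept, dynamic from pool
```

With the pool in every group both users end up on the NAS pool, which is exactly the symptom in the first message; with Ivan's layout the static user keeps 192.168.8.152 and only the dynamic user draws from dynamicIP.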
RLM_python patch to enable postproxy - Not work need a little help

2007-11-12 Thread Mike O'Connor
Hi Guys

I wrote the attached patch for Freeradius 1.1.7 to enable calling
python in the post-proxy section; it compiles but will not run when the hook is
listed in post-proxy because Freeradius complains that there is no
support for post-proxy in rlm_python.

My question is: where in the source is the list of allowed calls per module?

Once I know this I can fix the attached patch and supply it as a tested patch.

Thanks
Mike
--- src/modules/rlm_python/rlm_python.c.orig2007-03-06 00:45:28.0 
+1030
+++ src/modules/rlm_python/rlm_python.c 2007-10-10 15:36:51.0 +0930
@@ -54,6 +54,7 @@
 char*mod_authenticate;
 char*mod_preacct;
 char*mod_accounting;
+char*mod_post_proxy;
 char*mod_checksimul;
 char*mod_detach;
 
@@ -63,6 +64,7 @@
 char*func_authenticate;
 char*func_preacct;
 char*func_accounting;
+char*func_post_proxy;
 char*func_checksimul;
 char*func_detach;
 
@@ -71,6 +73,7 @@
 PyObject *pModule_authenticate;
 PyObject *pModule_preacct;
 PyObject *pModule_accounting;
+PyObject *pModule_post_proxy;
 PyObject *pModule_checksimul;
 PyObject *pModule_detach;
 
@@ -80,6 +83,7 @@
 PyObject *pFunc_authenticate;
 PyObject *pFunc_preacct;
 PyObject *pFunc_accounting;
+PyObject *pFunc_post_proxy;
 PyObject *pFunc_checksimul;
 PyObject *pFunc_detach;
 };
@@ -120,6 +124,11 @@
   { func_accounting,  PW_TYPE_STRING_PTR,
 offsetof(struct rlm_python_t, func_accounting), NULL,  NULL},
 
+  { mod_post_proxy,  PW_TYPE_STRING_PTR,
+offsetof(struct rlm_python_t, mod_post_proxy), NULL,  NULL},
+  { func_post_proxy,  PW_TYPE_STRING_PTR,
+offsetof(struct rlm_python_t, func_post_proxy), NULL,  NULL},
+
   { mod_checksimul,  PW_TYPE_STRING_PTR,
 offsetof(struct rlm_python_t, mod_checksimul), NULL,  NULL},
   { func_checksimul,  PW_TYPE_STRING_PTR,
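Review bot: the two new configuration items mod_post_proxy and func_post_proxy introduced in this hunk are not documented anywhere in the patch; the module's sample configuration block that lists mod_accounting/func_accounting and the other hooks should gain matching mod_post_proxy and func_post_proxy lines, otherwise administrators have no way to discover that the new hook is configurable.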
@@ -490,6 +499,7 @@
 python_objclear(data-pFunc_authenticate);
 python_objclear(data-pFunc_preacct);
 python_objclear(data-pFunc_accounting);
+python_objclear(data-pFunc_post_proxy);
 python_objclear(data-pFunc_checksimul);
 python_objclear(data-pFunc_detach);
 
@@ -498,6 +508,7 @@
 python_objclear(data-pModule_authenticate);
 python_objclear(data-pModule_preacct);
 python_objclear(data-pModule_accounting);
+python_objclear(data-pModule_post_proxy);
 python_objclear(data-pModule_checksimul);
 python_objclear(data-pModule_detach);
 }
@@ -566,6 +577,12 @@
 data-pFunc_accounting)  0)
 goto failed;
 
+if (python_load_function(data-mod_post_proxy,
+data-func_post_proxy,
+data-pModule_post_proxy,
+data-pFunc_post_proxy)  0)
+goto failed;
+
 if (python_load_function(data-mod_checksimul,
 data-func_checksimul,
 data-pModule_checksimul,
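Review bot: nothing in this hunk guards the case where post-proxy is simply not configured and mod_post_proxy/func_post_proxy are NULL; the call mirrors the accounting and checksimul blocks around it, so this is only safe if python_load_function already treats a NULL module or function name as "hook not used" rather than as an error that jumps to failed. Worth confirming before shipping, since every existing deployment that lacks the new items would otherwise fail to load the module.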
@@ -633,6 +650,14 @@
accounting);
 }
 
+static int python_post_proxy(void *instance, REQUEST *request)
+{
+return python_function(
+   request,
+   ((struct rlm_python_t *)instance)-pFunc_post_proxy,
+   post-proxy);
+}
+
 static int python_checksimul(void *instance, REQUEST *request)
 {
 return python_function(
@@ -663,7 +688,7 @@
python_accounting,  /* accounting */
python_checksimul,  /* checksimul */
NULL,   /* pre-proxy */
-   NULL,   /* post-proxy */
+   python_post_proxy,  /* post-proxy */
NULL/* post-auth */
},
python_detach,  /* detach */
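Review bot: this method-table slot is what makes the server accept rlm_python in a post-proxy section, so the runtime complaint in the message ("no support for post-proxy in rlm_python") means the rlm_python shared object being loaded does not contain this change; as the reply below says, the rebuilt module has to be installed and the server restarted before the post-proxy listing can work. The slot is filled consistently with python_post_proxy defined in the previous hunk, and pre-proxy is deliberately left NULL.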


Re: Newbie question - number of radius requests per session?

2007-11-12 Thread Alan DeKok
Nathan Hay wrote:
 Do I then remove ldap from the authorize section so that it doesn't call
 it every packet?  I did a bunch of testing and it seems that I have to
 do that to reduce the number of calls to our eDirectory servers.

  Yes.  But it has to be listed inside of a sub-block, as described in
the message you responded to.

  Alan DeKok.


Re: RLM_python patch to enable postproxy - Not work need a little help

2007-11-12 Thread Alan DeKok
Mike O'Connor wrote:
 I wrote the attached patch for Freeradius 1.1.7 to enable calling
 python in the post-proxy section; it compiles but will not run when the hook is
 listed in post-proxy because Freeradius complains that there is no
 support for post-proxy in rlm_python.

  You didn't install the new version of rlm_python.  So it's still
linking to the old rlm_python, without post-proxy support.

 My question is: where in the source is the list of allowed calls per module?

  No.  The *only* interaction is in the modules.

  Alan DeKok.