Re: how to enable ldap during authentication
Hi

Still something is wrong. I have the following authorize section:

authorize {
    preprocess
    auth_req_log
    suffix
    sql
    ldap
}

I tried such authenticate sections:

authenticate {
    Auth-Type LDAP {
        ldap
    }
    Auth-Type Digest {
        digest
    }
    Auth-Type PAP {
        pap
    }
}

authenticate {
    ldap
}

All the time I receive failed authentication, what do I miss here?

Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: - authorize
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: performing user authorization for tzl
Thu Jan 24 09:40:35 2008 : Debug: expand: ([EMAIL PROTECTED]) - (mail= [EMAIL PROTECTED])
Thu Jan 24 09:40:35 2008 : Debug: expand: ou=Touki,ou=People,dc=touk,dc=pl - ou=Touki,ou=People,dc=touk,dc=pl
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: performing search in ou=Touki,ou=People,dc=touk,dc=pl, with filter ([EMAIL PROTECTED])
request 5 done
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: Added User-Password = {MD5}SNNMxdM+Zfvr//0yEp0DuA== in check items
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: looking for check items in directory...
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == {MD5}SNNMxdM+Zfvr//0yEp0DuA==
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: looking for reply items in directory...
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: user tzl authorized to use remote access
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Jan 24 09:40:35 2008 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 3
Thu Jan 24 09:40:35 2008 : Debug: ++[ldap] returns ok
Thu Jan 24 09:40:35 2008 : Debug: auth: type Local
Thu Jan 24 09:40:35 2008 : Debug: auth: user supplied User-Password does NOT match local User-Password
Thu Jan 24 09:40:35 2008 : Debug: auth: Failed to validate the user.
Thu Jan 24 09:40:35 2008 : Auth: Login incorrect: [tzl/somepass] (from client localhost port 0)
Thu Jan 24 09:40:35 2008 : Debug: Found Post-Auth-Type Reject
Thu Jan 24 09:40:35 2008 : Debug: +- entering group REJECT
Thu Jan 24 09:40:35 2008 : Debug: modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 3
Thu Jan 24 09:40:35 2008 : Debug: expand: %{User-Name} - tzl
Thu Jan 24 09:40:35 2008 : Debug: attr_filter: Matched entry DEFAULT at line 11
Thu Jan 24 09:40:35 2008 : Debug: modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 3
Thu Jan 24 09:40:35 2008 : Debug: ++[attr_filter.access_reject] returns updated

regards
tomasz

2008/1/23 [EMAIL PROTECTED]:
> Uncomment ldap in authenticate section.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 23/1/2008, Tomasz Zieleniewski [EMAIL PROTECTED] writes:
>> Hi,
>>
>> I am using version 2.0.2-pre
>> I would like to use ldap for freeradius authentication. I couldn't find anything on web about this topic.
>> I have ldap module in the authorize section in my default virtual server. I see in the debug that ldap module returns ok during authorization.
>> Please point me what do I have to do to use ldap also for authentication. Is it enough to put ldap invocation in authentication section?
>> Below debug from authorization.
>>
>> Thanks a lot for any help!
>>
>> regards
>> -tomasz
>>
>> rlm_ldap: waiting for bind result ...
>> request 1 done
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in ou=Touki,ou=People,dc=touk,dc=pl, with filter ([EMAIL PROTECTED])
>> request 2 done
>> rlm_ldap: Added User-Password = {MD5}SNNMxdM+Zfvr//0yEp0DuA== in check items
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == {MD5}SNNMxdM+Zfvr//0yEp0DuA==
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user tzl authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap] returns ok

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SNMP error
i have OS RHEL5

Amr el-Saeed wrote:
> Hi Alan,
> yes, i'm sure i added the option in the SPEC file and then build the RPM
> and about the second issue, i didn't have a debugging kernel but i got one and install it and boot with it and got the same output !!
> any ideas ??
>
> thanks for help
>
> (gdb) set logging file gdb-radiusd.log
> (gdb) set logging on
> Copying output to gdb-radiusd.log.
> (gdb) run
> Starting program: /usr/sbin/radiusd
> (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found)
> [Thread debugging using libthread_db enabled]
> [New Thread 46912546236704 (LWP 5584)]
> (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found)
> Wed Jan 23 15:46:53 2008 : Info: Starting - reading configuration files ...
> (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found)
>
> Program exited normally.
> (gdb)
>
> [EMAIL PROTECTED] wrote:
>>> Hi, i followed the bugs file. i recompiled the freeradius with --enable-developer
>>> actually i made RPM file with ( rpmbuild -ta freeradius-1.1.7.tar.gz )
>>
>> are you SURE that this worked fine - as if you used the standard SPEC then you wouldn't enable the developer stuff.
>>
>>> (no debugging symbols found)
>>
>> you also need to ensure your kernel is built with debugging support
>>
>> alan
Re: how to enable ldap during authentication
Tomasz Zieleniewski wrote:
> Still something is wrong. I have the following authorize section:
...

In which the default configuration has been massively changed.

I'm not sure where else to document this:

If you are not clear on how the server works, then DO NOT CHANGE THE DEFAULT CONFIGURATION.

If the configuration you've created doesn't work, then it's clear that there's something missing. In that case, follow the instructions in the man page for how to create a working configuration.

...
> Thu Jan 24 09:40:35 2008 : Debug: ++[ldap] returns ok
> Thu Jan 24 09:40:35 2008 : Debug: auth: type Local

Something in your local changes has set Auth-Type := Local.

Can you please explain WHY you're doing that, WHERE you found documentation saying that it was a good idea, and WHAT you think it's doing?

The documentation that comes with 2.0 tries very hard to explain that setting Auth-Type is almost always wrong. Is there somewhere else we need to document this?

In addition, you're mapping a hashed password to a clear-text password:

> Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == {MD5}SNNMxdM+Zfvr//0yEp0DuA==

Again, this is NOT in the default configuration, and WILL NOT WORK.

Start off with the default configuration. Configure the ldap module, and un-comment it from the authorize section. Your tests SHOULD work.

Alan DeKok.
Unsubscribe
Unsubscribe.

Thanks,

Attention: Any non-official business related views, opinions and other information presented in this electronic mail are solely those of the sender/author. Burgan Bank does not endorse or accept responsibility for their opinions. If you are not the addressee indicated in this mail or responsible for delivering this message to the intended, you should delete this message and notify the sender immediately.
---
Burgan Bank S.A.K
www.burgan.com
Re: Don't work freeradius with MySQL.
hi,

turn on the SQL debug logging in FreeRADIUS and see what the output of the SQL was

alan
Re: Don't work freeradius with MySQL.
> rad_recv: Access-Request packet from host 192.168.1.7:1119, id=0, length=44
>         User-Name = fred
>         User-Password = wilma
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module preprocess returns ok for request 0
>   modcall[authorize]: module chap returns noop for request 0
>   modcall[authorize]: module mschap returns noop for request 0
>     rlm_realm: No '@' in User-Name = fred, looking up realm NULL
>     rlm_realm: No such realm NULL
>   modcall[authorize]: module suffix returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module eap returns noop for request 0
> ==radius_xlat: '' ##
>   modcall[authorize]: module sql returns fail for request 0
> modcall: leaving group authorize (returns fail) for request 0

OK. You have done something to radiusd.conf and broken the configuration. Username should appear in there. Go back to the default configuration, only uncomment sql entries and try again.

Ivan Kalik
Kalik Informatika ISP
Re: extract different field from ldap on nas's ip address base
> Is it possible to extract (to filter) different field in a ldap entry on the base of the nas ip address?

ok i've found out this old thread
http://lists.cistron.nl/pipermail/freeradius-users/2004-December/039132.html
and it was really useful, but i still have problem to make the rule in users file match the packet.

can someone tell me where to find out a guide, tutorial, README about the fields i can use in the rules inside users file?

thanks,
arjuna
Re: SNMP error
Hi,

> i have OS RHEL5

it looks like it didn't build with the required debug parts - once again, as you are using the SPEC for your distro they could have other things that mess it up - I can only help if you build from the source and leave package management stuff alone.

alan
Re: EXAMPLE: unlang removing attribute inside a test
Hi Alan

The documentation does not mention these options so I assume that you mean it would need writing ?

> One option is to add more filtering operators. e.g. -~, meaning regex match, and remove.
>
> Or perhaps a better way, is to add a filter section:
>
> filter request {
>     # filter out attributes matching the following
>     Foo =~ /bar/    # remove by regex
> }
>
> Also, adding a require section may be useful, too:
>
> require request {
>     # filter out attributes NOT matching
>     Foo =~ /bar/
> }

As I have not written much C code in 15 years, it's going to take me a while to work that one out.

Cheers
Mike
Re: extract different field from ldap on nas's ip address base
Look at the freeradius dictionaries. All of those.

Ivan Kalik
Kalik Informatika ISP

On 24/1/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
>> Is it possible to extract (to filter) different field in a ldap entry on the base of the nas ip address?
>
> ok i've found out this old thread
> http://lists.cistron.nl/pipermail/freeradius-users/2004-December/039132.html
> and it was really useful, but i still have problem to make the rule in users file match the packet.
>
> can someone tell me where to find out a guide, tutorial, README about the fields i can use in the rules inside users file?
>
> thanks,
> arjuna
RE: unlang? - reject unknown?
> man unlang. Look for case-insensitive.
>
> In this case, you would delete that users file entry, and use unlang
>
> authorize {
>     ...
>     if (%{User-Name} =~ /special/i) {
>         update reply {
>             Reply-Message = Cannot use this user account
>             reject
>         }
>     }
>     ...
>
> That should work.

I added this to the authorize section of radiusd.conf just after preprocess and before auth_log and it gives the error:

radiusd.conf[1810]: ERROR: Unknown attribute reject
radiusd.conf[1808]: Failed to parse update subsection.
radiusd.conf[1788]: Errors parsing authorize section.

Have I messed up here by misunderstanding you completely!
Re: EXAMPLE: unlang removing attribute inside a test
Mike O'Connor wrote:
> The documentation does not mention these options so I assume that you mean it would need writing ?

Yes.

Alan DeKok.
Re: unlang? - reject unknown?
Dean, Barry wrote:
> I added this to the authorize section of radiusd.conf just after preprocess and before auth_log and it gives the error:
>
> radiusd.conf[1810]: ERROR: Unknown attribute reject
> radiusd.conf[1808]: Failed to parse update subsection.
> radiusd.conf[1788]: Errors parsing authorize section.
>
> Have I messed up here by misunderstanding you completely!

Nope. It should be:

if (...) {
    update reply {
        Reply-Message := ...
    }
    reject
}

Alan DeKok.
Re: Re: Problem with Vista EAP-PEAP Authentication
Hi All,

I solved this problem using cert gen tools from 2.0.1 version of FreeRadius, as advised by Alan.

Sending Access-Accept of id 108 to 10.40.0.114 port 1073
        User-Name = LDAPAFONE\\nsouleman
        MS-MPPE-Recv-Key = 0x98a6ba5cb9a9a972244128a592224d932a0350aaf8d4dda665a7472e4479c0b7
        MS-MPPE-Send-Key = 0x07405f0d8af6adda158c16a0dbb2581c9be219dcf251fc9c8d74bb8c2498edb4
        EAP-Message = 0x03090004
        Message-Authenticator = 0x

Thanks, problem Solved.

Nicolas SOULEMAN.
Re: Force Auth-Type
Alan DeKok [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Markus Moeller wrote:
>> I am new to freeradius and try to authenticate users with pam and authorize with ldap groups. I try to find a minimal configuration but have some problems forcing the Auth-Type to be PAM.
>
> You are aware that this will make EAP and many other authentication methods impossible?

That is not my requirement right now ...

>> authorize {
>>     auth_log
>>     ldap
>> }
>
> You can add the following just after ldap:
>
> update control {
>     Auth-Type := PAM
> }

Only if I set set_auth_type = yes in radiusd.conf for ldap and change authorize in default to:

Auth-Type LDAP {
    pam
}

That was the only way I could get it to work. If I use update control anybody can login, whereas in my setup only a user who exists in ldap gets Auth-Type set to LDAP; all other users have an empty value and therefore can not authenticate.

> Please don't do that.
>
>> Is there also a way to disable the use of the ldap.attribute mapping as I really don't need it ?
>
> You'll have to edit the source code.

I have changed my setup to use files and a users file together with a private radius attribute mapped to an ldap entry. e.g.

dictionary has:
    Attribute user-location 3000 string

ldap.attrmap:
    checkitem user-location office-address

in users I have

DEFAULT user-location == LDN, Auth-Type := Reject
        Reply-message = You are not allowed to login

DEFAULT Auth-Type := PAM

in site-enabled/default I have

Authorize {
    ldap
    files
}

authenticate {
    pam
}

Unfortunately that does not work as I never hit the first default statement in users despite having a user-location of LDN. What do I do wrong here ? How can I use an ldap query result to deny/allow access ?

> Alan DeKok.

Thank you
Markus
Re: SNMP error
Amr el-Saeed wrote:
> i have OS RHEL5
>
> yes, i'm sure i added the option in the SPEC file and then build the RPM
> and about the second issue, i didn't have a debugging kernel but i got one and install it and boot with it and got the same output !!
>
> made RPM file with ( rpmbuild -ta freeradius-1.1.7.tar.gz )

rpmbuild creates a separate package with the debugging information. You need to install the debuginfo rpm which was created in addition to the other rpms it created to get the debugging symbols, etc.

I doubt you'll need a kernel with debugging.

--
John Dennis [EMAIL PROTECTED]
simple Ldap-group search
Background:
When a user associated with the ssid Guest, the user will authenticate against a FreeRadius server. If he has a university account, the FreeRadius server will authenticate him via LDAP. If he does not have a university account, the FreeRadius server will do the authentication with a guest account database.

Goal:
To reduce the chance to do the LDAP search, the LDAP-group search is successful if the user is in the LDAP and no matter which LDAP group he is in.

My shot and the problem:
I am trying to do a wildcard search in LDAP-Group search, but it looks like the wildcard could not work.

Related entries in the file users,
omitted
DEFAULT Called-Station-Id =~ .*Guest, myldap-Ldap-Group == *, Autz-Type := Ldap1, Auth-Type := Ldap1
DEFAULT Called-Station-Id =~ .*Guest, Group == guest, Autz-Type := Web, Auth-Type := System
omitted

Debug output,
output omitted
rlm_ldap: performing search in ou=people,dc=myuniv,dc=ca, with filter ((cn=*)(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUnique Names)(uniquemember=
output omitted
rlm_ldap::groupcmp: Group * not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [cxu] (from client localhost port 0)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0

Questions:
1. Is there any way to make the wildcard LDAP-group search work?
2. Whether unlang could be applied here and how?
3. Any advice?

Thanks!
Andrew
Re: how to enable ldap during authentication
On Jan 24, 2008 9:59 AM, Alan DeKok [EMAIL PROTECTED] wrote:
> Tomasz Zieleniewski wrote:
>> Still something is wrong. I have the following authorize section:
> ...
>
> In which the default configuration has been massively changed.
>
> I'm not sure where else to document this:
>
> If you are not clear on how the server works, then DO NOT CHANGE THE DEFAULT CONFIGURATION.
>
> If the configuration you've created doesn't work, then it's clear that there's something missing. In that case, follow the instructions in the man page for how to create a working configuration.
>
> ...
>> Thu Jan 24 09:40:35 2008 : Debug: ++[ldap] returns ok
>> Thu Jan 24 09:40:35 2008 : Debug: auth: type Local
>
> Something in your local changes has set Auth-Type := Local.

I didn't set it explicitly. I don't know what caused setting Auth-Type to Local!! But I found my error. The problem was in ldap: I didn't have Auth-Type set in radius and I used old config from docs directory which didn't have set_auth_type parameter.

> Can you please explain WHY you're doing that, WHERE you found documentation saying that it was a good idea, and WHAT you think it's doing?
>
> The documentation that comes with 2.0 tries very hard to explain that setting Auth-Type is almost always wrong. Is there somewhere else we need to document this?
>
> In addition, you're mapping a hashed password to a clear-text password:
>
>> Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == {MD5}SNNMxdM+Zfvr//0yEp0DuA==
>
> Again, this is NOT in the default configuration, and WILL NOT WORK.

Similar problem: my LDAP server returns hashed passwords instead of plain-text. I added an additional parameter in LDAP which solved the issue.

> Start off with the default configuration. Configure the ldap module, and un-comment it from the authorize section. Your tests SHOULD work.
>
> Alan DeKok.
Re: Project site down
On Wed 23 Jan 2008, Frank Büttner wrote:
> Hello,
> can it be, that the site is down?

Unfortunately apache is getting stuck for some reason. I am still trying to figure out why. Sorry for the bumps.

--
Peter Nixon
http://peternixon.net/
Re: Force Auth-Type
Markus Moeller wrote:
> That was the only way I could get it to work. If I use update control anybody can login, whereas in my setup only a user who exists in ldap gets Auth-Type set to LDAP; all other users have an empty value and therefore can not authenticate.

The LDAP module setting Auth-Type to LDAP is a bit of a hack. I understand that you're depending on it, but the behavior may change in the future. It's changed (slightly) in the past, to fix some issues.

It's better to have the policy *explicitly* state what you want.

> I have changed my setup to use files and a users file together with a private radius attribute mapped to an ldap entry

That's reasonable. It's a pretty simple fix to permit an empty ldap.attrmap definition.

> in users I have
>
> DEFAULT user-location == LDN, Auth-Type := Reject
>         Reply-message = You are not allowed to login
>
> DEFAULT Auth-Type := PAM

That should mostly work. In 2.0, it's much easier just to put that directly in a policy in a configuration file.

> Unfortunately that does not work as I never hit the first default statement in users despite having a user-location of LDN. What do I do wrong here ? How can I use an ldap query result to deny/allow access ?

if (%{ldap: stuff... } == bar) {
    ...
}

Alan DeKok.
Re: how to enable ldap during authentication
Tomasz Zieleniewski wrote:
> I didn't set it explicitly. I don't know what caused setting Auth-Type to Local!! But I found my error. The problem was in ldap: I didn't have Auth-Type set in radius and I used old config from docs directory which didn't have set_auth_type parameter.

OK.

> Similar problem: my LDAP server returns hashed passwords instead of plain-text. I added an additional parameter in LDAP which solved the issue.

If you map the hashed password to Password-With-Header, and add the pap module to the authorize section, it should work, too.

Alan DeKok.
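As an added example (not code from this thread or from FreeRADIUS itself), the Python below models why Alan's Password-With-Header advice works and the original Cleartext-Password mapping could not. A value such as {MD5}SNNMxdM+Zfvr//0yEp0DuA== (the one from the debug output above) names its hash scheme in the header, so a PAP check can hash the password the user supplied the same way and compare digests; mapping that same string to Cleartext-Password compares the literal "{MD5}..." text with what the user typed, which fails for every real password. The scheme set ({MD5}, {SMD5}, {SHA}, {SSHA}, clear text) is the common LDAP userPassword layout; the passwords, salt and function names are constructed for this example and are not the module's own API.

```python
import base64
import hashlib
import hmac

# Digest length of each salted scheme: decoded payload is digest || salt
_SALTED_DIGEST_LEN = {"smd5": 16, "ssha": 20}


def parse_password_with_header(stored: str):
    """Split a '{SCHEME}payload' value into (scheme, raw bytes).

    No header, or {clear}/{cleartext}, means clear text. {crypt} carries a
    crypt(3) string and is not modelled here. Every other header is assumed
    to carry a base64 payload, the LDAP userPassword convention.
    """
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        scheme, payload = stored[1:end].lower(), stored[end + 1:]
    else:
        scheme, payload = "cleartext", stored
    if scheme in ("clear", "cleartext"):
        return "cleartext", payload.encode()
    if scheme == "crypt":
        return "crypt", payload.encode()
    return scheme, base64.b64decode(payload, validate=True)


def verify_password_with_header(stored: str, supplied: str) -> bool:
    """Check a supplied PAP password against a stored, header-tagged value.

    This is the shape of what a PAP check does with Password-With-Header:
    hash the supplied password as the header dictates, then compare digests
    in constant time.
    """
    scheme, raw = parse_password_with_header(stored)
    pw = supplied.encode()
    if scheme == "cleartext":
        return hmac.compare_digest(raw, pw)
    if scheme == "md5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "sha":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme in _SALTED_DIGEST_LEN:
        n = _SALTED_DIGEST_LEN[scheme]
        digest, salt = raw[:n], raw[n:]  # the salt is whatever follows the digest
        algo = hashlib.md5 if scheme == "smd5" else hashlib.sha1
        return hmac.compare_digest(digest, algo(pw + salt).digest())
    raise ValueError(f"unsupported password scheme {{{scheme}}}")


def verify_as_cleartext(stored: str, supplied: str) -> bool:
    """What the poster's attrmap effectively asked for: the hashed
    userPassword treated as Cleartext-Password, i.e. a literal string
    comparison of '{MD5}...' against the typed password."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def make_password_with_header(scheme: str, password: str, salt: bytes = b"") -> str:
    """Produce a stored value in the same format; used to build constructed test data."""
    pw = password.encode()
    scheme = scheme.lower()
    if scheme == "cleartext":
        return "{cleartext}" + password
    if scheme == "md5":
        raw = hashlib.md5(pw).digest()
    elif scheme == "sha":
        raw = hashlib.sha1(pw).digest()
    elif scheme == "smd5":
        raw = hashlib.md5(pw + salt).digest() + salt
    elif scheme == "ssha":
        raw = hashlib.sha1(pw + salt).digest() + salt
    else:
        raise ValueError(f"unsupported password scheme {{{scheme}}}")
    return "{" + scheme.upper() + "}" + base64.b64encode(raw).decode()


if __name__ == "__main__":
    from_directory = "{MD5}SNNMxdM+Zfvr//0yEp0DuA=="  # value from the debug output
    print(parse_password_with_header(from_directory)[0])  # md5
    # Constructed entry: with the header honoured the digest comparison succeeds,
    # while a literal string comparison of the same value never can.
    stored = make_password_with_header("ssha", "constructed-secret", b"\x01\x02\x03\x04")
    print(verify_password_with_header(stored, "constructed-secret"))  # True
    print(verify_as_cleartext(stored, "constructed-secret"))          # False
```

The salted forms read the salt off the end of the decoded payload, which is how {SSHA} and {SMD5} values are laid out in directories, and hmac.compare_digest is used for every comparison so the check does not leak digest prefixes through timing.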
certificates in FR 2.0.1 on windows doesnt works
hi to all.

created the certificates with the default config files in FR 2.0.1 with ./bootstrap
created the client certificate with make client

the import of the ca.pem and server.crt in winxp is OK. they link with each-other ok ( ca-server )

the import of client.p12 is ok but it doesn't have a valid link. it is ca-server-client and the details of the server certificate tell that it is not authorized to issue certificates. the client certificate tells that it is issued by the server not by the ca.

the question is: the client certificate should be issued by the server or by the ca? if it's to be issued by the ca then the Makefile in cert dirs have to be modified. in fact after modifying the Makefile and client.cnf and re-importing them in xp then the linkage is ok. ( ca-client )

is this a prob ? or what ?
IP Pool defined, but radius does not hand out an IP address.
When I connect a client to freeradius the client authenticates, gets an accept/accept, but does not get an IP address. I've tried it with the Group and Pool-Name directives in each client's block, and I've tried it with them in a DEFAULT by themselves. Neither has handed out an IP address.

System vitals:

radius:/etc/freeradius# uname -a
Linux radius 2.6.18-5-686 #1 SMP Mon Dec 24 16:41:07 UTC 2007 i686 GNU/Linux
radius:/etc/freeradius# cat /etc/debian_version
4.0
radius:/etc/freeradius# freeradius -v
freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on Dec 16 2006 at 23:48:11

# radtest umcc xx localhost 0 xxx
Sending Access-Request of id 144 to 127.0.0.1 port 1812
        User-Name = umcc
        User-Password = bts10200
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=144, length=44
        Service-Type = Framed-User
        Framed-IP-Netmask = 255.255.255.255
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP

radius.log:
Thu Jan 24 11:20:51 2008 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Thu Jan 24 11:20:51 2008 : Info: Ready to process requests.
Thu Jan 24 11:32:33 2008 : Auth: Login OK: [umcc] (from client localhost-testing port 0)

users:
umcc    User-Password == xx
        Service-Type = Framed-User,
        Framed-IP-Netmask = 255.255.255.255,
        Group == main_pool,
        Pool-Name := main_pool,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobsen-TCP-IP

radiusd.conf (pertinent sections)
ippool main_pool {
        range-start = 208.64.35.2
        range-stop = 208.64.35.254
        netmask = 255.255.255.255
        cache-size = 253
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = yes
        maximum-timeout = 0
}

accounting {
        detail
        unix
        radutmp
        main_pool
}

post-auth {
        main_pool
}
Novice user. Authenticate against Radius Server
Hi guys. I'm a beginner with the Radius protocol. I've been using Linux for a while now, so I hope it doesn't take me too long to catch the idea. Sorry in advance if I make some stupid questions.

Ok, here I go. I'm in a new job. My boss told me that they attempted to setup a Hotspot for free public access. But they want the users to register with us (this is a government office) for usage statistics, accounting, etc. They say the only missing part is a Radius Server where to authenticate the users. The steps are as follows:

1.- The user uses his laptop to access Internet, open the web browser and get a Welcome Page, where they have to login
2.- When they give user and password, the access point verifies it against a Radius Server, just for access statistics purposes.
3.- If it's a valid user, he/she can have access to Internet.

Some sort of that is the idea. Nothing sophisticated, only that users must be registered.

Can anyone point me to the right path ??

Thanks in advance...

German Anguiano B.
Re: Novice user. Authenticate against Radius Server
German Anguiano Bayardo wrote:
> They say the only missing part is a Radius Server where to authenticate the users. The steps are as follows:
>
> 1.- The user uses his laptop to access Internet, open the web browser and get a Welcome Page, where they have to login
> 2.- When they give user and password, the access point verifies it against a Radius Server, just for access statistics purposes.
> 3.- If it's a valid user, he/she can have access to Internet.
...
> Can anyone point me to the right path ??

You want a captive portal, like http://coova.org/wiki/index.php/CoovaChilli

Once that's set up, a RADIUS server should be relatively easy. Install, follow the docs...

Alan DeKok.
Re: Novice user. Authenticate against Radius Server
wiki.freeradius.org

a little bit slow actually.

On 24/01/2008, German Anguiano Bayardo [EMAIL PROTECTED] wrote:
> Hi guys. I'm a beginner with the Radius protocol. I've been using Linux for a while now, so I hope it doesn't take me too long to catch the idea. Sorry in advance if I make some stupid questions.
>
> Ok, here I go. I'm in a new job. My boss told me that they attempted to setup a Hotspot for free public access. But they want the users to register with us (this is a government office) for usage statistics, accounting, etc. They say the only missing part is a Radius Server where to authenticate the users. The steps are as follows:
>
> 1.- The user uses his laptop to access Internet, open the web browser and get a Welcome Page, where they have to login
> 2.- When they give user and password, the access point verifies it against a Radius Server, just for access statistics purposes.
> 3.- If it's a valid user, he/she can have access to Internet.
>
> Some sort of that is the idea. Nothing sophisticated, only that users must be registered.
>
> Can anyone point me to the right path ??
>
> Thanks in advance...
>
> German Anguiano B.
Re: IP Pool defined, but radius does not hand out an IP address.
On Thursday 24 January 2008 13:10:09 Alan DeKok wrote:
> And with all of the information you posted, you didn't include the most important, which is requested in the FAQ, README, INSTALL, man page, and daily on this list: radiusd -X.
>
> Is there some other place in the documentation where this should be suggested?
>
> Alan DeKok.

Big red letters on the front page of the website.

Or below the subscribe/unsubscribe line in the footer of every message. =)

-Kevin
Re: IP Pool defined, but radius does not hand out an IP address.
Alan DeKok wrote:
> Andrew D Kirch wrote:
>> When I connect a client to freeradius the client authenticates, gets an accept/accept, but does not get an IP address. I've tried it with the Group and Pool-Name directives in each client's block, and I've tried it with them in a DEFAULT by themselves. Neither has handed out an IP address.
> ...
>> radius:/etc/freeradius# freeradius -v
>> freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on Dec 16 2006 at 23:48:11
>
> You should upgrade to at least 1.1.6, maybe 2.0.1
>
> And with all of the information you posted, you didn't include the most important, which is requested in the FAQ, README, INSTALL, man page, and daily on this list: radiusd -X.
>
> Is there some other place in the documentation where this should be suggested?
>
> Alan DeKok.

You might try putting it at the top of radiusd.conf, everyone's eventually going to see that. Because I use Debian the others are packaged and abstracted away. I used the Freeradius wiki quite a bit as well, and perhaps it could be more visible there too. In fact I think this might be an honorable use of the blink element as I was able to use the freeradius -X output to immediately debug my problem.

Thank you for the help.

Andrew
Re: IP Pool defined, but radius does not hand out an IP address.
It's all in black and white:

  # for different users.  The Pool-Name attribute is a *check* item not
  # a reply item.
  #
  # Example:
  # radiusd.conf: ippool students { [...] }
  # users file  : DEFAULT Group == students, Pool-Name := students
  #

Yet, you have put it as a reply item.

Ivan Kalik
Kalik Informatika ISP

On 24/1/2008, Andrew D Kirch [EMAIL PROTECTED] wrote:
> When I connect a client to freeradius the client authenticates, gets an accept/accept, but does not get an IP address. I've tried it with the Group and Pool-Name directives in each client's block, and I've tried it with them in a DEFAULT by themselves. Neither has handed out an IP address.
>
> System vitals:
>
> radius:/etc/freeradius# uname -a
> Linux radius 2.6.18-5-686 #1 SMP Mon Dec 24 16:41:07 UTC 2007 i686 GNU/Linux
> radius:/etc/freeradius# cat /etc/debian_version
> 4.0
> radius:/etc/freeradius# freeradius -v
> freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on Dec 16 2006 at 23:48:11
>
> # radtest umcc xx localhost 0 xxx
> Sending Access-Request of id 144 to 127.0.0.1 port 1812
>         User-Name = umcc
>         User-Password = bts10200
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 0
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=144, length=44
>         Service-Type = Framed-User
>         Framed-IP-Netmask = 255.255.255.255
>         Framed-Protocol = PPP
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> radius.log:
> Thu Jan 24 11:20:51 2008 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Thu Jan 24 11:20:51 2008 : Info: Ready to process requests.
> Thu Jan 24 11:32:33 2008 : Auth: Login OK: [umcc] (from client localhost-testing port 0)
>
> users:
> umcc    User-Password == xx
>         Service-Type = Framed-User,
>         Framed-IP-Netmask = 255.255.255.255,
>         Group == main_pool,
>         Pool-Name := main_pool,
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> radiusd.conf (pertinent sections)
> ippool main_pool {
>         range-start = 208.64.35.2
>         range-stop = 208.64.35.254
>         netmask = 255.255.255.255
>         cache-size = 253
>         session-db = ${raddbdir}/db.ippool
>         ip-index = ${raddbdir}/db.ipindex
>         override = yes
>         maximum-timeout = 0
> }
>
> accounting {
>         detail
>         unix
>         radutmp
>         main_pool
> }
>
> post-auth {
>         main_pool
> }
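A worked users entry, added here as an illustration and not part of the thread, showing the posted entry (Pool-Name in the reply list) beside the corrected form with Pool-Name as a check item. It assumes the ippool instance is still named main_pool and is listed in post-auth as in the post; rlm_ippool looks for Pool-Name among the request's check (config) items and does nothing when it finds none. The Group check item is evaluated by rlm_unix against /etc/group, so the DEFAULT entry at the end only matches users who are in that Unix group.

```text
# Added example, not from the thread.  The entry as posted: Group and
# Pool-Name sit on the continuation lines, i.e. in the *reply* list, so
# rlm_ippool never sees a Pool-Name check item and returns noop.  The
# Access-Accept still goes out, just without a Framed-IP-Address.
#
# umcc    User-Password == xx
#         Service-Type = Framed-User,
#         Framed-IP-Netmask = 255.255.255.255,
#         Group == main_pool,
#         Pool-Name := main_pool,
#         Framed-Protocol = PPP,
#         Framed-Compression = Van-Jacobson-TCP-IP

# Corrected: check items on the first line, comma separated; reply items on
# the continuation lines.  "main_pool" must match the ippool instance name
# in radiusd.conf ("ippool main_pool { ... }"), and main_pool must be called
# from post-auth so it can add Framed-IP-Address to the reply.
umcc    User-Password == "xx", Pool-Name := "main_pool"
        Service-Type = Framed-User,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

# The same for every member of a Unix group, which is the pattern the
# radiusd.conf comment shows.  Group is a check item (rlm_unix, /etc/group),
# so it also belongs on the first line.
DEFAULT Group == "main_pool", Pool-Name := "main_pool"
        Service-Type = Framed-User,
        Framed-Protocol = PPP
```

With the corrected entry, radiusd -X shows rlm_ippool allocating an address from the range in post-auth and the Access-Accept carries a Framed-IP-Address; with the posted entry the same debug output shows rlm_ippool returning noop, which is the quickest way to tell the two apart.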
Re: one RADIUS server per realm setup
Hi,

I'm the guy that's trying to kinda duplicate eduroam, if you remember - I had an outdated server and Alan recommended I update to v2.0.1, which I have now done.

I've gotten this working (after updating my server and building freeradius packages for it) - in 2.0.1, when I uncommented the IPASS option in the authorize section, which says:

  # Look for IPASS style 'realm/', and if not found, look for
  # '@realm', and decide whether or not to proxy, based on
  # that.

which is exactly what I wanted, and it seems to do what I want now - when it finds a non-local realm, it no longer tries to authorize locally. Good. Everything is peachy.

However... question. It says in radiusd.conf:

  # Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG.  We
  # really can't emphasize this enough.

Uh. OK. That's exactly what I'm doing, and it's working :) I'm only doing it because I wanted to reject or accept local users based on groups, so I have the following in radiusd.conf:

  groupname_attribute = gidNumber
  groupmembership_filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name}))"

and then the following in users:

  # Allow Students
  DEFAULT Ldap-Group == 200, Auth-Type := LDAP
  # ...and Staff
  DEFAULT Ldap-Group == 250, Auth-Type := LDAP
  # ...and Faculty
  DEFAULT Ldap-Group == 300, Auth-Type := LDAP
  # ...and nobody else!
  DEFAULT Auth-Type := Reject
          Reply-Message = "Only current faculty, staff or students are allowed to log in."

It seems to do what I want. We don't store the group name in the LDAP user entry, so I'm using the gid, which works fine. However, is there a better way to do this that I'm not understanding? Why shouldn't I set Auth-Type := LDAP ?

Thanks so much! I'm just trying to pay attention to the documentation, which tells me very strongly not to do exactly what I'm doing, even though it really seems to work.

-Josiah

[EMAIL PROTECTED] wrote:
> Hi,
>
> > 1. Proxy authorization as well - it's not clear how to do this. Can you?
> > I'd really just like to forward the entire request elsewhere, before anything else happens, so I'd like to check the realm FIRST, and not do anything if it's not a local realm.
>
> yes, that's exactly what you do proxy stuff for - you'll define your local realm, and null realm etc. you then define the realms and the RADIUS server address for each of those realms. the requests then get proxied to the remote systems. it's similar to what we do with eduroam in Europe - and myself with JRS (the 'UK side' of eduroam) - http://www.ja.net/roaming
>
> > I'm currently using freeradius 1.0.2, but I can upgrade if I need to.
>
> definitely upgrade - 2.0.1 the proxy stuff is soo much better (failovers, dead timers, status requests etc)
>
> alan

--
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091
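An added example, not from the thread, of the same gidNumber-based rule set without forcing Auth-Type. It assumes the ldap module is listed in both the authorize and authenticate sections and that set_auth_type is left at its default of yes. Under that assumption rlm_ldap decides for itself during authorize: if it could read a password attribute for the user it adds that as a check item and the server verifies the password itself, otherwise, for a request carrying User-Password, it sets Auth-Type = LDAP and authenticates by binding to the directory as the user. A forced Auth-Type := LDAP short-circuits that and binds for every user, which can only ever work for PAP, since a CHAP or MS-CHAP request carries no cleartext password to bind with.

```text
# Added example, not from the thread.

# radiusd.conf, inside ldap { ... }, as in the post.  The '&' is what makes
# this an AND filter; without it the directory rejects the search.
#   groupname_attribute = gidNumber
#   groupmembership_filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name}))"

# users
#
# Students, staff and faculty may log in.  No Auth-Type is set here: the
# ldap module (set_auth_type = yes, the default) sets Auth-Type = LDAP only
# when it found no password it could hand to the server, so users whose
# userPassword is readable are checked by the server and everyone else is
# checked by an LDAP bind.  A matching entry without Fall-Through stops
# processing of the file, so the Reject entry below is never reached for them.
DEFAULT Ldap-Group == 200
DEFAULT Ldap-Group == 250
DEFAULT Ldap-Group == 300

# ...and nobody else.  Reached only when none of the group entries matched.
DEFAULT Auth-Type := Reject
        Reply-Message = "Only current faculty, staff or students are allowed to log in."
```

The group check itself is unchanged from the post: each Ldap-Group == comparison runs groupmembership_filter against the directory and compares gidNumber with the value given, so the reject-by-default behaviour is preserved; only the choice of authentication method is left to the module and the type of request.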
Question about forum
I saw that the freeradius project has its own chat channel, but what about a forum? I read all emails in this list and some of these mails should be available on some kind of forum so we can share experience. What do you think?
Re: unlang question
Thanks Alan,

Looking into it more, what I really need to do is take a list of existing usernames and proxy them to an external server, but allow other usernames with the same format to be handled by a virtual server in the FreeRADIUS box. The list can be in a database or a text file or hard-coded into a script; it's fairly short. New usernames can be handled as a different realm no problem, but some of the existing ones have to be proxied also; we're having to delegate admin of them to a customer.

Any thoughts - things to watch out for or that might help?

Andy

On 23/01/2008, Alan DeKok [EMAIL PROTECTED] wrote:
> Andy Billington wrote:
> > hi all, am looking at whether to migrate to 2.0 to create a couple of possibilities and was wondering if I can:
> > 1. create a main virtual server
> > 2. use unlang to parse the incoming requests and then based on whether they match a regex, proxy them to different virtual servers or to an external 3rd party RADIUS?
>
> Yes. That's one of my test cases.
>
> The only issue is that you *will* have to proxy them. i.e. set up a client of 127.0.0.1, set up different listen sections for each virtual server, and set up those listen sections as home servers.
>
> The code does not currently have a way to re-direct requests to a virtual server.
>
> Alan DeKok.
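The layout Alan describes (a loopback client, a listen section per virtual server, those listen sections as home servers) as an added configuration example for 2.0; it is not taken from the thread or from the FreeRADIUS distribution. The module instance delegated, the file delegated_users, the virtual server customer_vs, the realm names, the 192.0.2.10 address, port 18120 and the secrets are placeholders. The short list of delegated names is kept in a second users-style file, which matches Andy's "text file" option; the regex only decides what happens to the remaining names in that format.

```text
# Added example, not from the thread.

# --- raddb/modules/delegated  (a second instance of the files module) ---
files delegated {
        usersfile = ${confdir}/delegated_users
}

# --- raddb/delegated_users  (the names being handed over to the customer) ---
# Proxy-To-Realm is a check item; each realm named here must exist in proxy.conf.
alice@example.com       Proxy-To-Realm := "customer"
bob@example.com         Proxy-To-Realm := "customer"

# --- raddb/sites-enabled/default, authorize section ---
authorize {
        preprocess
        # 1. names on the delegated list are marked for the customer's server
        delegated
        # 2. every other name in the same format stays on this box, but in a
        #    separate virtual server; the only way to reach it is to proxy to
        #    a listen section of our own, so mark those for the loopback realm
        if ("%{control:Proxy-To-Realm}" == "" && (User-Name =~ /^[a-z0-9.]+@example\.com$/)) {
                update control {
                        Proxy-To-Realm := "local-vs"
                }
        }
        files
        pap
}

# --- raddb/proxy.conf ---
home_server customer_radius {
        type = auth
        ipaddr = 192.0.2.10
        port = 1812
        secret = customersecret
}
home_server_pool customer_pool {
        type = fail-over
        home_server = customer_radius
}
realm customer {
        auth_pool = customer_pool
        nostrip                 # the customer expects the full user@example.com
}

home_server local_vs {
        type = auth
        ipaddr = 127.0.0.1
        port = 18120
        secret = loopbacksecret
}
home_server_pool local_vs_pool {
        type = fail-over
        home_server = local_vs
}
realm local-vs {
        auth_pool = local_vs_pool
        nostrip
}

# --- raddb/clients.conf  (the server must accept its own proxied packets) ---
client localhost {
        ipaddr = 127.0.0.1
        secret = loopbacksecret
}

# --- raddb/sites-enabled/customer_vs  (the second virtual server) ---
listen {
        type = auth
        ipaddr = 127.0.0.1
        port = 18120
        virtual_server = customer_vs
}
server customer_vs {
        authorize {
                preprocess
                files
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
        }
}
```

Two things to watch, both visible in radiusd -X: the loopback home server must be marked alive (a wrong secret in clients.conf shows up as requests to 127.0.0.1 timing out rather than as a rejection), and nothing in the customer_vs authorize section may set Proxy-To-Realm again, or the same request is proxied back to the default server in a loop.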
Re: Question about forum
There is a history of this mailing list, but searching for something is a nightmare. IMHO a forum would be great for that.

Sent from my BlackBerry® wireless device

-----Original Message-----
From: Marinko Tarlac [EMAIL PROTECTED]
Date: Thu, 24 Jan 2008 22:14:23
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Question about forum

I saw that the freeradius project has its own chat channel, but what about a forum? I read all emails in this list and some of these mails should be available on some kind of forum so we can share experience. What do you think?
Re: Blank spaces after username - problem with accounting -MySqldatabase.
It is solved now. I deleted FR .4 and migrated to .7 with a fresh clean install. I didn't use the old files.

Thanks

[EMAIL PROTECTED] wrote:
> Hi,
>
> > Please don't be angry. I'm trying to fix this issue because it works perfectly on FR1.1.7
>
> if you've copied the config files direct from 1.1.7 to a 2.0.0 system then there will be quirks.
>
> where's the full debug log?
>
> alan
Re: IP Pool defined, but radius does not hand out an IP address.
Andrew D Kirch wrote:
> When I connect a client to freeradius the client authenticates, gets an accept/accept, but does not get an IP address. I've tried it with the Group and Pool-Name directives in each client's block, and I've tried it with them in a DEFAULT by themselves. Neither has handed out an IP address.
...
> radius:/etc/freeradius# freeradius -v
> freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on Dec 16 2006 at 23:48:11

You should upgrade to at least 1.1.6, maybe 2.0.1

And with all of the information you posted, you didn't include the most important, which is requested in the FAQ, README, INSTALL, man page, and daily on this list: radiusd -X.

Is there some other place in the documentation where this should be suggested?

Alan DeKok.
Re: Question about forum
On Jan 24, 2008 3:14 PM, Marinko Tarlac [EMAIL PROTECTED] wrote:
> I saw that the freeradius project has its own chat channel, but what about a forum? I read all emails in this list and some of these mails should be available on some kind of forum so we can share experience. What do you think?

What's wrong with sharing your experiences with the list? Adding a forum will be just another place I'll have to check to get my FreeRADIUS fix.

--
Nicholas Hall [EMAIL PROTECTED]
UserName, Password + MAC authentication using Cisco's BBSM 5.3
Hello,

I'm using the Freeradius 1.1.17 version with Cisco's BBSM, with a MySQL database too. I'm storing usernames and passwords in the mysql db. For now, authentication is OK. I want to check the MAC address of users while they are authenticating. In my radcheck table:

  | id | UserName | Attribute          | op | Value             |
  +----+----------+--------------------+----+-------------------+
  |  3 | java     | Password           | == | password          |
  | 18 | java     | Calling-Station-Id | == | aa-bb-cc-dd-ee-ff |

Also, BBSM's snmp is enabled, so I can get users' MAC addresses. I want the Radius server to check username, password and MAC address at the same time when the user authenticates. Without Calling-Station-Id, authentication is OK. When I add Calling-Station-Id, the user cannot authenticate. In which table do I enter this attribute?

Also I cannot close or deactivate a user session when I want to. When I remove it from the BBSM MySQL db, the session is still open. Or can I put an expiration time at every 03 o'clock?

Could someone help me about these?