Re: how to enable ldap during authentication

2008-01-24 Thread Tomasz Zieleniewski
Hi

Still something is wrong.

I have the following authorize section:
authorize {
preprocess

auth_req_log

suffix

sql

ldap

}

I tried such authenticate sections:
authenticate {

Auth-Type LDAP {
ldap
}

Auth-Type Digest {
digest
}

Auth-Type PAP {
pap
}
}

authenticate {

   ldap
}

all the time I receive failed authentication,
what do I miss here?

Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: - authorize
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: performing user authorization
for tzl
Thu Jan 24 09:40:35 2008 : Debug: expand: ([EMAIL PROTECTED]) - (mail=
[EMAIL PROTECTED])
Thu Jan 24 09:40:35 2008 : Debug: expand:
ou=Touki,ou=People,dc=touk,dc=pl - ou=Touki,ou=People,dc=touk,dc=pl
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: performing search in
ou=Touki,ou=People,dc=touk,dc=pl, with filter ([EMAIL PROTECTED])
request 5 done
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: Added User-Password =
{MD5}SNNMxdM+Zfvr//0yEp0DuA== in check items
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: looking for check items in
directory...
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: LDAP attribute userPassword as
RADIUS attribute Cleartext-Password == {MD5}SNNMxdM+Zfvr//0yEp0DuA==
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: looking for reply items in
directory...
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: user tzl authorized to use
remote access
Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Jan 24 09:40:35 2008 : Debug:   modsingle[authorize]: returned from ldap
(rlm_ldap) for request 3
Thu Jan 24 09:40:35 2008 : Debug: ++[ldap] returns ok
Thu Jan 24 09:40:35 2008 : Debug: auth: type Local
Thu Jan 24 09:40:35 2008 : Debug: auth: user supplied User-Password does NOT
match local User-Password
Thu Jan 24 09:40:35 2008 : Debug: auth: Failed to validate the user.
Thu Jan 24 09:40:35 2008 : Auth: Login incorrect: [tzl/somepass] (from
client localhost port 0)
Thu Jan 24 09:40:35 2008 : Debug:   Found Post-Auth-Type Reject
Thu Jan 24 09:40:35 2008 : Debug: +- entering group REJECT
Thu Jan 24 09:40:35 2008 : Debug:   modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter) for request 3
Thu Jan 24 09:40:35 2008 : Debug: expand: %{User-Name} - tzl
Thu Jan 24 09:40:35 2008 : Debug:  attr_filter: Matched entry DEFAULT at
line 11
Thu Jan 24 09:40:35 2008 : Debug:   modsingle[post-auth]: returned from
attr_filter.access_reject (rlm_attr_filter) for request 3
Thu Jan 24 09:40:35 2008 : Debug: ++[attr_filter.access_reject] returns
updated

regards
tomasz

2008/1/23 [EMAIL PROTECTED]:

 Uncomment ldap in authenticate section.

 Ivan Kalik
 Kalik Informatika ISP


 Dana 23/1/2008, Tomasz Zieleniewski [EMAIL PROTECTED] piše:

 Hi,
 
 I am using version 2.0.2-pre
 I would like to use ldap for freeradius authentication.
 I couldn't find anything on web about this topic.
 I have ldap module in the authorize section in my default virtual server.
 I see in the debug that  ldap module returns ok during authorization
 please point me what do I have to do to use ldap also for authentication
 
 is it enough to put ldap invocation in authentication section?
 below debug from authorization
 
 thanks a lot for any help!
 regards
 -tomasz
 
 rlm_ldap: waiting for bind result ...
 request 1 done
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=Touki,ou=People,dc=touk,dc=pl, with
 filter
 ([EMAIL PROTECTED])
 request 2 done
 rlm_ldap: Added User-Password = {MD5}SNNMxdM+Zfvr//0yEp0DuA== in check
 items
 rlm_ldap: looking for check items in directory...
 rlm_ldap: LDAP attribute userPassword as RADIUS attribute
 Cleartext-Password
 == {MD5}SNNMxdM+Zfvr//0yEp0DuA==
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user tzl authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
 
 

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


Re: SNMP error

2008-01-24 Thread Amr el-Saeed

i have OS RHEL5

Amr el-Saeed wrote:

Hi Alan,

yes, i'm sure
i added the option in the SPEC file and then build the RPM

and about the second issue, I didn't have a debugging kernel but I 
got one, installed it and booted with it, and got the same output !!


Any ideas ??

thanks for help

(gdb) set logging file gdb-radiusd.log
(gdb) set logging on
Copying output to gdb-radiusd.log.
(gdb) run
Starting program: /usr/sbin/radiusd
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 46912546236704 (LWP 5584)]
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Wed Jan 23 15:46:53 2008 : Info: Starting - reading configuration 
files ...

(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program exited normally.
(gdb)




[EMAIL PROTECTED] wrote:

Hi,

 

i followed the bugs file.
i recompiled the freeradius  with   --enable-developer actually  i 
made RPM file  with   (  rpmbuild -ta freeradius-1.1.7.tar.gz )



are you SURE that this worked fine - as if you used the standard
SPEC then you wouldn't enable the developer stuff.

 

(no debugging symbols found)



you also need to ensure your kernel is built with debugging support

alan



Re: how to enable ldap during authentication

2008-01-24 Thread Alan DeKok
Tomasz Zieleniewski wrote:
 Still something is wrong.
 
 I have the following authorize section:
...

  In which the default configuration has been massively changed.

  I'm not sure where else to document this: If you are not clear on how
the server works, then DO NOT CHANGE THE DEFAULT CONFIGURATION.

  If the configuration you've created doesn't work, then it's clear that
there's something missing.  In that case, follow the instructions in the
man page for how to create a working configuration.
...
 Thu Jan 24 09:40:35 2008 : Debug: ++[ldap] returns ok
 Thu Jan 24 09:40:35 2008 : Debug: auth: type Local

  Something in your local changes has set Auth-Type := Local.

  Can you please explain WHY you're doing that, WHERE you found
documentation saying that it was a good idea, and WHAT you think it's doing?

  The documentation that comes with 2.0 tries very hard to explain that
setting Auth-Type is almost always wrong.  Is there somewhere else we
need to document this?

  In addition, you're mapping a hashed password to a clear-text password:

 Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: LDAP attribute
userPassword as RADIUS attribute Cleartext-Password ==
{MD5}SNNMxdM+Zfvr//0yEp0DuA==

  Again, this is NOT in the default configuration, and WILL NOT WORK.

  Start off with the default configuration.   Configure the ldap
module, and un-comment it from the authorize section.  Your tests
SHOULD work.

  Alan DeKok.


Unsubscribe

2008-01-24 Thread Rakesh Jha
Unsubscribe.

Thanks,


Re: Don't work freeradius with MySQL.

2008-01-24 Thread A . L . M . Buxey
hi,

turn on the SQL debug logging in FreeRADIUS and see
what the output of the SQl was

alan


Re: Don't work freeradius with MySQL.

2008-01-24 Thread tnt
rad_recv: Access-Request packet from host 192.168.1.7:1119, id=0, length=44
User-Name = fred
User-Password = wilma
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = fred, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
==radius_xlat:  '' ##
  modcall[authorize]: module sql returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0

OK. You have done something to radiusd.conf and broken the configuration.
Username should appear in there. Go back to the default configuration,
only uncomment sql entries and try again.

Ivan Kalik
Kalik Informatika ISP



Re: extract different field from ldap on nas's ip address base

2008-01-24 Thread arjuna
  Is it possible to extract (to filter) different field in a ldap entry on
 the base of the nas ip address?

ok i've found out this old thread

http://lists.cistron.nl/pipermail/freeradius-users/2004-December/039132.html

and it was really useful, but I still have problems making the rule in the
users file match the packet

can someone tell me where to find out a guide, tutorial, README about the
fields i can use in the rules inside users file?

thanks,
arjuna


Re: SNMP error

2008-01-24 Thread A . L . M . Buxey
Hi,
 i have OS RHEL5

it looks like it didn't build with the required debug parts - once
again, as you are using the SPEC for your distro they could have other
things that mess it up - I can only help if you build
from the source and leave package management stuff alone.

alan


Re: EXAMPLE: unlang removing attribute inside a test

2008-01-24 Thread Mike O'Connor

Hi Alan

The documentation does not mention these options so I assume that you 
mean it would need writing ?



  One option is to add more filtering operators.  e.g. -~, meaning
regex match, and remove.  Or perhaps a better way, is to add a
filter section:

filter request { # filter out attributes matching the following
  Foo =~ /bar/   #  remove by regex
}

  Also, adding a require section may be useful, too:

require request {   # filter out attributes NOT matching 
Foo =~ /bar/
}
  


As I have not written much C code in 15 years, it's going to take me 
a while to work that one out.


Cheers
Mike


Re: extract different field from ldap on nas's ip address base

2008-01-24 Thread tnt
Look at the freeradius dictionaries. All of those.

Ivan Kalik
Kalik Informatika ISP


Dana 24/1/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] piše:

  Is it possible to extract (to filter) different field in a ldap entry on
 the base of the nas ip address?

ok i've found out this old thread

http://lists.cistron.nl/pipermail/freeradius-users/2004-December/039132.html

and it was really useful, but I still have problems making the rule in the
users file match the packet

can someone tell me where to find out a guide, tutorial, README about the
fields i can use in the rules inside users file?

thanks,
arjuna


RE: unlang? - reject unknown?

2008-01-24 Thread Dean, Barry
  man unlang.  Look for case-insensitive.  In this case, you would
 delete that users file entry, and use unlang
  authorize {
   ...
   if (%{User-Name} =~ /special/i) {
   update reply {
   Reply-Message = Cannot use this user account
   reject
   }
   }
   ...
 That should work.

I added this to the authorize section of radiusd.conf just after preprocess 
and before auth_log and it gives the error:

radiusd.conf[1810]: ERROR: Unknown attribute reject
radiusd.conf[1808]: Failed to parse update subsection.
radiusd.conf[1788]: Errors parsing authorize section.

Have I messed up here by misunderstanding you completely! 



Re: EXAMPLE: unlang removing attribute inside a test

2008-01-24 Thread Alan DeKok
Mike O'Connor wrote:
 The documentation does not mention these options so I assume that you
 mean it would need writing ?

  Yes.

  Alan DeKok.


Re: unlang? - reject unknown?

2008-01-24 Thread Alan DeKok
Dean, Barry wrote:
 I added this to the authorize section of radiusd.conf just after 
 preprocess and before auth_log and it gives the error:
 
 radiusd.conf[1810]: ERROR: Unknown attribute reject
 radiusd.conf[1808]: Failed to parse update subsection.
 radiusd.conf[1788]: Errors parsing authorize section.
 
 Have I messed up here by misunderstanding you completely! 

  Nope.  It should be:

  if (...) {
update reply {
Reply-Message := ...
}
reject
  }

  Alan DeKok.


Re: Re: Problem with Vista EAP-PEAP Authentication

2008-01-24 Thread debug afone
Hi All, 

 

I solved this problem using cert gen tools from 2.0.1 version of FreeRadius,
as advised by Alan.

 

Sending Access-Accept of id 108 to 10.40.0.114 port 1073

User-Name = LDAPAFONE\\nsouleman

MS-MPPE-Recv-Key =
0x98a6ba5cb9a9a972244128a592224d932a0350aaf8d4dda665a7472e4479c0b7

MS-MPPE-Send-Key =
0x07405f0d8af6adda158c16a0dbb2581c9be219dcf251fc9c8d74bb8c2498edb4

EAP-Message = 0x03090004

Message-Authenticator = 0x

 

Thanks, problem Solved.

 

Nicolas SOULEMAN.


Re: Force Auth-Type

2008-01-24 Thread Markus Moeller


Alan DeKok [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]

Markus Moeller wrote:
I am new to freeradius and try to authenticate users with pam and 
authorize

with ldap groups.  I  try to find a minimal configuration but have some
problems forcing the Auth-Type to be PAM.


 You are aware that this will make EAP and many other authentication
methods impossible?


That is not my requirement right now


...

authorize {
   auth_log
   ldap
}


 You can add the following just after ldap:

update control {
Auth-Type := PAM
}



Only if I set  set_auth_type = yes in radiusd.conf for ldap and change
authorize in default to:
 Auth-Type LDAP {
  pam
}




That was the only way I could get it to work. If I use update control 
anybody can login, whereas in my setup only a user who exists in ldap gets 
Auth-Type set to LDAP; all other users have an empty value and therefore can 
not authenticate.



 Please don't do that.


Is there also a way to disable the use of the ldap.attribute mapping as I
really don't need it ?


 You'll have to edit the source code.



I have changed my setup to use files and a users file together with a 
private radius attribute mapped to an ldap entry. e.g.

dictionary has:
Attribute user-location 3000 string

ldap.attrmap:
checkitem user-location office-address

in users I have
DEFAULT user-location == LDN, Auth-Type := Reject
   Reply-Message = "You are not allowed to login"
DEFAULT Auth-Type := PAM

in site-enabled/default I have
authorize {
ldap
files
}
authenticate {
pam
}

Unfortunately that does not work as I never hit the first default statement 
in users despite having a user-location of LDN. What do I do wrong here ? 
How can I use an ldap query result to deny/allow access ?



 Alan DeKok.



Thank you
Markus 





Re: SNMP error

2008-01-24 Thread John Dennis

Amr el-Saeed wrote:

i have OS RHEL5



yes, i'm sure
i added the option in the SPEC file and then build the RPM


and about the second issue, I didn't have a debugging kernel but I 
got one, installed it and booted with it, and got the same output !!



made RPM file  with   (  rpmbuild -ta freeradius-1.1.7.tar.gz )


rpmbuild creates a separate package with the debugging information. You 
need to install the debuginfo rpm which was created in addition to the 
other rpms it created to get the debugging symbols, etc.


I doubt you'll need a kernel with debugging.
--
John Dennis [EMAIL PROTECTED]


simple Ldap-group search

2008-01-24 Thread cxu
Background:

 

When a user associated with the ssid Guest, the user will authenticate
against a FreeRadius server.  If he has a university account, the FreeRadius
server will authenticate him via LDAP.  If he does not have a university
account, the FreeRadius server will do the authentication with a guest
account database.

 

 

Goal:

 

To reduce the chance to do the LDAP search, the LDAP-group search is
successful if the user is in the LDAP and no matter which LDAP group he is
in.

 

 

My shot and the problem:

 

I am trying to do a wildcard search in LDAP-Group search, but it looks like
the wildcard could not work.

 

Related entries in the file users,

 

omitted

 

DEFAULT Called-Station-Id =~ ".*Guest", myldap-Ldap-Group == "*", Autz-Type := Ldap1, Auth-Type := Ldap1

 

DEFAULT Called-Station-Id =~ ".*Guest", Group == guest, Autz-Type := Web, Auth-Type := System

 

omitted

 

 

Debug output,

 

output omitted

 

rlm_ldap: performing search in ou=people,dc=myuniv,dc=ca, with filter
(&(cn=*)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=

 

output omitted

 

rlm_ldap::groupcmp: Group * not found or user not a member

rlm_ldap: ldap_release_conn: Release Id: 0

++[files] returns noop

rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.

++[pap] returns noop

auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user

auth: Failed to validate the user.

Login incorrect: [cxu] (from client localhost port 0)

Delaying reject of request 0 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 0

 

Questions:

 

1.  Is there any way to make the wildcard LDAP-group search work?
2.  Whether unlang could be applied here and how?
3.  Any advice?

 

Thanks!

 

Andrew

 


Re: how to enable ldap during authentication

2008-01-24 Thread Tomasz Zieleniewski
On Jan 24, 2008 9:59 AM, Alan DeKok [EMAIL PROTECTED] wrote:

 Tomasz Zieleniewski wrote:
  Still something is wrong.
 
  I have the following authorize section:
 ...

  In which the default configuration has been massively changed.

  I'm not sure where else to document this: If you are not clear on how
 the server works, then DO NOT CHANGE THE DEFAULT CONFIGURATION.

  If the configuration you've created doesn't work, then it's clear that
 there's something missing.  In that case, follow the instructions in the
 man page for how to create a working configuration.
 ...
  Thu Jan 24 09:40:35 2008 : Debug: ++[ldap] returns ok
  Thu Jan 24 09:40:35 2008 : Debug: auth: type Local

  Something in your local changes has set Auth-Type := Local.


I didn't set it explicit. I don't know what caused setting Auth-Type to
Local!!
But I found my error. The problem was in ldap
I didn't have Auth-Type Set in radius and I used old config from docs
directory which didn't have set_auth_type parameter.



  Can you please explain WHY you're doing that, WHERE you found
 documentation saying that it was a good idea, and WHAT you think it's
 doing?

  The documentation that comes with 2.0 tries very hard to explain that
 setting Auth-Type is almost always wrong.  Is there somewhere else we
 need to document this?

  In addition, you're mapping a hashed password to a clear-text password:

  Thu Jan 24 09:40:35 2008 : Debug: rlm_ldap: LDAP attribute
 userPassword as RADIUS attribute Cleartext-Password ==
 {MD5}SNNMxdM+Zfvr//0yEp0DuA==

  Again, this is NOT in the default configuration, and WILL NOT WORK.


Similar problem my LDAP server return hashed passwords instead of plain-text
i added additional parameter in LDAP which solved the issue.



  Start off with the default configuration.   Configure the ldap
 module, and un-comment it from the authorize section.  Your tests
 SHOULD work.

  Alan DeKok.

Re: Project site down

2008-01-24 Thread Peter Nixon
On Wed 23 Jan 2008, Frank Büttner wrote:
 Hello,
 can it be, that the site is down?

Unfortunately apache is getting stuck for some reason. I am still trying to 
figure out why. Sorry for the bumps.

-- 

Peter Nixon
http://peternixon.net/



Re: Force Auth-Type

2008-01-24 Thread Alan DeKok
Markus Moeller wrote:
 That was the only way I could get it to work. If I use update control
 anybody can login, whereas in my setup only a user who exists in ldap gets
 Auth-Type set to LDAP; all other users have an empty value and therefore
 can not authenticate.

  The LDAP module setting Auth-Type to LDAP is a bit of a hack.  I
understand that you're depending on it, but the behavior may change in
the future.  It's changed (slightly) in the past, to fix some issues.

  It's better to have the policy *explicitly* state what you want.

 I have changed my setup to use files and a users file together with a
 private radius attribute mapped to an ldap entry

  That's reasonable.  It's a pretty simple fix to permit an empty
ldap.attrmap definition.

 in users I have
 DEFAULT user-location == LDN, Auth-Type := Reject
    Reply-Message = "You are not allowed to login"
 DEFAULT Auth-Type := PAM

  That should mostly work.  In 2.0, it's much easier just to put that
directly in a policy in a configuration file.

 Unfortunately that does not work as I never hit the first default
 statement in users despite having a user-location of LDN. What do I do
 wrong here ? How can I use an ldap query result to deny/allow access ?

  if (%{ldap: stuff... } == bar) {
...
  }

  Alan DeKok.


Re: how to enable ldap during authentication

2008-01-24 Thread Alan DeKok
Tomasz Zieleniewski wrote:
 I didn't set it explicit. I don't know what caused setting Auth-Type to
 Local!!
 But I found my error. The problem was in ldap
 I didn't have Auth-Type Set in radius and I used old config from docs
 directory which didn't have set_auth_type parameter.

  OK.

 Similar problem my LDAP server return hashed passwords instead of plain-text
 i added additional parameter in LDAP which solved the issue.

  If you map the hashed password to Password-With-Header, and add the
pap module to the authorize section, it should work, too.

  Alan DeKok.
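Alan's two remarks in this thread about hashed userPassword values (mapping one to Cleartext-Password cannot work, while mapping it to Password-With-Header and adding pap to authorize can) come down to how the stored value is compared. The following is an added example, not code from the thread or from FreeRADIUS: it assumes the OpenLDAP {MD5}/{SHA}/{SMD5}/{SSHA} header convention (base64 payload, salt appended after the digest for the salted forms) and uses function names of my own.

```python
import base64
import hashlib
import hmac
import re

# The value seen in the thread is "{MD5}SNNMxdM+Zfvr//0yEp0DuA=="; the password
# behind it is not on the page, so the test data here is constructed locally.
_HEADER_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)

# Digest per header (OpenLDAP userPassword convention, assumed here).
_DIGESTS = {"MD5": hashlib.md5, "SMD5": hashlib.md5,
            "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
# Salted forms store digest(password + salt) followed by the salt bytes.
_SALTED = {"SMD5", "SSHA"}


def split_header(stored: str):
    """Split '{SCHEME}payload' into (scheme, payload); no header means clear text."""
    m = _HEADER_RE.match(stored)
    if not m:
        return "CLEAR", stored
    return m.group(1).upper(), m.group(2)


def cleartext_compare(stored: str, supplied: str) -> bool:
    """What the failing configuration amounts to: Cleartext-Password is compared
    byte for byte, so a stored '{MD5}...' string never equals the typed password."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def password_with_header_compare(stored: str, supplied: str) -> bool:
    """Decode the header, hash the supplied password the same way, compare digests.
    Returns False (never raises) for unknown schemes or malformed payloads."""
    scheme, payload = split_header(stored)
    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode(), supplied.encode())
    if scheme not in _DIGESTS:
        return False                       # unknown scheme: reject rather than guess
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:                     # binascii.Error is a ValueError subclass
        return False
    digest_fn = _DIGESTS[scheme]
    digest_len = digest_fn().digest_size
    if scheme in _SALTED:
        if len(raw) <= digest_len:
            return False                   # no salt bytes present
        stored_digest, salt = raw[:digest_len], raw[digest_len:]
    else:
        if len(raw) != digest_len:
            return False
        stored_digest, salt = raw, b""
    computed = digest_fn(supplied.encode() + salt).digest()
    return hmac.compare_digest(computed, stored_digest)


def make_password_with_header(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build a stored value in the same format; used here to construct test data."""
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return "{CLEAR}" + password
    if scheme not in _SALTED:
        salt = b""                         # unsalted schemes carry no salt
    digest = _DIGESTS[scheme](password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


if __name__ == "__main__":
    stored = make_password_with_header("SSHA", "somepass", b"saltsalt")
    print("as Cleartext-Password:", cleartext_compare(stored, "somepass"))               # False
    print("as Password-With-Header:", password_with_header_compare(stored, "somepass"))  # True
```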


certificates in FR 2.0.1 on windows doesn't work

2008-01-24 Thread orion
hi to all.
created the certificates with the default config files in FR 2.0.1 with
./bootstrap

created the client certificate with
make client


the import of the ca.pem and server.crt in winxp is OK.
they link with each-other ok ( ca-server )

the import of client.p12 is ok but it doesn't have a valid link
it is ca-server-client
and the details of the server certificate tells that is not authorized to
issue certificates .
the client certificates tells that is issued by the server not by the ca.


the question is :
the client certificate should be issued by the server or by the ca?

if it's to be issued by the ca then the Makefile in cert dirs has to be
modified.

in fact after modifying the Makefile and client.cnf and re-importing them in
xp, the linkage is ok.  ( ca-client )

is this a prob ? or what ?

IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread Andrew D Kirch

When I connect a client to freeradius the client authenticates, gets an
accept/accept, but does not get an IP address.  I've tried it with the
Group and Pool-Name directives in each client's block, and I've tried it
with them in a DEFAULT by themselves.  Neither has handed out an IP address.

System vitals:
radius:/etc/freeradius# uname -a
Linux radius 2.6.18-5-686 #1 SMP Mon Dec 24 16:41:07 UTC 2007 i686 GNU/Linux
radius:/etc/freeradius# cat /etc/debian_version
4.0
radius:/etc/freeradius# freeradius -v
freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built
on Dec 16 2006 at 23:48:11

# radtest umcc xx localhost 0 xxx
Sending Access-Request of id 144 to 127.0.0.1 port 1812
   User-Name = umcc
   User-Password = bts10200
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=144, length=44
   Service-Type = Framed-User
   Framed-IP-Netmask = 255.255.255.255
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP

radius.log:
Thu Jan 24 11:20:51 2008 : Info: rlm_exec: Wait=yes but no output
defined. Did you mean output=none?
Thu Jan 24 11:20:51 2008 : Info: Ready to process requests.
Thu Jan 24 11:32:33 2008 : Auth: Login OK: [umcc] (from client
localhost-testing port 0)

users:
umcc	User-Password == xx
   Service-Type = Framed-User,
   Framed-IP-Netmask = 255.255.255.255,
   Group == main_pool,
   Pool-Name := main_pool,
   Framed-Protocol = PPP,
   Framed-Compression = Van-Jacobson-TCP-IP

radiusd.conf (pertinent sections)
ippool main_pool {
   range-start = 208.64.35.2
   range-stop = 208.64.35.254
   netmask = 255.255.255.255
   cache-size = 253
   session-db = ${raddbdir}/db.ippool
   ip-index = ${raddbdir}/db.ipindex
   override = yes
   maximum-timeout = 0
   }
accounting {
   detail
   unix
   radutmp
   main_pool
}
post-auth {
   main_pool
}




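Ivan's reply later in the thread quotes the rlm_ippool comment: Pool-Name is a check item, yet the users entry above lists it (and a Group == comparison) among the reply items. The checker below is an added example, not from the thread or from FreeRADIUS; it assumes a simplified users-file grammar (a line starting in column 1 opens an entry with its check items, indented lines carry reply items), uses my own function names, and runs on constructed sample entries.

```python
import re
from typing import Dict, List, Tuple

# Attributes that only make sense on an entry's first (check) line: Pool-Name per
# the rlm_ippool comment quoted in the thread, Group because it is a comparison
# against the system group database.
CHECK_ONLY = {"Pool-Name", "Group"}
# Operators that compare rather than assign; they have no meaning in reply items.
COMPARISON_OPS = {"==", "=~", "!=", "<", "<=", ">", ">="}

_ITEM_RE = re.compile(r'([A-Za-z0-9-]+)\s*(:=|==|=~|!=|\+=|<=|>=|=|<|>)\s*("[^"]*"|\S+)')

Item = Tuple[str, str, str]


def _split_commas(text: str) -> List[str]:
    """Split on commas that are not inside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def split_items(text: str) -> List[Item]:
    """Parse 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    items: List[Item] = []
    for part in _split_commas(text):
        part = part.strip()
        if not part:
            continue                       # trailing comma on a reply line
        m = _ITEM_RE.fullmatch(part)
        if not m:
            raise ValueError("cannot parse item: %r" % part)
        items.append((m.group(1), m.group(2), m.group(3)))
    return items


def parse_users(text: str) -> List[Dict]:
    """Simplified users-file grammar: a line starting in column 1 opens an entry
    (name followed by check items); indented lines hold that entry's reply items."""
    entries: List[Dict] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if not entries:
                raise ValueError("reply items before any entry: %r" % line)
            entries[-1]["reply"].extend(split_items(line))
        else:
            name, _ws, rest = re.match(r"(\S+)(\s*)(.*)$", line).groups()
            entries.append({"name": name, "check": split_items(rest), "reply": []})
    return entries


def lint(entries: List[Dict]) -> List[str]:
    """Report reply items the server would not treat as the author intended."""
    problems = []
    for e in entries:
        for attr, op, _value in e["reply"]:
            if attr in CHECK_ONLY:
                problems.append("%s: %s is a check item but appears among the reply items"
                                % (e["name"], attr))
            elif op in COMPARISON_OPS:
                problems.append("%s: reply item %s uses comparison operator %s"
                                % (e["name"], attr, op))
    return problems


# Constructed from the entry in the thread: Pool-Name and Group placed as reply items.
BAD_USERS = """
umcc\tUser-Password == "xx"
\tService-Type = Framed-User,
\tFramed-IP-Netmask = 255.255.255.255,
\tGroup == main_pool,
\tPool-Name := main_pool,
\tFramed-Protocol = PPP,
\tFramed-Compression = Van-Jacobson-TCP-IP
"""

# The shape the rlm_ippool comment describes: Pool-Name on the check line.
GOOD_USERS = """
umcc\tUser-Password == "xx", Pool-Name := main_pool
\tService-Type = Framed-User,
\tFramed-IP-Netmask = 255.255.255.255,
\tFramed-Protocol = PPP,
\tFramed-Compression = Van-Jacobson-TCP-IP
"""

if __name__ == "__main__":
    for label, text in (("bad", BAD_USERS), ("good", GOOD_USERS)):
        print(label, lint(parse_users(text)) or "no problems")
```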


Novice user. Authenticate against Radius Server

2008-01-24 Thread German Anguiano Bayardo

Hi guys.  I'm a beginner with the Radius protocol. I've been using Linux for a 
while now, so I hope it doesn't take me too long to catch the idea.

Sorry in advance if I make some stupid questions. Ok, here I go.

I'm in a new job. My boss told me that they attempted to setup a Hotspot for 
free public access. But they want the users to register with us (this is a 
government office) for usage statistics, accounting, etc. 

They say the only missing part is a Radius Server where to authenticate the 
users. The steps are as follows:
1.- The user uses his laptop to access Internet, opens the web browser and gets a 
Welcome Page, where they have to login
2.- When they give user and password, the access point verifies it against a 
Radius Server, just for access statistics purposes.
3.- If it's a valid user, he/she can have access to Internet. 

Some sort of that is the idea.

Nothing sophisticated, only that users must be registered.

Can anyone point me to the right path ??

Thanks in advance...


German Anguiano B.



Re: Novice user. Authenticate against Radius Server

2008-01-24 Thread Alan DeKok
German Anguiano Bayardo wrote:
 They say the only missing part is a Radius Server where to authenticate the 
 users. The steps are as follows:
 1.- The user uses his laptop to access Internet, opens the web browser and gets 
 a Welcome Page, where they have to login
 2.- When they give user and password, the access point verifies it against a 
 Radius Server, just for access statistics purposes.
 3.- If it's a valid user, he/she can have access to Internet. 
...
 Can anyone point me to the right path ??

  You want a captive portal, like
http://coova.org/wiki/index.php/CoovaChilli

  Once that's set up, a RADIUS server should be relatively easy.
Install, follow the docs...

  Alan DeKok.


Re: Novice user. Authenticate against Radius Server

2008-01-24 Thread orion
wiki.freeradius.org
a little bit slow actually.


On 24/01/2008, German Anguiano Bayardo [EMAIL PROTECTED] wrote:


 Hi guys.  I'm a beginner with the Radius protocol. I've been using Linux
 for a while now, so I hope it doesn't take me too long to catch the idea.

 Sorry in advance if I make some stupid questions. Ok, here I go.

 I'm in a new job. My boss told me that they attempted to setup a Hotspot
 for free public access. But they want the users to register with us (this is
 a government office) for usage statistics, accounting, etc.

 They say the only missing part is a Radius Server where to authenticate
 the users. The steps are as follows:
 1.- The user uses his laptop to access Internet, opens the web browser and
 gets a Welcome Page, where they have to login
 2.- When they give user and password, the access point verifies it against
 a Radius Server, just for access statistics purposes.
 3.- If it's a valid user, he/she can have access to Internet.

 Some sort of that is the idea.

 Nothing sophisticated, only that users must be registered.

 Can anyone point me to the right path ??

 Thanks in advance...


 German Anguiano B.


Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread Kevin Bonner
On Thursday 24 January 2008 13:10:09 Alan DeKok wrote:
   And with all of the information you posted, you didn't include the
 most important, which is requested in the FAQ, README, INSTALL, man
 page, and daily on this list: radiusd -X.

   Is there some other place in the documentation where this should be
 suggested?

   Alan DeKok.

Big red letters on the front page of the website.  Or below the 
subscribe/unsubscribe line in the footer of every message.  =)

-Kevin



Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread Andrew D Kirch

Alan DeKok wrote:

Andrew D Kirch wrote:
  

When I connect a client to freeradius the client authenticates, gets an
accept/accept, but does not get an IP address.  I've tried it with the
Group and Pool-Name directives in each client's block, and I've tried it
with them in a DEFAULT by themselves.  Neither has handed out an IP
address.


...
  

radius:/etc/freeradius# freeradius -v
freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built
on Dec 16 2006 at 23:48:11



  You should upgrade to at least 1.1.6, maybe 2.0.1

  And with all of the information you posted, you didn't include the
most important, which is requested in the FAQ, README, INSTALL, man
page, and daily on this list: radiusd -X.

  Is there some other place in the documentation where this should be
suggested?

  Alan DeKok.

You might try putting it at the top of radiusd.conf, everyone's
eventually going to see that.  Because I use Debian the others are
packaged and abstracted away.  I used the Freeradius wiki quite a bit as
well, and perhaps it could be more visible there too.  In fact I think
this might be an honorable use of the blink element, as I was able to
use the freeradius -X output to immediately debug my problem.  Thank you
for the help.


Andrew




Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread tnt
It's all in black and white:

#  for different users. The Pool-Name attribute is a *check* item not
#  a reply item.
#
# Example:
# radiusd.conf: ippool students { [...] }
# users file  : DEFAULT Group == students, Pool-Name := students
#

Yet, you have put it as a reply item.

Ivan Kalik
Kalik Informatika ISP


On 24/1/2008, Andrew D Kirch [EMAIL PROTECTED] writes:

When I connect a client to freeradius the client authenticates, gets an
accept/accept, but does not get an IP address.  I've tried it with the
Group and Pool-Name directives in each client's block, and I've tried it
with them in a DEFAULT by themselves.  Neither has handed out an IP address.

System vitals:
radius:/etc/freeradius# uname -a
Linux radius 2.6.18-5-686 #1 SMP Mon Dec 24 16:41:07 UTC 2007 i686 GNU/Linux
radius:/etc/freeradius# cat /etc/debian_version
4.0
radius:/etc/freeradius# freeradius -v
freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built
on Dec 16 2006 at 23:48:11

# radtest umcc xx localhost 0 xxx
Sending Access-Request of id 144 to 127.0.0.1 port 1812
User-Name = umcc
User-Password = bts10200
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=144, length=44
Service-Type = Framed-User
Framed-IP-Netmask = 255.255.255.255
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP

radius.log:
Thu Jan 24 11:20:51 2008 : Info: rlm_exec: Wait=yes but no output
defined. Did you mean output=none?
Thu Jan 24 11:20:51 2008 : Info: Ready to process requests.
Thu Jan 24 11:32:33 2008 : Auth: Login OK: [umcc] (from client
localhost-testing port 0)

users:
umcc	User-Password == xx
	Service-Type = Framed-User,
	Framed-IP-Netmask = 255.255.255.255,
	Group == main_pool,
	Pool-Name := main_pool,
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

radiusd.conf (pertinent sections):
ippool main_pool {
	range-start = 208.64.35.2
	range-stop = 208.64.35.254
	netmask = 255.255.255.255
	cache-size = 253
	session-db = ${raddbdir}/db.ippool
	ip-index = ${raddbdir}/db.ipindex
	override = yes
	maximum-timeout = 0
}
accounting {
	detail
	unix
	radutmp
	main_pool
}
post-auth {
	main_pool
}









Re: one RADIUS server per realm setup

2008-01-24 Thread Wm. Josiah Erikson

Hi,
   I'm the guy that's trying to kinda duplicate eduroam, if you 
remember - I had an outdated server and Alan recommended I update to 
v2.0.1, which I have now done.


I've gotten this working (after updating my server and building 
freeradius packages for it) - in 2.0.1, when I uncommented the IPASS 
option in the authorize section, which says:


   #  Look for IPASS style 'realm/', and if not found, look for
   #  '@realm', and decide whether or not to proxy, based on
   #  that.

which is exactly what I wanted, and it seems to do what I want now - 
when it finds a non-local realm, it no longer tries to authorize 
locally. Good. Everything is peachy.


However... question. It says in radiusd.conf:

   #  Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG.  We
   #  really can't emphasize this enough.

Uh. OK. That's exactly what I'm doing, and it's working :) I'm only 
doing it because I wanted to reject or accept local users based on 
groups, so I have the following in radiusd.conf:


   groupname_attribute = gidNumber
   groupmembership_filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name}))"


and then the following in users:

# Allow Students
DEFAULT	Ldap-Group == 200, Auth-Type := LDAP

# ...and Staff
DEFAULT	Ldap-Group == 250, Auth-Type := LDAP

# ...and Faculty
DEFAULT	Ldap-Group == 300, Auth-Type := LDAP

# ...and nobody else!
DEFAULT	Auth-Type := Reject
	Reply-Message = "Only current faculty, staff or students are allowed to log in."



It seems to do what I want. We don't store the group name in the LDAP 
user entry, so I'm using the gid, which works fine.


However, is there a better way to do this that I'm not understanding? 
Why shouldn't I set Auth-Type := LDAP ?


Thanks so much! I'm just trying to pay attention to the documentation,
which tells me very strongly not to do exactly what I'm doing, even
though it really seems to work.


   -Josiah




[EMAIL PROTECTED] wrote:

Hi,

  
   1. Proxy authorization as well - it's not clear how to do this. Can you? 
I'd really just like to forward the entire request elsewhere, before 
anything else happens, so I'd like to check the realm FIRST, and not do 
anything if it's not a local realm.



yes, that's exactly what you do proxy stuff for - you'll define your
local realm, and null realm etc. you then define the realms and the
RADIUS server address for each of those realms. the requests
then get proxied to the remote systems.

it's similar to what we do with eduroam in europe - and myself with
JRS (the 'UK side' of eduroam) - http://www.ja.net/roaming

   I'm currently using freeradius 1.0.2, but I can upgrade if I need to.

definitely upgrade - 2.0.1. the proxy stuff is so much better
(failovers, dead timers, status requests etc)

alan


--
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091

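Both users-file problems in this thread and in the IP pool thread above come down to where an item sits in an entry: check items go on the first line beside the user name, reply items on the indented lines that follow, and the ippool comment Ivan quoted says Pool-Name is a check item. The Python below is an added example written for this archive, not code from any poster or from FreeRADIUS. It parses the users file format (name plus comma-separated check items in column 0, indented reply lines, quoted values, # comments) and reports check items that landed on reply lines as well as Auth-Type set to LDAP by hand, which the radiusd.conf comment quoted above warns against. The sample text is constructed after the entries posted in both threads with the password replaced by a placeholder, and the list of check-only attributes is this example's own and not exhaustive.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Operators the users file accepts; longer ones are listed first so "==" is not read as "=".
ITEM_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(=~|!~|=\*|!\*|:=|==|\+=|!=|>=|<=|=|>|<)\s*(.*)$")

# Attributes that only make sense as check items (this example's own list, not exhaustive).
CHECK_ONLY = {"Pool-Name", "Group", "Ldap-Group", "Huntgroup-Name", "Auth-Type",
              "User-Password", "Cleartext-Password", "Simultaneous-Use"}

@dataclass
class Item:
    attr: str
    op: str
    value: str

@dataclass
class Entry:
    name: str
    line: int
    check: List[Item] = field(default_factory=list)
    reply: List[Item] = field(default_factory=list)

def split_items(text: str) -> List[str]:
    """Split on commas outside quotes, stop at a # outside quotes, drop the empty tail a continuation comma leaves."""
    items, cur, quote = [], [], None
    for ch in text:
        if quote:
            cur.append(ch)
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
            cur.append(ch)
        elif ch == "#":
            break
        elif ch == ",":
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [s.strip() for s in items if s.strip()]

def parse_item(text: str) -> Item:
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse item: {text!r}")
    attr, op, value = m.group(1), m.group(2), m.group(3).strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return Item(attr, op, value)

def parse_users(text: str) -> List[Entry]:
    """Column-0 line: entry name then comma-separated check items; indented lines: that entry's reply items.
    List prefixes such as reply: on attribute names are out of scope here."""
    entries: List[Entry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            parts = raw.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append(Entry(parts[0], n, [parse_item(s) for s in split_items(rest)]))
        elif entries:
            entries[-1].reply.extend(parse_item(s) for s in split_items(raw))
        else:
            raise ValueError(f"line {n}: reply item before any entry")
    return entries

def lint(entries: List[Entry]) -> List[Tuple[int, str, str]]:
    """Report check items on reply lines, and Auth-Type forced to LDAP by hand."""
    findings = []
    for e in entries:
        for it in e.reply:
            if it.attr in CHECK_ONLY:
                findings.append((e.line, e.name, f"{it.attr} is a check item; move it to the first line"))
        for it in e.check:
            if it.attr == "Auth-Type" and it.value.upper() == "LDAP":
                findings.append((e.line, e.name, "Auth-Type := LDAP is set by hand; radiusd.conf warns against this"))
    return findings

# Constructed sample modelled on the entries posted in both threads (password replaced).
SAMPLE = """\
umcc\tUser-Password == "placeholder"
\tService-Type = Framed-User,
\tFramed-IP-Netmask = 255.255.255.255,
\tGroup == main_pool,
\tPool-Name := main_pool,
\tFramed-Protocol = PPP,
\tFramed-Compression = Van-Jacobson-TCP-IP

# Allow Students
DEFAULT\tLdap-Group == 200, Auth-Type := LDAP

DEFAULT\tAuth-Type := Reject
\tReply-Message = "Only current faculty, staff or students are allowed to log in."  # comma inside quotes
"""
```

Running lint(parse_users(SAMPLE)) reports Group and Pool-Name on the umcc entry's reply lines and the hand-set Auth-Type on the first DEFAULT entry; moving Group == main_pool and Pool-Name := main_pool up onto the umcc line, beside User-Password, is the fix Ivan pointed at, and the linter is silent on that corrected entry.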


Question about forum

2008-01-24 Thread Marinko Tarlac
I saw that the freeradius project has its own chat channel, but what about a
forum? I read all the emails in this list and some of these mails should be
available on some kind of forum so we can share experience.


What do you think?




Re: unlang question

2008-01-24 Thread Andy Billington
Thanks Alan,
Looking into it more what I really need to do is take a list of
existing usernames and proxy them to an external server, but allow
other usernames with the same format to be handled by a virtual server
in the FreeRADIUS box.

The list can be in a database or a text file or hard-coded into a
script; it's fairly short. New usernames can be handled as a different
realm no problem, but some of the existing ones have to be proxied
also, as we're having to delegate admin of them to a customer.

Any thoughts - things to watch out for or that might help?
Andy

On 23/01/2008, Alan DeKok [EMAIL PROTECTED] wrote:
 Andy Billington wrote:
  hi all,
  am looking at whether to migrate to 2.0 to create a couple of
  possibilities and was wondering if I can:
  1. create a main virtual server
  2. use unlang to parse the incoming requests and then based on whether
  they match a regex, proxy them to different virtual servers or to an
  external 3rd party RADIUS?

  Yes.  That's one of my test cases.

  The only issue is that you *will* have to proxy them.  i.e. set up a
 client of 127.0.0.1, set up different listen sections for each virtual
 server, and set up those listen sections as home servers.  The code
 does not currently have a way to re-direct requests to a virtual server.

  Alan DeKok.




Re: Question about forum

2008-01-24 Thread pawel
There is a history of this mailing list, but searching something is a 
nightmare. 

Imho forum would be great for that.

-Original Message-
From: Marinko Tarlac [EMAIL PROTECTED]

Date: Thu, 24 Jan 2008 22:14:23 
To:FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Question about forum


I saw that the freeradius project has its own chat channel, but what about a
forum? I read all the emails in this list and some of these mails should be
available on some kind of forum so we can share experience.

What do you think?




Re: Blank spaces after username - problem with accounting -MySqldatabase.

2008-01-24 Thread Marinko Tarlac
It is solved now. I deleted FR .4 and migrated to .7 with fresh clean 
install. I didn't use the old files.


Thanks

[EMAIL PROTECTED] wrote:

Hi,
  

Please don't be angry. I'm trying to fix this issue because it works
perfectly on FR1.1.7



if you've copied the config files direct from 1.1.7 to a 2.0.0
system then there will be quirks.

where's the full debug log?


alan

  




Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread Alan DeKok
Andrew D Kirch wrote:
 When I connect a client to freeradius the client authenticates, gets an
 accept/accept, but does not get an IP address.  I've tried it with the
 Group and Pool-Name directives in each client's block, and I've tried it
 with them in a DEFAULT by themselves.  Neither has handed out an IP
 address.
...
 radius:/etc/freeradius# freeradius -v
 freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built
 on Dec 16 2006 at 23:48:11

  You should upgrade to at least 1.1.6, maybe 2.0.1

  And with all of the information you posted, you didn't include the
most important, which is requested in the FAQ, README, INSTALL, man
page, and daily on this list: radiusd -X.

  Is there some other place in the documentation where this should be
suggested?

  Alan DeKok.


Re: Question about forum

2008-01-24 Thread Nicholas Hall
On Jan 24, 2008 3:14 PM, Marinko Tarlac [EMAIL PROTECTED] wrote:

 I saw that the freeradius project has its own chat channel, but what about a
 forum? I read all the emails in this list and some of these mails should be
 available on some kind of forum so we can share experience.

 What do you think?


What's wrong with sharing your experiences with the list?  Adding a forum
will be just another place I'll have to check to get my FreeRADIUS fix.

-- 
Nicholas Hall
[EMAIL PROTECTED]

UserName, Password + MAC authentication using Cisco's BBSM 5.3

2008-01-24 Thread javkhlanbaatar
Hello,

I'm using Freeradius 1.1.17 version with Cisco's BBSM, with a MySQL database
too. I'm storing usernames and passwords in the MySQL db. For now, authentication
is OK. I want to check the MAC address of users while they are authenticating.
In my radcheck table:

+----+----------+--------------------+----+-------------------+
| id | UserName | Attribute          | op | Value             |
+----+----------+--------------------+----+-------------------+
|  3 | java     | Password           | == | password          |
| 18 | java     | Calling-Station-Id | == | aa-bb-cc-dd-ee-ff |
+----+----------+--------------------+----+-------------------+

Also, BBSM's SNMP is enabled, so I can get users' MAC addresses. I want the
Radius server to check username, password and MAC address at the same time
when the user authenticates. Without Calling-Station-Id, authentication is
OK. When I add Calling-Station-Id, the user cannot authenticate. In which
table do I enter this attribute?

Also I cannot close or deactivate a user session when I want to. When I
remove the user from the BBSM MySQL db, the session is still open. Or can I set an
expiration time at 03 o'clock every day?

Could someone help me about these?
