Re: Setting Auth-Type to Accept using unlang

2008-10-14 Thread Alan DeKok
Abel Alejandro wrote:
 if (!Auth-Type) {

  Auth-Type is a control item, and is in the control item list.  It's
not in the RADIUS packet.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Spaces inside usernames

2008-10-14 Thread Mark J Elkins

This is on FreeRADIUS Version 1.1.7. I use 'mysql' to authenticate users.
I had one customer use a name something like fred @domain.dom - ie - 
there is a space after 'fred' and before the '@' sign.

This was being logged in my 'radacct' table with the space intact.

I've since managed to find the customer and fix the 'space'.


I've also changed radiusd.conf ...

   nospace_user = before
   nospace_pass = before

(nospace_pass - seems like a good idea as well!)
(Both were previously set to no)

The user was authenticating just fine - so some sort of stripping of the 
realm was happening before validation - so some sort of ignoring of the 
space appears to have been happening...
but what I'd like to know is: will nospace_user = before fix future 
problems of this sort?


In addition - in my SQL statement - if the user does not provide a realm 
- then I append a default realm - which also may have allowed the name 
to authenticate...  (I have some old users who are set in their ways). I 
see I also compare the two parts (username and realm) separately.


authorize_check_query = SELECT userid as id,UserName,'Password' as 
Attribute,password as Value,'==' as op FROM useracct WHERE 
Username='%{Stripped-User-Name}' AND realm=( case when '%{Realm}'='NULL' 
then 'domain.dom' else '%{Realm}' end) AND status2  ORDER BY id


--
 .  . ___. .__  Posix Systems - Sth Africa
/| /|   / /__   [EMAIL PROTECTED]  -  Mark J Elkins, SCO ACE, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



Re: Setting Auth-Type to Accept using unlang

2008-10-14 Thread tnt
How do I test if Auth-Type is not set?

I tried with:

if (!Auth-Type) {


That should work (I don't have 2.1.1 installed but I have tested that in
2.0.5 some time ago). You have added that in authorize (not
authenticate) after pap entry? Post the debug.

Ivan Kalik
Kalik Informatika ISP



[awful patch] Multiple levels of TLS nesting is invalid.

2008-10-14 Thread Matt Bernstein
So saith FreeRADIUS 2.1.1, but I wasn't trying to do multiple levels of 
TLS nesting. I'm trying to use virtual servers so that a single radiusd 
can terminate TTLS/PEAP for multiple subrealms, _and_ use the inner-tunnel 
trick, keeping the configs completely independent for each subrealm. This 
allows me to hook up different departments with different AAA 
infrastructures into one radius set-up for our eduroam service.


My default server has a pair of listen{} blocks, and little else:

authorize {
suffix
}

authenticate {
}

So, rlm_realm finds my virtual servers in proxy.conf, eg:

realm dcs.qmul.ac.uk {
nostrip
virtual_server = dcs
}

...and dcs has its own EAP config, which references a virtual_server 
dcs-inner for the PEAP/TTLS innards, which has _its_ own EAP config.


My problem is that eap.c (line 219), as called by dcs-inner, notices the 
request has a grandparent, and assumes it's multiple layers of TLS 
nesting. Interestingly, the comment omits the magic word TLS. I think 
perhaps that the virtual servers appear to count as layers. Anyway, this 
braindead patch makes it work for me:


--- freeradius-server-2.1.1/src/modules/rlm_eap/eap.c.orig  2008-09-25 
09:41:26.0 +0100
+++ freeradius-server-2.1.1/src/modules/rlm_eap/eap.c   2008-10-14 
15:19:53.800553926 +0100
@@ -216,10 +216,13 @@
/*
 *  Multiple levels of nesting are invalid.
 */
-   if (handler-request-parent  handler-request-parent-parent) {
-   RDEBUG2(Multiple levels of TLS nesting is invalid.);
+   if (handler-request-parent  handler-request-parent-parent  
handler-request-parent-parent-parent ) {
+   RDEBUG2(Multiple levels of TLS nesting is really invalid.);
return EAP_INVALID;
}
+   if (handler-request-parent  handler-request-parent-parent) {
+   RDEBUG2(Multiple levels of nesting is thought invalid, continuing 
anyway.);
+   }

/*
 *  Figure out what to do.
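Review bot: the new guard in this hunk does not fix the check, it moves it one level deeper. The old condition rejected any request with a grandparent; the new one rejects only a great-grandparent and lets the grandparent case through with a debug line, so a request that really is one TLS tunnel inside another but reached through a single virtual-server hop now passes, while a legitimate setup with one more rlm_realm virtual_server level than this one is still rejected. Counting parents cannot separate the two cases; the check should look at what the parent is (for example, whether the parent request was itself created by an EAP tunnel method) and reject only then. Two smaller points: as pasted here the hunk has lost the -> between handler, request and parent and the && between the two conditions, so it will not apply as shown; and "Multiple levels of nesting is thought invalid, continuing anyway." records doubt rather than the condition being tolerated, so either drop that message or say which case is being allowed.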

...and my radiusd -X output now looks like this:

Found Auth-Type = dcs-inner-eap
+- entering group authenticate {...}
[dcs-inner-eap] Request found, released from the list
[dcs-inner-eap] Multiple levels of nesting is thought invalid, continuing 
anyway.

[dcs-inner-eap] EAP/mschapv2
[dcs-inner-eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[dcs-inner-eap] returns handled

So.. I hope this is useful. Do drop me a mail on- or off-list on
mb/[EMAIL PROTECTED], if you want any further information or if 
I'm not being clear enough.


Matt


Re: [awful patch] Multiple levels of TLS nesting is invalid.

2008-10-14 Thread A . L . M . Buxey
hi,

hmmm, something about that process and flow doesn't sound
right at all.

alan


Number of Clients

2008-10-14 Thread Bernhard Miklautz
Hi there,

I'm graphing the stats of the configured clients we have.

Currently I use something like

<snip>
echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 35,
FreeRADIUS-Stats-Client-Number = 21" | radclient 127.0.0.1:18120 status
veryverysecret
</snip>

to retrieve them. That works out fine.

What I now miss is a way to actually get a list of clients, either the
number (Stats-Client-Number), or even better a list of ips.

Is it somehow possible to also get the number of clients via the server
status? Or is there another possibility, besides parsing the config file.

Thanks in advance,
Bernhard



Re: Number of Clients

2008-10-14 Thread A . L . M . Buxey
Hi,

 Hi there,
 
 I'm graphing the stats of the configured clients we have.
 
 Currently I use something like
 
 <snip>
 echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 35,
 FreeRADIUS-Stats-Client-Number = 21" | radclient 127.0.0.1:18120 status
 veryverysecret
 </snip>
 
 to retrieve them. That works out fine.
 
 What I now miss is a way to actually get a list of clients, either the
 number (Stats-Client-Number), or even better a list of ips.
 
 Is it somehow possible to also get the number of clients via the server
 status? Or is there another possibility, besides parsing the config file.

with 2.1.1 you can do

radmin -e 'show client list' | wc -l

...and far, far more than just that noddy example

alan


Re: Number of Clients

2008-10-14 Thread Alan DeKok
Bernhard Miklautz wrote:
 I'm graphing the stats of the configured clients we have.

  See also scripts/freeradius_auth, scripts/freeradius_acct.  They are
scripts for munin, to do graphing of overall server statistics.

  Alan DeKok.


Re: Problem Accounting with PostGreSQL

2008-10-14 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 We are using PostGreSQL for accounting. But when we made a query, we saw
 all tables are empty except radpostauth and we need information about
 the radacct table.

  This is in the FAQ.  If the NAS doesn't send accounting packets, the
server won't be able to log accounting information.

 So, when we were using FreeRADIUS 1.1.7, we changed
 postgresql.conf's  last comment like that:

  That is useless.  It hides the problem.  It doesn't *create*
accounting data, because only the NAS can do that.

  Fix the NAS so that it sends accounting packets.

  Alan DeKok.


pls help: restrict authentication for certain realms from particular clients

2008-10-14 Thread ST Wong (ITSC)
Hi all,

We just upgraded our freeradius server from 1.7 to 2.1.1.  I'd like to
restrict authentication requests as follows:

client A accepts: @realm1, @realm2
client B accepts: @realm2, @realm3

so that requests like the following will be rejected:

@realm3 to client A
@realm1 to client B

Would anyone please help?   Sorry for newbie question.

Thank you very much.
/ST Wong


Re: pool name per nas AND per user

2008-10-14 Thread Alexandre Chapellon


[EMAIL PROTECTED] wrote:
 Use unlang to set Pool-Name.

OK, I guess this solution is flexible enough for what I want to do.

So in the authorize section I tried to add an update directive where I
define a variable which has the result of the SQL query as value.
Then I want to concatenate this variable with the value of the Pool-Name
attribute as defined in the users file and set it as the new value of
Pool-Name. I think this would work for what I want to do.

update control {
%{MANA-DSL-Type} = mysqldb:SELECT value FROM radcheck
WHERE attribute='Subscription-Type' AND username='%{User-Name}'
if (%{MANA-DSL-Type}) {
Pool-Name := %{Pool-Name}%{ADSL-Type}
}
}


My problem is I don't know how to define a variable with unlang. I have
tried making a new dictionary with a special attribute but it doesn't
seem to work. Here is what it looks like:

# -*- text -*-
# Define internal attribute to use for ME
#

VENDOR          ME              11434

BEGIN-VENDOR    ME

ATTRIBUTE       MANA-DSL-Type   1       string

END-VENDOR      ME

Does anyone know how I can achieve this?
 Ivan Kalik
 Kalik Informatika ISP


 On 14/10/2008, Alexandre Chapellon [EMAIL PROTECTED]
 writes:

   
 Hello,

 I have freeradius authenticating ADSL users (several types of ADSL).
 Requests are coming from several BAS (my NASes).
 I would like freeradius to give customers IP addresses from different
 IP pools based on the NAS from which the request comes (huntgroups
 does it perfectly today) but also based on the type of ADSL being
 authenticated (this information is stored in the SQL database and so the
 NAS is completely unaware of it)

 ex:

 As a reminder, I want those pools

 pool_NAS1_ADSL512

 pool_NAS1_ADSL1024

 pool_NAS2_ADSL512

 pool_NAS2_ADSL1024



 If I am user1 who owns a 1024kb/s ADSL account, I want to have Pool-Name
 pool_NAS1_ADSL1024 if the request comes from NAS1 and pool_NAS2_ADSL1024
 if the request comes from NAS2... and so on.

 Any idea?

Re: pool name per nas AND per user

2008-10-14 Thread Alexandre Chapellon


[EMAIL PROTECTED] wrote:
 Use unlang to set Pool-Name.

OK, I guess this solution is flexible enough for what I want to do.

So in the authorize section I tried to add an update directive where I
define a variable which has the result of the SQL query as value.
Then I want to concatenate this variable with the value of the Pool-Name
attribute as defined in the users file and set it as the new value of
Pool-Name. I think this would work for what I want to do.

update control {
%{MANA-DSL-Type} = mysqldb:SELECT value FROM radcheck
WHERE attribute='Subscription-Type' AND username='%{User-Name}'
if (%{MANA-DSL-Type}) {
Pool-Name := %{Pool-Name}%{ADSL-Type}
}
}


My problem is I don't know how to define a variable with unlang. I have
tried making a new dictionary with a special attribute but it doesn't
seem to work. Here is what it looks like:

# -*- text -*-
# Define internal attribute to use for ME
#

VENDOR          ME              11434

BEGIN-VENDOR    ME

ATTRIBUTE       MANA-DSL-Type   1       string

END-VENDOR      ME

Does anyone know how I can achieve this?

Oops, here is the error I get:

ERROR: Unknown vendor name in attribute name %{MANA-DSL-Type}

 Ivan Kalik
 Kalik Informatika ISP


 On 14/10/2008, Alexandre Chapellon [EMAIL PROTECTED]
 writes:

   
 Hello,

 I have freeradius authenticating ADSL users (several types of ADSL).
 Requests are coming from several BAS (my NASes).
 I would like freeradius to give customers IP addresses from different
 IP pools based on the NAS from which the request comes (huntgroups
 does it perfectly today) but also based on the type of ADSL being
 authenticated (this information is stored in the SQL database and so the
 NAS is completely unaware of it)

 ex:

 As a reminder, I want those pools

 pool_NAS1_ADSL512

 pool_NAS1_ADSL1024

 pool_NAS2_ADSL512

 pool_NAS2_ADSL1024



 If I am user1 who owns a 1024kb/s ADSL account, I want to have Pool-Name
 pool_NAS1_ADSL1024 if the request comes from NAS1 and pool_NAS2_ADSL1024
 if the request comes from NAS2... and so on.

 Any idea?

Re: pls help: restrict authentication for certain realms from particularclients

2008-10-14 Thread tnt
clientA   Realm == realm3, Auth-Type := Reject

You can achieve the same using unlang, groups in SQL, ...

Ivan Kalik
Kalik Informatika ISP

On 14/10/2008, ST Wong (ITSC) [EMAIL PROTECTED] writes:

Hi all,

We just upgraded our freeradius server from 1.7 to 2.1.1.  I'd like to
restrict authentication requests as follows:

client A accepts: @realm1, @realm2
client B accepts: @realm2, @realm3

so that requests like the following will be rejected:

@realm3 to client A
@realm1 to client B

Would anyone please help?   Sorry for newbie question.

Thank you very much.
/ST Wong




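The same rule written in unlang, the alternative Ivan mentions, as an added example that is not part of the original reply. Client A and client B are identified by NAS-IP-Address, the check item suggested for the per-NAS question in the access-rights thread of this digest; the 192.0.2.x addresses are placeholders and the realm names are the ones from the question.

```unlang
authorize {
    preprocess
    suffix     # splits user@realm and sets Realm; Realm = "NULL" when the user sent none

    # Placeholder addresses: 192.0.2.1 stands for client A, 192.0.2.2 for client B.
    # Positive allow-list per client: a request whose realm is not listed, including
    # one with no realm at all, lands in the else branch and is rejected before any
    # authentication module runs. Auth-Type := Reject is the same mechanism as the
    # users-file line in the reply above.
    if (NAS-IP-Address == 192.0.2.1) {
        if ((Realm == "realm1") || (Realm == "realm2")) {
            noop
        }
        else {
            update control {
                Auth-Type := Reject
            }
        }
    }
    elsif (NAS-IP-Address == 192.0.2.2) {
        if ((Realm == "realm2") || (Realm == "realm3")) {
            noop
        }
        else {
            update control {
                Auth-Type := Reject
            }
        }
    }
    else {
        # A NAS with no rule gets nothing, so adding a client to clients.conf
        # never silently grants it every realm.
        update control {
            Auth-Type := Reject
        }
    }

    # NAS-IP-Address is whatever the NAS wrote into the packet; where the packet's
    # source address is the better identity, compare Packet-Src-IP-Address instead.
    # ... rest of authorize (sql, pap, ...)
}
```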


sqlippool/rlm_sql_query relocation error (mysql)

2008-10-14 Thread Andre Dalle
Recently upgraded from 1.0.4 to 2.1.1 to use sqlippool.  Chiefly because
rlm_ippool began failing on us. 

Server with sql accounting is working well, but I'm experiencing a relocation
error with sqlippool.  I had to use --with-system-libtool to build freeradius
with libtool 2.2.4.  Relocation errors on linking otherwise.

rlm_sql (sql): Reserving sql socket id: 3
[sqlippool]   expand: %{User-Name} -> [EMAIL PROTECTED]
[sqlippool] sql_set_user escaped user --> '[EMAIL PROTECTED]'
[sqlippool]   expand: START TRANSACTION -> START TRANSACTION
ld.so.1: radiusd: fatal: relocation error: file /usr/local/lib/rlm_sqlippool-2.1.1.so: symbol rlm_sql_query: referenced symbol not found

-- 
André Dalle
Systems Administrator
NCF Internet


Re: access rights for some users or user groups with

2008-10-14 Thread BADAOUI Nasr-Eddine (P)
I've configured my tables as follows:

mysql> select * from usergroup;
+----+----------+-------------+
| id | UserName | GroupName   |
+----+----------+-------------+
| 13 | st234824 | test_radius |
+----+----------+-------------+

mysql> select * from radcheck;
+----+----------+----------------+----+---------------+
| id | UserName | Attribute      | op | Value         |
+----+----------+----------------+----+---------------+
|  1 | st234824 | Crypt-Password | := | LqI8nHgSp/pTY |
+----+----------+----------------+----+---------------+

mysql> select * from radgroupcheck;
+----+-------------+-----------+----+-------+
| id | GroupName   | Attribute | op | Value |
+----+-------------+-----------+----+-------+
|  4 | test_radius | Auth-Type | := | TLS   |
+----+-------------+-----------+----+-------+

mysql> select * from nas;
+----+---------------+-----------+-------+-------+------------+-----------+-------------+
| id | nasname       | shortname | type  | ports | secret     | community | description |
+----+---------------+-----------+-------+-------+------------+-----------+-------------+
|  6 | 192.168.9.155 | switch    | cisco |  1812 | bonjour    |           |             |
|  9 | 192.168.9.154 | webmail01 | other |  1812 | testing123 |           |             |
+----+---------------+-----------+-------+-------+------------+-----------+-------------+

Which type of attributes should I use to access from webmail01, but not 
switch for example ?
 
 
thanks



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Date: Mon. 13/10/2008 19:30
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 42, Issue 80



Message: 1
Date: Mon, 13 Oct 2008 13:51:28 +0200
From: BADAOUI Nasr-Eddine (P) [EMAIL PROTECTED]
Subject: access rights for some users or user groups with freeradius
and mysql
To: freeradius-users@lists.freeradius.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

Hi,

I'd like to know how to authorize some users or user groups created in the MySQL 
tables so that they can log in only on some of the MySQL-defined clients, with FreeRADIUS.

The MySQL tables are:

nas table for clients
radcheck table for users
radgroupcheck table
usergroup table

many thanks



--

Message: 2
Date: Mon, 13 Oct 2008 13:24:07 +0100
From: [EMAIL PROTECTED]
Subject: Re: access rights for some users or user groups with
freeradius and mysql
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-2

If I understood you well, you want some users or groups to have access
from NAS1 but not from NAS2. Add attribute NAS-IP-Address with the
appropriate value to the radcheck or radgroupcheck table.

Ivan Kalik
Kalik Informatika ISP


On 13/10/2008, BADAOUI Nasr-Eddine (P)
[EMAIL PROTECTED] writes:

Hi,

I'd like to know how to authorize some users or user groups created in the MySQL 
tables so that they can log in only on some of the MySQL-defined clients, with FreeRADIUS.

The MySQL tables are:

nas table for clients
radcheck table for users
radgroupcheck table
usergroup table

many thanks







--

Message: 3
Date: Mon, 13 Oct 2008 14:24:45 +0200
From: Alan DeKok [EMAIL PROTECTED]
Subject: Re: One user - Different Service Type depending on NAS
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1

Mats Blomgren B wrote:
 3 of the users should have full access 

Re: Setting Auth-Type to Accept using unlang

2008-10-14 Thread Abel Alejandro
On Tue, Oct 14, 2008 at 4:39 AM,  [EMAIL PROTECTED] wrote:
How do I test if Auth-Type is not set?

I tried with:

if (!Auth-Type) {


 That should work (I don't have 2.1.1 installed but I have tested that in
 2.0.5 some time ago). You have added that in authorize (not
 authenticate) after pap entry? Post the debug.

The problem is that if (!Auth-Type) returns true even when the user is valid.
Here is a debug when the user is valid.

++[sql] returns ok
++[pap] returns updated
++? if (!Auth-Type)
? Evaluating !(Auth-Type) -> FALSE
++? if (!Auth-Type) -> TRUE
++- entering if (!Auth-Type) {...}
+++? if (!NAS-IP-Address == 196.12.161.237)
? Evaluating !(NAS-IP-Address == 196.12.161.237) -> FALSE
+++? if (!NAS-IP-Address == 196.12.161.237) -> TRUE
+++- entering if (!NAS-IP-Address == 196.12.161.237) {...}
[reply] returns updated
[control] returns updated
+++- if (!NAS-IP-Address == 196.12.161.237) returns updated
++- if (!Auth-Type) returns updated
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}

I am using the following in the authorize section right after pap:

if (!Auth-Type) {
    if (!NAS-IP-Address == X.X.X.X) {
        update reply {
            Reply-Message = "Restricted Access"
            MS-Primary-DNS-Server = X.X.X.X
            MS-Secondary-DNS-Server = X.X.X.X
            RP-Max-Sessions-Per-User = 100
        }
        update control {
            Auth-Type := Accept
            Pool-Name := invaliduser_pool
        }
    }
}

 Ivan Kalik
 Kalik Informatika ISP

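Alan DeKok's point that Auth-Type is a control item, applied to the fragment in this post, as an added example that is not the poster's or the project's own configuration. The first block is the posted condition and why it fires for valid users; the second is the corrected test, with 192.0.2.10 as a placeholder for the post's X.X.X.X.

```unlang
# Posted form: an unqualified "Auth-Type" is looked up in the request list,
# where it never exists (it is not in the RADIUS packet), so this branch runs
# for every request and forces Auth-Type := Accept even for users pap has
# already validated. The debug shows exactly that: "[pap] returns updated"
# and then "if (!Auth-Type) -> TRUE".
if (!Auth-Type) {
    update control {
        Auth-Type := Accept
    }
}

# Corrected form: test the control list, where pap (or sql check items) put
# Auth-Type. Known users keep Auth-Type = PAP and get their password checked;
# only unknown users fall through to the restricted-access reply and pool.
if (!control:Auth-Type) {
    if (NAS-IP-Address != 192.0.2.10) {   # placeholder for the post's X.X.X.X
        update reply {
            Reply-Message = "Restricted Access"
        }
        update control {
            Auth-Type := Accept
            Pool-Name := "invaliduser_pool"
        }
    }
}
```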


Re: R: TLV format in WiMAX dictionary

2008-10-14 Thread Alan DeKok
Stefano Colagreco wrote:
 The ASN-GW receives the attribute but does not recognize the WiMAX QoS attribute.

  Then it's not WiMAX compatible.  Simple, isn't it?

 Looking at the trace of the ASN-GW I've noticed the following mistakes:
 
 - vendor-unkonwn-type29:00 06 06 00 07 D0 00

  Mistake?  If you don't want to do QoS, don't send it a QoS attribute.
 If the ASN-GW doesn't support QoS, buy a standards-compatible gateway.

 The ASN-GW I used is guaranteed as fully compliant with the WiMAX standard.

  Well, ask for your money back, or for an updated version that's
compliant with the WiMAX standard.

  The QoS attribute has been around for a LONG time in WiMAX.  Over a
year, IIRC.  So there's no excuse for the vendor to ignore it.

  Alan DeKok.


Problem Accounting with PostGreSQL

2008-10-14 Thread mehtap
Hi,

We are using PostGreSQL for accounting. But when we made a query, we saw
all tables are empty except radpostauth and we need information about
the radacct table. So, when we were using FreeRADIUS 1.1.7, we changed
postgresql.conf's last comment like this:

  We changed this comment:

 postauth_query = INSERT INTO ${postauth_table} (username, pass, reply,
authdate) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', NOW())

like that:

postauth_query = INSERT into ${acct_table1} \
   (AcctSessionId, AcctUniqueId, UserName, Realm,
NASIPAddress, NASPortId, NASPortType, AcctStartTime,
AcctAuthentic, \
   ConnectInfo_start, CalledStationId, CallingStationId,
ServiceType, FramedProtocol, FramedIPAddress,
AcctStartDelay, XAscendSessionSvrKey) \
   values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', \
   '%{NAS-Port}', '%{NAS-Port-Type}', ('%S'::timestamp -
'%{Acct-Delay-Time:-0}'::interval), '%{Acct-Authentic}',
'%{Connect-Info}', \
   '%{Called-Station-Id}', '%{Calling-Station-Id}',
'%{Service-Type}', '%{Framed-Protocol}', \
   NULLIF('%{Framed-IP-Address}', '')::inet, 0,
'%{X-Ascend-Session-Svr-Key}')

And it worked:)
But now we are using FreeRADIUS 2.0.4 and when we change
postgresql.conf as above, it doesn't work. When someone tries to
connect with FreeRADIUS, it gives a Login Incorrect message.

Is there any link including a solution about my problem?




Re: R: TLV format in WiMAX dictionary

2008-10-14 Thread tnt
Looking at the trace of the ASN-GW I've noticed the following mistakes:

- vendor-unkonwn-type29:00 06 06 00 07 D0 00

The ASN-GW I used is guaranteed as fully compliant with the WiMAX standard.


Fine. So you can ask them for the updated dictionary then.

Ivan Kalik
Kalik Informatika ISP



Best method to filter on calling-station-ID/IP Address?

2008-10-14 Thread D J
All,

I have VPN users who connect to a Cisco ASA firewall, which authenticates
using radius off of Freeradius.  I would like to enforce which IP addresses
users may connect from.  Am I correct to assume the Radius server is the
best place to perform this?

If so, what is the best way to go about doing this?  Since our users.conf is
programmatically generated, hopefully the changing part of the configuration
can be isolated to this file?  Below is an example login from the
free-radius server.  I want to filter on Calling-Station-Id, to enforce a
specified source IP which may vary by user.

Thanks!


rad_recv: Access-Request packet from host 3.3.3.3:1025, id=177, length=157
User-Name = john
User-Password = 
NAS-Port = 
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = 1.1.1.1
Calling-Station-Id = 2.2.2.2
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = 4.4.4.4
NAS-IP-Address = 3.3.3.3
Cisco-AVPair = ip:source-ip=2.2.2.2N\233
  Processing the authorize section of radiusd.conf

Re: TLV format in WiMAX dictionary

2008-10-14 Thread Alan DeKok
Stefano Colagreco wrote:
 I try to use freeradius-2.1.1 to authenticate WiMAX users. In dictionary.wimax
 some attributes are defined as TLV. I try to send them to the ASN-GW in two ways.
 
 First way - One attribute with multivalue:

  That won't work.

 Second way - A sequence of attribute:

  That will work.  It's been tested with equipment from multiple vendors.

 WiMAX-QoS-Id=01
 WiMAX-Media-Flow-Type=Robust-Browser
 WiMAX-Schedule-Type=BEST-EFFORT
 WiMAX-Traffic-Priority=0
 WiMAX-Maximum-Sustained-Traffic-Rate=512000
 
 In the first case I receive an Access-Reject (for invalid TLV format).
 In the second, all attributes are sent to the ASN-GW but some of them are not
 recognized.

  What does that mean?  Some are not recognized?

  Alan DeKok.


Re: pool name per nas AND per user

2008-10-14 Thread tnt
So In the authorize section i tried to add an update directive where i
define a variable which has the result of the sql query as value.
Then i want to concatenate this variable with the value of the Pool-Name
attribute as defined in the users file and set it as the new value of
Pool-Name. I think this would work for what i want to do.

update control {
%{MANA-DSL-Type} = mysqldb:SELECT value FROM radcheck
WHERE attribute='Subscription-Type' AND username='%{User-Name}'
if (%{MANA-DSL-Type}) {
Pool-Name := %{Pool-Name}%{ADSL-Type}
}
}


Ugh.

1. Forget custom dictionaries. Use already defined temporary attributes
from freeradius internal dictionary (ie. Tmp-String-0,...,
Tmp-Integer-0, ... etc.)

2. %{} goes around the value not attribute name:

Tmp-String-0 = %{mysqldb:SELECT value FROM...}

3. You can't put if inside the control section. You can put update
control inside if section.

update control {
  read temporary value from the database
}

if(whatever) {
 update control { ...

Ivan Kalik
Kalik Informatika ISP
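Ivan's three corrections applied to the posted fragment, as an added example that is not the poster's own configuration. The mysqldb instance name, the radcheck attribute Subscription-Type and the target pool name pool_NAS1_ADSL1024 come from the thread; that the users file (via huntgroups) has already set control:Pool-Name to the per-NAS prefix, and that the radcheck row stores the suffix as ADSL1024, are assumptions.

```unlang
authorize {
    preprocess   # loads huntgroups so Huntgroup-Name is available to the users file
    files        # users file sets the per-NAS prefix, e.g. Pool-Name := pool_NAS1 (assumed)

    # (1) No custom dictionary: Tmp-String-0 is a built-in temporary attribute.
    # (2) The %{...} xlat wraps the query, not the attribute name. rlm_sql's xlat
    #     SQL-escapes the nested %{User-Name} expansion before the query is run,
    #     so a crafted username cannot alter the statement.
    #     The radcheck value is assumed to hold the suffix, e.g. "ADSL1024".
    update control {
        Tmp-String-0 := "%{mysqldb:SELECT value FROM radcheck WHERE attribute='Subscription-Type' AND username='%{User-Name}'}"
    }

    # (3) "if" cannot sit inside "update"; the "update control" goes inside the "if".
    #     Append only when the lookup returned a value and a per-NAS prefix exists;
    #     otherwise Pool-Name is left alone rather than becoming a name like
    #     "pool_NAS1_" that matches no pool and leaves the user without an address.
    if ((control:Tmp-String-0 != "") && control:Pool-Name) {
        update control {
            Pool-Name := "%{control:Pool-Name}_%{control:Tmp-String-0}"
        }
    }

    # Result for user1 (Subscription-Type = ADSL1024) arriving via NAS1:
    # Pool-Name = pool_NAS1_ADSL1024, as asked for in the thread.
    # ... rest of authorize
}
```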



Re: pool name per nas AND per user

2008-10-14 Thread tnt
Use unlang to set Pool-Name.

Ivan Kalik
Kalik Informatika ISP


On 14/10/2008, Alexandre Chapellon [EMAIL PROTECTED]
writes:

Hello,

I have freeradius authenticating ADSL users (several types of ADSL).
Requests are coming from several BAS (my NASes).
I would like freeradius to give customers IP addresses from different
IP pools based on the NAS from which the request comes (huntgroups
does it perfectly today) but also based on the type of ADSL being
authenticated (this information is stored in the SQL database and so the
NAS is completely unaware of it)

ex:

As a reminder, I want those pools

pool_NAS1_ADSL512

pool_NAS1_ADSL1024

pool_NAS2_ADSL512

pool_NAS2_ADSL1024



If I am user1 who owns a 1024kb/s ADSL account, I want to have Pool-Name
pool_NAS1_ADSL1024 if the request comes from NAS1 and pool_NAS2_ADSL1024
if the request comes from NAS2... and so on.

Any idea?


Re: access rights for some users or user groups with

2008-10-14 Thread tnt
mysql> select * from nas;
+----+---------------+-----------+-------+-------+------------+-----------+-------------+
| id | nasname       | shortname | type  | ports | secret     | community | description |
+----+---------------+-----------+-------+-------+------------+-----------+-------------+
|  6 | 192.168.9.155 | switch    | cisco |  1812 | bonjour    |           |             |
|  9 | 192.168.9.154 | webmail01 | other |  1812 | testing123 |           |             |
+----+---------------+-----------+-------+-------+------------+-----------+-------------+

Which type of attributes should I use to access from webmail01, but not 
switch for example ?
 

NAS-IP-Address == 192.168.9.154

Ivan Kalik
Kalik Informatika ISP



R: TLV format in WiMAX dictionary

2008-10-14 Thread Stefano Colagreco
Thanks Alan,
The ASN-GW receives the attribute but does not recognize the WiMAX QoS attribute.
Looking at the trace of the ASN-GW I've noticed the following mistakes:

- vendor-unkonwn-type29:00 06 06 00 07 D0 00

The ASN-GW I used is guaranteed as fully compliant with the WiMAX standard.

Stefano




Re: Error in the negotiations certificates

2008-10-14 Thread tnt
I was looking at this problem
https://lists.freeradius.org/pipermail/freeradius-users/2008-October/msg00248.html

to solve my problem with the certificates but I do not understand the
suggestion very well.

Create bundle as instructed. Read Makefile to see an example how to
convert ca from .pem to .der. Do the same with cabundle.

On the notebook client I install ca.der and client.p12; at first it is not
recognized as a trusted entity but I install it by force,
and client.p12 installs fine but the status tells me that it cannot
find the issuer of the certificate


Import cabundle.der instead of ca.der.

Ivan Kalik
Kalik Informatika ISP



Re: EAP-TTLS with LDAP and KRB5?

2008-10-14 Thread Alan DeKok
Jonathan D. Proulx wrote:
 using 1.1.7 (forgive me)

  And we say... upgrade.  :)  It will make solving this problem easier.

 I have EAP-TTLS working from the files module and I have krb5
 authentication working with ldap authorization from radtest, but when I
 try EAP-TTLS as an ldap user I fail to connect, and the server never
 seems to try the krb5 module.

  You will need to put something like this in the users file:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Kerberos


 Before I start pulling my hair out, is this even possible?

  Yes.  IF the inner tunnel session contains a cleartext password.  CHAP
won't work, and neither will MS-CHAP.

  Alan DeKok.