RE: Allowing user from one realm but not another

2010-02-14 Thread Jeff A
Because I was never sure how to keep em off the other realm.
They should all be stuck on realm I put em on

-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Sunday, February 14, 2010 2:43 AM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another

Jeff A wrote:
> I have three different realms users can login with
>
> For examples they are (foo.net, bar.net, beg.net)

  Are all users valid on all realms?  If so, why?

> Say bi...@foo.net has abused the foo.net realm
> now I need him solely on the beg.net and disallowing the other two
> realms. In other words reject him before if he tries to use the old realm
> again. In other words I want to allow only billy to use this one new
> realm and be rejected if he tries another realm.

  Then you need a rule specifically for that user.

> This has to take place I figure in preproxy, cause my users file is
> authenticated minus the realm in proxy..

  You can still access the Realm attribute in the users file:

bob Realm != foo.net, Auth-Type := Reject

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




Re: Allowing user from one realm but not another

2010-02-14 Thread Fajar A. Nugraha
On Sun, Feb 14, 2010 at 6:18 PM, Jeff A je...@globalco.net wrote:
> Because I was never sure how to keep em off the other realm.
> They should all be stuck on realm I put em on

I assume you want it for all users, instead of just one user?
It'd be a lot easier if you don't strip the realm. Any particular
reason why you do that?

-- 
Fajar


RE: Allowing user from one realm but not another

2010-02-14 Thread Jeff A
I strip the realm off cause backend billing that creates the users file is
rodopi, and
All users from that have no realm just the username


-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Fajar A. Nugraha
Sent: Sunday, February 14, 2010 6:32 AM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another

On Sun, Feb 14, 2010 at 6:18 PM, Jeff A je...@globalco.net wrote:
> Because I was never sure how to keep em off the other realm.
> They should all be stuck on realm I put em on

I assume you want it for all users, instead of just one user?
It'd be a lot easier if you don't strip the realm. Any particular
reason why you do that?

-- 
Fajar


Re: Allowing user from one realm but not another

2010-02-14 Thread Fajar A. Nugraha
On Sun, Feb 14, 2010 at 8:23 PM, Jeff A je...@globalco.net wrote:
> I strip the realm off cause backend billing that creates the users file is
> rodopi, and

So how would you know which user is supposed to be in which realm if
the backend doesn't supply that?
If it were me, I'd modify the billing program to create users with
realm. Also, I'd use database backend to store users.

But hey, ultimately it's your choice. If you're fine with editing user
file then Alan's example should work.

-- 
Fajar


RE: Allowing user from one realm but not another

2010-02-14 Thread Jeff A
Your idea is best.
I think I will modify, but for a work around till I get a chance to get
everything turned around.
I will use Alan's example..

My question is this
Can his example contain more than one realm to reject between the quotes?

bob Realm != foo.net, Auth-Type := Reject

Jeff




-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Fajar A. Nugraha
Sent: Sunday, February 14, 2010 9:04 AM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another

On Sun, Feb 14, 2010 at 8:23 PM, Jeff A je...@globalco.net wrote:
> I strip the realm off cause backend billing that creates the users file is
> rodopi, and

So how would you know which user is supposed to be in which realm if
the backend doesn't supply that?
If it were me, I'd modify the billing program to create users with
realm. Also, I'd use database backend to store users.

But hey, ultimately it's your choice. If you're fine with editing user
file then Alan's example should work.

-- 
Fajar


Re: Allowing user from one realm but not another

2010-02-14 Thread Chris

On Feb 14, 2010, at 6:11 AM, Jeff A wrote:

> Your idea is best.
> I think I will modify, but for a work around till I get a chance to get
> everything turned around.
> I will use Alan's example..
>
> My question is this
> Can his example contain more than one realm to reject between the quotes?
>
> bob   Realm != foo.net, Auth-Type := Reject
 

That's not the realm you're rejecting, but the one you're accepting, rejecting 
access if the username is bob and the realm is not equal to foo.net.


Multiple Incoming realms with Separate Databases

2010-02-14 Thread Brett Johanson
I was just wondering if anyone could explain how the sites-available and
sites-enabled directories work in freeradius, I have been looking for some
time but can't find much information.

Cheers

Re: Multiple Incoming realms with Separate Databases

2010-02-14 Thread Alan DeKok
Brett Johanson wrote:
> I was just wondering if anyone could explain how the sites-available and
> sites-enabled directories work in freeradius, I have been looking for
> some time but can't find much information.

  raddb/sites-available/README

  The available ones are... available, but not used.

  Create soft links from enable to available to enable them.

  This is a common pattern used by Apache, among other services.

  Alan DeKok.


RE: Allowing user from one realm but not another

2010-02-14 Thread Jeff A

Having problems getting access reject to work, seems like no matter what I
try it lets this test user on in every realm

I am using cistron compat to accommodate my userfile inputted by rodopi

dialuptest  Password = secret
            Framed-Protocol = PPP,
            Service-Type = Framed-User,
            Session-Timeout = 14400,
            Ascend-Data-Filter = ip in forward tcp est,
            Ascend-Data-Filter = ip in forward dstip 0.0.0.0/24,
            Ascend-Data-Filter = ip in drop tcp dstport = 25,
            Ascend-Data-Filter = ip in forward,
            Port-Limit = 1,
            Realm = foo.net, Auth-Type = Reject

I have tried adding the ! and : symbol in the above line (makes no
difference)
Still can login on all three realms

Also have tried the realm item as a check item, quote, and no options with
same results
If a check item its placed on same line as username etc but still no go as
below example

dialuptest  Password = secret Realm = foo.net, Auth-Type = Reject


Jeff


-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Chris
Sent: Sunday, February 14, 2010 12:33 PM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another


On Feb 14, 2010, at 6:11 AM, Jeff A wrote:

> Your idea is best.
> I think I will modify, but for a work around till I get a chance to get
> everything turned around.
> I will use Alan's example..
>
> My question is this
> Can his example contain more than one realm to reject between the quotes?
>
> bob   Realm != foo.net, Auth-Type := Reject
 

That's not the realm you're rejecting, but the one you're accepting,
rejecting access if the username is bob and the realm is not equal to
foo.net.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
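
The check-item placement discussed in this thread, laid out as a users file fragment. This is an added example, not part of any poster's message or of the FreeRADIUS distribution. It assumes the realm module runs before `files` in `authorize` so that Realm is set, that beg.net is the one permitted realm (as in the first message of the thread), and the Reply-Message text is constructed.

```conf
# raddb/users (added example; user and realm names follow the thread,
# the password and Reply-Message values are constructed)

# Layout as posted: Realm and Auth-Type sit in the indented reply list.
# Reply items are added to the reply and are never compared against the
# request, so whether this entry matches does not depend on the realm.
#dialuptest  Password = "secret"
#            Framed-Protocol = PPP,
#            Service-Type = Framed-User,
#            Realm = "foo.net", Auth-Type = Reject

# Check-item layout: the comparison and Auth-Type go on the first line,
# after the user name. Entries are read top to bottom, so this entry must
# come BEFORE the user's normal entry. It matches whenever the realm is
# anything other than beg.net, which covers foo.net and bar.net with a
# single comparison.
dialuptest  Realm != "beg.net", Auth-Type := Reject
            Reply-Message = "Login not permitted on this realm"

# Normal entry: reached only when the entry above did not match,
# that is, when the request arrived with realm beg.net.
dialuptest  Password = "secret"
            Framed-Protocol = PPP,
            Service-Type = Framed-User,
            Session-Timeout = 14400,
            Port-Limit = 1
```

Running the server in debug mode shows which users file entry matched for a given request, which confirms whether the Realm attribute was present when `files` ran.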


Re: How to make an open auth realm?

2010-02-14 Thread Marcin S.

Hello!

I have one question is it possible to add some information on the end of 
the line in radius.log like user not in db when I let in users without 
account in my database?



Regards
Marcin S.


Problems with freeradius accounting proxy

2010-02-14 Thread Phil Pierotti
Hi All,

I've got Freeradius (2.1.7, Ubuntu Hardy) setup to answer some requests
itself, and others get proxied away.
All accounting requests get proxied away.

My Cisco LNS is sending periodic accounting requests , every ten minutes.

We have enough concurrent sessions online that there's a steady rain of
accounting packets, about one-3 per second on average.

After some reasonably short period of time (currently approx 30-40 minutes)
Freeradius stops responding to accounting requests.

Auth requests (when they happen) are still fine, however because our auth
volume is low, our Cisco ends up seeing the lack of response to accounting
messages as 'dead radius', and no further auth attempts are being sent.


TCPDUMP shows the accounting requests are still being received on the
freeradius box, but the outbound/proxied messages have just stopped.

Any suggestions as to what might be wrong/where to look?

Phil P

Re: Problems with freeradius accounting proxy

2010-02-14 Thread Phil Pierotti
I've upgraded to 2.1.8 , and still the same.

Oddly enough, it says the *ACCT* port is zombie (which it isn't , we're
still seeing responses frequently).
*and* the un-zombie recovery does an AUTH, so there is no case where the
ACCT port will UN zombify.

Phil P

On Mon, Feb 15, 2010 at 1:42 PM, Phil Pierotti phil.piero...@gmail.com wrote:

> Hi All,
>
> I've got Freeradius (2.1.7, Ubuntu Hardy) setup to answer some requests
> itself, and others get proxied away.
> All accounting requests get proxied away.
>
> My Cisco LNS is sending periodic accounting requests , every ten minutes.
>
> We have enough concurrent sessions online that there's a steady rain of
> accounting packets, about one-3 per second on average.
>
> After some reasonably short period of time (currently approx 30-40 minutes)
> Freeradius stops responding to accounting requests.
>
> Auth requests (when they happen) are still fine, however because our auth
> volume is low, our Cisco ends up seeing the lack of response to accounting
> messages as 'dead radius', and no further auth attempts are being sent.
>
> TCPDUMP shows the accounting requests are still being received on the
> freeradius box, but the outbound/proxied messages have just stopped.
>
> Any suggestions as to what might be wrong/where to look?
>
> Phil P


Re: Problems with freeradius accounting proxy

2010-02-14 Thread Alan DeKok
Phil Pierotti wrote:
> TCPDUMP shows the accounting requests are still being received on the
> freeradius box, but the outbound/proxied messages have just stopped.
>
> Any suggestions as to what might be wrong/where to look?

  The logs from the server?

  I don't understand why you're looking at tcpdump, and not the
FreeRADIUS logs.

  In 2.1.7, you can also use raddebug to get the debug logs from a
running server.

  Alan DeKok.


Re: Checking password and doing something else during authenticate...

2010-02-14 Thread Johan Meiring

Alan DeKok wrote:
> Johan Meiring wrote:
>> To sum up my understanding of how freeradius works.
>>
>> authorise = select auth type
>
>   OK... a database would be better, but fine.

I assume sql module in authorise.

>> I basically want freeradius to do the PAP/CHAP stuff and AFTER that I
>> want to do things like check the users CAP.
>
>   Use post-auth.

I was under the impression that you cannot override the auth decision in
post auth.

I'm sure I've read it somewhere on the list.
Obviously not..

Thanks!


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



dynamic reply attribute, based on nas type

2010-02-14 Thread YvesDM
Hi,

Situation: All users can login to different nas types.

Problem: I need a different value for simult.-use check depending on
the nas a user logs on to.
Is there a way to do this? (using FR1.1.7 for now)

tnx.
Yves