Remove Domain from User-Name

2010-08-04 Thread benoit.bianchi
Hi,

I've successfully set up freeradius for EAP-PEAP authentication
with MSCHAP on my AD domain, but I'm facing a problem with accounting:
I'm using SQL accounting and can't get rid of the DOMAIN\ part
of the sql_user_name. I've tried using the Stripped-User-Name variable,
but it remains empty.
I've also tried using the hints file to define a proper
Stripped-User-Name, with the following:

DEFAULT User-Name =~ DOMAIN\\(.*)
   Stripped-User-Name := %{1}

Still without any success, so I investigated the realm module,
which does recognize the DOMAIN\ part of User-Name but then looks for
proxying (which I don't have) and doesn't give me a Stripped-User-Name
anyway...

I'm stuck; is there anyone here who can give me a hand with
this?

Thanks in advance

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Tag and Untag a port in several VLAN

2010-08-04 Thread Fabien COMBERNOUS

Fabien COMBERNOUS wrote:

[...]
So I used the other possibility, Egress-VLAN-Name instead of
Egress-VLANID.
It is easier to understand the meaning of the value and it works with
my version of FreeRadius.

About the dynamic VLAN assignment, I use the two methods explained in [1]:
- some ports are single untagged VLAN: all works fine.
- some ports are multiple tagged and untagged VLAN: the ports of the
switch look tagged and untagged as expected but the packets are not
routed as expected. The input packets are not transmitted to the expected
output. I tagged and untagged some other ports manually, similarly to
my SQL backend, and all packets are well routed.

In the single untagged VLAN method, 3 parameters are needed. In the
multiple tagged/untagged VLAN method I only used Egress-VLAN-Name
several times. Is it necessary to use another parameter in the SQL
backend other than Egress-VLAN-Name?



[1] http://wiki.freeradius.org/HP


Thank you for your help.





--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group


Re: Tag and Untag a port in several VLAN

2010-08-04 Thread Arran Cudbard-Bell

On Aug 4, 2010, at 1:01 AM, Fabien COMBERNOUS wrote:

 Fabien COMBERNOUS wrote:
 
 [...]
 So I used the other possibility, Egress-VLAN-Name instead of
 Egress-VLANID.
 It is easier to understand the meaning of the value and it works with my
 version of FreeRadius.
 About the dynamic VLAN assignment, I use the two methods explained in [1]:
 - some ports are single untagged VLAN: all works fine.
 - some ports are multiple tagged and untagged VLAN: the ports of the switch
 look tagged and untagged as expected but the packets are not routed as
 expected. The input packets are not transmitted to the expected output. I
 tagged and untagged some other ports manually, similarly to my SQL backend,
 and all packets are well routed.
 
 In the single untagged VLAN method, 3 parameters are needed. In the multiple
 tagged/untagged VLAN method I only used Egress-VLAN-Name several times. Is it
 necessary to use another parameter in the SQL backend other than
 Egress-VLAN-Name?

To answer your question no, only a single attribute is required.

This isn't a FreeRADIUS question, please contact me off list at 
arran.cudbard-b...@hp.com with a statement of what you're trying to accomplish 
and the model numbers and firmware revisions of your switches.

Regards,
Arran




RE: Remove Domain from User-Name

2010-08-04 Thread benoit.bianchi
I've found the following while searching the mailing list; it may solve my
issue, but I don't know where I have to insert it within the conf files (and
which one...):

if (User-Name =~ /^DOMAIN\\(.*)/) {
    update request {
        Stripped-User-Name := %{1}
    }
}

I know that will sound trivial for most of you, but I'd really appreciate some
help...

 -----Original Message-----
 From: freeradius-users-
 bounces+benoit.bianchi=enel@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+benoit.bianchi=enel@lists.freeradius.org] On behalf of
 benoit.bian...@enel.com
 Sent: Wednesday, 4 August 2010 09:21
 To: freeradius-users@lists.freeradius.org
 Subject: Remove Domain from User-Name
 

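An added configuration example (editor's addition, not from this thread or from the FreeRADIUS distribution) showing where that unlang block lives and why SQL accounting still saw the DOMAIN\ prefix: it assumes FreeRADIUS 2.x, the default virtual server in raddb/sites-enabled/default, raddb/policy.conf and raddb/sql.conf, and DOMAIN as a placeholder for the real NetBIOS domain name.

```unlang
# raddb/policy.conf  (added example; DOMAIN is a placeholder realm name)
policy {
    # Copy the part after "DOMAIN\" into Stripped-User-Name so that every
    # module expanding %{Stripped-User-Name} sees the bare account name.
    # "\\" in the regex matches one literal backslash; ^ and $ anchor the
    # match so "DOMAIN\" is only honoured as a prefix of the whole name;
    # the trailing "i" makes the domain part match case-insensitively.
    strip_ntdomain {
        if (User-Name =~ /^DOMAIN\\(.+)$/i) {
            update request {
                Stripped-User-Name := "%{1}"
            }
        }
    }
}

# raddb/sites-enabled/default
authorize {
    preprocess
    strip_ntdomain    # before sql, so sql_user_name can use the stripped name
    suffix
    eap {
        ok = return
    }
    sql
    # ... rest of the section unchanged
}

# Accounting-Request packets never pass through authorize; they are handled
# by preacct and accounting, so a policy placed only in authorize leaves
# sql_user_name with the DOMAIN\ prefix for every accounting record.
preacct {
    preprocess
    acct_unique
    strip_ntdomain
    suffix
    files
}

accounting {
    detail
    sql
}

# raddb/sql.conf: make rlm_sql prefer the stripped name and fall back to the
# full User-Name when nothing was stripped (the default uses %{User-Name}).
sql {
    # ...
    sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
}
```

The PEAP inner request is processed by raddb/sites-enabled/inner-tunnel, whose own authorize section needs the same policy call if sql runs there too.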


Fwd: FreeRadius2MySQL

2010-08-04 Thread Student University
Dear all,

I am planning to migrate from Aradial to FreeRadius2
and I currently have 1 subscribers.

So can you please guide me on how I can set up freeradius 2 with MySQL to be
100% ready for such production?


Thanks in advance,

Re: Fwd: FreeRadius2MySQL

2010-08-04 Thread Johan Meiring

On 2010/08/04 01:35 PM, Student University wrote:


So can you please guide me on how I can set up freeradius 2 with MySQL to
be 100% ready for such production?



That's easy.
All you need to do is read the documentation.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Multiple LDAP search

2010-08-04 Thread Wayne Van der Merwe
Hi all

I got LDAP working on FreeRADIUS Version 2.1.8, with SUSE 10.1

Now I need to do the following: if the user is not found in the 1st LDAP
search, which searches in o=EC, then it must search again in o=HLT.

I would like to know where to create these files.

Thank you
Wayne van der Merwe

Re: Multiple LDAP search

2010-08-04 Thread Alan DeKok
Wayne Van der Merwe wrote:
 Hi all
 
 I got LDAP working on FreeRADIUS Version 2.1.8, with SUSE 10.1
 
 Now I need to do the following: if the user is not found in the 1st LDAP
 search, which searches in o=EC, then it must search again in o=HLT.
 
 I would like to know where to create these files.

  What files do you mean?

  The LDAP module doesn't support that kind of search.  You should
configure multiple LDAP modules with different search filters, and use
fail-over.  See man unlang and doc/configurable_failover

  Alan DeKok.


Prevent logging of testusers?

2010-08-04 Thread Jens Weibler
Hi,

I'm searching for a way to prevent test logins from getting logged.
Is this possible? How? ;)


-- 
Jens Weibler
IT Services

Hochschule Darmstadt
www.h-da.de
University of Applied Sciences

Fachbereich Informatik
www.fbi.h-da.de
Schöfferstr. 8b
D-64295 Darmstadt
Tel  +49 6151 16-8425
Fax +49 6151 16-8935
jens.weib...@h-da.de





freeradius, rlm_sql and tagged attributes

2010-08-04 Thread Evgeniy Kozhuhovskiy

I need to reply to the NAS with the same attributes with different tags.
All works OK when I'm using the users file. But when I'm migrating to
rlm_sql, only the first instance of the attribute goes in the reply:


mysql> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id;

+----+-----------+-----------------------+-----------------+----+
| id | groupname | attribute             | value           | op |
+----+-----------+-----------------------+-----------------+----+
|  6 | test      | Framed-IP-Address     | 255.255.255.254 | =  |
|  7 | test      | Service-Type          | Framed-User     | =  |
|  8 | test      | Acct-Interim-Interval | 1800            | =  |
|  9 | test      | PPPD-Pool-Number      | ippool          | =  |
| 16 | test      | Ip-Address-Pool-Name  | ippool          | =  |
| 19 | test      | Service-Name:1        | GUEST           | =  |
| 20 | test      | Service-Name:2        | INET            | =  |
| 21 | test      | Service-Options:1     | 0               | =  |
| 22 | test      | Service-Options:2     | 1               | =  |
| 28 | test      | Context-Name          | Internet        | =  |
+----+-----------+-----------------------+-----------------+----+
10 rows in set (0.01 sec)

rad_recv: Access-Request packet from host 127.0.0.1 port 3, id=248, 
length=252

User-Name = t...@test
CHAP-Password = 0x01f304695c088000b6a248776d9ec67084
CHAP-Challenge = 0xc581f30d3a2736d1a039596397c627fd
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = Redback
NAS-Port = 33619968
NAS-Real-Port = 553652128
NAS-Port-Type = Virtual
NAS-Port-Id = 2/1 vlan-id 4000 pppoe 6
Medium-Type = 11
Mac-Address = 00-0c-29-bd-8b-a1
Platform-Type = 3
OS-Version = 6.2.1.2
Acct-Session-Id = 010068BE-4C596DEB
NAS-IP-Address = 172.26.201.21
Proxy-State = 0x3632
server guest {
+- entering group authorize
++[preprocess] returns ok
  rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
users: Matched entry DEFAULT at line 163
++[files] returns ok
expand: %{User-Name} -> t...@test
rlm_sql (sql): sql_set_user escaped user --> 't...@test'
rlm_sql (sql): Reserving sql socket id: 65
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 't...@test' ORDER BY id

rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 't...@test' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 't...@test' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'test' ORDER BY id

rlm_sql (sql): User found in group test
expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id

rlm_sql (sql): Released sql socket id: 65
++[sql] returns ok
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
+- entering group CHAP
  rlm_chap: login attempt by t...@test with CHAP password
  rlm_chap: Using clear text password ilser56 for user t...@test 
authentication.

  rlm_chap: chap user t...@test authenticated succesfully
++[chap] returns ok
Login OK: [t...@test/CHAP-Password] (from client localhost port 33619968)
} # server guest
Sending Access-Accept of id 248 to 127.0.0.1 port 3
Framed-Protocol = PPP
Session-Timeout = 172800
Framed-IP-Address = 255.255.255.254
Framed-Compression = Van-Jacobson-TCP-IP
Service-Type = Framed-User
Acct-Interim-Interval = 1800
PPPD-Pool-Number = ippool
Ip-Address-Pool-Name = ippool
Service-Name:1 = GUEST
Service-Options:1 = 0
Context-Name = Internet
Proxy-State = 0x3632
Finished request 374.


--
Best regards, Evgeniy Kozhuhovskiy
Head of the Service Platforms Group
UIT CITS MGTS RUE Beltelecom
+375-29-3998175
+375-29-7561625
+375-17-3060026



Re: freeradius, rlm_sql and tagged attributes

2010-08-04 Thread Evgeniy Kozhuhovskiy

Sorry, solved. Changed = to +=.

Evgeniy Kozhuhovskiy wrote:

I need to reply to the NAS with the same attributes with different tags.
All works OK when I'm using the users file. But when I'm migrating to
rlm_sql, only the first instance of the attribute goes in the reply:


| 19 | test      | Service-Name:1        | GUEST           | =  |
| 20 | test      | Service-Name:2        | INET            | =  |
| 21 | test      | Service-Options:1     | 0               | =  |
| 22 | test      | Service-Options:2     | 1               | =  |
| 28 | test      | Context-Name          | Internet        | =  |


--
Best regards, Evgeniy Kozhuhovskiy
Head of the Service Platforms Group
UIT CITS MGTS RUE Beltelecom
+375-29-3998175
+375-29-7561625
+375-17-3060026



Re: freeradius, rlm_sql and tagged attributes

2010-08-04 Thread Alan DeKok
Evgeniy Kozhuhovskiy wrote:
 I need to reply to the NAS with the same attributes with different tags.
 All works OK when I'm using the users file. But when I'm migrating to
 rlm_sql, only the first instance of the attribute goes in the reply:

  This is documented.

  See doc/rlm_sql.  You need to use +=, not =.

  Alan DeKok.


Re: Multiple LDAP search

2010-08-04 Thread Gary Prosser
Our setup (see below) works in the way you describe: if a valid username
is found in ldap1, return ok; otherwise (notfound or fail) look in
ldap2; if found, return ok, otherwise (notfound or fail) look in ldap3,
etc.

modules {
    ldap ldap1 {
        server = localhost
        basedn = ou=TrinityStudentLogins,dc=our-domain
        # Prefer the realm-stripped name, fall back to the full User-Name
        filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})

        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        edir_account_policy_check = no
        timeout = 4
        timelimit = 3
        net_timeout = 3
    }
    ldap ldap2 {
        # config for a different ldap server or a different ou
    }
    ldap ldap3 {
        # config for a different ldap server or a different ou
    }
}

authorize {
    preprocess
    chap
    mschap
    suffix

    # Each ldap instance is tried in turn; "ok = return" stops at the first
    # directory that knows the user, the numeric codes let notfound/fail
    # fall through to the next instance.
    redundant {
        ldap1 {
            fail = 1
            noop = 2
            notfound = 3
            ok = return
            reject = return
            userlock = return
            invalid = return
        }
        ldap2 {
            fail = 1
            noop = 2
            notfound = 3
            ok = return
            reject = return
            userlock = return
            invalid = return
        }
        ldap3 {
            fail = 1
            noop = 2
            notfound = 3
            ok = return
            reject = return
            userlock = return
            invalid = return
        }
    }
}

authenticate {
    ldap1
    ldap2
    ldap3
    chap
}

Gary Prosser

--
IT Manager
Trinity College, Bristol (http://www.trinity-bris.ac.uk)


-----Original Message-----
From: Wayne Van der Merwe vdme...@gmail.com
Reply-To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Multiple LDAP search
Date: Wed, 4 Aug 2010 14:09:00 +0200

Hi all

I got LDAP working on FreeRADIUS Version 2.1.8, with SUSE 10.1

Now I need to do the following: if the user is not found in the 1st LDAP
search, which searches in o=EC, then it must search again in o=HLT.

I would like to know where to create these files.

Thank you
Wayne van der Merwe





Trouble migrating EAP TLS authentication from Free Radius 1.1.8 to 2.1.9

2010-08-04 Thread SEELEMANN, Sven

Hi,

I've been trying to migrate the FreeRadius server from 1.1.8 to the
latest (stable) release (2.1.9 at the last try, 2.1.8 before that). I'm
using EAP TLS to authenticate modem connections to our DSLAM (using 2-way
authentication). The 1.1.8 server has no trouble performing the task;
however, the 2.1.x server never completes the authentication
process. From what I can tell, once the 1.1.8 server gets the final TLS
ACK it allows the connection, but the 2.1.x server is looking for
something else.


Is this a FreeRadius issue or a DSLAM problem?  If DSLAM, where is the 
best place to start looking for description of what should be happening?


I have openssl 1.0.0 installed on the sparc Solaris 10 server that is 
running FreeRadius.


Using a single modem and debug mode, I've got the following log snippets
(each from the end of the session):


Version 1.1.8:
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 138.120.206.110:1, id=56, 
length=158

NAS-Identifier = SSL-7330-3
NAS-IP-Address = 138.120.206.110
User-Name = 00:18:3F:5E:57:B0
NAS-Port = 136383488
NAS-Port-Type = xDSL
Acct-Session-Id = 173:26:18::0075
NAS-Port-Id = atm 1/1/04/13:0:32
Calling-Station-Id = \000\030?^W\260
EAP-Message = 0x020700060d00
Message-Authenticator = 0x778fd2a832af2ac150c6df5119a51f88
State = 0x2638193a96b23d3b2ac39fe35dff53cb
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 49
  modcall[authorize]: module preprocess returns ok for request 49
radius_xlat:  
'/usr/local/etc/raddb/var/log/radius/radacct/138.120.206.110/auth-detail-20100306'
rlm_detail: 
/usr/local/etc/raddb/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to 
/usr/local/etc/raddb/var/log/radius/radacct/138.120.206.110/auth-detail-20100306

  modcall[authorize]: module auth_log returns ok for request 49
  modcall[authorize]: module chap returns noop for request 49
  modcall[authorize]: module mschap returns noop for request 49
rlm_realm: No '@' in User-Name = 00:18:3F:5E:57:B0, looking up 
realm NULL

rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 49
  rlm_eap: EAP packet type response id 7 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 49
  modcall[authorize]: module files returns notfound for request 49
modcall: group authorize returns updated for request 49
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 49
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 49
modcall: group authenticate returns ok for request 49
Sending Access-Accept of id 56 to 138.120.206.110:1
MS-MPPE-Recv-Key = 
0x7b94ecfc920b6cd85506aee431a4d876e4af891c3dc51c433af623302ace6490
MS-MPPE-Send-Key = 
0x370e00c44f3145ad3eaa77720d9e48a102750fcefdb44f980156c67c2dc790ee

EAP-Message = 0x03070004
Message-Authenticator = 0x
User-Name = 00:18:3F:5E:57:B0
Finished request 49
Going to the next request
Waking up in 5 seconds...

Version 2.1.9:
Waking up in 4.2 seconds.
rad_recv: Access-Request packet from host 138.120.206.113 port 1, 
id=202, length=158

NAS-Identifier = SSL-7330-4
NAS-IP-Address = 138.120.206.113
User-Name = 00:1B:5B:10:97:88
NAS-Port = 136392448
NAS-Port-Type = xDSL
Acct-Session-Id = 157:52:37::0371
NAS-Port-Id = atm 1/1/04/48:0:32
Calling-Station-Id = \000\033[\020\227\210
EAP-Message = 0x020e00060d00
Message-Authenticator = 0xdffd259e9fa9cef084a12d640fb51073
State = 0x056b0543006508967ef0ed7dafcf0427
+- entering group authorize {...}
++[preprocess] returns ok
[eap] EAP packet type response id 14 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] No SSL info available. Waiting for more SSL data.
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 202 to 138.120.206.113 port 1
EAP-Message = 0x010f000a0d80
Message-Authenticator = 0x
State = 

Re: Fwd: FreeRadius2MySQL

2010-08-04 Thread shark_l
//I am planning to migrate from Aradial to FreeRadius2
//and I currently have 1 subscribers

A piece of advice: DO NOT deploy Freeradius2 now! I am using FreeRadius 2.1.9 +
Mysql 5.3 on FreeBSD 8.1, and radiusd exits abnormally (although it says
"info: exiting normally" by itself) many times a day! I have been driven mad,
and I have decided to revert to freeradius 1.1.8.

Believe me, or you can search for "exit normally but unexpectedly" in the mailing list
archive yourself.

PS: deployment of freeradius is rather easy. Read its sample configuration
files and you will find them easy to understand.