Remove Domain from User-Name
Hi,

I've successfully set up FreeRADIUS for EAP-PEAP authentication with MSCHAP against my AD domain, but I'm facing a problem with accounting: I'm using SQL accounting and can't get rid of the DOMAIN\ part of the sql_user_name. I've tried using the Stripped-User-Name variable, but it remains empty. I've also tried using the hints file to define a proper Stripped-User-Name, with the following:

    DEFAULT User-Name =~ DOMAIN\\(.*)
            Stripped-User-Name := %{1}

Still without any success, so I investigated the realm module, which does recognize the DOMAIN\ part of the User-Name, but then it looks for proxying (which I don't have) and doesn't give me a Stripped-User-Name anyway ... I'm stuck; is there anyone here who can give me a hand with this?

Thanks in advance

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Tag and Untag a port in several VLAN
Fabien COMBERNOUS wrote:

[...]

So I used the other possibility, with Egress-VLAN-Name instead of Egress-VLANID. It is easier to understand the meaning of the value, and it works with my version of FreeRADIUS.

About the dynamic VLAN assignment, I use the two methods explained in [1]:
- some ports are single untagged VLAN: all works fine.
- some ports are multiple tagged and untagged VLANs: the ports of the switch look tagged and untagged as expected, but the packets are not routed as expected. The input packets are not transmitted to the expected output. I tagged and untagged some other ports manually, similarly to my SQL backend, and all packets are routed correctly.

In the single untagged VLAN method, 3 parameters are needed. In the multiple tagged/untagged VLAN method I used only Egress-VLAN-Name, several times. Is it necessary to use another parameter in the SQL backend other than Egress-VLAN-Name?

[1] http://wiki.freeradius.org/HP

Thank you for your help.

-- 
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986
Kezia Group
Re: Tag and Untag a port in several VLAN
On Aug 4, 2010, at 1:01 AM, Fabien COMBERNOUS wrote:

> Fabien COMBERNOUS wrote:
> [...]
> So I used the other possibility, with Egress-VLAN-Name instead of Egress-VLANID. It is easier to understand the meaning of the value, and it works with my version of FreeRADIUS.
>
> About the dynamic VLAN assignment, I use the two methods explained in [1]:
> - some ports are single untagged VLAN: all works fine.
> - some ports are multiple tagged and untagged VLANs: the ports of the switch look tagged and untagged as expected, but the packets are not routed as expected. The input packets are not transmitted to the expected output. I tagged and untagged some other ports manually, similarly to my SQL backend, and all packets are routed correctly.
>
> In the single untagged VLAN method, 3 parameters are needed. In the multiple tagged/untagged VLAN method I used only Egress-VLAN-Name, several times. Is it necessary to use another parameter in the SQL backend other than Egress-VLAN-Name?

To answer your question: no, only a single attribute is required.

This isn't a FreeRADIUS question; please contact me off list at arran.cudbard-b...@hp.com with a statement of what you're trying to accomplish and the model numbers and firmware revisions of your switches.

Regards,
Arran

> [1] http://wiki.freeradius.org/HP
>
> Thank you for your help.
RE: Remove Domain from User-Name
I've found the following searching in the mailing list, which may solve my issue, but I don't know where I have to insert it within the conf files (and in which one ...):

    if (User-Name =~ /^DOMAIN\\(.*)/) {
        update request {
            Stripped-User-Name := "%{1}"
        }
    }

I know that will sound trivial for most of you, but I'd really appreciate some help ...

-----Original Message-----
From: freeradius-users-bounces+benoit.bianchi=enel@lists.freeradius.org [mailto:freeradius-users-bounces+benoit.bianchi=enel@lists.freeradius.org] On behalf of benoit.bian...@enel.com
Sent: Wednesday, 4 August 2010 09:21
To: freeradius-users@lists.freeradius.org
Subject: Remove Domain from User-Name

Hi,

I've successfully set up FreeRADIUS for EAP-PEAP authentication with MSCHAP against my AD domain, but I'm facing a problem with accounting: I'm using SQL accounting and can't get rid of the DOMAIN\ part of the sql_user_name. I've tried using the Stripped-User-Name variable, but it remains empty. I've also tried using the hints file to define a proper Stripped-User-Name, with the following:

    DEFAULT User-Name =~ DOMAIN\\(.*)
            Stripped-User-Name := %{1}

Still without any success, so I investigated the realm module, which does recognize the DOMAIN\ part of the User-Name, but then it looks for proxying (which I don't have) and doesn't give me a Stripped-User-Name anyway ... I'm stuck; is there anyone here who can give me a hand with this?

Thanks in advance
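Where such a block goes in a stock FreeRADIUS 2.x layout, as an added example that is not from the poster or from the list: it assumes the default raddb/sites-enabled/default virtual server and raddb/sql.conf, and the literal realm name DOMAIN from the question.

```unlang
# raddb/sites-enabled/default (FreeRADIUS 2.x). Only the lines relevant to
# stripping the domain are shown; keep the other modules you already list.

authorize {
    preprocess

    # Populate Stripped-User-Name from "DOMAIN\user" before sql runs,
    # so that %{Stripped-User-Name} is no longer empty.
    if (User-Name =~ /^DOMAIN\\(.*)$/) {
        update request {
            Stripped-User-Name := "%{1}"
        }
    }

    suffix
    eap
    files
    sql
}

# Accounting-Request packets never pass through authorize, so the same
# block is needed in preacct for the accounting rows to get the bare name.
preacct {
    preprocess
    acct_unique

    if (User-Name =~ /^DOMAIN\\(.*)$/) {
        update request {
            Stripped-User-Name := "%{1}"
        }
    }

    suffix
    files
}

# raddb/sql.conf: key the check, reply and accounting queries on the
# stripped name, falling back to the full User-Name when no domain
# prefix was present (other sql settings unchanged).
sql {
    sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
}
```

The pattern matches the literal uppercase prefix from the question; a NAS that sends the prefix in mixed case needs a correspondingly looser regex.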
Fwd: FreeRadius2MySQL
Dears,

I am planning to migrate from Aradial to FreeRadius2 and I currently have 1 subscribers, so can you please guide me on how I can set up FreeRadius 2 with MySQL to be 100% ready for such production?

Thanks in advance,,,
Re: Fwd: FreeRadius2MySQL
On 2010/08/04 01:35 PM, Student University wrote:
> so can you please guide me on how I can set up FreeRadius 2 with MySQL to be 100% ready for such production

That's easy. All you need to do is read the documentation.

-- 
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Multiple LDAP search
Hi all

I got LDAP working on FreeRADIUS Version 2.1.8, with SUSE 10.1.

Now I need to do the following: if the user is not found in the 1st LDAP search, which searches in o=EC, then it must search again in o=HLT. I would like to know where to create these files.

Thank you
Wayne van der Merwe
Re: Multiple LDAP search
Wayne Van der Merwe wrote:
> Hi all
>
> I got LDAP working on FreeRADIUS Version 2.1.8, with SUSE 10.1.
>
> Now I need to do the following: if the user is not found in the 1st LDAP search, which searches in o=EC, then it must search again in o=HLT. I would like to know where to create these files.

What files do you mean?

The LDAP module doesn't support that kind of search. You should configure multiple LDAP modules with different search filters, and use fail-over. See "man unlang" and doc/configurable_failover.

Alan DeKok.
Prevent logging of testusers?
Hi,

I'm searching for a way to prevent test logins from getting logged. Is this possible? How? ;)

-- 
Jens Weibler
IT Services
Hochschule Darmstadt
www.h-da.de
University of Applied Sciences
Fachbereich Informatik
www.fbi.h-da.de
Schöfferstr. 8b
D-64295 Darmstadt
Tel +49 6151 16-8425
Fax +49 6151 16-8935
jens.weib...@h-da.de
freeradius, rlm_sql and tagged attributes
I need to reply to the NAS with the same attributes with different tags. All works OK when I'm using the users file. But when I'm migrating to rlm_sql, only the first instance of the attribute goes in the reply:

mysql> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id;
+----+-----------+-----------------------+-----------------+----+
| id | groupname | attribute             | value           | op |
+----+-----------+-----------------------+-----------------+----+
|  6 | test      | Framed-IP-Address     | 255.255.255.254 | =  |
|  7 | test      | Service-Type          | Framed-User     | =  |
|  8 | test      | Acct-Interim-Interval | 1800            | =  |
|  9 | test      | PPPD-Pool-Number      | ippool          | =  |
| 16 | test      | Ip-Address-Pool-Name  | ippool          | =  |
| 19 | test      | Service-Name:1        | GUEST           | =  |
| 20 | test      | Service-Name:2        | INET            | =  |
| 21 | test      | Service-Options:1     | 0               | =  |
| 22 | test      | Service-Options:2     | 1               | =  |
| 28 | test      | Context-Name          | Internet        | =  |
+----+-----------+-----------------------+-----------------+----+
10 rows in set (0.01 sec)

rad_recv: Access-Request packet from host 127.0.0.1 port 3, id=248, length=252
        User-Name = t...@test
        CHAP-Password = 0x01f304695c088000b6a248776d9ec67084
        CHAP-Challenge = 0xc581f30d3a2736d1a039596397c627fd
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Identifier = Redback
        NAS-Port = 33619968
        NAS-Real-Port = 553652128
        NAS-Port-Type = Virtual
        NAS-Port-Id = 2/1 vlan-id 4000 pppoe 6
        Medium-Type = 11
        Mac-Address = 00-0c-29-bd-8b-a1
        Platform-Type = 3
        OS-Version = 6.2.1.2
        Acct-Session-Id = 010068BE-4C596DEB
        NAS-IP-Address = 172.26.201.21
        Proxy-State = 0x3632
server guest {
+- entering group authorize
++[preprocess] returns ok
  rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
        users: Matched entry DEFAULT at line 163
++[files] returns ok
        expand: %{User-Name} -> t...@test
rlm_sql (sql): sql_set_user escaped user --> 't...@test'
rlm_sql (sql): Reserving sql socket id: 65
        expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 't...@test' ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 't...@test' ORDER BY id
        expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 't...@test' ORDER BY priority
        expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'test' ORDER BY id
rlm_sql (sql): User found in group test
        expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
rlm_sql (sql): Released sql socket id: 65
++[sql] returns ok
rad_check_password: Found Auth-Type CHAP
auth: type CHAP
+- entering group CHAP
  rlm_chap: login attempt by t...@test with CHAP password
  rlm_chap: Using clear text password ilser56 for user t...@test authentication.
  rlm_chap: chap user t...@test authenticated succesfully
++[chap] returns ok
Login OK: [t...@test/CHAP-Password] (from client localhost port 33619968)
} # server guest
Sending Access-Accept of id 248 to 127.0.0.1 port 3
        Framed-Protocol = PPP
        Session-Timeout = 172800
        Framed-IP-Address = 255.255.255.254
        Framed-Compression = Van-Jacobson-TCP-IP
        Service-Type = Framed-User
        Acct-Interim-Interval = 1800
        PPPD-Pool-Number = ippool
        Ip-Address-Pool-Name = ippool
        Service-Name:1 = GUEST
        Service-Options:1 = 0
        Context-Name = Internet
        Proxy-State = 0x3632
Finished request 374.

-- 
Best regards,
Evgeniy Kozhuhovskiy
Head of the Service Platforms Group, УИТ ЦИТС МГТС
РУП Белтелеком
+375-29-3998175
+375-29-7561625
+375-17-3060026
Re: freeradius, rlm_sql and tagged attributes
Sorry, solved. Changed = to +=

Evgeniy Kozhuhovskiy wrote:
> I need to reply to the NAS with the same attributes with different tags. All works OK when I'm using the users file. But when I'm migrating to rlm_sql, only the first instance of the attribute goes in the reply:
>
> | 19 | test      | Service-Name:1        | GUEST           | =  |
> | 20 | test      | Service-Name:2        | INET            | =  |
> | 21 | test      | Service-Options:1     | 0               | =  |
> | 22 | test      | Service-Options:2     | 1               | =  |
> | 28 | test      | Context-Name          | Internet        | =  |

-- 
Best regards,
Evgeniy Kozhuhovskiy
Head of the Service Platforms Group, УИТ ЦИТС МГТС
РУП Белтелеком
+375-29-3998175
+375-29-7561625
+375-17-3060026
Re: freeradius, rlm_sql and tagged attributes
Evgeniy Kozhuhovskiy wrote:
> I need to reply to the NAS with the same attributes with different tags. All works OK when I'm using the users file. But when I'm migrating to rlm_sql, only the first instance of the attribute goes in the reply:

This is documented. See doc/rlm_sql. You need to use +=, not =.

Alan DeKok.
Re: Multiple LDAP search
Our setup (see below) works in the way you describe:

    if a valid username is found in ldap1, return ok
    otherwise (notfound) OR (fail), look in ldap2; if found, return ok
    otherwise (notfound) OR (fail), look in ldap3
    etc.

modules:

    ldap ldap1 {
        server = localhost
        basedn = "ou=TrinityStudentLogins,dc=our-domain"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        edir_account_policy_check = no
        timeout = 4
        timelimit = 3
        net_timeout = 3
    }

    ldap ldap2 {
        # config for a different ldap server or a different ou
    }

    ldap ldap3 {
        # config for a different ldap server or a different ou
    }

authorize {
    preprocess
    chap
    mschap
    suffix
    redundant {
        ldap1 {
            fail = 1
            noop = 2
            notfound = 3
            ok = return
            reject = return
            userlock = return
            invalid = return
        }
        ldap2 {
            fail = 1
            noop = 2
            notfound = 3
            ok = return
            reject = return
            userlock = return
            invalid = return
        }
        ldap3 {
            fail = 1
            noop = 2
            notfound = 3
            ok = return
            reject = return
            userlock = return
            invalid = return
        }
    }
}

authenticate {
    ldap1
    ldap2
    ldap3
    chap
}

Gary Prosser - IT Manager
Trinity College, Bristol (http://www.trinity-bris.ac.uk)

-----Original Message-----
From: Wayne Van der Merwe vdme...@gmail.com
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Multiple LDAP search
Date: Wed, 4 Aug 2010 14:09:00 +0200

Hi all

I got LDAP working on FreeRADIUS Version 2.1.8, with SUSE 10.1.

Now I need to do the following: if the user is not found in the 1st LDAP search, which searches in o=EC, then it must search again in o=HLT. I would like to know where to create these files.

Thank you
Wayne van der Merwe
Trouble migrating EAP TLS authentication from Free Radius 1.1.8 to 2.1.9
Hi,

I've been trying to migrate the FreeRADIUS server from 1.1.8 to the latest (stable) release (2.1.9 at the last try, 2.1.8 before that). I'm using EAP-TLS to authenticate modem connections to our DSLAM (using two-way authentication). The 1.1.8 server has no trouble performing the task; however, the 2.1.x server never completes the authentication process. From what I can tell, once the 1.1.8 server gets the final TLS ACK it allows the connection, but the 2.1.x server is looking for something else.

Is this a FreeRADIUS issue or a DSLAM problem? If DSLAM, where is the best place to start looking for a description of what should be happening?

I have OpenSSL 1.0.0 installed on the SPARC Solaris 10 server that is running FreeRADIUS.

Using a single modem and debug mode, I've got the following log snippets (from the end of the session in each case):

Version 1.1.8:

Waking up in 5 seconds...
rad_recv: Access-Request packet from host 138.120.206.110:1, id=56, length=158
        NAS-Identifier = SSL-7330-3
        NAS-IP-Address = 138.120.206.110
        User-Name = 00:18:3F:5E:57:B0
        NAS-Port = 136383488
        NAS-Port-Type = xDSL
        Acct-Session-Id = 173:26:18::0075
        NAS-Port-Id = atm 1/1/04/13:0:32
        Calling-Station-Id = \000\030?^W\260
        EAP-Message = 0x020700060d00
        Message-Authenticator = 0x778fd2a832af2ac150c6df5119a51f88
        State = 0x2638193a96b23d3b2ac39fe35dff53cb
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 49
  modcall[authorize]: module preprocess returns ok for request 49
radius_xlat: '/usr/local/etc/raddb/var/log/radius/radacct/138.120.206.110/auth-detail-20100306'
rlm_detail: /usr/local/etc/raddb/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/etc/raddb/var/log/radius/radacct/138.120.206.110/auth-detail-20100306
  modcall[authorize]: module auth_log returns ok for request 49
  modcall[authorize]: module chap returns noop for request 49
  modcall[authorize]: module mschap returns noop for request 49
    rlm_realm: No '@' in User-Name = 00:18:3F:5E:57:B0, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 49
  rlm_eap: EAP packet type response id 7 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 49
  modcall[authorize]: module files returns notfound for request 49
modcall: group authorize returns updated for request 49
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 49
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 49
modcall: group authenticate returns ok for request 49
Sending Access-Accept of id 56 to 138.120.206.110:1
        MS-MPPE-Recv-Key = 0x7b94ecfc920b6cd85506aee431a4d876e4af891c3dc51c433af623302ace6490
        MS-MPPE-Send-Key = 0x370e00c44f3145ad3eaa77720d9e48a102750fcefdb44f980156c67c2dc790ee
        EAP-Message = 0x03070004
        Message-Authenticator = 0x
        User-Name = 00:18:3F:5E:57:B0
Finished request 49
Going to the next request
Waking up in 5 seconds...

Version 2.1.9:

Waking up in 4.2 seconds.
rad_recv: Access-Request packet from host 138.120.206.113 port 1, id=202, length=158
        NAS-Identifier = SSL-7330-4
        NAS-IP-Address = 138.120.206.113
        User-Name = 00:1B:5B:10:97:88
        NAS-Port = 136392448
        NAS-Port-Type = xDSL
        Acct-Session-Id = 157:52:37::0371
        NAS-Port-Id = atm 1/1/04/48:0:32
        Calling-Station-Id = \000\033[\020\227\210
        EAP-Message = 0x020e00060d00
        Message-Authenticator = 0xdffd259e9fa9cef084a12d640fb51073
        State = 0x056b0543006508967ef0ed7dafcf0427
+- entering group authorize {...}
++[preprocess] returns ok
[eap] EAP packet type response id 14 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] No SSL info available. Waiting for more SSL data.
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 202 to 138.120.206.113 port 1
        EAP-Message = 0x010f000a0d80
        Message-Authenticator = 0x
        State =
Re: Fwd: FreeRadius2MySQL
> I am planning to migrate from Aradial to FreeRadius2
> and I currently have 1 subscribers

A piece of advice: DO NOT deploy FreeRADIUS 2 now!

I am using FreeRADIUS 2.1.9 + MySQL 5.3 on FreeBSD 8.1, and radiusd exits abnormally (although it says "Info: exiting normally" by itself) many times a day! I have been driven mad, and I have decided to revert to FreeRADIUS 1.1.8. Believe me, or you can search for "exit normally but unexpectedly" in the mailing list archive yourself.

PS: deployment of FreeRADIUS is rather easy. Read its sample configuration files, and you will find them easy to understand.