Re: Freeradius capable of url-redirect
Nathan McDavit-Van Fleet wrote:
> I'm afraid I still can't get this to work at all.

Is the server sending the correct attributes to the NAS? If yes, blame the NAS. Otherwise, fix your configuration.

> I decided to pare down my test to its simplest form. Basically I created a test user with the AVPair configuration as below, which is basically what Cisco describes in its documentation (but with ACS).
>
>   # test user
>   test_login Cleartext-Password := test_pass
>           Cisco-AVPair += "url-redirect=http://www.cisco.com/index.html",
>           Service-Type = Outbound-User
>
> So essentially this user should indeed trigger the controller with that AVPair configuration. Later I plan on dynamically triggering it when someone authenticates using TTLS. (I've also tried = instead of += for the AVPair.)

Do simple tests to see if it works. If you have ACS, use Wireshark to see what ACS sends in response, and make FreeRADIUS send the same thing.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MAC Authentication - Bad Idea?
Jim Rice wrote:
> The MikroTik routers can be configured to send a variety of MAC address formats; the default is XX:XX:XX:XX:XX:XX.

Which isn't the format recommended by the RFCs. Sigh.

> It can also be set to include the same MAC address in the Password field, instead of NULL, but I do not see any added benefit to that.

There isn't much benefit... but both are bad ideas.

> but had to set Auth-Type := Accept.

Hmm... that's probably not the best way to do it, but if it works...

> Is there a best (or better) way?

Not really, unfortunately.

> Do I need to be concerned with MAC spoofing?

Of course.

Alan DeKok.
Re: MAC Authentication - Bad Idea?
On Wed, Feb 02, 2011 at 02:00:52PM -0600, Gary Gatten wrote:
> On shared medium, I don't *think* dupe MACs will cause much problem, unless maybe a congestion algorithm tweaks traffic to/from that MAC. I'm not an expert in that area, just speaking from experience.

Layer 1 --- I have little experience with radio, and if it's a single radio cell with an omnidirectional antenna it might not make much difference (*).

Layer 2 --- With switches: they learn which port owns the MAC address, and then only send traffic to the latest seen port. If it keeps changing, there will be substantial packet loss.

Layer 3 --- If two people are on the same IP address then of course that will mess things up royally, so one will have to manually choose a different one. Now, if two different IPs share the same MAC address, it will usually work unless one of the devices has IP forwarding enabled. If they do, then when terminal A sees frames for B's IP address it will forward them to its default route. The router will then re-send the packet to B, and hence you will get a storm of duplicate packets (multiplied by the TTL).

Regards, Brian.

(*) If the radio station has multiple antennas to beam the signal in the correct direction, I imagine it might not work well if it sees the same client in two places at once.
Question regarding nested WiMAX TLV formatting
Dear all,

I wish to deploy FreeRADIUS on a WiMAX setup, and I need a modern version of FreeRADIUS in order to use WiMAX-Packet-Flow-Descriptor-v2 and nested TLVs (according to http://freeradius.1045715.n5.nabble.com/Sub-TLV-s-td3336559.html, I should use the git/2.2 version of FreeRADIUS, which I did compile and run successfully).

My question is about how to configure/describe/format the nested TLVs in the reply (not in the dictionary), either in the users file or in the MySQL tables (e.g. in radgroupreply). Indeed, in the following example:

- how can I express the fact that the WiMAX-PFDv2-Packet-Data-Flow-Id attribute is *inside* the WiMAX-Packet-Flow-Descriptor-v2?
- what should I put in the value field for WiMAX-Packet-Flow-Descriptor-v2, since the real value is constituted by the following TLVs?
- how can I say "end-tlv" at some point so that Some-other-attribute is no longer inside WiMAX-Packet-Flow-Descriptor-v2 but is at the root level?

  INSERT INTO `radgroupreply` (`id`, `groupname`, `attribute`, `op`, `value`) VALUES
    (1,   'Gold', 'WiMAX-Packet-Flow-Descriptor-v2', ':=', '??'),
    (2,   'Gold', 'WiMAX-PFDv2-Packet-Data-Flow-Id', ':=', '1'),      -- inside the first one
    ...
    (100, 'Gold', 'Some-other-attribute',            ':=', 'foobar');

Best regards,
--
Adrien Demarez
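As an added illustration (not from Adrien's post and not FreeRADIUS code) of the nesting the question is about, here is how a WiMAX VSA carrying a sub-TLV is laid out on the wire: the parent is one attribute-26 container whose value is itself a run of TLVs, and an attribute placed outside that container is at the root level. The vendor-type numbers 28 and 1, the 2-byte flow id, and the use of Reply-Message in place of Some-other-attribute are assumptions for the example; the real numbers come from dictionary.wimax.

```python
import struct

WIMAX_VENDOR_ID = 24757  # WiMAX Forum Private Enterprise Number
PFD_V2 = 28              # WiMAX-Packet-Flow-Descriptor-v2 (ASSUMED placeholder)
PFD_V2_DATA_FLOW_ID = 1  # WiMAX-PFDv2-Packet-Data-Flow-Id (ASSUMED placeholder)
REPLY_MESSAGE = 18       # stands in for the root-level Some-other-attribute

def tlv(tlv_type, value):
    """1-byte type, 1-byte length (header included), value; root attributes and sub-TLVs share it."""
    if len(value) > 253:
        raise ValueError("value does not fit a 1-byte length")
    return struct.pack("BB", tlv_type, len(value) + 2) + value

def wimax_vsa(vendor_type, value):
    """Attribute 26 with the WiMAX vendor header: Vendor-Type(1) Vendor-Length(1) Continuation(1) Value."""
    body = struct.pack("BBB", vendor_type, len(value) + 3, 0x00) + value
    return tlv(26, struct.pack("!I", WIMAX_VENDOR_ID) + body)

def split_tlvs(buf):
    """Walk a run of type/length/value triplets, rejecting any length that overruns the buffer."""
    out = []
    while buf:
        if len(buf) < 2 or buf[1] < 2 or buf[1] > len(buf):
            raise ValueError("malformed TLV length")
        out.append((buf[0], buf[2:buf[1]]))
        buf = buf[buf[1]:]
    return out

def parse_wimax_vsa(value):
    """Decode an attribute-26 value as WiMAX: (vendor_type, continuation, payload)."""
    if len(value) < 7 or struct.unpack("!I", value[:4])[0] != WIMAX_VENDOR_ID:
        raise ValueError("not a WiMAX VSA")
    vtype, vlen, cont = value[4], value[5], value[6]
    if vlen != len(value) - 4:
        raise ValueError("bad WiMAX vendor length")
    return vtype, cont, value[7:]

def gold_reply_attrs():
    """Constructed reply: Packet-Data-Flow-Id nested inside PFDv2, then one attribute back at root level."""
    pfd = wimax_vsa(PFD_V2, tlv(PFD_V2_DATA_FLOW_ID, struct.pack("!H", 1)))
    return pfd + tlv(REPLY_MESSAGE, b"foobar")

def nested_flow_id(attrs):
    """Pull the flow id back out, showing where the nesting boundary lies."""
    for atype, avalue in split_tlvs(attrs):
        if atype == 26:
            vtype, _cont, payload = parse_wimax_vsa(avalue)
            if vtype == PFD_V2:
                subs = dict(split_tlvs(payload))
                return struct.unpack("!H", subs[PFD_V2_DATA_FLOW_ID])[0]
    return None
```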
Radius Client UDP port selection
Hello Friends,

Now the RADIUS client UDP port is selected randomly. Is there a way by which I can tell the server to use a particular UDP port as the client port?

1. Is there a way where I can configure port numbers for client and server?
2. Or if I need to change the code, then in which function do I have to change it?

I want the client UDP port number to be greater than 32767. Kindly help me.

Thanks and Regards,
VIJAY S.
Re: Radius Client UDP port selection
vijay s sheelavantar s_vija...@rediffmail.com wrote:
> Now the RADIUS client UDP port is selected randomly. Is there a way by which I can tell the server to use a particular UDP port as the client port?
>
> 1. Is there a way where I can configure port numbers for client and server?
> 2. Or if I need to change the code, then in which function do I have to change it?
>
> I want the client UDP port number to be greater than 32767.

...the 1990's called...they want their firewall security policy back.

Whatever it is you are hoping to achieve[1], this is not going to help you.

Cheers

[1] what does pinning the client source address give you?

--
Alexander Clouter
.sigmonster says: No line available at 300 baud.
Re: Radius Client UDP port selection
vijay s sheelavantar s_vija...@rediffmail.com wrote:
> Now the RADIUS client UDP port is selected randomly. Is there a way by which I can tell the server to use a particular UDP port as the client port?

Well, this would imply that your RADIUS client would be able to authenticate exactly one supplicant at a time (one UDP socket). And that's probably not what you want.

> 2. Or if I need to change the code, then in which function do I have to change it?
>
> I want the client UDP port number to be greater than 32767.

The UDP header format offers 16 bits for the source and destination port. So this will be possible. But you have to tell your software to use ports above 32767.

--
Kind regards,
Tobias Koopmann