Re: Returning attributes based on group membership using NTLM_AUTH

2011-08-03 Thread Arran Cudbard-Bell
Correct! :)

-Arran


On 3 Aug 2011, at 06:19, Moe, John wrote:

 Sorry to reply to my own post, but I think I've found the answer; can
 someone let me know if I'm on the right track?
 
 I believe that I should be using ntlm_auth to *only* validate the *password*
 in the authenticate section.  And then I'll need to configure the LDAP
 module and use Ldap-Group as an additional item to match against in the
 users file to return the appropriate Service-Type attribute?
 
 John H. Moe
 Network Support - Hatch IT
 HATCH
 Tel: +61 (7) 3166 
 Direct: +61 (7) 3166 7684
 Fax: +61 (7) 3368 3754
 Mobile: +61 438 772 425
 61 Petrie Terrace, Brisbane, Queensland Australia 4000
 
 -Original Message-
 From: freeradius-users-bounces+jmoe=hatch.com...@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+jmoe=hatch.com...@lists.freeradius.org] On Behalf Of Moe, John
 Sent: Wednesday, 3 August 2011 9:33 AM
 To: freeradius-users@lists.freeradius.org
 Subject: Returning attributes based on group membership using NTLM_AUTH
 
 I'm trying to set up switch logons for IT staff.  Some will get operator
 (limited, read-only) access, some get manager (full) access.  I've got two
 Active Directory groups that control which access they get.
 
 I've got the ntlm_auth section working with two different instances, one for
 each, using the --require-membership-of switch to ntlm_auth.
 
  modules/ntlm_auth 
 
 exec ntlm_auth.swcmgr {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password} --require-membership-of=MYDOMAIN\\SWITCH-MANAGERS"
 }
 
 exec ntlm_auth.swcoper {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password} --require-membership-of=MYDOMAIN\\SWITCH-OPERATORS"
 }
 
  End of file 
 
 I've also got the following in my users file:
 
  users 
 
 DEFAULT Auth-Type = ntlm_auth.swcmgr, Service-Type == 7, NAS-Port-Type == 5
        Service-Type := 6,
 #      Fall-Through = Yes
 
 #DEFAULT Auth-Type = ntlm_auth.swcoper, Service-Type == 7, NAS-Port-Type == 5
 #      Service-Type := 7
 
  End of file 
 
 And in sites-enabled/default, I've listed these two in the authenticate
 section.
 
 With the config above, it'll let managers in with manager access, but not
 operators.  If I comment out the first DEFAULT line in the users file, and
 uncomment the second, it'll let operators in with operator access, but not
 managers.  But if I uncomment both, operators get denied access on the first
 DEFAULT line, and processing stops.  If I uncomment the Fall-Through line, it
 appears to only fall through on success of the first DEFAULT section, not on
 failure.
 
 What's the best way to accomplish what I want?  I think I'd need to use
 unlang somehow, but the sites-enabled/default says unlang should go in
 post-auth, and I think I need it in the authenticate section?  Or should I be
 looking to do it in the modules/ntlm_auth file?  Is this too complicated for
 unlang, should I be looking at perl or python?  Or am I overcomplicating
 things?  Any pointers would be appreciated.
 
 
 
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Packet of Disconnect PHP

2011-08-03 Thread Arran Cudbard-Bell
It's possible... IIRC (and this was a long, long time ago) the type is just an
integer value (http://www.php.net/manual/en/function.radius-create-request.php)
and although there are two constants defined, it can actually be *any*
integer value, so just use type 40 for POD.

You'll need to make sure you have the right combination of attributes to
identify the user; some NASes are *VERY* picky.

-Arran

PS I think the RADIUS stuff is an extension, so you'll need to install it using 
PECL.


On 3 Aug 2011, at 01:03, mark fennema wrote:

 Hello, I'm working on getting a hotspot set up, and I need the ability
 to have a user log themselves out so that they can connect on another
 computer.  I have it set up so that the user can enter their
 information and have it log them out, but it doesn't disconnect them
 from the router, so they can continue using the internet until they
 disconnect from the wireless.  So I need to send a Packet of
 Disconnect.  Is there a way to do this in PHP?
 



RE: Packet of Disconnect PHP

2011-08-03 Thread Marius Pesé
I didn't even know there were Radius functions in PHP...

Anyway, I did do my POD with PHP:

First get all the information you need from the database:

SELECT
    `radcheck`.`username`,
    `radcheck`.`attribute`,
    `radcheck`.`value`*1024*1024*1024,
    `radacct`.`framedipaddress`,
    `radacct`.`xascendsessionsvrkey`,
    `radacct`.`nasipaddress`,
    `radacct`.`acctstoptime`,
    `radacct`.`realm`
FROM
    `radcheck`
CROSS JOIN
    `radacct`
ON
    `radcheck`.`username` = `radacct`.`username`
WHERE
    ...

Then you can use this to pipe it through radclient; assuming the web server
hosting this script is the same machine as your Radius server, this is quite easy:

// Hand the attribute list to radclient on stdin. escapeshellarg() keeps values
// pulled from the database (User-Name in particular) from breaking out of the
// shell command that exec() runs.
$avps = 'User-Name = "' . $row[0] . '", Framed-IP-Address = ' . $row[3]
      . ', X-Ascend-Session-Svr-Key = "' . $row[4] . '", NAS-IP-Address = ' . $row[5];
$disconnect = exec('echo ' . escapeshellarg($avps)
      . ' | radclient -x NAS.IP.ADD.RESS:PORT disconnect SECRET');

This way I iterate through the list of accounts returned by the query, do
some calculations, and then kick them off the network.
Maybe not the most sophisticated method, but it does the trick.
Hope this helps

Kind regards

Marius Pesé
Mindspring Computing

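Added example, not from any of the posts: a pure-Python encoder for the Disconnect-Request that Arran refers to as "type 40" (RFC 5176), carrying the same session-identifying attributes Marius pipes into radclient, plus a verifier that accepts a Disconnect-ACK/NAK only when its Response Authenticator matches the shared secret. It goes beyond the thread by also decoding the attribute list with length checks. The shared secret, the session values and the simulated NAS reply are constructed placeholders; the attribute numbers are the standard ones from RFC 2865.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 8, 44
IPADDR_ATTRS = {NAS_IP_ADDRESS, FRAMED_IP_ADDRESS}
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte authenticator follows

def encode_avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; IPv4 attrs as 4 raw octets."""
    data = socket.inet_aton(value) if attr_type in IPADDR_ATTRS else value.encode()
    if not 1 <= len(data) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(data) + 2) + data

def decode_avps(payload):
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    avps, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 3 or pos + length > len(payload):
            raise ValueError("bad attribute length")
        data = payload[pos + 2:pos + length]
        value = socket.inet_ntoa(data) if attr_type in IPADDR_ATTRS else data.decode()
        avps.append((attr_type, value))
        pos += length
    return avps

def build_disconnect_request(identifier, secret, attributes):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)."""
    attrs = b"".join(encode_avp(t, v) for t, v in attributes)
    header = HEADER.pack(DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def build_response(code, request, secret, attributes=()):
    """NAS side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + attrs + secret)."""
    attrs = b"".join(encode_avp(t, v) for t, v in attributes)
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs

def verify_response(response, request, secret):
    """Return the reply code only if length, identifier and authenticator all check out."""
    if len(response) < 20:
        return None
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response) or identifier != request[1]:
        return None
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # wrong secret or forged reply: never treat it as a real answer
    return code

if __name__ == "__main__":
    # Constructed sample session values (not from the posts); the attribute set
    # mirrors what Marius pipes into "radclient ... disconnect".
    secret = b"SECRET"  # placeholder shared secret
    req = build_disconnect_request(7, secret, [
        (USER_NAME, "jdoe"), (FRAMED_IP_ADDRESS, "10.0.0.42"),
        (NAS_IP_ADDRESS, "192.0.2.1"), (ACCT_SESSION_ID, "0000ABCD")])
    # In practice req is sent to the NAS over UDP (port 3799 by default); here the
    # NAS reply is simulated so the verifier can be exercised offline.
    print(verify_response(build_response(DISCONNECT_ACK, req, secret), req, secret))  # 41
```

Some NASes additionally require a Message-Authenticator attribute or vendor-specific session keys (like the X-Ascend-Session-Svr-Key in Marius's query), which this block does not emit.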


Re: Packet of Disconnect PHP

2011-08-03 Thread Marinko Tarlać

If you're using Mikrotik, you can use the Mikrotik API for this...

It works very well...

Especially if you need to disconnect all users


Re: segmentation fault freeradius 2.1.7 using rlm_sql

2011-08-03 Thread Alan Buxey
Hi,

  * FreeRADIUS has no notion of a stable release. Many projects maintain

'stable' or 'stale'


If you go for the 'stable' release of most daemons you will not have the
ability to do certain things; the latest version will have those abilities.

In the FR case, the most 'tested' version is often an older version... bugs
come to light, new features requested etc. are in the newer version, not
backported down to older versions. It makes sense to do it that way.

  than the rock solid stable release). The rock solid stable release has
  been field proven, should have the absolute confidence of system
  administrators and be viable for multiple years (in other words you can
  install it and be confident once it's put in production you're good to
  go for several years. 

Rubbish. Sorry, but the number of times I've had to upgrade e.g. BIND, ISC DHCPD,
apache etc. from a 'stable' release due to a bug, or that month's new vulnerability.

I don't know of ANY server daemon that could be installed and left online for
years - even if there was such a mythical beast, the server it runs on needs to
be reloaded at least 4 times a year due to kernel/OS vulnerabilities too ;-)

  security fix. When that occurs the stable release is surgically modified
  to fix exactly that one issue, its minor version number is bumped.

That's the wrong way to go as you spend the effort putting features way back
down in the tree - and often reverting behaviour already known or fixed.

Ideally you have a stable version and a test-devel version - which there has
been before - however, who runs what?  Often people run safe and won't run a
test-devel version where it's needed - and only when the version is 'released'
do they then run it and find a bug/issue that no-one else uncovered - this has
happened several times this year with 2.1.x

  * FreeRADIUS has way too much churn for a critical system service. Think
  about other system services, how often do you see kerberos, bind,
  iptables, pam, MySQL, etc. going through significant revisions? Are the
  administrators of those services constantly being told to upgrade the
  service because of the bug/feature du jour?

all the time. BIND and MySQL in particular. I'd add OpenSSH and Apache
to the list of daemons always being upgraded.

  those releases have gotten pushed into production. I think part of the
  problem is the frequent release schedule (measured in months) and the
  lack of a coordinated beta testing program. Releases should not occur
  until after they've successfully navigated a beta program.

I, for one, love having frequent releases of the server - it means we get
new features, functions and fixes of behaviour rapidly in what has become
a very agile area of network access.

If you have a less frequent release you'll have a product with as much
functionality as Cisco ACS or MS NPS - i.e. bare and basic. Dull and almost useless.

of course, this depends on your market - if you are a dial-in user or run an
ISP you might want the basic functions. there. done. free. dealt with.

If, however, you are using it in an enterprise network environment and are
looking at 802.1X with SoH, new rapid policy making, advanced external auditing
using custom logging and maybe even wanting to use other RADIUS capabilities,
CUI, CoA, linked to that month's common backend - or wanting to use enhanced
remote access systems like 'moonshot', then you need an agile project -
FreeRADIUS is agile enough

  * Organize a rigorous beta test program.

Using what and who?  Most issues are found in demanding environments that cannot
be modelled by some simulation - this isn't Apache where you can throw a tool
at it. There isn't a 'generic config' that all people use. I'll find a bug in
postgres that no-one else has found because they all use another DB or flatfile...
or if they do use postgres they won't be throwing particular things at it (like
storing a local copy of an accounting packet that wasn't received at the
remote accounting server and couldn't be stored on sql-relay due to no disk
space) - that's just an example by the way!  By changing to 'stable' and
having a remote 'test' release you can pretty much say goodbye to the default
presence of leading-tree testers. I know most people will just take the latest
stable.  They may have 'stable' but they'll whine when they don't have a
feature... and when posting to the list I'll say it's in 'testing' and they'll
ask when that's coming to 'stable' - answer? Probably never to that stable tree,
because the code changes to enable that feature are vast and the profiling
won't be able to pick out any weird corner cases that might happen to that
stable should the functions be backported. As Alan said, 1.1.x is 'stable' -
it's also damn bare of any flexible functionality ;-)

alan


Re: segmentation fault freeradius 2.1.7 using rlm_sql

2011-08-03 Thread Alan Buxey
Hi,
 This is a production server,
 What is the latest stable version to use?

'stable' is all in the mind ;-)

we run the latest 2.1.11 from GIT on our production servers (nee 2.1.12)
and a 3.x release on a couple of test servers to test/see the new functions.

alan


Re: Disable mysql dbm during freeradius installation

2011-08-03 Thread Alan Buxey
Hi,
Hi
I am installing FreeRADIUS and for my scenario I just need to authenticate
from local files and there is no need for DBM or MySQL or anything. How do
I disable them during installation of FreeRADIUS? I tried using
--disable-rlm-dbm and similar but it didn't work out. How do I disable them
from installing? Awaiting any help! Many thanks.

You could go the way Alan says - why bother? The code compiled is minimal in
size and isn't used if it's not in the config (it's all modular) - size only
matters if using e.g. an embedded device

..or use the --without-xxx

where xxx is the feature.


OR simply don't have the development libraries and headers for MySQL, DBM etc. on
your compilation server. autoconf will understand that it can't compile that stuff
and not bother.

alan


Re: Error: User-Name is not the same as MS-CHAP name

2011-08-03 Thread broo0...@googlemail.com
Hi,

I seem to have the same issue as described in this thread, I also have
XP/Novell legacy clients, and I want to move to AD from eDir.

Re: Error: User-Name is not the same as MS-CHAP name
https://lists.freeradius.org/pipermail/freeradius-users/2011-June/msg00070.html

The last mention I can see of this was a few months ago, has anything
changed since ?

I was wondering if I can work around the issue by using realms to strip the
username and then force the domain into the ntlm_auth line in the mschap
module. I got some way with this approach but it still seems to want to
create the hash using the DOMAIN/USER, which I'm guessing is wrong.

Anyway, if there is a fix or workaround I'd be grateful if you could let
me know.

Thanks,

Bruce

Re: segmentation fault freeradius 2.1.7 using rlm_sql

2011-08-03 Thread Bjørn Mork
John Dennis jden...@redhat.com writes:

 * FreeRADIUS has way too much churn for a critical system
 service. Think about other system services, how often do you see
 kerberos, bind, iptables, pam, MySQL, etc. going through significant
 revisions? Are the administrators of those services constantly being
 told to upgrade the service because of the bug/feature du jour?

I think that's unfair.  All of the other services you mention have their
share of release related problems.  The details are too off-topic on
this list, but things like having iptables completely pulled out and
replaced every now-and-then (remember ipchains?  Heard of nftables?)
springs to mind.  Or the wait-forever-for-a-new-stable-release of MySQL.

And, although I haven't verified this, I'd be surprised if the RedHat
packaged versions of all those services didn't include quite a few
bug-fixing patches.  There is no such thing as a bugfree release.

 * The QE component of FreeRADIUS has proven to be inadequate. I know
 Alan runs a set of tests and he calls for testing prior to a new
 release. But we've seen the amount of testing which actually occurs is
 inadequate because releases have gone out with significant problems
 and those releases have gotten pushed into production. I think part of
 the problem is the frequent release schedule (measured in months) and
 the lack of a coordinated beta testing program. Releases should not
 occur until after they've successfully navigated a beta program.

 I humbly would suggest the following:

 * Create and maintain a stable version.

 * Organize a rigorous beta test program.

I guess no one is going to _oppose_ those suggestions. 

But both of them are kind of already there.  You do have branches which
are supposed to be stable.  And you do have the call for testing you
mention.  The reason this is inadequate is probably lack of man power.
How many users do actually test the proposed new release on a (near)
production system?  Not nearly enough, as shown by the bug reports
coming in right after a release.  Myself, I usually build and install
such beta versions on our test system, but we do not really have a
complete lab with hundreds of different big NASes and millions of real
users. Some problems never show up before we put it on a real production
server.  Which is kind-of hard to get accepted for a beta test.

The FreeRADIUS user mass is probably too low to get anything close to
real testing without doing an actual release.  Which brings us to the
next point:

 * Slow down the release schedule, avoid the temptation to cut a new
 release because of minor new features. If production servers can't run
 successfully without a feature that's an indication the prior release
 was too hasty. Critical bug fixes should occur in the release branch
 and the release branch re-released. The release interval for a system
 service like FreeRADIUS should be measured in years, not months or
 weeks.

I don't think the 2.1.x history looks too bad. Except for a couple of
extra bugfix releases early in the cycle, it's been 3-4-5 months between
them: 

release_2_1_0:  2008-09-05 15:27:57 +0200
release_2_1_1:  2008-09-25 10:41:26 +0200
release_2_1_2:  2008-12-04 10:50:29 +0100
release_2_1_3:  2008-12-05 17:37:56 +0100
release_2_1_4:  2009-03-11 03:26:50 +0100
release_2_1_6:  2009-05-18 13:12:54 +0200
release_2_1_7:  2009-09-14 16:43:29 +0200
release_2_1_8:  2009-12-30 16:44:35 +0100
release_2_1_9:  2010-05-24 07:40:58 +0200
release_2_1_10: 2010-09-28 13:03:56 +0200
release_2_1_11: 2011-06-20 16:57:14 +0200

 Comments? Thoughts? Do you agree/disagree?

I don't think discussing strategies is very useful given the obvious
lack of contributions to the project.  It's not like there are resources
which could/should be (re)allocated anywhere.  All available resources
are already used in an extremely efficient way. There are just too few
of them to do all that you want.

But the project could most certainly need more contributors.  Why not
create and maintain a stable branch, like the stable kernel branches?
Like the kernel, I don't think that's really a job for the main
developer(s). It's more of a janitor job.

Or why not improve documentation?  The new Wiki opens possibilities for
anyone to contribute again.

And for beta testing: It's pretty obvious that the most important
missing part are the testers.  Bring them in.

The positions are open... In my experience the FreeRADIUS project has
never ever turned down any offer to help.  A simple task, which doesn't
even require any longterm commitment, is just squashing a few bugs the
next time there is a call for testing.

Just my humble thoughts, as a fellow FreeRADIUS user.  


Bjørn


Re: rml_perl is not adding attributes to Access-accept

2011-08-03 Thread Bjørn Mork
Igor Xpinha fishsemxpi...@gmail.com writes:

 # This is very important! Without this the script will not get the filled hashes
 # from main.
 use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
 #use Data::Dumper;
 
 # This is the hash which holds the original request from radius
 my %RAD_REQUEST;
 # In this hash you add values that will be returned to the NAS.
 my %RAD_REPLY;
 # This is for check items
 my %RAD_CHECK;

drop the my scoping of any variables you want to change.


Bjørn


Change my submission

2011-08-03 Thread aceror
I would like to receive individual emails from this list, but how?



Re: Change my submission

2011-08-03 Thread Arran Cudbard-Bell
http://lists.freeradius.org/mailman/listinfo/freeradius-users

