Re: Radius Server Doesn't Communicate AP

2011-10-03 Thread Alan DeKok
Alejandro Moreno wrote:
 Ok, first of all, not everybody has the resources to afford an expert
 to do something...

  Then you need to think for yourself.  You need to pay attention to the
messages on this list.

  If you can't do that, you have no business asking questions here.

  If you keep asking network questions on a RADIUS list, you can be
unsubscribed from the list.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Ubuntu client always connect to wlan even if it is not allowed by Freeradius

2011-10-03 Thread PROST Frédéric
-Src-IP-Address} - 192.168.2.15
Mon Oct  3 11:50:16 2011 : Info: [detail]   expand: 
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
 - /usr/local/var/log/radius/radacct/192.168.2.15/detail-20111003
Mon Oct  3 11:50:16 2011 : Info: [detail] 
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
 expands to /usr/local/var/log/radius/radacct/192.168.2.15/detail-20111003
Mon Oct  3 11:50:16 2011 : Info: [detail]   expand: %t - Mon Oct  3 
11:50:16 2011
Mon Oct  3 11:50:16 2011 : Info: ++[detail] returns ok
Mon Oct  3 11:50:16 2011 : Info: ++[unix] returns ok
Mon Oct  3 11:50:16 2011 : Info: [radutmp]  expand: 
/usr/local/var/log/radius/radutmp - /usr/local/var/log/radius/radutmp
Mon Oct  3 11:50:16 2011 : Info: [radutmp]  expand: %{User-Name} - salons
Mon Oct  3 11:50:16 2011 : Info: ++[radutmp] returns ok
Mon Oct  3 11:50:16 2011 : Info: ++[exec] returns noop
Mon Oct  3 11:50:16 2011 : Info: [attr_filter.accounting_response]  expand: 
%{User-Name} - salons
Mon Oct  3 11:50:16 2011 : Debug:  attr_filter: Matched entry DEFAULT at line 12
Mon Oct  3 11:50:16 2011 : Info: ++[attr_filter.accounting_response] returns 
updated
Sending Accounting-Response of id 2 to 192.168.2.15 port 32847
Mon Oct  3 11:50:16 2011 : Info: Finished request 1.
Mon Oct  3 11:50:16 2011 : Info: Cleaning up request 1 ID 2 with timestamp +17
Mon Oct  3 11:50:16 2011 : Debug: Going to the next request
Mon Oct  3 11:50:16 2011 : Info: Ready to process requests.

Do you have any idea of how to correct this?

Thank you very much,

Regards,

Fred




Re: Ubuntu client always connect to wlan even if it is not allowed by Freeradius

2011-10-03 Thread Fajar A. Nugraha
2011/10/3 PROST Frédéric f.pr...@mb-line.com:
 But if the connection is correct the first time and I then change one 
 of those parameters (i.e., disable the MAC address on the RADIUS server or change 
 the login on my Ubuntu workstation), I can still connect to my WLAN.
 The only way to correct this problem is to physically switch the wlan card 
 off and on on the Ubuntu workstation.

Have you tried restarting radius?


 Mon Oct  3 11:55:51 2011 : Info: ++- entering policy 
 rewrite.calling_station_id {...}
 Mon Oct  3 11:55:51 2011 : Info: +++? if ((Calling-Station-Id)  
 %{Calling-Station-Id} =~ /^%{config:policy.mac-addr}$/i)

AFAIK changes to config files (e.g. policy.conf) are re-read only when
FR is restarted or HUP-ed.

 Here is the FreeRADIUS log file for the second connection, after disabling the MAC 
 address and restarting FreeRADIUS (it connects directly without checking the MAC 
 address):

 rad_recv: Accounting-Request packet from host 192.168.2.15 port 32847, id=2, 
 length=152

That's accounting request, not access request.

-- 
Fajar



rlm_ldap patch for access_attr_deny_value

2011-10-03 Thread Fred
Hi all,

This patch is an attempt to have more generic custom access_attr
support, by introducing a new ldap module configuration parameter
named access_attr_deny_value, allowing an arbitrary access_attr
attribute value to be checked in order to reject the user.

Without this patch, the configured access_attr attribute is checked
against a static (hard-coded) "FALSE" value.
With this patch, the rlm_ldap module user can configure not only a custom
access_attr attribute, but also a custom access_attr_deny_value to
control user lock status.
The default value remains "FALSE", to maintain backward compatibility.

This patch has been made because if, for example, inetUserStatus is
used at the LDAP server level to control user lock status, this control is
done by the LDAP server when the user tries to bind to LDAP.
From the FreeRADIUS point of view, if the LDAP bind is not done for any reason
(e.g. because radiusd received an MSCHAP challenge and just replayed
MSCHAP using the ntPassword or lmPassword retrieved during authorization), the LDAP
server will not have occasion to reject the user at bind time, so
radiusd has to do the job itself for inetUserStatus to be honoured.
If radiusd does not do the job, only LDAP-bound users will be rejected
(by LDAP) but non-bound users will be accepted, thus the LDAP
settings disabling the user with inetUserStatus set to inactive will
not be honoured at the RADIUS level and the user will be unexpectedly accepted.


For example, in ${confdir}/modules/ldap:

access_attr            = inetUserStatus   # OID 2.16.840.1.113730.3.1.692
access_attr_deny_value = inactive

With this setup, if inetUserStatus is set to inactive in the LDAP
directory for a particular user, this user will be rejected early
during authorization.

Best regards,
Fred MAISON

###

diff -u ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c
./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c
--- ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c 2011-09-20
14:11:34.0 +0200
+++ 
./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c
  2011-09-29
17:39:32.0 +0200
@@ -146,6 +146,7 @@
char   *default_profile;
char   *profile_attr;
char   *access_attr;
+   char*access_attr_deny_value;
char   *passwd_hdr;
char   *passwd_attr;
int auto_header;
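Review bot: style only: the added `char *access_attr_deny_value;` member is not aligned with the neighbouring `char *` fields (`access_attr`, `passwd_hdr`); use the same whitespace as the existing declarations so the struct reads uniformly.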
@@ -304,6 +305,8 @@
 offsetof(ldap_instance,access_attr), NULL, NULL},
{access_attr_used_for_allow, PW_TYPE_BOOLEAN,
 offsetof(ldap_instance,default_allow), NULL, yes},
+   {access_attr_deny_value, PW_TYPE_STRING_PTR,
+offsetof(ldap_instance,access_attr_deny_value), NULL, FALSE},
{chase_referrals, PW_TYPE_BOOLEAN,
 offsetof(ldap_instance,chase_referrals), NULL, NULL},
{rebind, PW_TYPE_BOOLEAN,
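Review bot: missing documentation for the new `access_attr_deny_value` item: it is registered next to `access_attr` and `access_attr_used_for_allow` with the default `FALSE`, which keeps the old behaviour, but nothing in the patch adds a commented entry to the module's example configuration (raddb/modules/ldap) explaining that the value is compared against the first value of `access_attr` and that the check only runs when `access_attr_used_for_allow` (`default_allow`) is set. Add that entry so administrators can find the option without reading the source.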
@@ -1405,8 +1408,8 @@
if (inst-access_attr) {
if ((vals = ldap_get_values(conn-ld, msg, inst-access_attr)) 
!= NULL) {
if (inst-default_allow){
-   RDEBUG(checking if remote access for %s is 
allowed by %s,
request-username-vp_strvalue, inst-access_attr);
-   if (!strncmp(vals[0], FALSE, 5)) {
+   RDEBUG(checking if remote access for user %s 
is %s by %s,
request-username-vp_strvalue, inst-access_attr_deny_value,
inst-access_attr);
+   if (!strncmp(vals[0], 
inst-access_attr_deny_value,
sizeof(inst-access_attr_deny_value))) {
RDEBUG(dialup access disabled);

snprintf(module_fmsg,sizeof(module_fmsg),  [%s] Access
Attribute denies access, inst-xlat_name);
module_fmsg_vp = 
pairmake(Module-Failure-Message, module_fmsg, T_OP_EQ);
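Review bot: logic problem in the new comparison: `sizeof(inst->access_attr_deny_value)` is the size of a `char *` (4 or 8 bytes), not the length of the configured string, so `strncmp` compares at most the first few bytes. A directory value such as `inactive-pending` would then be treated as `inactive`, and a deny value longer than the pointer size would match on its prefix alone. Replace it with a whole-value comparison, e.g. `if (strcmp(vals[0], inst->access_attr_deny_value) == 0) {` (or `strcasecmp` if the attribute's syntax is case-insensitive); the old `strncmp(vals[0], "FALSE", 5)` had the same prefix behaviour, so this is the moment to fix it. Also, the new RDEBUG text "checking if remote access for user %s is %s by %s" reads oddly; something like "checking if %s for user %s equals deny value %s" would be clearer in the debug output.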


###


Re: Ubuntu client always connect to wlan even if it is not allowed by Freeradius

2011-10-03 Thread Alan DeKok
PROST Frédéric wrote:
 It seems that it has a kind of cache but I can't determine where and how to 
 disable it (on my Radius server).

  FreeRADIUS doesn't cache authentications.  The issue is likely that
your switch is caching the status of the MAC address.

 Here is a freeradius log extract of the first connection where we can see 
 that it checks the MAC address

  I'm *presuming* that this is for an Access-Request.  I don't know,
because you've deleted most of the debug output.

 Here is the FreeRADIUS log file for the second connection, after disabling the MAC 
 address and restarting FreeRADIUS (it connects directly without checking the MAC 
 address): 


  Read it:

 rad_recv: Accounting-Request packet from host 192.168.2.15 port 32847, id=2, 
 length=152

  That's not an Access-Request.

  The NAS (or switch) is starting an accounting session without first
authenticating the user.

 Do you have any idea of how to correct this?

  Fix the switch so that it sends Access-Requests when a user connects
to it.

  Alan DeKok.


Re: Ubuntu client always connect to wlan even if it is not allowed by Freeradius

2011-10-03 Thread Arran Cudbard-Bell

On 3 Oct 2011, at 12:04, Fajar A. Nugraha wrote:

 2011/10/3 PROST Frédéric f.pr...@mb-line.com:
 But if the connection is correct the first time and I then change one 
 of those parameters (i.e., disable the MAC address on the RADIUS server or change 
 the login on my Ubuntu workstation), I can still connect to my WLAN.
 The only way to correct this problem is to physically switch the wlan card 
 off and on on the Ubuntu workstation.
 
 Have you tried restarting radius?
 
 
 Mon Oct  3 11:55:51 2011 : Info: ++- entering policy 
 rewrite.calling_station_id {...}
 Mon Oct  3 11:55:51 2011 : Info: +++? if ((Calling-Station-Id)  
 %{Calling-Station-Id} =~ /^%{config:policy.mac-addr}$/i)
 
 AFAIK changes to config files (e.g. policy.conf) are re-read only when
 FR is restarted or HUP-ed.

Or in this case the users file :)

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: rlm_ldap patch for access_attr_deny_value

2011-10-03 Thread Fred
Please note:

As I am not a C developer, I just mimicked what is already done in
rlm_ldap.c to create this patch, which only checks against the FALSE
value.
So, this patch is not sufficient to manage multiple possible values:

For example, inetUserStatus has
- 2 possible REJECT values:
* inactive
* deleted
- 1 possible ACCEPT value:
* active

I am not able to create the patch to support checking against multiple
custom reject values.
For example: support access_attr_deny_value as a list with
space-separated values to check:
access_attr_deny_value = inactive deleted
or as a list with |-separated values:
access_attr_deny_value = inactive|deleted

Best regards,
Fred Maison

2011/10/3 Fred fred.mai...@gmail.com:
 Hi all,

 This patch is an attempt to have more generic custom access_attr
 support, by introducing a new ldap module configuration parameter
 named access_attr_deny_value, allowing an arbitrary access_attr
 attribute value to be checked in order to reject the user.

 Without this patch, the configured access_attr attribute is checked
 against a static (hard-coded) "FALSE" value.
 With this patch, the rlm_ldap module user can configure not only a custom
 access_attr attribute, but also a custom access_attr_deny_value to
 control user lock status.
 The default value remains "FALSE", to maintain backward compatibility.

 This patch has been made because if, for example, inetUserStatus is
 used at the LDAP server level to control user lock status, this control is
 done by the LDAP server when the user tries to bind to LDAP.
 From the FreeRADIUS point of view, if the LDAP bind is not done for any reason
 (e.g. because radiusd received an MSCHAP challenge and just replayed
 MSCHAP using the ntPassword or lmPassword retrieved during authorization), the LDAP
 server will not have occasion to reject the user at bind time, so
 radiusd has to do the job itself for inetUserStatus to be honoured.
 If radiusd does not do the job, only LDAP-bound users will be rejected
 (by LDAP) but non-bound users will be accepted, thus the LDAP
 settings disabling the user with inetUserStatus set to inactive will
 not be honoured at the RADIUS level and the user will be unexpectedly accepted.


 For example, in ${confdir}/modules/ldap:

 access_attr            = inetUserStatus   # OID 2.16.840.1.113730.3.1.692
 access_attr_deny_value = inactive

 With this setup, if inetUserStatus is set to inactive in the LDAP
 directory for a particular user, this user will be rejected early
 during authorization.

 Best regards,
 Fred MAISON

 ###

 diff -u ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c
 ./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c
 --- ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c     2011-09-20
 14:11:34.0 +0200
 +++ 
 ./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c
       2011-09-29
 17:39:32.0 +0200
 @@ -146,6 +146,7 @@
        char           *default_profile;
        char           *profile_attr;
        char           *access_attr;
 +       char            *access_attr_deny_value;
        char           *passwd_hdr;
        char           *passwd_attr;
        int             auto_header;
 @@ -304,6 +305,8 @@
         offsetof(ldap_instance,access_attr), NULL, NULL},
        {access_attr_used_for_allow, PW_TYPE_BOOLEAN,
         offsetof(ldap_instance,default_allow), NULL, yes},
 +       {access_attr_deny_value, PW_TYPE_STRING_PTR,
 +        offsetof(ldap_instance,access_attr_deny_value), NULL, FALSE},
        {chase_referrals, PW_TYPE_BOOLEAN,
         offsetof(ldap_instance,chase_referrals), NULL, NULL},
        {rebind, PW_TYPE_BOOLEAN,
 @@ -1405,8 +1408,8 @@
        if (inst-access_attr) {
                if ((vals = ldap_get_values(conn-ld, msg, inst-access_attr)) 
 != NULL) {
                        if (inst-default_allow){
 -                               RDEBUG(checking if remote access for %s is 
 allowed by %s,
 request-username-vp_strvalue, inst-access_attr);
 -                               if (!strncmp(vals[0], FALSE, 5)) {
 +                               RDEBUG(checking if remote access for user %s 
 is %s by %s,
 request-username-vp_strvalue, inst-access_attr_deny_value,
 inst-access_attr);
 +                               if (!strncmp(vals[0], 
 inst-access_attr_deny_value,
 sizeof(inst-access_attr_deny_value))) {
                                        RDEBUG(dialup access disabled);
                                        
 snprintf(module_fmsg,sizeof(module_fmsg),  [%s] Access
 Attribute denies access, inst-xlat_name);
                                        module_fmsg_vp = 
 pairmake(Module-Failure-Message, module_fmsg, T_OP_EQ);


 ###
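An added example, not code from Fred's patch or from rlm_ldap itself: it places the comparison as written in the posted hunk (strncmp bounded by sizeof of a pointer) beside a whole-token check that also handles the space- or |-separated deny list asked for in the follow-up. The function names and the case-insensitive matching are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not part of Fred's patch or of rlm_ldap.
 *
 * Two ways of deciding whether the access_attr value fetched from LDAP
 * (for example inetUserStatus) means "deny":
 *
 *   patch_style_match()  reproduces the comparison in the posted hunk,
 *                        strncmp(vals[0], deny, sizeof(pointer)), which
 *                        only ever looks at the first 4 or 8 bytes;
 *   access_attr_denied() is a whole-token, case-insensitive check that
 *                        also accepts a space- or '|'-separated deny list.
 *
 * Function and parameter names are assumptions for this example.
 */

/* Comparison as written in the patch: the length passed to strncmp is
 * the size of the char pointer, not the length of the configured string. */
int patch_style_match(const char *value, const char *deny_value)
{
    size_t n = sizeof(deny_value);          /* 4 or 8, never strlen() */
    return strncmp(value, deny_value, n) == 0;
}

/* Case-insensitive comparison of exactly `len` bytes of a and b (ASCII). */
static int ci_equal_n(const char *a, const char *b, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        unsigned char ca = (unsigned char)a[i], cb = (unsigned char)b[i];
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb) return 0;
    }
    return 1;
}

/* Return 1 if `value` equals (ignoring case) one complete token of
 * `deny_list`, tokens being separated by spaces or '|'; otherwise 0.
 * Requiring the full token length is what stops "inactive" from also
 * denying a hypothetical "inactive-pending" value. */
int access_attr_denied(const char *value, const char *deny_list)
{
    const char *p;
    size_t vlen;

    if (value == NULL || deny_list == NULL) return 0;
    vlen = strlen(value);

    p = deny_list;
    while (*p != '\0') {
        const char *start;
        size_t tlen;

        while (*p == ' ' || *p == '|') p++;             /* skip separators */
        start = p;
        while (*p != '\0' && *p != ' ' && *p != '|') p++;
        tlen = (size_t)(p - start);
        if (tlen == 0) break;                           /* trailing separators */

        if (tlen == vlen && ci_equal_n(value, start, tlen)) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values standing in for what ldap_get_values()
     * would return for inetUserStatus. */
    const char *samples[] = { "active", "inactive", "DELETED", "inactive-pending" };
    const char *deny_list = "inactive|deleted";
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-17s patch-style(inactive)=%d  deny-list=%d\n",
               samples[i],
               patch_style_match(samples[i], "inactive"),
               access_attr_denied(samples[i], deny_list));
    }
    return 0;
}
```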




Rlm_ldap login without an identity

2011-10-03 Thread Esdras Caleb Oliveira Silva
My LDAP server requires authentication, but for security reasons I can't
let a user with permission to read all data from others make the
bind for radius. Studying the log and using radiusd in debug mode I
discovered that if I leave the identity and password blank, radius tries to
log in with the login and password provided by the user of radius, and it
binds, but after that it also tries to retrieve the user info with the user
login, which fails. Is there a way to do the login with LDAP without
the identity or password?
Using the information provided by the user to try to bind in LDAP, and if the
bind is successful, RADIUS authenticates?

Sorry for the bad English
Esdras Caleb

-- 
(Will you go to heaven or not?    Visit
www.BoaPessoa.com.br now to find out!)

One does not GO to Church. One IS the Church.



Re: authentication sub in perl

2011-10-03 Thread Jonathan Gazeley

On 03/10/11 13:48, Alex rsm wrote:

Alan,

Thank you for the response.
How can I build the FreeRADIUS with EAP support? I checked the configure
and Makefile and couldn't figure it out


No need to edit the Makefile. You need to install a package called 
something like openssl-devel and then attempt to build FreeRADIUS again.


Jonathan


Virtual server basic proxy configuration?

2011-10-03 Thread John Douglass

Freeradius gurus,

I have looked over the documentation and searched for examples and 
haven't found anything concrete that I feel will solve my configuration. 
Perhaps someone has implemented this or can offer up some advice on how 
to approach this.


Basically I want to create a virtual server listening on port 1818 that 
simply proxies ALL AUTH requests to radius1.gatech.edu port 1812. I am 
used to the virtual-server configuration as I have multiple RADIUS-based 
services running on different ports, but am not sure how to only proxy 
those entries on that particular virtual server and not the other 
virtual servers I have running on this server. At a first read/glance, 
it looks like the proxy settings might apply to all virtual servers 
instead of just the one on port 1818 that I am defining.


From reading proxy.conf would I just define something like:

home_server radius1 {
type = auth
ipaddr = 10.10.10.10
port = 1818
secret = testing123
}

Now...I am not sure how to apply this to a single virtual server. All I 
really want to do is redirect the requests and respond.


Any tips would be appreciated,
- John Douglass, Georgia Institute of Technology


Re: Virtual server basic proxy configuration?

2011-10-03 Thread Arran Cudbard-Bell

On 3 Oct 2011, at 17:22, John Douglass wrote:

 Freeradius gurus,
 
 I have looked over the documentation and searched for examples and haven't 
 found anything concrete that I feel will solve my configuration. Perhaps 
 someone has implemented this or can offer up some advice on how to approach 
 this.
 
 Basically I want to create a virtual server listening on port 1818 that 
 simply proxies ALL AUTH requests to radius1.gatech.edu port 1812. I am used 
 to the virtual-server configuration as I have multiple RADIUS-based services 
 running on different ports, but am not sure how to only proxy those entries 
 on that particular virtual server and not the other virtual servers I have 
 running on this server. At a first read/glance, it looks like the proxy 
 settings might apply to all virtual servers instead of just the one on port 
 1818 that I am defining.
 
 From reading proxy.conf would I just define something like:
 
 home_server radius1 {
type = auth
ipaddr = 10.10.10.10
port = 1818
secret = testing123
 }
 
 Now...I am not sure how to apply this to a single virtual server. All I 
 really want to do is redirect the requests and respond.

Just use a listen block within the virtual server { } configuration. There's a 
template one in radiusd.conf.

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: Virtual server basic proxy configuration?

2011-10-03 Thread Alan DeKok
John Douglass wrote:
 Basically I want to create a virtual server listening on port 1818 that
 simply proxies ALL AUTH requests to radius1.gatech.edu port 1812.

  Read raddb/sites-available/README

  It explains virtual servers in detail.

 At a first read/glance,
 it looks like the proxy settings might apply to all virtual servers

  Yes.

 From reading proxy.conf would I just define something like:

  Which defines a home server, just like normal.

 Now...I am not sure how to apply this to a single virtual server. All I
 really want to do is redirect the requests and respond.

  Redirecting the requests involves setting Proxy-To-Realm.  So you'll
need to set up a realm and home server pool for the above home server.
Or, just use the old-style realms definition.  It will still work.

  Then:

server proxy_all {
  authorize {
update control {
  Proxy-To-Realm := nameOfRealm
}
  }
}


  A seven-line config.  Can't get much simpler than that.

  Alan DeKok.


Re: authentication sub in perl

2011-10-03 Thread Alan Buxey
Hi,

Thank you for the response.
How can I build the FreeRADIUS with EAP support? I checked the configure
and Makefile anc couldn't figure it out

did you build it yourself then? if so, then what platform? as that will decide
the package name.

ssl-devel, ssl-devl, openssl-devel, openssl-dev are the usual names of the
required RPM or PKG file that must be installed. If you'd piped the output of the
./configure stage through grep, e.g.

./configure --with-whatever-options | grep WARN

you'd see all the warnings about functionality that won't work because of lack
of development headers/libraries

alan


Need help with Freeradius and 802.1X

2011-10-03 Thread johnboy68
I have searched the forum but can't find what I'm looking for.

Here is my scenario:

Users with Vista machines and the 802.1X supplicant configured
Windows Server 2008 with Active Directory
Other network connected devices and 'unknown' computers
100% Cisco LAN/WAN

Here is what I want to do:

Dynamic VLAN assignment based on 802.1X with Freeradius able to use Active
Directory for the computers with the supplicant configured and also be able
to use MySQL to do MAC authentication bypass for known devices like printers
that can't use a supplicant.

I don't have much experience with Freeradius but I feel this is something
that would be a normal 802.1X configuration.

Any help on how to configure this environment would be greatly appreciated.

Thanks, John

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Need-help-with-Freeradius-and-802-1X-tp4865617p4865617.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


RE: authentication sub in perl

2011-10-03 Thread Alex rsm


I've built FreeRADIUS 2.1.11 from source files on an Ubuntu 8.04 server:
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu 8.04.4 LTS
Release:8.04
Codename:   hardy



# ./configure | grep WARN
configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may 
not work
configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl may 
not work
configure: WARNING: pcap library not found, silently disabling the RADIUS 
sniffer.
configure: WARNING: silently not building rlm_counter.
configure: WARNING: FAILURE: rlm_counter requires:  libgdbm.
configure: WARNING: FAILURE: rlm_dbm requires:  (ndbm.h or gdbm/ndbm.h or 
gdbm-ndbm.h) (libndbm or libgdbm or libgdbm_compat).
configure: WARNING: silently not building rlm_dbm.
configure: WARNING: silently not building rlm_eap_tls.
configure: WARNING: FAILURE: rlm_eap_tls requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_peap.
configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires:  libeap-ikev2 
EAPIKEv2/connector.h.
configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires:  -lTNCS.
configure: WARNING: silently not building rlm_eap_ttls.
configure: WARNING: FAILURE: rlm_eap_ttls requires: OpenSSL.
configure: WARNING: silently not building rlm_ippool.
configure: WARNING: FAILURE: rlm_ippool requires:  libgdbm.
configure: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!
configure: WARNING: the comm_err library isn't found!
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.h krb5.
configure: WARNING: silently not building rlm_ldap.
configure: WARNING: FAILURE: rlm_ldap requires:  libldap_r ldap.h.
configure: WARNING: silently not building rlm_otp.
configure: WARNING: FAILURE: rlm_otp requires:  openssl-libs openssl-includes 
openssl-includes openssl-includes openssl-includes openssl-includes.
configure: WARNING: silently not building rlm_pam.
configure: WARNING: FAILURE: rlm_pam requires:  libpam.
configure: WARNING: silently not building rlm_perl.
configure: WARNING: FAILURE: rlm_perl requires:  libperl.so libperl.so.
configure: WARNING: silently not building rlm_python.
configure: WARNING: FAILURE: rlm_python requires:  Python.h libpython2.5.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: MySQL libraries not found. Use --with-mysql-lib-dir=path.
configure: WARNING: MySQL headers not found. Use 
--with-mysql-include-dir=path.
configure: WARNING: silently not building rlm_sql_mysql.
configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient_r mysql.h.
configure: WARNING: silently not building rlm_sql_postgresql.
configure: WARNING: FAILURE: rlm_sql_postgresql requires:  libpq-fe.h libpq.
configure: WARNING: oracle headers not found.  Use 
--with-oracle-include-dir=path.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.


# apt-get install OpenSSL
Reading package lists... Done
Building dependency tree   
Reading state information... Done
E: Couldn't find package OpenSSL

# apt-get install ssl-devel
Reading package lists... Done
Building dependency tree   
Reading state information... Done
E: Couldn't find package ssl-devel
 Date: Mon, 3 Oct 2011 16:32:44 +0100
 From: a.l.m.bu...@lboro.ac.uk
 To: freeradius-users@lists.freeradius.org
 Subject: Re: authentication sub in perl
 
 Hi,
 
 Thank you for the response.
 How can I build the FreeRADIUS with EAP support? I checked the configure
 and Makefile and couldn't figure it out
 
 did you build it yourself then? if so, then what platform? as that will decide
 the package name.
 
 ssl-devel, ssl-devl, openssl-devel, openssl-dev are the usual names of the
 required RPM or PKG file that must be installed. If you'd piped the output of the
 ./configure stage through grep, e.g.
 
 ./configure --with-whatever-options | grep WARN
 
 you'd see all the warnings about functionality that won't work because of lack
 of development headers/libraries
 
 alan


Re: authentication sub in perl

2011-10-03 Thread Alan DeKok
Alex rsm wrote:
 # apt-get install OpenSSL
...
 E: Couldn't find package OpenSSL

  Use *google* to find out the names of packages on your OS.  Or, search
the web pages of the OS vendor.

  It should be less work (and faster) than posting messages to this list.

  This isn't a FreeRADIUS problem.

  Alan DeKok.


Re: Need help with Freeradius and 802.1X

2011-10-03 Thread Alan DeKok
johnboy68 wrote:
 Users with Vista machines and the 802.1X supplicant configured
 Windows Server 2008 with Active Directory
 Other network connected devices and 'unknown' computers
 100% Cisco LAN/WAN
 
 Here is what I want to do:
 
 Dynamic VLAN assignment based on 802.1X with Freeradius able to use Active
 Directory for the computers with the supplicant configured and also be able
 to use MySQL to do MAC authentication bypass for known devices like printers
 that can't use a supplicant.

  It takes care, but it's not hard.

  Step 1, configure AD authentication.  See my web page:
http://deployingradius.com

  Step 2, configure MAC address authentication.  See the Wiki.

  The key thing is... do each step in isolation.  Don't worry about
changes in Step 1 breaking step 2.  Make sure you understand each piece
in isolation before you try to combine them.

  Once you get that far come back with more questions.

 I don't have much experience with Freeradius but I feel this is something
 that would be a normal 802.1X configuration.

  Pretty much, yes.

  Alan DeKok.


Re: authentication sub in perl

2011-10-03 Thread Alan Buxey
Yes yes, you've just confirmed what I said. I know you built it without openssl 
support...I was giving you advice on how to spot it, so that you can verify all 
is okay after you've installed the required development packages for openssl on 
your platform, and Google can help you with that.

alan
--
Message may be brief as it has been sent from my mobile



Re: Radius client redundance

2011-10-03 Thread oleaweel
Hi,

I did add the 

home_server nps01 { 
type = auth+acct 
ipaddr = XXX.XXX.XXX.1 
port = 1812,1813 
secret = secretkey 

rest is default? } 

home_server nps02 { 
type = auth+acct 
ipaddr = XXX.XXX.XXX.2 
port = 1812,1813 
secret = secretkey 

rest is default? } 

home_server_pool my_auth_failover { 
type = fail-over 
home_server = nps01 
home_server = nps02 
} 

But it does not seem to work. Are there some attributes that I need to add,
remove or change?

Regards
Ole

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Radius-client-redundance-tp4822209p4866338.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Radius client redundance

2011-10-03 Thread Alan DeKok
oleaweel wrote:
 I did add the 
...
 But it does not seem to work, is there some attributes that i need to add,
 remove or change ?

  See the FAQ for "it doesn't work"

  Alan DeKok.


FW: authentication sub in perl

2011-10-03 Thread Alex rsm
Ok,
OpenSSL is installed on my server. No more issues with EAP. However, my debug line 
in sub authenticate is still not being called:


#example.pl
# %RAD_REQUEST, %RAD_REPLY and the RLM_MODULE_* constants are provided by rlm_perl
# Function to handle authorize
sub authorize {
    print "TEST-authorize: username=$RAD_REQUEST{'User-Name'}\n";
    # For debugging purposes only
    #   log_request_attributes;

    # Here's where your authorization code comes
    # You can call another function from here:
    test_call;

    return RLM_MODULE_OK;
}

# Function to handle authenticate
sub authenticate {
    print "TEST-authenticate\n";
    # For debugging purposes only
    #   log_request_attributes;

    if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    } else {
        # Accept user and set some attribute
        $RAD_REPLY{'h323-credit-amount'} = "100";
        return RLM_MODULE_OK;
    }
}


and here is the debug:

Cleaning up request 9 ID 9 with timestamp +7
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=19, 
length=169
User-Name = abc
NAS-IP-Address = 10.0.0.31
NAS-Identifier = belair
NAS-Port = 0
Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x
Calling-Station-Id = 5C-59-48-F0-34-8B
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020801616263
Message-Authenticator = 0xb952dcdfcec1e39a79c029ccdc94c2ca
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = abc, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[sql]   expand: %{User-Name} - abc
[sql] sql_set_user escaped user -- 'abc'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id - 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = 'abc'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT groupname   
FROM radusergroup   WHERE username = 'abc'   ORDER BY 
priority
rlm_sql (sql): Released sql socket id: 1
[sql] User abc not found
++[sql] returns notfound
TEST-authorize: username=abc
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-F0-34-8B
rlm_perl: Added pair Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x
rlm_perl: Added pair Message-Authenticator = 0xb952dcdfcec1e39a79c029ccdc94c2ca
rlm_perl: Added pair User-Name = abc
rlm_perl: Added pair NAS-Identifier = belair
rlm_perl: Added pair EAP-Message = 0x020801616263
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 10.0.0.31
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 19 to 10.0.0.31 port 50071
EAP-Message = 0x0101001604108bc56309ea2103957c2aee6450696f68
Message-Authenticator = 0x
State = 0x2c81558c2c8051de6687486c2848c067
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=20, 
length=185
User-Name = abc
NAS-IP-Address = 10.0.0.31
NAS-Identifier = belair
NAS-Port = 0
Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x
Calling-Station-Id = 5C-59-48-F0-34-8B
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020100060319
State = 0x2c81558c2c8051de6687486c2848c067
Message-Authenticator = 0x959b11a51401f767f5b52bc58298d730
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = abc, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6

Re: FW: authentication sub in perl

2011-10-03 Thread Alan DeKok
Alex rsm wrote:
 openSLL is installed on my server. No more issue on EAP. However, my
 debug line in sub authenticate still is not being called:

  Read the debug output.  The perl module isn't being called in the
authenticate section.

  Why?  Because the eap module is being called.

  Why?  Because Auth-Type := EAP is set.

  Why?  Because the EAP module saw EAP-Message, and decided to do
Auth-Type := EAP

  It's doing exactly what it's supposed to be doing, and what you told
it to do.  You didn't tell it to call the Perl module during the
authenticate section.  So it didn't do that.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Issue with installation of FreeRadiusServer (2.1.11) on Solaris

2011-10-03 Thread Harish Kumar
Hi,

I am using Solaris SPARC 5.10 to install version 2.1.11 of
FreeRadiusServer. My configure and
gmake went fine, but at the time of gmake install I get the following error. Can
anyone suggest how to fix that error?

#gmake install
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 
/usr/local/sbin
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 
/usr/local/bin
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 
/usr/local/etc/raddb
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 
/usr/local/share/man
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 
/usr/local/var/run/radiusd
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 700 
/usr/local/var/log/radius
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 700 
/usr/local/var/log/radius/radacct
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 
/usr/local/share
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 
/usr/local/share/freeradius
for i in 1 5 8; do \
        /export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c 
-d -m 755 /usr/local/share/man/man$i; \
        for p in man/man$i/*.$i; do \
                
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -m 644 $p 
/usr/local/share/man/man$i; \
        done \
done
gmake[1]: Entering directory 
`/export/home/emsuser/Documents/freeradius-server-2.1.11'
Making install in libltdl...
gmake[2]: Entering directory 
`/export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl'
gmake[3]: Entering directory 
`/export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl'
test -z /usr/local/lib || /bin/bash 
/export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl/install-sh -d 
/usr/local/lib
 /bin/bash ./libtool --mode=install /usr/bin/install -c  'libltdl.la' 
'/usr/local/lib/libltdl.la'
/usr/bin/install -c .libs/libltdl.so.3.1.4 /usr/local/lib/libltdl.so.3.1.4
cp: cannot access /usr/local/lib/libltdl.so.3.1.4
install: cp /usr/local/lib/libltdl.so.3.1.4 
.libs/libltdl.so.3.1.4/libltdl.so.3.1.4 failed
gmake[3]: *** [install-libLTLIBRARIES] Error 2
gmake[3]: Leaving directory 
`/export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl'
gmake[2]: *** [install-am] Error 2
gmake[2]: Leaving directory 
`/export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl'
gmake[1]: *** [libltdl] Error 2
gmake[1]: Leaving directory 
`/export/home/emsuser/Documents/freeradius-server-2.1.11'
gmake: *** [install] Error 2

Thanks,
Harish
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


How to specify python modules used by rlm_python?

2011-10-03 Thread yegle
Hi everyone,
I'm trying to use rlm_python to integrate with my own authentication
backend, but there is so little documentation about rlm_python. I cannot even find
how to specify the path to the python module.

Can anybody give me a hint?

 Module: Instantiating module python from file
/etc/freeradius/modules/python
python_init done
  python {
mod_instantiate = radiusd_test
func_instantiate = instantiate
mod_authorize = radiusd_test
func_authorize = authorize
mod_accounting = radiusd_test
func_accounting = accounting
mod_pre_proxy = radiusd_test
func_pre_proxy = pre_proxy
mod_post_proxy = radiusd_test
func_post_proxy = post_proxy
mod_post_auth = radiusd_test
func_post_auth = post_auth
mod_recv_coa = radiusd_test
func_recv_coa = recv_coa
mod_send_coa = radiusd_test
func_send_coa = send_coa
mod_detach = radiusd_test
func_detach = detach
  }
rlm_python:python_load_function: module 'radiusd_test' is not found
rlm_python:EXCEPT:type 'exceptions.ImportError': No module named
radiusd_test
rlm_python:python_load_function: failed to import python function
'radiusd_test.instantiate'
/etc/freeradius/modules/python[1]: Instantiation failed for module python
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
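As an added example, not from the original post or the rlm_python distribution: a radiusd_test.py shaped to match the mod_*/func_* names in that config, with a stub radiusd module so it can be imported and tested outside the server. It assumes the 2.x calling convention (each hook gets a tuple of (attribute, value) pairs, string values in quoted printed form) and that rlm_python imports the module by bare name from Python's sys.path, which is what the ImportError above is complaining about.

```python
import sys

try:
    import radiusd                     # exported by rlm_python inside the server
except ImportError:
    class radiusd(object):             # stand-alone stub; assumption: the values
        RLM_MODULE_REJECT = 0          # mirror the server's rlm_rcodes enum
        RLM_MODULE_OK = 2
        RLM_MODULE_NOOP = 7
        RLM_MODULE_UPDATED = 8
        L_INFO = 3
        @staticmethod
        def radlog(level, msg):
            sys.stderr.write("radlog(%d): %s\n" % (level, msg))

def _to_dict(p):
    """Hooks get a tuple of (attribute, value) pairs; string values arrive
    in printed form with surrounding double quotes, e.g. '"abc"'."""
    req = {}
    for name, value in p:
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        req[name] = value
    return req

def instantiate(p=None):
    # func_instantiate: runs once at startup.  rlm_python imports this file by
    # its bare name, so its directory must be on sys.path (e.g. via PYTHONPATH
    # in radiusd's environment); otherwise you get the ImportError shown above.
    radiusd.radlog(radiusd.L_INFO, "radiusd_test loaded as %s" % __name__)
    return radiusd.RLM_MODULE_OK

def authorize(p):
    # func_authorize: return a bare rcode or (rcode, reply items, control items),
    # each item a (name, value) pair.  Same baduser check as the perl example.
    req = _to_dict(p)
    if req.get("User-Name", "").lower().startswith("baduser"):
        return (radiusd.RLM_MODULE_REJECT,
                (("Reply-Message", "Denied access by rlm_python"),), ())
    # Auth-Type must name an "Auth-Type python { python }" block in the
    # authenticate section of the virtual server (assumption about your config).
    return (radiusd.RLM_MODULE_UPDATED,
            (("Reply-Message", "authorized by radiusd_test"),),
            (("Auth-Type", "python"),))

def _noop(p=None):
    return radiusd.RLM_MODULE_NOOP

# Every func_* named in the config must resolve, or instantiation fails.
accounting = pre_proxy = post_proxy = post_auth = recv_coa = send_coa = detach = _noop
```

Drop the mod_*/func_* pairs you do not need from the config rather than leaving them pointing at functions that do not exist.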


Re: FW: authentication sub in perl

2011-10-03 Thread Fajar A. Nugraha
On Tue, Oct 4, 2011 at 3:45 AM, Alex rsm alex-...@hotmail.com wrote:
 Ok,
 openSLL is installed on my server. No more issue on EAP. However, my debug
 line in sub authenticate still is not being called:

 Found Auth-Type = EAP

As Alan said, the EAP module saw EAP-Message, and decided to do
Auth-Type := EAP.

I highly suggest you try a simple test first (e.g. with radtest and
pap). Most modifications will be in sites-available/default.
Once that works, applying it to EAP should be easy enough: you just
need to adapt sites-available/inner-tunnel to use your perl module.

PS: While not related to your perl problem, your previous post says
you're using 2.1.11, which has some known bugs fixed in later versions.
2.1.12 was released some time ago, so you should upgrade.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html