Re: Configuring freeradius for MACsec

2012-02-24 Thread Alan Buxey
IIRC, Cisco MACsec/TrustSec is implemented with EAP-FASTv2. Their cute way of 
tying you into Cisco ACS 5 or ISE

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring freeradius for MACsec

2012-02-24 Thread Matija Levec
On 24.2.2012 at 8:38, in message 4f473e78.2070...@deployingradius.com, Alan DeKok al...@deployingradius.com wrote:
 Matija Levec wrote:
 What should be configured for radius to also send EAP-Key-Name AVP?
 
   Nothing.
 
   RFC 4072 says:
 
The EAP-Key-Name AVP (Radius Attribute Type 102) is of type
OctetString.  It contains an opaque key identifier (name) generated
by the EAP method.  Exactly how this name is used depends on the link
layer in question, and is beyond the scope of this document (see
[EAPKey] for more discussion).
 
Note that not all link layers use this name, and currently most EAP
methods do not generate it.
 
   TTLS doesn't generate it.  My guess is that Cisco has invented
 something themselves which defines EAP-Key-Name.  Find out what that is,
 and we can implement it in FreeRADIUS.
 
   Alan DeKok.

That is very likely the case. :(
I'll try to get ACS 5.x and get any useful info out of it - not being very 
optimistic though.

I'd like to thank everyone for their comments.

Kind regards,
Matija Levec




Re: Configuring freeradius for MACsec

2012-02-24 Thread Johan Meiring

On 2012/02/24 09:38 AM, Alan DeKok wrote:


   TTLS doesn't generate it.  My guess is that Cisco has invented
something themselves which defines EAP-Key-Name.  Find out what that is,
and we can implement it in FreeRADIUS.




This?

http://tools.ietf.org/html/draft-aboba-radext-wlan-15


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782





Re: Configuring freeradius for MACsec

2012-02-24 Thread Alan DeKok
Alan Buxey wrote:
 IIRC, Cisco MACsec/TrustSec is implemented with EAP-FASTv2. Their cute
 way of tying you into Cisco ACS 5 or ISE

  Ah.  I have some code for EAP-FAST.  I might take a look at it.  The
reason it hasn't been integrated is that the vendor who wrote it did it
as pretty much a hack.  They duplicated much of the TLS code from
EAP-TLS, instead of re-using it as with PEAP and TTLS.

  Out of general principle, that needs to be fixed before it's
integrated.  Duplicate code increases bugs and maintenance costs.

  If anyone is interested in fixing it, I can put the code on github.
It's probably not that hard to fix it, it just takes time I don't have.

  Alan DeKok.


Re: Configuring freeradius for MACsec

2012-02-24 Thread Phil Mayers

On 02/24/2012 07:38 AM, Alan DeKok wrote:


   TTLS doesn't generate it.  My guess is that Cisco has invented
something themselves which defines EAP-Key-Name.  Find out what that is,
and we can implement it in FreeRADIUS.


FWIW, a bit more digging shows section 1.4.1 of RFC 5247 is relevant, 
saying that:


EAP-Key-Name = eap type || eap session id

...and appendix A lists Peer-Id, Server-Id and Session-Id values for 
existing methods. Sadly, since neither PEAP nor TTLS were ever 
standardised, it skips those :o(


RFC 5216 suggests that EAP-TLS, and possibly all TLS-based methods in 
the absence of an alternative, might define EAP-Key-Name as:


eap type || 0x0d || tls client random || tls server random

But it's all very unclear, and I'm struggling to see what the point is; 
what is all this crud for?

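Worked example, added here as an illustration and not part of Phil's post or of FreeRADIUS: what the EAP-Key-Name value looks like for EAP-TLS and how it travels in RADIUS. It follows Phil's reading of RFC 5247 (EAP-Key-Name carries the EAP Session-Id) together with RFC 5216 section 2.3, which defines the EAP-TLS Session-Id as 0x0D || client.random || server.random, and packs the result as RADIUS attribute type 102 from the RFC 4072 text quoted above. Only EAP-TLS is covered; PEAP and TTLS define no Session-Id, as Phil notes. The randoms in the demo are generated locally in place of the real TLS hello randoms, and the attribute parser is my own, written to reject the malformed lengths a hostile or fuzzed NAS could send.

```python
"""Added example: EAP-TLS Session-Id (the value carried as EAP-Key-Name) and
its RADIUS attribute encoding, per RFC 5216, RFC 5247 and RFC 4072."""
import os
import struct

EAP_TYPE_TLS = 0x0D            # EAP method type 13 = EAP-TLS (RFC 5216)
ATTR_EAP_KEY_NAME = 102        # RADIUS attribute type for EAP-Key-Name (RFC 4072)
TLS_RANDOM_LEN = 32            # length of each TLS hello random


def eap_tls_session_id(client_random, server_random):
    """RFC 5216 section 2.3: Session-Id = 0x0D || client.random || server.random.
    RFC 5247 exports this Session-Id as the EAP-Key-Name.  The two hello randoms
    make the name unique per handshake; it is an identifier for the keys derived
    from this EAP exchange, not secret material, so it can ride in an
    Access-Accept in the clear."""
    if len(client_random) != TLS_RANDOM_LEN or len(server_random) != TLS_RANDOM_LEN:
        raise ValueError("TLS hello randoms are 32 bytes each")
    return bytes([EAP_TYPE_TLS]) + bytes(client_random) + bytes(server_random)


def radius_attribute(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value.  Length counts the header,
    so a value longer than 253 bytes does not fit (RFC 2865 section 5)."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type is one byte")
    if len(value) > 253:
        raise ValueError("value does not fit in one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + bytes(value)


def parse_radius_attributes(data):
    """Split a run of attributes into (type, value) pairs, refusing the lengths
    a malformed or hostile packet could carry (shorter than the header, or
    running past the end of the buffer)."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        attrs.append((attr_type, bytes(data[i + 2:i + length])))
        i += length
    return attrs


def eap_key_name_attribute(client_random, server_random):
    """The Access-Accept attribute a server would emit for an EAP-TLS session."""
    return radius_attribute(ATTR_EAP_KEY_NAME,
                            eap_tls_session_id(client_random, server_random))


if __name__ == "__main__":
    # Stand-alone demo; the real randoms come from the TLS handshake.
    attr = eap_key_name_attribute(os.urandom(32), os.urandom(32))
    (attr_type, key_name), = parse_radius_attributes(attr)
    print(f"attribute {attr_type}: {len(key_name)}-byte EAP-Key-Name {key_name.hex()}")
```

The 65-byte Session-Id fits comfortably inside one attribute; a method whose Session-Id were longer than 253 bytes would need another encoding, which is one reason the attribute is defined as an opaque octet string.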


RES: Authentication by group and time.

2012-02-24 Thread Listas Angelo
Hello,

I managed to make it work, thanks.

I have another question. A user is connected to the RADIUS server and the 
time comes when he can no longer stay connected; does RADIUS perform the disconnect?

Thanks,

Angelo

From: freeradius-users-bounces+angelo-listas=prolinx.com...@lists.freeradius.org 
[mailto:freeradius-users-bounces+angelo-listas=prolinx.com...@lists.freeradius.org]
On behalf of ousmane sanogo
Sent: Thursday, 23 February 2012 07:45
To: FreeRadius users mailing list
Subject: Re: Authentication by group and time.

 

Hello,

look here 
http://wiki.freeradius.org/FAQ#How+do+I+use+Login-Time+for+groups%2C+not+for+users%3F

On 22 February 2012 at 19:42, Listas Angelo angelo-lis...@prolinx.com.br wrote:

 

Dear FreeRADIUS users, good afternoon!

I have a RADIUS server using MySQL database authentication by login and MAC 
address, and it is working very well.

Now I need to implement a new authentication plan where some users can only 
connect at certain times of day (e.g. Monday to Friday from 18:00 to 22:00 
and throughout the weekend).

Looking in the documentation I found Login-Time in FreeRADIUS, but found 
nothing on how to deploy this in my current configuration structure.

Has anyone done this and could give me some idea of how to do it?

Thank you!

Angelo

 



 

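Added example, not Angelo's configuration and not FreeRADIUS's own rlm_logintime code: a small re-implementation of the Login-Time check, run on Angelo's window (Monday to Friday 18:00-22:00 plus the whole weekend), to show what the check item decides and where the session end comes from. When the check passes, the module's job is to hand the NAS a Session-Timeout equal to the seconds left in the window; it is the NAS, not the RADIUS server, that then drops the session. The day/time syntax handled here (Wk for weekdays, Al/Any for every day, two-letter day names singly or as ranges such as Mo-Fr, an optional HHMM-HHMM range, comma-separated tokens) is my reading of the FreeRADIUS format and is an assumption to check against the documentation of the installed version.

```python
"""Added example (not FreeRADIUS's rlm_logintime): evaluate a Login-Time
check item and derive the Session-Timeout that ends the session."""
import datetime as dt
import re

# Day names as FreeRADIUS writes them, mapped to Python's weekday() (Mon = 0).
_DAY_INDEX = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
# One token: optional day spec, then optional HHMM-HHMM.  Syntax is an assumption.
_TOKEN = re.compile(r"([A-Za-z-]*)(?:(\d{2})(\d{2})-(\d{2})(\d{2}))?")
MINUTES_PER_DAY = 24 * 60


def _parse_days(text):
    """'Wk' = Mon-Fri, 'Al'/'Any'/'' = every day, 'Mo-Fr' = range, 'SaSu' = list.
    An unknown name raises KeyError, so a typo fails closed instead of open."""
    if text in ("", "Al", "Any"):
        return set(range(7))
    if text == "Wk":
        return set(range(5))
    days, i = set(), 0
    while i < len(text):
        if text[i] == "-":                       # range: day before '-' .. day after
            lo, hi = _DAY_INDEX[text[i - 2:i]], _DAY_INDEX[text[i + 1:i + 3]]
            days.update(range(lo, hi + 1) if lo <= hi
                        else list(range(lo, 7)) + list(range(0, hi + 1)))
            i += 3
        else:
            days.add(_DAY_INDEX[text[i:i + 2]])
            i += 2
    return days


def parse_login_time(spec):
    """Windows as (weekdays, start_minute, end_minute).  A range that crosses
    midnight becomes two windows, the second one on the following days."""
    windows = []
    for token in spec.split(","):
        m = _TOKEN.fullmatch(token.strip())
        if m is None:
            raise ValueError(f"bad Login-Time token: {token!r}")
        days = _parse_days(m.group(1))
        if m.group(2) is None:                   # no HHMM-HHMM: the whole day
            windows.append((days, 0, MINUTES_PER_DAY))
            continue
        start = int(m.group(2)) * 60 + int(m.group(3))
        end = int(m.group(4)) * 60 + int(m.group(5))
        if end == 0:
            end = MINUTES_PER_DAY                # "...-0000" runs to midnight
        if start < end:
            windows.append((days, start, end))
        else:
            windows.append((days, start, MINUTES_PER_DAY))
            windows.append(({(d + 1) % 7 for d in days}, 0, end))
    return windows


def seconds_remaining(spec, now):
    """Seconds left in the window that permits `now`, or 0 if login is not allowed."""
    minute = now.hour * 60 + now.minute
    best = 0
    for days, start, end in parse_login_time(spec):
        if now.weekday() in days and start <= minute < end:
            best = max(best, (end - minute) * 60 - now.second)
    return best


def authorize(spec, now):
    """What the check item leads to: reject outside the window, otherwise accept
    and tell the NAS to drop the session when the window closes."""
    left = seconds_remaining(spec, now)
    if left == 0:
        return "Access-Reject", {}
    return "Access-Accept", {"Session-Timeout": left}


if __name__ == "__main__":
    window = "Wk1800-2200,Sa,Su"                 # Angelo's requirement
    for when in (dt.datetime(2012, 2, 22, 19, 42), dt.datetime(2012, 2, 22, 17, 59),
                 dt.datetime(2012, 2, 25, 3, 0)):
        print(when.strftime("%a %H:%M"), authorize(window, when))
```

Adjacent windows are not merged here: on a Friday at 21:30 the user gets a 1800-second Session-Timeout even though Saturday is open all day, and will simply re-authenticate. Times are wall-clock in whatever zone `now` is expressed in, so the server's clock and zone must match what the policy means.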


Oauth2 Google?

2012-02-24 Thread Jesse Crayston
Hello,

I'm wondering if I could get help, or find documentation (even just a draft)
on setting up OAuth2 on a FreeRADIUS server (omniauth?). I'm looking to use
my Google Apps domain user database to manage users, and control access
through an Untangle captive portal, which is already set up (then probably
drop the portal and do EAP, though I'll play to see if I can start with
EAP).

Also, if I'm on the completely wrong/old track, I'm not too worried about
changing the plan now.

Thanks for the time/sorry for not lurking more before posting,

Jesse


Re: Oauth2 Google?

2012-02-24 Thread Phil Mayers


It sounds like you're on the wrong track; none of the bits and pieces 
you've mentioned fit together.


Can you explain in more detail what you're trying to accomplish?


Re: Oauth2 Google?

2012-02-24 Thread Jesse Crayston
Trying to get my users to have the same password on a radius server, as
they do on the google apps domain.


rlm_sqlcounter doesn't increase counter

2012-02-24 Thread pamela pomary
Hello Fellow Freeradius-Users,

I have freeradius-1.1.3 installed on CentOS and I have a Cisco C2960 switch
as my NAS.

I have a task to allocate 2 hours of browsing time per day to students in our
computer labs.

In the RADIUS debug-mode logs the counter doesn't increase; it always shows
"(Check item - counter) is greater than zero; check_item=120, counter=0".
Users are not signed out after Max-Daily-Session is reached.

I want to be able to disconnect a logged-in user after they reach their
maximum daily session.

Kindly find below the config files, which set a maximum daily session of 120
seconds for testing purposes.

I have searched through the FreeRADIUS mailing list but have not found a
solution yet. I will be grateful for any help.


Thank you.


###
config on Cisco switch C2960
#
aaa new-model
!
!
aaa group server radius dot1x
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting suppress null-username
aaa accounting session-duration ntp-adjusted
aaa accounting update newinfo periodic 1
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius


interface FastEthernet0/9
 switchport access vlan 6
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer inactivity 5
 dot1x pae both
 dot1x max-req 3
 spanning-tree portfast

radius-server host 10.1.7.202 auth-port 1812 acct-port 1813 key  key



###
/etc/raddb/sqlcounter.conf

sqlcounter noresetcounter {
        counter-name = Max-All-Session-Time
        check-name = Max-All-Session
        sqlmod-inst = sql
        key = User-Name
        reset = never

        query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

sqlcounter dailycounter {
        # filename, count-attribute and allowed-servicetype are rlm_counter options
        # and driver is an rlm_sql option; rlm_sqlcounter does not read them
        filename = ${raddbdir}/db.daily
        count-attribute = Acct-Session-Time
        driver = rlm_sqlcounter
        allowed-servicetype = Framed-User

        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        sqlmod-inst = sqlcca3
        key = User-Name
        reset = daily

        # %b is the start of the current reset period: only the part of a session
        # after %b is counted, and sessions that ended before %b are skipped
        query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

sqlcounter monthlycounter {
        counter-name = Monthly-Session-Time
        check-name = Max-Monthly-Session
        sqlmod-inst = sqlcca3
        key = User-Name
        reset = monthly

        query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}


##
/etc/raddb/radius.conf
##

modules {
        $INCLUDE ${confdir}/sqlcounter.conf
        # (other module definitions omitted)
}

instantiate {
        exec
        expr
        dailycounter
}

authorize {
        preprocess
        mschap
        suffix
        eap
        files
        sql
        dailycounter
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        eap
}




###
/etc/raddb/users
###


clare   Max-Daily-Session := 120, User-Password := "password"
        Auth-Type := Reject, Reply-Message = "Your time limit is used",
        Simultaneous-Use := 1




#
Debug output
#
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.1.5.4:1645, id=220, length=244
User-Name = clare
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = EC-30-91-1D-69-89
Calling-Station-Id = 00-1E-33-D5-7A-68
EAP-Message =
0x0209002b19001703010020205ecf13b3dc88bd738478cf6a2111e5903a5089b64e282bc15b5c7c6c0e771c
Message-Authenticator = 0x2cac65588536701091195c7b06db31a1
Cisco-AVPair = 

Re: rlm_sqlcounter doesn't increase counter

2012-02-24 Thread Alan Buxey
hi,

you don't seem to have SQL enabled in the accounting section...

the wiki entry should work

http://wiki.freeradius.org/Rlm_sqlcounter

alan


adding radius accounts

2012-02-24 Thread Dom
Is there a tool/addon to add and remove RADIUS accounts in the users 
file without modifying the file directly? Also, can the users file be 
configured to authenticate against Linux users that already exist?


Thanks


Total Data download

2012-02-24 Thread Fazal Ahmed Malik
Hi,

Is there any tool or script with the help of which I can find out how much
data was downloaded by all users in the last 30 days?

Please share the solution.

Best regards,

Fazal Ahmed Malik



Simultaneous-Use checking

2012-02-24 Thread opti2k4
Hi,

I need a little help with this. I have a MySQL setup with FreeRADIUS that is
working. Now for Simultaneous-Use checking there are no queries to uncomment
inside sql.conf by default (FreeRADIUS installed via apt-get).

Now I added to sql.conf:

simul_count_query = "SELECT COUNT(*) FROM radacct WHERE \
        UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, \
        NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol \
        FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

Group checking is disabled.

What else do I have to do to get this checking started?

Thx!

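Three of the threads above (the rlm_sqlcounter counter that stays at 0, the Simultaneous-Use queries, and the 30-day download total) all come down to queries over the same radacct table, so one added example serves them together. It is not code from any of the posts or from FreeRADIUS: it loads a constructed radacct into SQLite and runs the same arithmetic the posted dailycounter query does, plus the open-session count and a per-user traffic total. Assumptions, labelled in the code: times are stored as Unix seconds (the MySQL schema uses DATETIME, hence the UNIX_TIMESTAMP() calls in the real query), an open session has a NULL AcctStopTime (older MySQL schemas stored a zero DATETIME, which is what the "AcctStopTime = 0" test in the Simultaneous-Use post matches), SQLite's two-argument MAX() stands in for MySQL's GREATEST(), the reset period starts at UTC midnight, and the 30-day window selects sessions by start time. The function `counter_without_accounting` reproduces the counter=0 symptom from the sqlcounter thread: a session with no Interim-Update or Stop record has AcctSessionTime 0 and adds nothing to the sum, however long the user has been on.

```python
"""Added example (not code from the list posts or from FreeRADIUS): the
radacct queries behind rlm_sqlcounter, Simultaneous-Use and per-user traffic
totals, run against a constructed SQLite copy of radacct."""
import calendar
import sqlite3

DAY = 86400
# %b for "reset = daily": start of the current day (UTC midnight assumed).
PERIOD_START = calendar.timegm((2012, 2, 24, 0, 0, 0))

# Constructed rows.  Assumptions: times are Unix seconds (the MySQL schema uses
# DATETIME, which the real query wraps in UNIX_TIMESTAMP()); an open session has
# a NULL AcctStopTime (older MySQL schemas stored a zero DATETIME instead).
SAMPLE_RADACCT = [
    # UserName, AcctStartTime,          AcctSessionTime, AcctStopTime,                 In,     Out
    ("clare", PERIOD_START - 3600,      7200, PERIOD_START + 3600,             10_000, 50_000),  # crosses midnight
    ("clare", PERIOD_START + 8 * 3600,  1800, None,                             2_000, 30_000),  # still open
    ("clare", PERIOD_START - 2 * DAY,    600, PERIOD_START - 2 * DAY + 600,       500,  4_000),  # ended before %b
    ("clare", PERIOD_START - 40 * DAY,  3600, PERIOD_START - 40 * DAY + 3600,   9_000, 90_000),  # older than 30 days
    ("bob",   PERIOD_START + 3600,       900, None,                               100,  1_000),
]


def load_radacct(rows=SAMPLE_RADACCT):
    """In-memory radacct with just the columns these queries touch."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
        UserName TEXT, AcctStartTime INTEGER, AcctSessionTime INTEGER,
        AcctStopTime INTEGER, AcctInputOctets INTEGER, AcctOutputOctets INTEGER)""")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def daily_counter(conn, user, period_start):
    """The posted 'dailycounter' query: only session time after %b counts, and
    sessions that ended before %b are skipped.  SQLite's two-argument MAX()
    stands in for MySQL's GREATEST()."""
    row = conn.execute(
        "SELECT COALESCE(SUM(AcctSessionTime - MAX(? - AcctStartTime, 0)), 0) "
        "FROM radacct WHERE UserName = ? AND AcctStartTime + AcctSessionTime > ?",
        (period_start, user, period_start)).fetchone()
    return int(row[0])


def sqlcounter_check(conn, user, check_item, period_start):
    """rlm_sqlcounter's decision: reject once the counter reaches the check item,
    otherwise accept and hand the NAS the remaining seconds as Session-Timeout."""
    counter = daily_counter(conn, user, period_start)
    if counter >= check_item:
        return "Access-Reject", 0
    return "Access-Accept", check_item - counter


def counter_without_accounting(period_start=PERIOD_START):
    """The 'counter=0' symptom: a session that got a Start but never an
    Interim-Update or Stop keeps AcctSessionTime = 0 and adds nothing."""
    conn = load_radacct([("clare", period_start + 3600, 0, None, 0, 0)])
    return daily_counter(conn, "clare", period_start)


def simul_count(conn, user):
    """simul_count_query: how many of the user's sessions are still open."""
    return conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime IS NULL",
        (user,)).fetchone()[0]


def download_totals(conn, now, days=30):
    """Octets per user for sessions started in the last `days` days.
    Acct-Output-Octets is what the NAS sent towards the user, i.e. the download."""
    rows = conn.execute(
        "SELECT UserName, SUM(AcctInputOctets), SUM(AcctOutputOctets) "
        "FROM radacct WHERE AcctStartTime >= ? GROUP BY UserName",
        (now - days * DAY,)).fetchall()
    return {user: (int(up), int(down)) for user, up, down in rows}


if __name__ == "__main__":
    db = load_radacct()
    print("clare daily counter:", daily_counter(db, "clare", PERIOD_START))
    print("check 120:", sqlcounter_check(db, "clare", 120, PERIOD_START))
    print("open sessions:", simul_count(db, "clare"))
    print("30-day totals:", download_totals(db, PERIOD_START + 12 * 3600))
```

Two things the arithmetic makes visible: the counter is only as fresh as the last accounting packet written to radacct, so the switch's `aaa accounting update newinfo periodic 1` is useless unless the server's accounting section actually runs the sql module on Interim-Update; and the sqlcounter check happens at authorization time only, so a user already on the wire is cut off by the Session-Timeout the NAS was given, not by the server noticing the limit later.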