Re: errors when check with huntgroup
Hi,

Subject: Re: errors when check with huntgroup

hi, you've edited a whole lot of stuff out of your debug log... including the stuff which actually matters where the failure actually occurs (you just kept the part where the end result was recorded). alan

Below is the full output (radiusd -X) when user access is rejected. I compared it with the output when it succeeded, and it differs from the one below with ++[files] returns noop. I put the words === FIRST DIFFERENCE to find it easily.

users file contains :
bp3 Cleartext-Password := test , Calling-Station-Id == 844b.f5b8.d423 , Cisco-AVPair == ssid=ipl_dsi , Huntgroup-Name == wifi
with : , Huntgroup-Name == wifi when the reject occurs.

huntgroup file contains :
wifi NAS-IP-Address == 172.20.100.53

Thanks for any help. Bertrand.

radiusd -X
FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on Mar 11 2013 at 13:51:19
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Re: How to use checkval
Do you need RPM? Can you not just build and install from the source? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: errors when check with huntgroup
hi, add 'preprocess' to top of your authorize section in inner-tunnel ? alan
Re: How to use checkval
Hi Alan,

I'm trying it now, compiling from source and generating an rpm. But now I'm stuck at 2 dependencies. Hmm, can you show me how to build and install from source? Any link? Doesn't that still need dependencies?

libpcap-devel is needed by freeradius-server-2.2.0-0.x86_64
sqlite3-devel is needed by freeradius-server-2.2.0-0.x86_64

I have been searching around on the DVD ISO of SLES SP4 and also in the Novell repo, and still can't find it. Can anyone help?

Thanks
Danny

On Fri, Mar 15, 2013 at 4:33 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
Do you need RPM? Can you not just build and install from the source? alan

--
Best Regards, Danny
Re: How to use checkval
Hi All,

I just wanted to know, is there any way I can still use 1.1.7 and have the ability to check for an empty Calling-Station-Id? It can use any method as long as it works. I already tried to install / compile, but there are a lot of dependencies I can't find on the DVD / ISO, and I could not find them in the Novell repo either.

Thanks a lot.
Danny

On Fri, Mar 15, 2013 at 1:12 AM, Alan DeKok al...@deployingradius.com wrote:

Danny Kurniawan wrote:
So does anyone know how to do the following in FreeRadius 1.1.7 ?
if(control:Calling-Station-Id == ){ reject }

You don't. Version 1 doesn't support unlang.

I just want to reject the packet if the Control (or maybe check) is empty or has no value. I could not afford to upgrade at this time as it's the native freeradius that comes with SLES 10 and I'm not sure how to compile the new radius there.

There's a suse directory in the tarball. You should be able to build a SUSE RPM yourself.

Alan DeKok.

--
Best Regards, Danny
Re: ldap connection status
Hi, I think you should take a look at this : http://wiki.freeradius.org/config/Fail%20over
Re: Add LDAP groups as extra attributes
On 14 mar 2013, at 18:44, Arran Cudbard-Bell wrote:
That'd be the LDAP-UserDN attribute…

I know, but that attribute isn't presented to the python function call. Is there another way such as an environmental variable or just please update the source? :)

regards,
Robin
Re: ldap connection status
On 15.03.2013 12:08, Chitrang Srivastava wrote:
Hi, I want to do something like this in *authorize* section

ldap {
    fail = return
}
if(fail) {
    files_local
}
else {
    files
}

something like that should work. The ldap module will fail if the servers are unreachable.

Olivier
--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: How to use checkval
On Fri, Mar 15, 2013 at 8:47 PM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
Hi Alan, I'm trying it now, compiling from source and generating an rpm. But now I'm stuck at 2 dependencies. Hmm, can you show me how to build and install from source? Any link? Doesn't that still need dependencies?

libpcap-devel is needed by freeradius-server-2.2.0-0.x86_64
sqlite3-devel is needed by freeradius-server-2.2.0-0.x86_64

I have been searching around on the DVD ISO of SLES SP4 and also in the Novell repo, and still can't find it. Can anyone help?

Short version? Buy a suse subscription. You'd probably find it in their repository. If you don't, you can ask their support where to find it.

The other option is to use opensuse (if you still need a suse-like environment), or use whatever version of FR is available from http://download.opensuse.org/repositories/network:/aaa/ . They should at least have 2.1.12.

--
Fajar
Re: Add LDAP groups as extra attributes
On 15 Mar 2013, at 08:43, Robin Helgelin lob...@gmail.com wrote:

On 14 mar 2013, at 18:44, Arran Cudbard-Bell wrote:
That'd be the LDAP-UserDN attribute…

I know, but that attribute isn't presented to the python function call. Is there another way such as an environmental variable or just please update the source? :)

Did you check the control list (config item tuple)?

-Arran
Re: How to use checkval
Danny Kurniawan wrote:
I already tried to install / compile, but there are a lot of dependencies I can't find on the DVD / ISO, and I could not find them in the Novell repo either.

$ grep pcap suse/*
suse/freeradius.spec:BuildRequires: libpcap-devel

Edit that file, and delete the line. FreeRADIUS doesn't *need* anything. It can *use* pcap if you have it. But if you don't, it's fine.

You may need to create a new tar file, but that should be simple.

Remember, if it doesn't work, hit it with a hammer.

Alan DeKok.
Re: How to use checkval
Thanks Alan. Let me try that.

PS : I will prepare a hammer too, but too bad the server is in the US while I'm in Singapore :) If this is not going to work, I will give up and ask to install a brand new SLES 11 that supports 2.1.1.

Thanks
Danny

On Fri, Mar 15, 2013 at 9:49 PM, Alan DeKok al...@deployingradius.com wrote:

Danny Kurniawan wrote:
I already tried to install / compile, but there are a lot of dependencies I can't find on the DVD / ISO, and I could not find them in the Novell repo either.

$ grep pcap suse/*
suse/freeradius.spec:BuildRequires: libpcap-devel

Edit that file, and delete the line. FreeRADIUS doesn't *need* anything. It can *use* pcap if you have it. But if you don't, it's fine.

You may need to create a new tar file, but that should be simple.

Remember, if it doesn't work, hit it with a hammer.

Alan DeKok.

--
Best Regards, Danny
Re: How to use checkval
Update : It works like a charm :)

I removed sqlite3 and libpcap, and I can compile and install it just fine. And the Radius works.. *well, I haven't really tested it in PROD, but at least it can accept connections and unlang.

Thanks Alan, really2 appreciate that. Have a good weekend.

Danny

On Fri, Mar 15, 2013 at 9:56 PM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:

Thanks Alan. Let me try that.

PS : I will prepare a hammer too, but too bad the server is in the US while I'm in Singapore :) If this is not going to work, I will give up and ask to install a brand new SLES 11 that supports 2.1.1.

Thanks
Danny

On Fri, Mar 15, 2013 at 9:49 PM, Alan DeKok al...@deployingradius.com wrote:

Danny Kurniawan wrote:
I already tried to install / compile, but there are a lot of dependencies I can't find on the DVD / ISO, and I could not find them in the Novell repo either.

$ grep pcap suse/*
suse/freeradius.spec:BuildRequires: libpcap-devel

Edit that file, and delete the line. FreeRADIUS doesn't *need* anything. It can *use* pcap if you have it. But if you don't, it's fine.

You may need to create a new tar file, but that should be simple.

Remember, if it doesn't work, hit it with a hammer.

Alan DeKok.

--
Best Regards, Danny

--
Best Regards, Danny
Re: Freeradius-Users Digest, Vol 95, Issue 72
On 15/03/2013 12:00, freeradius-users-requ...@lists.freeradius.org wrote:
hi, add 'preprocess' to top of your authorize section in inner-tunnel ? alan

Thanks Alan, it works. Couldn't it be the default behavior?

I'm migrating from FR 1.x, where user-password had the syntax user-password == password. I'm wondering why the syntax is now with := ? The page http://freeradius.org/radiusd/man/users.html says :

Attribute := Value
Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added. As a reply item, it has an identical meaning, but for the reply items, instead of the request items.

Attribute == Value
As a check item, it matches if the named attribute is present in the request, AND has the given value. Not allowed as a reply item.

Bertrand
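The two operator rules quoted from the users man page, applied to the bp3 entry from this thread, as an added Python model (not code from the list posts or from FreeRADIUS). It assumes single-valued attributes and treats Huntgroup-Name as an ordinary request attribute; the entry layout and both requests are constructed.

```python
import re

# Constructed: the "bp3" users-file entry from this thread, joined on one line.
ENTRY = ("bp3 Cleartext-Password := test, Calling-Station-Id == 844b.f5b8.d423, "
         "Cisco-AVPair == ssid=ipl_dsi, Huntgroup-Name == wifi")

# attribute, operator, value; only the two operators quoted above are handled.
ITEM_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*(:=|==)\s*(.*?)\s*$")


def parse_entry(line):
    """Split 'name item, item, ...' into (name, [(attr, op, value), ...])."""
    name, _, rest = line.strip().partition(" ")
    items = []
    for chunk in rest.split(","):
        m = ITEM_RE.match(chunk)
        if m is None:
            raise ValueError(f"cannot parse check item: {chunk!r}")
        items.append(m.groups())
    return name, items


def evaluate(line, request):
    """Apply the quoted check-item rules to one request.

    Returns (matched, control, failed_item). Simplified model: one value
    per attribute, no quoting, no DEFAULT entries, no Fall-Through.
    """
    name, items = parse_entry(line)
    if request.get("User-Name") != name:
        return False, {}, ("User-Name", "==", name)
    control = {}
    for attr, op, value in items:
        if op == ":=":
            # Always matches; replaces any configuration item of that name.
            control[attr] = value
        elif request.get(attr) != value:
            # '==' needs the attribute present in the request AND equal.
            return False, {}, (attr, op, value)
    return True, control, None


# Constructed requests: identical except for Huntgroup-Name.
WITH_HUNTGROUP = {
    "User-Name": "bp3",
    "Calling-Station-Id": "844b.f5b8.d423",
    "Cisco-AVPair": "ssid=ipl_dsi",
    "Huntgroup-Name": "wifi",
}
WITHOUT_HUNTGROUP = {k: v for k, v in WITH_HUNTGROUP.items()
                     if k != "Huntgroup-Name"}

if __name__ == "__main__":
    for label, req in (("with", WITH_HUNTGROUP),
                       ("without", WITHOUT_HUNTGROUP)):
        print(label, "Huntgroup-Name:", evaluate(ENTRY, req))
```

The `:=` item never causes a mismatch; it only sets the configuration value, which is why the password line uses it while the other three items gate the entry.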
Re: What cert import to Windows Clients
DeKok.

--
Message: 4
Date: Thu, 14 Mar 2013 20:41:08 +
From: a.l.m.bu...@lboro.ac.uk
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: What cert import to Windows Clients

Hi,

01.pem ca.der ca.key ca.pem dh server.crt server.csr server.key server.p12 server.pem
Which of these files do I have to import to the Windows client machine ?

for EAP-TLS ? as that's a certificate authentication method you need to generate client certificates... the standard provided script will make client.* files and you'll need the client.der or client.cer file.

I have installed ca.der on a Windows XP machine but it was unsuccessful. I can't connect to the wireless network.

doing what if you only have ca.der installed - and you put it into the correct certificate store as per microsoft docs (or various correct online resources) then you can only be doing PEAP with that windows XP client - so ensure it's using a username/password that is known to the RADIUS server

alan

--
Message: 5
Date: Fri, 15 Mar 2013 07:52:06 +0800
From: Danny Kurniawan danny.kurnia...@fairchildsemi.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: How to use checkval

Hi All,

Sorry for this beginner question again. I have read the wiki; I will need some hints from any of you:

1. Which file do I need to download from http://freeradius.org/download.html ? Version 2.2.0: tar.gz OR Version 2.2.0: tar.bz2 ?
2. After I download one of them, do I just copy it here : * /usr/src/packages/SOURCES* ? Or should I extract the content?
3. Does the spec file have to be removed from the .tar file, or just copied out?
4. Which file should I edit to include this --with-edir option during configure ? I believe the usage of this is for radius to be able to check things like account lockedOut, account disabled etc?

Thanks a bunch
Danny

On Fri, Mar 15, 2013 at 2:00 AM, Alan DeKok al...@deployingradius.com wrote:

Danny Kurniawan wrote:
I have read some articles about compiling our own rpm. I'm only concerned about the --edir integration.

Add that to the suse files. Look for the script running configure.

So is there any input for me on whether, after I upgrade using the rpm that I build myself, I can still use it with edir? As I saw an article somewhere that said to make sure you use the --edir option when installing a freeradius that doesn't come with the OS.

You can edit the files in the suse directory.

It's just that this is a PROD server and I'm not really an expert in Linux, so if you / anyone else can give me a link or guide steps on how to upgrade the free radius manually on my SLES 10 I will be very happy.

See the wiki. http://wiki.freeradius.org/building/Build

Alan DeKok.

--
Best Regards, Danny

--
Message: 6
Date: Fri, 15 Mar 2013 12:11:12 +1100
From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: How to use checkval

On Fri, Mar 15, 2013 at 10:52 AM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
Hi All, Sorry for this beginner question again. I have read the wiki; I will need some hints from any of you:
1. Which file do I need to download from http://freeradius.org/download.html ? Version 2.2.0: tar.gz OR Version 2.2.0: tar.bz2 ?

Same thing. Please spend some time to learn about archive formats. For example: http://www.dslreports.com/faq/3999

2. After I download one of them, do I just copy it here : * /usr/src/packages/SOURCES* ? Or should I extract the content?
3. Does the spec file have to be removed from the .tar file, or just copied out?

This is beyond the scope of this list. Please learn about building RPM packages, especially on suse. Possibly ask on the suse list.

In general, the bundled suse spec file assumes that you have the spec file in the SPECS directory, and the bz2 file (as well as all other files in the suse directory) in SOURCES.

4. Which file should I edit to include this --with-edir option during configure ? I believe the usage of this is for radius to be able to check things like account lockedOut, account disabled etc?

If you had
Question about radwho/radutmp dates
Hi folks,

How long does radwho/radutmp store accounting information?

Thanks in advance

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
Proxy.conf realms
When doing 802.1x authentication from a Windows computer it initially sends the request with the computer credentials. The username comes across as host/E4310-D7SZZN1.domain.local. I then query LDAP in authorize and do authentication against AD. In order to do both steps the username needs to be stripped to just E4310-D7SZZN1.

I was able to accomplish this by placing the following in the authorize section

if (%{request:User-Name} =~ /^host\/(.*).domain.local$/) {
    update request {
        Stripped-User-Name = %{1}$
    }
}

This worked just for the authentication section as it appears this happens after the LDAP module is called in authorize. How can I get this to happen earlier in the process?

Right now I am looking at the proxy.conf file and setting a realm? Would this be the area to have this done?
Re: Proxy.conf realms
Well I found something that appears to work. I used the hints file. And it correctly stripped off the host/ and domain.local. However now I get the error

[eap] Identity does not match User-Name, setting from EAP Identity
[eap] Failed in handler

On Fri, Mar 15, 2013 at 3:29 PM, Matthew Ceroni matthewcer...@gmail.com wrote:

When doing 802.1x authentication from a Windows computer it initially sends the request with the computer credentials. The username comes across as host/E4310-D7SZZN1.domain.local. I then query LDAP in authorize and do authentication against AD. In order to do both steps the username needs to be stripped to just E4310-D7SZZN1.

I was able to accomplish this by placing the following in the authorize section

if (%{request:User-Name} =~ /^host\/(.*).domain.local$/) {
    update request {
        Stripped-User-Name = %{1}$
    }
}

This worked just for the authentication section as it appears this happens after the LDAP module is called in authorize. How can I get this to happen earlier in the process?

Right now I am looking at the proxy.conf file and setting a realm? Would this be the area to have this done?
FreeRADIUS as auth server for OpenVPN
Hi,

Can anybody please advise a tutorial/howto or good documentation on how to configure subj (FreeRADIUS as auth server for OpenVPN)?

Freeradius server is already configured, I'm trying to configure openvpn to auth from freeradius.

Should I use pam_radius (http://freeradius.org/pam_radius_auth/) ?

Thank you for advice

Best Regards,
Dmitry
---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg
e: dmitry.korzhe...@stidia.com
m: +38 093 874 5453
w: http://www.stidia.com
Re: FreeRADIUS as auth server for OpenVPN
There is a pam plugin for openvpn - openvpn-auth-pam.so

Deepti

On Fri, Mar 15, 2013 at 4:17 PM, Dmitry Korzhevin dmitry.korzhe...@stidia.com wrote:

Hi,

Can anybody please advise a tutorial/howto or good documentation on how to configure subj (FreeRADIUS as auth server for OpenVPN)?

Freeradius server is already configured, I'm trying to configure openvpn to auth from freeradius.

Should I use pam_radius (http://freeradius.org/pam_radius_auth/) ?

Thank you for advice

Best Regards,
Dmitry
---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg
e: dmitry.korzhe...@stidia.com
m: +38 093 874 5453
w: http://www.stidia.com
Re: FreeRADIUS as auth server for OpenVPN
Hi, Can anybody please advise a tutorial/howto or good documentation on how to configure subj (FreeRADIUS as auth server for OpenVPN)?

http://blog.hongens.nl/guides/setting-up-openvpn-using-radius-on-freebsd/

-bino-