ldap module, which objects return check and reply items

2013-07-03 Thread Martin Kraus
Hi.
Out of curiosity, which objects does the ldap module check for checkitems and
replyitems? Only the object that identifies the user and the object pointed to
by User-Profile?

I mapped a seeAlso attribute in ldap.attrmap but I don't see it being pulled
from a group object the user is matched against.

thanks
mk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP and non-EAP on same port?

2013-07-03 Thread Bruce Bauman
Right now we have freeradius configured so that EAP and non-EAP are handled by 
separate virtual servers which are listening on separate virtual ports. 
We'd like to simplify our configuration and use the same port for both. I've 
looked through the documentation without much success.

Does anyone have an example configuration of this?

Thanks.

-- Bruce

Bruce Bauman - Systems Administrator
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services
Office ~ (848) 445-6363




Re: EAP and non-EAP on same port?

2013-07-03 Thread Alan DeKok
Bruce Bauman wrote:
 Right now we have freeradius configured so that EAP and non-EAP are
 handled by separate virtual servers which are listening on separate
 virtual ports. 

  Why?

 We'd like to simplify our configuration and use the same port for both.
 I've looked through the documentation without much success.

  There's no magic here.  There's no documentation on "how do I do
EAP?", because none is needed.  EAP is just another module you list (or
not) in a virtual server.

  So... list "eap" in the virtual server, as is done in the example
files raddb/sites-available/default and
raddb/sites-available/inner-tunnel.

 Does anyone have an example configuration of this?

  The default configuration does EAP and non-EAP on the same port.

  Alan DeKok.


Re: EAP and non-EAP on same port?

2013-07-03 Thread Phil Mayers

On 03/07/13 15:29, Bruce Bauman wrote:

Right now we have freeradius configured so that EAP and non-EAP are
handled by separate virtual servers which are listening on separate
virtual ports.
We'd like to simplify our configuration and use the same port for both.
I've looked through the documentation without much success.

Does anyone have an example configuration of this?


The default config handles both eap and non-EAP just fine. You just list 
the eap and other auth modules (mschap, pap, chap) in authorize 
and authenticate, and pull the password info from LDAP/SQL/files as per 
usual.


However, it's likely you mean something more than the simple config 
you've specified. Can you be more specific about what is unclear to you?


If you want to do some logic conditional on whether the request is EAP 
or not, you can do this;


authorize {
  ...
  if (EAP-Message) {
    # we're an EAP request
    sql
    eap
    # any other modules needed on the EAP path go here
  }
  else {
    # we're non-eap
    files
    ldap
    mschap
    chap
    pap
  }
  ...
}

And of course, the inner EAP auth can be sent to a virtual server - see 
the sample eap.conf that comes with the server.

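Phil's snippet above splits the two paths by hand; the default site does the same job with the `eap { ok = return }` idiom. As an added example (not from Phil's or Alan's posts, nor the project's shipped files), here is a single FreeRADIUS 2.x virtual server that listens on one port and handles both EAP and non-EAP requests. The listener address and port, and the exact module list, are assumptions.

```unlang
# Added example (not from the list posts): one virtual server on one port
# handling EAP and non-EAP.  Address, port and module list are assumed.
server default {
	listen {
		type = auth
		ipaddr = *            # assumption: listen on all addresses
		port = 1812
	}

	authorize {
		preprocess
		chap                  # sets Auth-Type = CHAP if CHAP-Password is present
		mschap                # sets Auth-Type = MS-CHAP if MS-CHAP attributes are present
		suffix                # splits user@realm, sets Stripped-User-Name
		eap {
			ok = return       # rlm_eap saw an EAP-Message and accepted it:
		}                     # stop here, the rest of authorize is the non-EAP path
		files
		ldap                  # user lookup for non-EAP requests only; EAP
		                      # identities are looked up in the inner-tunnel server
		expiration
		logintime
		pap                   # sets Auth-Type = PAP if User-Password is present
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type CHAP {
			chap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		eap                   # Auth-Type = EAP was set by rlm_eap in authorize
	}

	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}
```

With this layout an EAP request never reaches files, ldap or pap in the outer server; the virtual server named in eap.conf (inner-tunnel by default) does the user lookup for the tunnelled identity, which is what Phil's last sentence points at.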


Re: Duplicated records in RADACCT with different delay times

2013-07-03 Thread Antonio Fernández Pérez
Hi Arran,

Could you tell me what is the reason why there are duplicated records in
radacct? NAS configuration mistakes? Why is AcctUniqueId not a UNIQUE
INDEX by default? Is it a bug?

Could I have any problem after executing this alter on the radacct table?

I look forward to your answer.

Best regards,

Antonio.

Re: Duplicated records in RADACCT with different delay times

2013-07-03 Thread Arran Cudbard-Bell

On 3 Jul 2013, at 15:50, Antonio Fernández Pérez 
antoniofernan...@fabergames.com wrote:

 Hi Arran,
 
 Could you tell me what is the reason why there are duplicated records in 
 radacct? NAS configuration mistakes? Why is AcctUniqueId not a UNIQUE INDEX 
 by default? Is it a bug?

Should have been UNIQUE INDEX by default; this is fixed in the current SQL schema 
files.

 Could I have any problem after executing this alter on the radacct table?

Nope, just adding the UNIQUE INDEX should fix it.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: ldap module, which objects return check and reply items

2013-07-03 Thread RONAN BLANEY
I have reported you dozens of times as spam yet get several emails a day
from you. I am not a part of a technicians' advice social network site, a
university campus titbits on the delight of identifying gremlins on a
computer, or a discussion forum group on the intricacies of using a computer.
What are you replying to?

On Wed, Jul 3, 2013 at 2:00 PM, Martin Kraus lists...@wujiman.net wrote:

 Hi.
 Out of curiosity, which objects does the ldap module check for checkitems
 and
 replyitems? Only the object that identifies the user and the object
 pointed to
 by User-Profile?

 I mapped a seeAlso attribute in ldap.attrmap but I don't see it being
 pulled
 from a group object the user is matched against.

 thanks
 mk


Re: ldap module, which objects return check and reply items

2013-07-03 Thread Arran Cudbard-Bell

On 3 Jul 2013, at 16:07, RONAN BLANEY ikeavolkswa...@gmail.com wrote:

 I have reported you dozens of times as spam yet get several emails a day from 
 you. I am not a part of a technicians' advice social network site, a 
 university campus titbits on the delight of identifying gremlins on a 
 computer, or a discussion forum group on the intricacies of using a computer. 
 What are you replying to? 
 
 On Wed, Jul 3, 2013 at 2:00 PM, Martin Kraus lists...@wujiman.net wrote:
 Hi.
 Out of curiosity, which objects does the ldap module check for checkitems and
 replyitems? Only the object that identifies the user and the object pointed to
 by User-Profile?
 
 I mapped a seeAlso attribute in ldap.attrmap but I don't see it being pulled
 from a group object the user is matched against.
 
 thanks
 mk

It's like the list has its very own pair of Furbys.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Duplicated records in RADACCT with different delay times

2013-07-03 Thread Antonio Fernández Pérez
Ok, thank you for your answer.

Best regards,

Antonio.

Re: Stripped-User-Name not set when using nostrip?

2013-07-03 Thread Alan DeKok
Júlíus Þór Bess Ríkharðsson wrote:
 For some reason I cannot get Stripped-User-Name attribute to get
 populated when using nostrip for a realm. Is this normal behaviour or am
 I missing something?

  That's how it works.  If you don't strip the name, you don't get a
stripped name.

 I need the User-Name attribute unchanged for EAP but it gets stripped as
 expected when nostrip is unset.

   Then set nostrip.

  What do you want it to do?  You're talking about problems, not about
goals.

  Alan DeKok.


Re: Stripped-User-Name not set when using nostrip?

2013-07-03 Thread Phil Mayers

On 03/07/13 16:24, Júlíus Þór Bess Ríkharðsson wrote:

Hi,

For some reason I cannot get Stripped-User-Name attribute to get
populated when using nostrip for a realm. Is this normal behaviour or am
I missing something?


Normal. "nostrip" means "don't populate Stripped-User-Name".


I need the User-Name attribute unchanged for EAP but it gets stripped as
expected when nostrip is unset.


"strip" on the realm should not change User-Name; it just populates 
Stripped-User-Name.


Also, your debug isn't EAP.


Re: Rejected proxy requests not making it to the client

2013-07-03 Thread Ti Leggett
Ok. I'll be firing up gdb and adding more logging. Before I did that I added a 
post_proxy detail log to see what the proxy server saw in that phase and for 
Access-Rejected packets they never get to the post_proxy section. Not sure if 
that sheds any more light on this.

Anyway, so I know where to focus my debugging, I want to make sure I understand 
how a proxied packet makes its way through the system. Is the path:

authorize -> pre_proxy -> post_proxy

That's how it looks from the debug logs. Do the authenticate sections ever get 
hit? Any other sections I should look into?


On Jul 2, 2013, at 3:33 PM, Arran Cudbard-Bell a.cudba...@freeradius.org 
wrote:

 
 On 2 Jul 2013, at 19:28, Ti Leggett legg...@mcs.anl.gov wrote:
 
 I'm not seeing a spin lock, but I'm running a 2.2.1 branch version that I 
 believe you pointed me at to fix an rlm_krb5 issue I was seeing earlier this 
 year. Is there an update for that branch or should I be moving to some other 
 version/branch?
 
 On Jul 2, 2013, at 1:03 PM, Arran Cudbard-Bell a.cudba...@freeradius.org 
 wrote:
 
 
 On 2 Jul 2013, at 18:51, Alan DeKok al...@deployingradius.com wrote:
 
 Ti Leggett wrote:
 I'm not sure how the script could be blocking the server after it's 
 already ran and returned the updated packet so the proxying can take 
 place which does happen:
 
 I don't know.  All I know is that the default configuration doesn't
 have child threads blocking when sending Access-Reject.
 
 The problem is due to a local change on your system.
 
 There was a bug in rlm_perl which caused it to go into an infinite loop 
 processing reply attributes. Check if radiusd is using 100% cpu, if it is, 
 upgrade.
 
 Then it's not the same issue.
 
 Break out GDB, set relevant breakpoints, and see where it's hanging, that's 
 all I can suggest.
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 



Re: Rejected proxy requests not making it to the client

2013-07-03 Thread Arran Cudbard-Bell

On 3 Jul 2013, at 17:19, Ti Leggett legg...@mcs.anl.gov wrote:

 Ok. I'll be firing up gdb and adding more logging. Before I did that I added 
 a post_proxy detail log to see what the proxy server saw in that phase and 
 for Access-Rejected packets they never get to the post_proxy section. Not 
 sure if that sheds any more light on this.
 
 Anyway, so I know where to focus my debugging, I want to make sure I 
 understand how a proxied packet makes its way through the system. Is the path:
 
 authorize -> pre_proxy -> post_proxy
 
 That's how it looks from the debug logs. Do the authenticate sections ever 
 get hit? 

That's the correct flow. 

authorize -> pre-proxy -> post-proxy -> post-auth

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



multiple ldap instances, which instance is used for searching?

2013-07-03 Thread Martin Kraus
Hi.
  I had to create 3 instances for the ldap module. One is the default 

ldap {
}

and then I got two named

ldap ldap-eduroam {
}

ldap ldap-netdefault {
}

I'm using the two named for doing attribute pulling in post-proxy.

Now my setup stopped working because suddenly ldap-eduroam was checking for
groups when matching Ldap-Group. I was under the impression that when not
specified with ldap-eduroam-Ldap-Group the default ldap entry would be used.

I had to instantiate the ldap modules in a special order

instantiate {
ldap-eduroam
ldap-netdefault
ldap
}

so the ldap instance would take over again. Is this an expected behaviour?
Will this solution hold, or should I name the ldap instance as well and use
the <name>-Ldap-Group everywhere?

thanks
mk


Re: multiple ldap instances, which instance is used for searching?

2013-07-03 Thread Phil Mayers

On 03/07/13 17:34, Martin Kraus wrote:


Now my setup stopped working because suddenly ldap-eduroam was checking for
groups when matching Ldap-Group. I was under the impression that when not
specified with ldap-eduroam-Ldap-Group the default ldap entry would be used.


No. Most recently instantiated, which can be essentially random.

Basically, don't do this; if you have more than 1 ldap instance, don't use 
Ldap-Group, always use <instance>-Ldap-Group.




I had to instantiate the ldap modules in a special order

instantiate {
 ldap-eduroam
 ldap-netdefault
 ldap
}

so the ldap instance would take over again. Is this an expected behaviour?


Yes


Will this solution hold, or should I name the ldap instance as well and use
the <name>-Ldap-Group everywhere?


Yes
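Phil's advice, worked through as an added example (not Martin's configuration and not the project's shipped files): every ldap instance gets a name, so each has its own `<instance>-Ldap-Group` attribute and the plain Ldap-Group, which simply belongs to whichever instance was instantiated last, is never used. The instance names follow Martin's post (plus a name for his previously unnamed default instance); hostnames, base DNs, group names and the VLAN values are constructed, and the post-proxy part assumes the group comparison searches for the user's DN itself when the instance was not called earlier in the request.

```unlang
# Added example (not from the list posts).  Hostnames, base DNs, group
# names and VLAN ids are constructed.

ldap ldap-default {
	server = "ldap.example.org"                        # constructed
	basedn = "dc=example,dc=org"                       # constructed
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	groupname_attribute = cn
	groupmembership_filter = "(member=%{control:Ldap-UserDn})"
}

ldap ldap-eduroam {
	server = "ldap.eduroam.example.org"                # constructed
	basedn = "dc=eduroam,dc=example,dc=org"            # constructed
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	groupname_attribute = cn
	groupmembership_filter = "(member=%{control:Ldap-UserDn})"
}

ldap ldap-netdefault {
	server = "ldap.net.example.org"                    # constructed
	basedn = "dc=net,dc=example,dc=org"                # constructed
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	groupname_attribute = cn
	groupmembership_filter = "(member=%{control:Ldap-UserDn})"
}

# With all instances named, this order no longer decides which directory
# answers a group check.
instantiate {
	ldap-default
	ldap-eduroam
	ldap-netdefault
}

# sites-enabled/default: local users are checked against ldap-default only.
authorize {
	preprocess
	suffix
	ldap-default
	if (ldap-default-Ldap-Group == "wifi-staff") {     # instance-prefixed form
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "10"            # constructed
		}
	}
	pap
}

# Attribute pulling for proxied requests, as in Martin's setup: the realm
# picks which named instance's group attribute is consulted.  Assumption:
# rlm_ldap looks the user up itself when Ldap-UserDn is not yet cached.
post-proxy {
	if (Realm == "eduroam") {
		if (ldap-eduroam-Ldap-Group == "eduroam-staff") {
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "20"        # constructed
			}
		}
	}
	else {
		if (ldap-netdefault-Ldap-Group == "net-staff") {
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "30"        # constructed
			}
		}
	}
}
```

The same rule applies in the users file: write `DEFAULT ldap-default-Ldap-Group == "wifi-staff"` rather than `DEFAULT Ldap-Group == "wifi-staff"`, otherwise the check silently moves to a different directory whenever the instantiate order changes.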


Re: multiple ldap instances, which instance is used for searching?

2013-07-03 Thread Arran Cudbard-Bell

On 3 Jul 2013, at 17:34, Martin Kraus lists...@wujiman.net wrote:

 Hi.
  I had to create 3 instances for the ldap module. One is the default 
 
 ldap {
 }
 
 and then I got two named
 
 ldap ldap-eduroam {
 }
 
 ldap ldap-netdefault {
 }


That right there:
https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_ldap/rlm_ldap.c#L511

Would be a bug.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: multiple ldap instances, which instance is used for searching?

2013-07-03 Thread Arran Cudbard-Bell

On 3 Jul 2013, at 17:47, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 03/07/13 17:34, Martin Kraus wrote:
 
 Now my setup stopped working because suddenly ldap-eduroam was checking for
 groups when matching Ldap-Group. I was under the impression that when not
 specified with ldap-eduroam-Ldap-Group the default ldap entry would be used.
 
 No. Most recently instantiated, which can be essentially random.
 
 Basically, don't do this; if you have more than 1 ldap instance, don't use 
 Ldap-Group, always use <instance>-Ldap-Group.

Yeah, that's awful behaviour. I've fixed it for 3.0.0, I guess if people are 
using it, probably not a good idea to change it for 2.x.x.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: EAP and non-EAP on same port?

2013-07-03 Thread A . L . M . Buxey
Hi,

We'd like to simplify our configuration and use the same port for both.

the default configuration does that

alan


Re: Stripped-User-Name not set when using nostrip?

2013-07-03 Thread Alan DeKok
Júlíus Þór Bess Ríkharðsson wrote:
 Alan: The goal is to be able to use EAP and still be able to authorize the user 
 using LDAP. The object's name is obviously not realm\user.

  Yes.  Plenty of other people get this to work.

 The behaviour is the same for EAP (just longer output :)), I don't get the 
 option of Stripped-User-Name. And when I unset nostrip; User-Name gets 
 stripped along with Stripped-User-Name being set and the tunnel doesn't work.

  You've set the request to be proxied.  Why?  What's wrong with just
processing the request in the inner-tunnel virtual server?

  i.e. configure raddb/sites-available/inner-tunnel to do LDAP lookups
for the user.

  If you're not sure how the server works, you shouldn't be creating a
complicated configuration.

   [ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with 
 filter (sAMAccountName=umsja\5ctest.juliusbess)
   [ldap-innra.umsja.is] rebind to URL 
 ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is
   [ldap-innra.umsja.is] rebind to URL 
 ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is
   [ldap-innra.umsja.is] object not found
 [ldap-innra.umsja.is] search failed

   So... what is hard to understand about that?

 Without nostrip:

   [ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with 
 filter (sAMAccountName=test.juliusbess)
   [ldap-innra.umsja.is] rebind to URL 
 ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is
   [ldap-innra.umsja.is] rebind to URL 
 ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is
 [ldap-innra.umsja.is] looking for check items in directory...
   [ldap-innra.umsja.is] extensionAttribute10 -> Jira-Key == MEF
 [ldap-innra.umsja.is] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that the 
 user is configured correctly?

  And that should be useful, too.

  You've butchered the default configuration.  Why?  Just... why?

- start with the default configuration

- ensure that LDAP works for non-EAP

- ensure that LDAP works with the inner-tunnel
  use v2.2.0 for this.  Really.  Read raddb/sites-available/inner-tunnel

- configure the realm as a LOCAL realm.

- it WILL WORK.

  Whatever you've done is four times the work, more complicated, and
fragile.

  And the LDAP lookups aren't working at *all*.  So even if you fix the
EAP / User-Name issue, the system STILL won't work.

  Alan DeKok.
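Alan's steps, worked through as an added example (not from his post and not the shipped raddb files): a realm with no server pool, so it is handled locally and nothing is proxied; the ntdomain realm instance that understands DOMAIN\user; and an ldap instance whose filter uses Stripped-User-Name when the realm module set it and falls back to User-Name otherwise, so User-Name itself is never rewritten and EAP keeps the identity it needs. The base DN and the sAMAccountName filter come from the thread's debug output; the LDAP host and bind credentials are placeholders. Verifying passwords against AD is out of scope here (Alan's AD page covers ntlm_auth); this only shows the name handling.

```unlang
# Added example, not from the list posts.  Base DN and filter attribute are
# from the thread's debug output; host and bind credentials are placeholders.

# proxy.conf: a realm with no auth_pool/acct_pool is handled LOCALLY, so the
# request is never proxied.  Without "nostrip", rlm_realm sets
# Stripped-User-Name but leaves User-Name untouched.
realm umsja {
}

# modules/realm: splits "umsja\test.juliusbess" on the backslash, giving
# Realm = umsja and Stripped-User-Name = test.juliusbess
realm ntdomain {
	format = prefix
	delimiter = "\\"
}

# modules/ldap: prefer the stripped name for the search, fall back to the
# full User-Name when no realm was recognised.
ldap {
	server = "PLACEHOLDER-ldap-host"              # placeholder: not on the page
	identity = "PLACEHOLDER-bind-dn"              # placeholder
	password = "PLACEHOLDER-bind-password"        # placeholder
	basedn = "DC=innra,DC=umsja,DC=is"
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}

# sites-available/inner-tunnel: the tunnelled identity is processed here,
# never proxied.
server inner-tunnel {
	authorize {
		mschap
		ntdomain                  # runs before ldap so Stripped-User-Name exists
		update control {
			Proxy-To-Realm := LOCAL   # belt and braces: never proxy inner data
		}
		eap {
			ok = return
		}
		files
		ldap                      # searches for test.juliusbess, not umsja\test.juliusbess
		expiration
		logintime
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}
```

Run with `radiusd -X` and compare the two filters from the thread: the search should now show `(sAMAccountName=test.juliusbess)` while the debug output's expanded User-Name still reads `umsja\test.juliusbess`.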


Re: Rejected proxy requests not making it to the client

2013-07-03 Thread Alan DeKok
Ti Leggett wrote:
 Ok. I'll be firing up gdb and adding more logging. Before I did that I added 
 a post_proxy detail log to see what the proxy server saw in that phase and 
 for Access-Rejected packets they never get to the post_proxy section.

  I'm not sure how that happens.  The proxy reply is *immediately*
processed through the post_proxy section.

 Not sure if that sheds any more light on this.
 
 Anyway, so I know where to focus my debugging, I want to make sure I 
 understand how a proxied packet makes its way through the system. Is the path:
 
 authorize -> pre_proxy -> post_proxy
 
 That's how it looks from the debug logs. Do the authenticate sections ever 
 get hit? Any other sections I should look into?

  No.  See src/main/event.c.  It's complicated, but there aren't many
references to processing the proxy reply.

  Alan DeKok.


Re: Stripped-User-Name not set when using nostrip?

2013-07-03 Thread Júlíus Þór Bess Ríkharðsson
Hi,

Thanks for your replies... I'm not sure why you say that my LDAP is not working
because in the second debug output you can see that I find the object and use
its DN and also extract an attribute from the object. There is no known good
password however because AD doesn't store clear-text passwords. The LDAP lookup
is not working, however, in the first debug output because I can't use
Stripped-User-Name because of nostrip. In the second debug output I removed
nostrip but that strips User-Name (See expanded User-Name and
Stripped-User-Name).

I made this setup so that I could keep things separated. I wanted everything
for that domain to be handled in its own virtual-server. I thought that was your
idea? Am I misunderstanding virtual-servers?

So... is the conclusion that; this is the behaviour of User-Name when proxied?

-----freeradius-users-bounces+julius.bess=nyherji...@lists.freeradius.org wrote: -----
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
From: Alan DeKok
Sent by: freeradius-users-bounces+julius.bess=nyherji...@lists.freeradius.org
Date: 07/03/2013 08:28PM
Subject: Re: Stripped-User-Name not set when using nostrip?

Phil Mayers wrote:
 Have you actually *tried* this, because it should work. If it doesn't,
 it's likely a problem in your local config.

  He's *proxying* the request after stripping the User-Name.  That's the
immediate source of the issue.  If he had just used the default config, it
wouldn't be an issue.

  And his LDAP lookups don't return anything.  So even fixing the proxying
issues won't help.  That has to be fixed, too.

  Alan DeKok.

Re: Stripped-User-Name not set when using nostrip?

2013-07-03 Thread Alan DeKok
Júlíus Þór Bess Ríkharðsson wrote:
 I'm not sure why you say that my LDAP is not working because in the
 second debug output you can see that I find the object and use its DN
 and also extract an attribute from the object. There is no known good
 password however because AD doesn't store clear-text passwords.

  Then you're not really using an LDAP server.  See my web page for
instructions on getting FreeRADIUS to work with AD:

http://deployingradius.com/documents/configuration/active_directory.html

 I made this setup so that I could keep things separated. I wanted
 everything for that domain to be handled in its own virtual-server. I
 thought that was your idea? Am I misunderstanding virtual-servers?

  No. But you're PROXYING the tunneled request.  Why?  The
inner-tunnel virtual server already handles the tunneled request.

 So... is the conclusion that; this is the behaviour of User-Name when
 proxied?

  Follow the instructions in my previous message.  DON'T proxy the inner
tunnel data.

  It's that easy.

  You're ignoring my instructions.  You're asking irrelevant questions.
 You can try to figure out *why* it's going wrong.  Or, you can follow
instructions and have it work.

  Which one do you prefer?

  Alan DeKok.


Re: Using freeradius as proxy for EAP-SIM/EAP-AKA

2013-07-03 Thread Bill Yuan
Can I know what brand of radius server you are going to use for EAP-SIM/AKA?
I am interested in this.


On Tue, Jul 2, 2013 at 3:51 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 07/02/2013 07:56 AM, Ming-Ching Tiew wrote:

  So this [^@]*@wlan.mncX.mccY.3gppnetwork.org is
  unique ? All the SIMs
 from the same mobile operator will have the same string and it will be
 different from another mobile operator ?


 Yes, though be aware the pattern given isn't exactly valid; X and Y are
 N-digit numbers (the MNC and MCC, obviously). Twiddle as appropriate to
 make a valid regexp.



Setting Class attribute by LDAP Groups

2013-07-03 Thread Patrick Gawthorne
Hello

Currently trying to implement a way to get the Ldap-Group used for checking 
(within acct_users) into the Accounting-Request packet as the Class attribute. 
I can get it to send a static variable just fine using the following (I'm 
proxying the accounting messages):

update request {
    Class = "Some Variable"
}
}

However, I was looking at doing something along the lines of:

update request {
Class = %{Ldap-Group}
}

Also tried defining a custom variable within the dictionary file and setting it 
within acct_users; however, it expands to nothing in the preacct section. I must 
be doing something wrong.

I did read somewhere if you included the Class variable within the reply in the 
Access-Accept packet that it would be sent back and used within the accounting 
messages as well but this hasn't been the case for me.
Even if it's just some static variable that I set within the 'acct_users' to 
get it to send the class attribute; this will achieve my goal.
Assuming that the 'users' file and the 'acct_users' file have the same 
behaviour then why can't I set Class within the 'acct_users' file like I can 
with 'users' file?

Any assistance on this will be greatly appreciated. :)

Cheers,
Pat

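Ldap-Group is a check item that rlm_ldap evaluates by comparing, not an attribute sitting in the request list, so `%{Ldap-Group}` expands to nothing; the group has to be tested with a condition and the Class value assigned from that. As an added example (not Patrick's configuration and not the project's files), both routes are shown: Class set in the Access-Accept, which RFC 2865 says the NAS should echo unmodified in its Accounting-Requests, and, for NASes that do not, Class set on the Accounting-Request itself in preacct before it is proxied. A single ldap instance is assumed; the group names and Class values are constructed, and the preacct part assumes the group comparison performs its own user lookup for the accounting User-Name.

```unlang
# Added example, not from the list post.  Group names and Class values are
# constructed; a single (unnamed) ldap instance is assumed.

# sites-enabled/default, authentication side
authorize {
	preprocess
	suffix
	ldap                     # caches the user's DN for the group checks below
	pap
}

post-auth {
	# Class travels in the Access-Accept; a conforming NAS copies it into
	# every Accounting-Request for that session, so no accounting-side
	# configuration is needed when the NAS behaves.
	if (Ldap-Group == "staff") {
		update reply {
			Class := "staff"                  # constructed value
		}
	}
	elsif (Ldap-Group == "students") {
		update reply {
			Class := "students"               # constructed value
		}
	}
}

# sites-enabled/default, accounting side (this server proxies accounting on)
preacct {
	preprocess
	acct_unique
	suffix
	# Only fill Class in when the NAS did not echo it.  Ldap-Group cannot be
	# expanded with %{Ldap-Group}; it is evaluated by comparison.  Assumption:
	# rlm_ldap searches for the accounting User-Name itself here.
	if (!Class) {
		if (Ldap-Group == "staff") {
			update request {
				Class := "staff"              # constructed value
			}
		}
		elsif (Ldap-Group == "students") {
			update request {
				Class := "students"           # constructed value
			}
		}
	}
}

pre-proxy {
	# The Accounting-Request, now carrying Class, is forwarded as-is.
	attr_filter.pre-proxy
}
```

To confirm which route is in play, run `radiusd -X` and look at the incoming Accounting-Request: if Class is already present, the NAS echoed the Access-Accept value and the preacct branch is skipped; if it is absent, the preacct update is what puts it on the proxied packet.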