ldap: multiple radius profiles
Dear listmembers,

I have the following setup:
- Centos 6.4
- freeradius version: radiusd: FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
- authorization/authentication in ldap (openldap)

What I am trying to achieve is:
- manage radius profiles completely in ldap with replyItems
- return reply items of multiple profiles to a user if he belongs to multiple profiles

Example RADIUS Profiles:

dn: uid=aosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
cn: AOS Read-Write
objectClass: radiusObjectProfile
objectClass: radiusProfile
uid: aosReadWrite
radiusReplyItem: Alcatel-Access-Priv += Alcatel-Read-Priv
radiusReplyItem: Alcatel-Access-Priv += Alcatel-Write-Priv
radiusReplyItem: Alcatel-Access-Priv += Alcatel-Admin-Priv
radiusReplyItem: Alcatel-Acce-Priv-F-W1 = 0x
radiusReplyItem: Alcatel-Acce-Priv-F-W2 = 0x

dn: uid=sosReadWrite,ou=profiles,ou=radius, dc=example,dc=com
cn: screenOS Read-Write
objectClass: radiusObjectProfile
objectClass: radiusProfile
uid: sosReadWrite
radiusReplyItem: NS-Admin-Privilege = Root-Admin

Example RADIUS User:

dn: uid=hachmer,ou=users,ou=radius,dc=example,dc=com
cn: Tobias Hachmer
givenName: Tobias
mail: tobias.hach...@stadt-frankfurt.de
radiusServiceType: Administrative-User
sn: Hachmer
uid: hachmer
objectClass: top
objectClass: inetOrgPerson
objectClass: radiusProfile
userPassword:: ...
radiusGroupName: aosReadWrite
radiusGroupName: sosReadWrite

I don't know how to configure FreeRADIUS to read the radiusGroupName attribute and attach the configured return items to the return list.

Using unlang I am able to do this:

if (Ldap-Group == cn=aosReadWrite,ou=groups,ou=radius,dc=example,dc=com) {
    update reply {
        Alcatel-Access-Priv = Alcatel-Read-Priv
        Alcatel-Access-Priv += Alcatel-Write-Priv
        Alcatel-Access-Priv += Alcatel-Admin-Priv
        Alcatel-Acce-Priv-F-W1 := 0x
        Alcatel-Acce-Priv-F-W2 := 0x
        Alcatel-Asa-Access := All
    }
}
if (Ldap-Group == cn=sosReadWrite,ou=groups,ou=radius, dc=example,dc=com) {
    update reply {
        NS-Admin-Privilege := Root-Admin
    }
}

This is working fine but has the disadvantage that I have to configure the return items statically in the freeradius configuration files. I want to manage these profiles also in ldap. Is this possible?

Kind regards,
Tobias Hachmer

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ldap: multiple radius profiles
> I don't know how to configure FreeRADIUS to read the "radiusGroupName" attribute and attach the configured return Items to the return list.

*configured reply items to the reply list.

> Using unlang I am able to do this:
>
> if (Ldap-Group == cn=aosReadWrite,ou=groups,ou=radius,dc=example,dc=com) {
>     update reply {
>         Alcatel-Access-Priv = Alcatel-Read-Priv
>         Alcatel-Access-Priv += Alcatel-Write-Priv
>         Alcatel-Access-Priv += Alcatel-Admin-Priv
>         Alcatel-Acce-Priv-F-W1 := 0x
>         Alcatel-Acce-Priv-F-W2 := 0x
>         Alcatel-Asa-Access := All
>     }
> }
> if (Ldap-Group == cn=sosReadWrite,ou=groups,ou=radius, dc=example,dc=com) {
>     update reply {
>         NS-Admin-Privilege := Root-Admin
>     }
> }
>
> This is working fine but has the disadvantage that I have to configure the return items statically in the freeradius configuration files.

Yes.

> I want to manage these profiles also in ldap. Is this possible?

Well yes, that's the point of RADIUS profile in LDAP. You need to set the profile_attribute configuration item to radiusGroupName.

IIRC you also need to use full DNs for the radiusGroupName values.

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
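As an added illustration, not FreeRADIUS code and not part of the thread, of what the server ends up doing once profile_attribute points at radiusGroupName with full-DN values: a small Python model that follows each DN to its profile entry and applies the radiusReplyItem lines with FreeRADIUS pair-operator rules (=, :=, +=). The LDIF is constructed from the thread's entries; the second profile's Alcatel-Acce-Priv-F-W1 line is an assumption added to show that a later := overrides an earlier value.

```python
# Added illustration, not FreeRADIUS code: resolve a user's profile DNs from
# radiusGroupName and merge their radiusReplyItem values with FreeRADIUS
# pair-operator semantics. Constructed LDIF adapted from the thread's entries,
# with radiusGroupName as full DNs; the second profile's Alcatel-Acce-Priv-F-W1
# line is invented here to show how a later := overrides an earlier value.
LDIF = """
dn: uid=aosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
radiusReplyItem: Alcatel-Access-Priv += Alcatel-Read-Priv
radiusReplyItem: Alcatel-Access-Priv += Alcatel-Write-Priv
radiusReplyItem: Alcatel-Acce-Priv-F-W1 := 0x

dn: uid=sosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
radiusReplyItem: NS-Admin-Privilege := Root-Admin
radiusReplyItem: Alcatel-Acce-Priv-F-W1 := 0xff

dn: uid=hachmer,ou=users,ou=radius,dc=example,dc=com
radiusGroupName: uid=aosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
radiusGroupName: uid=sosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from minimal one-'attr: value'-per-line LDIF."""
    entries, cur = {}, None
    for line in filter(str.strip, text.splitlines()):
        attr, _, value = line.partition(": ")
        if attr == "dn":
            cur = entries.setdefault(value, {})
        else:
            cur.setdefault(attr, []).append(value)
    return entries

def apply_item(reply, item):
    """Apply one 'Attr OP value' item using FreeRADIUS operator rules."""
    attr, op, value = item.split(" ", 2)
    if op == ":=":      # set: replace every existing value of the attribute
        reply[attr] = [value]
    elif op == "+=":    # append: add another value, keep the existing ones
        reply.setdefault(attr, []).append(value)
    elif op == "=":     # add only if the attribute is not already present
        reply.setdefault(attr, [value])
    else:
        raise ValueError("unsupported operator %r in %r" % (op, item))

def reply_for(entries, user_dn):
    """Merge the reply items of every profile DN in the user's radiusGroupName, in order."""
    reply = {}
    for profile_dn in entries[user_dn].get("radiusGroupName", []):
        for item in entries[profile_dn].get("radiusReplyItem", []):
            apply_item(reply, item)
    return reply
```

Because profiles are applied in the order the directory returns them, a := in one profile silently replaces what another profile set; use += where both values should survive.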
Re: Fwd: radiusclient-ng in Debian
The FTP masters just accepted the new freeradius-client package, it should be available to install now using apt-get

I've opened a bug request for removal of the radiusclient-ng package from the Debian archive

On 19/07/13 19:25, Daniel Pocock wrote:
> On 15/07/13 23:21, Daniel Pocock wrote:
>> On 15/07/13 21:51, Alan DeKok wrote:
>>> Daniel Pocock wrote:
>>>> I just opened this report against radiusclient-ng in Debian (see below), can anybody else comment on the situation, in particular, for compatibility? Is there any urgency for Debian to update to the new client code?
>>>
>>> It has a number of bugs fixed. The old radiusclient-ng code is no longer maintained.
>>
>> I'm in the pkg-voip group at Debian so I can potentially package this new version of the library
>
> I've uploaded this today, it is in Debian's approval queue now
>
> For anybody who can't wait, packaging artifacts are here:
>
> Vcs-Git: git://git.debian.org/pkg-voip/freeradius-client.git
> Vcs-Browser: http://git.debian.org/?p=pkg-voip/freeradius-client.git;a=summary
Re: client code for long extended attributes?
On 20/07/13 14:56, Alan DeKok wrote:
> Daniel Pocock wrote:
>> Should this code be shared with the client project freeradius-client?
>
> No. The freeradius-client code is pretty bad.
>
>> Or is it preferred to build a new client (or shared library) from the freeradius-server repository eventually?
>
> The client code is already LGPL'd. So it could be used as a client.

Could you please clarify that - it is possible to build a client library from the server source tarball?

In Debian, I see libfreeradius2 built from the server source tarball but that appears to be server-side library code, or is it also for client applications?
Re: client code for long extended attributes?
Daniel Pocock wrote:
> Could you please clarify that - it is possible to build a client library from the server source tarball?

Yes. RedHat already packages libfreeradius-radius as a separate RPM, IIRC.

> In Debian, I see libfreeradius2 built from the server source tarball but that appears to be server-side library code, or is it also for client applications?

Yes. It's a fully-featured LGPL'd RADIUS library. It handles everything related to RADIUS. Sockets, encoding, decoding, dictionaries, etc.

Alan DeKok.
Re: Fwd: radiusclient-ng in Debian
Daniel Pocock wrote:
> The FTP masters just accepted the new freeradius-client package, it should be available to install now using apt-get
>
> I've opened a bug request for removal of the radiusclient-ng package from the Debian archive

Thanks.

Alan DeKok.
Re: Rlm_perl in func_authenticate
Thanks for your reply.

On Sep 2, 2013 12:36 AM, Alan DeKok al...@deployingradius.com wrote:
> Mehdi Ravanbakhsh wrote:
>> I have some problem in understanding the capability of rlm_perl in authenticate ...
>>
>> If I use this:
>>
>> DEFAULT Auth-Type = Perl
>>     Fall-Through = yes
>>
>> then all user authentication will be done with this Auth-Type?
>
> Yes. That's what you told it to do.
>
>> So what happens to the PAP, CHAP modules?
>
> They're not called.
>
>> And what is the relation of all the modules in the authenticate section?
>
> Read the comments before the authenticate section. And doc/aaa.rst. This is documented.
>
> Alan DeKok.
Re: eap-tls ignore client cert expiry check - crazy idea?
Hi All,

Just to let you all know I did get all my setup working (took me a while, not being a linux guru) but it does work as expected. Just in case anyone was wondering :)

Many thanks all
Ken :)

On 29 August 2013 at 16:05 ken.farrington ken.farring...@802.co.uk wrote:
> Hi All,
>
> Is there a way, if I had 10 clients in my home lab and all the certs expire tomorrow, that rather than re-provide all the certs to my clients, I can frigg the radius server time to still accept them?
>
> I'm guessing this is a no, but from what I see, the client cert is presented and checked against the server time. Would this be correct?
>
> Many thanks in advance
> Ken
AW: ldap: multiple radius profiles
>> I don't know how to configure FreeRADIUS to read the radiusGroupName attribute and attach the configured return Items to the return list.
>
> *configured reply items to the reply list.

Of course, sorry for the inaccuracy.

>> I want to manage these profiles also in ldap. Is this possible?
>
> Well yes, that's the point of RADIUS profile in LDAP. You need to set the profile_attribute configuration item to radiusGroupName.
>
> IIRC you also need to use full DNs for the radiusGroupName values.

That was the missing hint. Thank you Arran! It is working as expected.

Kind regards,
Tobias Hachmer