multiple radiusVSA in ldap.attrmap

2009-06-12 Thread François Mehault
Hi,

I would like to have an administrator profile in my OpenLDAP which allows an 
administrator to authenticate on Cisco and Foundry equipment and enter directly 
at the Privileged EXEC level. So I read the VSA attributes in dictionary.foundry 
and dictionary.cisco. I created my profile in OpenLDAP, and I log on to my Cisco 
and look at the reply log to see what is replied.

With this profile:

dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
objectClass: radiusObjectProfile
objectClass: top
objectClass: radiusprofile
radiusServiceType: NAS-Prompt-User
cn: administrateur
radiusVSA: shell:priv-lvl=15
radiusReplyItem: Foundry-Privilege-Level = 0
radiusReplyItem: Foundry-Command-String = *
radiusReplyItem: Foundry-Command-Exception-Flag = 0
radiusReplyItem: Foundry-INM-Privilege = 15

+ in ldap.attrmap I add

replyItem   $GENERIC$   radiusReplyItem
[...]
replyItem   Cisco-AVPair   radiusVSA


I see in my log:

Fri Jun 12 12:01:07 2009
Packet-Type = Access-Accept
Reply-Message = Utilisateur: fmehault, group: Administrateur
Cisco-AVPair = shell:priv-lvl=15
Service-Type = NAS-Prompt-User


With this profile:

dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
objectClass: radiusObjectProfile
objectClass: top
objectClass: radiusprofile
radiusServiceType: NAS-Prompt-User
cn: administrateur
radiusVSA: shell:priv-lvl=15
radiusVSA: 0
radiusVSA: 15

+ in ldap.attrmap I add

replyItem   Cisco-AVPair   radiusVSA
replyItem   Foundry-Privilege-Level   radiusVSA
replyItem   Foundry-INM-Privilege   radiusVSA

I see in my log:

Fri Jun 12 12:14:49 2009
Packet-Type = Access-Accept
Reply-Message = Utilisateur: fmehault, group: Administrateur
Foundry-INM-Privilege = AAA_pri_15
Foundry-Privilege-Level = 15
Cisco-AVPair = shell:priv-lvl=15
Service-Type = NAS-Prompt-User

I don't succeed in giving the right value to each attribute with OpenLDAP, 
ldap.attrmap, radiusVSA ... In addition, I can't have two radiusVSA 
attributes with the same value in OpenLDAP.
So I would like to know if it is possible to have just one profile with several 
attributes for different vendors (Foundry, Cisco, Fortinet ...), or whether I have 
to make a profile administratorCisco, administratorFoundry, ...

Thanks in advance for your help

Regards,

François Mehault


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: multiple radiusVSA in ldap.attrmap

2009-06-12 Thread François Mehault
Thanks Alan DeKok and Ivan Kalik, I will try the two ways you sent me in my lab.

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Alan DeKok
Sent: Friday 12 June 2009 13:28
To: FreeRadius users mailing list
Subject: Re: multiple radiusVSA in ldap.attrmap

François Mehault wrote:
  + in ldap.attrmap I add

 replyItem   Cisco-AVPair   radiusVSA
 replyItem   Foundry-Privilege-Level   radiusVSA
 replyItem   Foundry-INM-Privilege   radiusVSA

  You can't do that.  You are mapping the radiusVSA item to 3
different RADIUS attributes.  This will NOT work.

 I don’t succeed in giving the right value to each attribute with OpenLDAP,
 ldap.attrmap, radiusVSA … In addition, I can’t have two radiusVSA
 attributes with the same value in OpenLDAP.

  Yes, you can.  Read the comments at the top of ldap.attrmap.  Use the
+= operator.

  Alan DeKok.
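As an added example (not code from the thread or from FreeRADIUS), a small lint of an ldap.attrmap fragment against the LDIF profile it is applied to, covering the two points Alan makes above: one LDAP attribute mapped to several RADIUS attributes, and a multi-valued radiusVSA mapped without +=. The sample attrmap lines and profiles are the ones from the messages above; treating an optional fourth column as the per-mapping operator is an assumption about the file format.

```python
"""Lint an ldap.attrmap fragment against the LDAP profile it will be applied to.

Two checks, matching the two problems in the thread:
  1. one LDAP attribute mapped to several RADIUS attributes (the module
     cannot know which value belongs to which attribute);
  2. a multi-valued LDAP attribute mapped without the += operator.
The optional fourth attrmap column is treated as the per-mapping operator
(assumption: this follows the comments at the top of ldap.attrmap).
"""
from collections import defaultdict

# Constructed input: the second mapping from the thread, plus a Service-Type
# line so that the profile's radiusServiceType is covered.
BROKEN_ATTRMAP = """\
# type        RADIUS attribute           LDAP attribute       [operator]
replyItem     $GENERIC$                  radiusReplyItem
replyItem     Service-Type               radiusServiceType
replyItem     Cisco-AVPair               radiusVSA
replyItem     Foundry-Privilege-Level    radiusVSA
replyItem     Foundry-INM-Privilege      radiusVSA
"""

# Constructed input: the second profile from the thread (three radiusVSA values).
BROKEN_PROFILE = """\
dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
objectClass: radiusprofile
radiusServiceType: NAS-Prompt-User
cn: administrateur
radiusVSA: shell:priv-lvl=15
radiusVSA: 0
radiusVSA: 15
"""

# The first profile from the thread: Foundry attributes travel as
# "Attribute = value" strings through $GENERIC$, radiusVSA is reserved
# for Cisco-AVPair and appended with +=.
FIXED_ATTRMAP = """\
replyItem     $GENERIC$                  radiusReplyItem
replyItem     Service-Type               radiusServiceType
replyItem     Cisco-AVPair               radiusVSA            +=
"""

FIXED_PROFILE = """\
dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
objectClass: radiusprofile
radiusServiceType: NAS-Prompt-User
cn: administrateur
radiusVSA: shell:priv-lvl=15
radiusReplyItem: Foundry-Privilege-Level = 0
radiusReplyItem: Foundry-Command-String = *
radiusReplyItem: Foundry-Command-Exception-Flag = 0
radiusReplyItem: Foundry-INM-Privilege = 15
"""


def parse_attrmap(text):
    """Return (item_type, radius_attr, ldap_attr, operator) per mapping line."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("attrmap line needs 3 fields: %r" % line)
        operator = fields[3] if len(fields) > 3 else None
        rows.append((fields[0], fields[1], fields[2], operator))
    return rows


def parse_ldif_entry(text):
    """Return {attribute (lower-cased): [values]} for one plain LDIF entry."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            name, value = line.split(":", 1)
            entry[name.strip().lower()].append(value.strip())
    return entry


def lint(attrmap_text, ldif_text):
    """Return human-readable problems; an empty list means the map is consistent."""
    rows = parse_attrmap(attrmap_text)
    entry = parse_ldif_entry(ldif_text)
    problems = []

    # Check 1: one LDAP attribute feeding several RADIUS attributes.
    # $GENERIC$ is excluded because its values name their own attribute.
    targets = defaultdict(list)
    for _, radius_attr, ldap_attr, _ in rows:
        if radius_attr != "$GENERIC$":
            targets[ldap_attr].append(radius_attr)
    for ldap_attr, radius_attrs in targets.items():
        if len(radius_attrs) > 1:
            problems.append("%s is mapped to %d RADIUS attributes: %s"
                            % (ldap_attr, len(radius_attrs), ", ".join(radius_attrs)))

    # Check 2: several values in the directory but no += on the mapping,
    # so at most one value can end up in the reply.
    seen = set()
    for _, radius_attr, ldap_attr, operator in rows:
        values = entry.get(ldap_attr.lower(), [])
        if (radius_attr != "$GENERIC$" and len(values) > 1
                and operator != "+=" and ldap_attr not in seen):
            seen.add(ldap_attr)
            problems.append("%s has %d values (%s) but %s is mapped without +="
                            % (ldap_attr, len(values), ", ".join(values), radius_attr))
    return problems


if __name__ == "__main__":
    print("broken:", lint(BROKEN_ATTRMAP, BROKEN_PROFILE))
    print("fixed:", lint(FIXED_ATTRMAP, FIXED_PROFILE) or "no problems")
```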

segmentation fault with group in huntgroups

2009-06-11 Thread François Mehault
Hi All,

I want to use huntgroups to restrict access to certain huntgroups to 
certain groups of users. So I edit my huntgroups file:

swLabo    NAS-IP-Address == 192.168.0.50
          Group = administrateur

I guess that administrateur is an Ldap-Group, isn't it? And I use OpenLDAP to 
store my users and my radiusGroupName.

dn: ou=Profiles,dc=netplus,dc=fr
objectClass: organizationalUnit
objectClass: top
ou: Profiles

dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
objectClass: radiusObjectProfile
objectClass: top
objectClass: radiusprofile
radiusServiceType: NAS-Prompt-User
radiusVSA: shell:priv-lvl=15
cn: administrateur


dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
radiusGroupName: administrateur
homeDirectory: /home/fmehault
loginShell: /usr/local/bin/zsh
cn: Francois MEHAULT
gidNumber: 1203
userPassword: {SHA}C5wmJdwh7wX2rU3fR8XyA4N6oyw=

So I understand that fmehault is able to authenticate on the NAS 192.168.0.50. 
But I get a segmentation fault of radiusd. I also created the posix group 
administrateur which includes fmehault.

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=67, 
length=80
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = fmehault
Calling-Station-Id = 192.168.0.80
User-Password = mdp
+- entering group authorize {...}
zsh: segmentation fault  radiusd -X

# id fmehault
uid=1203(fmehault) gid=1203 groups=1203,1400(administrateur)

What is the problem? If someone has documentation/a howto about huntgroups and 
Group, I am interested.

Regards,

François Mehault
Netplus Communication

RE: segmentation fault with group in huntgroups

2009-06-11 Thread François Mehault
I use version 2.1.4 on FreeBSD, but with Ldap-Group rather than Group in the 
huntgroups file, it works.

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Alan DeKok
Sent: Thursday 11 June 2009 14:54
To: FreeRadius users mailing list
Subject: Re: segmentation fault with group in huntgroups

François Mehault wrote:
 So I understand that fmehault is able to authenticate on the NAS
 192.168.0.50. But I get a segmentation fault of radiusd. I also created
 the posix group administrateur which includes fmehault.

  Which version are you using?

 +- entering group authorize {...}
 zsh: segmentation fault  radiusd -X

  My guess is that you're using modules from one version of the server,
and a server binary from another.

  What does the *full* debugging output say?

  Alan DeKok.

RE: Problems with Cisco switch and authorization.

2009-06-10 Thread François Mehault
FYI http://wiki.freeradius.org/Cisco, maybe it can help you.

Regards,

François

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Alan DeKok
Sent: Wednesday 10 June 2009 10:22
To: FreeRadius users mailing list
Subject: Re: Problems with Cisco switch and authorization.

Jeff Davis wrote:
 Sorry - I'm a n00b to this project.

 Trying to get OpenLDAP-based authentication working (well the auth DOES
 work) but cannot seem to get authorization working.

 Googling has so far failed me.  Perhaps someone on this list can clue me
 in...

  Have you run the server in debug mode as suggested in the FAQ, README,
man page, etc..?

 users file has the following:

 DEFAULT Service-Type == NAS-Prompt-User
Service-Type := NAS-Prompt-User,
Cisco-AVPair += shell:priv-lvl=15

  If those attributes are being sent back to the NAS, then fix the NAS
so that it follows the instructions sent by the RADIUS server.

  Alan DeKok.


RE: [freeradius] fail-over ldap + reply-item missing

2009-06-10 Thread François Mehault
Hmm, now everything works perfectly. My reply-items are present now; I will now 
try to understand why it works. Thanks to Ivan Kalik for his help and to the 
whole FreeRADIUS project.

ldap.attrmap:

[...]
checkItem   Cleartext-Password  userPassword

users:

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr
        Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
        Fall-Through = yes

DEFAULT ldaplabobe2-Ldap-Group == stagiaire, User-Profile := cn=stagiaire,ou=Profiles,dc=netplus,dc=fr
        Reply-Message = Utilisateur: %{User-name}, group: Stagiaire,
        Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr
        Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
        Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == stagiaire, User-Profile := cn=stagiaire,ou=Profiles,dc=netplus,dc=fr
        Reply-Message = Utilisateur: %{User-name}, group: Stagiaire,
        Fall-Through = yes

radiusd.conf:

instantiate {
        [...]
        ldaplabobe2
        ldaplabobe1
}

/site-available/default:

redundant { ldaplabobe2 ldaplabobe1 } in the authorize and authenticate sections






[freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread François Mehault
Hi all

I am trying to do fail-over with two LDAPs on my FreeRADIUS. I read this article 
http://wiki.freeradius.org/Fail-over, I instantiated two openldap modules and I 
use the keyword redundant in my /raddb/site-available/default in the authorize and 
authenticate sections.

redundant {
Primary-ldap
Secondary-ldap
}

I also enabled reply_log.
When both LDAPs are running, it works.

reply log:

Tue Jun  9 11:45:53 2009
Packet-Type = Access-Accept
Reply-Message = Utilisateur: fmehault, group: Administrateur
Cisco-AVPair = shell:priv-lvl=15
Service-Type = NAS-Prompt-User

But if I stop the Secondary-ldap, I have just:

reply log:

Tue Jun  9 11:49:19 2009
Packet-Type = Access-Accept

I can see in my log that radiusd tries to contact Secondary-ldap first. Why? 
Then it tries 3 times, rather than trying Primary-ldap, why?

I will be pleased to give you more information about my problem to help me 
fix it,

++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.96.18.4:389, authentication 0
rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.4:389
rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

[...]

rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server

[...]

rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server

summary:

Primary-ldap started, Secondary-ldap started: it works
Primary-ldap stopped, Secondary-ldap started: it works
Primary-ldap started, Secondary-ldap stopped: Access-Accept without reply-items ...

If someone can explain to me what my problem is,

Regards,

François





RE: [freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread François Mehault
Thanks for your response, I read http://freeradius.org/radiusd/doc/rlm_ldap, I 
am focusing on the section GROUP SUPPORT.

So I have two ldap module instances in raddb/modules/ldap :

ldap ldaplabobe2 { [...] }
ldap ldaplabobe1 { [...] }

I added the ldap modules to the instantiate{} block in radiusd.conf.

instantiate {
exec
expr
expiration
logintime
ldaplabobe2
ldaplabobe1
}

I use this form in my raddb/users :

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr
        Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
        Fall-Through = yes

DEFAULT ldaplabobe2-Ldap-Group == stagiaire, User-Profile := cn=stagiaire,ou=Profiles,dc=netplus,dc=fr
        Reply-Message = Utilisateur: %{User-name}, group: Stagiaire,
        Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr
        Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
        Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == stagiaire, User-Profile := cn=stagiaire,ou=Profiles,dc=netplus,dc=fr
        Reply-Message = Utilisateur: %{User-name}, group: Stagiaire,
        Fall-Through = yes

Instead of

DEFAULT Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr
        Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
        Fall-Through = yes

DEFAULT Ldap-Group == stagiaire, User-Profile := cn=stagiaire,ou=Profiles,dc=netplus,dc=fr
        Reply-Message = Utilisateur: %{User-name}, group: Stagiaire,
        Fall-Through = yes

Then I still use redundant in the authorize and authenticate sections in 
raddb/site-available/default (I tested without it as well).

And now I get Access-Reject for everyone; some reply-items are in the users file, 
others are in my OpenLDAP (I use radiusGroupName with 
ou=profiles,dc=netplus,dc=fr + radiusprofile attributes ...).

So I think I am progressing, but it doesn't work for now. Sorry if I need some help; I 
am beginning with OpenLDAP, I have read a lot of FreeRADIUS, OpenLDAP and PAM 
documentation (my head will explode) and all of this is new to me, so maybe I read 
the solution to my problem but don't remember :s

Thanks for your help.

Regards,

François

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=253, 
length=80
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = fmehault
Calling-Station-Id = 192.168.0.80
User-Password = toto
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/192.168.0.50/auth-detail-20090609
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.0.50/auth-detail-20090609
[auth_log]  expand: %t -> Tue Jun  9 16:27:02 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = fmehault, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.96.18.10:389, authentication 0
rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.10:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=administrateur)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=Francois 

RE: [freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread François Mehault
(following my last mail)

I read in my log:

No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user

So in the user file I replace

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr
        Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
        Fall-Through = yes

by

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr, Auth-Type := LDAP
        Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
        Fall-Through = yes

And I start radiusd -X and I get:

/usr/local/etc/raddb/users[247]: Parse error (check) for entry DEFAULT: Unknown 
value LDAP for attribute Auth-Type
Errors reading /usr/local/etc/raddb/users
/usr/local/etc/raddb/modules/files[7]: Instantiation failed for module files
/usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module 
files.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize 
section.
 }
}
Errors initializing modules

But in raddb/site-available/default, in the authenticate section, I have Auth-Type 
LDAP:

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                redundant {
                        ldaplabobe2
                        ldaplabobe1
                }
        }
        eap
}





RE: checkval module

2009-06-03 Thread François Mehault
Hi

I think you have to do it like this:

checkval checkNasPortId {
        item-name = NAS-Port-Id
        check-name = NAS-Port-Id
        data-type = string
        notfound-reject = yes
}

checkval checkNasPortType {
        item-name = NAS-Port-Type
        check-name = NAS-Port-Type
        data-type = string
        notfound-reject = yes
}

and in your /site-available/default you load checkNasPortId and checkNasPortType 
instead of checkval:

        #checkval
        checkNasPortId
        checkNasPortType

I hope this helps you

François

From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Amr el-Saeed
Sent: Wednesday 3 June 2009 15:36
To: FreeRadius users mailing list
Subject: checkval module

Hi everyone

I am using freeradius 1.1.7.
I am configuring checkval to check for NAS-Port-Type; I need to make it check 
for NAS-Port-Id also.

This is the radiusd.conf checkval section:

checkval {
        item-name = NAS-Port-Id
        check-name = NAS-Port-Id

        item-name = NAS-Port-Type
        check-name = NAS-Port-Type

        data-type = string
        notfound-reject = yes
}


but actually it processes the first entry only, which is NAS-Port-Id, and ignores 
the second one, which is NAS-Port-Type.
Is it possible to make the radius check both items??


thanks
Amr


RE: 1 freeradius with 2 openldap (multi master)

2009-06-02 Thread François Mehault
Well, I read the documentation, but I don't succeed in fixing my problem, and I 
don't know if the solution is in this documentation:

I use the keyword redundant, and we can read:


*  redundant{...} and append{...} are just shortcuts. You could write

group {
        sql1 {
                fail = 1
                notfound = 2
                noop = return
                ok = return
                updated = return
                reject = return
                userlock = return
                invalid = return
                handled = return
        }
        sql2 {
                fail = 1
                notfound = 2
                noop = return
                ok = return
                updated = return
                reject = return
                userlock = return
                invalid = return
                handled = return
        }
}

instead of

redundant {
        sql1
        sql2
}

but the latter is just a whole lot easier to read.

When I use redundant, I understand it's equivalent to having groups which are 
failable. My problem is that I have failover between two LDAPs, and if the first 
LDAP is used, it works because I have:

Sending Access-Accept of id 93 to 192.168.0.50 port 1812
Reply-Message = Utilisateur: fmehault, group: Administrateur
Cisco-AVPair = shell:priv-lvl=15
Service-Type = NAS-Prompt-User
  Finished request 0.

And if the first fails, the second LDAP is used, so we can say that it works, 
but it fails because I have:

Sending Access-Accept of id 94 to 192.168.0.50 port 1812
  Finished request 0.

It fails because the Access-Accept was built without Cisco-AVPair = 
shell:priv-lvl=15 and Service-Type = NAS-Prompt-User. And I don't know why, I 
don't understand.

Thanks Alan for your help, I will continue to read the failover documentation, 
maybe there is something that I missed. If someone has another lead ..

Regards,

François


-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of a.l.m.bu...@lboro.ac.uk
Sent: Friday 29 May 2009 18:04
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)

Hi,

 And now, if I start radiusd and slapd on server A and not on server B, it 
 works. And if I stop slapd on server A, and start slapd on server B, it 
 doesn't work. It's maybe a lead...

this is documented

http://wiki.freeradius.org/Fail-over


you need the group to be failable etc

alan


1 freeradius with 2 openldap (multi master)

2009-05-29 Thread François Mehault
Hi All

I have one FreeRADIUS and 2 OpenLDAP (multi-master). And I want my FreeRADIUS 
to use the second OpenLDAP if the first crashes. So in FreeRADIUS I instantiate 
the ldap module:

ldap ldapmaster {
        [...]
}

ldap ldapbackup {
        [...]
}

And in my site-available/default I load the two modules. If my two OpenLDAPs are 
alive, authentication succeeds, but if one of them goes down, authentication fails, 
so like this I have an « AND » between modules, and not an « OR » as I would like. I 
don't know if I am really clear, I don't speak very well, sorry.
So if someone understands the problem that I am trying to describe and knows how I 
can fix my problem, could you help me please? Thanks,

Regards,

François

RE: 1 freeradius with 2 openldap (multi master)

2009-05-29 Thread François Mehault
redundant-load-balance {
        ldap1 # 50%, unless ldap2 is down, then 100%
        ldap2 # 50%, unless ldap1 is down, then 100%
}


Seems perfect, thanks a lot !

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Alan DeKok
Sent: Friday 29 May 2009 15:10
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)

François Mehault wrote:
 And in my site-available/default I load the two modules. If my two
 openldap are alive, authentication succeed, but if one of them fall,
 authentication failed, so like this I have a « AND » between modules,
 and not a « OR » like I would. I don’t know if I am really clear, i
 don’t speak very well, sorry.

$ man unlang

  Look for redundant

  Alan DeKok.

RE: 1 freeradius with 2 openldap (multi master)

2009-05-29 Thread François Mehault
Well, in fact I have two servers: A and B.

A has FreeRADIUS + OpenLDAP

B has the OpenLDAP backup

So on server A, I put in /site-available/default:

In the authentication section:

redundant {
        ldapmaster
        ldapbackup
}

and the authorize section:

Auth-Type LDAP {
        redundant {
                ldapmaster
                ldapbackup
        }
}

Module ldapmaster has the attribute server=127.0.0.1, and ldapbackup has the 
attribute server=192.168.x.x (IP of server B).

Well, if I shut down my OpenLDAP on server A, FreeRADIUS on server A will talk 
to OpenLDAP on server B, and it works perfectly!

[Ldapbackup] user fmehault authenticated succesfully
++[ Ldapbackup] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 93 to 192.168.0.50 port 1812
Reply-Message = Utilisateur: fmehault, group: Administrateur
Cisco-AVPair = shell:priv-lvl=15
Service-Type = NAS-Prompt-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 93 with timestamp +11
Ready to process requests.




Another test: I stop the OpenLDAP daemon on server B and start OpenLDAP on server 
A, so I imagine my FreeRADIUS will talk to OpenLDAP on server A. But problem:

[Ldapmaster] user fmehault authenticated succesfully
+++[ Ldapmaster] returns ok
++- policy redundant returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 94 to 192.168.0.50 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 94 with timestamp +10
Ready to process requests.



My NAS is a Cisco Catalyst 2950, and I use the RADIUS VSA Cisco-AVPair. As you can 
see in the log, I am successfully authenticated, and FreeRADIUS sends me an 
Access-Accept without Reply-Message, Cisco-AVPair, Service-Type ... Why???

On cisco:

User Access Verification

Username: fmehault
Password:
% Authorization failed.


My two LDAPs are both strictly the same; that's certain because if I don't use 
unlang redundant, it works.

Does someone have an idea??

Thanks for your help,

Regards,

François


-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of François Mehault
Sent: Friday 29 May 2009 15:27
To: FreeRadius users mailing list
Subject: RE: 1 freeradius with 2 openldap (multi master)


RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap

2009-05-19 Thread François Mehault
Checkval with Calling-Station-Id works fine! And I also want to check the IP 
of the NAS to authenticate my user.

rlm_checkval: Item Name: Calling-Station-Id, Value: 192.168.0.80
rlm_checkval: Value Name: Calling-Station-Id, Value: 192.168.0.80
++[station-check] returns ok

NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why did
it come out like that in checkval when elsewhere in the debug it looks OK.

I tried with Client-IP-Address instead of NAS-IP-Address but it doesn't work:

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=162, 
length=80
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = fmehault
Calling-Station-Id = 192.168.0.80
User-Password = toto
+- entering group authorize {...}

[...]

rlm_checkval: Could not find item named Client-IP-Address in request
rlm_checkval: Could not find attribute named Client-IP-Address in check pairs
++[nas-check] returns notfound

My ldap:

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
objectClass: hostObject
radiusGroupName: stagiaire
userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
radiusNASIpAddress: 192.168.0.50
host: labobe1
radiusCheckItem: Client-IP-Address = 192.168.0.50
radiusCallingStationId: 192.168.0.80


My checkval modules:

checkval station-check {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
notfound-reject = yes
}

checkval nas-check {
item-name = Client-IP-Address
check-name = Client-IP-Address
data-type = ipaddr
notfound-reject = yes
}

Thanks Ivan Kalik for your first response

Regards,

François

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Ivan Kalik
Sent: Monday 11 May 2009 13:29
To: FreeRadius users mailing list
Subject: Re: check-item NAS-IP-ADdress  Calling-Station-ID with openldap

 I want to use FreeRADIUS to administer network equipment. I also use
 OpenLDAP to store information about users. FreeRADIUS and OpenLDAP are
 installed on the same FreeBSD 7.0 server.
 I contact a network equipment (like a Cisco Catalyst 2950 v12.1) with PuTTY
 (ssh/telnet).

 I have 2 questions:


 -  Why is my Calling-Station-Id in the request an IP and not a MAC?

Because you are using telnet/ssh. Same applies to VPN. PPPoE (wired and
wireless) requests should have a MAC address in that field. Dial-up should
have a phone number.


 -  When I authenticate on the Cisco 2950, I have in my log «
 rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of
 192.168.0.50, what is the problem???


NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why did
it come out like that in checkval when elsewhere in the debug it looks OK.

Ivan Kalik
Kalik Informatika ISP


communication safe ssh - NAS - FreeRADIUS ?

2009-05-19 Thread François Mehault
Hi,

I authenticate on Cisco equipment via ssh/telnet. There is no supplicant, so I 
don't understand, in my case, and I would like to know whether the communication 
between my Cisco equipment and my FreeRADIUS is safe. I have a secret shared 
between both. I understand that the communication between FreeRADIUS and the 
RADIUS client uses the RADIUS protocol. But in my case there is no PEAP, EAP/TLS 
...
Can someone confirm to me whether the communication is safe? Because I am afraid 
of seeing my password in clear text in the users file. Is it possible to use md5, 
ssha ... and how?

Thanks,

Regards,


François

RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap

2009-05-19 Thread François Mehault
Well, I am using checkval to check the attribute NAS-IP-Address. What I want: 
I have several users and several NAS; some users are allowed to authenticate on 
some NAS, and others not. I use an OpenLDAP database. Each user has an attribute 
radiusCheckItem. I don't know if I am right, if it's the good way to do what 
I need, but I am a novice with FreeRADIUS and OpenLDAP.

-----Original Message-----
From: Ivan Kalik [mailto:t...@kalik.net]
Sent: Tuesday 19 May 2009 13:46
To: François Mehault
Subject: RE: check-item NAS-IP-ADdress  Calling-Station-ID with openldap

 [...]

 rlm_checkval: Could not find item named Client-IP-Address in request
 rlm_checkval: Could not find attribute named Client-IP-Address in check
 pairs
 ++[nas-check] returns notfound

OK. It can't work since Client-IP-Address is not in the request. Can you
remind me: why are you using checkval? Multiple values for NAS IP? Your
user entry has only one.

Ivan Kalik
Kalik Informatika ISP



RE: communication safe ssh - NAS - FreeRADIUS ?

2009-05-19 Thread François Mehault
OK, thanks. In fact, I want my RADIUS client to encrypt my password in MD5, for 
example, and FreeRADIUS to check the MD5 hash. So I understand I have to use PAP? 
In my ldap module I think I have to put « password_attribute = userPassword ». 
But if I do, I have to put my password in clear in my LDAP, otherwise it doesn't 
work. Also, I can comment out the « password_attribute = userPassword » in my ldap 
module and put my password in md5/ssha etc. in OpenLDAP and it works. But I 
don't know very well why??


modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = auto
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = /var/log/radwtmp
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = Password: 
auth_type = PAP
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = /usr/local/etc/raddb/certs/server.pem
certificate_file = /usr/local/etc/raddb/certs/server.pem
CA_file = /usr/local/etc/raddb/certs/ca.pem
private_key_password = whatever
dh_file = /usr/local/etc/raddb/certs/dh
random_file = /usr/local/etc/raddb/certs/random
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = DEFAULT
make_cert_command = /usr/local/etc/raddb/certs/bootstrap
cache {
enable = no
lifetime = 24
max_entries = 255
}
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = inner-tunnel
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = inner-tunnel
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = no
   }

From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Nicolas Goutte
Sent: Tuesday 19 May 2009 14:45
To: FreeRadius users mailing list
Subject: Re: communication safe ssh - NAS - FreeRADIUS ?


On 19.05.2009 at 14:14, François Mehault wrote:


Hi,

I authenticate on Cisco equipment via ssh/telnet. There is no supplicant, so I 
don't understand my case, and I would like to know if the communication 
between my Cisco equipment and my FreeRADIUS is safe. I have a shared secret 
between both. I understand that the communication between FreeRADIUS and the 
RADIUS client uses the RADIUS protocol. But in my case there is no PEAP, EAP/TLS 
...
Can someone please confirm whether the communication is safe? Because I am afraid 
to see my password in clear text in the users file. Is it possible to use md5, 
ssha ... and how?
For the compatibility, see 
http://deployingradius.com/documents/protocols/compatibility.html


Thanks,

Regards,


François

Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841

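Added example, not from the thread, in Python, to put the "is it safe" question and the password_attribute observation above on concrete footing. With no EAP in the path, the switch sends the password as a PAP User-Password. RFC 2865 section 5.2 hides it by XORing 16-byte blocks with an MD5 keystream derived from the shared secret and the random Request Authenticator; that is reversible by anyone who holds the secret and sees the packet, the packet carries no integrity check unless Message-Authenticator is demanded (the thread's clients.conf has require_message_authenticator = no), and so the whole exchange is exactly as strong as the secret "cherche" and the network between switch and server. The compensating property of PAP is that the server ends up holding the cleartext, so it can verify it against a salted hash such as the {SSHA} userPassword in the LDAP entry; CHAP and MS-CHAP never give the server the cleartext, which is what the compatibility table Nicolas links is about. Two things in the thread's own debug bear on "I don't know why": rlm_ldap prints set_auth_type = yes, so when no password attribute is fetched it sets Auth-Type LDAP and authenticates by binding to the directory as the user with the PAP cleartext, letting slapd compare the hash; and both the ldap and pap modules print auto_header = no, so when password_attribute = userPassword is set, the "{SSHA}..." string is handed over as a literal User-Password rather than being recognised as a hash (rlm_pap's auto_header = yes is the switch that makes it recognise the prefix). The secret below is from the thread; the password, salt and authenticator are constructed.

```python
"""Added example (not from the thread): what a PAP User-Password looks like on
the wire (RFC 2865 section 5.2) and why the server, once it has the cleartext
back, can check it against a salted {SSHA} hash from LDAP."""
import base64
import hashlib
import os

# Shared secret from the thread's clients.conf. The password, salt and
# Request Authenticator used below are constructed for this example.
SHARED_SECRET = b"cherche"


def pap_encrypt(password, secret, authenticator):
    """NAS side. Pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block), the first "previous block" being the
    Request Authenticator. Keyed obfuscation, not authenticated encryption:
    anyone with the secret and the packet reverses it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def pap_decrypt(ciphertext, secret, authenticator):
    """Server side: same keystream, driven by the received blocks."""
    if len(ciphertext) % 16:
        raise ValueError("User-Password must be a multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")   # strip the RFC padding


def ssha_hash(password, salt):
    """OpenLDAP {SSHA} storage format: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Recompute the salted hash from the cleartext. This is only possible with
    PAP; CHAP/MS-CHAP never hand the server the cleartext."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password + salt).digest() == digest


def round_trip(password, secret=SHARED_SECRET):
    """NAS encrypts, server decrypts with the same secret, then checks the
    cleartext against a constructed {SSHA} userPassword."""
    authenticator = os.urandom(16)
    on_the_wire = pap_encrypt(password, secret, authenticator)
    recovered = pap_decrypt(on_the_wire, secret, authenticator)
    stored = ssha_hash(password, os.urandom(8))
    return recovered == password and ssha_verify(recovered, stored)


if __name__ == "__main__":
    print(round_trip(b"S3cret-pass"))
```

Decrypting with the wrong secret does not fail loudly; it just yields garbage that then fails the hash check, so a captured Access-Request plus an offline guess at the secret is a straightforward dictionary attack. Treat the shared secret like a key: long, random, unique per NAS, and carried over a management network rather than the user-facing one.
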
RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap

2009-05-19 Thread François Mehault
Thanks Ivan !

With huntgroups it works perfectly; now I am looking to manage my huntgroups 
with LDAP, no longer with the huntgroups file.

Each user has the attribute radiusHuntgroupName, but I want to define my 
huntgroups in LDAP. Do you think it is possible?

Regards,

Francois

-----Original Message-----
From: Ivan Kalik [mailto:t...@kalik.net]
Sent: Tuesday 19 May 2009 15:09
To: François Mehault
Subject: RE: check-item NAS-IP-ADdress  Calling-Station-ID with openldap

 Well, I am using checkval to check the attribute NAS-IP-Address. What I
 want: I have several users and several NAS; some users are allowed to
 authenticate on some NAS, and others not. I use an OpenLDAP database. Each
 user has an attribute radiusCheckItem. I don't know if I am right, if
 it's the right way to do what I need, but I am a novice with FreeRADIUS and
 OpenLDAP.

Well, if user is going to have only one value for NAS IP, then you don't
need checkval - just map appropriate attribute as check item in
raddb/ldap.attrmap. If he should be allowed on several devices it might be
better to use huntgroups/sqlhuntgroups - as long as there are not too many
combinations.

Same applies to mac address - if user can use only one there is no need to
use checkval.

Ivan Kalik
Kalik Informatika ISP



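Added example, not from the thread: the two approaches Ivan describes, in this reply and in his earlier one about NAS-IP-Address, written out as FreeRADIUS 2.x configuration. The ldap.attrmap lines are the thread's own single-NAS mapping; what the thread's debug also shows is compare_check_items = no in the ldap module, in which case the mapped radiusNASIpAddress check item is fetched but never compared, which is the gap checkval was being used to fill. The huntgroups and users entries are the multi-NAS route: several NAS addresses under one name, tested in the users file with Huntgroup-Name, with the Ldap-Group compare that the debug shows rlm_ldap registering deciding who may reach them. The checkval instance uses data-type = ipaddr so the value is compared as four octets rather than as a NUL-terminated string (the station-check instance in the debug is data-type = string, which is what printed "À¨"). The second switch address 192.168.0.51 and the group name "administrateur" as an LDAP group are assumptions.

```text
# raddb/modules/ldap: actually enforce LDAP-derived check items
# (the thread's debug shows compare_check_items = no)
ldap {
        ...
        compare_check_items = yes
}

# raddb/ldap.attrmap (as in the thread): one permitted NAS per user
checkItem   NAS-IP-Address      radiusNASIpAddress
checkItem   Calling-Station-Id  radiusCallingStationId

# raddb/modules/checkval: if checkval stays in use for NAS-IP-Address,
# compare it as an address. 192.168.0.60 is the octets C0 A8 00 3C; as a
# NUL-terminated string it prints and compares as just "À¨".
checkval nas-check {
        item-name = NAS-IP-Address
        check-name = NAS-IP-Address
        data-type = ipaddr
        notfound-reject = yes
}

# raddb/huntgroups: several NAS under one name (192.168.0.51 is assumed)
switches    NAS-IP-Address == 192.168.0.50
switches    NAS-IP-Address == 192.168.0.51

# raddb/users: only members of the LDAP group "administrateur" may log in
# through a NAS in the "switches" huntgroup; everyone else is rejected
# before any Auth-Type runs.
DEFAULT     Huntgroup-Name == "switches", Ldap-Group != "administrateur", Auth-Type := Reject
            Reply-Message = "Not allowed on the switches"
```

The users entry relies on the ldap module having run earlier in authorize so that Ldap-Group can be evaluated; with notfound-reject = yes, a NAS that omits NAS-IP-Address is refused rather than waved through.
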
radius client on fedora 10 ?

2009-05-13 Thread François Mehault
Hi,

I would like to know whether there is any RADIUS client on Fedora 10. pam_radius? 
Other?

Regards,

François

NAS or supplicant, pam_radius or xsupplicant

2009-05-12 Thread François Mehault
Hi All

I have to install FreeRADIUS to authenticate some users on network 
equipment (like a Cisco Catalyst). I just want to authenticate users on the 
Cisco switch, no VLAN assignment ... So I conclude that I don't have to 
install/configure a supplicant on my computer (Windows XP), the computer I use to 
contact the switch via telnet/ssh. Could you confirm that I'm right?

I would also like to authenticate users on UNIX servers. Again, I just need to 
authenticate the users on the servers, so I conclude that I configure pam_radius on 
these servers and do not install/configure xsupplicant. The servers are RADIUS 
clients/NAS and not supplicants.

Of course I would like to have safe communication between the NAS and 
FreeRADIUS. Could you tell me if I selected the right configuration, or if I am 
totally wrong? I read the comments in the configuration files and a lot of 
documentation on the web, but the cases described are often supplicant - 
NAS - FreeRADIUS, with authentication on the supplicant for VLAN assignment. I 
don't understand very well when I have to install xsupplicant or pam_radius on 
my UNIX server, whether my server is a supplicant or a NAS.

Thanks for your help

François

RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap

2009-05-12 Thread François Mehault
Hi All,

I want to use FreeRADIUS to administer network equipment. I also use OpenLDAP 
to store information about users. FreeRADIUS and OpenLDAP are installed on the 
same FreeBSD 7.0 server.
I contact a network device (like a Cisco Catalyst 2950 v12.1) with PuTTY 
(ssh/telnet).

To summarize:

Windows XP - ssh or telnet - Cisco 2950 (RADIUS client/authenticator/NAS) - 
EAPoRadius (I suppose) - FreeRADIUS & OpenLDAP

For the moment, I don't install/configure a supplicant on the Windows XP machine; I 
don't know if it's required, because I don't want to use FreeRADIUS to authenticate my 
Windows session. I have an Active Directory to do this.

I configured slapd.conf, radiusd.conf, clients.conf, the ldap module etc. and it 
works. And now I would like to add some check items like NAS-IP-Address and 
Calling-Station-Id. But I don't succeed :s; I use checkval to do this.

I have 2 questions:


-  Why is my Calling-Station-Id in the request an IP and not a MAC?

-  When I authenticate on the Cisco 2950, I have in my log « 
rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of 192.168.0.50; 
what is the problem???

I think I have numerous problems; if you see one of them, could you let me know? 
I am a novice with FreeRADIUS (and OpenLDAP also :s). I can give you all the 
information you need to help me fix my problem.

Thanks for your help,

Regards

François MEHAULT


On my Cisco 2950:

aaa new-model
aaa authentication login default local group radius
aaa authorization exec default group radius local
aaa authorization network default group radius

My ldap.attrmap:

checkItem   Calling-Station-Id  radiusCallingStationId
checkItem   NAS-IP-Address  radiusNASIpAddress

Extract of my OpenLDAP:

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
radiusGroupName: stagiaire
radiusCallingStationId: 192.168.0.80   - I put an IP address and not a MAC 
address because in the request it's an IP and not a MAC, I don't know why...
radiusNASIpAddress: 192.168.0.60   - in fact, the NAS IP is 192.168.0.50, but 
I put .60 to get an Access-Reject
userPassword: {SSHA}tOoPUvtVW5O3+StoxScmQLiGFTO5l/+z


12:34[labobe2:~]# radiusd -X
FreeRADIUS Version 2.1.4, for host i386-portbld-freebsd7.0, built on Apr 16 
2009 at 12:03:36
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
[...]
radiusd:  Loading Clients 
 client 192.168.0.50 {
require_message_authenticator = no
secret = cherche
shortname = swlabo
nastype = cisco
 }
radiusd:  Instantiating modules 
[...]
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
  ldap {
server = 127.0.0.1
port = 389
password = secret
identity = cn=root,dc=netplus,dc=fr
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = allow
   tls {
start_tls = no
require_cert = allow
   }
basedn = dc=netplus,dc=fr
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
base_filter = (objectclass=radiusprofile)
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = cn
groupmembership_filter = 
(|((objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
groupmembership_attribute = radiusGroupName
dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
[...]
rlm_ldap: LDAP radiusVSA mapped to RADIUS Cisco-AVPair
conns: 0x2852c240
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = /usr/local/etc/raddb/huntgroups
hints = /usr/local/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_checkval
 Module: Instantiating station-check
  checkval station-check {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
notfound-reject = no
  }
rlm_checkval: Registered name Calling-Station-Id for attribute 31
 

test

2009-05-12 Thread François Mehault


From: François Mehault
Sent: Tuesday 12 May 2009 11:27
To: 'freeradius-users@lists.freeradius.org'
Cc: François Mehault
Subject: RE: check-item NAS-IP-ADdress  Calling-Station-ID with openldap

OpenLDAP check item

2009-05-12 Thread François Mehault

apologize

2009-05-12 Thread François Mehault
Hi All

Sorry about my mails; I am checking the pipermail now.

Thanks Nicolas Goutte.

Regards,

François

From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Nicolas Goutte
Sent: Tuesday 12 May 2009 11:36
To: FreeRadius users mailing list
Cc: François Mehault
Subject: Re: test


On 12.05.2009 at 11:31, François Mehault wrote:




From: François Mehault
Sent: Tuesday 12 May 2009 11:27
To: 'freeradius-users@lists.freeradius.org'
Cc: François Mehault
Subject: RE: check-item NAS-IP-ADdress  Calling-Station-ID with openldap

Hi All,
Don't worry. We do receive your emails. See also 
http://lists.freeradius.org/pipermail/freeradius-users/2009-May/date.html


Have a nice day!

Nicolas Goutte
