multiple radiusVSA in ldap.attrmap
Hi,

I would like to have an administrator profile in my OpenLDAP which allows administrators to authenticate on Cisco and Foundry equipment and enter directly into Privileged EXEC level. So I read the VSA attributes in dictionary.foundry and dictionary.cisco. I created my profile in OpenLDAP, I log on to my Cisco and look at the reply log to see what is replied.

With this profile:

    dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
    objectClass: radiusObjectProfile
    objectClass: top
    objectClass: radiusprofile
    radiusServiceType: NAS-Prompt-User
    cn: administrateur
    radiusVSA: shell:priv-lvl=15
    radiusReplyItem: Foundry-Privilege-Level = 0
    radiusReplyItem: Foundry-Command-String = *
    radiusReplyItem: Foundry-Command-Exception-Flag = 0
    radiusReplyItem: Foundry-INM-Privilege = 15

+ in ldap.attrmap I add:

    replyItem $GENERIC$ radiusReplyItem
    [...]
    replyItem Cisco-AVPair radiusVSA

I see in my log:

    Fri Jun 12 12:01:07 2009
        Packet-Type = Access-Accept
        Reply-Message = Utilisateur: fmehault, group: Administrateur
        Cisco-AVPair = shell:priv-lvl=15
        Service-Type = NAS-Prompt-User

With this profile:

    dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
    objectClass: radiusObjectProfile
    objectClass: top
    objectClass: radiusprofile
    radiusServiceType: NAS-Prompt-User
    cn: administrateur
    radiusVSA: shell:priv-lvl=15
    radiusVSA: 0
    radiusVSA: 15

+ in ldap.attrmap I add:

    replyItem Cisco-AVPair radiusVSA
    replyItem Foundry-Privilege-Level radiusVSA
    replyItem Foundry-INM-Privilege radiusVSA

I see in my log:

    Fri Jun 12 12:14:49 2009
        Packet-Type = Access-Accept
        Reply-Message = Utilisateur: fmehault, group: Administrateur
        Foundry-INM-Privilege = AAA_pri_15
        Foundry-Privilege-Level = 15
        Cisco-AVPair = shell:priv-lvl=15
        Service-Type = NAS-Prompt-User

I don't succeed in giving the right value to each attribute with OpenLDAP, ldap.attrmap, radiusVSA ... In addition, I can't have two radiusVSA attributes with the same value in OpenLDAP.
So I would like to know if it is possible to have just one profile with several attributes for different vendors (Foundry, Cisco, Fortinet ...), or whether I have to create a profile administratorCisco, administratorFoundry, ...

Thanks for your help in advance.

Regards,
François Mehault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: multiple radiusVSA in ldap.attrmap
Thanks Alan DeKok and Ivan Kalik, I will try the two ways you sent me in my lab.

-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On behalf of Alan DeKok
Sent: Friday, 12 June 2009 13:28
To: FreeRadius users mailing list
Subject: Re: multiple radiusVSA in ldap.attrmap

François Mehault wrote:
> + in ldap.attrmap I add:
>
>     replyItem Cisco-AVPair radiusVSA
>     replyItem Foundry-Privilege-Level radiusVSA
>     replyItem Foundry-INM-Privilege radiusVSA

  You can't do that. You are mapping the radiusVSA item to 3 different RADIUS attributes. This will NOT work.

> I don't succeed in giving the right value to each attribute with OpenLDAP, ldap.attrmap, radiusVSA ... In addition, I can't have two radiusVSA attributes with the same value in OpenLDAP.

  Yes, you can. Read the comments at the top of ldap.attrmap. Use the += operator.

  Alan DeKok.
segmentation fault with group in huntgroups
Hi All,

I want to use huntgroups to restrict access to certain huntgroups to certain groups of users. So I edited my huntgroups file:

    swLabo    NAS-IP-Address == 192.168.0.50
              Group = administrateur

I guess that administrateur is a Ldap-Group, isn't it? And I use OpenLDAP to store my users and my radiusGroupName.

    dn: ou=Profiles,dc=netplus,dc=fr
    objectClass: organizationalUnit
    objectClass: top
    ou: Profiles

    dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
    objectClass: radiusObjectProfile
    objectClass: top
    objectClass: radiusprofile
    radiusServiceType: NAS-Prompt-User
    radiusVSA: shell:priv-lvl=15
    cn: administrateur

    dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
    givenName:: RnJhbsOnb2lz
    sn: MEHAULT
    uid: fmehault
    uidNumber: 1203
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: radiusprofile
    radiusGroupName: administrateur
    homeDirectory: /home/fmehault
    loginShell: /usr/local/bin/zsh
    cn: Francois MEHAULT
    gidNumber: 1203
    userPassword: {SHA}C5wmJdwh7wX2rU3fR8XyA4N6oyw=

So I understand that fmehault is able to authenticate on the NAS 192.168.0.50. But I have a segmentation fault of radiusd. I also created the posix group administrateur which includes fmehault.

    rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=67, length=80
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = fmehault
        Calling-Station-Id = 192.168.0.80
        User-Password = mdp
    +- entering group authorize {...}
    zsh: segmentation fault  radiusd -X

    # id fmehault
    uid=1203(fmehault) gid=1203 groups=1203,1400(administrateur)

What is the problem? If someone has documentation or a howto about huntgroups and Group, I am interested.

Regards,
François Mehault
Netplus Communication
RE: segmentation fault with group in huntgroups
I use version 2.1.4 on FreeBSD, but with Ldap-Group rather than Group in the huntgroups file, it works.

-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On behalf of Alan DeKok
Sent: Thursday, 11 June 2009 14:54
To: FreeRadius users mailing list
Subject: Re: segmentation fault with group in huntgroups

François Mehault wrote:
> So I understand that fmehault is able to authenticate on the NAS 192.168.0.50. But I have a segmentation fault of radiusd. I also created the posix group administrateur which includes fmehault.

  Which version are you using?

>     +- entering group authorize {...}
>     zsh: segmentation fault  radiusd -X

  My guess is that you're using modules from one version of the server, and a server binary from another.

  What does the *full* debugging output say?

  Alan DeKok.
RE: Problems with Cisco switch and authorization.
FYI http://wiki.freeradius.org/Cisco , maybe it can help you.

Regards,
François

-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On behalf of Alan DeKok
Sent: Wednesday, 10 June 2009 10:22
To: FreeRadius users mailing list
Subject: Re: Problems with Cisco switch and authorization.

Jeff Davis wrote:
> Sorry - I'm a n00b to this project. Trying to get OpenLDAP-based authentication working (well the auth DOES work) but cannot seem to get authorization working. Googling has so far failed me. Perhaps someone on this list can clue me in...

  Have you run the server in debug mode as suggested in the FAQ, README, man page, etc..?

> users file has the following:
>
>     DEFAULT Service-Type == NAS-Prompt-User
>             Service-Type := NAS-Prompt-User,
>             Cisco-AVPair += shell:priv-lvl=15

  If those attributes are being sent back to the NAS, then fix the NAS so that it follows the instructions sent by the RADIUS server.

  Alan DeKok.
RE: [freeradius] fail-over ldap + reply-item missing
Hmm, now everything works perfectly. My reply items are present now; I will now try to understand why it works. Thanks to Ivan Kalik for his help and to the whole FreeRADIUS project.

ldap.attrmap:

    [...]
    checkItem Cleartext-Password userPassword

users:

    DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr
            Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
            Fall-Through = yes

    DEFAULT ldaplabobe2-Ldap-Group == stagiaire, User-Profile := cn=stagiaire,ou=Profiles,dc=netplus,dc=fr
            Reply-Message = Utilisateur: %{User-name}, group: Stagiaire,
            Fall-Through = yes

    DEFAULT ldaplabobe1-Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr
            Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
            Fall-Through = yes

    DEFAULT ldaplabobe1-Ldap-Group == stagiaire, User-Profile := cn=stagiaire,ou=Profiles,dc=netplus,dc=fr
            Reply-Message = Utilisateur: %{User-name}, group: Stagiaire,
            Fall-Through = yes

radiusd.conf:

    instantiate {
        [...]
        ldaplabobe2
        ldaplabobe1
    }

sites-available/default:

    redundant {
        ldaplabobe2
        ldaplabobe1
    }

in the authorize and authenticate sections.
[freeradius] fail-over ldap + reply-item missing
Hi all,

I am trying to do a fail-over with two LDAP servers on my FreeRADIUS. I read this article http://wiki.freeradius.org/Fail-over, I instantiated two OpenLDAP modules and I use the keyword redundant in my /raddb/sites-available/default in the authorize and authenticate sections:

    redundant {
        Primary-ldap
        Secondary-ldap
    }

I also enabled reply_log. When the two LDAP servers are running, it works. reply log:

    Tue Jun 9 11:45:53 2009
        Packet-Type = Access-Accept
        Reply-Message = Utilisateur: fmehault, group: Administrateur
        Cisco-AVPair = shell:priv-lvl=15
        Service-Type = NAS-Prompt-User

But if I stop the Secondary-ldap, I have just this in the reply log:

    Tue Jun 9 11:49:19 2009
        Packet-Type = Access-Accept

I can see in my log that radiusd tries to contact Secondary-ldap first. Why? Then it tries 3 times, rather than trying Primary-ldap, why? I will be pleased to give you more information about my problem to help me fix it.

    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    rlm_ldap: Entering ldap_groupcmp()
    [files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
    [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    [files] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 10.96.18.4:389, authentication 0
    rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.4:389
    rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server
    rlm_ldap: (re)connection attempt failed
    rlm_ldap::ldap_groupcmp: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    [...]
    rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server
    [...]
    rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server

Summary:

    Primary-ldap started    Secondary-ldap started    It works
    Primary-ldap stopped    Secondary-ldap started    It works
    Primary-ldap started    Secondary-ldap stopped    Access-Accept without reply items ...

If someone can explain to me what my problem is.

Regards,
François
RE: [freeradius] fail-over ldap + reply-item missing
Thanks for your response. I read http://freeradius.org/radiusd/doc/rlm_ldap, I am focusing on the section GROUP SUPPORT.

So I have two ldap module instances in raddb/modules/ldap:

    ldap ldaplabobe2 {
        [...]
    }

    ldap ldaplabobe1 {
        [...]
    }

I added the ldap modules in the instantiate{} block in radiusd.conf:

    instantiate {
        exec
        expr
        expiration
        logintime
        ldaplabobe2
        ldaplabobe1
    }

I use this form in my raddb/users:

    DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr
            Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
            Fall-Through = yes

    DEFAULT ldaplabobe2-Ldap-Group == stagiaire, User-Profile := cn=stagiaire,ou=Profiles,dc=netplus,dc=fr
            Reply-Message = Utilisateur: %{User-name}, group: Stagiaire,
            Fall-Through = yes

    DEFAULT ldaplabobe1-Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr
            Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
            Fall-Through = yes

    DEFAULT ldaplabobe1-Ldap-Group == stagiaire, User-Profile := cn=stagiaire,ou=Profiles,dc=netplus,dc=fr
            Reply-Message = Utilisateur: %{User-name}, group: Stagiaire,
            Fall-Through = yes

instead of:

    DEFAULT Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr
            Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
            Fall-Through = yes

    DEFAULT Ldap-Group == stagiaire, User-Profile := cn=stagiaire,ou=Profiles,dc=netplus,dc=fr
            Reply-Message = Utilisateur: %{User-name}, group: Stagiaire,
            Fall-Through = yes

Then I still use redundant in the authorize and authenticate sections in raddb/sites-available/default (I tested without it as well). And now I have Access-Reject for everyone; some reply items are in the users file, others are in my OpenLDAP (I use radiusGroupName with ou=profiles,dc=netplus,dc=fr + radiusprofile attributes ...). So I think I am making progress, but it doesn't work for now.

Sorry if I need some help; I am beginning with OpenLDAP, I read a lot of documentation (FreeRADIUS, OpenLDAP, PAM; my head will explode) and all is new for me, so maybe I read the solution to my problem but don't remember :s

Thanks for your help.

Regards,
François

    rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=253, length=80
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = fmehault
        Calling-Station-Id = 192.168.0.80
        User-Password = toto
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/192.168.0.50/auth-detail-20090609
    [auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.0.50/auth-detail-20090609
    [auth_log] expand: %t -> Tue Jun 9 16:27:02 2009
    ++[auth_log] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = fmehault, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    rlm_ldap: Entering ldap_groupcmp()
    [files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
    [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    [files] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 10.96.18.10:389, authentication 0
    rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.10:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(uid=fmehault)(radiusHuntgroupName=swLabo))
    rlm_ldap: ldap_release_conn: Release Id: 0
    [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=administrateur)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr
    rlm_ldap: object not found
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in cn=Francois
RE: [freeradius] fail-over ldap + reply-item missing
(following my last mail)

I read in my log:

    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

So in the users file I replaced

    DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr
            Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
            Fall-Through = yes

by

    DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := cn=administrateur,ou=Profiles,dc=netplus,dc=fr, Auth-Type := LDAP
            Reply-Message = Utilisateur: %{User-name}, group: Administrateur,
            Fall-Through = yes

And I start radiusd -X and I have:

    /usr/local/etc/raddb/users[247]: Parse error (check) for entry DEFAULT: Unknown value LDAP for attribute Auth-Type
    Errors reading /usr/local/etc/raddb/users
    /usr/local/etc/raddb/modules/files[7]: Instantiation failed for module files
    /usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module files.
    /usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
    }
    }
    Errors initializing modules

But in raddb/sites-available/default, in the authenticate section I have Auth-Type LDAP:

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        Auth-Type LDAP {
            redundant {
                ldaplabobe2
                ldaplabobe1
            }
        }
        eap
    }
RE: checkval module
Hi,

I think you have to do it like this:

    checkval checkNasPortId {
        item-name = NAS-Port-Id
        check-name = NAS-Port-Id
        data-type = string
        notfound-reject = yes
    }

    checkval checkNasPortType {
        item-name = NAS-Port-Type
        check-name = NAS-Port-Type
        data-type = string
        notfound-reject = yes
    }

and in your sites-available/default you load checkNasPortId and checkNasPortType instead of checkval:

    #checkval
    checkNasPortId
    checkNasPortType

I hope this helps you.

François

From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On behalf of Amr el-Saeed
Sent: Wednesday, 3 June 2009 15:36
To: FreeRadius users mailing list
Subject: checkval module

Hi everyone,

I am using freeradius 1.1.7. I am configuring checkval to check for Nas-Port-Type; I need to make it check for Nas-Port-Id also. This is the radius.conf checkval section:

    checkval {
        item-name = NAS-Port-Id
        check-name = NAS-Port-Id
        item-name = NAS-Port-Type
        check-name = NAS-Port-Type
        data-type = string
        notfound-reject = yes
    }

but actually it processes the first entry only, which is NAS-Port-Id, and ignores the second one, which is NAS-Port-Type. Is it possible to make radius check both items??

thanks
Amr
RE: 1 freeradius with 2 openldap (multi master)
Well, I read the documentation, but I don't succeed in fixing my problem, and I don't know if the solution is in this documentation. I use the redundant attribute, and we can read:

    * redundant{...} and append{...} are just shortcuts. You could write

        group {
            sql1 {
                fail = 1
                notfound = 2
                noop = return
                ok = return
                updated = return
                reject = return
                userlock = return
                invalid = return
                handled = return
            }
            sql2 {
                fail = 1
                notfound = 2
                noop = return
                ok = return
                updated = return
                reject = return
                userlock = return
                invalid = return
                handled = return
            }
        }

      instead of

        redundant {
            sql1
            sql2
        }

      but the latter is just a whole lot easier to read.

When I use redundant, I understand it's equivalent to having groups which are failable. My problem is that I have failover between two LDAP servers, and if the first LDAP is used, it works because I have:

    Sending Access-Accept of id 93 to 192.168.0.50 port 1812
        Reply-Message = Utilisateur: fmehault, group: Administrateur
        Cisco-AVPair = shell:priv-lvl=15
        Service-Type = NAS-Prompt-User
    Finished request 0.

And if the first fails, the second LDAP is used, so we can say that it works, but it fails because I have:

    Sending Access-Accept of id 94 to 192.168.0.50 port 1812
    Finished request 0.

It fails because the Access-Accept was built without Cisco-AVPair = shell:priv-lvl=15 and Service-Type = NAS-Prompt-User. And I don't know why, I don't understand.

Thanks Alan for your help, I will continue to read the failover documentation, maybe there is something that I missed. If someone has another lead ...

Regards,
François

-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On behalf of a.l.m.bu...@lboro.ac.uk
Sent: Friday, 29 May 2009 18:04
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)

Hi,

> And now, if I start radiusd and slapd on server A and not on server B, it works.
> And if I stop slapd on server A, and start slapd on server B, it doesn't work. It's maybe a lead...

this is documented

http://wiki.freeradius.org/Fail-over

you need the group to be failable etc

alan
1 freeradius with 2 openldap (multi master)
Hi All,

I have one FreeRADIUS and 2 OpenLDAP (multi-master). And I want my FreeRADIUS to use the second OpenLDAP if the first crashes. So in FreeRADIUS I instantiate the ldap module:

    ldap ldapmaster {
        [...]
    }

    ldap ldapbackup {
        [...]
    }

And in my sites-available/default I load the two modules. If my two OpenLDAPs are alive, authentication succeeds, but if one of them falls, authentication fails, so like this I have an « AND » between the modules, and not an « OR » like I would like. I don't know if I am really clear, I don't speak very well, sorry.

So if someone understands the problem that I am trying to describe and if you know how I can fix my problem, could you help me please?

Thanks,
Regards,
François
RE: 1 freeradius with 2 openldap (multi master)
    redundant-load-balance {
        ldap1   # 50%, unless ldap2 is down, then 100%
        ldap2   # 50%, unless ldap1 is down, then 100%
    }

Seems perfect, thanks a lot!

-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On behalf of Alan DeKok
Sent: Friday, 29 May 2009 15:10
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)

François Mehault wrote:
> And in my sites-available/default I load the two modules. If my two OpenLDAPs are alive, authentication succeeds, but if one of them falls, authentication fails, so like this I have an « AND » between the modules, and not an « OR » like I would like. I don't know if I am really clear, I don't speak very well, sorry.

  $ man unlang

  Look for redundant

  Alan DeKok.
RE: 1 freeradius with 2 openldap (multi master)
Well, in fact I have two servers: A and B.

A has FreeRADIUS + OpenLDAP
B has OpenLDAP backup

So on server A, I put in sites-available/default:

In the authentication section:

    redundant {
        Ldapmaster
        Ldapbackup
    }

and in the authorize section:

    Auth-Type LDAP {
        redundant {
            Ldapmaster
            Ldapbackup
        }
    }

Module Ldapmaster has the attribute server=127.0.0.1, and Ldapbackup has the attribute server=192.168.x.x (IP of server B).

Well, if I shut down my OpenLDAP on server A, FreeRADIUS on server A will talk with OpenLDAP on server B, and it works perfectly!

    [Ldapbackup] user fmehault authenticated succesfully
    ++[Ldapbackup] returns ok
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 93 to 192.168.0.50 port 1812
        Reply-Message = Utilisateur: fmehault, group: Administrateur
        Cisco-AVPair = shell:priv-lvl=15
        Service-Type = NAS-Prompt-User
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 93 with timestamp +11
    Ready to process requests.

Another test: I stop the OpenLDAP daemon on server B and start OpenLDAP on server A, so I imagine my FreeRADIUS will talk with OpenLDAP on server A. But problem:

    [Ldapmaster] user fmehault authenticated succesfully
    +++[Ldapmaster] returns ok
    ++- policy redundant returns ok
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 94 to 192.168.0.50 port 1812
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 94 with timestamp +10
    Ready to process requests.

My NAS is a Cisco Catalyst 2950, and I use the RADIUS VSA Cisco-AVPair. As you can see in the log, I am successfully authenticated, and FreeRADIUS sends me an Access-Accept, without Reply-Message, Cisco-AVPair, Service-Type ... Why???

On Cisco:

    User Access Verification
    Username: fmehault
    Password:
    % Authorization failed.

My two LDAPs are both strictly the same, that's sure because if I don't use unlang redundant, it works. Does someone have an idea??

Thanks for your help,
Regards,
François

-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On behalf of François Mehault
Sent: Friday, 29 May 2009 15:27
To: FreeRadius users mailing list
Subject: RE: 1 freeradius with 2 openldap (multi master)

    redundant-load-balance {
        ldap1   # 50%, unless ldap2 is down, then 100%
        ldap2   # 50%, unless ldap1 is down, then 100%
    }

Seems perfect, thanks a lot!

-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On behalf of Alan DeKok
Sent: Friday, 29 May 2009 15:10
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)

François Mehault wrote:
> And in my sites-available/default I load the two modules. If my two OpenLDAPs are alive, authentication succeeds, but if one of them falls, authentication fails, so like this I have an « AND » between the modules, and not an « OR » like I would like. I don't know if I am really clear, I don't speak very well, sorry.

  $ man unlang

  Look for redundant

  Alan DeKok.
RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap
Checkval with Calling-Station-Id works fine! And I want to check also the IP of the NAS to authenticate my user.

    rlm_checkval: Item Name: Calling-Station-Id, Value: 192.168.0.80
    rlm_checkval: Value Name: Calling-Station-Id, Value: 192.168.0.80
    ++[station-check] returns ok

> NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why it came out like that in checkval when elsewhere in the debug it looks OK.

I tried with Client-IP-Address instead of NAS-IP-Address but it doesn't work:

    rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=162, length=80
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = fmehault
        Calling-Station-Id = 192.168.0.80
        User-Password = toto
    +- entering group authorize {...}
    [...]
    rlm_checkval: Could not find item named Client-IP-Address in request
    rlm_checkval: Could not find attribute named Client-IP-Address in check pairs
    ++[nas-check] returns notfound

My LDAP:

    dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
    givenName:: RnJhbsOnb2lz
    sn: MEHAULT
    uid: fmehault
    cn: Francois MEHAULT
    homeDirectory: /home/admins/fmehault
    loginShell: /usr/local/bin/zsh
    gidNumber: 1203
    uidNumber: 1203
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: radiusprofile
    objectClass: hostObject
    radiusGroupName: stagiaire
    userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
    radiusNASIpAddress: 192.168.0.50
    host: labobe1
    radiusCheckItem: Client-IP-Address = 192.168.0.50
    radiusCallingStationId: 192.168.0.80

My checkval modules:

    checkval station-check {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
        notfound-reject = yes
    }

    checkval nas-check {
        item-name = Client-IP-Address
        check-name = Client-IP-Address
        data-type = ipaddr
        notfound-reject = yes
    }

Thanks Ivan Kalik for your first response.

Regards,
François

-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On behalf of Ivan Kalik
Sent: Monday, 11 May 2009 13:29
To: FreeRadius users mailing list
Subject: Re: check-item NAS-IP-ADdress Calling-Station-ID with openldap

> I want to use FreeRADIUS to administer network equipment. I also use OpenLDAP to store information about users. FreeRADIUS and OpenLDAP are installed on the same FreeBSD 7.0 server. I connect to a network equipment (like a Cisco Catalyst 2950 v12.1) with putty (ssh/telnet). I have 2 questions:
>
> - Why is my Calling-Station-Id in the request an IP and not a MAC?

Because you are using telnet/ssh. Same applies to VPN. PPPoE (wired and wireless) request should have mac address in that field. Dial-up should have phone number.

> - When I authenticate on the Cisco 2950, I have in my log « rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of 192.168.0.50, what is the problem???

NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why it came out like that in checkval when elsewhere in the debug it looks OK.

Ivan Kalik
Kalik Informatika ISP
communication safe ssh - NAS - FreeRADIUS ?
Hi,

I authenticate on Cisco equipment via ssh/telnet. There is no supplicant, so I don't understand in my case, and I would like to know if the communication between my Cisco equipment and my FreeRADIUS is safe. I have a secret shared between both. I understand that the communication between FreeRADIUS and the RADIUS client uses the RADIUS protocol. But in my case there is no PEAP, EAP/TLS ... Can someone confirm to me please if the communication is safe? Because I am afraid of seeing my password in clear text in the users file. Is it possible to use md5, ssha ... and how?

Thanks,
Regards,
François
RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap
Well, I am using checkval to check the attribute NAS-IP-Address. What I want: I have several users and several NAS; some users are allowed to authenticate on some NAS, and others not. I use an OpenLDAP database. Each user has an attribute radiusCheckItem. I don't know if I am right, if it's the good way to do what I need, but I am a novice with FreeRADIUS and OpenLDAP.

-----Original Message-----
From: Ivan Kalik [mailto:t...@kalik.net]
Sent: Tuesday, 19 May 2009 13:46
To: François Mehault
Subject: RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap

> [...]
> rlm_checkval: Could not find item named Client-IP-Address in request
> rlm_checkval: Could not find attribute named Client-IP-Address in check pairs
> ++[nas-check] returns notfound

OK. It can't work since Client-IP-Address is not in the request. Can you remind me: why are you using checkval? Multiple values for NAS IP? Your user entry has only one.

Ivan Kalik
Kalik Informatika ISP
RE: communication safe ssh - NAS - FreeRADIUS ?
Okay, thanks. In fact, I want my RADIUS client to encrypt my password with MD5, for example, and FreeRADIUS to check the MD5 hash. So I understand I have to use PAP? In my ldap module I think I have to set « password_attribute = userPassword ». But if I do, I have to put my password in clear text in my LDAP, otherwise it doesn't work. Alternatively, I can comment out « password_attribute = userPassword » in my ldap module and put my password in MD5/SSHA etc. in OpenLDAP, and it works. But I don't know very well why??

modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_pap
  Module: Instantiating pap
   pap {
        encryption_scheme = auto
        auto_header = no
   }
  Module: Linked to module rlm_chap
  Module: Instantiating chap
  Module: Linked to module rlm_mschap
  Module: Instantiating mschap
   mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
   }
  Module: Linked to module rlm_unix
  Module: Instantiating unix
   unix {
        radwtmp = /var/log/radwtmp
   }
  Module: Linked to module rlm_eap
  Module: Instantiating eap
   eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
   }
  Module: Linked to sub-module rlm_eap_md5
  Module: Instantiating eap-md5
  Module: Linked to sub-module rlm_eap_leap
  Module: Instantiating eap-leap
  Module: Linked to sub-module rlm_eap_gtc
  Module: Instantiating eap-gtc
   gtc {
        challenge = Password:
        auth_type = PAP
   }
  Module: Linked to sub-module rlm_eap_tls
  Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = /usr/local/etc/raddb/certs/server.pem
        certificate_file = /usr/local/etc/raddb/certs/server.pem
        CA_file = /usr/local/etc/raddb/certs/ca.pem
        private_key_password = whatever
        dh_file = /usr/local/etc/raddb/certs/dh
        random_file = /usr/local/etc/raddb/certs/random
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = DEFAULT
        make_cert_command = /usr/local/etc/raddb/certs/bootstrap
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
   }
  Module: Linked to sub-module rlm_eap_ttls
  Module: Instantiating eap-ttls
   ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = inner-tunnel
   }
  Module: Linked to sub-module rlm_eap_peap
  Module: Instantiating eap-peap
   peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = inner-tunnel
   }
  Module: Linked to sub-module rlm_eap_mschapv2
  Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }

From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org on behalf of Nicolas Goutte
Sent: Tuesday 19 May 2009 14:45
To: FreeRadius users mailing list
Subject: Re: communication safe ssh - NAS - FreeRADIUS ?

On 19.05.2009 at 14:14, François Mehault wrote:

> Hi, I authenticate on Cisco equipment via ssh/telnet. There is no supplicant, so I don't understand, in my case, and I would like to know whether the communication between my Cisco equipment and my FreeRADIUS is safe. I have a secret shared between both. I understand that the communication between FreeRADIUS and the RADIUS client uses the RADIUS protocol. But in my case there is no PEAP, EAP/TLS... Can someone confirm whether the communication is safe? Because I am afraid of seeing my password in clear text in the users file. Is it possible to use MD5, SSHA... and how?

For the compatibility, see http://deployingradius.com/documents/protocols/compatibility.html

> Thanks, Regards, François

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
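The exchange above turns on what a NAS actually does to a PAP password and why a hashed userPassword can only be checked when the server gets the cleartext back. The Python below is an added example written for this page, not code from the thread or from FreeRADIUS; the shared secret, the Request Authenticator, the password and the salt are constructed values, and the function names are the example's own.

```python
"""
Added example, not from the mailing-list thread and not FreeRADIUS code:
the RFC 2865 User-Password hiding a NAS applies to a PAP password, the
reverse operation the server performs, and verification of the recovered
cleartext against an OpenLDAP {SSHA} value. All inputs are constructed.
"""
import base64
import hashlib
import hmac
import os


def _pad16(password: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16 octets, at least 16."""
    padding = (-len(password)) % 16
    if not password:
        padding = 16
    return password + b"\x00" * padding


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side. Each 16-octet block is XORed with MD5(secret + previous
    ciphertext block); the first block is keyed by the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = _pad16(password)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keyblock = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], keyblock))
        hidden += c
        prev = c
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side. Anyone holding the shared secret and a capture of the
    packet can do the same, so the wire is exactly as private as the secret.
    Trailing NULs are padding; PAP passwords are text, so none are lost."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    padded, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keyblock = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        padded += bytes(x ^ k for x, k in zip(c, keyblock))
        prev = c
    return bytes(padded).rstrip(b"\x00")


def ssha_hash(password: bytes, salt=None) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: bytes, stored: str) -> bool:
    """Recompute the salted SHA-1 and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def pap_login(hidden_attr: bytes, secret: bytes, authenticator: bytes, stored_hash: str) -> bool:
    """What a server must do for PAP against a hashed directory password:
    recover the cleartext from the packet, then run the hash check itself.
    A CHAP or MS-CHAP packet carries only a challenge response, and there is
    no way to derive that response from an {SSHA} value."""
    cleartext = reveal_user_password(hidden_attr, secret, authenticator)
    return ssha_verify(cleartext, stored_hash)


SECRET = b"lab-shared-secret"      # constructed; a real one should be long and random
AUTHENTICATOR = bytes(range(16))   # constructed; a NAS draws this at random per request
PASSWORD = b"s3cret-pap"           # constructed
STORED = ssha_hash(PASSWORD, salt=b"\x01\x02\x03\x04")  # what slapd would hold in userPassword

if __name__ == "__main__":
    on_wire = hide_user_password(PASSWORD, SECRET, AUTHENTICATOR)
    print("User-Password on the wire:", on_wire.hex())
    print("server accepts:", pap_login(on_wire, SECRET, AUTHENTICATOR, STORED))
```

Two practical consequences follow. The server must see the cleartext to check it against an {SSHA} userPassword, which is why PAP is the method that works with hashed directory passwords; the other methods need a cleartext or NT-hash on the server side, as the compatibility table Nicolas links lays out. And since reveal_user_password needs nothing but the shared secret and a capture, the NAS-to-server leg is protected only by the strength of that secret and by keeping RADIUS traffic on a network the attacker cannot reach.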
RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap
Thanks Ivan! With huntgroups it works perfectly; now I am looking into managing my huntgroups with LDAP, no longer with the huntgroups file. Each user has the attribute radiusHuntgroupName, but I want to define my huntgroups in LDAP; do you think it is possible? Regards, François

-----Original Message-----
From: Ivan Kalik [mailto:t...@kalik.net]
Sent: Tuesday 19 May 2009 15:09
To: François Mehault
Subject: RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap

> Well, I am using checkval to check the attribute NAS-IP-Address. What I want: I have several users and several NAS; some users are allowed to authenticate on some NAS, and others not. I use an OpenLDAP database. Each user has an attribute radiusCheckItem. I don't know if I am right, if it's the right way to do what I need, but I am a novice with FreeRADIUS and OpenLDAP.

Well, if user is going to have only one value for NAS IP, then you don't need checkval - just map the appropriate attribute as a check item in raddb/ldap.attrmap. If he should be allowed on several devices it might be better to use huntgroups/sqlhuntgroups - as long as there are not too many combinations. Same applies to MAC address - if user can use only one there is no need to use checkval.

Ivan Kalik
Kalik Informatika ISP
radius client on fedora 10 ?
Hi, I would like to know: is there any RADIUS client on Fedora 10? pam_radius? Other? Regards, François
NAS or supplicant, pam_radius or xsupplicant
Hi All, I have to install a FreeRADIUS to authenticate some users on network equipment (like a Cisco Catalyst). I just want to authenticate users on the Cisco switch, no VLAN assignment... So I conclude that I don't have to install/configure a supplicant on my computer (Windows XP), the computer I use to contact the switch via telnet/ssh. Could you confirm that I'm right? I would also like to authenticate users on UNIX servers. Again, I just need to authenticate the users on the servers, so I conclude that I configure pam_radius on these servers and do not install/configure xsupplicant. The servers are RADIUS clients/NAS and not supplicants. Of course I would like to have safe communication between the NAS and FreeRADIUS. Could you tell me whether I selected the right configuration, or whether I am totally wrong? I read the comments in the configuration files and a lot of documentation on the web, but the cases described are often supplicant - NAS - FreeRADIUS, with authentication on the supplicant for VLAN assignment. I don't understand very well when I have to install xsupplicant or pam_radius on my UNIX server, whether my server is a supplicant or a NAS. Thanks for your help, François
RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap
Hi All, I want to use FreeRADIUS to administer network equipment. I also use OpenLDAP to store information about users. FreeRADIUS and OpenLDAP are installed on the same FreeBSD 7.0 server. I contact a network device (like a Cisco Catalyst 2950 v12.1) with PuTTY (ssh/telnet). To summarise: Windows XP - ssh or telnet - Cisco 2950 (RADIUS client/authenticator/NAS) - EAPoRadius (I suppose) - FreeRADIUS + OpenLDAP. For the moment, I don't install/configure a supplicant on the Windows XP; I don't know if it's required, because I don't want to use FreeRADIUS to authenticate my Windows session. I have an Active Directory to do this. I configured slapd.conf, radius.conf, clients.conf, the ldap module etc. and it works. And now I would like to add some check items like NAS-IP-Address and Calling-Station-Id. But I don't succeed :s, I use checkval to do this. I have 2 questions:
- Why is my Calling-Station-Id in the request an IP and not a MAC?
- When I authenticate on the Cisco 2950, I have in my log « rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of 192.168.0.50; what is the problem???
I think I have numerous problems; if you see one of them, could you inform me? I am a novice with FreeRADIUS (and OpenLDAP also :s). I could give you all the information you need to help me fix my problem.

Thanks for your help, Regards, François MEHAULT

On my Cisco 2950:
aaa new-model
aaa authentication login default local group radius
aaa authorization exec default group radius local
aaa authorization network default group radius

My ldap.attrmap:
checkItem Calling-Station-Id radiusCallingStationId
checkItem NAS-IP-Address radiusNASIpAddress

Extract of my OpenLDAP:
dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
radiusGroupName: stagiaire
radiusCallingStationId: 192.168.0.80  - I put an IP address and not a MAC address because in the request it's an IP and not a MAC, I don't know why...
radiusNASIpAddress: 192.168.0.60  - in fact, the NAS IP is 192.168.0.50, but I put .60 to get an Access-Reject
userPassword: {SSHA}tOoPUvtVW5O3+StoxScmQLiGFTO5l/+z

12:34[labobe2:~]# radiusd -X
FreeRADIUS Version 2.1.4, for host i386-portbld-freebsd7.0, built on Apr 16 2009 at 12:03:36
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
[...]
radiusd: Loading Clients
 client 192.168.0.50 {
        require_message_authenticator = no
        secret = cherche
        shortname = swlabo
        nastype = cisco
 }
radiusd: Instantiating modules
[...]
modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_ldap
  Module: Instantiating ldap
   ldap {
        server = 127.0.0.1
        port = 389
        password = secret
        identity = cn=root,dc=netplus,dc=fr
        net_timeout = 1
        timeout = 4
        timelimit = 3
        tls_mode = no
        start_tls = no
        tls_require_cert = allow
    tls {
        start_tls = no
        require_cert = allow
    }
        basedn = dc=netplus,dc=fr
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        base_filter = (objectclass=radiusprofile)
        auto_header = no
        access_attr_used_for_allow = yes
        groupname_attribute = cn
        groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
        groupmembership_attribute = radiusGroupName
        dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
        ldap_debug = 0
        ldap_connections_number = 5
        compare_check_items = no
        do_xlat = yes
        set_auth_type = yes
   }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
[...]
rlm_ldap: LDAP radiusVSA mapped to RADIUS Cisco-AVPair
conns: 0x2852c240
  Module: Checking authorize {...} for more modules to load
  Module: Linked to module rlm_preprocess
  Module: Instantiating preprocess
   preprocess {
        huntgroups = /usr/local/etc/raddb/huntgroups
        hints = /usr/local/etc/raddb/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
   }
  Module: Linked to module rlm_checkval
  Module: Instantiating station-check
   checkval station-check {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
        notfound-reject = no
   }
rlm_checkval: Registered name Calling-Station-Id for attribute 31
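The two questions in this post (an IP in Calling-Station-Id, and « À¨ » where 192.168.0.50 was expected) and the huntgroup follow-up in the "RE: check-item" reply earlier on this page come down to how the request's attributes are typed and how a per-user restriction is evaluated. The Python below is an added example for this page, not code from the thread or from FreeRADIUS; the Access-Request bytes, the directory entry, the huntgroup table and the function names are constructed for it.

```python
"""
Added example for this page, not code from the thread or from FreeRADIUS.
It decodes the attributes of an Access-Request, shows why the octets of
NAS-IP-Address 192.168.0.50 come out as "À¨" when handled as a string,
and evaluates two per-user restrictions discussed in the thread: checkItem
values on the directory entry, and huntgroups (named sets of NAS addresses)
the entry refers to by name. Packet, entry and huntgroups are constructed.
"""
import ipaddress

# Attribute numbers and dictionary types from RFC 2865.
DICTIONARY = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    31: ("Calling-Station-Id", "string"),
}


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    # One attribute TLV: Type, Length (header included), Value.
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def decode_attributes(payload: bytes) -> dict:
    """Walk the attribute list after the 20-octet header. A truncated or
    zero-length attribute is an error, not something to skip over."""
    result, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        raw = payload[pos + 2:pos + length]
        name, kind = DICTIONARY.get(attr_type, (f"Attr-{attr_type}", "octets"))
        if kind == "ipaddr":
            if len(raw) != 4:
                raise ValueError(f"{name}: ipaddr needs 4 octets, got {len(raw)}")
            result[name] = str(ipaddress.IPv4Address(raw))
        elif kind == "string":
            result[name] = raw.decode("utf-8", errors="replace")
        else:
            result[name] = raw
        pos += length
    return result


def octets_as_c_string(raw: bytes) -> str:
    """The same octets read as a NUL-terminated Latin-1 string: 192.168.0.50
    is C0 A8 00 32, which stops at the NUL and shows as "À¨"."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def evaluate_check_items(request: dict, entry: dict, attrmap: dict) -> tuple:
    """attrmap maps an LDAP attribute to the RADIUS attribute it must equal,
    like the checkItem lines of ldap.attrmap. An attribute absent from the
    entry restricts nothing. A multi-valued entry attribute counts as "any
    of" here (this example's policy; FreeRADIUS check items must all match)."""
    reasons = []
    for ldap_attr, radius_attr in attrmap.items():
        allowed = entry.get(ldap_attr)
        if allowed is None:
            continue
        allowed = [allowed] if isinstance(allowed, str) else list(allowed)
        seen = request.get(radius_attr)
        if seen is None:
            reasons.append(f"{radius_attr} missing from request")
        elif seen not in allowed:
            reasons.append(f"{radius_attr} is {seen!r}, entry allows {allowed}")
    return (not reasons, reasons)


def evaluate_huntgroups(request: dict, entry: dict, huntgroups: dict) -> bool:
    """The entry names huntgroups; each is a set of NAS-IP-Address values
    (the real huntgroups file can match other attributes too). Allowed when
    the request's NAS is in any named group; naming no group means no
    restriction; an unknown name is a configuration error, not a pass."""
    names = entry.get("radiusHuntgroupName")
    if not names:
        return True
    names = [names] if isinstance(names, str) else list(names)
    unknown = [n for n in names if n not in huntgroups]
    if unknown:
        raise KeyError(f"unknown huntgroup(s) {unknown}")
    return any(request.get("NAS-IP-Address") in huntgroups[n] for n in names)


# Constructed Access-Request attributes: a VTY login on the lab switch from
# the post (NAS 192.168.0.50) from the host 192.168.0.80. The value the
# poster sees in Calling-Station-Id is that host's IP address, not a MAC.
ACCESS_REQUEST_ATTRS = (
    encode_attribute(1, b"fmehault")
    + encode_attribute(4, ipaddress.IPv4Address("192.168.0.50").packed)
    + encode_attribute(31, b"192.168.0.80")
)
# Entry as in the post (radiusNASIpAddress deliberately .60 so the check
# fails), plus a radiusHuntgroupName for the huntgroup variant.
LDAP_ENTRY = {
    "uid": "fmehault",
    "radiusCallingStationId": "192.168.0.80",
    "radiusNASIpAddress": "192.168.0.60",
    "radiusHuntgroupName": "lab-switches",
}
ATTRMAP = {  # the two checkItem lines from the post's ldap.attrmap
    "radiusCallingStationId": "Calling-Station-Id",
    "radiusNASIpAddress": "NAS-IP-Address",
}
HUNTGROUPS = {"lab-switches": {"192.168.0.50", "192.168.0.51"}}  # constructed

if __name__ == "__main__":
    req = decode_attributes(ACCESS_REQUEST_ATTRS)
    print(req, repr(octets_as_c_string(ipaddress.IPv4Address("192.168.0.50").packed)))
    print(evaluate_check_items(req, LDAP_ENTRY, ATTRMAP))
    print(evaluate_huntgroups(req, LDAP_ENTRY, HUNTGROUPS))
```

The « À¨ » in the poster's log is exactly what octets_as_c_string returns for 192.168.0.50: the four octets C0 A8 00 32 read as a string and cut at the NUL, which is the symptom of comparing an ipaddr attribute with a checkval instance whose data-type is string. Compare it as ipaddr, or map it as a plain checkItem as Ivan suggests. The huntgroup function treats several named groups as alternatives, whereas every check item FreeRADIUS puts in the control list must match, which is why a user allowed on several NAS is better expressed through huntgroups than through several radiusNASIpAddress values on one entry.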
apologize
Hi All, sorry about my mails; I check the pipermail now. Thanks Nicolas Goutte. Regards, François

From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org on behalf of Nicolas Goutte
Sent: Tuesday 12 May 2009 11:36
To: FreeRadius users mailing list
Cc: François Mehault
Subject: Re: test

On 12.05.2009 at 11:31, François Mehault wrote:

> From: François Mehault
> Sent: Tuesday 12 May 2009 11:27
> To: 'freeradius-users@lists.freeradius.org'
> Cc: François Mehault
> Subject: RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap
>
> Hi All,

Don't worry. We do receive your emails. See also http://lists.freeradius.org/pipermail/freeradius-users/2009-May/date.html

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe