Last login time in LDAP?

2012-02-08 Thread John Doppke
Does someone know if freeradius can update an LDAP user attribute as part of 
post processing?  

Would it be via xlat or unlang?

tia

-John


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Testing LDAP server return code?

2011-12-12 Thread John Doppke
Is there a way to test the return code or message from the LDAP server, so that a 
different Reply-Message can be sent on "server is unwilling to perform"?

thanks,
-John






NAS type with NAS defined in SQL (FR 2.1.6)

2010-09-15 Thread John Doppke
I've tried dozens of ways but I can't figure out how to get the NAS type for 
clients defined in MySQL.

The column is populated, the query has the correct fields matching the source 
code for the module.  The module appears to populate the address, shortname, 
nastype, secret and virtual server.  Yet when I expand ${client:nastype} I 
only get a value for clients defined in the clients file.  SQL clients are 
always blank.

I know I could do a special SQL query on each request, but I shouldn't have to. 
 The data should already be in a variable.

-John




Using unlang to control ldap module

2010-08-19 Thread John Doppke
Is there a way I can conditionally change the config items in the ldap module, 
so that

if NAS-Port-Type = Wireless then access_attr = X


-John




Re: EAP-TLS and MAC Authentication

2010-05-17 Thread John Doppke
I've been told that Cisco APs won't do WPA with MAC auth in recent versions of 
IOS.

-John





NAS type when NAS is stored in SQL?

2010-03-19 Thread John Doppke
I'm using the nas table in mysql to store my clients.  I've found that if I try 
to test for client:nastype, a value is returned only for entries from 
clients.conf.  Is there a way to get the nas type for clients in SQL?  

John Doppke




Re: NAS type when NAS is stored in SQL?

2010-03-19 Thread John Doppke
 On 3/19/2010 at  1:40 PM, freeradius-users-requ...@lists.freeradius.org
wrote:
  Do an SQL query.
 
   %{sql: SELECT ...}
 
   Alan DeKok.
 

I was afraid of that.  
I looked through the code and it appears as if rlm_sql should populate nastype 
along with shortname, secret, etc.
Anyone know why it's not?

-John




Re: NAS type when NAS is stored in SQL?

2010-03-19 Thread John Doppke


-- 
-John
 On 3/19/2010 at  4:21 PM, freeradius-users-requ...@lists.freeradius.org
wrote:
 It does if the info is there:
 
 SELECT id, nasname, shortname, type, secret FROM ${nas_table}
 
 (in fact, it can also populate the 'server' too - add that as last
 option in the SELECT - latest version of FreeRADIUS only!)
 
 what does the server say when you start - ie radiusd -X
 
 alan
 

I think this is the relevant part:

radius_db = radius
read_groups = yes
sqltrace = yes
sqltracefile = /var/log/radius/sqltrace.sql
readclients = yes
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = %{User-Name}
default_user_profile = sqldefault
nas_query = SELECT id, nasname, shortname, type, secret FROM nas
authorize_check_query = SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
authorize_reply_query = SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
authorize_group_check_query = SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
authorize_group_reply_query = SELECT id, groupname, attribute, value, op

Also:

rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Read entry nasname=192.168.41.233,shortname= LAFAYETTE-IN-WAP10,secret=xxx
rlm_sql (sql): Adding client 192.168.41.233 ( LAFAYETTE-IN-WAP10, server=none) to clients list
rlm_sql (sql): Read entry nasname=140.171.181.215,shortname= WAP16,secret=xxx
rlm_sql (sql): Adding client 192.168.181.215 ( WAP16, server=none) to clients list
...




Status server python example

2009-10-06 Thread John Doppke
Does anyone have an example of getting stats from freeRadius via status-server 
using python and pyrad?  To me it looks like I'm sending the correct packet, 
but the server complains about the message authenticator or shared secret.  I'm 
pretty sure I'm calculating it per RFC.  

An authentication request with the same secret works, so I don't think it's 
that. 




Regards,
 
-John Doppke
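As an added illustration of the packet the post is asking about (not pyrad code and not the poster's script), the following builds a Status-Server request with its Message-Authenticator exactly as RFC 2869 section 5.14 / RFC 5997 describe, and verifies both the request and a reply, using only the Python standard library. The shared secret and identifier are constructed sample values.

```python
"""Build and verify a RADIUS Status-Server request and its reply, with the
Message-Authenticator attribute (RFC 2869 section 5.14, RFC 5997), using only
the Python standard library.

Added illustration; this is not pyrad code and not the original poster's
script. The secret and identifier used below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

STATUS_SERVER = 12
ACCESS_ACCEPT = 2
MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")    # Code, Identifier, Length, Authenticator


def build_status_server(secret: bytes, identifier: int,
                        authenticator: Optional[bytes] = None) -> bytes:
    """A Status-Server carries a random Request Authenticator and a
    Message-Authenticator whose value is HMAC-MD5(secret, whole packet with
    that value zeroed). The Length field must already count the attribute."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    packet = HEADER.pack(STATUS_SERVER, identifier, HEADER.size + len(attrs),
                         authenticator) + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac        # the attribute is last, so splice it in


def find_message_authenticator(packet: bytes) -> Optional[int]:
    """Offset of the Message-Authenticator value, or None if absent/malformed."""
    if len(packet) < HEADER.size or HEADER.unpack_from(packet)[2] != len(packet):
        return None
    off = HEADER.size
    while off + 2 <= len(packet):
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            return None              # malformed attribute: treat as invalid
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            return off + 2
        off += alen
    return None


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Check a request's Message-Authenticator against the shared secret."""
    pos = find_message_authenticator(packet)
    if pos is None:
        return False
    zeroed = packet[:pos] + b"\x00" * 16 + packet[pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[pos:pos + 16])


def build_response(code: int, request: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Reply to a Status-Server. The Message-Authenticator is computed with the
    *request* authenticator in the header; the Response Authenticator is then
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    req_auth = request[4:20]
    body = attrs + bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    tmp = HEADER.pack(code, request[1], HEADER.size + len(body), req_auth) + body
    mac = hmac.new(secret, tmp, hashlib.md5).digest()
    tmp = tmp[:-16] + mac
    resp_auth = hashlib.md5(tmp + secret).digest()
    return tmp[:4] + resp_auth + tmp[20:]


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check of a reply: identifier match, Message-Authenticator
    and Response Authenticator, all bound to the outstanding request."""
    if len(response) < HEADER.size or response[1] != request[1]:
        return False
    with_req_auth = response[:4] + request[4:20] + response[20:]
    if not verify_request(with_req_auth, secret):
        return False
    expected = hashlib.md5(with_req_auth + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"testing123"            # constructed sample secret
    req = build_status_server(secret, identifier=7)
    print("request valid:", verify_request(req, secret))
    print("request valid with wrong secret:", verify_request(req, b"wrong"))
    resp = build_response(ACCESS_ACCEPT, req, secret)
    print("response valid:", verify_response(resp, req, secret))
```

The HMAC has to be taken over the packet as it will actually be sent: the Length field already counting the 18-byte attribute and the 16 value bytes zeroed. A digest computed over a packet assembled in a different order will not match what the server recomputes, which produces exactly the "bad Message-Authenticator or shared secret" complaint even when the secret is right. MD5 and HMAC-MD5 are what the protocol mandates here, not a design choice.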





Hiding passwords

2009-06-03 Thread John Doppke
Is there a way to tell freeradius not to include passwords in the log when 
debugging?  


-John





redundant/failover modules

2009-06-02 Thread John Doppke
I've been reading the docs regarding failover and I'm not sure if the following 
is correct.  It seems to process an extra query.

group {
	redundant {
		ldap1-primary
		ldap1-failover
	}
	fail = 1
	ok = return
	redundant {
		ldap2-primary
		ldap2-failover
	}
}

The intent is that if the user is not found in ldap1, then ldap2 is tried.  
Ldap2 should be skipped if ldap1 returns ok.  In each block the failover should 
be tried if the primary doesn't respond.

The failover works, but it seems that the ldap2 is tried even if ldap1 finds 
the user.  Am I missing something?


Regards,
 
-John Doppke





Preventing outer EAP id from going through auth

2009-05-26 Thread John Doppke
I have a fairly standard config, using EAP/TTLS and an LDAP back end.  Both EAP 
and non-EAP requests need to do LDAP lookups.  

It's working well (I did very little customizing), except I see a lot of the 
anonymous outer ids getting sent to the LDAP servers.  I moved EAP above LDAP 
in the config, and it seems to have eliminated those when EAP returns 'ok', but 
I'm still seeing some.  It looks like when EAP returns 'updated' it still runs 
anonymous through LDAP.

I noticed the eap def has ok = return, should I add updated = return to avoid 
the anonymous LDAP lookups?


-John
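Both the redundant/failover post above and this EAP question turn on the same mechanism: how a section combines its children's return codes, and what `ok = return` does or does not cover. The following is an added model of that mechanism in Python; it is not FreeRADIUS code. It assumes the 2.x unlang semantics described in doc/configurable_failover (a `redundant` block stops at the first child that does not return fail; in other sections a numeric action is a priority and the higher priority replaces the section's result, while `return` stops the section), attaches the `fail = 1` / `ok = return` pairs to the redundant block they follow, and uses constructed directory contents and module behaviours. Where pairs written directly in a group body bind is worth confirming against the unlang documentation and `radiusd -X` output for the version in use.

```python
"""Toy model of how an unlang section combines module return codes.

Added illustration only: this is not FreeRADIUS code. It models the 2.x
group / redundant semantics from doc/configurable_failover as I understand
them (an assumption; confirm against radiusd -X for your version). The module
behaviours and directory contents below are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple, Union

Rcode = str
Action = Union[int, str]       # a priority number, or the word "return"

# Assumed default action table of the authorize section.
AUTHORIZE_DEFAULTS: Dict[Rcode, Action] = {
    "reject": "return", "fail": "return", "ok": 3, "handled": "return",
    "invalid": "return", "userlock": "return", "notfound": 1, "noop": 2,
    "updated": 4,
}
# A redundant block stops at the first child that returns anything but fail.
REDUNDANT_DEFAULTS: Dict[Rcode, Action] = {c: "return" for c in AUTHORIZE_DEFAULTS}
REDUNDANT_DEFAULTS["fail"] = 1


class Module:
    """Leaf module; `behaviour` maps a request to a return code."""
    def __init__(self, name: str, behaviour: Callable[[dict], Rcode]) -> None:
        self.name, self.behaviour = name, behaviour
        self.actions: Dict[Rcode, Action] = {}   # overrides seen by the parent


class Section:
    """group or redundant block; `actions` are its overrides in the parent."""
    def __init__(self, kind: str, children: list,
                 actions: Optional[Dict[Rcode, Action]] = None) -> None:
        assert kind in ("group", "redundant")
        self.kind, self.children = kind, children
        self.actions = actions or {}


def run(node, request: dict, trace: List[str]) -> Rcode:
    """Evaluate a node, appending the name of every module actually called."""
    if isinstance(node, Module):
        trace.append(node.name)
        return node.behaviour(request)
    defaults = REDUNDANT_DEFAULTS if node.kind == "redundant" else AUTHORIZE_DEFAULTS
    result, priority = "noop", -1      # assumption: a section starts out as noop
    for child in node.children:
        rcode = run(child, request, trace)
        action = {**defaults, **child.actions}[rcode]
        if action == "return":
            return rcode               # stop the section immediately
        if action > priority:          # a higher priority replaces the result
            result, priority = rcode, action
    return result


# Constructed directory contents: which code each LDAP server yields per user.
LDAP1_USERS: Dict[str, Rcode] = {"alice": "ok", "carol": "updated"}
LDAP2_USERS: Dict[str, Rcode] = {"bob": "ok"}


def ldap_server(users: Dict[str, Rcode], down_flag: str) -> Callable[[dict], Rcode]:
    def behaviour(request: dict) -> Rcode:
        if request.get(down_flag):
            return "fail"              # server did not respond
        return users.get(request["User-Name"], "notfound")
    return behaviour


def build_config(ldap1_actions: Dict[Rcode, Action]) -> Section:
    """The posted group, with the action pairs attached to the first redundant
    block (assumption about where pairs written in a group body bind)."""
    ldap1 = Section("redundant", [
        Module("ldap1-primary", ldap_server(LDAP1_USERS, "ldap1_primary_down")),
        Module("ldap1-failover", ldap_server(LDAP1_USERS, "never_down")),
    ], actions=ldap1_actions)
    ldap2 = Section("redundant", [
        Module("ldap2-primary", ldap_server(LDAP2_USERS, "ldap2_primary_down")),
        Module("ldap2-failover", ldap_server(LDAP2_USERS, "never_down")),
    ])
    return Section("group", [ldap1, ldap2])


def authorize(config: Section, request: dict) -> Tuple[Rcode, List[str]]:
    """Run the group for one request; returns (result, modules called)."""
    trace: List[str] = []
    return run(config, request, trace), trace


if __name__ == "__main__":
    posted = build_config({"fail": 1, "ok": "return"})
    with_updated = build_config({"fail": 1, "ok": "return", "updated": "return"})
    for cfg, user, extra in [(posted, "alice", {}), (posted, "bob", {}),
                             (posted, "alice", {"ldap1_primary_down": True}),
                             (posted, "carol", {}), (with_updated, "carol", {})]:
        print(user, extra, authorize(cfg, {"User-Name": user, **extra}))
```

Under these assumptions, a user found in ldap1 with `ok` stops the group after `ldap1-primary`, a down primary falls through to `ldap1-failover` inside the redundant block, and a user missing from ldap1 reaches ldap2. The case to watch is a first block that returns `updated` rather than `ok`: `ok = return` does not cover it, so ldap2 is still queried, and adding `updated = return` is what stops it; the same distinction is behind the extra LDAP lookups after `eap` returns `updated`. Comparing the trace against which modules `radiusd -X` actually shows being called is the quickest way to confirm which code the real module returns.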


