Last login time in LDAP?
Does someone know if freeradius can update an LDAP user attribute as part of post processing? Would it be via xlat or unlang? tia -John - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Testing LDAP server return code?
Is there a way to test the return code or message from the LDAP server so a different reply-message can be sent on server is unwilling to perform? thanks, -John
NAS type with NAS defined in SQL (FR 2.1.6)
I've tried dozens of ways but I can't figure out how to get the NAS type for clients defined in MySQL. The column is populated, the query has the correct fields matching the source code for the module. The module appears to populate the address, shortname, nastype, secret and virtual server. Yet when I expand ${client:nastype} I only get a value for clients defined in the clients file. SQL clients are always blank. I know I could do a special SQL query on each request, but I shouldn't have to. The data should already be in a variable. -John
Using unlang to control ldap module
Is there a way I can conditionally change the config items in the ldap module, so that if NAS-Port-Type = Wireless then access_attr = X -John
Re: EAP-TLS and MAC Authentication
I've been told that Cisco APs won't do WPA with MAC auth in recent versions of IOS. -John
NAS type when NAS is stored in SQL?
I'm using the nas table in mysql to store my clients. I've found that if I try to test for client:nastype, a value is returned only for entries from clients.conf. Is there a way to get the nas type for clients in SQL? John Doppke
Re: NAS type when NAS is stored in SQL?
On 3/19/2010 at 1:40 PM, freeradius-users-requ...@lists.freeradius.org wrote:

> Do an SQL query. %{sql: SELECT ...}
>
> Alan DeKok.

I was afraid of that. I looked through the code and it appears as if rlm_sql should populate nastype along with shortname, secret, etc. Anyone know why it's not?

-John
Re: NAS type when NAS is stored in SQL?
-- -John

On 3/19/2010 at 4:21 PM, freeradius-users-requ...@lists.freeradius.org wrote:

> It does if the info is there:
>
> SELECT id, nasname, shortname, type, secret FROM ${nas_table}
>
> (in fact, it can also populate the 'server' too - add that as last option in the SELECT - latest version of FreeRADIUS only!)
>
> what does the server say when you start - ie radiusd -X
>
> alan

I think this is the relevant part:

    radius_db = radius
    read_groups = yes
    sqltrace = yes
    sqltracefile = /var/log/radius/sqltrace.sql
    readclients = yes
    deletestalesessions = yes
    num_sql_socks = 5
    lifetime = 0
    max_queries = 0
    sql_user_name = %{User-Name}
    default_user_profile = sqldefault
    nas_query = SELECT id, nasname, shortname, type, secret FROM nas
    authorize_check_query = SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
    authorize_reply_query = SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
    authorize_group_check_query = SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
    authorize_group_reply_query = SELECT id, groupname, attribute, value, op

Also:

    rlm_sql (sql): Processing generate_sql_clients
    rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql_mysql: query: SELECT id, nasname, shortname, type, secret FROM nas
    rlm_sql (sql): Read entry nasname=192.168.41.233,shortname= LAFAYETTE-IN-WAP10,secret=xxx
    rlm_sql (sql): Adding client 192.168.41.233 ( LAFAYETTE-IN-WAP10, server=none) to clients list
    rlm_sql (sql): Read entry nasname=140.171.181.215,shortname= WAP16,secret=xxx
    rlm_sql (sql): Adding client 192.168.181.215 ( WAP16, server=none) to clients list
    ...
Status server python example
Does anyone have an example of getting stats from freeRadius via status-server using python and pyrad? To me it looks like I'm sending the correct packet, but the server complains about the message authenticator or shared secret. I'm pretty sure I'm calculating it per RFC. An authentication request with the same secret works, so I don't think it's that. Regards, -John Doppke
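An added example, not part of the original post and not FreeRADIUS or pyrad code: how the Message-Authenticator of a Status-Server packet is computed under RFC 5997 and RFC 2869, with the matching receiver-side check. It uses only the Python standard library; the function names are hypothetical, and sending the packet to the server is left out.

```python
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12          # RADIUS packet code (RFC 5997)
MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869)


def build_status_server(secret: bytes, ident: int, authenticator: bytes = None,
                        extra_attrs: bytes = b"") -> bytes:
    """Return a signed Status-Server packet (hypothetical helper).

    The Request Authenticator is 16 random octets, as in Access-Request.
    Message-Authenticator is HMAC-MD5 over the whole packet, keyed with the
    shared secret, computed while its own 16-octet value is all zeros.
    """
    authenticator = authenticator or os.urandom(16)
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    zeroed = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    attrs = zeroed + extra_attrs            # already-encoded TLVs may follow
    length = 20 + len(attrs)                # header is 20 octets
    header = struct.pack("!BBH", STATUS_SERVER, ident & 0xFF, length) + authenticator
    digest = hmac.new(secret, header + attrs, hashlib.md5).digest()
    # Message-Authenticator is the first attribute: swap the zeros for the digest.
    return header + attrs[:2] + digest + attrs[18:]


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: find attribute 80, zero it, recompute, compare."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False                    # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False  # no Message-Authenticator present
```

The HMAC covers the header (with the final Length and the real Request Authenticator) as well as every attribute, so any attribute added after signing invalidates the value.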
Hiding passwords
Is there a way to tell freeradius not to include passwords in the log when debugging? -John
redundant/failover modules
I've been reading the docs regarding failover and I'm not sure if the following is correct. It seems to process an extra query.

    group {
        redundant {
            ldap1-primary
            ldap1-failover
        }
        fail = 1
        ok = return
        redundant {
            ldap2-primary
            ldap2-failover
        }
    }

The intent is that if the user is not found in ldap1, then ldap2 is tried. Ldap2 should be skipped if ldap1 returns ok. In each block the failover should be tried if the primary doesn't respond. The failover works, but it seems that the ldap2 is tried even if ldap1 finds the user. Am I missing something?

Regards,
-John Doppke
Preventing outer EAP id from going through auth
I have a fairly standard config, using EAP/TTLS and an LDAP back end. Both EAP and non-EAP requests need to do LDAP lookups. It's working well (I did very little customizing), except I see a lot of the anonymous outer id's getting sent to the LDAP servers. I moved EAP above LDAP in the config, and it seems to have eliminated those when EAP returns 'ok', but I'm still seeing some. It looks like when EAP returns 'updated' it still runs anonymous through LDAP. I noticed the eap def has ok = return, should I add updated = return to avoid the anonymous LDAP lookups? -John