Re: Freeradius with OpenLDAP (Suse Enterprise 10)

Quote from David W Bell [EMAIL PROTECTED]:

> LDAP is installed and working out of the box, having been set to be used for authentication during the SUSE install. This is proven by the ability to log in to the box, both locally and via SSH.
>
> I installed freeRADIUS from the latest source and it is working also. freeRADIUS seems unable to find a password for the user during authentication.
>
> I issue the following on my workstation:
>
>   [EMAIL PROTECTED]:~$ echo User-Name = belld,Password=p455w0rd | radclient 212.95.255.242:1812 auth testing
>   Received response ID 99, code 3, length = 20
>
> And see the following from freeRADIUS:
>
>   Listening on authentication address * port 1812
>   Listening on accounting address * port 1813
>   Ready to process requests.
>   rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45
>           User-Name = belld
>           User-Password = p455w0rd
>   +- entering group authorize
>   ++[preprocess] returns ok
>   ++[chap] returns noop
>   ++[mschap] returns noop
>       rlm_realm: No '@' in User-Name = belld, looking up realm NULL
>       rlm_realm: No such realm NULL
>   ++[suffix] returns noop
>     rlm_eap: No EAP-Message, not doing EAP
>   ++[eap] returns noop
>   ++[unix] returns notfound
>   ++[files] returns noop
>   rlm_ldap: - authorize
>   rlm_ldap: performing user authorization for belld
>   WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>           expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>           expand: dc=dxi,dc=net -> dc=dxi,dc=net
>   rlm_ldap: ldap_get_conn: Checking Id: 0
>   rlm_ldap: ldap_get_conn: Got Id: 0
>   rlm_ldap: attempting LDAP reconnection
>   rlm_ldap: (re)connect to localhost:389, authentication 0
>   rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
>   rlm_ldap: waiting for bind result ...
>   rlm_ldap: Bind was successful
>   rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
>   rlm_ldap: looking for check items in directory...
>   rlm_ldap: looking for reply items in directory...
>   WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
>   rlm_ldap: user belld authorized to use remote access
>   rlm_ldap: ldap_release_conn: Release Id: 0
>   ++[ldap] returns ok
>   ++[expiration] returns noop
>   ++[logintime] returns noop
>   rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>   ++[pap] returns noop
>   auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>   auth: Failed to validate the user.
>   Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
>     Found Post-Auth-Type Reject
>   +- entering group REJECT
>           expand: %{User-Name} -> belld
>    attr_filter: Matched entry DEFAULT at line 11
>   ++[attr_filter.access_reject] returns updated
>   Delaying reject of request 0 for 1 seconds
>   Going to the next request
>   Waking up in 0.9 seconds.
>   Sending delayed reject for request 0
>   Sending Access-Reject of id 99 to 212.95.252.25 port 20758
>   Waking up in 4.9 seconds.
>
> What I can't work out is whether this is due to an LDAP or a RADIUS config problem.

What is the result of the following commands (using a terminal)?

  ldapsearch -x -h localhost -b dc=dxi,dc=net uid=belld
  ldapsearch -x -h localhost -b dc=dxi,dc=net -D cn=Administrator,dc=dxi,dc=net -w trPic4n03 uid=belld

If they (especially the latter) do not return a value for the field userPassword, the problem is on the LDAP side.

markus

--
This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with OpenLDAP (Suse Enterprise 10)

Quote from David W Bell [EMAIL PROTECTED]:

> Markus Krause wrote:
> > Quote from David W Bell [EMAIL PROTECTED]:
> > [...]
> > What is the result of the following commands (using a terminal)?
> >
> >   ldapsearch -x -h localhost -b dc=dxi,dc=net uid=belld
> >   ldapsearch -x -h localhost -b dc=dxi,dc=net -D cn=Administrator,dc=dxi,dc=net -w trPic4n03 uid=belld
> >
> > If they (especially the latter) do not return a value for the field userPassword, the problem is on the LDAP side.
> >
> > markus
>
> Thanks Markus.
>
> I thought of that - and had done the 1st search and HAD noticed there was no LDAP password set:
>
>   # extended LDIF
>   #
>   # LDAPv3
>   # base <dc=dxi,dc=net> with scope subtree
>   # filter: uid=belld
>   # requesting: ALL
>   #
>
>   # belld, people, dxi.net
>   dn: uid=belld,ou=people,dc=dxi,dc=net
>   cn: David Bell
>   gidNumber: 100
>   givenName: David
>   homeDirectory: /home/belld
>   loginShell: /bin/bash
>   objectClass: top
>   objectClass: posixAccount
>   objectClass: shadowAccount
>   objectClass: inetOrgPerson
>   shadowInactive: -1
>   shadowMax: 9
>   shadowMin: 0
>   shadowWarning: 7
>   sn: Bell
>   uid: belld
>   uidNumber: 1000
>   shadowLastChange: 13920
>
>   # search result
>   search: 2
>   result: 0 Success
>
>   # numResponses: 2
>   # numEntries: 1
>   [EMAIL PROTECTED]:~
>
> I thought this was because LDAP was handing that aspect over to something else, but your second command shows a password.
>
>   [EMAIL PROTECTED]:~ ldapsearch -x -h localhost -b dc=dxi,dc=net -D cn=Administrator,dc=dxi,dc=net -w trPic4n03 uid=belld
>   # extended LDIF
>   #
>   # LDAPv3
>   # base <dc=dxi,dc=net> with scope subtree
>   # filter: uid=belld
>   # requesting: ALL
>   #
>
>   # belld, people, dxi.net
>   dn: uid=belld,ou=people,dc=dxi,dc=net
>   cn: David Bell
>   gidNumber: 100
>   givenName: David
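The two ldapsearch runs are the right check: the anonymous search in the thread comes back without userPassword while the search bound as cn=Administrator shows it, which is what an OpenLDAP ACL that hides userPassword from anonymous readers looks like. Two things worth keeping in mind from the debug output earlier in the thread: rlm_ldap there already binds as the same cn=Administrator DN, so when the privileged ldapsearch does show the attribute, the remaining suspect is the module's attribute mapping (in 1.1.x the `password_attribute` setting of the ldap module and the ldap.attrmap file) rather than the directory ACL; and `radiusd -X` prints the bind DN together with its password, as does `ldapsearch -w` on the command line, so posted debug output of this kind discloses the directory credential. What follows is an added example, not code from the thread or from the FreeRADIUS project: a small Python parser for the LDIF that ldapsearch prints, run over two constructed samples (one modelled on the anonymous result above, one carrying a userPassword value as a privileged bind would return it), reporting per entry whether a password is visible and which hash scheme it carries. The set of schemes it treats as verifiable by rlm_pap is an assumption to check against the rlm_pap version in use.

```python
"""Check an ldapsearch LDIF dump for a password rlm_ldap/rlm_pap could use.

Added example for this thread, not FreeRADIUS project code.  Parses LDIF as
ldapsearch prints it (comments, folded lines, "attr:: base64" values, the
trailing search/result block) and reports per entry whether userPassword
came back and which hash scheme it carries.  ANON_LDIF and ADMIN_LDIF are
constructed samples; PAP_SCHEMES is an assumption about rlm_pap.
"""
import base64
import re

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
# Assumed set of {scheme} headers rlm_pap can verify; check the version in use.
PAP_SCHEMES = {"CLEAR", "CLEARTEXT", "CRYPT", "MD5", "SMD5", "SHA", "SSHA", "NT", "LM"}
HINTS = {
    "no-password": "userPassword not returned: the bind DN may not read it (OpenLDAP ACL), or the entry has none",
    "ok": "rlm_pap can compare against this value once rlm_ldap maps it to a check item",
    "unknown-scheme": "rlm_pap cannot verify this scheme; authenticate by LDAP bind instead",
}


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record, in file order."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:       # RFC 2849 line folding
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded:
        if not line.strip():                         # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":                              # base64, how ldapsearch prints userPassword
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def _values(record, name):
    """Attribute lookup, case-insensitive like LDAP itself."""
    return next((v for k, v in record.items() if k.lower() == name.lower()), [])


def diagnose(record):
    """Return (dn, status, scheme) for one entry."""
    dn = _values(record, "dn")[0]
    passwords = _values(record, "userPassword")
    if not passwords:
        return dn, "no-password", None
    m = SCHEME_RE.match(passwords[0])
    scheme = m.group(1).upper() if m else "CLEARTEXT"  # no {scheme} header: stored in clear
    return dn, ("ok" if scheme in PAP_SCHEMES else "unknown-scheme"), scheme


def report(text):
    """Diagnose every entry of a dump; the search-result trailer has no dn and is skipped."""
    return [diagnose(r) for r in parse_ldif(text) if _values(r, "dn")]


# Constructed: modelled on the anonymous search in the thread, plus a folded line.
ANON_LDIF = """\
# base <dc=dxi,dc=net> with scope subtree
# filter: uid=belld

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
objectClass: posixAccount
objectClass: inetOrgPerson
description: guest account, issued by the comput
 ing centre for testing
uid: belld
uidNumber: 1000

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed: the same entry as a DN allowed to read userPassword would see it
# (the digest bytes behind the {SSHA} header are made up).
SAMPLE_HASH = "{SSHA}" + base64.b64encode(b"constructed digest+salt!").decode()
ADMIN_LDIF = ANON_LDIF.replace(
    "uidNumber: 1000\n",
    "uidNumber: 1000\nuserPassword:: %s\n" % base64.b64encode(SAMPLE_HASH.encode()).decode())
```

Running `report()` over the two samples gives `no-password` for the first and `ok` with scheme `SSHA` for the second; feeding it the real output of the two ldapsearch commands above (anonymous, then bound as the DN rlm_ldap uses) tells you in one step whether the directory side is the problem.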
Re: FreeRADIUS 1.1.6 has been released.

Hi Alan and all core developers involved in this release,

first thanks for your great work on freeradius! I just downloaded the 1.1.6 release via ftp and tried to build debian packages on Etch and rpms on SLES10, here is the almost successful story: ;-)

* debian: building worked just out of the box, but when trying to install freeradius-dialupadmin_1.1.6-0_all.deb it complains about missing php4, but actually php5 is installed (and should work as earlier versions of dialupadmin did). the rest of it (i tested right now sql, ldap and eap) works perfect!

* suse linux enterprise server 10: the file suse/freeradius.spec contains the line "Version: 1.1.5" so rpmbuild fails. after changing this to 1.1.6 the build command works, and the packages can be installed without further problems! and the radius server itself of course runs!

now eagerly waiting for 2.0 :-)

regards
markus

Quote from Alan DeKok [EMAIL PROTECTED]:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The only new features in this release are a few dictionaries. All of the other changes are bug fixes, including the double-frees that were in 1.1.5.
>
> We also fixed approximately 30 bugs found by Coverity (http://scan.coverity.com). One of the bugs found by Coverity was a memory leak in the EAP-TTLS module. We recommend that everyone using EAP-TTLS upgrade to 1.1.6.
>
> See http://freeradius.org for further information, including pointers to the source code, and the security announcement.
>
> Alan DeKok.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iQCVAwUBRh42R6kul4vkAkl9AQJVmQP/Tvkt2CosUd/DBrt2K+QS0rak54kce6JO
> qKP5rEzL27xLeoxZgQKAZCI/o8Nu+/wuoNEJQWbuCs2XwtBLt9PvfmRkDoBvSFVS
> c/CrA9pRLZchlZ2LUfObRzWqOld6a2HslKS8EGvTJhKBfyB+eNU1MXHPi2wU/Asw
> j0O5YwnMftQ=
> =QPPf
> -----END PGP SIGNATURE-----

+-----------------------------------------------------------------+
| Markus Krause, Mogli-Soft                                       |
| Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, MySQL        |
| by order of the                                                 |
| Computing Center of the Max-Planck-Institute of Biochemistry    |
+---------------------------------+-------------------------------+
| E-Mail: [EMAIL PROTECTED]       | Tel.: 089 - 89 40 85 99       |
|         [EMAIL PROTECTED]       | Fax.: 089 - 89 40 85 98       |
| Skype:  markus.krause           | iChat: [EMAIL PROTECTED]      |
+---------------------------------+-------------------------------+

--
This message was sent using https://webmail2.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS 1.1.6 has been released.

Quote from [EMAIL PROTECTED]:

> Hi,
>
> > * debian: building worked just out of the box, but when trying to install freeradius-dialupadmin_1.1.6-0_all.deb it complains about missing php4, but actually php5 is installed (and should work as earlier versions of dialupadmin did). the rest of it (i tested right now sql, ldap and eap) works perfect!
>
> hmmm, is it PHP5 that should be the dependency on debian now? Etch was released last week so part of me thinks so

i am not sure, debian etch (released on 8. april) contains both php4 and php5 and i think there might be a lot of users/admins which still use/prefer php4 on their systems. so what about something like

-----
Package: freeradius-dialupadmin
Architecture: all
Depends: php4 | php4-cgi | php5 | php5-cgi
Recommends: ${perl:Depends}
Suggests: apache2-mpm-prefork | httpd, php4-mysql | php4-pgsql | php5-mysql | php5-pgsql, libdate-manip-perl
Description: set of PHP scripts for administering a FreeRADIUS server
 These scripts provide a web-based interface for administering a FreeRADIUS
 server which stores authentication information in either SQL or LDAP.
-----

in the debian control file? i don't know if this could lead to something weird, e.g. php5 with php4-mysql or something else, but the average admin should be able to avoid this. at least it works here for me ... (well the pages are displayed correctly in a browser, i can not test more as i am using ldap as backend here)

regards
markus
howto define Auth-Type in perl script?

Hi list!

i am writing a perl script to authorize and authenticate users. authorization works (so the script itself works and seems to be used by freeradius as expected) but as i do not know how to define the Auth-Type with the perl script i get the following error message "no Auth-Type found" when running radiusd -XAs.

How can i set Auth-Type from a perl script, or how is this done correctly?

Thanks in advance for any hints!

regards,
markus
Re: howto define Auth-Type in perl script?

Quote from Tomas Hoger [EMAIL PROTECTED]:

> On 3/18/07, Markus Krause [EMAIL PROTECTED] wrote:
> > i am writing a perl script to authorize and authenticate users. authorization works (so the script itself works and seems to be used by freeradius as expected) but as i do not know how to define the Auth-Type with the perl script i get the following error message "no Auth-Type found" when running radiusd -XAs.
> >
> > How can i set Auth-Type from a perl script, or how is this done correctly?
>
>   $RAD_CHECK{'Auth-Type'} = 'FOO';
>
> th.

thanks a lot, that works! (embarrassing how easy that was!)

with best regards
markus
Re: Debian

Quote from Tas Dionisakos [EMAIL PROTECTED]:

> Hello All,
>
> I just compiled radius and tried to create the deb packages using the method mentioned on the freeradius wiki. When the process finishes the deb packages are version 1.1.3, is there a way of correcting this as apt gets confused?

just edit debian/changelog, put a new version description at the beginning of the file, such as (from "freeradius ..." to the line containing the email address and date):

===== start of debian/changelog =====
freeradius (1.1.5-0) unstable; urgency=low

  * Added more dictionaries
  * Dictionary files now MUST NOT be globally writable.
  * Configuration files now MUST NOT be globally readable, or globally writable.
  * Be more aggressive about freeing memory on clean exit. This helps track down run-time leaks.
  * Updated rlm_python to something usable
  * Added experimental sql HPW IPPools.

 -- Nicolas Baradakis [EMAIL PROTECTED]  Mon, 09 Mar 2007 20:06:04 +0100
===== end of example =====

this is only an example, the actual text is not so important, just the version number in brackets, and of course add _your_ email address!

regards
markus
Re: Building freeradius 1.1.5 packages on Debian

Quote from Alan DeKok [EMAIL PROTECTED]:

> Nils Olav Brandstorp Bekken wrote:
> > Hi
> > I tried building Debian packages on the latest 1.1.5 and ended up with packages named 1.1.3, is that the way it's supposed to be?
>
> Obviously no.
>
> > I'm not sure what to fix in the debian directory to get the correct version updated...
>
> Alan DeKok.

afaik the debian package builder takes this information from the file debian/changelog.

regards
markus
Re: MAC authorisation (but not authentication) via LDAP

Quote from Phil Mayers [EMAIL PROTECTED]:

> Markus Krause wrote:
> > i am not sure if your approach could really fulfill my needs (no redundancy, serving different types of requests) ... but i would really like to know ;-)
>
> Hmm. Without more details it's difficult to say, but what you need does not sound excessively difficult. At most, Autz-Type should suffice. Why are you finding you need to set Auth-Type?

i thought this is necessary as i use redundant sections. in users i have something like:

  DEFAULT Huntgroup-Name == vpn, Autz-Type := LdapUser, Auth-Type := LdapUser

some parts of my radiusd.conf:

----- radiusd.conf parts -----
modules {
    ...
    ldap LdapUser1 {
        ldapserv1
    }
    ldap LdapUser2 {
        ldapserv2
    }
    ...
}

authorize {
    ...
    Autz-Type LdapUser {
        redundant {
            LdapUser1
            LdapUser2
        }
    }
    ...
}

authenticate {
    ...
    Auth-Type LdapUser {
        redundant {
            LdapUser1
            LdapUser2
        }
    }
    ...
}
-----

it seems that if the authorization is successfully done by LdapUser1 the Auth-Type is set to LdapUser1. if i do not set it to LdapUser in the file users i get the error message "No authenticate method (Auth-Type) configuration found for the request: Rejecting the user". if i set Auth-Type to LdapUser in users it works. it also works without setting this if i do not use redundant settings (just call the module LdapUser).

> The ldap module can be peculiar in this regard - are you authenticating the users by doing simple bind, or are you extracting the passwords from ldap and using rlm_pap and such?

i am just authenticating by doing simple bind. if i should post more details please let me know!

with best regards
markus
Re: MAC authorisation (but not authentication) via LDAP

Quote from Phil Mayers [EMAIL PROTECTED]:

> Markus Krause wrote:
> > modules {
> >     ...
> >     ldap LdapUser1 { ldapserv1 }
> >     ldap LdapUser2 { ldapserv2 }
> >     ...
> > }
> > authorize {
> >     ...
> >     Autz-Type LdapUser {
> >         redundant { LdapUser1 LdapUser2 }
> >     }
> >     ...
> > }
> > authenticate {
> >     ...
> >     Auth-Type LdapUser {
> >         redundant { LdapUser1 LdapUser2 }
> >     }
> >     ...
> > }
>
> You should be able to replace this last bit with:
>
>   authenticate {
>       Auth-Type LdapUser1 {
>           LdapUser1
>       }
>       Auth-Type LdapUser2 {
>           LdapUser2
>       }
>   }
>
> ...and set set_auth_type = yes on each LDAP module. The general idea is that MODULES should set Auth-Type (to themselves) indicating that they will handle the authenticate phase.
>
> Note that the above is still redundant - if the ldap module answered during the authorize phase, there's clearly only a minuscule chance it will have failed by the time authenticate runs. And in fact, if ldap1 succeeds during authorize but fails during authenticate, arguably passing it to ldap2 is an error - example, the user might have just changed their password so ldap1 fails, but ldap2 is still replicating so thinks the old password is valid.

ok, i agree with you, enough redundancy can be achieved by this also. (the ldap servers used here are both consumers of the same provider, all with very low load, so it seems quite unlikely that they run out of sync, but one never knows...)

but what if the Auth-Type is not set, for example in a perl module (btw. how can i set the auth-type? that would solve my problem here!). example: we (will) have a wlan which can be used by all our users known in ldap and we have additional accounts saved in sql, which can be given to guests by our departments and research groups, these accounts are then valid for a fixed (preset) number of days since their first usage. to check this i wrote a small perl script which works.

so for authorization i use in radiusd.conf:

----- part of radiusd.conf -----
authorize {
    Autz-Type WLAN {
        group {
            mpi-sta {
                ok = return
            }
            redundant {
                LdapUser1
                LdapUser2
            }
        }
    }
}

authenticate {
    Auth-Type WLAN {
        mpi-sta {
            notfound = 1
        }
        redundant {
            LdapUser1
            LdapUser2
        }
    }
}
-----

the Auth-Type is set in users according to the huntgroup of the wlan-switch as the perl script does not set auth-type (because i did not find any documentation on how to set it) so i had to force auth-type to WLAN, now it works.
Re: Newbie question

as far as i know udp usually has no states so netstat can show nothing on port 1812 (most of the time). just a few guesses: did you try radtest or radclient? does "tcpdump udp port 1812" show any attempts of the ap to connect to the server? did you set up clients.conf?

markus

Quote from M. Onur ERGiN [EMAIL PROTECTED]:

> When I run radiusd, it says it is running properly, but I check with netstat -n and I don't see anything listening on port 1812. The port setting in the configuration file is '0' (which is I think 1812 by default). Is this normal? I don't think my ap can access the radius server..
>
> Regards,
> Onur.
>
> Phil Mayers [EMAIL PROTECTED] wrote:
> > M. Onur ERGiN wrote:
> > > Hello, I am pretty new to radius.. I have installed the latest version on Fedora Core 5. I configured my AP. But now, I can't figure out how the wireless clients will authenticate. How will they enter their username/passwords?
> >
> > This is not a radius question. Wireless clients running 802.1x will have some software (known as a supplicant) built in, which prompts for the username/password and executes the EAP traffic exchange to the AP (which is forwarded to the radius server by the AP)
> >
> > I suggest you do some reading on 802.1x on wireless.
Re: MAC authorisation (but not authentication) via LDAP
Quoting Martin Whinnery [EMAIL PROTECTED]:

Hi. Probably just me not understanding... What I want is for our switches to only allow access to MAC addresses in our LDAP database. I don't want to store passwords on our LDAP host entries. I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value. The trouble comes with authentication - either I set Auth-Type := Accept, in which case any failed authorisation is overridden, or I allow authentication to carry on against LDAP (or System, or whatever), in which case it always fails and access is denied, even for authorised MACs. Is there a way to make the Authorisation part final and authoritative? As I say, probably just being stoopid.

Mart

I don't know if it is a good solution, but I just do this by setting the following in radiusd.conf:

authenticate {
    ...
    Auth-Type LdapMAC {
        ok
    }
    ...
}

The Auth-Type is set in the users file depending on huntgroups:

DEFAULT Huntgroup-Name == "switch", Autz-Type := LdapMAC, Auth-Type := LdapMAC

I assume there are better/smarter solutions, as one can read "don't set Auth-Type" in many places, but it works here ;-)

regards
markus
Re: MAC authorisation (but not authentication) via LDAP
Quoting Phil Mayers [EMAIL PROTECTED]:

Markus Krause wrote:

I don't know if it is a good solution, but I just do this by setting the following in radiusd.conf:

authenticate {
    ...
    Auth-Type LdapMAC {
        ok
    }
    ...
}

The Auth-Type is set in the users file depending on huntgroups:

DEFAULT Huntgroup-Name == "switch", Autz-Type := LdapMAC, Auth-Type := LdapMAC

I assume there are better/smarter solutions, as one can read "don't set Auth-Type" in many places, but it works here ;-)

Sorry, but it's an awful suggestion. Don't do it, and certainly don't recommend others do it. There's no need to go setting Auth-Type to random values.

No need to say sorry, and I did not mean this as a suggestion but just to show how I did it, along with the warning that it is not a good solution. And I am really open to any suggestions/corrections!

The correct way to do this is to reject unknown, not blindly accept known.

Hmm, maybe I should have been more precise about what I am doing; at least I am not thinking of blindly accepting known. Let me describe the scenario and what I am doing: we have a radius server which is contacted by a vpn-concentrator, a wlan-router and several switches which have dynamic ports (with vlan based on mac) and 802.1x ports (vlan based on users). Depending on the huntgroup (chosen via nas-ip-address) I am setting auth-type and autz-type. I read in several places that this is commonly a very bad idea, but I could not think of another way to solve it and it works for me (at least it seems so). Again, I am open to any suggestions/corrections!

The users for vpn and wlan are authenticated/authorized via ldap user entries ((&(uid=..)(objectclass=posixaccount))); some accounts for wlan are also stored in sql (for guests, only valid for a fixed number of days after first usage). The vlans for users and devices are stored in radiusprofiles.

Then finally the mac addresses are stored in a way a dhcpd server can understand also, so I do not have redundant entries (easier to maintain); all known mac addresses are therefore accepted, unknown ones are rejected (I am using the ldap query

filter = "(dhcpHWAddress=ethernet %{Stripped-User-Name:-%{User-Name}})"

and base

base_filter = "(|(objectClass=dhcpHost)(objectClass=ipNetwork))"

to verify in the autz section). And here again: any suggestions/corrections are really appreciated! Until now (just in testing, not yet fully in production) this solution does what it should, but there are certainly better ways to do this!

Example - you could modify the ldap group membership query to find groups based on both the username and callingstationid:

groupmembership_filter = "(|(&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id}))(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})))"

Then in ldap:

dn: cn=GoodMacs,dc=example,dc=com
objectClass: top
objectClass: GroupOfMacaddrs
member: 00:11:22:33:44:55
member: 66:77:88:99:aa:bb

Then in the users file:

DEFAULT Ldap-Group == "GoodMacs"
        Fall-Through = No

DEFAULT Auth-Type := Reject
        Reply-Message = "your mac is unknown"

There are lots of variations of this scheme.

I am not sure if your approach could really fulfil my needs (no redundancy, serving different types of requests) ... but I would really like to know ;-)

with best regards
markus
Re: MAC authorisation (but not authentication) via LDAP
Quoting Martin Whinnery [EMAIL PROTECTED]:

Thanks Markus, the problem seems to be that the authorisation pass returns notfound, whereas I want it to reject, as if it found an entry in LDAP without the appropriate attribute.

Mart

Hi Mart,

ugh, you are of course right, I forgot one important detail, sorry! (It has been quite a time since I set this up and it is getting quite late in the night now ...) Directly after the ldap entry in authorize I call a small perl script which checks for $RAD_REQUEST{'Module-Failure-Message'}, and if it is set then returns RLM_MODULE_REJECT, so 'notfound' is replaced by 'reject'. I must admit that this actually is a very dirty solution ... I should really rethink it (although it works ...)

regards
markus
Re: Removing characters from usernames
I am doing this using the attr_rewrite module in radiusd.conf; I have the following section:

modules {
    attr_rewrite macaddress_rewrite {
        attribute = User-Name
        searchin = packet
        searchfor = "-"
        replacewith = ":"
        new_attribute = no
        append = no
    }
}

I call it just before the actual ldap module I am using.

HTH
regards
markus

Quoting Andrew Zirkel [EMAIL PROTECTED]:

I was thinking I could do something like this with a regular expression:

User-Name =~ tr/-//d

but I'm not sure where to do it and if it will work. I'm using a mysql back end so I was thinking in the sql.conf file. Has anyone done something like this before?

Thanks,
Andy

On Jan 31, 2007, at 4:05 PM, Andrew Zirkel wrote:

Is there a way to parse the input of a username and password before it is passed to the back end database? I'm doing mac address authentication and some devices are passing the mac address with dashes, where I need to have no separation between the octets. I basically need to strip out these dashes from the input.

Thanks
Andy Zirkel

--
Markus Krause email: [EMAIL PROTECTED]
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99 Fax.: 089 - 89 40 85 98
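Two threads above hinge on the same two operations: bringing the MAC address a NAS sends (with dashes, colons, dots or nothing at all between the octets) into one canonical form, and then applying the rule Phil Mayers states in the MAC authorisation thread, reject unknown rather than blindly accept known. The following is an added example, not code from any poster or from FreeRADIUS; it is written as a stand-alone Python function in the shape of an rlm_perl-style authorize hook. The KNOWN_MACS set is constructed for the example (in a deployment it would be the result of the dhcpHost or GroupOfMacaddrs LDAP lookup discussed above), and the return-code constants and function names are illustrative rather than any module's real API. Keep in mind that a MAC address is a claim, not a credential: it is trivially spoofed, so this only restricts which devices get a port, it does not authenticate them.

```python
"""
Added example (not from the thread): canonicalise a MAC address as different
NAS vendors send it, then do a default-deny lookup against an allow-list.
Function names, return-code strings and the KNOWN_MACS set are assumptions
made for this example, not FreeRADIUS or rlm_perl API.
"""
import re
from typing import Dict, Optional, Set, Tuple

# Stand-ins for what an rlm_perl authorize hook hands back to the server.
RLM_MODULE_OK = "ok"
RLM_MODULE_REJECT = "reject"
RLM_MODULE_NOOP = "noop"

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(raw: str) -> Optional[str]:
    """Strip the separators NAS devices use (':', '-', '.', whitespace) and
    return the 12 lowercase hex digits, or None if the value is not a MAC.
    '00-11-22-33-44-55', '0011.2233.4455' and '00:11:22:33:44:55' all map
    to '001122334455'; a plain login name such as 'belld' maps to None."""
    digits = re.sub(r"[\s:.\-]", "", raw.strip().lower())
    return digits if _HEX12.match(digits) else None


def to_colon_form(mac12: str) -> str:
    """'001122334455' -> '00:11:22:33:44:55', the form the LDAP member
    attributes in the thread use, for building an LDAP filter."""
    return ":".join(mac12[i:i + 2] for i in range(0, 12, 2))


# Constructed allow-list standing in for the dhcpHost / GroupOfMacaddrs entries.
KNOWN_MACS: Set[str] = {
    m for m in (normalise_mac("00:11:22:33:44:55"), normalise_mac("66-77-88-99-AA-BB")) if m
}


def authorize(request: Dict[str, str],
              known: Set[str] = KNOWN_MACS) -> Tuple[str, Dict[str, str]]:
    """Default-deny MAC authorisation.

    Returns (module return code, attributes to set).  Auth-Type would go to
    the control/check list, Reply-Message to the reply list; the split is
    left to the caller because this is an illustration, not rlm_perl glue.
    """
    user = request.get("User-Name", "")
    mac = normalise_mac(user)
    if mac is None:
        # Not a MAC-shaped User-Name: a real user login, leave it to the
        # other modules (ldap/sql) rather than rejecting it here.
        return RLM_MODULE_NOOP, {}

    # Switches doing MAC authentication usually also put the MAC into
    # Calling-Station-Id; if both are present they must agree.
    csid = request.get("Calling-Station-Id")
    if csid is not None and normalise_mac(csid) != mac:
        return RLM_MODULE_REJECT, {"Reply-Message": "User-Name does not match Calling-Station-Id"}

    # The actual policy: unknown is rejected explicitly, never left as
    # 'notfound' for a later module to turn into an accept.
    if mac not in known:
        return RLM_MODULE_REJECT, {"Reply-Message": "your mac is unknown"}

    return RLM_MODULE_OK, {"Auth-Type": "Accept"}
```

The allow-list lookup is deliberately the only path to RLM_MODULE_OK; a non-MAC User-Name returns noop so that real user logins still flow to the LDAP or SQL modules, which is the distinction the "serving different types of requests" remark above is about.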
Re: Why Freeradius and Mysql dont work?
Quoting yao guoxian [EMAIL PROTECTED]:

Platform and Environment:
Freeradius: 1.0.5 on Redhat 9
MySQL: MySQL-standard-5.0.20-linux-i686

Steps:
1. create database radius;
2. mysql -uroot -prootpass radius < db_mysql.sql ;
3. Edit radiusd.conf and sql.conf;

Debug Result:

Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 202.117.7.223:1490, id=6, length=47
    User-Name = barney
    CHAP-Password = 0xad35a90d409c25b78b6d148a531358d9ac
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module preprocess returns ok for request 2
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 2
modcall[authorize]: module mschap returns noop for request 2
rlm_realm: No '@' in User-Name = barney, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 2
radius_xlat: 'barney'
rlm_sql (sql): sql_set_user escaped user -- 'barney'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'barney' ORDER BY id'
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
modcall[authorize]: module sql returns fail for request 2
modcall: group authorize returns fail for request 2
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 202.117.7.223:1490, id=6, length=47
Discarding duplicate request from client liv1:1490 - ID: 6
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 6 with timestamp 45bca7cb
Nothing to do. Sleeping until we see a request.

From the above results, I guess mysql doesn't work. But I can access databases from the command line. The Freeradius Server worked well when I use the user, not using MySQL. Any suggestion?

Did you double-check the settings in sql.conf? It seems that freeradius can not connect to the mysql server. The startup messages (in debug mode) at my installation have the lines:

sql: safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)

Do you see those?

Regards
markus
Re: strange error in freeradius
Quoting Semenenko Pavel [EMAIL PROTECTED]:

I have a 2.6.18-gentoo-r6 kernel, and freeradius-1.1.3-r2. I correctly configured radius for working with certificates in debug mode (radiusd -fX), then added it into the init scripts, and tried to start... Oops!.. it doesn't start ;(

# /usr/sbin/radiusd
Sun Jan 28 20:58:13 2007 : Info: Starting - reading configuration files ...
#

In the log only:

# cat /var/log/radius/radius.log | tail -n 1
Sun Jan 28 20:58:13 2007 : Info: rlm_eap_tls: Loading the certificate file as a chain
#

Just a suggestion of a non-expert: if this is the point at which freeradius stops: did you check that the tls-related files (certs etc.) are readable by the user/group freeradius is running as if started by init? Just for testing: set the permissions to 666 and see if radiusd starts.

I tried to rebuild radius, tried version 1.1.4, without result. Any ideas?..

regards
markus
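The permission check behind the suggestion above, as an added example that is not part of the thread: rather than opening the files to 666 for testing (which also hands the private key to every local user, and a 666 key is something other TLS stacks refuse outright), verify that the account radiusd drops to can read the files while the key stays private to its owner. It assumes GNU coreutils stat (Linux) and that the account to check is the one named by the "user =" / "group =" settings in radiusd.conf; the function names and the file names passed in are mine, not anything from the post.

```sh
#!/bin/sh
# Added example (not from the thread): audit the files rlm_eap_tls loads
# before starting radiusd from init.  Assumes GNU stat; the account name
# and file paths are whatever radiusd.conf / eap.conf point at.

# Octal permission bits of a file, e.g. "600" (leading 4/2/1 for
# setuid/setgid/sticky stripped so the three-digit tests below apply).
file_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    printf '%s\n' "$mode" | sed 's/^[0-7]\([0-7][0-7][0-7]\)$/\1/'
}

# Success if the file is owned by the given user (the account radiusd runs as).
owned_by() {
    [ "$(stat -c '%U' "$1")" = "$2" ]
}

# Success only if a private key is readable by its owner alone:
# no group or other bits at all, i.e. mode 600 or 400.
private_key_mode_ok() {
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Certificates and the CA chain may be world-readable, but must never be
# world-writable: otherwise any local user can swap the chain the server
# presents to EAP-TLS/PEAP clients.
not_world_writable() {
    mode=$(file_mode "$1") || return 1
    other=$(printf '%s' "$mode" | sed 's/.*\(.\)$/\1/')
    case "$other" in
        2|3|6|7) return 1 ;;
        *)       return 0 ;;
    esac
}

# audit_tls_files USER PRIVATE_KEY SERVER_CERT CA_CERT
# Prints one line per finding; returns non-zero if anything is wrong.
audit_tls_files() {
    user=$1; private_key=$2; cert=$3; ca=$4
    rc=0
    for f in "$private_key" "$cert" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "FAIL: $f does not exist or is not readable by the caller"; rc=1
        fi
    done
    if ! owned_by "$private_key" "$user"; then
        echo "FAIL: $private_key is not owned by $user (radiusd cannot read it after dropping privileges)"; rc=1
    fi
    if ! private_key_mode_ok "$private_key"; then
        echo "FAIL: $private_key has mode $(file_mode "$private_key"), want 600 or 400"; rc=1
    fi
    for f in "$cert" "$ca"; do
        if ! not_world_writable "$f"; then
            echo "FAIL: $f is world-writable"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: TLS files are usable by $user without exposing the private key"
    return "$rc"
}
```

A typical call is "audit_tls_files radiusd /etc/raddb/certs/server.key /etc/raddb/certs/server.pem /etc/raddb/certs/ca.pem"; a failing line tells you which chown or chmod to apply, which is the information the 666 experiment was meant to produce, without leaving the key readable to everyone afterwards.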
Re: post-proxy section and local proxy
Hi Alan,

thanks for your answer!

Quoting Alan DeKok [EMAIL PROTECTED]:

Markus Krause wrote:

I found out that if I am doing local proxying (by setting authhost = LOCAL in proxy.conf)

That's NOT local proxying. It's a hack for telling the server that the realm exists, and it's authoritative.

the section post-proxy, which contains attr_filter, is _not_ processed.

Because the request isn't proxied.

Is this really the intended behaviour and if yes, can I change it (without hacking the code myself?)

It's the intended behavior.

ok, that sounds obvious given that that's no proxying, of course :-)

Maybe try the postauth section? That's really for handling replies from the current server to the NAS.

hmm, that sounds interesting, but I could not find any information (which I could understand) on how to do that. Would that mean writing a module of my own? Maybe in perl? Could you please give a small example of how to replace a reply attribute?

Thank you very much in advance for your help!

With best regards
markus

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
post-proxy section and local proxy
Hi List,

I am still stuck on the problem of how to overwrite replies from freeradius to a nas depending on realms (see http://marc.theaimsgroup.com/?l=freeradius-users&m=116824114228037&w=2 and http://marc.theaimsgroup.com/?l=freeradius-users&m=116903668505574&w=2) and am trying different things to solve this (I got no responses so far which, of course, is not a complaint! Maybe I am asking the wrong or a too dumb question ...)

I found out that if I am doing local proxying (by setting authhost = LOCAL in proxy.conf) the section post-proxy, which contains attr_filter, is _not_ processed. If I am using a real proxy (authhost = anotherradius:1812) attr_filter does what I want it to do: it replaces some reply-attributes (for VLAN in my case). Is this really the intended behaviour and if yes, can I change it (without hacking the code myself?) Or does someone know a better solution for my problem?

Thanks in advance for any help!

Regards
markus
setting user profile depending on realms?
Hi list!

We have an internal LAN with several VLANs, each corresponding to the unix group of the users. This VLAN information is stored in OpenLDAP (via radiusprofiledn), and that works :-) But we want to give our users the possibility to get into a special VLAN, in particular one which is called Internetcafe (in which they can use special services). I thought of doing this by adding a realm to the username, so the users can either use "username" or "[EMAIL PROTECTED]" and get the appropriate VLAN. To do this I added the following line in /etc/raddb/users:

DEFAULT User-Name =~ "@ic$", User-Profile := "cn=InternetCafe,ou=VLAN,o=Testnet"

But this works only if I do not have a radiusprofiledn attribute in the user's entry in OpenLDAP, otherwise it works. Is there a way to override the userprofile given back by freeradius if the user adds @ic (or whatever realm)? Or is there even a better way to achieve this goal and am I thinking in a completely wrong direction?

Thanks in advance for any hints!

Regards
Markus
overwriting ldap radiusprofile according to realms?
Hi list,

we are storing our user data in openLDAP with a radiusProfileDN attribute, which is sent back by the freeradius server (v.1.1.3, on SLES10) as expected. The profile contains information for the vlan of the user. We now would like to have the possibility to let the user log in to a special vlan (the internetcafe) and thought of doing this with realms, which means the user has to log in with "username" or "[EMAIL PROTECTED]", setting the following in the users file:

/etc/raddb/users
DEFAULT User-Name =~ "@ic$", User-Profile := "cn=InternetCafe,ou=Netconfig,o=Test"

This works if the user has no radiusprofileDN stored in LDAP, but if he has such an attribute the profile data from the user is used, not the cn=InternetCafe. How can I overwrite the value for radiusprofiledn if the user appends @ic to his username? Or is there a better way to achieve this (changing the profile data / vlan according to login)?

Thanks in advance for any help!

Regards
Markus
Re: FreeRADIUS for Mac OS X
Hi Paul,

I compiled it on Mac OS X 10.4.7. Maybe you need XCode? (see http://developer.apple.com/tools/xcode/)

regards
markus

Quoting Paul Ammann [EMAIL PROTECTED]:

Hi Markus

Thank you for the email. I tried that and I got the same error messages. May I ask what version of Mac OS X you compiled FreeRADIUS on?

Best regards,
Paul

gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DDARWIN -Wall -D_GNU_SOURCE -DNDEBUG -I/Users/paul/Desktop/freeradius-1.1.3/src/include -c rlm_counter.c -fno-common -DPIC -o .libs/rlm_counter.o
rlm_counter.c:38:18: error: gdbm.h: No such file or directory
rlm_counter.c:84: error: parse error before 'GDBM_FILE'
rlm_counter.c:84: warning: no semicolon at end of struct or union
rlm_counter.c:88: error: parse error before '}' token
rlm_counter.c:88: warning: type defaults to 'int' in declaration of 'rlm_counter_t'
rlm_counter.c:88: warning: data definition has no type or storage class
rlm_counter.c:116: error: parse error before 'rlm_counter_t'
rlm_counter.c:117: error: parse error before 'rlm_counter_t'
rlm_counter.c:118: error: parse error before 'rlm_counter_t'
rlm_counter.c:119: error: parse error before 'rlm_counter_t'
rlm_counter.c:120: error: parse error before 'rlm_counter_t'
rlm_counter.c:121: error: parse error before 'rlm_counter_t'
rlm_counter.c:122: error: parse error before 'rlm_counter_t'
rlm_counter.c:123: error: parse error before 'rlm_counter_t'
rlm_counter.c: In function 'counter_cmp':

Markus Krause [EMAIL PROTECTED] wrote:

hi paul,

I did a successful compile (at least without perl and sql modules, as I did not have the development files installed) about a month ago. It's just:

./configure --enable-developer
make
sudo make install

then I had a working freeradius server! This too is mentioned in the wiki.

regards
markus

Quoting Paul Ammann:

Hi

I'm looking for information for compiling / downloading FreeRADIUS for Mac OS X. I searched the list, and all the information seems outdated or inconclusive.

Best regards,
Paul
Re: FreeRADIUS for Mac OS X
hi paul,

I did a successful compile (at least without perl and sql modules, as I did not have the development files installed) about a month ago. It's just:

./configure --enable-developer
make
sudo make install

then I had a working freeradius server! This too is mentioned in the wiki.

regards
markus

Quoting Paul Ammann [EMAIL PROTECTED]:

Hi

I'm looking for information for compiling / downloading FreeRADIUS for Mac OS X. I searched the list, and all the information seems outdated or inconclusive.

Best regards,
Paul
Re: Wiki
Quoting King, Michael [EMAIL PROTECTED]:

Anyone else having trouble getting to the Wiki right now?

Yes, does not work here either ... (Munich ;-)

markus
Re: Short Deployment Platform Questionaire
Quoting Peter Nixon [EMAIL PROTECTED]:

Hi Guys

In order to bring our documentation up to date, can everyone please take a few seconds to report to me (either privately or to the list) what deployment platform(s) you are running FreeRADIUS on. In particular I am looking for non Linux/x86 information. The more information you can give me the better, but everything helps. I would like to know answers to the following questions (in order of importance):

* What Operating System and Version are you running FreeRADIUS on?

Debian Sarge 3.1 (in use)
SuSE Linux Enterprise Server 9 (updated to SLES 10, see below)
SuSE Linux Enterprise Server 10
OpenSuSE 10.0 (just for testing)
Mac OS X 10.4.7 (_not_ Server, for testing only)

* What architecture are you running on (x86, x86_64, Sparc, IA64, PPC etc)?

x86 (in use, all Linux systems)
PPC (Mac OS X)

* What version of FreeRADIUS do you have in production?

1.1.3 (all updated lately)

* Approximately how many AAA users do you have?

~ 900 users (in use, currently in LDAP)
~ 1200 devices (mac authentication, planned, still testing ...)

* Did you install a vendor package, downloaded package, selfbuilt package or source install?

Debian: selfbuilt package
SuSE: selfbuilt package
Mac OS X 10.4.7 (not server!): source install

* If you built FreeRADIUS yourself, please list any special installation/compilation steps you needed to take to make it work on your platform.

Debian and SuSE: worked out of the box
Mac OS X 10.4.7 (not server!): the ./configure script adds a line INSTALLSTRIP = -s in Make.inc which produces errors (as reported: Symbol not found: _debug_flag). Removing the -s option solves the problem; another solution is running ./configure --enable-developer.

So the following works:

# ./configure --enable-developer
# make
# sudo make install

Maybe important: I did not build any of the following modules due to missing libraries (did it just for testing and contribution, it's not a productive system; maybe next year ...): any sql-module, unixodbc, rlm_counter, rlm_ippool

Thanks in Advance from the FreeRADIUS Development Team

Thanks in return to all developers for their great work and assistance!

markus
Re: Cannot compile and run on Mac OS X 10.4.7
Quoting Nicolas Baradakis [EMAIL PROTECTED]:

Michael Check wrote:

On 8/22/06, Michael Check [EMAIL PROTECTED] wrote:

We tried googling around and we're happy to hear that freeradius will be a part of 10.5, but we'd like to get it running now... There really are no other docs we've found on getting it compiled (after difficulty like the above) and installed. Certainly nothing recent anyway. Is it true that it _should_ just work? :) Thanks in advance for any assistance,

This issue is not really solved, I didn't get it to compile, but I thought those of you that are looking for a solution to run freeRADIUS on OSX should look to the package installer that I found. It is quite recent (version 1.1.0pre0) and runs great.

I don't own an Apple machine, so I'm not able to test it myself. However from what I read on the mailing lists, it should be possible to build version 1.1.3 of FreeRADIUS on Mac OS 10.4.7 with the following commands:

$ configure --enable-developer
$ make
$ su -
# make install

It was actually me who reported successful compiling ... I just rechecked it:

# downloaded freeradius-1.1.3.tar.gz
# ./configure --enable-developer
# make
# sudo make install

and freeradius runs and responds to radtest. Another way would be ./configure, then remove the option -s in the line INSTALLSTRIP = -s, then make, sudo make install; I don't know about additional differences to --enable-developer (apart from warning flags). But I should point out that I do not use any sql-module (I do not have the libraries installed which were required) or unixodbc, and have no libgdbm, so there is no rlm_counter, rlm_ippool. Maybe there is your problem? I am using a recent mac os 10.4.7 on an ancient g4 powerbook.

regards
markus

--
Nicolas Baradakis
Re: Cannot compile and run on Mac OS X 10.4.7
*** Warning: This library needs some functionality provided by /System/Library/Perl/5.8.6/darwin-thread-multi-2level/auto/DynaLoader/DynaLoader.a.
*** I have the capability to make that library automatically link in when
*** you link to this library. But I can only do this if you have a
*** shared version of the library, which you do not appear to have.
gcc -dynamiclib -flat_namespace -undefined suppress -o .libs/rlm_perl-1.1.2.so rlm_perl.lo /usr/local/lib/libradius.dylib -L/usr/local/lib -L/System/Library/Perl/5.8.6/darwin-thread-multi-2level/CORE -lperl -ldl -lm -lc -lresolv -lpthread -lc -install_name /usr/local/lib/rlm_perl-1.1.2.so
/usr/local/src/freeradius-1.1.2/install-sh -c -c .libs/rlm_perl-1.1.2.soT /usr/local/lib/rlm_perl-1.1.2.so
(cd /usr/local/lib && rm -f rlm_perl.so && ln -s rlm_perl-1.1.2.so rlm_perl.so)
/usr/local/src/freeradius-1.1.2/install-sh -c -c .libs/rlm_perl.lai /usr/local/lib/rlm_perl.la
/usr/local/src/freeradius-1.1.2/install-sh -c -c .libs/rlm_perl.a /usr/local/lib/rlm_perl.a
ranlib /usr/local/lib/rlm_perl.a
chmod 644 /usr/local/lib/rlm_perl.a

AND RUNNING sudo radiusd -X, the following error results:

read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
radiusd.conf[1565] Failed to link to module 'rlm_exec': dlopen(/usr/local/lib/rlm_exec-1.1.2.so, 9): Symbol not found: _debug_flag
  Referenced from: /usr/local/lib/rlm_exec-1.1.2.so
  Expected in: flat namespace

AND QUITS IMMEDIATELY

---

We tried googling around and we're happy to hear that freeradius will be a part of 10.5, but we'd like to get it running now... There really are no other docs we've found on getting it compiled (after difficulty like the above) and installed. Certainly nothing recent anyway. Is it true that it _should_ just work? :)

Thanks in advance for any assistance,
Michael Check
Re: AAA
Quoting Roger Thomas [EMAIL PROTECTED]:

> Quoting Alan DeKok [EMAIL PROTECTED]:
>
> > Roger Thomas [EMAIL PROTECTED] wrote:
> > > My LDAP knowledge is quite shallow and as such I would like to use
> > > - openLDAP only for authentication
> > > - MySQL for authorization and accounting
> > > If that is possible, do I *still* need to extend my LDAP schema with ~/doc/examples/openldap.schema ?
> >
> > I don't think so. If all you're using LDAP for is usernames and passwords, that should be in the default schema.
> >
> > Alan DeKok.
> > --
> > http://deployingradius.com - The web site of the book
> > http://deployingradius.com/blog/ - The blog
>
> I ran radtest and it complained that there is no dialupAccess attribute, so access is denied by default.
>
> -- snippet from debug screen --
> ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=example,dc=com, with filter ([EMAIL PROTECTED])
> rlm_ldap: no dialupAccess attribute - access denied by default
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap returns userlock for request 0
> modcall: leaving group authorize (returns userlock) for request 0
> Invalid user (rlm_ldap: Access Attribute denies access): [EMAIL PROTECTED]/thepassword] (from client localhost port 10)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 144 to 127.0.0.1 port 32803
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 144 with timestamp 44cff3d6
> Nothing to do. Sleeping until we see a request.
>
> I noticed that the 'dialupAccess' attribute is defined in the radiusprofile objectClass (openldap.schema). This means radiusd expects that objectClass to be made available. Wonder if there is any way around this?
just comment out the line

    access_attr = dialupAccess

in the ldap section of your module definition.

hth
markus

> --
> Roger

--
Markus Krause
Re: Error in Radius.log
Quoting LeRoy DeVries [EMAIL PROTECTED]:

> I'm getting the following error in the radius log and don't know how to handle it. I assume it's handled somewhere within the radius.conf file but I can't find anything about it.
>
> Sun Dec 25 09:28:07 2005 : Error: rlm_sql: Failed to create the pair: Unknown attribute Max-All-Session

add a line to your dictionary file (on suse: /etc/raddb/dictionary):

    ATTRIBUTE Max-All-Session 3000 integer

> Sun Dec 25 09:28:07 2005 : Error: rlm_sql (sql): Error getting data from database

are you sure you set the correct variables in sql.conf, e.g. the user who is allowed to connect to the sql db and the password? an example:

    sql {
        server = localhost
        login = radiusd
        password = donttellanyone
    }

> Sun Dec 25 09:28:07 2005 : Error: rlm_sql (sql): SQL query error; rejecting user
>
> I'm a newbie to all this and am stumbling along :)
>
> --
> LeRoy Dorothy
> Location: http://map.datastormusers.com/user2.cfm?user=1591
> My Web Page: http://www.rvfulltimer.com

regards
markus

--
Markus Krause
email: [EMAIL PROTECTED]
Computing Center                Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics   Fax.: 089 - 89 40 85 98
Re: Error in Radius.log
Quoting LeRoy DeVries [EMAIL PROTECTED]:

> On Monday 26 December 2005 06:15, Markus Krause wrote:
> > Quoting LeRoy DeVries [EMAIL PROTECTED]:
> > > I'm getting the following error in the radius log and don't know how to handle it. I assume it's handled somewhere within the radius.conf file but I can't find anything about it.
> > >
> > > Sun Dec 25 09:28:07 2005 : Error: rlm_sql: Failed to create the pair: Unknown attribute Max-All-Session
> >
> > add a line to your dictionary file (on suse: /etc/raddb/dictionary):
> >
> >     ATTRIBUTE Max-All-Session 3000 integer
>
> Thanks Markus... Now I'm getting the following
>
> Mon Dec 26 08:13:56 2005 : Error: radiusd.conf: SQL modules aren't allowed in 'authenticate' sections -- they have no such method.

yes, it is not intended to be used in this section ;-) i hope i did not use this in the example config file i sent you!

> If I remove the sql from that section it doesn't complain. How does sql handle this. Also as a side note, I tried logging on using a wireless client and the login failed both on the sql (database is populated) and USERS (uncommented steve) but I can't find any logs on why.

what does freeradius say if started in debug mode (freeradius -XA)? and what does radtest say?

regards
markus

--
Markus Krause
Re: Error in Radius.log
Quoting LeRoy DeVries [EMAIL PROTECTED]:

> On Monday 26 December 2005 12:41, Markus Krause wrote:
>
> I'm finally making progress. Now I'm getting the following:
>
> modcall: group authorize returns ok for request 0
> auth: type Local
> auth: user supplied User-Password does NOT match local User-Password
> auth: Failed to validate the user.
>
> even though the password that I entered in the login is correct.

i am not an expert but it seems that you (or some module) set auth-type to local. what do your authorize and authenticate sections in radiusd.conf look like?

regards,
markus

--
Markus Krause
Re: patch for sqlcounter, please test!
Quoting Damjan [EMAIL PROTECTED]:

> > query = SELECT TO_DAYS(NOW()) - MIN(TO_DAYS(AcctStartTime)) FROM radacct WHERE UserName = '%{%k}' LIMIT 1;
> >
> > this actually works very well: a user logs in and is allowed to access the network until the date changes, e.g. the second time if he is allowed access for two days. but as i am saving the days as days in the mysql database, i run into trouble with Session-Timeout because rlm_sqlcounter assumes that the query returns seconds and the user gets a session timeout of the remaining days as seconds (a value between 1 and 7!). putting the day limit as seconds into the database does (in my case/opinion) not make any sense here.
>
> Hmm.. this is the first time I see your question,

i posted it 5.10.2005, but that's no problem, there are so many questions on the list and i learned a lot ;-)

> but you could've modified your query like so:
>
> query = SELECT 3600*TO_DAYS(NOW()) - MIN(TO_DAYS(AcctStartTime))

i think you meant 86400 (60 x 60 x 24)? i tried something like that too and it worked, but you see how easily the time is calculated wrong ;-) and to have a simple parameter seems to me more simple and flexible.

> Alternatively, you could use the Expire attribute, you just put a date in it, and Freeradius will calculate the Session-Timeout.

but doesn't the expire attribute have to be set to a fixed date? i want to have the account, let's say, three days from first usage.

regards,
markus

--
Markus Krause
Re: use of pam and sql db simultaneously
Quoting Alan DeKok [EMAIL PROTECTED]:

> Markus Krause [EMAIL PROTECTED] wrote:
> > i would like to authenticate users via pam and sql.
>
> Huh? I don't know what that means. Usually if the user has a password, they have one password, which can be stored in one place. You don't need to use both PAM and SQL.

sorry for not writing in more detail what i am intending to do (i didn't want you to have to read too much); reading my first email now again there is not much info :-( , so:

a cisco vpn concentrator is planned to be used to connect two groups of users to parts of our network:
1) our regular users with unix accounts - pam
2) guests, which should get access only for some days - sql

so the concentrator gets a username/password combination and asks the radius server if they are valid.

> > authenticate { pam }
>
> That guarantees that CHAP and MS-CHAP won't work.

actually i think i do not need them, but as i am still at the beginning with freeradius i may be wrong here ... (corrections welcome! ;-)

> > users known by pam get access-accept, but those in sql don't,
>
> Because that's what you configured the server to do. The problem is that you forced ALL users to be authenticated via PAM, when it's not necessary.

that's how i (mis)understood the docu in /usr/share/doc/packages/freeradius/rlm_pam where it says: Use Auth-Type = Pam in the users file. if i do not enter this line in /etc/raddb/users no user at all in pam can be authenticated. what am i doing wrong here?

> > do these modules (rlm_pam and rlm_sql) exclude each other?
>
> Only if you configure them that way.
>
> > how can i use them simultaneously i.e. in parallel?
>
> Try this configuration. It should work. See doc/configurable_failover for details.
>
> [snipped config example]

thank you very much, this works exactly how i want it! (i just left out pap/chap/mschap as i still assume that i do not need them) to do this via failover did not come to my mind! (which now seems so obvious!)

> In summary, if you're not sure how to configure the server, DO NOT do massive edits to radiusd.conf. You'll almost definitely get it wrong. The default configuration is there for a reason: it works.
>
> Alan DeKok.

sorry, but i am still learning to work with freeradius and really appreciate all info and corrections! what confused me was that rlm_ldap just returns notfound if a user is not in the database (i am using this in another installation) and rlm_pam returns reject. (or am i wrong again?)

thanks again for your help!

with best regards
markus

--
Markus Krause
patch for sqlcounter, please test!
hi list!

part of a radius-related project is to allow access for our guests and visitors at our institute to parts of our network, of course only with username and password, and do some logging. the idea is that guests get an account and a password which they can use for a period of one to seven days (according to setup). to achieve this i am using the sqlcounter module using the following query:

    query = SELECT TO_DAYS(NOW()) - MIN(TO_DAYS(AcctStartTime)) FROM radacct WHERE UserName = '%{%k}' LIMIT 1;

this actually works very well: a user logs in and is allowed to access the network until the date changes, e.g. the second time if he is allowed access for two days. but as i am saving the days as days in the mysql database, i run into trouble with Session-Timeout because rlm_sqlcounter assumes that the query returns seconds and the user gets a session timeout of the remaining days as seconds (a value between 1 and 7!). putting the day limit as seconds into the database does (in my case/opinion) not make any sense here.

as i posted a question about this some two months ago to the freeradius users list, unfortunately nobody had a solution available, but i can remember several answers (to the list and by private mail) that this feature would be nice!
so i finally tried some coding today and now here is my proposal: add an optional parameter 'timeunit' to sqlcounter.conf that represents the time unit used in the query and the check value (in the sql db). my config then reads:

+++ /etc/raddb/sqlcounter.conf
sqlcounter shorttermaccounts {
    counter-name = Short-Term-Account
    check-name = Max-Days-Passed
    sqlmod-inst = sql
    key = User-Name
    reset = never
    timeunit = days
    query = SELECT TO_DAYS(NOW()) - MIN(TO_DAYS(AcctStartTime)) FROM radacct WHERE UserName = '%{%k}' LIMIT 1;
}
--- /etc/raddb/sqlcounter.conf

in rlm_sqlcounter.c i added some lines which (if 'timeunit' is set) multiply the value of 'res' (i assume this is the remaining time of allowed success) by an appropriate value to get seconds. in this case Session-Timeout is returned correctly. possible values for timeunit are minutes, hours, days, and weeks (for now). a patch to version 1.0.5 can be found as attachment to this email.

i ran several tests and it is also working with different queries (like the ones in the doc), but i would appreciate others doing some testing if it really works. but as it seems that nobody has made a proposal/code for this yet, what do you think about it? i put this also on bugs.freeradius.org but could not find the component rlm_sqlcounter so i put it in modules, i hope i did not mess up things!

hoping for much feedback! ;-)

with best regards,
markus

--
Markus Krause

--- rlm_sqlcounter-original.c 2005-12-16 15:05:54.725659800 +0100
+++ rlm_sqlcounter.c 2005-12-16 15:20:10.761522568 +0100
@@ -72,6 +72,7 @@ char *sqlmod_inst; /* instance of SQL module to use, usually just 'sql' */ char *query; /* SQL query to retrieve current session time */ char *reset; /* daily, weekly, monthly, never or user defined */ + char *timeunit; /* minutes, hours, days or weeks */ time_t reset_time; time_t last_reset; int key_attr; /* attribute number for key field */ @@ -94,6 +95,7 @@ { sqlmod-inst, PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,sqlmod_inst), NULL, NULL }, { query, PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,query), NULL, NULL }, { reset, PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,reset), NULL, NULL }, + { timeunit, PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,timeunit), NULL, NULL }, { NULL, -1, 0, NULL, NULL } }; @@ -544,6 +546,7 @@ int ret=RLM_MODULE_NOOP; int counter=0; int res=0; + int timemultiplier=1; DICT_ATTR *dattr; VALUE_PAIR *key_vp, *check_vp; VALUE_PAIR *reply_item; @@ -612,6 +615,27 @@ * Check if check item counter */ res=check_vp-lvalue - counter; + + /* + * If timeunit is set in sqlcounter.conf set timemultiplier + */ + if( data-timeunit != NULL ) { + if(strcmp(data-timeunit, minutes) == 0 ) { + timemultiplier = 60; + } else if(strcmp(data-timeunit, hours) == 0 ) { + timemultiplier = 3600; + } else if(strcmp(data-timeunit, days) == 0 ) { + timemultiplier = 86400; + } else if(strcmp(data-timeunit, weeks) == 0 ) { + timemultiplier = 604800; + } else { + radlog(L_ERR, rlm_sqlcounter: Unknown value for timeunit \%s\ in sqlcounter.conf, data-timeunit); + return -1; + } + } + if( timemultiplier ) + res *= timemultiplier; + if (res 0) { DEBUG2(rlm_sqlcounter: (Check item - counter) is greater than
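Review bot: in the @@ -612 hunk the strcmp chain over data-timeunit runs on every authorize call, and an unknown value makes the function `return -1`, which is not one of the RLM_MODULE_* codes the caller expects (RLM_MODULE_FAIL would be). Do the validation once in the module's instantiate function, so a misspelled timeunit fails at startup rather than per request, store the resulting multiplier in rlm_sqlcounter_t next to the `timeunit` string, and reduce the authorize path to a single `res *= data->timemultiplier;`. The `if( timemultiplier )` guard is also dead code: `timemultiplier` starts at 1 and every branch assigns a non-zero value.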
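Review bot: the new `timeunit` option introduced in the @@ -72 and @@ -94 hunks is not documented anywhere in the patch. Add it to the sample sqlcounter.conf and to the module's documentation with its four accepted values (minutes, hours, days, weeks), stating that the check item and the query result are then interpreted in that unit while the default remains seconds; otherwise a reader of the config cannot tell why the Session-Timeout in the reply is a multiple of 86400.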
RE: regexp with ldap
hello edvin,

as nobody seems to know an answer to my question i modified the filter to

    filter = (dhcpHWAddress=ethernet %{User-Name})

which works well but has of course nothing to do with regexp, that's why i did not post this solution/workaround to the list. maybe this can not be done using regexp because it is not a part of a radius variable which must be changed here but an ldap response. i was indeed able to modify User-Name using attr_rewrite, for example change aa:bb:cc:dd:ee:ff to aabbccddeeff, but that of course did not help. if anyone knows a way to achieve this by regexp (or another better / more sophisticated way) i am still very interested in every example!

regards
markus

Quoting Seferovic Edvin [EMAIL PROTECTED]:

> Hello,
>
> has anyone got this working? I have a similar setup, but I've decided to have an extra copy of mac-addresses in my ldap tree for mac-auth. Markus, have you found a solution?
>
> Regards,
> Edvin Seferovic
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Krause
> Sent: Thursday, 24 November 2005 01:15
> To: freeradius-users@lists.freeradius.org
> Subject: regexp with ldap
>
> hi all,
>
> i am using freeradius 1.0.5 on sles 9. what i want to achieve: network devices send their mac-address to a switch, which then sends access-request packets to the freeradius. the mac-addresses are stored in an ldap tree using the objectclass dhcpHost and the entry dhcpHWAddress (which is also used for dhcp). unfortunately the attribute dhcpHWAddress contains entries like "ethernet 00:11:22:33:44:55" and not only the mac address. (how) can i use regexp to get the necessary information from ldap? i read variables.txt but seem to be misunderstanding the concept (sorry, i am not an english native speaker ..). do i have to enter something in the ldap section in 'filter=...' in radiusd.conf? could someone give me some examples?
>
> thanks in advance for any hints!
> best regards,
> markus
>
> --
> Markus Krause

--
Markus Krause
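As an added example (not code from this thread and not part of FreeRADIUS), the filter from the workaround above can be built outside the server in a way that also answers the original question about the many spellings of a MAC address: normalise whatever arrives as User-Name, reject anything that is not a MAC, and only then interpolate it into the dhcpHWAddress filter. Function names and sample inputs are constructed; the escaping table follows RFC 4515.

```python
"""Added example, not code from the thread or from FreeRADIUS: normalise a
MAC address received as User-Name and build the dhcpHWAddress search filter
from it. Function names and the sample inputs are constructed."""
import re

# Accepted spellings of a MAC address (case-insensitive): aa:bb:cc:dd:ee:ff,
# aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and aabbccddeeff. Anything else is rejected
# outright, so no un-normalised User-Name ever reaches the directory.
_MAC_FORMS = (
    re.compile(r"^[0-9a-f]{2}(?P<sep>[:-])(?:[0-9a-f]{2}(?P=sep)){4}[0-9a-f]{2}$"),
    re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$"),
    re.compile(r"^[0-9a-f]{12}$"),
)

# Characters with special meaning in an LDAP search filter (RFC 4515) and
# their escaped forms.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalise_mac(user_name: str):
    """Return the MAC as lower-case 'aa:bb:cc:dd:ee:ff', or None if the
    User-Name is not a MAC address in one of the accepted spellings."""
    candidate = user_name.strip().lower()
    if not any(form.match(candidate) for form in _MAC_FORMS):
        return None
    digits = re.sub(r"[^0-9a-f]", "", candidate)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def dhcp_hwaddress_filter(user_name: str):
    """Build the filter the thread settled on, '(dhcpHWAddress=ethernet <mac>)',
    from a raw User-Name. Returns None when the name is not a MAC address."""
    mac = normalise_mac(user_name)
    if mac is None:
        return None
    # Escaping is a no-op for a normalised MAC; it is kept so the helper stays
    # safe if a value that was not normalised is ever passed through.
    return f"(dhcpHWAddress=ethernet {ldap_filter_escape(mac)})"


if __name__ == "__main__":
    for name in ("00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF", "0011.2233.4455",
                 "aabbccddeeff", "*", "00:11:22:33:44"):
        print(f"{name!r:22} -> {dhcp_hwaddress_filter(name)}")
```

Whatever the server itself does with %{User-Name}, refusing every name that is not a MAC address before it reaches the directory is the cheap check; the attr_rewrite step mentioned above (colons stripped) is just one more spelling that normalise_mac() folds back into the form stored in dhcpHWAddress.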
Re: Outter User-Name for Accounting in EAP-TTLS
i posted the same question a week or so ago; alan suggested to send the user-name back with the radius response. unfortunately this did not help, it seems that the accesspoints we were using (foundry ironpoint 200) mix them up; foundry is currently examining the case. which ap are you using?

regards,
markus

Quoting kevin [EMAIL PROTECTED]:

> I am resending this 'cause nobody responded. Any idea?
> Kevin
>
> I want to use FreeRadius for proxy so our map is like
> AP - FreeRadius - MyRadius
> Problem is MyRadius gets user-name=anonymous in accounting. Is there a way that we can put a real user-name to accounting?

--
Markus Krause
Re: pb w/ accounting: wrong username (anonymous) used
i found another weird thing: the account log file /var/log/radius/radacct/192.168.10.2./detail-20051114 does contain the correct username entries; in the mysql table radacct the accounting start logging is missing:

+++ /var/log/radius/radacct/192.168.10.2./detail-20051114:
Mon Nov 14 18:10:08 2005
        Acct-Delay-Time = 0
        NAS-Identifier = AP-T-01
        User-Name = test1
        Acct-Status-Type = Start
        Acct-Session-Id = 00:0E:35:C4:70:A8
        Acct-Authentic = RADIUS
        Calling-Station-Id = 000e35c470a8
        Called-Station-Id = 000cdb8be098
        NAS-IP-Address = 192.168.10.2
        Service-Type = Framed-User
        NAS-Port-Type = Wireless-802.11
        Client-IP-Address = 192.168.10.2
        Acct-Unique-Session-Id = 8d85887a1ead2772
        Timestamp = 1131988208

Mon Nov 14 18:10:26 2005
        Acct-Delay-Time = 0
        NAS-Identifier = AP-T-01
        Acct-Input-Octets = 10209
        Acct-Output-Octets = 9614
        Acct-Input-Packets = 80
        Acct-Output-Packets = 40
        User-Name = test1
        Acct-Status-Type = Stop
        Acct-Session-Id = 00:0E:35:C4:70:A8
        Acct-Session-Time = 19
        Acct-Authentic = RADIUS
        Acct-Terminate-Cause = Lost-Service
        Calling-Station-Id = 000e35c470a8
        Called-Station-Id = 000cdb8be098
        NAS-IP-Address = 192.168.10.2
        Service-Type = Framed-User
        NAS-Port-Type = Wireless-802.11
        Client-IP-Address = 192.168.10.2
        Acct-Unique-Session-Id = 8d85887a1ead2772
        Timestamp = 1131988226
--- (/var/log/radius/radacct/192.168.10.2./detail-20051114)

+++ mysql output:
mysql> select * from radacct where AcctUniqueID=8d85887a1ead2772;

RadAcctId:          43
AcctSessionId:      00:0E:35:C4:70:A8
AcctUniqueId:       8d85887a1ead2772
UserName:           test1
Realm:              (empty)
NASIPAddress:       192.168.10.2
NASPortId:          0
NASPortType:        Wireless-802.11
AcctStartTime:      2005-11-14 18:10:08
AcctStopTime:       2005-11-14 18:10:26
AcctSessionTime:    19
AcctAuthentic:      RADIUS
ConnectInfo_start:  (empty)
ConnectInfo_stop:   (empty)
AcctInputOctets:    10209
AcctOutputOctets:   9614
CalledStationId:    000cdb8be098
CallingStationId:   000e35c470a8
AcctTerminateCause: Lost-Service
ServiceType:        Framed-User
FramedProtocol:     (empty)
FramedIPAddress:    (empty)
AcctStartDelay:     0
AcctStopDelay:      0

1 row in set (0.00 sec)
--- (mysql output)

it seems that the sql accounting (always! tried several times) never gets an accounting start. can this be due to misconfiguration or is there something broken in the sql module?

thanks in advance for any hints!

regards,
markus

Quoting Alan DeKok [EMAIL PROTECTED]:

> Markus Krause [EMAIL PROTECTED] wrote:
> > Sending Access-Accept of id 238 to 192.168.10.2:2430
> > Session-Timeout = 600
> > User-Name := test1
> > ...
> > rad_recv: Accounting-Request packet from host 192.168.10.2:9000, id=15, length=123
> > Acct-Delay-Time = 0
> > NAS-Identifier = AP-T-01
> > User-Name = anonymous
>
> Your NAS is broken. Call the manufacturer, and ask them for a firmware upgrade that allows it to support RADIUS properly.
>
> Alan DeKok.

--
Markus Krause
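Comparing the detail file with the SQL table by eye, as the message above does, is error-prone once there are more than two records. The following is an added example, not code from the thread or from FreeRADIUS: it parses the radacct detail format shown above and flags sessions that have a Stop record but no Start. The first two records are the ones from the message; the third record (unique id 0123456789abcdef) and all function names are constructed.

```python
"""Added example, not code from the thread or from FreeRADIUS: parse the
radacct detail-file format and report sessions whose Stop record has no
matching Start. Two records are copied from the thread; the third one
(unique id 0123456789abcdef) is constructed to show the failure case.
String values are quoted as the detail module writes them; the parser
accepts unquoted values too."""
from collections import defaultdict

SAMPLE_DETAIL = """\
Mon Nov 14 18:10:08 2005
\tAcct-Delay-Time = 0
\tNAS-Identifier = "AP-T-01"
\tUser-Name = "test1"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "00:0E:35:C4:70:A8"
\tAcct-Authentic = RADIUS
\tCalling-Station-Id = "000e35c470a8"
\tCalled-Station-Id = "000cdb8be098"
\tNAS-IP-Address = 192.168.10.2
\tService-Type = Framed-User
\tNAS-Port-Type = Wireless-802.11
\tClient-IP-Address = 192.168.10.2
\tAcct-Unique-Session-Id = "8d85887a1ead2772"
\tTimestamp = 1131988208

Mon Nov 14 18:10:26 2005
\tAcct-Delay-Time = 0
\tNAS-Identifier = "AP-T-01"
\tAcct-Input-Octets = 10209
\tAcct-Output-Octets = 9614
\tUser-Name = "test1"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "00:0E:35:C4:70:A8"
\tAcct-Session-Time = 19
\tAcct-Terminate-Cause = Lost-Service
\tAcct-Unique-Session-Id = "8d85887a1ead2772"
\tTimestamp = 1131988226

Mon Nov 14 18:12:00 2005
\tUser-Name = "test1"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "00:0E:35:C4:70:A9"
\tAcct-Session-Time = 5
\tAcct-Unique-Session-Id = "0123456789abcdef"
\tTimestamp = 1131988320
"""


def parse_detail(text):
    """Split a detail file into records: a non-indented timestamp line starts
    a record, each indented 'Attribute = Value' line adds to it, and a blank
    line ends it. Quotes around string values are stripped."""
    records, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        if not raw[0].isspace():
            if current is not None:
                records.append(current)
            current = {"_timestamp": raw.strip()}
            continue
        if current is None:  # attribute line without a header: malformed, skip
            continue
        attr, sep, value = raw.strip().partition(" = ")
        if sep:
            current[attr] = value.strip().strip('"')
    if current is not None:
        records.append(current)
    return records


def sessions_by_status(records):
    """Map Acct-Unique-Session-Id -> set of Acct-Status-Type values seen."""
    seen = defaultdict(set)
    for rec in records:
        sid = rec.get("Acct-Unique-Session-Id") or rec.get("Acct-Session-Id")
        seen[sid].add(rec.get("Acct-Status-Type"))
    return dict(seen)


def stops_without_start(records):
    """Unique ids that have a Stop but never a Start; a non-empty result is
    what the SQL side in the thread was suspected of producing."""
    return sorted(sid for sid, kinds in sessions_by_status(records).items()
                  if "Stop" in kinds and "Start" not in kinds)


def session_time_mismatches(records, tolerance=1):
    """Cross-check the NAS-reported Acct-Session-Time against the gap between
    the Start and Stop Timestamps; returns ids off by more than tolerance."""
    starts, stops = {}, {}
    for rec in records:
        sid = rec.get("Acct-Unique-Session-Id")
        if rec.get("Acct-Status-Type") == "Start":
            starts[sid] = int(rec["Timestamp"])
        elif rec.get("Acct-Status-Type") == "Stop":
            stops[sid] = (int(rec["Timestamp"]), int(rec.get("Acct-Session-Time", 0)))
    return sorted(sid for sid, (stop_ts, reported) in stops.items()
                  if sid in starts and abs((stop_ts - starts[sid]) - reported) > tolerance)


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    print(len(recs), "records")
    print("stop without start:", stops_without_start(recs))
    print("session-time mismatches:", session_time_mismatches(recs))
```

Running the same check over rows exported from radacct (AcctStartTime, AcctStopTime and AcctSessionTime) is the quickest way to see whether the Start packets really never reach the SQL module or whether the Stop query simply overwrites the row.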
sqlcounter and session-timeout
hi all,

i have set up freeradius v1.0.5 with experimental modules on a sles 9 system. i am storing the user information in a mysql db, which works. then i wanted to configure some short term accounts which are only valid for some days, to be more exact: after the first usage of a username the account should be valid until midnight (the same, following, .. days). testing with ntradping worked. to achieve this i use the following in radiusd.conf, sqlcounter.conf and dictionary:

+++ radiusd.conf
authorize {
    preprocess
    eap
    files
    sql
    shorttermaccount
}
authenticate {
    eap
}
accounting {
    detail
    unix
    radutmp
    sql
}
--- (radiusd.conf)

+++ sqlcounter.conf
sqlcounter shorttermaccount {
    counter-name = Short-Term-Account
    check-name = Max-Days-Passed
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = SELECT TO_DAYS( NOW() ) - TO_DAYS( AcctStartTime ) FROM radacct WHERE UserName = '%{%k}' LIMIT 1;
}
--- (sqlcounter.conf)

+++ dictionary
ATTRIBUTE Max-Days-Passed 3000 integer
--- (dictionary)

in the mysql db i have:

+++ mysql output
mysql> select * from radcheck;
+----+----------+-----------------+----+----------+
| id | UserName | Attribute       | op | Value    |
+----+----------+-----------------+----+----------+
|  6 | guest2   | Password        | := | secret99 |
|  7 | guest2   | Max-Days-Passed | := | 1        |
+----+----------+-----------------+----+----------+
--- (mysql output)

testing with ntradping shows access-accept (until midnight after first accounting). but when using an ironpoint 200 ap i run into the following problem: the reply message contains

    Session-Timeout := 1

which is (as it seems) sent by sqlcounter, which means the client (a windows xp sp2 with intel pro 2200bg) reconnects every second!! i already tried to enter the user guest2 in mysql in the table radreply:

+++ mysql output
mysql> select * from radreply;
+----+----------+-----------------+----+-------+------+
| id | UserName | Attribute       | op | Value | prio |
+----+----------+-----------------+----+-------+------+
|  1 | guest2   | Session-Timeout | := | 600   |    1 |
+----+----------+-----------------+----+-------+------+
1 row in set (0.00 sec)
--- (mysql output)

but this only affects users which have no attribute Max-Days-Passed...
how can i override the value of session-timeout, let's say for 10 minutes (i don't care if a user can stay connected until 0:10)?? thanks in advance for any hints!!

with best regards,
markus

--
Markus Krause
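An added example (not FreeRADIUS code) that covers this message and the later "patch for sqlcounter, please test!" proposal: it reproduces the arithmetic that turns Max-Days-Passed := 1 into Session-Timeout := 1, shows what the proposed timeunit multiplier returns instead, and puts both next to the number of seconds actually left until midnight. to_days() uses Python's date ordinal as a stand-in for MySQL's TO_DAYS(); the function names, the TIMEUNIT_SECONDS table and the sample times are constructed (the first start time is the one from the detail file earlier in this archive).

```python
"""Added example, not FreeRADIUS code: the arithmetic rlm_sqlcounter applies
to a day-based counter, with and without the 'timeunit' multiplier proposed
in the patch, next to the exact number of seconds left before the account
expires at midnight. to_days() uses Python's date ordinal as a stand-in for
MySQL TO_DAYS(); all function names and the sample dates are constructed."""
from datetime import datetime, timedelta

# Multipliers the patch accepts; 'seconds' is the module's unpatched behaviour.
TIMEUNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600,
                    "days": 86400, "weeks": 604800}


def to_days(moment: datetime) -> int:
    """Stand-in for MySQL TO_DAYS(): a monotonically increasing day number."""
    return moment.date().toordinal()


def days_passed(first_start: datetime, now: datetime) -> int:
    """Value of the thread's query: TO_DAYS(NOW()) - MIN(TO_DAYS(AcctStartTime))."""
    return to_days(now) - to_days(first_start)


def multiplied_query(first_start: datetime, now: datetime, factor: int) -> int:
    """The 'factor*TO_DAYS(NOW()) - MIN(TO_DAYS(...))' variant as written later in
    the thread: without parentheses the factor binds to the first term only, so
    the result is not factor*days_passed. Returned for comparison."""
    return factor * to_days(first_start if False else now) - to_days(first_start)


def sqlcounter_session_timeout(max_units: int, counter: int, timeunit: str = "seconds"):
    """res = check_item - counter, then res *= multiplier (the patch). Returns the
    Session-Timeout value, or None when the limit is used up and the module rejects."""
    if timeunit not in TIMEUNIT_SECONDS:
        raise ValueError(f"unknown timeunit {timeunit!r}")
    res = max_units - counter
    if res <= 0:
        return None
    return res * TIMEUNIT_SECONDS[timeunit]


def seconds_until_expiry(max_days: int, first_start: datetime, now: datetime):
    """Exact answer for 'valid until midnight of the last permitted day': an account
    first used on day D with Max-Days-Passed = N expires at 00:00 of day D+N."""
    expiry = datetime.combine(first_start.date() + timedelta(days=max_days),
                              datetime.min.time())
    left = int((expiry - now).total_seconds())
    return left if left > 0 else None


def thread_example(max_days: int = 1, hours_later: float = 0.0) -> dict:
    """Run the numbers for the thread's own session (first AcctStartTime
    2005-11-14 18:10:08, checked 18 s later plus hours_later); constructed."""
    first = datetime(2005, 11, 14, 18, 10, 8)
    now = datetime(2005, 11, 14, 18, 10, 26) + timedelta(hours=hours_later)
    passed = days_passed(first, now)
    return {
        "days_passed": passed,
        "unpatched": sqlcounter_session_timeout(max_days, passed),
        "timeunit_days": sqlcounter_session_timeout(max_days, passed, "days"),
        "until_midnight": seconds_until_expiry(max_days, first, now),
        "factor_first_query": multiplied_query(first, now, 86400),
    }


if __name__ == "__main__":
    for label, result in (("first day", thread_example(1)),
                          ("next morning", thread_example(1, hours_later=15)),
                          ("three days allowed", thread_example(3))):
        print(label, result)
```

Two things the numbers show: with timeunit = days the reply on the first day is 86400 although the account should end at midnight, so a NAS that honours Session-Timeout keeps the session past the day boundary until the next reauthentication, and seconds_until_expiry() is the value that matches the stated policy. multiplied_query() also shows why the `3600*TO_DAYS(NOW()) - MIN(...)` rewrite suggested in the reply does not do what was meant: the factor applies to the first term only.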
pb w/ accounting: wrong username (anonymous) used
hi all!

my setup:
radius server: freeradius v.1.0.5 on sles 9, user db in mysql
clients: windows xp sp2 with intel pro 2200bg
  * using intel pro/wireless software
  * using secure w2

users can connect via a foundry ironpoint 200, but accounting does not work as the username used as entry in the mysql table radacct is always anonymous! the table radpostauth does contain entries from both anonymous and user1. how can i fix this?

thanks in advance for any hints!!

with best regards,
markus

--
Markus Krause
rlm_radutmp: No NAS-Port seen
hi all!

when running freeradius in debug mode i am finding the following message:

+++ [snipp]
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
[snipp]
radius_xlat: '/var/log/radius/radutmp'
radius_xlat: 'anonymous'
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
---

is this really just a warning or does it mean the accounting (done for short term accounts using mysql) will not work? (as reported in another mail i only got accounting entries for user anonymous which comes from eap-ttls)

thanks in advance for your help!

with best regards,
markus

--
Markus Krause
Re: pb w/ accounting: wrong username (anonymous) used
into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('00:0E:35:C4:70:A8', '2c48bc3157ed8558', 'anonymous', '', '192.168.10.2', '', 'Wireless-802.11', '2005-11-12 19:20:42', '0', '0', 'RADIUS', '', '', '0', '0', '000cdb8be098', '000e35c470a8', '', 'Framed-User', '', '', '0', '0')'
radius_xlat: '/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('00:0E:35:C4:70:A8', '2c48bc3157ed8558', 'anonymous', '', '192.168.10.2', '', 'Wireless-802.11', '2005-11-12 19:20:42', '0', '0', 'RADIUS', '', '', '0', '0', '000cdb8be098', '000e35c470a8', '', 'Framed-User', '', '', '0', '0')
rlm_sql (sql): Released sql socket id: 0
modcall[accounting]: module sql returns ok for request 6
modcall: group accounting returns ok for request 6
Sending Accounting-Response of id 15 to 192.168.10.2:9000
Finished request 6
--- (radiusd output)

Access-Accept now contains the correct User-Name (or did i misunderstand your answer??) but in the mysql table radacct still username=anonymous is inserted. it seems i am on the wrong way ... or can there be something wrong with the accesspoint (foundry ironpoint 200)?

thanks in advance for your help!

regards,
markus

Quoting Alan DeKok [EMAIL PROTECTED]:

> Markus Krause [EMAIL PROTECTED] wrote:
> > users can connect via a foundry ironpoint 200, but accounting does not work as the username used as entry in the mysql table radacct is always anonymous!
>
> Because that's the only User-Name that the NAS sees in the Access-Request. In order to change it in the accounting packets, you have to add (or change) a User-Name attribute in the Access-Accept. The NAS will then send that name in accounting packets.
>
> Alan DeKok.

--
Markus Krause
using ldap, sql and pam for user authentification
hi all!

i want to configure the freeradius server (1.0.5) to use ldap, sql and pam as sources for user authentication. i only get the first two to work at the same time (ldap and sql) but not together with pam. if i use this in /etc/raddb/users:

+++ users
wlan      Auth-Type = EAP
testuser  Auth-Type := Local, User-Password == secret
--- users

all users in ldap and sql (and of course the testusers in the users file) can be authorized, but users in pam can not; radiusd says:

+++ radiusd debug output
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
---

with the following in /etc/raddb/users:

+++ users
DEFAULT   Auth-Type = Pam
          Fall-Through = Yes
wlan      Auth-Type = EAP
testuser  Auth-Type := Local, User-Password == secret
--- users

users in pam get an access-accept message, but not those in ldap and sql (nor the testuser in users). the debug output for a user in sql says:

+++ radiusd debug output (only important parts as i assume)
modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for request 6
users: Matched entry DEFAULT at line 1
modcall[authorize]: module files returns ok for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nig49594
radius_xlat: '(uid=nig49594)'
radius_xlat: 'dc=mogli,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=nig49594)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns notfound for request 6
radius_xlat: 'nig49594'
rlm_sql (sql): sql_set_user escaped user --> 'nig49594'
[snipp sql queries]
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module sql returns ok for request 6
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user nig49594, check_item=1, counter=0
rlm_sqlcounter: Sent Reply-Item for user nig49594, Type=Session-Timeout, value=1
modcall[authorize]: module onedayaccounts returns ok for request 6
modcall: group authorize returns ok for request 6
rad_check_password: Found Auth-Type Pam
auth: type PAM
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
pam_pass: using pamauth string radiusd for pam.conf lookup
pam_pass: function pam_authenticate FAILED for nig49594. Reason: User not known to the underlying authentication module
modcall[authenticate]: module pam returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
---

same for an ldap user:

+++ radiusd debug output (snipped again)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser
radius_xlat: '(uid=ldapuser)'
radius_xlat: 'dc=mogli,dc=de'
[snipp]
rlm_ldap: user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
radius_xlat: 'ldapuser'
rlm_sql (sql): sql_set_user escaped user --> 'ldapuser'
[snipp]
rlm_sql (sql): User ldapuser not found in radcheck
rlm_sql (sql): User ldapuser not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns notfound for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module onedayaccounts returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Pam
auth: type PAM
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string radiusd for pam.conf lookup
pam_pass: function pam_authenticate FAILED for ldapuser. Reason: User not known to the underlying authentication module
modcall[authenticate]: module pam returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [ldapuser] (from client wlan port 0)
---

it seems that pam returns reject if a user is not found by pam; sql and ldap return notfound. how can i set up the pam part to return notfound and not overwrite the ok request by the other modules?

thanks in advance for your help!

regards
markus

--
Markus Krause
errors building suse rpm
hi list,

I tried to build an rpm package for suse using freeradius-1.0.5 on both sles 9 and suse 10.0-oss, with the same results. Unfortunately it did not go smoothly; here is what I did and what happened:

1) I edited freeradius.spec:
   - correcting the version info in the second line from 1.0.2 to 1.0.5
   - changing the version from 1.0.4 to 1.0.5 in the section with name, licence, group, etc.
   - in BuildRequires I removed postgresql, libnscd, libzio. The reason for removing the last two was that I could not find them in sles9. Does anyone know in which package they should be? But I think that the building problems do not depend on these.

2) At the end of CFLAGS in the section %build I added --with-experimental-modules (I need the sqlcounter module).

3) Then I ran rpmbuild -ba freeradius.spec. At the end (I assume after compiling, on bundling the package) I get:

    + Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/freeradius-1.0.5-build
    error: Installed (but unpackaged) file(s) found:
       /etc/raddb/example.pl

    RPM build errors:
        Installed (but unpackaged) file(s) found:
       /etc/raddb/example.pl

As I do not use/need rlm_perl, I just uncommented the line containing this information (after install-scripts: in src/modules/rlm_perl/Makefile.in); the build is successful, and the installed package works correctly. What would be the correct action, and not a work-around?

regards,
markus
Re: errors building suse rpm
hello and thanks a lot for your help!

I used your second proposal (just in case someone needs it): in freeradius.spec I added the following line after %config(noreplace) /etc/raddb/attrs:

    %config /etc/raddb/example.pl

With this line (and the changes mentioned in my first email, see below) building the rpm works perfectly.

regards,
markus

Quoting Andrew Teixeira [EMAIL PROTECTED]:

> Hello,
>
> I'm no expert on freeradius, but I have done some extensive RPM packaging, so my suggestions are as follows:
>
> At the end of the %install section of the SPEC file, just add a line stating rm -f %{buildroot}/etc/raddb/example.pl. That will remove the unwanted file.
>
> - or -
>
> Add the /etc/raddb/example.pl to the %files section to add this file to the distribution, thus making it no longer an unpackaged file.
>
> - or -
>
> Add the following define to the SPEC file:
>
>     %define _unpackaged_files_terminate_build 0
>
> I primarily package RPMs on Mandriva Linux, so I'm not sure if the third option is the same on SUSE, but you might try to give it a whirl since it is probably the easiest option to try. Basically, it still checks for the unpackaged files, but won't prevent the package from being built if unpackaged files are found. The most portable solutions, however, are the first two.
>
> On 10/22/05, Markus Krause [EMAIL PROTECTED] wrote:
> > hi list, i tried to build an rpm-package for suse using freeradius-1.0.5 on both sles 9 and suse 10.0-oss with same results. unfortunately it did not go smoothly, here is what i did and what happend: [...]
ldap filter question
hi all!

To verify some network devices which want to connect to a switch, we want to use radius and store the MAC addresses in ldap. The switch passes the ethernet MAC address to radius, which should then be checked against the ldap entry for dhcp; there is an attribute dhcpHWAddress we already use successfully for dhcp. The dhcpHWAddress contains something like "ethernet 00:0e:35:c4:70:a8". How can I teach radius to use just the octet value (without the word "ethernet") of this attribute? I assume that I have to define something like 'filter = dhcpHWAddress=%u', but how to strip off "ethernet"?

thanks in advance for any tips!

regards,
markus
Re: access for 24 hours after first login?
Quoting Alan DeKok [EMAIL PROTECTED]:

> Markus Krause [EMAIL PROTECTED] wrote:
> > i set up freeradius successfully for authentification against pam and users file :-)
>
> Please don't use authentification. It's authentication.

sorry for my poor English, it's not my mother tongue ...

> > now i want to enhance the functionality about the following feature: setting up several predefined (guest) accounts with a generated username and password. this account should be valid from the first time it is used (first login) for 24 hours (or even better until 23:59 that day).
>
> rlm_counter. Set it for 24 hours of access, and reset=never.

I read about this, but does this not mean that the user has an online time of 24 hours (or whatever I set in Max-All-Session-Time), so he can log in until he has been active for 24 hours in sum?

thanks in advance for your help!
markus

> Alan DeKok.
RE: [m0n0wall] RE: access for 24 hours after first login?
hi jonathan,

thanks a lot, this seems to be (almost) what I wanted! great! :-)

I am just wondering how this (the module sqlcounter) actually works, e.g. how is the actual comparison of the value calculated in query done? Does it mean that the value returned by query has to be smaller than the one referred to by check-name (in your example Max-Secs-Passed)? What does the line sqlmod-inst = sql mean (in /usr/share/doc/freeradius/rlm_sqlcounter there is also the value sqlcc3, what does this do?)

What about the following:

    SELECT TO_DAYS(NOW()) - TO_DAYS(AcctStartTime) from radacct WHERE UserName = '%{%k}' LIMIT 1;

Would this mean that a user can log in until 23:59 after having logged in the first time that day?

thank you very much for your help (and of course the help of everybody else on this great mailing list!)

regards,
markus

Quoting Jonathan De Graeve [EMAIL PROTECTED]:

> And here the query in case you don't like seconds ;)
>
>     SELECT HOUR(SEC_TO_TIME(UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime))) FROM radacct WHERE UserName = '%{%k}' LIMIT 1;
>
> Then All-Secs-Passed/Max-Secs-Passed should be All-Hours-Passed/Max-Hours-Passed, and Max-Hours-Passed specified in hours instead of seconds.
>
> Also note this is for MySQL. Don't know if it also works on Oracle and Postgres.
>
> --
> Jonathan De Graeve
> Network/System Administrator
> Imelda vzw
> Informatica Dienst
> 015/50.52.98
> [EMAIL PROTECTED]
>
> -----Original message-----
> From: Jonathan De Graeve [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 6 October 2005 15:51
> To: FreeRadius users mailing list
> Cc: [EMAIL PROTECTED]
> Subject: [m0n0wall] RE: access for 24 hours after first login?
>
> This is how I do this:
>
> Use the SQLcounter module.
>
> Put this in sqlcounter.conf (expecting that sqlcounter is already configured in the radiusd.conf):
>
>     sqlcounter validity {
>         counter-name = All-Secs-Passed
>         check-name = Max-Secs-Passed
>         sqlmod-inst = sql
>         key = User-Name
>         reset = never
>         query = SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) secs_passed_since_start FROM radacct WHERE UserName = '%{%k}' LIMIT 1
>     }
>
> Create in the config dictionary file an attribute Max-Secs-Passed. For example:
>
>     #ATTRIBUTE My-Local-String    3000  string
>     #ATTRIBUTE My-Local-IPAddr    3001  ipaddr
>     #ATTRIBUTE My-Local-Integer   3002  integer
>     ATTRIBUTE  Max-Secs-Passed    3000  integer
>
> In radiusd.conf, authorize {} section, put this: validity
>
> The Max-Secs-Passed var is defined in seconds. So if you want a user only to be able to log on in the first 24 hours after his first logon, Max-Secs-Passed should be set to 86400 (60 secs * 60 minutes * 24).
>
> Hope this helps the question I think many people will have.
>
> You could use other check or counter names, it's just an example.
> You also could combine this with volume limits, max total session time etc...
>
> Kind Regards
>
> -----Original message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Markus Krause
> Sent: Thursday, 6 October 2005 12:57
> To: freeradius-users@lists.freeradius.org
> Subject: Re: access for 24 hours after first login?
>
> > Quoting Alan DeKok [EMAIL PROTECTED]:
> > > Markus Krause [EMAIL PROTECTED] wrote:
> > > > i set up freeradius successfully for authentification against pam and users file :-)
> > > Please don't use authentification. It's authentication.
> > sorry for my poor English, it's not my mother tongue ... [...]
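The two questions Markus asks here (how rlm_sqlcounter compares the query result with the check item, and whether a TO_DAYS() counter gives access until 23:59 of the first day) can be replayed offline. The following is an added example, not code from these posts or from FreeRADIUS itself: it runs both counters against a constructed radacct table in SQLite, with strftime('%s') and julianday() standing in for MySQL's UNIX_TIMESTAMP() and TO_DAYS(). The sample rows, usernames and timestamps are made up. The authorize decision reproduces what the rlm_sqlcounter debug output on this page shows: the user is authorized while (check item - counter) is greater than zero, and that difference is sent back as Session-Timeout.

```python
import sqlite3

# Constructed sample accounting rows, standing in for the radacct table that
# rlm_sql fills (only UserName and AcctStartTime are needed here). The names
# and times are made up for this example.
SAMPLE_RADACCT = [
    ("guest01", "2005-10-06 08:15:00"),
    ("guest01", "2005-10-06 13:40:00"),   # second session; must not extend validity
    ("guest02", "2005-10-05 23:50:00"),
]


def open_radacct(rows=SAMPLE_RADACCT):
    """In-memory stand-in for radacct (SQLite instead of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?)", rows)
    return conn


def secs_since_first_login(conn, username, now):
    """Counter for Max-Secs-Passed: seconds between the user's FIRST
    AcctStartTime and 'now' ('YYYY-MM-DD HH:MM:SS').

    Jonathan's MySQL query uses 'LIMIT 1' with no ORDER BY, so which session's
    row it picks is up to the database; MIN() pins the window to the first
    login. strftime('%s') is SQLite's equivalent of UNIX_TIMESTAMP().
    Returns None for a user with no accounting record at all.
    """
    row = conn.execute(
        "SELECT CAST(strftime('%s', ?) AS INTEGER)"
        "     - CAST(strftime('%s', MIN(AcctStartTime)) AS INTEGER)"
        "  FROM radacct WHERE UserName = ?",
        (now, username),
    ).fetchone()
    return row[0]


def days_since_first_login(conn, username, now):
    """Counter for the 'valid until 23:59 of the first day' variant
    (TO_DAYS(NOW()) - TO_DAYS(AcctStartTime) in MySQL): 0 on the calendar
    day of the first login, 1 from midnight on. None if never logged in."""
    row = conn.execute(
        "SELECT CAST(julianday(date(?)) - julianday(date(MIN(AcctStartTime))) AS INTEGER)"
        "  FROM radacct WHERE UserName = ?",
        (now, username),
    ).fetchone()
    return row[0]


def sqlcounter_authorize(counter, check_item):
    """What rlm_sqlcounter does with the query result, per the debug output on
    this page: authorized while (check item - counter) is greater than zero,
    and that difference is sent as Session-Timeout, in whatever unit the
    counter counts. A missing row (None) counts as 0: the account has never
    been used. Returns (accepted, session_timeout)."""
    counter = 0 if counter is None else counter
    remaining = check_item - counter
    return (True, remaining) if remaining > 0 else (False, 0)


def validity_decision(username, now, max_secs=86400, rows=SAMPLE_RADACCT):
    """Evaluate one Access-Request at time 'now' with both counters.
    Max-Secs-Passed = 86400 is Jonathan's 24-hour value; the day counter is
    checked against 1, i.e. rejected once a whole calendar day has passed.
    Returns {'secs': (accepted, Session-Timeout), 'days': (accepted, Session-Timeout)}."""
    conn = open_radacct(rows)
    try:
        secs = sqlcounter_authorize(secs_since_first_login(conn, username, now), max_secs)
        days = sqlcounter_authorize(days_since_first_login(conn, username, now), 1)
    finally:
        conn.close()
    return {"secs": secs, "days": days}


if __name__ == "__main__":
    for user, when in [("guest01", "2005-10-07 08:14:59"), ("guest01", "2005-10-07 08:15:00"),
                       ("guest02", "2005-10-06 00:00:01"), ("guest99", "2005-10-06 10:00:00")]:
        print(user, when, validity_decision(user, when))
```

Two things the example makes visible. First, LIMIT 1 without ORDER BY leaves it to the database which session's AcctStartTime is used; with guest01's second session at 13:40 the "24 hours" window would silently move forward if that row were picked, whereas MIN(AcctStartTime) ties it to the first login. Second, the value rlm_sqlcounter sends as Session-Timeout is in the counter's own unit: with a day-based counter a user on the first day gets Session-Timeout = 1, which the NAS reads as one second. The onedayaccounts debug output earlier on this page shows such a reply (check_item=1, counter=0, Session-Timeout value=1), so a seconds-based counter, or a separate Session-Timeout reply item, is needed if the session is supposed to last.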
access for 24 hours after first login?
hello list,

I set up freeradius successfully for authentification against pam and the users file :-)

Now I want to enhance the functionality with the following feature: setting up several predefined (guest) accounts with a generated username and password. This account should be valid from the first time it is used (first login) for 24 hours (or even better until 23:59 that day). This is intended for our daily visitors and guests or for conference members; the idea is to give them a username/password pair to be used just that day without much administration effort (just generate a list of, let's say, 100 accounts, and if they have been used just create new ones).

(How) can this be realized using freeradius? Has anyone set up a similar (or even better ;-) ) solution for this aim? (one-day passwords valid after first login)

thanks for any help and hints!

regards,
markus
Re: Debian 802.1x LDAP
Quoting Cian Phillips [EMAIL PROTECTED]:

> Greetings.
>
> I'm trying to get a Debian (stable) box set up to authenticate users for our Cisco Wireless Control Software via LDAP. I have tried the Debian package and can get LDAP running easily. When I try to get the eap/tls stuff working it gives me an error about missing libraries.
>
>     rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
>
> I have googled this and found some messages that suggest compiling from source and using the --shared-disabled flag at compile time, but I've tried building from source and can't even get LDAP working. Each time I un-comment the ldap line from the radiusd.conf file and try to start using radiusd -x I get a segfault.

for version v1.0.2: just add --with-rlm_eap_tls in debian/rules

hth
markus

> Ideally I would like to stick with Debian as that is what my other production servers are, but would be willing to use something else if it makes easier work of this process.
>
> If anyone has gotten Debian + 802.1x + LDAP working, or even just 802.1x + LDAP, I could really use some pointers, if even just to tell me it is or isn't possible.
>
> Thanks in advance.
>
> Cian Phillips
>
> Cian Phillips
> Director Network Systems
> California College of the Arts
> Phone: (510) 594-3745
> Cell: (510) 719-0091
> Fax: (510) 594-3758
> email: [EMAIL PROTECTED]
seg. fault with eap/tls and wrong certificate
hi all!

I am trying to set up eap/tls using freeradius (1.0.4, on debian sarge, package built with the option --disable-shared) and ran into the following problem: if I am using the wrong certificate (both client and server certs were built like the ones in the freeradius package, using adapted CA.certs), freeradius crashes! The last lines of the output from freeradius -X -A -s are:

    --8<--
    rad_recv: Access-Request packet from host 192.168.0.5:1028, id=35, length=167
        User-Name = test
        NAS-IP-Address = 192.168.0.5
        NAS-Identifier = Hawalius
        Framed-MTU = 1496
        Called-Station-Id = 00-a0-c5-d1-03-15
        Calling-Station-Id = 00-30-65-16-7d-49
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020800250d80001b1503010016cfbdb541e440865ba84b325309cdc5ad9d36af5784ff
        State = 0x0d56c72289ea3a6f6b45a070acc255db
        Message-Authenticator = 0x926e442107d8167882c136d983905804
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 15
    modcall[authorize]: module preprocess returns ok for request 15
    modcall[authorize]: module chap returns noop for request 15
    modcall[authorize]: module mschap returns noop for request 15
    rlm_eap: EAP packet type response id 8 length 37
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 15
    users: Matched entry DEFAULT at line 152
    modcall[authorize]: module files returns ok for request 15
    modcall: group authorize returns updated for request 15
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 15
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/tls
    rlm_eap: processing type tls
    rlm_eap_tls: Authenticate
    rlm_eap_tls: processing TLS
    rlm_eap_tls: Length Included
    eaptls_verify returned 11
    rlm_eap_tls: <<< TLS 1.0 Handshake [length 060b], Certificate
    --> verify error:num=26:unsupported certificate purpose
    chain-depth=0, error=26
    Segmentation fault
    --8<--

Actually I am not sure to have everything configured correctly, because I get an access-accept reply regardless of username and password, but with the 'correct' certificate.

btw: the client is a mac os x 10.3.9

any ideas anyone?? thanks in advance for any hint!

markus
eap/tls access-accept without existing user?
hi all!

First, what I am using:
- freeradius 1.0.4 (on debian sarge, package built with --disable-shared)
- mac os x 10.3.9
- self-signed certificates built in a similar way to the ones in the package/tarball (just adapted the CA.certs script)

My users file contains, in addition to the unchanged standard, the following lines:

    ---8<--- users ---8<---
    testuser1   User-Password == testing
    testuser2   Auth-Type := Local, User-Password == testing
    ---8<--- users ---8<---

The only change I made in the configuration file radiusd.conf is to comment out suffix; in eap.conf I uncommented the sections with tls and ttls.

When trying to establish a connection from the mac powerbook using 802.1x and a client certificate, I get a working connection if I enter anything but testuser2; even a wrong password, or no password or username at all, works! With testuser2 I get an error and no connection.

Where am I missing the point?

thanks in advance for any hint!!

markus
concept question
hi all!

What I am dreaming of (at least regarding radius ;-) ):
- wlan with wpa/802.1x using freeradius
- clients mostly windows xp, several mac os x, few linux (unimportant right now)
- the normal users (known to the local unix network the accesspoint/switch is connected to, via nis or (some day) ldap) can access easily just with their username and password, if possible without client certificates (to keep things simple for the user)
- some special 'accounts' (for guests etc.) in the freeradius users file

Can this be realized with freeradius? As far as I understand the concepts behind all this, this means I have to use peap, eap/ttls or eap/mschap-v2, am I right? Has anyone set up something like this and can help me with some ideas, hints about trap-doors and other trouble ahead? Or even some example configuration files?

Any help is appreciated! thanks in advance for your help! ;-)

markus
Re: authentication by MAC address, username and password
hi alexandre,

this is a very nice idea, thank you for that! (using an external script helped me with another problem ;-) ) But actually I prefer to have all the authentication data in one place. Meanwhile I managed to check username, password and calling-station-id against the data in an ldap database. I would like to have the data in a file like /etc/freeradius/users, but I could not figure out how this has to be done. I tried something like:

    --8<-- part of /etc/freeradius/users --8<--
    testuser    Auth-Type := Local, User-Password == testing, Calling-Station-Id == AABBCCDDEEFF
                Service-Type = Framed-User,
                Framed-IP-Address = 192.168.0.111,
    --8<--

but freeradius returns

    modcall[authorize]: module files returns notfound for request 0

Where can I find information about the syntax of the users file, or how can I add the data for calling-station-id in this file?

thanks in advance for any hints!

markus

Quoting Alexandre Coninx [EMAIL PROTECTED]:

> On Thu, Mar 17, 2005, Markus Krause wrote:
> > hi all, i want to authenticate users at a cisco router by checking the mac-adress, the username and the password. (how) can this be done using freeradius?
>
> Hello,
>
> I manage to do that by first checking the MAC during the authorization process with an external script (using the exec module), and then authenticating the user with user/password with whatever method you want to use (in my case PEAP-MSCHAPv2 + ntlm_auth, but any other should work).
>
> My radiusd.conf looks like this:
>
>     modules {
>         ...
>         exec mac_check {
>             wait = yes
>             program = /path/to/your/script.pl %{User-Name} %{Calling-Station-Id}
>             input_pairs = request
>             output_pairs = reply
>             packet_type = Access-Request
>             ...
>         }
>     }
>
>     authorize {
>         preprocess
>         auth_log
>         mac_check
>         mschap
>         eap
>     }
>
>     authenticate {
>         Auth-Type MS-CHAP {
>             mschap
>         }
>         eap
>     }
>
> The script is a simple perl script that connects to our members database, checks if the MAC is registered and belongs to the member trying to connect, and refuses (exit 1;) or accepts (exit 0;) authorization based on that.
>
> There is probably a cleaner way to do that, but it works well.
>
> --
> Endy
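The ldap filter question earlier on this page (matching the MAC a switch sends against a dhcpHWAddress of the form "ethernet 00:0e:35:c4:70:a8") and the users-file attempt in this thread (Calling-Station-Id == AABBCCDDEEFF giving "notfound") come down to the same thing: the MAC the NAS sends in Calling-Station-Id and the MAC stored on the server side are compared as strings, and their formats differ. The following is an added example, not code from the posts or from FreeRADIUS, written in Python so it runs against constructed sample values; the request attributes and the dhcpHWAddress value are made up in the formats seen on this page. It normalizes the MAC, builds an rlm_ldap-style filter in which the "ethernet " prefix is kept on the filter side rather than stripped out of the directory, escapes the User-Name per RFC 4515, and shows why an exact compare of differently formatted MACs fails.

```python
import re

# Constructed sample values in the formats seen on this page (not from any
# real network): a dashed upper-case MAC as a NAS sends it in
# Calling-Station-Id, and a dhcpHWAddress value as stored for the dhcp server.
SAMPLE_REQUEST = {"User-Name": "testuser", "Calling-Station-Id": "00-0E-35-C4-70-A8"}
SAMPLE_DHCP_HW_ADDRESS = "ethernet 00:0e:35:c4:70:a8"

# Hex groups separated by '-', ':', '.' or blanks (00-0E-35-C4-70-A8,
# 000e.35c4.70a8, 000e35c470a8, 00:0e:35:c4:70:a8); nothing else gets through.
_MAC_SHAPE = re.compile(r"[0-9A-Fa-f]+(?:[-:. ][0-9A-Fa-f]+)*")


def normalize_mac(raw):
    """Canonical colon-separated lower-case form, or None if 'raw' is not a
    48-bit MAC. Returning None (instead of the raw string) keeps anything that
    is not a MAC from ever being substituted into a filter or compared."""
    raw = raw.strip()
    if not _MAC_SHAPE.fullmatch(raw):
        return None
    digits = re.sub(r"[-:. ]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_from_dhcp_hw_address(value):
    """The other direction: the octets of a dhcpHWAddress value
    ('ethernet 00:0e:35:c4:70:a8'), normalized, or None for any other
    hardware type."""
    hw_type, _, mac = value.partition(" ")
    if hw_type != "ethernet":
        return None
    return normalize_mac(mac)


# RFC 4515 escaping of a value placed inside an LDAP search filter.
_FILTER_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    """Escape so that a User-Name such as '*)(uid=*' cannot rewrite the filter."""
    return "".join(_FILTER_ESCAPE.get(ch, ch) for ch in value)


def device_filter(user_name, calling_station_id):
    """rlm_ldap-style filter tying the account to the device. The 'ethernet '
    prefix is written into the filter instead of being stripped out of the
    attribute, so the directory's dhcpHWAddress value is matched as a whole.
    Returns None when the Calling-Station-Id is not a MAC."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return None
    return "(&(uid=%s)(dhcpHWAddress=ethernet %s))" % (ldap_filter_escape(user_name), mac)


def calling_station_matches(check_value, request_value):
    """Why 'Calling-Station-Id == AABBCCDDEEFF' in the users file can miss:
    the check item is compared with the attribute exactly as the NAS sent it.
    Returns (exact_match, match_after_normalizing_both_sides)."""
    exact = check_value == request_value
    a, b = normalize_mac(check_value), normalize_mac(request_value)
    return exact, (a is not None and a == b)


if __name__ == "__main__":
    print(device_filter(SAMPLE_REQUEST["User-Name"], SAMPLE_REQUEST["Calling-Station-Id"]))
    print(device_filter("*)(uid=*", SAMPLE_REQUEST["Calling-Station-Id"]))
    print(mac_from_dhcp_hw_address(SAMPLE_DHCP_HW_ADDRESS))
    print(calling_station_matches("AABBCCDDEEFF", "AA-BB-CC-DD-EE-FF"))
```

Two notes on the design. rlm_ldap applies its own escaping to the values it expands into its filter; the explicit escaping here matters when the filter is assembled outside the server, for example in a script called from the exec module as Alexandre does, and rejecting anything that is not a 48-bit MAC before it reaches the filter is the cheaper check either way. On the server itself the normalization would be done in the server's own terms, for instance by rewriting Calling-Station-Id with rlm_attr_rewrite before the files or ldap module sees it, so that one canonical format is compared on both sides.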
authentication by MAC address, username and password
hi all,

I want to authenticate users at a cisco router by checking the MAC address, the username and the password. (How) can this be done using freeradius? In the docs I only found the case where a MAC address and a password were checked (both listed in /etc/users/freeradius), but not together with a username (I found info for either username or MAC address together with a password).

And is it possible that freeradius gives the cisco router a vlan depending on the username (or maybe group)?

thanks in advance for your help!

markus
Re: debian packages for download
I commented out the line and removed the dependency entry for debhelper in debian/control; now I get the following error after running dpkg-buildpackage:

    --8<--
    [snip]
    Making dynamic in rlm_sql_mysql...
    make[11]: Entering directory `/root/src/freeradius-1.0.0/src/modules/rlm_sql/drivers/rlm_sql_mysql'
    /usr/bin/libtool --mode=compile gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I../.. -I../../../../include -I'/usr/include/mysql' -c sql_mysql.c
    rm -f .libs/sql_mysql.lo
    gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I../.. -I../../../../include -I/usr/include/mysql -c sql_mysql.c -fPIC -DPIC -o .libs/sql_mysql.lo
    gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I../.. -I../../../../include -I/usr/include/mysql -c sql_mysql.c -o sql_mysql.o >/dev/null 2>&1
    mv -f .libs/sql_mysql.lo sql_mysql.lo
    /usr/bin/libtool --mode=link gcc -release 1.0.0 \
        -module -export-dynamic -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I../.. -I../../../../include \
        -I'/usr/include/mysql' -o rlm_sql_mysql.la -rpath /usr/lib/freeradius sql_mysql.lo -L'/usr/lib' -lmysqlclient -lz -lcrypt -lnsl -lm
    rm -fr .libs/rlm_sql_mysql.la .libs/rlm_sql_mysql.* .libs/rlm_sql_mysql-1.0.0.*
    gcc -shared sql_mysql.lo -L/usr/lib /usr/lib/libmysqlclient.so -lz -lcrypt -lnsl -lm -Wl,-soname -Wl,rlm_sql_mysql-1.0.0.so -o .libs/rlm_sql_mysql-1.0.0.so
    /usr/bin/ld: cannot find -lz
    collect2: ld returned 1 exit status
    make[11]: *** [rlm_sql_mysql.la] Error 1
    --8<--

Which lib is missing there?

btw: I tried to update debhelper, but that led me to many other update demands; even libc should be updated. If I did that, would that not prevent the package from running on a normal debian woody system?

markus

Quoting Paul Hampson [EMAIL PROTECTED]:

> On Tue, Aug 17, 2004 at 09:24:58AM +0200, Michael Markstaller wrote:
> > I have some freeradius (0.9.3 to 1.0.0-pre3) using MySQL running fine on woody (but without running ldap eap, AFAIK there're unmet dependencies).
> > Just build the package from the source (one line needs to be commented out, I posted this on 2004-05-11)
> >
> > --- cut ---
> > debian/rules - line 137
> > dh_installpam --name=radiusd
> > - this prevents building on woody as dh_installpam doesn't know the --name parameter
> > --- cut ---
>
> You'll also need to remove the version from the debhelper dependency or force-depends dpkg-buildpackage, since the versioned dependency is there to make this line work.
>
> _Or_ you can install a newer debhelper version onto your Woody box. ^_^
>
> --
> Paul TBBle Hampson, on an alternate email client.