Sleep before a response?
I have a broken NAS with a bad race condition, and need to delay responses to it (like sleep 1;). Is there an easy method (maybe via unlang?) to do this? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Proxy everything but eap-md5 via Unlang?
Is there a way to match on the EAP type in unlang? I need to be able to proxy everything except incoming eap-md5 requests (which need to be handled remotely).
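The decision asked for above hinges on one byte. As an added example, not code from the thread or from FreeRADIUS: the EAP method is the Type byte of the EAP packet that is reassembled from the RADIUS EAP-Message attribute(s); when the server tests the EAP type in unlang it is looking at the same byte. The script below reassembles the EAP packet from a constructed Access-Request, reads the type, and returns the proxy/no-proxy decision. It also handles the two cases that trip people up: the first request only carries an Identity Response (no method yet), and a Nak names the method the peer wants instead. Packet layouts follow RFC 2865/2869/3579 and RFC 3748; the sample packets, names and the `should_proxy` policy are constructed here.

```python
# Added example, not code from the thread or from FreeRADIUS: the protocol-level
# check behind "proxy everything except EAP-MD5". Packets are constructed below.
import struct

ATTR_USER_NAME = 1               # RFC 2865
ATTR_EAP_MESSAGE = 79            # RFC 2869
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869

EAP_RESPONSE = 2                 # RFC 3748 codes / types
EAP_TYPE_IDENTITY = 1
EAP_TYPE_NAK = 3
EAP_TYPE_MD5_CHALLENGE = 4
EAP_TYPE_TLS = 13


def radius_attributes(packet):
    """Yield (type, value) for every attribute after the 20-byte RADIUS header."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def parse_eap_response(packet):
    """Return (eap_type, type_data) for the EAP Response in the packet, or None if
    there is no well-formed typed Response (no EAP at all, Success/Failure, bad length)."""
    # EAP-Message fragments are concatenated in the order they appear (RFC 3579 section 3.1).
    eap = b"".join(v for t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, _ident, elen = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or elen != len(eap):
        return None
    return eap[4], eap[5:]


def should_proxy(packet):
    """Proxy unless the peer is doing (or asking for) EAP-MD5.

    Caveat: the first Access-Request only carries an Identity Response, so the
    method is not known until the second round trip; an Identity is proxied here.
    A Nak lists the types the peer wants instead, so a Nak asking for MD5 stays local."""
    parsed = parse_eap_response(packet)
    if parsed is None:
        return True
    etype, data = parsed
    if etype == EAP_TYPE_MD5_CHALLENGE:
        return False
    if etype == EAP_TYPE_NAK and EAP_TYPE_MD5_CHALLENGE in data:
        return False
    return True


def eap_response(ident, etype, data):
    """EAP packet: Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), etype) + data


def build_access_request(eap, ident=0x2A):
    """Constructed sample Access-Request (code 1): zero Request Authenticator, User-Name,
    the EAP packet split across two EAP-Message attributes to exercise reassembly, and a
    placeholder Message-Authenticator (a real one is an HMAC-MD5 over the packet)."""
    attrs = bytes([ATTR_USER_NAME, 2 + 5]) + b"alice"
    half = len(eap) // 2
    for chunk in (eap[:half], eap[half:]):
        attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


# Constructed EAP Responses as a supplicant would send them.
IDENTITY_RESP = eap_response(1, EAP_TYPE_IDENTITY, b"alice")
MD5_RESP = eap_response(2, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + b"\x11" * 16)  # Value-Size, Value
TLS_RESP = eap_response(2, EAP_TYPE_TLS, b"\x00")                                # flags byte only
NAK_WANT_MD5 = eap_response(2, EAP_TYPE_NAK, bytes([EAP_TYPE_MD5_CHALLENGE]))


def demo():
    """Decision per sample: True means proxy to the home server."""
    return {name: should_proxy(build_access_request(pkt))
            for name, pkt in (("identity", IDENTITY_RESP), ("md5", MD5_RESP),
                              ("tls", TLS_RESP), ("nak_md5", NAK_WANT_MD5))}


if __name__ == "__main__":
    print(demo())
```

Because the Identity round carries no method, a policy that proxies "everything but MD5" has to accept that the first request of every conversation is proxied before the method is visible, unless the local server answers the Identity itself and lets the peer's next Response or Nak decide.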
Re: Forging a RADIUS request within a module
On Fri, Dec 12, 2008 at 7:45 AM, Geoffroy ARNOUD <geo.arn...@gmail.com> wrote:
>>> During authentication process, I need to send an Accounting-Start to a network equipment
>> Just out of interest - what is network equipment going to do with the accounting request?
> It's a network filtering appliance. The Accounting-Request ships attributes that say which filtering policy must be applied to the user traffic.

And these attributes can't be sent in the access-accept?
Re: FreeRadius and MySql custom attributes
> have created a dictionary.slipstream file with the following:
>
> VENDOR Slipstream 7000
> ATTRIBUTE SlipStream-Auth True string Slipstream
>
> However, that will not authenticate the slip client. If I hardcode the attribute into the auth_reply query, the client is then authenticated.
> (Query = authorize_reply_query = SELECT '','Slipstream-Auth','true',':-' FROM radius_auth WHERE Username = '%{SQL-User-Name}'
>
> Any ideas where to go to get this working correctly?

Post the output of radiusd -X.
Re: FreeRadius and MySql custom attributes
> authorize_reply_query = SELECT '',Username,'Profile',Profiles,':=' FROM radius_auth WHERE Username = '%{SQL-User-Name}'

It's doing exactly what you tell it to do.

> query: SELECT '',Username,'Profile',Profiles,':=' FROM radius_auth WHERE Username = '[EMAIL PROTECTED]'

There's the query as you defined it above...

> Sending Access-Accept of id 46 to 206.174.130.217 port 40278
>         Profile := Slip

And there's the access-accept with a reply attribute of Profile := Slip. In your database you clearly have a column titled 'Profile' in radius_auth with value of Slip for the row for the username [EMAIL PROTECTED]. To get what you want, you would need a column titled Slipstream-Auth with a value of True for the row for the username [EMAIL PROTECTED].

But all this is actually a bit horkie. It makes little sense to have to add a column every time you want a random check/reply attribute. It's bad practice and going to be terribly inefficient by any database backend. Why is it that you don't want to follow the provided schema (in 2.x raddb/sql/mysql/) and predefined queries?
Re: Freeradius error: Discarding conflicting packet
> But what do you mean for fix the nas? Should I use another brand/model of AP?
> What I am trying to tell you is: are the about 30 APs that I am using broken?

Yes.
Re: EAP - TLS Client Certification Stored Removable Media
On Tue, Nov 4, 2008 at 11:18 AM, Aydın KOÇAK <[EMAIL PROTECTED]> wrote:
> Hello All;
> I have a question about EAP - TLS. How can I configure client certification stored from removable media (ex: usb memory, smartcard, etc..). I have already used EAP - TLS with client certification stored on Windows (client) but I need a solution that user can authenticate when insert his usb memory and logout when remove his usb memory?

This is a question specific to the client OS. Specifically, you are relying on functionality provided by middleware (and OS hooks).

Also, let's be clear here, you're talking about a USB *token* not a USB flash drive. While similar in technology, very different in many ways.
Re: Error in the negotiations certificates
On Fri, Oct 17, 2008 at 4:00 PM, Martin Silvero <[EMAIL PROTECTED]> wrote:
> and that I did; when I run radiusd -X I get an error in the initialization of modules: eap.conf:

How about the output from radiusd -X? You commented out md5 from eap.conf, but you are likely still trying to instantiate it in the sites-enabled/default virtual server.
Re: Username Rewrites based on Hint / Realm
On Wed, Oct 15, 2008 at 3:52 PM, Javier Fox <[EMAIL PROTECTED]> wrote:
> Hi folks,
>
> I have a bit of a conundrum trying to implement FreeRadius for a system where users from multiple ISP names must all authenticate in the same place, and I'm hoping a more experienced user can shed some light. In a nutshell, I need to do the following:
>
> - Check the 'called-station-id' of an incoming RADIUS request
> - If the id is A, B, or C, set a hint/realm flag to alpha
> - If the id is D, E, or F, set a hint/realm flag to beta
> - If the id is anything else, set a hint/realm flag to gamma
> - Based on the value of the hint/realm flag, rewrite the username before attempting authentication (by adding '@ispname1', '@ispname2', etc.)
> - Conversely, if the username already looks like '[EMAIL PROTECTED]', leave it alone
>
> For completeness' sake, I'm performing the authentication against a Postgres database. In its current state, the system is able to happily authenticate users as long as the username is provided in the format [EMAIL PROTECTED]; otherwise they are rejected.
>
> Our old RADIUS system (using Radiator) appears to call a perl script to perform this username rewriting, but that just seems like a nasty hack that I'd prefer to avoid.
>
> Any advice on this would be immeasurably appreciated.
>
> Thanks,
> J. Fox

Answer: unlang

http://freeradius.org/radiusd/man/unlang.html
Re: Username Rewrites based on Hint / Realm
2008/10/15 Javier Fox <[EMAIL PROTECTED]>:
> I've tried every permutation of the 'if' line I can think of - quotes, no quotes, single-equal, double-equal, equal-tilde - but FreeRadius still doesn't like that 'if' line, and errors out with "Line is not in 'attribute = value' format" on startup.
>
> Again, I apologize if I'm missing something blatantly obvious here, but I seem to be following the exact same format as every example on the Internet; it just doesn't like it. Do I need to add some special config line so it knows to watch for (and interpret) the unlang statements? I had initially tried using a switch{} block and it complained that it didn't know what 'switch' meant.
>
> Thanks,
> J. Fox
>
> [EMAIL PROTECTED] wrote:
>> if(whatever) {
>>     update request {
>>         User-Name := ...
>>
>> Ivan Kalik
>> Kalik Informatika ISP

Umm, oops, forgot to ask and just noticed you didn't say in your initial message. What version of FR are you using (radiusd -v)? If you aren't in 2.x, get there. Preferably 2.1.1.
Re: AW: AW: AW: AW: Problem with ntlm_auth
On Thu, Oct 9, 2008 at 10:46 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
>> And how can I do that? I cannot find something like that via Google :(

Ask the Samba people?
Re: RLM-EAP-MD5 compilation problem
> rlm_eap_md5.c:24:22: error: autoconf.h: No such file or directory
> rlm_eap_md5.c:31:24: error: rad_assert.h: No such file or directory

First, fix your paths/includes to resolve those dependencies. Then see what can't link. Also, compile against 2.1.1 (it won't fix this, but it's better in many other ways).
Re: RLM-EAP-MD5 compilation problem
On Mon, Sep 29, 2008 at 1:46 PM, Stephen Bowman <[EMAIL PROTECTED]> wrote:
>> rlm_eap_md5.c:24:22: error: autoconf.h: No such file or directory
>> rlm_eap_md5.c:31:24: error: rad_assert.h: No such file or directory
>
> First, fix your paths/includes to resolve those dependencies. Then see what can't link. Also, compile against 2.1.1 (it won't fix this, but it's better in many other ways).

And it goes without saying, you are likely going to have to work out the remaining issues with the author of rlm_eap_md5 to resolve issues against 2.x
Re: RLM-EAP-MD5 compilation problem
On Mon, Sep 29, 2008 at 2:44 PM, Andre Dieball <[EMAIL PROTECTED]> wrote:
> Hi Stephen
>
> the files mentioned are not in the list of files (not even in the package) which I need to copy to the freeradius sources, which leads me to the thought that they might have been part of freeradius 1.x but not available in 2.x anymore; that's why I'm asking
>
> Andre

They are in the FreeRadius source (src/include). I'm not sure I understand what you're saying?
Re: SLM248G switch
On Fri, Sep 26, 2008 at 3:05 PM, David Blackman <[EMAIL PROTECTED]> wrote:
> I have purchased a Linksys SLM248G switch that has 802.1x support. I am new to radius server and would like to use this switch to authenticate ports for a lab to a freeradius server. I have installed freeradius 2.1.0 on freebsd 7.0 system. It is the default configuration for FreeRadius 2.1.0 with the following added to the client.conf.
>
> client 128.227.232.133 {
>     secret = thisislinksys
>     shortname = 232.133
> }
>
> The Linksys switch is setup as follows:
> IP address: 128.227.220.28
> Priority: 0
> Authentication port: 1812
> number of retries: 3
> timeout for reply: 3
> dead time: 0
> key string: thisislinksys
> source IP address: 128.227.232.133
> usage type: 802.1x
>
> The WindowsXP setup:
> enable 802.1x auth: checked
> EAP type: MD5-challenge
>
> I do not see any output from the Freeradius server running radiusd -X.

From the FR server, can you ping 128.227.232.133?
User-Profile per user per NAS via LDAP?
Running version 2.0.5, with LDAP backend for authentication/authorization.

Needed functionality: A single user account needs a different ldap/radius profile depending on which huntgroup the request is coming in on... the reason is that each user has a different Framed-IP-Address for each VPN concentrator they are coming in on. So each user needs a profile per NAS, I believe.

I have separated out each NAS into its appropriate huntgroup, and am matching on that in the users file. Also trying to dynamically set the User-Profile.

DEFAULT Huntgroup-Name == jup-rtr-xauth, Ldap-Group == `cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=geowireless,dc=net`, User-Profile := `uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=geowireless,dc=net`
        Fall-Through = no

(entire users file at the end of this message).

The user is authenticated successfully (so the group matching and the %{Huntgroup-Name} expansion are working fine), but the User-Profile is not being set. If I hard code in the value for uid, it works, so the problem is in the variable.

radiusd -X output:

rad_recv: Access-Request packet from host 192.168.17.1 port 57383, id=124, length=121
        User-Name = sbowman
        User-Password = XXX
        Acct-Session-Id = NS-0035
        NAS-IP-Address = 192.168.17.1
        NAS-Port = 24824
        NAS-Port-Type = Virtual
        Called-Station-Id = 75.145.224.194
        Calling-Station-Id = 140.32.244.99
        Netscreen-Attr-10 = 0x0003
+- entering group authorize
        expand: %{Packet-Src-IP-Address} -> 192.168.17.1
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = sbowman, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
        expand: ou=People,dc=domain,dc=net -> ou=People,dc=domain,dc=net
WARNING: Deprecated conditional expansion :-. See man unlang for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=sbowman)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.domain.net:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/pki/tls/certs/ca-bundle.crt
rlm_ldap: starting TLS
request done: ld 0x84e1340 msgid 1
rlm_ldap: bind as uid=redpillradius,ou=Clients,dc=domain,dc=net/XXX to ldap.domain.net:389
rlm_ldap: waiting for bind result ...
request done: ld 0x84e1340 msgid 2
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=domain,dc=net, with filter (uid=sbowman)
request done: ld 0x84e1340 msgid 3
rlm_ldap: ldap_release_conn: Release Id: 0
        expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=domain,dc=net, with filter (&(cn=disabled)(|(&(objectClass=GroupOfNames)(member=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet
request done: ld 0x84e1340 msgid 4
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group disabled not found or user is not a member.
        expand: cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=domain,dc=net -> cn=jup-rtr-xauth,ou=Groups,ou=Radius,dc=domain,dc=net
rlm_ldap: Entering ldap_groupcmp()
        expand: ou=People,dc=domain,dc=net -> ou=People,dc=domain,dc=net
        expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=jup-rtr-xauth,ou=Groups,ou=Radius,dc=domain,dc=net, with filter (|(&(objectClass=GroupOfNames)(member=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dsbowman\2cou\3dPeople\2cdc\3ddomain\2cdc\3dnet)))
request done: ld 0x84e1340 msgid 5
rlm_ldap::ldap_groupcmp: User found in group cn=jup-rtr-xauth,ou=Groups,ou=Radius,dc=domain,dc=net
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 209
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sbowman
WARNING: Deprecated conditional expansion :-. See man unlang for details
Re: EAP-TLS - Authenticating only certain users
Ok, so I put a list of usernames in the users file with an Auth-Type := EAP? Right now, everyone with a valid client certificate is authenticated (nobody is listed in the users file). Once I start enumerating them in the users file, will it have an implicit deny all of everyone who isn't in the users file?

Also - is there a way to define a different users file per NAS?

On 2/17/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Stephen Bowman wrote:
>> When using EAP-TLS as the only method in freeradius, is there a way to define a list of allowed users, perhaps by the CN on their client certificate?
>
> Or the User-Name attribute, which should be the same as the client CN.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
EAP-TLS - Authenticating only certain users
When using EAP-TLS as the only method in freeradius, is there a way to define a list of allowed users, perhaps by the CN on their client certificate? I want it so that not *everyone* who has a certificate signed by the CA list can authenticate, but rather a select few (of which I know the CN of their certificates).

Thanks...

Stephen
EAP-TLS - CRL Checking - Expired?
We're using FreeRadius as the EAP server in a wireless environment. All clients have smart cards, so as such we're using EAP-TLS. My question is in relation to CRL checking. I currently download CRLs nightly, but over the weekend it looks like perhaps the CRL download failed as nobody could connect, and in the logs is a series of errors like:

Error: -- verify error:num=12:CRL has expired

What determines the expire time of a CRL? I noticed that within the CRL there is a Next Update field.. is this what it uses?
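The error quoted above is OpenSSL's X509_V_ERR_CRL_HAS_EXPIRED (error 12), which is raised when the CRL's nextUpdate field is earlier than the time of verification; thisUpdate and nextUpdate are the two Time fields of tbsCertList (RFC 5280 section 5.1). The script below is an added example, not code from the thread or from FreeRADIUS: a small DER walker that pulls the two fields out of a CRL and a freshness check of the kind a cron job would run after every download, so a failed fetch is noticed before clients start failing. The tiny DER encoder and the unsigned sample CRL are constructed here so the script runs offline; nothing in it checks a signature, and the timestamps and the one-day margin in the sample are made up.

```python
# Added example, not from the thread or from FreeRADIUS: read thisUpdate/nextUpdate
# from a DER CRL and decide whether OpenSSL would report "CRL has expired".
from datetime import datetime, timedelta, timezone

SEQUENCE, INTEGER, BIT_STRING, NULL, OID, UTC_TIME, GEN_TIME = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0x18


def der(tag, body):
    """Minimal DER TLV encoder (short and long definite lengths)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def utc_time(dt):
    return der(UTC_TIME, dt.strftime("%y%m%d%H%M%SZ").encode())


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split a constructed value into its (tag, value) members."""
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    s = val.decode()
    if tag == UTC_TIME:  # YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        return datetime.strptime(f"{year}{s[2:]}", "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == GEN_TIME:  # YYYYMMDDHHMMSSZ
        return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("not a Time")


def crl_validity(crl_der):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    cert_list = children(children(crl_der)[0][1])   # [tbsCertList, signatureAlgorithm, signatureValue]
    tbs = children(cert_list[0][1])
    i = 1 if tbs[0][0] == INTEGER else 0             # optional version
    i += 2                                           # signature AlgorithmIdentifier, issuer Name
    this_update = parse_time(*tbs[i])
    i += 1
    next_update = None
    if i < len(tbs) and tbs[i][0] in (UTC_TIME, GEN_TIME):
        next_update = parse_time(*tbs[i])
    return this_update, next_update


def crl_is_fresh(crl_der, now, margin=timedelta(0)):
    """True unless nextUpdate is present and will be past within `margin` of `now`.
    With margin=0 this is the same test OpenSSL applies; a margin larger than the
    download interval turns it into an early warning."""
    _, next_update = crl_validity(crl_der)
    return next_update is None or next_update > now + margin


def make_sample_crl(this_update, next_update):
    """Constructed, unsigned CRL: v2, sha256WithRSAEncryption, empty issuer, no entries."""
    alg = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
    tbs = der(SEQUENCE, der(INTEGER, b"\x01") + alg + der(SEQUENCE, b"")
              + utc_time(this_update) + utc_time(next_update))
    return der(SEQUENCE, tbs + alg + der(BIT_STRING, b"\x00" + b"\x00" * 32))


def demo():
    """Constructed samples: a CRL good for another six days and one whose nextUpdate passed yesterday."""
    now = datetime(2008, 11, 24, 12, 0, tzinfo=timezone.utc)
    fresh = make_sample_crl(now - timedelta(days=1), now + timedelta(days=6))
    stale = make_sample_crl(now - timedelta(days=8), now - timedelta(days=1))
    return {
        "fresh_ok": crl_is_fresh(fresh, now),
        "fresh_ok_with_week_margin": crl_is_fresh(fresh, now, timedelta(days=7)),
        "stale_ok": crl_is_fresh(stale, now),
        "stale_next_update": crl_validity(stale)[1].isoformat(),
    }


if __name__ == "__main__":
    print(demo())
```

On a real file the same two fields are what `openssl crl -in file.crl -noout -lastupdate -nextupdate` prints; the point of the check is to alert while the previous CRL is still valid, which means a margin at least as long as the gap between downloads.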