Re: Passing variables from inner tunnel

2010-07-28 Thread newtownz

Hi,

Thank you for your answer.

Just return User-Name in the reply and do a repeat LDAP query on your 
outer layer; doing a 'cn' lookup should be instantaneous...

I'm a little puzzled as to how to accomplish this!

Regards

Jean
-- 
View this message in context: 
http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29286932.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Passing variables from inner tunnel

2010-07-28 Thread newtownz

Hi,

I think I understand the problem here: there are multiple requests
made to freeradius in the process of authenticating the user, and
since I'm trying to access the variable that was set in the previous
request, it is simply empty...

Jean
-- 
View this message in context: 
http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29287687.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Passing variables from inner tunnel

2010-07-28 Thread newtownz

Hi,

Since I need to have the LDAP-UserDn in the post-auth section
of the default server, is there a way to execute an LDAP query
in this part?

Jean 
-- 
View this message in context: 
http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29287788.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Passing variables from inner tunnel

2010-07-27 Thread newtownz

Hi,

I'm trying to pass the value of LDAP-UserDn from the inner-tunnel
to the default server.  I have read up on unlang and also tried many combinations,
including update outer.control from the inner tunnel, and nothing worked...

Here is a debug output where we can see that the User-Dn gets expanded
correctly in the tunnel but is empty in the default server.

++[eap] returns ok
+- entering group post-auth {...}
expand: %{control:LDAP-UserDn} -> cn=aruba,ou=etudiant,o=org
Exec-Program output: etudiant
Exec-Program-Wait: plaintext: etudiant
Exec-Program: returned: 0
++[reply] returns noop
++[outer.control] returns noop
} # server inner-tunnel


[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
expand: %{control:LDAP-UserDn} ->
PHP Notice:  Undefined offset: 0 in /etc/freeradius/scripts/php3 on line 4
Exec-Program output: dewor
Exec-Program-Wait: plaintext: dewor
Exec-Program: returned: 0

Thanks

Jean
-- 
View this message in context: 
http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29279811.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
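The inner-tunnel hand-off this thread is about, written out as an added example; it is not from the posts above or from the stock raddb files. It assumes FreeRADIUS 2.1.x with PEAP terminating in the stock inner-tunnel virtual server, rlm_ldap listed in the inner authorize section (so control:LDAP-UserDn is set there), the script path /etc/freeradius/scripts/php3 from the debug output, and an exec module instance named dn_script, which is an assumed name.

```unlang
# raddb/eap.conf -- PEAP section.  With use_tunneled_reply the reply list
# built inside the inner tunnel is cached on the EAP handler and merged
# into the final outer Access-Accept.  That last outer Access-Request is
# the only one whose post-auth section runs after the inner
# authentication has completed.
eap {
	default_eap_type = peap
	peap {
		default_eap_type   = mschapv2
		virtual_server     = "inner-tunnel"
		use_tunneled_reply = yes
	}
}

# raddb/sites-available/inner-tunnel -- post-auth section.
# rlm_ldap sets LDAP-UserDn in the *control* list of the inner request
# during authorize.  Copy it into the inner *reply* list: that is what
# travels with the cached tunneled reply.  "update outer.control" does
# not help because it touches the outer request carrying *this* inner
# packet, which is an earlier request than the one that produces the
# Access-Accept.
server inner-tunnel {
	post-auth {
		if ("%{control:LDAP-UserDn}" != "") {
			update reply {
				# LDAP-UserDn is an internal (non-wire) attribute, so it
				# is never encoded into the Access-Accept sent to the NAS.
				LDAP-UserDn := "%{control:LDAP-UserDn}"
			}
		}
	}
}

# raddb/modules/dn_script -- exec instance (name assumed) running the
# poster's script, now fed from the reply list.  shell_escape = yes
# escapes the expanded argument, so a DN containing shell metacharacters
# cannot alter the command line.
exec dn_script {
	wait         = yes
	program      = "/etc/freeradius/scripts/php3 %{reply:LDAP-UserDn}"
	input_pairs  = request
	output_pairs = reply
	shell_escape = yes
}

# raddb/sites-available/default -- post-auth section of the outer server.
# This runs on the last outer Access-Request, after rlm_eap has merged
# the cached tunneled reply, so %{reply:LDAP-UserDn} is populated.
post-auth {
	if ("%{reply:LDAP-UserDn}" != "") {
		dn_script
	}
	# No DN means the inner tunnel never set one (for example a user not
	# found in the directory); the script is simply not run on an empty
	# argument.
}
```

The point is use_tunneled_reply together with an update of the inner reply list rather than outer.control: with PEAP the inner post-auth runs during the outer request that carries the last inner packet, while the outer post-auth that matters runs one request later, when the EAP-Success and Access-Accept are produced, and only the cached tunneled reply survives that boundary. Because LDAP-UserDn is internal it stays inside the server; nothing about the directory layout reaches the NAS or the supplicant. Check with radiusd -X that the outer post-auth expand line now shows the DN and that the Access-Accept does not carry it.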


No known good password was found in LDAP

2010-07-22 Thread newtownz

Hi,

I have a setup with a laptop, an access point, a wireless controller, freeradius
2.1.8 (Ubuntu 10.04) and SLES 10 eDirectory.

When I put the username and password in the users file, everything works fine
(802.1X, PEAP).

When I try to move authentication to eDirectory with LDAP, I get the
warning "No known..." but then the user is authorized ([ldap] user aruba authorized to use remote
access).

[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aruba)
[ldap]  expand: o=org -> o=org
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to xxx.yyy.110.136:389, authentication 0
  [ldap] bind as cn=admin,o=org/admin to xxx.yyy.110.136:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in o=org, with filter (uid=aruba)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user aruba authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0

The password stored in eDirectory is valid.

My understanding of eDirectory is that it will never let you see the actual
password of a user; it will hash it first. Is this behavior of freeradius normal?

Later in the process the user is rejected because no Auth-Type was found,
is this related?

Jean
-- 
View this message in context: 
http://old.nabble.com/No-%22known-good%22-password-was-found-in-LDAP-tp29239201p29239201.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Redirection to the NAS of an external CoA request

2010-07-20 Thread newtownz

Here are a few lines from my cfg files:

In radiusd.conf:

proxy_requests  = yes
$INCLUDE proxy.conf


In proxy.conf:

#(this is where I want to forward)
home_server aruba {
	type = coa
	ipaddr = xx.yy.110.148
	port = 1812
	src_ipaddr = xx.yy.110.128
	coa {
		# Initial retransmit interval: 1..5
		irt = 2

		# Maximum Retransmit Timeout: 1..30 (0 == no maximum)
		mrt = 16

		# Maximum Retransmit Count: 1..20 (0 == retransmit forever)
		mrc = 5

		# Maximum Retransmit Duration: 5..60
		mrd = 30
	}
	secret = testing123
}

home_server_pool to_aruba {
	home_server = aruba
}

###Not really sure about the validity of the last 3 lines...

And now I'm puzzled as to how to set the Home-Server-Pool,
as stated in the recv-coa section of the coa file:

recv-coa {
	#  CoA && Disconnect packets can be proxied in the same
	#  way as authentication or accounting packets.
	#  Just set Proxy-To-Realm, or Home-Server-Pool, and the
	#  packets will be proxied.

I tried to find the way it is done for authentication packets
and did not succeed.

Also, I just want to know if my understanding of the whole
process of proxying the CoA is right:

The default server config file is of no use here; in the coa file
I have to state somehow that I want the request to be forwarded
to the controller, and in the proxy.conf file I have to create
this controller as a home server so that freeradius won't complain about
an unknown IP address.

Jean



Alan DeKok-2 wrote:
 
 newtownz wrote:
 I'm trying to figure out how to send a CoA from freeRadius
 to the NAS.  The set-up I have involves two servers and an 
 Aruba controller.  
 
   i.e. proxying CoA packets through FreeRADIUS to the NAS.
 
   While this should work, it's not a deeply tested scenario.
 
  In this test set-up the client authenticates locally on the
 freeRadius server.  The server listen on port 3799 for a CoA request
 that is generated from another computer, the freeRadius accepts
 the request and sends a ACK to the generator but it does not
 send anything to the NAS, 
 
   Did you configure the server to proxy the CoA request?  Look for
 proxy in raddb/sites-available/coa in 2.1.9.
 
 I tried to supply in the request a
 NAS-IP-Address attribute and also tried with Packet-Dst-IP-Address
 with no success. Also tried different things in CoA and Originate-CoA
 with the same results.
 
   Well.. the coa documents exactly what you need to do.  Trying random
 *undocumented* things won't make it work.
 
 The goal I'm trying to reach is to supply the user-name in the
 CoA request that will force the client to silently reconnect and
 in the meantime I will have changed the Access-List accessible to
 the client.
 
   Use a Disconnect-Request packet to make the client disconnect.
 
 1: Is it possible to send a CoA request to the freeRadius server
 and then have it relay the request to the Aruba controller?
 
   Yes.  This is called proxying
 
 2: If it is possible what do I have to put in the configs file
 and where?
 
   This is documented.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 

-- 
View this message in context: 
http://old.nabble.com/Redirection-to-the-NAS-of-an-external-CoA-request-tp29206196p29216134.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Redirection to the NAS of an external CoA request

2010-07-19 Thread newtownz

Hi,

I'm trying to figure out how to send a CoA from freeRadius
to the NAS.  The set-up I have involves two servers and an 
Aruba controller.  

   +--------------+   CoA-Request   +--------------+
   |              | <-------------- |    Ubuntu    |
   |     NAS      |                 |    RADIUS    |
   |    Aruba     |  CoA-Response   |    Server    |
   |  Controller  | --------------> |    2.1.9     |
   +--------------+                 +--------------+
                                          | Port 3799
                                          |
                                    +-----------+
                                    |  Request  |
                                    | Generator |
                                    +-----------+

In this test set-up the client authenticates locally on the
freeRadius server.  The server listens on port 3799 for a CoA request
that is generated from another computer; freeRadius accepts
the request and sends an ACK to the generator, but it does not
send anything to the NAS.  I tried to supply a
NAS-IP-Address attribute in the request and also tried Packet-Dst-IP-Address,
with no success.  I also tried different things in CoA and Originate-CoA
with the same results.

The goal I'm trying to reach is to supply the user-name in the
CoA request, which will force the client to silently reconnect;
in the meantime I will have changed the Access-List accessible to
the client.

1: Is it possible to send a CoA request to the freeRadius server
and then have it relay the request to the Aruba controller?

2: If it is possible what do I have to put in the configs file
and where?

Thank you

Jean
-- 
View this message in context: 
http://old.nabble.com/Redirection-to-the-NAS-of-an-external-CoA-request-tp29206196p29206196.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Redirection to the NAS of an external CoA request

2010-07-19 Thread newtownz

Hi,

Ok, I found that if I put

update coa {
	Packet-Dst-IP-Address := 127.0.0.1
	User-Name := test
}

like it's written in the doc (sigh...), the server
relays the request.
The only problem I have left is the
"Warning: Unknown destination IP"
if I put another address than 127.0.0.1.

Jean


-- 
View this message in context: 
http://old.nabble.com/Redirection-to-the-NAS-of-an-external-CoA-request-tp29206196p29208311.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
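The proxy path the 2010-07-20 and 2010-07-19 posts above are working out, as an added example that is not taken from the posts or from the stock raddb files. It assumes FreeRADIUS 2.1.9, the controller address xx.yy.110.148 and server address xx.yy.110.128 from the posts, that the controller accepts CoA and Disconnect on UDP 3799 (the RFC 5176 default; the post used 1812), and the names aruba_coa, aruba_coa_pool and coa_generator, which are assumed, with placeholder addresses and secrets to be replaced.

```unlang
# raddb/clients.conf -- the request generator must be a known client.
# FreeRADIUS verifies the Request Authenticator of every CoA-Request
# and Disconnect-Request against this secret before any unlang runs,
# so an unknown source, or a wrong secret, is dropped here.
client coa_generator {
	ipaddr    = xx.yy.110.150          # assumed address of the generator
	secret    = replace-with-a-long-random-secret
	shortname = coa-gen
}

# raddb/proxy.conf -- the Aruba controller as a CoA home server.
# "Unknown destination IP" means no home_server of type = coa matches
# the address the packet is to be sent to, so this definition is needed
# for either of the two methods below.
home_server aruba_coa {
	type       = coa
	ipaddr     = xx.yy.110.148          # the controller (from the posts)
	port       = 3799                   # assumed: RFC 5176 default (the post used 1812)
	src_ipaddr = xx.yy.110.128          # this server (from the posts)
	secret     = replace-with-the-controller-side-secret
	coa {
		irt = 2
		mrt = 16
		mrc = 5
		mrd = 30
	}
}

home_server_pool aruba_coa_pool {
	type        = fail-over
	home_server = aruba_coa
}

# raddb/sites-available/coa -- listener and virtual server for CoA and
# Disconnect requests arriving from the generator.
listen {
	type           = coa
	ipaddr         = xx.yy.110.128
	port           = 3799
	virtual_server = coa
}

server coa {
	recv-coa {
		# Method 1: forward the packet we received.  Refuse anything
		# that does not identify a session; "reject" here answers with
		# a CoA-NAK or Disconnect-NAK instead of forwarding junk.
		if (!User-Name) {
			reject
		}

		# Setting Home-Server-Pool in the control list is what makes
		# the server proxy the packet, the same as for an Access-Request.
		update control {
			Home-Server-Pool := "aruba_coa_pool"
		}
		ok
	}

	send-coa {
		ok
	}
}

# Method 2: originate a fresh packet from any virtual server with
# "update coa" (or "update disconnect" for a Disconnect-Request).  The
# destination is matched against a type = coa home_server by address,
# which is why an address with no home_server definition only yields
# the "Unknown destination" warning.  Shown commented out because it
# belongs in whatever section decides to kick the session, not here.
#
#	update disconnect {
#		Packet-Dst-IP-Address := xx.yy.110.148
#		Packet-Dst-Port       := 3799
#		User-Name             := "%{User-Name}"
#	}
```

From the generator, radclient can drive it: put User-Name=... (plus whatever session identifiers the controller keys on, such as NAS-IP-Address or Acct-Session-Id) on stdin and run radclient -x xx.yy.110.128:3799 coa <secret>, or disconnect in place of coa. The security boundary is the shared secret on each leg: the generator's secret authenticates the inbound request, and the home server's secret authenticates what FreeRADIUS forwards to the controller. Anyone holding the generator secret can tear down any session, so treat it as an administrative credential and keep it distinct from the NAS authentication secret.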


Re: freeRadius Disconnect-Message

2010-07-13 Thread newtownz

Hi Alan,

Sorry about the quotes...
I'll have a look at the CoA.
Thank you for your answer.

Jean


newtownz wrote:
 
 
 Hi, 
 
 Quote from another post: 
 
 2.1.9 supports disconnect.  It's for disconnecting users. 
 
   Alan DeKok. 
 
 and another one: 
 
 The Freeradius server will not do this for you 
 
   You have to write maybe 10 lines of configuration to get this done. 
 
   Alan DeKok. 
 
 Here are my questions: 
 
 1 - Is freeRadius server able to send a disconnect-request? 
 
 2 - If so, where can I get information on how to do this? 
 
 3 - Do we still have to use radclient to send the message? 
 
 Thank you. 
 
 Jean 
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 

-- 
View this message in context: 
http://old.nabble.com/freeRadius-Disconnect-Message-tp29153410p29154843.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html