Re: Passing variables from inner tunnel
Hi,

Thank you for your answer.

> Just return User-Name in the reply and do a repeat LDAP query on your
> outer layer; doing a 'cn' lookup should be instantaneous...

I'm a little puzzled on how to accomplish this!

Regards
Jean

--
View this message in context: http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29286932.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Passing variables from inner tunnel
Hi,

I think I understand the problem here: there are multiple requests done to freeradius in the process of authenticating the user, and since I'm trying to access the variable that was set in the previous request it is simply empty...

Jean

--
View this message in context: http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29287687.html
Re: Passing variables from inner tunnel
Hi,

Since I need to have the LDAP-UserDn in the post-auth section of the default server, is there a way to execute an LDAP query in this part?

Jean

--
View this message in context: http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29287788.html
Passing variables from inner tunnel
Hi,

I'm trying to pass the value of LDAP-UserDn from the inner-tunnel to the default server. I have read unlang and also tried many combinations, including "update outer.control" from the inner tunnel, and nothing worked...

Here is a debug output where we can see that the User-Dn gets expanded correctly in the tunnel but is empty in the default server.

  ++[eap] returns ok
  +- entering group post-auth {...}
      expand: %{control:LDAP-UserDn} -> cn=aruba,ou=etudiant,o=org
  Exec-Program output: etudiant
  Exec-Program-Wait: plaintext: etudiant
  Exec-Program: returned: 0
  ++[reply] returns noop
  ++[outer.control] returns noop
  } # server inner-tunnel
  [eap] Freeing handler
  ++[eap] returns ok
  +- entering group post-auth {...}
  ++[exec] returns noop
      expand: %{control:LDAP-UserDn} ->
  PHP Notice:  Undefined offset: 0 in /etc/freeradius/scripts/php3 on line 4
  Exec-Program output: dewor
  Exec-Program-Wait: plaintext: dewor
  Exec-Program: returned: 0

Thanks
Jean

--
View this message in context: http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29279811.html
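The debug output above shows why "update outer.control" cannot work here: the inner-tunnel post-auth runs during one EAP round, and the outer post-auth that runs the script belongs to a later, separate request, so any control attribute set earlier is gone. The approach suggested in the thread (return the identity in the reply, then repeat the LDAP query on the outer side) looks like the following. This is an added example, not configuration from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.1.x, PEAP with use_tunneled_reply = yes in eap.conf (so inner reply attributes are copied to the outer Access-Accept), the base DN o=org and the uid attribute seen in the debug output, and Tmp-String-0 as a scratch control attribute; the attribute fetched (cn) is an assumption, and the rlm_ldap xlat returns an attribute value, never the entry's DN.

```unlang
# raddb/sites-available/inner-tunnel  (added example, assumptions noted in comments)
post-auth {
    # The inner request's User-Name is the real identity.  Putting it in the
    # inner reply lets PEAP (use_tunneled_reply = yes, assumed) copy it to the
    # outer reply, which is the only list that survives into the final request.
    update reply {
        User-Name := "%{User-Name}"
    }
}

# raddb/sites-available/default  (outer server)
post-auth {
    # This is a different request from the one that ran inner-tunnel, so
    # control:LDAP-UserDn is empty here.  Re-query the directory by the
    # identity returned from the tunnel instead.  The xlat is rlm_ldap's
    # LDAP-URL form: base?attribute?scope?filter.  cn is an assumed choice.
    update control {
        Tmp-String-0 := "%{ldap:ldap:///o=org?cn?sub?(uid=%{reply:User-Name})}"
    }

    # Guard the script call: if the lookup returned nothing, do not run the
    # script with an empty argument (the PHP "Undefined offset" above is
    # exactly that failure mode).
    if (control:Tmp-String-0 != "") {
        # "exec" here is an exec module instance whose "program" line would
        # pass %{control:Tmp-String-0} to the script; its definition is
        # site-specific and not shown.
        exec
    }
}
```

Two points worth checking in debug mode after applying this: the outer post-auth log should show "expand: %{reply:User-Name}" with the inner identity rather than the anonymous outer identity, and "rlm_ldap" should log a second search in o=org for the same uid. If the NAS must not see the inner identity, remove User-Name from the outer reply again at the end of the outer post-auth section once the lookup is done.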
No "known good" password was found in LDAP
Hi,

I have a setup with a laptop, access-point, wireless-controller, freeradius 2.1.8 (ubuntu 10.04) and SLES 10 eDirectory.

When I put the username and password in the users file everything works fine (802.1x, PEAP). When I try to move authentication to the eDirectory with ldap, I get the warning "No known good..." but then the user is authorized ([ldap] user aruba authorized to use remote access).

  [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aruba)
  [ldap] expand: o=org -> o=org
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to xxx.yyy.110.136:389, authentication 0
  [ldap] bind as cn=admin,o=org/admin to xxx.yyy.110.136:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in o=org, with filter (uid=aruba)
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  [ldap] looking for reply items in directory...
  WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
  [ldap] user aruba authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0

The password stored in eDirectory is valid. My understanding of eDirectory is that it will never let you see the actual password of a user; it will hash it first. Is this behavior of freeradius normal? Later in the process the user is rejected because no Auth-Type was found; is this related?

Jean

--
View this message in context: http://old.nabble.com/No-%22known-good%22-password-was-found-in-LDAP-tp29239201p29239201.html
Re: Redirection to the NAS of an external CoA request
Here are a few lines from my cfg files:

In radiusd.conf:

  proxy_requests = yes
  $INCLUDE proxy.conf

In proxy.conf:

  #(this is where I want to forward)
  home_server aruba {
      type = coa
      ipaddr = xx.yy.110.148
      port = 1812
      src_ipaddr = xx.yy.110.128
      coa {
          # Initial retransmit interval: 1..5
          irt = 2
          # Maximum Retransmit Timeout: 1..30 (0 == no maximum)
          mrt = 16
          # Maximum Retransmit Count: 1..20 (0 == retransmit forever)
          mrc = 5
          # Maximum Retransmit Duration: 5..60
          mrd = 30
      }
      secret = testing123
  }

  home_server_pool to_aruba {
      home_server = aruba
  }
  ###Not really sure about the validity of the last 3 lines...

And now I'm puzzled as to how to set the Home-Server-Pool as stated in the recv-coa section of coa:

  recv-coa {
      # CoA Disconnect packets can be proxied in the same
      # way as authentication or accounting packets.
      # Just set Proxy-To-Realm, or Home-Server-Pool, and the
      # packets will be proxied.

I tried to find the way that it is done for authentication packets and did not succeed.

Also I just want to know if my understanding about the whole process of proxying the CoA is right: the default server config file is of no use here; in the coa I have to state somehow that I want the request to be forwarded to the controller, and in the proxy.conf file I have to create this controller-server so that freeradius won't complain about an unknown IP address.

Jean

Alan DeKok-2 wrote:
> newtownz wrote:
> > I'm trying to figure out how to send a CoA from freeRadius to the NAS.
> > The set-up I have involves two servers and an Aruba controller.
>
> i.e. proxying CoA packets through FreeRADIUS to the NAS. While this
> should work, it's not a deeply tested scenario.
>
> > In this test set-up the client authenticates locally on the freeRadius
> > server. The server listens on port 3799 for a CoA request that is
> > generated from another computer, the freeRadius accepts the request and
> > sends an ACK to the generator but it does not send anything to the NAS,
>
> Did you configure the server to proxy the CoA request?
>
> Look for proxy in raddb/sites-available/coa in 2.1.9.
>
> > I tried to supply in the request a NAS-IP-Address attribute and also
> > tried with Packet-Dst-IP-Address with no success. Also tried different
> > things in CoA and Originate-CoA with the same results.
>
> Well.. the coa documents exactly what you need to do. Trying random
> *undocumented* things won't make it work.
>
> > The goal I'm trying to reach is to supply the user-name in the CoA
> > request that will force the client to silently reconnect and in the
> > meantime I will have changed the Access-List accessible to the client.
>
> Use a Disconnect-Request packet to make the client disconnect.
>
> > 1: Is it possible to send a CoA request to the freeRadius server and
> > then have it relay the request to the Aruba controller?
>
> Yes. This is called proxying
>
> > 2: If it is possible what do I have to put in the config files and where?
>
> This is documented.
>
> Alan DeKok.

--
View this message in context: http://old.nabble.com/Redirection-to-the-NAS-of-an-external-CoA-request-tp29206196p29216134.html
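To answer the "how do I set the Home-Server-Pool" question concretely: it is an attribute in the control list, so the recv-coa section sets it with an update block before returning ok, and the server then forwards the packet to the pool instead of answering it locally. The following is an added example, not configuration from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.1.9, the home_server "aruba" and home_server_pool "to_aruba" from the post above (so the controller's address is known to the server and does not trigger the "Unknown destination IP" warning mentioned earlier in this thread), and a listener on port 3799 as in the original set-up.

```unlang
# raddb/sites-available/coa  (added example; names from the post above are assumed)
server coa {
    listen {
        # Listen for CoA / Disconnect requests from the request generator.
        ipaddr = *
        port = 3799
        type = coa
    }

    recv-coa {
        # Forward the received CoA-Request to the Aruba controller.  The
        # pool name must match the home_server_pool defined in proxy.conf;
        # the home_server it references must be "type = coa".
        update control {
            Home-Server-Pool := to_aruba
        }
        ok
    }

    send-coa {
        # Runs for the reply that goes back to the request generator; nothing
        # needs to change here for plain forwarding.
        ok
    }
}
```

With this in place the debug output should show the packet being sent to the home server defined in proxy.conf rather than only a CoA-ACK back to the generator. The shared secret in the home_server block is the one the controller expects for CoA, which is not necessarily the same as the secret it uses for authentication requests, and the listener itself should be restricted to the generator's address in the clients configuration so that arbitrary hosts cannot inject CoA or Disconnect requests toward the NAS.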
Redirection to the NAS of an external CoA request
Hi,

I'm trying to figure out how to send a CoA from freeRadius to the NAS. The set-up I have involves two servers and an Aruba controller.

  [ASCII diagram: three boxes, "NAS / Aruba Controller", "Ubuntu RADIUS Server 2.1.9 / Port 3799" and "Request Generator", with the labels "CoA-Request" and "CoA-Response" between the NAS and the RADIUS server]

In this test set-up the client authenticates locally on the freeRadius server. The server listens on port 3799 for a CoA request that is generated from another computer; the freeRadius accepts the request and sends an ACK to the generator but it does not send anything to the NAS. I tried to supply in the request a NAS-IP-Address attribute and also tried with Packet-Dst-IP-Address with no success. Also tried different things in CoA and Originate-CoA with the same results.

The goal I'm trying to reach is to supply the user-name in the CoA request that will force the client to silently reconnect, and in the meantime I will have changed the Access-List accessible to the client.

1: Is it possible to send a CoA request to the freeRadius server and then have it relay the request to the Aruba controller?
2: If it is possible, what do I have to put in the config files and where?

Thank you
Jean

--
View this message in context: http://old.nabble.com/Redirection-to-the-NAS-of-an-external-CoA-request-tp29206196p29206196.html
Re: Redirection to the NAS of an external CoA request
Hi,

Ok, I found that if I put

  update coa {
      Packet-dst-IP-Address := 127.0.0.1
      User-Name := test
  }

like it's written in the doc (sigh...), the server relays the request. The only problem I have left is the warning "Unknown destination IP" if I put another address than 127.0.0.1.

Jean

newtownz wrote:
> [quoted original post "Redirection to the NAS of an external CoA request", reproduced in full below]

--
View this message in context: http://old.nabble.com/Redirection-to-the-NAS-of-an-external-CoA-request-tp29206196p29208311.html
Re: freeRadius Disconnect-Message
Hi Alan,

Sorry about the quotes... I'll have a look at the CoA. Thank you for your answer.

Jean

newtownz wrote:
> Hi,
>
> Quote from another post:
>
> > 2.1.9 supports disconnect. It's for disconnecting users.
> > Alan DeKok.
>
> and another one:
>
> > The Freeradius server will not do this for you. You have to write maybe
> > 10 lines of configuration to get this done.
> > Alan DeKok.
>
> Here are my questions:
>
> 1 - Is freeRadius server able to send a disconnect-request?
> 2 - If so, where can I get information on how to do this?
> 3 - Do we still have to use radclient to send the message?
>
> Thank you.
> Jean

--
View this message in context: http://old.nabble.com/freeRadius-Disconnect-Message-tp29153410p29154843.html