Re: Authenticating and Blocking per client
On Mar 30, 2005 5:02 AM, Peter Nixon [EMAIL PROTECTED] wrote:
> Yes. Huntgroups is exactly what you want...

I'm trying to get this working now. Our current setup uses sql, so I created the Huntgroup in the /etc/raddb/huntgroups file, then specified Huntgroup-Name == testgroup in the radgroupcheck table of the radius database. Is this correct?

I restarted radiusd and I'm still able to connect to the redback even though the user is pointed to a huntgroup that does not contain the NAS-IP-Address of the redback... Is == correct, or should I be using := in the database (I tried both and neither seems to have an effect) ...

Here is the output from radiusd -X:

    rad_recv: Access-Request packet from host 10.0.0.50:1812, id=6, length=102
            User-Name = testuser
            User-Password = testpass
            NAS-Identifier = agg0.example.com
            NAS-IP-Address = 10.0.0.50
            NAS-Real-Port = 402653185
            Service-Type = Framed-User
            Framed-Protocol = PPP
            NAS-Port = 3892314151
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 14
    modcall[authorize]: module preprocess returns ok for request 14
    modcall[authorize]: module chap returns noop for request 14
    modcall[authorize]: module mschap returns noop for request 14
      rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
      rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 14
      rlm_realm: No '\' in User-Name = testuser, looking up realm NULL
      rlm_realm: No such realm NULL
    modcall[authorize]: module ntdomain returns noop for request 14
    radius_xlat: 'testuser'
    rlm_sql (sql): sql_set_user escaped user -- 'testuser'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 0
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser' ORDER BY id'
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql (sql): Released sql socket id: 0
    modcall[authorize]: module sql returns ok for request 14
    modcall: group authorize returns ok for request 14
      auth: type Crypt
    Processing the session section of radiusd.conf
    modcall: entering group session for request 14
    modcall[session]: module sql returns noop for request 14
    modcall: group session returns noop for request 14
    Login OK: [testuser/testpass] (from client RedbackSMS port 3892314151)
    Sending Access-Accept of id 6 to 10.0.0.50:1812
            Framed-IP-Address := 255.255.255.254
    Finished request 14

> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authenticating and Blocking per client
On Mar 31, 2005 11:49 AM, Jason Frisvold [EMAIL PROTECTED] wrote:
> Is == correct, or should I be using := in the database (I tried both and
> neither seems to have an effect) ...

Never mind... I changed the operator for the wrong item... :) This is working as expected now.. I'm off to drink more coffee now... Sorry for the noise..

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: Authenticating and Blocking per client
On Tuesday 29 March 2005 17:56, Jason Frisvold wrote:
> On Tue, 29 Mar 2005 07:51:41 -0700, Kenneth Grady [EMAIL PROTECTED] wrote:
> > One way to do it is to add the users allowed to the huntgroups.
> > Example: huntgroups...
>
> Ok, so now what happens when you start dealing with other devices like a
> redback? Can those be added into the huntgroups as well?

Yes. Huntgroups is exactly what you want...

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Authenticating and Blocking per client
Hi all,

Up until now, we've used freeradius to authenticate a pool of RAS units. Moving forward, we want to authenticate some users on some RAS units, but deny them on others. What is the proper way to do this? Is this a function of the RAS or a function of the radius server?

Any help would be greatly appreciated! Thanks!

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: Authenticating and Blocking per client
Called-Station-Id ?

--
Chris.

I love deadlines. I especially love the whooshing sound they make as they fly by...
- Douglas Adams, 'Hitchhiker's Guide to the Galaxy'

- Original Message -
From: Jason Frisvold [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, March 29, 2005 4:18 PM
Subject: Authenticating and Blocking per client

> Hi all,
>
> Up until now, we've used freeradius to authenticate a pool of RAS units.
> Moving forward, we want to authenticate some users on some RAS units, but
> deny them on others. What is the proper way to do this? Is this a function
> of the RAS or a function of the radius server?
>
> Any help would be greatly appreciated! Thanks!
>
> --
> Jason 'XenoPhage' Frisvold
> [EMAIL PROTECTED]
Re: Authenticating and Blocking per client
On Tue, 29 Mar 2005 16:23:43 +0200, Chris Knipe [EMAIL PROTECTED] wrote:
> Called-Station-Id ?

Radius checks this and allows/denies appropriately? Do you have a link to documentation on how to set something like this up?

Thanks!

> --
> Chris.

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: Authenticating and Blocking per client
One way to do it is to add the users allowed to the huntgroups. Example:

huntgroups...

    NAS1    NAS-IP-Address == 1.2.3.4
            User-Name == user1, User-Name == user2
    NAS2    NAS-IP-Address == 2.3.4.5
            User-Name == user3, User-Name == user4

users...

    user1   Huntgroup-Name == NAS1, User-Password ...
    user2   Huntgroup-Name == NAS2, User-Password ...

On Tue, 2005-03-29 at 07:18, Jason Frisvold wrote:
> Hi all,
>
> Up until now, we've used freeradius to authenticate a pool of RAS units.
> Moving forward, we want to authenticate some users on some RAS units, but
> deny them on others. What is the proper way to do this? Is this a function
> of the RAS or a function of the radius server?
>
> Any help would be greatly appreciated! Thanks!
Re: Authenticating and Blocking per client
On Tue, 29 Mar 2005 07:51:41 -0700, Kenneth Grady [EMAIL PROTECTED] wrote:
> One way to do it is to add the users allowed to the huntgroups.
> Example: huntgroups...

Ok, so now what happens when you start dealing with other devices like a redback? Can those be added into the huntgroups as well?

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: Authenticating and Blocking per client
Yes, it does. A sample from our users file:

    #testy  Auth-Type := Local, Simultaneous-Use := 1, Max-All-Session := 10800, Pool-Name := ippool-prepaid, Called-Station-Id = wcore-nasgw01, NAS-Port-Type == Ethernet
    #       Acct-Interim-Interval = 300,
    #       Rate-Limit = 256k/256k,
    #       Service-Type = Framed-User,
    #       Framed-Protocol = PPP,
    #       Framed-Compression = Van-Jacobson-TCP-IP,
    #       Framed-Routing = Broadcast-Listen,
    #       MS-MPPE-Encryption-Policy = 1,
    #       MS-MPPE-Encryption-Types = LS

What the value of Called-Station-Id is supposed to be, is up to what your NAS sends to FR though. As the other reply also stated, huntgroups is another way to do this but it may not be a viable option to have all your user accounts in two (or more) places.

Called-Station-Id also works very nicely as a check item in MySQL if you're using databases.

--
Chris.

I love deadlines. I especially love the whooshing sound they make as they fly by...
- Douglas Adams, 'Hitchhiker's Guide to the Galaxy'

- Original Message -
From: Jason Frisvold [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, March 29, 2005 4:37 PM
Subject: Re: Authenticating and Blocking per client

> On Tue, 29 Mar 2005 16:23:43 +0200, Chris Knipe [EMAIL PROTECTED] wrote:
> > Called-Station-Id ?
>
> Radius checks this and allows/denies appropriately? Do you have a link to
> documentation on how to set something like this up?
>
> Thanks!
>
> > --
> > Chris.
>
> --
> Jason 'XenoPhage' Frisvold
> [EMAIL PROTECTED]
Re: Authenticating and Blocking per client
On Tue, 29 Mar 2005 17:13:33 +0200, Chris Knipe [EMAIL PROTECTED] wrote:
> What the value of Called-Station-Id is supposed to be, is up to what your
> NAS sends to FR though. As the other reply also stated, huntgroups is
> another way to do this but it may not be a viable option to have all your
> user accounts in two (or more) places.

*sigh* It looks like the RAS units send unknown as the called-station-id, and the redback sends nothing. Is it possible to do something similar to the above, but use NAS-IP-Address? And if so, how do you specify multiple addresses?

> Called-Station-Id also works very nicely as a check item in MySQL if
> you're using databases.

How so? Do you mean in the radgroupcheck table?

> --
> Chris.

Thanks!

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: Authenticating and Blocking per client
- Original Message -
From: Jason Frisvold [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, March 29, 2005 5:51 PM
Subject: Re: Authenticating and Blocking per client

> On Tue, 29 Mar 2005 17:13:33 +0200, Chris Knipe [EMAIL PROTECTED] wrote:
> > What the value of Called-Station-Id is supposed to be, is up to what your
> > NAS sends to FR though. As the other reply also stated, huntgroups is
> > another way to do this but it may not be a viable option to have all your
> > user accounts in two (or more) places.
>
> *sigh* It looks like the RAS units send unknown as the called-station-id,
> and the redback sends nothing. Is it possible to do something similar to
> the above, but use NAS-IP-Address? And if so, how do you specify multiple
> addresses?

Yep. Should work. Multiple addresses... Hmmm... try adding it multiple times?

    NAS-IP-Address = x.x.x.x,
    NAS-IP-Address = y.y.y.y,
    etc

> > Called-Station-Id also works very nicely as a check item in MySQL if
> > you're using databases.
>
> How so? Do you mean in the radgroupcheck table?

Yep. Or radcheck (if you want to do it per user vs per group).

--
Chris.
Re: Authenticating and Blocking per client
On Tue, 29 Mar 2005 17:59:13 +0200, Chris Knipe [EMAIL PROTECTED] wrote:
> Yep. Should work. Multiple addresses... Hmmm... try adding it multiple times?

Ok, so I added multiple NAS-IP-Address entries in the database. Tested it from a RAS that wasn't in that list, and got on without a problem. So... I'm missing something. Is there some special module that needs to be active?

> --
> Chris.

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: Authenticating and Blocking per client
On Tue, 29 Mar 2005 12:09:46 -0500, Jason Frisvold [EMAIL PROTECTED] wrote:
> Ok, so I added multiple NAS-IP-Address entries in the database. Tested it
> from a RAS that wasn't in that list, and got on without a problem. So...
> I'm missing something. Is there some special module that needs to be active?

Aha! checkval .. So, can checkval check for multiple values? Or can there be multiple different checkval modules?

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
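The thread turns on three things: Kenneth's huntgroups file (a huntgroup named by NAS-IP-Address, optionally with a list of users allowed on it), Chris's Called-Station-Id check item (which cannot work when the RAS sends "unknown" and the redback sends nothing), and Jason's radgroupcheck rows whose operator decides whether Huntgroup-Name is compared at all. The Python below is an added example, written for this page and not taken from the thread or from FreeRADIUS; it models the FreeRADIUS 1.x matching rules as I understand them (one huntgroup line matches when all its check items match; a Huntgroup-Name check holds if any line with that name matches; every "==" item in a users-file or SQL check list must hold, and ":=" items are set, never compared). The huntgroups text, the radcheck/usergroup/radgroupcheck rows and the requests are all constructed; the 10.0.0.50 request mirrors the one in the radiusd -X output.

```python
import re

# Attributes the comparison loop leaves to the authenticate step (modelled, not
# an exhaustive copy of FreeRADIUS' own list).
SKIP_ATTRS = {"User-Password", "Crypt-Password", "Auth-Type"}

def parse_check_items(spec):
    """Parse 'Attr == value, Attr2 := value2' into (attr, op, value) triples.
    Only '==' and ':=' are modelled; FreeRADIUS knows more operators."""
    items = []
    for part in spec.split(","):
        m = re.match(r"\s*([\w-]+)\s*(==|:=)\s*(\S+)\s*$", part)
        if not m:
            raise ValueError("unsupported check item: %r" % part)
        items.append(m.groups())
    return items

def parse_huntgroups(text):
    """Parse a huntgroups file into [(name, check_items, allowed_users)].
    A line starting in column 0 names a huntgroup and gives the check items
    that identify the NAS; an indented line lists the User-Names allowed on it."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            groups[-1][2].extend(v for a, _, v in parse_check_items(line)
                                 if a == "User-Name")
        else:
            name, spec = line.split(None, 1)
            groups.append((name, parse_check_items(spec), []))
    return groups

def huntgroup_cmp(request, name, huntgroups):
    """'Huntgroup-Name == name' holds if ANY huntgroups line with that name has
    check items that ALL match the request (OR across lines, AND within one)."""
    return any(g == name and paircompare(request, checks, huntgroups)
               for g, checks, _ in huntgroups)

def paircompare(request, checks, huntgroups=()):
    """Model of the check-item comparison: every '==' item must hold, so two
    different 'NAS-IP-Address ==' items can never both be satisfied."""
    for attr, op, value in checks:
        if op != "==" or attr in SKIP_ATTRS:
            continue                              # ':=' items are set, not compared
        if attr == "Huntgroup-Name":              # virtual attribute from rlm_preprocess
            ok = huntgroup_cmp(request, value, huntgroups)
        else:
            ok = request.get(attr) == value       # an absent attribute never matches
        if not ok:
            return False
    return True

def huntgroup_access(request, huntgroups):
    """Model of the preprocess access rule: the first matching huntgroup that
    carries a user list decides whether this User-Name may use the NAS at all."""
    for _, checks, allowed in huntgroups:
        if allowed and paircompare(request, checks, huntgroups):
            return request.get("User-Name") in allowed
    return True

# Constructed data. The rows mirror the tables joined by the check queries in
# the radiusd -X output: radcheck, usergroup and radgroupcheck.
HUNTGROUPS_TEXT = """\
# NAS1 is reserved for two users; NAS2 spans two devices, the second being
# the address the redback used in the debug output
NAS1    NAS-IP-Address == 1.2.3.4
        User-Name == user1, User-Name == user2
NAS2    NAS-IP-Address == 2.3.4.5
NAS2    NAS-IP-Address == 10.0.0.50
"""
RADCHECK = [("testuser", "User-Password", "==", "testpass")]
USERGROUP = [("testuser", "testgroup")]
RADGROUPCHECK = [("testgroup", "Huntgroup-Name", "==", "NAS2")]

def sql_check_items(username, radcheck, usergroup, radgroupcheck):
    """Same selection as the two check queries: the user's radcheck rows plus the
    radgroupcheck rows of every group the usergroup table puts the user in."""
    items = [(a, o, v) for u, a, o, v in radcheck if u == username]
    groups = {g for u, g in usergroup if u == username}
    items += [(a, o, v) for g, a, o, v in radgroupcheck if g in groups]
    return items

def authorize(request, radgroupcheck=RADGROUPCHECK, huntgroups_text=HUNTGROUPS_TEXT):
    """True when both the huntgroups access rule and the SQL check items allow it."""
    huntgroups = parse_huntgroups(huntgroups_text)
    checks = sql_check_items(request["User-Name"], RADCHECK, USERGROUP, radgroupcheck)
    return huntgroup_access(request, huntgroups) and paircompare(request, checks, huntgroups)

def request_from(nas_ip, user="testuser", **extra):
    """Build a minimal Access-Request as a dict of attribute -> value."""
    return {"User-Name": user, "NAS-IP-Address": nas_ip, **extra}

if __name__ == "__main__":
    print("testuser via redback 10.0.0.50:", authorize(request_from("10.0.0.50")))
    print("testuser via NAS1 1.2.3.4:", authorize(request_from("1.2.3.4")))
    print("unlisted NAS, radgroupcheck op ':=':", authorize(request_from("5.5.5.5"),
          radgroupcheck=[("testgroup", "Huntgroup-Name", ":=", "NAS2")]))
```

Running it shows why the thread ended where it did: with Huntgroup-Name == NAS2 in radgroupcheck, testuser is accepted from either NAS2 address and rejected from NAS1 or from an unlisted NAS; change the operator to := and the row is never compared, so the unlisted NAS is accepted, which is the symptom Jason saw before fixing the operator. A Called-Station-Id == wcore-nasgw01 item rejects both a RAS that sends "unknown" and a redback that sends nothing, and two NAS-IP-Address == items in one check list reject every request, because both would have to match at once; listing the addresses on separate huntgroups lines with the same name is what expresses "any of these".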