Re: More documentation on Auth-Type

2006-08-18 Thread Alan DeKok
Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
   modcall[authorize]: module ldap1 returns ok for request 0
 modcall: group Autz-Type returns ok for request 0
   rad_check_password:  Found Auth-Type LDAP
 auth: type LDAP

  You're probably running 1.0.x, rather than 1.1.x.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: More documentation on Auth-Type

2006-08-17 Thread Rohaizam Abu Bakar
Just managed to try your 2nd suggestion, but it gives the error below in the 
debug logs; refer to the debug logs.


ERROR: Unknown value specified for Auth-Type.  Cannot perform requested 
action



modules {
  ldap ldap1 {
    basedn = ou=RADIUS..
    set_auth_type = yes
  }
  ldap ldapdialup1 {
    basedn = ou=DIALUP..
    set_auth_type = yes
  }
}

authorize {
  Autz-Type LDAP {
    ldap1
  }
  Autz-Type DIALUP {
    ldapdialup1
  }
}

authenticate {
  Auth-Type ldap1 {
    ldap1
  }
  Auth-Type ldapdialup1 {
    ldapdialup1
  }
}

DEFAULT ldapdialup1-Ldap-Group == REAL, Autz-Type := DIALUP
DEFAULT Autz-Type := LDAP


#
lm_ldap: performing user authorization for bacang
radius_xlat:  '(uid=bacang)'
radius_xlat:  'ou=RADIUS,ou=People,.'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to :389, authentication 0
rlm_ldap: bind as cn=Sysadmin,ou=Applications,./x to xxx:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=RADIUS,ou=People,..., with filter (uid=bacang)
rlm_ldap: checking if remote access for bacang is allowed by attrRoaming
rlm_ldap: Added password {CRYPT}Y3EhshegMNPxA in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP  op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500  op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP  op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User  op=11
rlm_ldap: user bacang authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap1 returns ok for request 0
modcall: group Autz-Type returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.
Login incorrect: [bacang] (from client sysadmin port 0)



- Original Message - 
From: Phil Mayers [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, August 08, 2006 6:28 PM
Subject: Re: More documentation on Auth-Type





Re: More documentation on Auth-Type

2006-08-08 Thread Phil Mayers

Rohaizam Abu Bakar wrote:
Any docs to help with my problem? In doc/rlm_ldap there is a section 
about LDAP XLAT. Is it the one?


As far as I know, you should be able to do something like:

modules {
  files {
usersfile = users
  }
  files wireless_files {
usersfile = wireless_users
  }
  files vpn_files {
usersfile = vpn_users
  }
  ldap {
basedn = %{reply:Tmp-String-1}
...
  }
}

authorize {
  files
  Autz-Type WIRELESS {
wireless_files
ldap
  }
  Autz-Type VPN {
vpn_files
ldap
  }
}

users:

DEFAULT Huntgroup-Name == whatever, Autz-Type := WIRELESS

DEFAULT Huntgroup-Name == something, Autz-Type := VPN

users_vpn:

DEFAULT
Tmp-String-1 = ou=vpnusers,dc=mydomain,dc=org

users_wireless:

DEFAULT
Tmp-String-1 = ou=wireless,dc=anotherdomain,dc=com

You may need to add Tmp-String-1 to a local dictionary if you're running 
an older server, e.g. in dictionary


ATTRIBUTE Tmp-String-1 3000 string


Alternatively, 1.1.0 and up can do this I think?

modules {
  ldap wireless_ldap {
basedn = ou=wireless,dc=domain,dc=com
set_auth_type = yes
  }
  ldap vpn_ldap {
basedn = ou=vpn,dc=example,dc=org
set_auth_type = yes
  }
  files {
   ...
  }
}

authorize {
  preprocess
  files
  Autz-Type WIRELESS {
wireless_ldap
  }
  Autz-Type VPN {
vpn_ldap
  }
}

authenticate {
  Auth-Type wireless_ldap {
wireless_ldap
  }
  Auth-Type vpn_ldap {
vpn_ldap
  }
}

and in users:

DEFAULT Huntgroup-Name == VPN, Autz-Type := VPN

DEFAULT Huntgroup-Name == WIRELESS, Autz-Type := WIRELESS


Basically, what happens then is:

 1. preprocess run
 2. files run, autz-type set
 3. authorize re-run, autz-type section run
 4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is 
NOT SET, set Auth-Type to modulename - i.e. wireless_ldap or vpn_ldap

 5. authenticate run, appropriate LDAP module run
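The dispatch that Phil's five steps describe, and the failure Alan diagnoses in his Aug 18 reply ("Found Auth-Type LDAP" with no matching Auth-Type section), as an added Python model; it is not part of the thread or of FreeRADIUS itself. It assumes, as Alan's 1.0.x/1.1.x remark implies, that rlm_ldap with set_auth_type = yes sets Auth-Type to the fixed name LDAP on 1.0.x and to the module instance name on 1.1.x; the users entries, sections and request are Rohaizam's config from the thread, with the Ldap-Group check modelled as a plain request attribute.

```python
# Constructed model of FreeRADIUS authorize/authenticate dispatch.
# Not server code: it only reproduces the section flow discussed in
# the thread closely enough to show where "Unknown value specified
# for Auth-Type" comes from.

def files_authorize(request, config, users):
    """Model of rlm_files: the first DEFAULT entry whose check items
    all match sets Autz-Type.  (In the real server the Ldap-Group
    check is evaluated by rlm_ldap; here it is a plain attribute.)"""
    for check, autz_type in users:
        if all(request.get(k) == v for k, v in check.items()):
            config["Autz-Type"] = autz_type
            return "ok"
    return "noop"

def ldap_authorize(config, instance, legacy):
    """Model of rlm_ldap with set_auth_type = yes (step 4 of Phil's
    flow).  legacy=True models 1.0.x, which sets the fixed name
    'LDAP'; legacy=False models 1.1.x, which sets the instance name.
    Either way Auth-Type is set only if nothing set it earlier."""
    if "Auth-Type" not in config:
        config["Auth-Type"] = "LDAP" if legacy else instance
    return "ok"

def run_request(request, users, autz_sections, auth_sections, legacy):
    """authorize, then authenticate; returns (outcome, detail)."""
    config = {}
    files_authorize(request, config, users)
    autz = config.get("Autz-Type")
    if autz is not None:
        # authorize re-run: the matching Autz-Type sub-section runs
        ldap_authorize(config, autz_sections[autz], legacy)
    auth_type = config.get("Auth-Type")
    if auth_type not in auth_sections:
        # rad_check_password: "Unknown value specified for Auth-Type"
        return ("reject", f"unknown Auth-Type {auth_type!r}")
    return ("ok", auth_sections[auth_type])

# Rohaizam's configuration from the thread, in data form.
USERS = [({"ldapdialup1-Ldap-Group": "REAL"}, "DIALUP"), ({}, "LDAP")]
AUTZ_SECTIONS = {"LDAP": "ldap1", "DIALUP": "ldapdialup1"}
AUTH_SECTIONS = {"ldap1": "ldap1", "ldapdialup1": "ldapdialup1"}

def bacang(legacy):
    # constructed request for user 'bacang' from the debug log; no group match
    return run_request({"User-Name": "bacang"}, USERS, AUTZ_SECTIONS,
                       AUTH_SECTIONS, legacy)

def dialup_user(legacy):
    # constructed request that matches the DIALUP users entry
    return run_request({"User-Name": "someone",
                        "ldapdialup1-Ldap-Group": "REAL"},
                       USERS, AUTZ_SECTIONS, AUTH_SECTIONS, legacy)

if __name__ == "__main__":
    print("1.0.x:", bacang(True))   # ('reject', "unknown Auth-Type 'LDAP'")
    print("1.1.x:", bacang(False))  # ('ok', 'ldap1')
```

Under the 1.0.x model the Auth-Type that rlm_ldap sets never matches the authenticate sub-sections named after the instances, which is exactly the debug output Rohaizam posted.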


Re: More documentation on Auth-Type

2006-08-08 Thread Rohaizam Abu Bakar
For the 2nd option, I already tried almost the same except the auth-type 
name... Previously I tried Autz & Auth type using the same name... Will try it 
out as suggested... thx Phil


--haizam

- Original Message - 
From: Phil Mayers [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, August 08, 2006 6:28 PM
Subject: Re: More documentation on Auth-Type





Re: More documentation on Auth-Type

2006-08-07 Thread Rohaizam Abu Bakar

Alan,


Referring to the config below, each service has its own LDAP tree, 
specified under an ldap module with a different Auth-Type & Autz-Type specified 
in radiusd.conf. How can I set in the users file to search for which tree? 
Normally I detect NAS-Identifier and NAS-Port-Type as check items. If I specify 
Auth-Type & Autz-Type in the users file it seems to work, but when it gets to EAP 
it's not working.




i) users
=====

DEFAULT   (not to set Auth-Type but need to direct to certain LDAP
tree)



ii) radiusd.conf
==

ldap adsl {
   basedn=ou=ADSL, ou=People...
}
ldap wifi {
   basedn=ou=wifi, ou=People...
}

Then .. in authenticate and authorize section :-

authorize {
   eap
   Autz-Type=ADSL {
      adsl
   }
   Autz-Type=WIFI {
      wifi
   }
}
authenticate {
   Auth-Type=ADSL {
      adsl
   }
   Auth-Type=WIFI {
      wifi
   }
   eap
}

iii) eap.conf

... some config...


##

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, August 07, 2006 9:08 AM
Subject: Re: More documentation on Auth-Type





Re: More documentation on Auth-Type

2006-08-07 Thread Phil Mayers

Rohaizam Abu Bakar wrote:

Alan,


Referring to the config below, each service has its own LDAP tree, 
specified under an ldap module with a different Auth-Type & Autz-Type 
specified in radiusd.conf. How can I set in the users file to search for 


Aside from setting Reject/Accept, that (use of 1 module for a given 
auth method) is probably the single valid use. That use would be better 
supported using another method than conflating module instance names 
with algorithm names.


which tree? Normally I detect NAS-Identifier and NAS-Port-Type as check 
items. If I specify Auth-Type & Autz-Type in the users file it seems to work, 
but when it gets to EAP it's not working.


That is probably because the EAP inner request does not have the 
NAS-Id and NAS-Port-Type attribute. Set copy_request_to_tunnel = yes 
on the EAP method(s) you're using.


Re: More documentation on Auth-Type

2006-08-07 Thread Rohaizam Abu Bakar


Aside from setting Reject/Accept, that (use of 1 module for a given 
auth method) is probably the single valid use. That use would be better 
supported using another method than conflating module instance names 
with algorithm names.



I don't quite understand the above suggestion/comments..



That is probably because the EAP inner request does not have the 
NAS-Id and NAS-Port-Type attribute. Set copy_request_to_tunnel = yes 
on the EAP method(s) you're using.


I will try that one... thanks..

--haizam




Re: More documentation on Auth-Type

2006-08-07 Thread Alan DeKok
Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
 Referring to the config below, each service has its own LDAP tree, 
 specified under an ldap module with a different Auth-Type & Autz-Type specified 
 in radiusd.conf. How can I set in the users file to search for which tree? 

  Right now, you can't.  It's probably not too hard to add support in
rlm_ldap for dynamic updates of the basedn.  That would make life a
lot easier for many people, I think.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: More documentation on Auth-Type

2006-08-07 Thread Kostas Kalevras

On Mon, 7 Aug 2006, Alan DeKok wrote:


Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:

Referring to the config below, each service has its own LDAP tree,
specified under an ldap module with a different Auth-Type & Autz-Type specified
in radiusd.conf. How can I set in the users file to search for which tree?


 Right now, you can't.  It's probably not too hard to add support in
rlm_ldap for dynamic updates of the basedn.  That would make life a
lot easier for many people, I think.


basedn is already xlated..






--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: More documentation on Auth-Type

2006-08-07 Thread Kevin Bonner
On Friday 04 August 2006 17:21, Alan DeKok wrote:
 Kevin Bonner [EMAIL PROTECTED] wrote:
  One thing I didn't see mentioned on the auth type page is the
  heavily used Auth-Type := Local.  Was that consciously omitted, or
  are you still adding content to that page?

   I'm adding content... check back soon!

   But as for Auth-Type := Local, I didn't even think to address it,
 because I never use it, and don't think there's any need for it.  What
 kind of discussion do you think is necessary?

   Alan DeKok.

It's an auth method that some still have cluttering their users files.  
Perhaps just a small blurb stating that it was used in legacy versions of FR, 
but is no longer necessary.  Local and System are the only 2 I can recall 
that I don't see on your page, but have been around for a long time.

-Kevin



Re: More documentation on Auth-Type

2006-08-07 Thread Rohaizam Abu Bakar
Any docs to help with my problem? In doc/rlm_ldap there is a section about 
LDAP XLAT. Is it the one?


thanks..

--haizam
- Original Message - 
From: Kostas Kalevras [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, August 08, 2006 12:28 AM
Subject: Re: More documentation on Auth-Type





Re: More documentation on Auth-Type

2006-08-06 Thread Rohaizam Abu Bakar


I've read the docs about auth-type configuration, and agree that without 
setting auth-type and leaving FR to auto-detect it, the auth will work even up 
to EAP. But sometimes we have to specify auth-type in order to search a 
different tree in LDAP for each service. Even Autz-Type also needs to be 
specified, but some of the EAP types won't work, such as EAP-TTLS-PAP.


Normally the EAP sequence works OK, but when it gets to comparing the password, it 
fails. I've reported my problem a few times on the mailing list.


Any comments?

--haizam

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, August 04, 2006 2:47 AM
Subject: More documentation on Auth-Type





Re: More documentation on Auth-Type

2006-08-06 Thread Alan DeKok
Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
 I've read the docs about auth-type configuration, and agree that without 
 setting auth-type and leaving FR to auto-detect it, the auth will work even up 
 to EAP. But sometimes we have to specify auth-type in order to search a 
 different tree in LDAP

  ... which isn't authentication.  You just described searching an
LDAP tree for information.  That's using LDAP for what it was designed
to do best: database lookups.

  Once the information is found in LDAP, the RADIUS server can do
CHAP, MS-CHAP, etc. for authentication.  LDAP servers don't handle
those authentication protocols, so you're stuck with using LDAP for DB
lookups, and RADIUS for authentication.

 Normally the EAP sequence works OK, but when it gets to comparing the password, it 
 fails. I've reported my problem a few times on the mailing list.

  I don't recall seeing that, sorry.  What was the problem?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: More documentation on Auth-Type

2006-08-04 Thread Alan DeKok
Duane Cox [EMAIL PROTECTED] wrote:
 Alan, great job putting the new book together.

  And you haven't seen the rest of the content... As an example, I've
got 10 pages describing how dictionaries work, and how to create them.
At this rate, the book will be 400 pages long.

 I am using rlm_sql for user database lookup, and it works when the user is 
 found, but how do I define a catch all for users not
 found in the db so that the server knows to reject them...

  doc/configurable_failover

  In the authorize section, where you have the sql module listed,
change the 1-line entry of sql to:

  sql {
  notfound = reject
  }

  And you're done.

 debug output
 Server rejecting request 2 due to failure to be told how to respond.
 WARNING: You did not configure the server to accept, or reject the user.  
 Double-check Auth-Type.

  That works, too, but generates lots of warning messages.  It's
better to tell the server explicitly what to do.


  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: More documentation on Auth-Type

2006-08-04 Thread Alan DeKok
Kevin Bonner [EMAIL PROTECTED] wrote:
 Looks great!  The compatibility matrix is pretty handy as well.

  Thanks.  Little touches like that help a lot.

 One thing I didn't see mentioned on the auth type page is the
 heavily used Auth-Type := Local.  Was that consciously omitted, or
 are you still adding content to that page?

  I'm adding content... check back soon!

  But as for Auth-Type := Local, I didn't even think to address it,
because I never use it, and don't think there's any need for it.  What
kind of discussion do you think is necessary?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


More documentation on Auth-Type

2006-08-03 Thread Alan DeKok
http://deployingradius.com/documents/configuration/auth_type.html

  Many web sites contain all sorts of recommendations about Auth-Type.
This one is correct.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog