Re: More documentation on Auth-Type
Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
> modcall[authorize]: module ldap1 returns ok for request 0
> modcall: group Autz-Type returns ok for request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type LDAP

You're probably running 1.0.x, rather than 1.1.x.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: More documentation on Auth-Type
Just managed to try your 2nd suggestion, but it gives the error below in the debug logs; refer to the debug logs.

ERROR: Unknown value specified for Auth-Type. Cannot perform requested action

    modules {
        ldap ldap1 {
            basedn = ou=RADIUS..
            set_auth_type = yes
        }
        ldap ldapdialup1 {
            basedn = ou=DIALUP..
            set_auth_type = yes
        }
    }

    authorize {
        Autz-Type LDAP {
            ldap1
        }
        Autz-Type DIALUP {
            ldapdialup1
        }
    }

    authenticate {
        Auth-Type ldap1 {
            ldap1
        }
        Auth-Type ldapdialup1 {
            ldapdialup1
        }
    }

users:

    DEFAULT ldapdialup1-Ldap-Group == REAL, Autz-Type := DIALUP
    DEFAULT Autz-Type := LDAP

Debug output:

    rlm_ldap: performing user authorization for bacang
    radius_xlat: '(uid=bacang)'
    radius_xlat: 'ou=RADIUS,ou=People,.'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to :389, authentication 0
    rlm_ldap: bind as cn=Sysadmin,ou=Applications,./x to xxx:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=RADIUS,ou=People,..., with filter (uid=bacang)
    rlm_ldap: checking if remote access for bacang is allowed by attrRoaming
    rlm_ldap: Added password {CRYPT}Y3EhshegMNPxA in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP op=11
    rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 op=11
    rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP op=11
    rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User op=11
    rlm_ldap: user bacang authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap1 returns ok for request 0
    modcall: group Autz-Type returns ok for request 0
    rad_check_password: Found Auth-Type LDAP
    auth: type LDAP
    ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
    auth: Failed to validate the user.
    Login incorrect: [bacang] (from client sysadmin port 0)

- Original Message -
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, August 08, 2006 6:28 PM
Subject: Re: More documentation on Auth-Type
Re: More documentation on Auth-Type
Rohaizam Abu Bakar wrote:
> any docs to help on my problem... ? in doc/rlm_ldap, there is section about LDAP XLAT.. Is it the one ?

As far as I know, you should be able to do something like:

    modules {
        files {
            usersfile = users
        }
        files wireless_files {
            usersfile = wireless_users
        }
        files vpn_files {
            usersfile = vpn_users
        }
        ldap {
            basedn = %{reply:Tmp-String-1}
            ...
        }
    }

    authorize {
        files
        Autz-Type WIRELESS {
            wireless_files
            ldap
        }
        Autz-Type VPN {
            vpn_files
            ldap
        }
    }

users:

    DEFAULT Huntgroup-Name == whatever, Autz-Type := WIRELESS
    DEFAULT Huntgroup-Name == something, Autz-Type := VPN

users_vpn:

    DEFAULT Tmp-String-1 = ou=vpnusers,dc=mydomain,dc=org

users_wireless:

    DEFAULT Tmp-String-1 = ou=wireless,dc=anotherdomain,dc=com

You may need to add Tmp-String-1 to a local dictionary if you're running an older server, e.g. in dictionary:

    ATTRIBUTE Tmp-String-1 3000 string

Alternatively, 1.1.0 and up can do this I think?

    modules {
        ldap wireless_ldap {
            basedn = ou=wireless,dc=domain,dc=com
            set_auth_type = yes
        }
        ldap vpn_ldap {
            basedn = ou=vpn,dc=example,dc=org
            set_auth_type = yes
        }
        files {
            ...
        }
    }

    authorize {
        preprocess
        files
        Autz-Type WIRELESS {
            wireless_ldap
        }
        Autz-Type VPN {
            vpn_ldap
        }
    }

    authenticate {
        Auth-Type wireless_ldap {
            wireless_ldap
        }
        Auth-Type vpn_ldap {
            vpn_ldap
        }
    }

and in users:

    DEFAULT Huntgroup-Name == VPN, Autz-Type := VPN
    DEFAULT Huntgroup-Name == WIRELESS, Autz-Type := WIRELESS

Basically, what happens then is:

1. preprocess run
2. files run, autz-type set
3. authorize re-run, autz-type section run
4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is NOT SET, set Auth-Type to modulename - i.e. wireless_ldap or vpn_ldap
5. authenticate run, appropriate LDAP module run
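An added example, not code from the thread or from FreeRADIUS, that models the five steps above in Python and reproduces the "Unknown value specified for Auth-Type" failure from Rohaizam's debug output. It assumes (from that output and Alan's "1.0.x rather than 1.1.x" reply) that 1.0.x rlm_ldap with set_auth_type = yes sets Auth-Type := LDAP where 1.1.x sets the module instance name; every config key, function and request value in it is constructed.

```python
# Added example (not code from the thread or from FreeRADIUS): a small model
# of the authorize -> authenticate dispatch described in steps 1-5, used to
# show why "Unknown value specified for Auth-Type" appears.
# Assumption, taken from the debug output and Alan's reply: 1.0.x rlm_ldap
# with set_auth_type = yes sets Auth-Type := LDAP, while 1.1.x sets it to the
# module instance name (ldap1 / ldapdialup1). All names below are constructed.

# Constructed config mirroring the second option from the thread.
CONFIG = {
    "modules": {
        "ldap1": {"set_auth_type": True},
        "ldapdialup1": {"set_auth_type": True},
    },
    # Autz-Type sub-sections of authorize {} and the modules they call.
    "authorize": {"LDAP": ["ldap1"], "DIALUP": ["ldapdialup1"]},
    # Auth-Type sub-sections of authenticate {}.
    "authenticate": {"ldap1": ["ldap1"], "ldapdialup1": ["ldapdialup1"]},
}

# Constructed users file: (check items, Autz-Type); first matching DEFAULT wins.
USERS = [
    ({"ldapdialup1-Ldap-Group": "REAL"}, "DIALUP"),
    ({}, "LDAP"),
]


def files_module(request):
    """Step 2: the files module picks Autz-Type from the users file."""
    for check_items, autz_type in USERS:
        if all(request.get(k) == v for k, v in check_items.items()):
            return autz_type
    return None


def run_ldap_module(name, request, server_version):
    """Step 4: an ldap instance runs; with set_auth_type = yes it sets
    Auth-Type if and only if Auth-Type is not already set."""
    if CONFIG["modules"][name]["set_auth_type"] and "Auth-Type" not in request:
        request["Auth-Type"] = name if server_version >= (1, 1) else "LDAP"


def process(request, server_version=(1, 1)):
    """Run steps 2-5 for one request dict and return the outcome string."""
    autz_type = files_module(request)
    if autz_type is None:
        return "reject: no Autz-Type set"
    # Step 3: the matching Autz-Type sub-section of authorize runs.
    for module in CONFIG["authorize"].get(autz_type, []):
        run_ldap_module(module, request, server_version)
    # Step 5: authenticate looks up a sub-section named after Auth-Type;
    # a value with no matching sub-section is the error from the debug log.
    auth_type = request.get("Auth-Type")
    if auth_type not in CONFIG["authenticate"]:
        return f"ERROR: Unknown value specified for Auth-Type: {auth_type}"
    return f"authenticate via {CONFIG['authenticate'][auth_type][0]}"


if __name__ == "__main__":
    for version in ((1, 0), (1, 1)):
        print(version, process({"User-Name": "bacang"}, version))
```

The same users-file entries and request go through both versions; only the value rlm_ldap writes into Auth-Type differs, and that value must name an authenticate sub-section.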
Re: More documentation on Auth-Type
For the 2nd option.. already tried almost the same, except the auth-type name... Previously tried autz/auth type using the same name... Will try it out as suggested... thx Phil

--haizam

- Original Message -
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, August 08, 2006 6:28 PM
Subject: Re: More documentation on Auth-Type
Re: More documentation on Auth-Type
Alan,

Referring to the config below, each service has its own LDAP tree, specified under the ldap module with a different Auth-Type / Autz-Type in radiusd.conf. How can I set the users file to search the right tree? Normally I detect NAS-Identifier and NAS-Port-Type as check items. If I specify Auth-Type / Autz-Type in the users file it seems to work, but when it gets up to EAP it's not working.

i) users = DEFAULT (not to set Auth-Type, but need to direct to a certain LDAP tree)

ii) radiusd.conf ==

    ldap adsl {
        basedn=ou=ADSL, ou=People...
    }
    ldap wifi {
        basedn=ou=wifi, ou=People...
    }

Then in the authenticate and authorize sections:

    authorize {
        eap
        Autz-Type=ADSL {
            adsl
        }
        Autz-Type=WIFI {
            wifi
        }
    }

    authenticate {
        Auth-Type=ADSL {
            adsl
        }
        Auth-Type=WIFI {
            wifi
        }
        eap
    }

iii) eap.conf

    ... some config...

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, August 07, 2006 9:08 AM
Subject: Re: More documentation on Auth-Type
Re: More documentation on Auth-Type
Rohaizam Abu Bakar wrote:
> Alan,
> Referring to below config, each services having their own LDAP tree and specified under ldap module with different Auth-Type Autz-type specified in radiusd.conf. How can I set in users file to search for

Aside from setting Reject/Accept, that (use of 1 module for a given auth method) is probably the single valid use. That use would be better supported using another method than conflating module instance names with algorithm names.

> which tree? Normally i detect NAS-Identifier, NAS-Port-Type as check item. If I specify Auth-Type Autz-Type in users file, seems working but when up to EAP.. it's not working

That is probably because the EAP inner request does not have the NAS-Id and NAS-Port-Type attribute. Set copy_request_to_tunnel = yes on the EAP method(s) you're using.
Re: More documentation on Auth-Type
> Aside from setting Reject/Accept, that (use of 1 module for a given auth method) is probably the single valid use. That use would be better supported using another method than conflating module instance names with algorithm names.

I don't quite understand the above suggestion/comments..

> That is probably because the EAP inner request does not have the NAS-Id and NAS-Port-Type attribute. Set copy_request_to_tunnel = yes on the EAP method(s) you're using.

I will try that one... thanks..

--haizam
Re: More documentation on Auth-Type
Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
> Referring to below config, each services having their own LDAP tree and specified under ldap module with different Auth-Type Autz-type specified in radiusd.conf. How can I set in users file to search for which tree?

Right now, you can't. It's probably not too hard to add support in rlm_ldap for dynamic updates of the basedn. That would make life a lot easier for many people, I think.

Alan DeKok.
Re: More documentation on Auth-Type
On Mon, 7 Aug 2006, Alan DeKok wrote:
> Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
>> Referring to below config, each services having their own LDAP tree and specified under ldap module with different Auth-Type Autz-type specified in radiusd.conf. How can I set in users file to search for which tree?
>
> Right now, you can't. It's probably not too hard to add support in rlm_ldap for dynamic updates of the basedn. That would make life a lot easier for many people, I think.

basedn is already xlated..

> Alan DeKok.

--
Kostas Kalevras, Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: More documentation on Auth-Type
On Friday 04 August 2006 17:21, Alan DeKok wrote:
> Kevin Bonner [EMAIL PROTECTED] wrote:
>> One thing I didn't see mentioned on the auth type page is the heavily used Auth-Type := Local. Was that consciously omitted, or are you still adding content to that page?
>
> I'm adding content... check back soon!
>
> But as for Auth-Type := Local, I didn't even think to address it, because I never use it, and don't think there's any need for it. What kind of discussion do you think is necessary?
>
> Alan DeKok.

It's an auth method that some still have cluttering their users files. Perhaps just a small blurb stating that it was used in legacy versions of FR, but is no longer necessary. Local and System are the only 2 I can recall that I don't see on your page, but have been around for a long time.

-Kevin
Re: More documentation on Auth-Type
Any docs to help on my problem... ? In doc/rlm_ldap, there is a section about LDAP XLAT.. Is it the one ?

thanks..

--haizam

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, August 08, 2006 12:28 AM
Subject: Re: More documentation on Auth-Type
Re: More documentation on Auth-Type
I've read the docs about auth-type configuration, and agree that without setting auth-type and leaving FR to auto-detect it, the auth will work even up to EAP. But sometimes we have to specify auth-type in order to search a different tree in LDAP for each service. Even Autz-Type also needs to be specified, but some EAP won't work, such as EAP-TTLS-PAP. Normally the EAP sequence works OK, but when it gets up to comparing the password, it fails. I've reported my problem a few times on the mailing list.

Any comments?

--haizam

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, August 04, 2006 2:47 AM
Subject: More documentation on Auth-Type
Re: More documentation on Auth-Type
Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
> I've read the docs about auth-type configuration. And agree that without setting auth-type and leave FR to auto detect it, the auth will work even up to EAP. But sometimes we have to specify auth-type in order to search for different tree in LDAP

... which isn't authentication. You just described searching an LDAP tree for information. That's using LDAP for what it was designed to do best: database lookups.

Once the information is found in LDAP, the RADIUS server can do CHAP, MS-CHAP, etc. for authentication. LDAP servers don't handle those authentication protocols, so you're stuck with using LDAP for DB lookups, and RADIUS for authentication.

> normally EAP sequence works OK but when up to comparing password, it will failed. I've reported my problem a few times in mailing list.

I don't recall seeing that, sorry. What was the problem?

Alan DeKok.
Re: More documentation on Auth-Type
Duane Cox [EMAIL PROTECTED] wrote:
> Alan, great job putting the new book together.

And you haven't seen the rest of the content... As an example, I've got 10 pages describing how dictionaries work, and how to create them. At this rate, the book will be 400 pages long.

> I am using rlm_sql for user database lookup, and it works when the user is found, but how do I define a catch all for users not found in the db so that the server knows to reject them...

doc/configurable_failover

In the authorize section, where you have the sql module listed, change the 1-line entry of sql to:

    sql {
        notfound = reject
    }

And you're done.

> debug output
> Server rejecting request 2 due to failure to be told how to respond.
> WARNING: You did not configure the server to accept, or reject the user.
> Double-check Auth-Type.

That works, too, but generates lots of warning messages. It's better to tell the server explicitly what to do.

Alan DeKok.
Re: More documentation on Auth-Type
Kevin Bonner [EMAIL PROTECTED] wrote:
> Looks great! The compatibility matrix is pretty handy as well.

Thanks. Little touches like that help a lot.

> One thing I didn't see mentioned on the auth type page is the heavily used Auth-Type := Local. Was that consciously omitted, or are you still adding content to that page?

I'm adding content... check back soon!

But as for Auth-Type := Local, I didn't even think to address it, because I never use it, and don't think there's any need for it. What kind of discussion do you think is necessary?

Alan DeKok.
More documentation on Auth-Type
http://deployingradius.com/documents/configuration/auth_type.html

Many web sites contain all sorts of recommendations about Auth-Type. This one is correct.

Alan DeKok.