RE: Multiple entries for a realm

2006-12-14 Thread Santiago Balaguer García
I tried both but without success. I know whether freeradius chooses one server or 
the other because for each radius server we establish a VPN, so I can see in my Cisco VPN 
concentrator which radius server my freeradius chose. For each realm entry my 
roaming partner and we bring up a VPN. 
 



 Date: Wed, 13 Dec 2006 18:01:45 +
 From: [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Multiple entries for a realm

 Hi,

  Hi people, I do roaming with other companies successfully. My roaming
  partner has two RADIUS servers, so in the proxy.conf I have two entries
  for the realm weroam/. However, only the first entry works because if I
  change the IP for an incorrect one (case of fallback), freeradius does
  not redirect to the second entry. The option ldflag is ignored.

 which ldflag option did you use? failover, roundrobin?

 alan
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

configuring groups in sql tables

2006-12-14 Thread Alexander Serkin

Sorry, maybe my question was not spelled well.
Actually I need to move multiple default entries from the users file into 
an sql table. Is it possible to create multiple DEFAULT instances in sql 
tables instead of placing them in the users file like this:


DEFAULT Huntgroup-Name == "MSK", Realm == "domain1.com", Auth-Type := Accept
        Service-Type = Outbound-User,
        Tunnel-Type = L2TP,
        Tunnel-Server-Endpoint = 1.1.1.1,
        Cisco-AVpair += "vpdn:l2tp-tunnel-password=secret1"

DEFAULT Huntgroup-Name == "MSK", Realm == "domain2.com", Auth-Type := Accept
        Service-Type = Outbound-User,
        Tunnel-Type = L2TP,
        Tunnel-Server-Endpoint = 2.2.2.2,
        Cisco-AVpair += "vpdn:l2tp-tunnel-password=secret2"

and so on ?


Alexander Serkin wrote:

Hi,
Either I'm missing something in the docs or it is impossible to do more than 
one groupcheck for the same username by sql.

I have two groups which should be authorized differently - group1:
DEFAULT Huntgroup-Name == "MSK", Realm == "domain.com", Auth-Type := Accept
        Service-Type = Outbound-User,
        Tunnel-Type = L2TP,
        Tunnel-Server-Endpoint = xxx.yyy.97.71,
        Cisco-AVpair += "vpdn:l2tp-tunnel-password=secret"

and group2:
DEFAULT Realm == "domain.com", NAS-IP-Address == xxx.yyy.117.1
        Framed-Protocol = PPP,
        Service-Type = Framed,
        Framed-IP-Netmask = 255.255.255.255,
        cisco-avpair = "lcp:interface-config=peer default ip address pool VRFNAM\nppp ipcp dns aaa.bbb.1.253 aaa.bbb.1.253\nppp ipcp wins aaa.bbb.1.253\n"

What I can do:
insert into RADGROUPCHECK values('','group2','Realm','==','domain.com');
insert into RADGROUPCHECK values('','group2','NAS-IP-Address','==','xxx.yyy.117.1');
insert into RADGROUPREPLY values('','group2','Framed-Protocol','=','PPP');
insert into RADGROUPREPLY values('','group2','Service-Type','=','Framed');
insert into RADGROUPREPLY values('','group2','Framed-IP-Netmask','=','255.255.255.255');
insert into RADGROUPREPLY values('','group2','cisco-avpair','=','lcp:interface-config=peer default ip address pool group1\nppp ipcp dns aaa.bbb.1.253 aaa.bbb.1.253\nppp ipcp wins aaa.bbb.1.253\n');

and

insert into USERGROUP values('','[EMAIL PROTECTED]','','group2','5');

Then I can remove the group2 description from the users file and it works.
But when I do the same with group1, both groups 1 and 2 stop working.
The difference is that both radgroupcheck and radgroupreply sql queries 
now return two attribute sets, for groups 1 and 2 simultaneously.
I thought that radiusd should follow the check items and select the proper 
group according to the attributes present in the request, but the sqlauth module 
returns notfound. So the users file and sql tables are not processed in 
the same manner. What am I missing?





--
Sincerely Yours,
Alexander Serkin,
Moscow Cellular Communications,
ph. +7(495)7952089
fa. +7(495)7952084
skype: aserkin
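The selection the poster expects from the users file, as an added example that is not part of the post or of FreeRADIUS itself: a small Python model of how rlm_files walks entries, comparing the `==` check items of each DEFAULT entry against the request and returning the reply items of the first entry that matches (it continues only if that entry sets Fall-Through). The two entries are a constructed copy of the ones above. Huntgroup-Name is treated here as a plain request attribute; in the server it is a compare function that rlm_preprocess resolves against the huntgroups file.

```python
import re

# Constructed copy of the poster's two DEFAULT entries in users-file syntax
# (indented reply items, values quoted where they contain punctuation).
USERS_FILE = '''
DEFAULT Huntgroup-Name == "MSK", Realm == "domain1.com", Auth-Type := Accept
    Service-Type = Outbound-User,
    Tunnel-Type = L2TP,
    Tunnel-Server-Endpoint = 1.1.1.1,
    Cisco-AVpair += "vpdn:l2tp-tunnel-password=secret1"

DEFAULT Huntgroup-Name == "MSK", Realm == "domain2.com", Auth-Type := Accept
    Service-Type = Outbound-User,
    Tunnel-Type = L2TP,
    Tunnel-Server-Endpoint = 2.2.2.2,
    Cisco-AVpair += "vpdn:l2tp-tunnel-password=secret2"
'''

# attribute, operator, value (quoted string or bare word)
ITEM = re.compile(r'([A-Za-z0-9-]+)\s*(:=|\+=|==|!=|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text):
    return [(m.group(1), m.group(2), m.group(3).strip('"')) for m in ITEM.finditer(text)]


def parse_users(text):
    """An entry starts in column 0 with its name and check items; the
    indented lines that follow carry its reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            name, _, checks = raw.strip().partition(" ")
            entries.append({"name": name, "check": parse_items(checks), "reply": []})
        else:
            entries[-1]["reply"].extend(parse_items(raw))
    return entries


def entry_matches(entry, request):
    """DEFAULT matches any user; every '==' check item must equal the request
    attribute. ':=' check items set control items and are not compared."""
    if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
        return False
    for attr, op, value in entry["check"]:
        if op == "==" and request.get(attr) != value:
            return False
        if op not in ("==", ":="):
            raise ValueError("check operator %s not modelled here" % op)
    return True


def add_reply(reply, attr, op, value):
    """Reply operators: '=' adds only if absent, ':=' replaces, '+=' always adds."""
    present = any(a == attr for a, _ in reply)
    if op == "=" and present:
        return
    if op == ":=":
        reply[:] = [(a, v) for a, v in reply if a != attr]
    reply.append((attr, value))


def authorize(entries, request):
    """First matching entry wins unless it carries Fall-Through = Yes."""
    control, reply = {}, []
    for entry in entries:
        if not entry_matches(entry, request):
            continue
        for attr, op, value in entry["check"]:
            if op == ":=":
                control[attr] = value
        fall_through = False
        for attr, op, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                add_reply(reply, attr, op, value)
        if not fall_through:
            break
    return control, reply


ENTRIES = parse_users(USERS_FILE)


def tunnel_endpoint_for(realm, huntgroup="MSK"):
    """(Auth-Type control item, Tunnel-Server-Endpoint) chosen for a request."""
    request = {"User-Name": "bob", "Huntgroup-Name": huntgroup, "Realm": realm}
    control, reply = authorize(ENTRIES, request)
    return control.get("Auth-Type"), dict(reply).get("Tunnel-Server-Endpoint")


if __name__ == "__main__":
    for realm in ("domain1.com", "domain2.com", "domain3.com"):
        print(realm, tunnel_endpoint_for(realm))
```

Run stand-alone it prints the endpoint picked for each realm; domain3.com matches neither entry and gets nothing, which is the same "notfound" outcome the poster sees when no check items match.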


Re: configuring groups in sql tables

2006-12-14 Thread Michael Schwartzkopff
On Thursday, 14 December 2006 at 09:39, Alexander Serkin wrote:
 Sorry, may be my question was not spelled well.
 Actually i need to move multiple default entries from users file into
 sql table. Is it possible to create multiple DEFAULT instances in sql
 tables istead of placing them in users file like this:

Perhaps you would like to use the SQL-Group test like

TestNAS1    NAS-IP-Address == xxx.xxx.xxx.xxx
            SQL-Group == dialup,
            SQL-Group == adsl

in the proxy config.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: configuring groups in sql tables

2006-12-14 Thread Alexander Serkin

Michael Schwartzkopff wrote:


Perhaps you would like to use the SQL-Group test like

TestNAS1    NAS-IP-Address == xxx.xxx.xxx.xxx
            SQL-Group == dialup,
            SQL-Group == adsl

in the proxy config.



Sorry, Michael.
I did not understand this quite well. My multiple DEFAULT entries do not 
depend on the NAS. They are mostly defined by Realm: for every specific 
realm we should accept the request and give different tunnel attributes.
So do we need to determine the group by Realm & Huntgroup-Name and insert 
the reply attributes into radgroupreply?

That does not fit in my mind, sorry. I need an example :-)


--
als


Re: help

2006-12-14 Thread A . L . M . Buxey
Hi,

 I have experienced the following issues after following your instructions
 on your webpage:
  
 1.)   [EMAIL PROTECTED] ~]# net join -U Administrator
   Administrator's password:
   [2006/12/12 12:39:38, 0] utils/net_ads.c:ads_startup(186)
ads_connect: Invalid credentials
   Joined domain MBUS.

umm, you're using active directory etc, yes? so why did you not put
the 'ads' directive on the net join command? 

which version of samba are you using? you should be on 3.0.23 
for successful user and machine ntlm_auth action.

 3.)   Kerberos server has been installed but I could not start it.

you don't need a kerberos server on the non-AD box - just a workstation/client
will do.  if all you are doing is kerberos username/password checks
then you only need to enable krb5 in freeradius. if you are using
ntlm_auth (eg PEAP) then you need samba but not kerberos

alan


Re: configuring groups in sql tables

2006-12-14 Thread Michael Schwartzkopff
On Thursday, 14 December 2006 at 10:23, Alexander Serkin wrote:
 Michael Schwartzkopff wrote:
  Perhaps you would like to use the SQL-Group test like
 
  TestNAS1    NAS-IP-Address == xxx.xxx.xxx.xxx
              SQL-Group == dialup,
              SQL-Group == adsl
 
  in the proxy config.

 Sorry, Michael.
 I did not understand this quite well. My multiple DEFAULT entries do not
 depend on the NAS. They are mostly defined by Realm: for every specific
 realm we should accept the request and give different tunnel attributes.
 So do we need to determine the group by Realm & Huntgroup-Name and insert
 the reply attributes into radgroupreply?
 That does not fit in my mind, sorry. I need an example :-)

No. But you could try to use the SQL-Group Attribute in the check item.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



meetinghouse supplicant

2006-12-14 Thread Mariano Morano
 
Hi all, we have a customer who wants to use the Meetinghouse supplicant
(now Cisco) integrated with the Novell client.
 
The customer wants to use 802.1x (EAP-TLS / EAP-TTLS) authentication
based on username and password stored in eDirectory. He also wants to
use Freeradius.
 
 
So we want to know:
 
1) Is it possible? That is, can we use freeradius and eDir as the
back-end?
 
2) Has someone experience in any deployment like this? Any comment or
advice?
 
Thanks in advance

Re: meetinghouse supplicant

2006-12-14 Thread Michael Schwartzkopff
On Thursday, 14 December 2006 at 11:58, Mariano Morano wrote:
 Hi all, we have a customer who wants to use the Meetinghouse supplicant
 (now Cisco) integrated with the Novell client.

 The customer wants to use 802.1x (EAP-TLS / EAP-TTLS) authentication
 based on username and password stored in eDirectory. He also wants to
 use Freeradius.


 So we want to know:

 1) Is it possible? That is, can we use freeradius and eDir as the
 back-end?

 2) Has someone experience in any deployment like this? Any comment or
 advice?

 Thanks in advance

Hi,

should be possible.

1) Does the eDir installation provide a RADIUS protocol stack? If yes, just 
configure FR to proxy to it.

2) If not: configure FR to ask eDir via LDAP. OpenLDAP is easy and there are 
lots of examples on the net. You should be able to transfer it to eDir.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Chap authentication

2006-12-14 Thread fjlagos

Hello:

How can I set up a basic CHAP authentication? What parameters and files must I 
set?


Can you send me an example?

Regards and thanks

Francisco



Re: Chap authentication

2006-12-14 Thread Kevin Bonner
On Thursday 14 December 2006 07:12, [EMAIL PROTECTED] wrote:
 How can I set up a basic CHAP authentication? What parameters and files must I
 set?

The default freeradius config supports CHAP, so all you need to supply is a 
password for the user.  According to [1], CHAP requires the cleartext 
password.

 Can you send me an example?

A users file example with the default freeradius 1.1.3 config would be:

  userX  User-Password := secretpass

To test CHAP auth, run the following.

  ( echo 'User-Name = userX'; echo 'CHAP-Password = secretpass' ) | radclient your.radius.server:1812 auth your_secret

Kevin Bonner

[1] http://deployingradius.com/documents/protocols/compatibility.html


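What the radclient test above actually sends, and why the server needs the cleartext password, as an added example in Python (not code from the post, from radclient or from FreeRADIUS): the NAS side builds the CHAP-Password attribute per RFC 1994 and RFC 2865 section 5.3, and the server side recomputes the same MD5 from the password it has stored. Identifier and challenge values are generated here and are not taken from the post.

```python
import hashlib
import hmac
import os


def chap_response(ident, password, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attribute(ident, password, challenge):
    """Value of the RADIUS CHAP-Password attribute (RFC 2865 section 5.3):
    one octet CHAP Ident followed by the 16-octet response. This is what
    radclient derives from the cleartext 'CHAP-Password = secretpass' it is fed."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def nas_request(password, ident=None, challenge=None):
    """The CHAP part of an Access-Request as a NAS would build it. A challenge
    that is not 16 octets must travel in CHAP-Challenge; a 16-octet one may
    instead be placed in the Request Authenticator. Constructed example values."""
    ident = os.urandom(1)[0] if ident is None else ident
    challenge = os.urandom(16) if challenge is None else challenge
    return {
        "CHAP-Password": chap_password_attribute(ident, password, challenge),
        "CHAP-Challenge": challenge,
    }


def verify_chap(stored_cleartext, request):
    """Server side. The MD5 can only be recomputed from the cleartext password,
    so a crypt() or NT-hash password store cannot authenticate CHAP at all."""
    attr = request.get("CHAP-Password", b"")
    if len(attr) != 17:
        return False
    ident, response = attr[0], attr[1:]
    expected = chap_response(ident, stored_cleartext, request["CHAP-Challenge"])
    # constant-time compare, as for any authenticator check
    return hmac.compare_digest(expected, response)


def demo():
    """(result for the right password, result for a wrong one)."""
    good = nas_request(b"secretpass")
    wrong = nas_request(b"wrongpass")
    return verify_chap(b"secretpass", good), verify_chap(b"secretpass", wrong)


if __name__ == "__main__":
    print(demo())
```

Because the secret never crosses the wire, CHAP only protects against a passive listener; it does nothing about an attacker who controls the NAS or can read the password store, which must hold cleartext.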

Re: Session section misconfiguration?

2006-12-14 Thread Alan DeKok
Francesco Cristofori wrote:
 I'm trying to understand a freeradius 1.0.0 + mysql 3.23.45 installation 
 (solaris8) someone else made some years ago: in radiusd.conf i have this 
 section:

  You should probably upgrade to 1.1.3.

 session {
 radutmp
 sql
 }
 
 I believe it's not a wise choice to make double session accounting, so I was 
 thinking to remove the radutmp statement. Is it a good idea? What happens if 
 I leave everything untouched (no radutmp statement removal)?

  If you're not using it, sure.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: meetinghouse supplicant

2006-12-14 Thread Alan DeKok
Mariano Morano wrote:

 The customer want to use 802.1x (EAP-TLS / EAP-TTLS) authentication
 based on username and password stored in eDirectory. Also he wants to
 use Freeradius.

  EAP-TTLS, with PAP in the SSL tunnel will work.

 1) is it possible ? it means ...can we use freeradius and eDir as back-end.?
  
 2) Has someone experience in any deployment like this ? any comment or
 advice ?

  Configure it, it will work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Chap authentication

2006-12-14 Thread romero.cl
Hi.

You can try my how-to on EAP/PEAP + MSCHAPv2 (in Spanish).

If you only want CHAP, the config is similar (simpler).

Take a look and post here any questions.

Daniel Romero P.
Santiago, Chile.




Re: Proxy-State problem

2006-12-14 Thread Alan DeKok
Cory Robson wrote:

 Authentication packets are received and the radius daemon passes an auth
 ok but doesn’t return the proxy-state packet correctly, as a result the
 user is not authorized. All that is passed seems to be a hex dump and
 not the same as what is received.

  Let me guess: you ran the server in debugging mode, and saw it output
the Proxy-State value as a hex string.

  Do not mistake the on-screen *printed* form of the packet with what
gets sent over the network.  The network packet doesn't contain the text
Proxy-State either.

 I obviously must have missed something in the config files so I’m hoping
 someone here might be able to point me in the right direction.

  Since you didn't post any debugging output, it's almost impossible to
help you.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


R: Session section misconfiguration?

2006-12-14 Thread Francesco Cristofori
Alan,
thanks for quick answering.

   You should probably upgrade to 1.1.3.
It's the next thing in the todo list, after I have understood configuration. :-)

Are there any particular caveats on upgrading or best practices I should know?


   If you're not using it, sure.

Hmmm... I need to make a little investigation on this, but I think the only 
thing we use is Dialup Admin interface, and it should use sql session 
accounting, isn't it?


   Alan DeKok.

Thanks again,
Francesco Cristofori.



Accounting data not being properly written to mySQL database.

2006-12-14 Thread Dave Martin

GentlePersons,

I'm in the process of converting from flat file to mySQL database for 
our RADIUS accounting.  I've modified the accounting_start_query 
entry in sql.conf to:


accounting_start_query = "INSERT into ${acct_table1} \
        SET \
        AcctSessionId  = '%{Acct-Session-id}', \
        AcctUniqueId   = '%{Acct-Unique-Session-Id}', \
        UserName   = '%{SQL-User-Name}', \
        Realm  = '%{Realm}', \
        NASIdentifier  = '%{NAS-Identifier}', \
        NASPortId  = '%{NAS-Port}', \
        NASPortType= '%{NAS-Port-Type}', \
        AcctStartTime  = '%S', \
        AcctStopTime   = '0', \
        AcctSessionTime= '0', \
        AcctAuthentic  = '%{Acct-Authentic}', \
        ConnectInfo_start  = '%{Connect-Info}', \
        ConnectInfo_stop   = '0', \
        AcctInputOctets= '0', \
        AcctOutputOctets   = '0', \
        CalledStationId= '%{Called-Station-Id}', \
        CallingStationId   = '%{Calling-Station-Id}', \
        AcctTerminateCause = '', \
        ServiceType= '%{Service-Type}', \
        FramedProtocol = '%{Framed-Protocol}', \
        FramedIPAddress= '%{Framed-IP-Address}', \
        AcctStartDelay = '%{Acct-Delay-Time}', \
        AcctStopDelay  = '0', \
        XAscendDataRate= '%{X-Ascend-Data-Rate}', \
        XAscendDisconnectCause = '%{X-Ascend-Disconnect-Cause}', \
        XAscendModemPortNo = '%{X-Ascend-Modem-Port-No}', \
        XAscendModemShelfNo= '%{X-Ascend-Modem-Shelf-No}', \
        XAscendModemSlotNo = '%{X-Ascend-Modem-Slot-No}', \
        XAscendXmitRate= '%{X-Ascend-Xmit-Rate}'"

I'm seeing all the fields written to the database as expected, but 
several of them (all the 'XAscend' parameters) are being written to 
the database as '0'.  I still have flat file logging enabled and the 
values are being written properly there in the Start records. e.g.:


Wed Dec 13 06:47:37 2006
Event-Timestamp = Dec 13 2006 06:47:25 PST
*User-Name = ***
*NAS-IP-Address = 1.2.3.4
*NAS-Identifier = nasid
Ascend-Owner-IP-Addr = 0.0.0.0
NAS-Port = 101072015
Ascend-NAS-Port-Format = 5
NAS-Port-Type = Async
Service-Type = Framed-User
Acct-Status-Type = Start
Acct-Delay-Time = 0
Acct-Session-Id = 521456215
Acct-Authentic = RADIUS
Ascend-Auth-Delay = 240
X-Ascend-Data-Rate = 24000
X-Ascend-Xmit-Rate = 49333
X-Ascend-Modem-PortNo = 192
X-Ascend-Modem-SlotNo = 34
X-Ascend-Modem-ShelfNo = 1
*Calling-Station-Id = 1234567890
Ascend-Calling-Id-Type-Of-Num = National-Number
Ascend-Calling-Id-Number-Plan = ISDN-Telephony
Ascend-Calling-Id-Presentatn = Allowed
Ascend-Calling-Id-Screening = Network-Provided
*Called-Station-Id = 1234567890
X-Ascend-Data-Svc = 0
Framed-Protocol = PPP
*Framed-IP-Address = 1.2.3.4
*Client-IP-Address = 1.2.3.4
Acct-Unique-Session-Id = 90bb5c1dcbf6939d
*Stripped-User-Name = user
Realm = NULL
Timestamp = 1166021257

(fields beginning with '*' have been sanitized).

Any ideas?  Thanks!

Dave Martin
--

Dave Martin Netcetera, Inc.[EMAIL PROTECTED]

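A check worth running on the post above, added here as an example and not the poster's own code: pull every %{Attribute} reference the query expands and compare it with the attribute names present in the Start record. The query and record below are abridged copies of the ones in the post; the set of internal xlat names is an assumption. Names are compared case-insensitively, as FreeRADIUS resolves attribute names against its dictionary. On the record as shown, the modem attributes are logged as X-Ascend-Modem-PortNo/SlotNo/ShelfNo while the query expands X-Ascend-Modem-Port-No/Shelf-No/Slot-No; which spelling the server knows depends on the dictionary files actually loaded. Connect-Info and X-Ascend-Disconnect-Cause are absent, as is normal for a Start record.

```python
import re

# Constructed, abridged copy of the Start record from the post (the leading
# '*' is the poster's sanitising mark, not part of the attribute name).
DETAIL_RECORD = """
Event-Timestamp = Dec 13 2006 06:47:25 PST
*User-Name = ***
*NAS-IP-Address = 1.2.3.4
*NAS-Identifier = nasid
NAS-Port = 101072015
NAS-Port-Type = Async
Service-Type = Framed-User
Acct-Status-Type = Start
Acct-Delay-Time = 0
Acct-Session-Id = 521456215
Acct-Authentic = RADIUS
X-Ascend-Data-Rate = 24000
X-Ascend-Xmit-Rate = 49333
X-Ascend-Modem-PortNo = 192
X-Ascend-Modem-SlotNo = 34
X-Ascend-Modem-ShelfNo = 1
*Calling-Station-Id = 1234567890
*Called-Station-Id = 1234567890
Framed-Protocol = PPP
*Framed-IP-Address = 1.2.3.4
Acct-Unique-Session-Id = 90bb5c1dcbf6939d
Realm = NULL
"""

# Abridged copy of the poster's accounting_start_query (constant columns dropped).
QUERY = (
    "INSERT into radacct SET AcctSessionId='%{Acct-Session-id}', "
    "AcctUniqueId='%{Acct-Unique-Session-Id}', UserName='%{SQL-User-Name}', "
    "Realm='%{Realm}', NASIdentifier='%{NAS-Identifier}', NASPortId='%{NAS-Port}', "
    "NASPortType='%{NAS-Port-Type}', AcctStartTime='%S', AcctAuthentic='%{Acct-Authentic}', "
    "ConnectInfo_start='%{Connect-Info}', CalledStationId='%{Called-Station-Id}', "
    "CallingStationId='%{Calling-Station-Id}', ServiceType='%{Service-Type}', "
    "FramedProtocol='%{Framed-Protocol}', FramedIPAddress='%{Framed-IP-Address}', "
    "AcctStartDelay='%{Acct-Delay-Time}', XAscendDataRate='%{X-Ascend-Data-Rate}', "
    "XAscendDisconnectCause='%{X-Ascend-Disconnect-Cause}', "
    "XAscendModemPortNo='%{X-Ascend-Modem-Port-No}', "
    "XAscendModemShelfNo='%{X-Ascend-Modem-Shelf-No}', "
    "XAscendModemSlotNo='%{X-Ascend-Modem-Slot-No}', "
    "XAscendXmitRate='%{X-Ascend-Xmit-Rate}'"
)

# %{Attribute-Name} expansions; '%S' and similar single-letter xlats are not attributes
XLAT_REF = re.compile(r"%\{([A-Za-z0-9-]+)\}")

# Assumption: names expanded by the sql module itself rather than read from
# the request, so they never appear in a detail record.
INTERNAL_XLATS = {"sql-user-name"}


def parse_detail_record(text):
    """Detail-file record -> {lower-cased attribute name: value}."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.strip().lstrip("*").partition(" = ")
        if sep:
            attrs[name.lower()] = value
    return attrs


def referenced_attributes(query):
    """Attribute names the query expands, in order of appearance."""
    return [m.group(1) for m in XLAT_REF.finditer(query)]


def unresolved_references(query, record_text):
    """Names the query expands that the record does not carry (sorted)."""
    present = parse_detail_record(record_text)
    return sorted({ref for ref in referenced_attributes(query)
                   if ref.lower() not in present and ref.lower() not in INTERNAL_XLATS})


if __name__ == "__main__":
    for name in unresolved_references(QUERY, DETAIL_RECORD):
        print("not in record:", name)
```

Run against a real detail file, feed one record at a time; a name that is never in any record of the right Acct-Status-Type is either spelled differently from what the NAS sends or missing from the dictionary, and either way the column will never get a value from that expansion.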


Re: R: Session section misconfiguration?

2006-12-14 Thread Alan DeKok
Francesco Cristofori wrote:

 Are there any particular caveats on upgrading or best practices I should know?

  Install the new version in a different directory
(/opt/freeradius-1.1.3), but it won't over-write your existing config.

 Hmmm... I need to make a little investigation on this, but I think the only 
 thing we use is Dialup Admin interface, and it should use sql session 
 accounting, isn't it?

  If you're not using Simultaneous-Use, the whole session tracking
section can be empty.  Otherwise, have you looked at the radutmp file?
If not, delete all references to it.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


FREERADIUS USING IP POOLS

2006-12-14 Thread Tomas Eduardo Lotina Ramos
How can I use IP pools with FreeRADIUS? My NAS is a Cisco Linksys WRT54G. I'm
now working with freeradius 1.1.3 and mysql 5.02 in Ubuntu Dapper and it is
working fine. I have my users stored in the radcheck table, but I want to
divide the users into two groups and assign a different range of IP pools to
each group of users dynamically, so I want to know how I can create two
ippools and assign these IPs dynamically to the users of the radcheck table
depending on whether they belong to group A or group B. Help please!
Thanks in advance!!!
EDUARDO

Re: FREERADIUS USING IP POOLS

2006-12-14 Thread Jan Mulders

Read the documentation in radiusd.conf, and experimental.conf. It's all
there.

You need two rlm_ippool modules instantiated, and placed in the postauth and
accounting sections of the config file. You also need to add Pool-Name :=
pool1name in radgroupcheck under the name of group 1, and the same again for
pool 2/group 2.

Post what you come up with if you need further help - this configuration is
in the documentation.

Jan


Re: FREERADIUS USING IP POOLS

2006-12-14 Thread Alan DeKok
Tomas Eduardo Lotina Ramos wrote:
 
 HOW CAN I USE IP POOLS WITH FREERADIUS, MY NAS is a cisco Linksys WRT54G

  Which is doing wireless, right?

  You will need a DHCP server to assign IP addresses.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog