random questions on rlm_perl.c (was: rlm_perl and threads)

2012-11-16 Thread Edgar Fuß
Digging through the rlm_perl source, I stumbled over the following: 1. Is it on purpose that it normally checks USE_ITHREADS and only perl_xlat checks WITH_ITHREADS? 2. Is it also on purpose that radiusd::radlog is newXS'd only after perl_parse()? That hit me because as it is, you can't log

Re: random questions on rlm_perl.c

2012-11-16 Thread Edgar Fuß
EF Is it also on purpose that radiusd::radlog is newXS'd only after perl_parse()? AdK No idea. I'm not familiar with the FreeRADIUS project: Is there something like a maintainer of the rlm_perl module I could ask this question? AdK Well, patches are welcome. That would be trivial: move the

Re: rlm_perl and threads

2012-11-15 Thread Edgar Fuß
To answer my own question: In the module init code, can I tell whether I'm in the threading case or not? Yes: use Config and check $Config{useithreads}. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_perl and threads

2012-11-14 Thread Edgar Fuß
Thanks, this has been very helpful. If I read the source correctly, it works as follows: -- A global interpreter is created that runs the module initialization code. -- When a perl function is going to be called, the global interpreter is used in the non-threading case. In the threading case, if

rlm_perl and threads

2012-11-05 Thread Edgar Fuß
Sorry if this sounds like a stupid question with an obvious answer, but I could not easily find this documented. If I have an rlm_perl script, is it possible that multiple instances of it are running concurrently due to FreeRADIUS' threading?

Re: rlm_perl and threads

2012-11-05 Thread Edgar Fuß
Yes. Likely, even. Thanks. So will these then be two distinct Perl interpreters or two instances of the same Perl interpreter? From the Perl script's point of view, what will the two instances share? Can you hint me to any documentation covering this?

Private namespace for dictionary attributes (was: Passing information from authenticate to post-auth)

2011-11-27 Thread Edgar Fuß
Define your own [attributes]. That's why the dictionary files are editable. Is there a private name space for that (i.e., X-*) that is guaranteed not to conflict with future official attribute names?

Re: Private namespace for dictionary attributes

2011-11-27 Thread Edgar Fuß
raddb/dictionary I already deduced from there that I'm supposed to use attribute numbers [3000...4000[, but I'm not sure about the attribute names. The suggestion seems to be to use a name unused at the present time hoping that it will stay unused in the future. Or what am I missing?

Re: Private namespace for dictionary attributes

2011-11-27 Thread Edgar Fuß
names? Yes. computers and RADIUS care about attribute numbers more than anything else in their lives Both in rlm_perl and in unlang I'm supposed to use names, not numbers.

Passing information from authenticate to post-auth (was: Why Authorization before Authentication)

2011-11-25 Thread Edgar Fuß
I was probably too fuzzy about what I actually mean, sorry. Suppose I'm writing my own module or I'm using rlm_perl. Then, in authenticate, I gather some information. Later, in post-auth, I need this information for my authorization policy. So, as far as I can see, I'll have to put this

authorization policy based on cert issuer (was: Why Authorization before Authentication)

2011-11-25 Thread Edgar Fuß
Seems that I'm slowly getting it. To authorize subscriber you should make a decision based on both subscriber profile and authentication result. This is what post-auth section does. Put your authorization policies in this section. So do I understand this correctly: if I, for example, want to

Adding dictionary entries (was: Passing information from authenticate to post-auth)

2011-11-25 Thread Edgar Fuß
EF Am I supposed to use the Tmp-Xxx-N attributes for that? ADK Define your own. That's why the dictionary files are editable. Ah, you mean raddb/dictionary, I suppose. Thanks, I overlooked that. Just out of curiosity: What are the pre-defined Tmp-Xxx-N attributes for, then?

rlm_perl radiusd::radlog $type codes

2011-11-24 Thread Edgar Fuß
The rlm_perl Documentation (in the Wiki) lists the $type values for radiusd::radlog($type, $message) as 0 - Debug 1 - Auth 2 - Proxy 3 - Info 4 - Error while include/radiusd.h says #define L_DBG 1 #define L_AUTH

Re: Why Authorization before Authentication?

2011-11-24 Thread Edgar Fuß
- identify - authenticate - authorize Ah, thanks! I understand the process much better now, replacing the section names (authorize, authenticate, post-auth) with what you gave (identify, authenticate, authorize). Put your authorization policies in [the post-auth] section. OK, now it all

Why Authorization before Authentication?

2011-11-23 Thread Edgar Fuß
A probably simple question I could not find explained in the FAQ or the Concepts section: Given that Authentication is proving who I am and Authorization is checking what I'm allowed to do, I naively would have expected a RADIUS server to first authenticate me and then check my authorization.

Re: Why Authorization before Authentication?

2011-11-23 Thread Edgar Fuß
Thanks for the explanation. [This question] comes up from time to time So it may be nice if someone feeling comfortable enough to answer it could add an explanation to the wiki. If you're unhappy with the way the default configuration works, I'm not unhappy with it, it just sounded

Re: Why Authorization before Authentication?

2011-11-23 Thread Edgar Fuß
My recommendation to anybody who asks this question [...], is to think of authorisation being separate from generating the reply. Do I understand you correctly in that you only recommend to /think/ that way, not that it's actually /done/ that way? As I understand it, crucial parts of the reply

EAP proxy (documentation) issue

2010-11-05 Thread Edgar Fuß
While setting up proxying for EAP, I ran into the issue that only the first packet was proxied to the home server. Fortunately, I found the explanation in the list archive that the ok = return line in the eap configuration section of the default virtual server leads to the files section not

Re: proxy.conf src_ipaddr ignored

2010-11-04 Thread Edgar Fuß
I guess you (a) didn't read my message, Sorry, I did read your message. and (b) want to debug it yourself. That's sometimes the thing I end up with. Exactly. So I upgraded and things got worse (or better, if you prefer consistency). Now, it doesn't honor the src_ipaddr setting no matter if I

Re: proxy.conf src_ipaddr ignored

2010-11-04 Thread Edgar Fuß
What I could try later is using another interface's (one not having an alias) address as src_ipaddr and see if that is honoured or not. With that, I still get the Failed binding to proxy address messages.

Re: proxy.conf src_ipaddr ignored

2010-11-04 Thread Edgar Fuß
Failed binding to proxy address port 1000: Permission denied (note there are two spaces here^^ I'm unsure why ip_ntoh fails (I don't get any ip_ntoh: errors), but turning off dns_lookups shows the default IP (the one to be used without ip_srcaddr) here.

Re: proxy.conf src_ipaddr ignored

2010-11-04 Thread Edgar Fuß
Your configuration must be doing something odd. Yes. As specifying multiple identical src_ipaddr values for several home servers resulted in 2.1.7 not starting up properly, I (mis)understood the comment # The rest of the configuration items listed here are optional, # and do not have to

proxy.conf src_ipaddr ignored

2010-11-03 Thread Edgar Fuß
I've a strange problem with proxying working perfectly in debugging mode, but not in production mode. I tracked this down to the src_ipaddr setting in proxy.conf apparently being ignored depending on command-line options. Option settings that do work include: -sfxx -l stdout -sfx -l stdout

Re: proxy.conf src_ipaddr ignored

2010-11-03 Thread Edgar Fuß
Why debug a problem when you can upgrade, and have it go away? Why go into the hassle of updating if it's unlikely to go away? Why update to 2.1.10 if the problem is known to be fixed in 2.1.9, which for me it's much easier to update to. So I will have to take the hassle of updating to 2.1.10

Re: freeradius2 with EAP-TLS and LDAP authorization

2010-07-03 Thread Edgar Fuß
RV but if I wanted to extract the emailAddress or CN field from the RV X509 certificate and authorize it against my LDAP tree AdK The limitation isn't the users file. AdK It's that extracting the fields from the certificate is hard. I don't understand. rlm_eap's check_cert_cn must be able to

EAP-TLS: restricting CA certificate use to a subset of identities

2010-06-28 Thread Edgar Fuß
When using EAP-TLS, is there any sane way of restricting the use of a CA Certificate to a subset of the possible identities? I.e., is it possible to configure a single FreeRADIUS 2 server to accept users @foo.my.domain only if their Certificates are signed with CA-Cert.foo and users

Re: EAP-TLS: restricting CA certificate use to a subset of identities

2010-06-28 Thread Edgar Fuß
You can configure 2 EAP modules Ah, thanks. That looks a lot less insane than two RADIUS servers. and have requests for different domains be handled by different modules. But how do I direct certain users to an instance of the eap module? Inside the eap module, I have check_cert_cn, but I would

unlang (was: switch/case in radiusd.conf)

2008-11-21 Thread Edgar Fuß
man unlang Oh, this seems to be new in 2.x. Would be nice if this was documented somewhere on the Website. Or am I simply too stupid to find the documentation?

switch/case in radiusd.conf (was: ldap backend and Realm)

2008-11-18 Thread Edgar Fuß
switch %{Realm} { case domain1 { I'm admittedly feeling totally stupid, but is this syntax documented anywhere?

Setting VLAN based on Certificate Issuer

2008-11-17 Thread Edgar Fuß
I thought this was a FAQ but apparently it isn't. I have an 1.1.7 FreeRADIUS server up and running with EAP/TLS. Now, I would like to put clients into different VLANs based on who signed their certificate. Is there a way to set the Tunnel-Private-Group-Id attribute based on the certificate