RE: Fw: authorize and authenticate methods in a custom module

2006-01-05 Thread Susana Macias
Thanks a lot Alan, I would like to explain what I am trying to develop. If someone has any advice, please tell me. This is my scenario:

Until now, we have a RADIUS server (RADIUS PSI) which only receives Access-Request packets. Also we have a CGI application located at the URL http://X.Y.Z.W:8080/nucleo

This application receives a set of parameters as a URL-encoded string (all characters that are not a-z, A-Z or 0-9 are converted to their "URL escaped" version) with this form:

Attribute1=Value1Attribute2=Value2...

(where Attribute1, Attribute2... and Value1, Value2... are the different Attribute/Value pairs obtained from the Access-Request packet)

The CGI application consults a remote database (and normally authenticates the user using the telephone number; although there are other variants). According to the response obtained from the remote resource, the RADIUS server adds different Attribute/Value pairs to the reply list, and always replies with an Access-Accept packet (whether or not the CGI application authenticates the user successfully).

Now, we want to change to a FreeRadius server. I only want to call the remote resource (using the libcurl library) passing it the appropriate parameters and collect the information returned by it in order to create the reply list. As the CGI application performs the authorize and authenticate activities, I am a little embarrassed to say that I am not sure which function I should implement (authorize or authenticate).

Thank you very much in advance
Best wishes,
Susana

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Tuesday, January 03, 2006 4:31 PM
Subject: Re: authorize and authenticate methods in a custom module

Susana Macias <[EMAIL PROTECTED]> wrote:
 I have started working with the RADIUS protocol (and with FreeRadius in particular) three weeks ago. Congratulations for the product, it is really powerful!

Thanks.

 But, when are the authorize() and authenticate() methods called?

When a packet comes in. See doc/aaa.txt

 Is it necessary to include in the radiusd.conf the name of the instance (of the new module created) in the authorize section in order to call its authorize() method?

Yes.

Alan DeKok.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

authorization depending on authentication (ldap)

2006-01-05 Thread tschaos
Hi guys,

First, sorry for my bad English, I am from Austria ;-)

I am running freeradius-1.0.2-5.5

I have a big problem here and can't solve it alone:

there are 3 ldap instances:
ldap1,ldap2,ldap3.

and authenticate them all one after another in the authentication section like
this:

authenticate {
ldap1
ldap2
ldap3
}

same in authorize-section:

authorize {
ldap1
ldap2
ldap3
}

Now my problem is that if the user x is authenticated at ldap2, for instance,
the authorization fails because the user isn't found at ldap1 (freeradius
doesn't seem to try authorizing on ldap2 or ldap3)

What I need would be a solution for how to realize the following needs:

if authentication runs over ldap1 authorize on ldap1
if authentication runs over ldap1 authorize on ldap2
if authentication runs over ldap1 authorize on ldap3

How can I do that?

Hope you guys can help me, I have been searching for a solution for 3 days now and
I haven't got any idea how to solve that :-(

Thanks and greetings from snowy Austria!



At which point does the FR server send the Access-Accept or Access-Reject packet?

2006-01-05 Thread Marta Lajas
Hi all,

I have a doubt about when the FreeRadius server decides to send an Access-Accept or an Access-Reject packet.

When the authenticate module returns with a RLM_MODULE_REJECT, does the FR server send an Access-Reject packet? Or does it occur later?

When the authenticate module returns with a RLM_MODULE_OK, does the FR server send the Access-Accept packet? Or does it occur later?

Thanks in advance,
Marta

Installation problem Radiusd does not exist

2006-01-05 Thread Nicola Iotti
I'm installing freeradius 1.0.5 on a Debian Linux system.
I've downloaded the tarball and extracted it with
#tar zxvf freeradius-1.0.5.tar.gz
I did:

./configure
make
make install

But the installation stops with the following message:

install: radiusd does not exist
make[4]: ***[install] Error 2

Does anyone know what happened?

Ing. Nicola Iotti
Network Manager
mailto:[EMAIL PROTECTED]
Guglielmo S.r.l.
Registered office: Via Martiri di Minozzo, 12
Operating office: Via Sante Vincenzi, 2/D
42100 Reggio Emilia ITALIA
Tel.: +39-0522 - 40 63 67
Fax: +39-0522 - 54 08 16
Cell: +39-320 61 90 072
internet website: http://www.guglielmo.biz
mailto:[EMAIL PROTECTED]

Re: authorization depending on authentication (ldap)

2006-01-05 Thread Bjørn Mork
[EMAIL PROTECTED] writes:

 i am running freeradius-1.0.2-5.5

 there are 3 ldap instances:
 ldap1,ldap2,ldap3.

 and authenticate them all after another in the authentication section like
 this:

 authenticate {
 ldap1
 ldap2
 ldap3
 }

 same in authorize-section:

 authorize {
 ldap1
 ldap2
 ldap3
 }

 now my problem is, that if the user x is authenticated at ldap2 for instance
 the authorization fails cause the user isnt found at ldap1 (freeradius
 doesnt seem to try authorizing on ldap2 or ldap3)

 what i need would be a solution how to realize the following needs:

 if authentication runs over ldap1 authorize on ldap1
 if authentication runs over ldap1 authorize on ldap2
 if authentication runs over ldap1 authorize on ldap3

 how can i do that?

I assume you meant 

 if authentication runs over ldap1 authorize on ldap1
 if authentication runs over ldap2 authorize on ldap2
 if authentication runs over ldap3 authorize on ldap3


The authenticate processing should set Auth-Type to a unique value
for each instance.  If you're using the default schema, then you can
do that by adding a radiusAuthType ldap attribute to each user.  Or
maybe better:  Use a default profile to set the appropriate
radiusAuthType for each ldap instance.

E.g. add something like this to the directories:

ldap1:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP1

ldap2:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP2

ldap3:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP3

And then in radiusd.conf:

modules {
..
ldap ldap1 {
..
default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
..
}
ldap ldap2 {
..
default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
..
}
ldap ldap3 {
..
default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
..
}
}
..
authorize {
  Auth-Type LDAP1 {
 ldap1
  }
  Auth-Type LDAP2 {
 ldap2
  }
  Auth-Type LDAP3 {
 ldap3
  }
}




Note: This would be a lot easier with freeradius-1.1, where I believe
something like this would have been sufficient since rlm_ldap now sets
Auth-Type to the instance name by default:

authorize {
  Auth-Type ldap1 {
 ldap1
  }
  Auth-Type ldap2 {
 ldap2
  }
  Auth-Type ldap3 {
 ldap3
  }
}



Bjørn



Re: authorization depending on authentication (ldap)

2006-01-05 Thread Bjørn Mork
Bjørn Mork [EMAIL PROTECTED] writes:

 authorize {
   Auth-Type LDAP1 {
  ldap1
   }
   Auth-Type LDAP2 {
  ldap2
   }
   Auth-Type LDAP3 {
  ldap3
   }
 }




 Note: This would be a lot easier with freeradius-1.1, where I believe
 something like this would have been sufficient since rlm_ldap now sets
 Auth-Type to the instance name by default:

 authorize {
   Auth-Type ldap1 {
  ldap1
   }
   Auth-Type ldap2 {
  ldap2
   }
   Auth-Type ldap3 {
  ldap3
   }
 }


Ooops, sorry.  This should of course go into the authenticate
section, *not* the authorize section.


Bjørn



Re: Installation problem Radiusd does not exist

2006-01-05 Thread Joseba Beltrán
Hi Nicola,

  Try compiling the Debian stuff by executing
dpkg-buildpackage from the freeradius source dir. That will do the trick!

You'll get debian packages ready to install (they will be placed outside
the source dir. For example: src dir /home/nicola/freeradius-XX.YY 
debian packages in /home/nicola)

Hope it helps!

 I'm installing freeradius 1.0.5 on a Debian Linux system
 I've downloaded tarball, extracted it with 

#tar zxvf freeradius-1.0.5.tar.gz

 I did :
  
  ./configure
 make
 make install
  
 But installation stops with following message:
  
 install: radiusd does not exist
 make[4]: ***[install] Error 2
  
 Does anyone know what happened ??
  
 Ing. Nicola Iotti
 Network Manager
 _mailto: [EMAIL PROTECTED]

 Guglielmo S.r.l.
 Sede legale: Via Martiri di Minozzo, 12
 Sede operativa: Via Sante Vincenzi , 2 / D
 42100 Reggio Emilia
 ITALIA
 Tel.: +39-0522 - 40 63 67
 Fax: +39-0522 - 54 08 16
 Cell: +39-320 61 90 072
 internet website: http://www.guglielmo.biz
 mailto:[EMAIL PROTECTED]




Re: At which point does the FR server send the Access-Accept or Access-Reject packet?

2006-01-05 Thread Bjørn Mork
Marta Lajas [EMAIL PROTECTED] writes:

   I have a doubt about when FreeRadius server decides to send an
   Access-Accept or an Access-Reject packet.

   When the authenticate module returns with a RLM_MODULE_REJECT,
   does the FR server send an Access-Reject packet? or does it occur
   later?

   When the authenticate module returns with a RLM_MODULE_OK, does
   the FR server send the Access-Accept packet? or does it occur
   later?

You can find the answers in src/main/modcall.c.  The default
authenticate actions are: 

{
MOD_ACTION_RETURN,  /* reject   */
1,  /* fail */
MOD_ACTION_RETURN,  /* ok   */
MOD_ACTION_RETURN,  /* handled  */
1,  /* invalid  */
MOD_ACTION_RETURN,  /* userlock */
MOD_ACTION_RETURN,  /* notfound */
1,  /* noop */
1   /* updated  */
},


Which means that both RLM_MODULE_REJECT and RLM_MODULE_OK will cause
an immediate return action without calling any further modules in the
authenticate section.

Note that these actions may be modified by redundant or append
module grouping, or even configured on code by code basis.  See
doc/configurable_failover

The modules in postauth will of course still be called before sending
Access-Reject or Access-Accept.


Bjørn

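The default-action table quoted above, driven by a small simulator, as an added example in Python (this is not FreeRADIUS code and not the poster's). The table is the authenticate default from the reply; the walk rule (a numeric action is a priority that replaces the remembered result when it is at least as high as the priority remembered so far), the starting result "reject", and the Auth-Type dispatch helper are this example's reading of modcall.c and are labelled as assumptions. Module names and the codes they return are constructed.

```python
"""Walk a FreeRADIUS 1.x-style module section with the default action table.

Added example, not FreeRADIUS code.  AUTHENTICATE_ACTIONS is the default
'authenticate' table quoted from src/main/modcall.c in the reply above.
The walk rule, the starting result "reject" and the Auth-Type dispatch
model are this example's assumptions about modcall.c.  Module names and
their return codes are constructed, not the output of real modules.
"""

RETURN = "return"  # stands in for MOD_ACTION_RETURN

# Default actions for the authenticate section, as quoted in the thread.
AUTHENTICATE_ACTIONS = {
    "reject": RETURN, "fail": 1, "ok": RETURN, "handled": RETURN,
    "invalid": 1, "userlock": RETURN, "notfound": RETURN,
    "noop": 1, "updated": 1,
}


def run_section(modules, actions=AUTHENTICATE_ACTIONS, initial="reject"):
    """Call each (name, rcode) pair in order and apply the action table.

    ``modules`` lists the modules of one section together with the code
    each would return.  Returns (final_rcode, names_actually_called).
    RETURN ends the section at once with that module's code; a number is
    a priority (assumption: '>=' comparison, initial priority 0, initial
    result ``initial``).
    """
    result, priority, called = initial, 0, []
    for name, rcode in modules:
        called.append(name)
        action = actions[rcode]
        if action == RETURN:
            return rcode, called
        if action >= priority:
            result, priority = rcode, action
    return result, called


def auth_type_dispatch(request_auth_type, sub_sections, **kw):
    """Model an 'Auth-Type X { ... }' block: only the sub-section whose
    name matches the request's Auth-Type is run.  A request with no
    matching block keeps the initial result (example's simplification)."""
    modules = sub_sections.get(request_auth_type, [])
    return run_section(modules, **kw)


if __name__ == "__main__":
    # ok returns at once: ldap2 and ldap3 are never called.
    print(run_section([("ldap1", "ok"), ("ldap2", "ok"), ("ldap3", "ok")]))
    # reject also returns at once.
    print(run_section([("ldap1", "reject"), ("ldap2", "ok")]))
    # notfound is RETURN in authenticate: a user unknown to ldap1 is
    # never tried against ldap2 in this section.
    print(run_section([("ldap1", "notfound"), ("ldap2", "ok")]))
    # fail and noop are priority 1: the later one wins, and the walk goes on.
    print(run_section([("ldap1", "fail"), ("ldap2", "noop")]))
    print(auth_type_dispatch("LDAP2", {"LDAP1": [("ldap1", "ok")],
                                       "LDAP2": [("ldap2", "ok")]}))
```

Swap in another table (for instance one modelling a redundant group, or a per-code override from doc/configurable_failover) via the ``actions`` argument to see how the same module results produce a different section outcome.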


Re: Installation problem Radiusd does not exist

2006-01-05 Thread Nicolas Baradakis
Nicola Iotti wrote:

 I'm installing freeradius 1.0.5 on a Debian Linux system
 I've downloaded tarball, extracted it with  
 #tar zxvf freeradius-1.0.5.tar.gz
 I did :
 
  ./configure
 make
 make install

You should just get the Debian binary package with apt-get.

If you really want to recompile FreeRADIUS from source, see the advice
on the wiki:
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#How_do_I_build_a_Debian_package_from_sources.3F

And please turn off HTML in your email client when posting to this
mailing list: http://freeradius.org/list/users.html

-- 
Nicolas Baradakis



Re: Installation problem Radiusd does not exist

2006-01-05 Thread Kai Geek
Hello,
#tar zxvf freeradius-1.0.5.tar.gz
#cd freeradius-1.0.5
#./configure --localstatedir=/var --sysconfdir=/etc
#make
#make install

For Debian, the commands are:

ozgur:~# apt-cache search freeradius 
freeradius - a high-performance and highly configurable server
#apt-get install freeradius

and

#cd /etc/raddb
#pico users
#pico clients.conf

to edit the users and clients files,

#radiusd -X

- Original Message -
From: Nicolas Baradakis [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Installation problem Radiusd does not exist
Date: Thu, 5 Jan 2006 12:47:08 +0100

 
 Nicola Iotti wrote:
 
  I'm installing freeradius 1.0.5 on a Debian Linux system
  I've downloaded tarball, extracted it with  #tar zxvf 
  freeradius-1.0.5.tar.gz
  I did :
 
   ./configure
  make
  make install
 
 You should just get the Debian binary package with apt-get.
 
 If you really want to recompile FreeRADIUS from source, see the advices
 on the wiki:
 http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#How_do_I_build_a_Debian_package_from_sources.3F
 
 And please turn off HTML in your email client when posting to this
 mailing list: http://freeradius.org/list/users.html
 
 --
 Nicolas Baradakis
 



Kai Ozgur Geek
Network Engineer
PGP ID: B1B63B6E


acct_unique

2006-01-05 Thread Velikanov
Good day.

I need to use such a construction in radiusd.conf:

 acct_unique acct_std{
 key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
 }
 acct_unique acct_PIX{
 key = Acct-Session-Id, NAS-IP-Address, Login-IP-Host,
Login-TCP-Port
}

preacct {
preprocess
Acct-Type PIX{
  acct_PIX
}
acct_std
}

But I got an error when I do radiusd -X:
..
..
Module: Instantiated sql (sql)
radiusd.conf[1683] Unknown module rcode 'acct_PIX'.

In  radiusd.conf there are the strings:
string 1682: Acct-Type PIX{
string 1683: acct_PIX
string 1684:}
Where is my mistake?

And a question: why do we need to use the attribute Acct-Unique-Session-Id?
I use an SQL database for accounting, where we have a unique index radacctid,
and I need to understand the purpose and advantages of using the attribute
Acct-Unique-Session-Id.

Thanks


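What a derived unique session id buys you, as an added Python example that is not rlm_acct_unique's own code: it joins the key attributes named by the acct_std and acct_PIX instances in the post and hashes them, so the Start, Stop and any UDP retransmit of one session share an id, while a second NAS that happens to reuse the same Acct-Session-Id gets a different one. A per-row index such as radacctid cannot do that, since every packet becomes its own row. The packets are constructed; the use of MD5 and the choice to return None when a key attribute is missing are this example's, not the module's.

```python
"""Derive a per-session id from RADIUS accounting key attributes.

Added example, not rlm_acct_unique's code.  It implements the idea the
"key = ..." lines in the post express: concatenate the named attributes in
a fixed order and hash them.  MD5 and the None-on-missing-attribute rule
are this example's choices.  All packets below are constructed.
"""
import hashlib

# Key of the poster's acct_std instance.
STD_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address",
           "Client-IP-Address", "NAS-Port")
# Key of the poster's acct_PIX instance (no User-Name, no NAS-Port).
PIX_KEY = ("Acct-Session-Id", "NAS-IP-Address", "Login-IP-Host",
           "Login-TCP-Port")


def unique_session_id(packet, key=STD_KEY):
    """Return a 32-hex-char id over the key attributes, or None if any key
    attribute is absent from the packet.

    ``packet`` maps attribute names to string values.  The digest is only a
    matching key for accounting rows, not a security primitive, so MD5's
    collision weakness is irrelevant here (assumption: the module also
    hashes; the exact algorithm is not on this page).
    """
    parts = []
    for attr in key:
        if attr not in packet:
            return None
        parts.append(f"{attr}={packet[attr]}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def distinct_sessions(packets, key=STD_KEY):
    """Collapse accounting packets to the set of session ids; packets that
    lack a key attribute are skipped."""
    ids = {unique_session_id(p, key) for p in packets}
    ids.discard(None)
    return ids


# Constructed traffic: one session seen as Start, a duplicate Start (UDP
# retransmit) and Stop, plus a second NAS reusing the same Acct-Session-Id.
SAMPLE = [
    {"Acct-Status-Type": "Start", "User-Name": "alice",
     "Acct-Session-Id": "0000001A", "NAS-IP-Address": "10.0.0.1",
     "Client-IP-Address": "10.0.0.1", "NAS-Port": "3"},
    {"Acct-Status-Type": "Start", "User-Name": "alice",
     "Acct-Session-Id": "0000001A", "NAS-IP-Address": "10.0.0.1",
     "Client-IP-Address": "10.0.0.1", "NAS-Port": "3"},
    {"Acct-Status-Type": "Stop", "User-Name": "alice",
     "Acct-Session-Id": "0000001A", "NAS-IP-Address": "10.0.0.1",
     "Client-IP-Address": "10.0.0.1", "NAS-Port": "3",
     "Acct-Session-Time": "600"},
    {"Acct-Status-Type": "Start", "User-Name": "bob",
     "Acct-Session-Id": "0000001A", "NAS-IP-Address": "10.0.0.2",
     "Client-IP-Address": "10.0.0.2", "NAS-Port": "7"},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["Acct-Status-Type"], p["User-Name"], unique_session_id(p))
    print("distinct sessions:", len(distinct_sessions(SAMPLE)))
```

A packet from a device that sends no User-Name (the PIX case in the post) yields no id under STD_KEY but does under PIX_KEY, which is the reason for keeping two instances with different keys.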


RE: Fw: At which point does the FR server send the Access-Accept or Access-Reject packet?

2006-01-05 Thread Marta Lajas
Thank you very much Bjørn. So it is after the post-auth section that the FreeRadius server decides to send an Access-Accept or an Access-Reject packet (in response to a previous Access-Request packet) depending on the result (success or not, OK or REJECT) of the authenticate method. Am I right?

Best regards,
Marta

- Original Message -
From: "Bjørn Mork" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Thursday, January 05, 2006 12:42 PM
Subject: Re: At which point does the FR server send the Access-Accept or Access-Reject packet?

Marta Lajas <[EMAIL PROTECTED]> writes:

  I have a doubt about when FreeRadius server decides to send an Access-Accept or an Access-Reject packet.

  When the authenticate module returns with a RLM_MODULE_REJECT, does the FR server send an Access-Reject packet? or does it occur later?

  When the authenticate module returns with a RLM_MODULE_OK, does the FR server send the Access-Accept packet? or does it occur later?

You can find the answers in src/main/modcall.c. The default authenticate actions are:

{
MOD_ACTION_RETURN,  /* reject   */
1,  /* fail */
MOD_ACTION_RETURN,  /* ok   */
MOD_ACTION_RETURN,  /* handled  */
1,  /* invalid  */
MOD_ACTION_RETURN,  /* userlock */
MOD_ACTION_RETURN,  /* notfound */
1,  /* noop */
1   /* updated  */
},

Which means that both RLM_MODULE_REJECT and RLM_MODULE_OK will cause an immediate return action without calling any further modules in the authenticate section.

Note that these actions may be modified by "redundant" or "append" module grouping, or even configured on code by code basis. See doc/configurable_failover

The modules in postauth will of course still be called before sending Access-Reject or Access-Accept.

Bjørn

Re: authorization depending on authentication (ldap)

2006-01-05 Thread tschaos
 I assume you meant

 if authentication runs over ldap1 authorize on ldap1
 if authentication runs over ldap2 authorize on ldap2
 if authentication runs over ldap3 authorize on ldap3

sorry my fault - should check my copy-paste better ;-)


 The authenticate processing should set Auth-Type to an unique value
 for each instance.  If you're using the default schema, then you can
 do that by adding a radiusAuthType ldap attribute to each user.  Or
 maybe better:  Use a default profile to set the appropriate
 radiusAuthType for each ldap instance.
 
 E.g. add something like this to the directories:
 
 ldap1:
 dn: cn=radprofile,ou=dialup,o=My Org,c=UA
 radiusAuthType: LDAP1
 
 ldap2:
 dn: cn=radprofile,ou=dialup,o=My Org,c=UA
 radiusAuthType: LDAP2

 ldap3:
 dn: cn=radprofile,ou=dialup,o=My Org,c=UA
 radiusAuthType: LDAP3

hm, I don't understand where I should add this kind of lines. I guess they
should be in the users file as a default entry.

Can you give a complete working sample for such an entry? Sorry if this
would be base knowledge but I don't know how to check ldap-settings in the
users file.

thanks in advance

Stefan

 --- Original Message ---
 From: Bjørn Mork [EMAIL PROTECTED]
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: authorization depending on authentication (ldap)
 Date: Thu, 05 Jan 2006 11:56:33 +0100
 
 [EMAIL PROTECTED] writes:
 
  i am running freeradius-1.0.2-5.5
 
  there are 3 ldap instances:
  ldap1,ldap2,ldap3.
 
  and authenticate them all after another in the authentication section
 like
  this:
 
  authenticate {
  ldap1
  ldap2
  ldap3
  }
 
  same in authorize-section:
 
  authorize {
  ldap1
  ldap2
  ldap3
  }
 
  now my problem is, that if the user x is authenticated at ldap2 for
 instance
  the authorization fails cause the user isnt found at ldap1 (freeradius
  doesnt seem to try authorizing on ldap2 or ldap3)
 
  what i need would be a solution how to realize the following needs:
 
  if authentication runs over ldap1 authorize on ldap1
  if authentication runs over ldap1 authorize on ldap2
  if authentication runs over ldap1 authorize on ldap3
 
  how can i do that?
 
 I assume you meant 
 
  if authentication runs over ldap1 authorize on ldap1
  if authentication runs over ldap2 authorize on ldap2
  if authentication runs over ldap3 authorize on ldap3
 
 
 The authenticate processing should set Auth-Type to an unique value
 for each instance.  If you're using the default schema, then you can
 do that by adding a radiusAuthType ldap attribute to each user.  Or
 maybe better:  Use a default profile to set the appropriate
 radiusAuthType for each ldap instance.
 
 E.g. add something like this to the directories:
 
 ldap1:
 dn: cn=radprofile,ou=dialup,o=My Org,c=UA
 radiusAuthType: LDAP1
 
 ldap2:
 dn: cn=radprofile,ou=dialup,o=My Org,c=UA
 radiusAuthType: LDAP2
 
 ldap3:
 dn: cn=radprofile,ou=dialup,o=My Org,c=UA
 radiusAuthType: LDAP3
 
 And then in radiusd.conf:
 
 modules {
 ..
 ldap ldap1 {
 ..
 default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
 ..
 }
 ldap ldap2 {
 ..
 default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
 ..
 }
 ldap ldap3 {
 ..
 default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
 ..
 }
 }
 ..
 authorize {
   Auth-Type LDAP1 {
  ldap1
   }
   Auth-Type LDAP2 {
  ldap2
   }
   Auth-Type LDAP3 {
  ldap3
   }
 }
 
 
 
 
 Note: This would be a lot easier with freeradius-1.1, where I believe
 something like this would have been sufficient since rlm_ldap now sets
 Auth-Type to the instance name by default:
 
 authorize {
   Auth-Type ldap1 {
  ldap1
   }
   Auth-Type ldap2 {
  ldap2
   }
   Auth-Type ldap3 {
  ldap3
   }
 }
 
 
 
 Bjørn
 


Re: authorization depending on authentication (ldap)

2006-01-05 Thread tschaos
sorry, now i understand what you meant with that:

  ldap1:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP1
  
  ldap2:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP2
 
  ldap3:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP3

I should change the ldap-directory. Isn't it possible to make it fit my needs
without changing the ldap-directory? Without freeradius-1.1?


 --- Original Message ---
 From: [EMAIL PROTECTED]
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: authorization depending on authentication (ldap)
 Date: Thu, 5 Jan 2006 13:30:16 +0100 (MET)
 
  I assume you meant
 
  if authentication runs over ldap1 authorize on ldap1
  if authentication runs over ldap2 authorize on ldap2
  if authentication runs over ldap3 authorize on ldap3
 
 sorry my fault - should check my copy-paste better ;-)
 
 
  The authenticate processing should set Auth-Type to an unique value
  for each instance.  If you're using the default schema, then you can
  do that by adding a radiusAuthType ldap attribute to each user.  Or
  maybe better:  Use a default profile to set the appropriate
  radiusAuthType for each ldap instance.
  
  E.g. add something like this to the directories:
  
  ldap1:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP1
  
  ldap2:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP2
 
  ldap3:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP3
 
 hm, i dont understand where i should add this kind of lines. i guess they
 should be in the users file as an default entry.
 
 can you give a complete working sample for such an entry? sorry if this
 would be base-knowledge but i dont know how to check ldap-settings in the
 users file.
 
 thanks in advance
 
 Stefan
 
  --- Original Message ---
  From: Bjørn Mork [EMAIL PROTECTED]
  To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
  Subject: Re: authorization depending on authentication (ldap)
  Date: Thu, 05 Jan 2006 11:56:33 +0100
  
  [EMAIL PROTECTED] writes:
  
   i am running freeradius-1.0.2-5.5
  
   there are 3 ldap instances:
   ldap1,ldap2,ldap3.
  
   and authenticate them all after another in the authentication section
  like
   this:
  
   authenticate {
   ldap1
   ldap2
   ldap3
   }
  
   same in authorize-section:
  
   authorize {
   ldap1
   ldap2
   ldap3
   }
  
   now my problem is, that if the user x is authenticated at ldap2 for
  instance
   the authorization fails cause the user isnt found at ldap1 (freeradius
   doesnt seem to try authorizing on ldap2 or ldap3)
  
   what i need would be a solution how to realize the following needs:
  
   if authentication runs over ldap1 authorize on ldap1
   if authentication runs over ldap1 authorize on ldap2
   if authentication runs over ldap1 authorize on ldap3
  
   how can i do that?
  
  I assume you meant 
  
   if authentication runs over ldap1 authorize on ldap1
   if authentication runs over ldap2 authorize on ldap2
   if authentication runs over ldap3 authorize on ldap3
  
  
  The authenticate processing should set Auth-Type to an unique value
  for each instance.  If you're using the default schema, then you can
  do that by adding a radiusAuthType ldap attribute to each user.  Or
  maybe better:  Use a default profile to set the appropriate
  radiusAuthType for each ldap instance.
  
  E.g. add something like this to the directories:
  
  ldap1:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP1
  
  ldap2:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP2
  
  ldap3:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP3
  
  And then in radiusd.conf:
  
  modules {
  ..
  ldap ldap1 {
  ..
  default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
  ..
  }
  ldap ldap2 {
  ..
  default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
  ..
  }
  ldap ldap3 {
  ..
  default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
  ..
  }
  }
  ..
  authorize {
Auth-Type LDAP1 {
   ldap1
}
Auth-Type LDAP2 {
   ldap2
}
Auth-Type LDAP3 {
   ldap3
}
  }
  
  
  
  
  Note: This would be a lot easier with freeradius-1.1, where I believe
  something like this would have been sufficient since rlm_ldap now sets
  Auth-Type to the instance name by default:
  
  authorize {
Auth-Type ldap1 {

Re: authorization depending on authentication (ldap)

2006-01-05 Thread Chaos Commander
I managed it: there is one attribute in our LDAP where I can exactly define
where the user should be authorized.
With the radiusAuthType attribute it works now perfectly.

Thanks a lot for this little hint :-)

Stefan

 --- Original Message ---
 From: [EMAIL PROTECTED]
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: authorization depending on authentication (ldap)
 Date: Thu, 5 Jan 2006 13:56:35 +0100 (MET)
 
 sorry, now i understand what you meant with that:
 
   ldap1:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP1
   
   ldap2:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP2
  
   ldap3:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP3
 
  I should change the ldap-directory. Isn't it possible to make it fit my
  needs
  without changing the ldap-directory? Without freeradius-1.1?
 
 
  --- Original Message ---
  From: [EMAIL PROTECTED]
  To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
  Subject: Re: authorization depending on authentication (ldap)
  Date: Thu, 5 Jan 2006 13:30:16 +0100 (MET)
  
   I assume you meant
  
   if authentication runs over ldap1 authorize on ldap1
   if authentication runs over ldap2 authorize on ldap2
   if authentication runs over ldap3 authorize on ldap3
  
  sorry my fault - should check my copy-paste better ;-)
  
  
   The authenticate processing should set Auth-Type to an unique value
   for each instance.  If you're using the default schema, then you can
   do that by adding a radiusAuthType ldap attribute to each user.  Or
   maybe better:  Use a default profile to set the appropriate
   radiusAuthType for each ldap instance.
   
   E.g. add something like this to the directories:
   
   ldap1:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP1
   
   ldap2:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP2
  
   ldap3:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP3
  
  Hm, I don't understand where I should add these kinds of lines. I guess
  they should be in the users file as a default entry.
  
  Can you give a complete working sample for such an entry? Sorry if this
  would be basic knowledge, but I don't know how to check LDAP settings in
  the users file.
  
  thanks in advance
  
  Stefan
  
   --- Original Message ---
   From: Bjørn Mork [EMAIL PROTECTED]
   To: FreeRadius users mailing list
  freeradius-users@lists.freeradius.org
   Subject: Re: authorization depending on authentication (ldap)
   Date: Thu, 05 Jan 2006 11:56:33 +0100
   
   [EMAIL PROTECTED] writes:
   
I am running freeradius-1.0.2-5.5

There are 3 ldap instances:
ldap1, ldap2, ldap3.

and I authenticate them all one after another in the authentication
section like this:

authenticate {
ldap1
ldap2
ldap3
}

Same in the authorize section:

authorize {
ldap1
ldap2
ldap3
}

Now my problem is that if user x is authenticated at ldap2, for
instance, the authorization fails because the user isn't found at ldap1
(freeradius doesn't seem to try authorizing on ldap2 or ldap3).

What I need would be a solution for how to realize the following needs:

if authentication runs over ldap1 authorize on ldap1
if authentication runs over ldap1 authorize on ldap2
if authentication runs over ldap1 authorize on ldap3

How can I do that?
   
   I assume you meant 
   
if authentication runs over ldap1 authorize on ldap1
if authentication runs over ldap2 authorize on ldap2
if authentication runs over ldap3 authorize on ldap3
   
   
   The authenticate processing should set Auth-Type to a unique value
   for each instance.  If you're using the default schema, then you can
   do that by adding a radiusAuthType ldap attribute to each user.  Or
   maybe better:  Use a default profile to set the appropriate
   radiusAuthType for each ldap instance.
   
   E.g. add something like this to the directories:
   
   ldap1:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP1
   
   ldap2:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP2
   
   ldap3:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP3
   
   And then in radiusd.conf:
   
   modules {
       ..
       ldap ldap1 {
           ..
           default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
           ..
       }
       ldap ldap2 {
           ..
           default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
           ..
       }
   

NAS-identifier instead of IP-identifier

2006-01-05 Thread Rob Cleminson
Hello, I am new to freeradius and need a little help

We are going to be deploying a bunch of Wireless Routers all over the place and 
they may have DHCP addresses on them instead of static WAN addresses. When a 
client associates to our Wireless Router they are redirected to the Radius 
Server which then creates a secure session onto the internet (WPA etc.) 

Is there a way of identifying the router to our FreeRadius server without 
having a static IP address on each Router?

Cheers

Rob


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP-TLS and user configuration

2006-01-05 Thread dark0s dark0s
Hi, I must configure an authentication server with
freeradius 1.0.5. The authentication method must be
EAP-TLS. I have configured the files:

eap.conf, radiusd.conf, clients.conf

I would like to know:
1) If I must configure /etc/raddb/users
2) How to configure /etc/raddb/users
3) Whether the authentication operation will be shown in any
files in the system

Thanks


LDAP scope

2006-01-05 Thread Stefan Adams
Hi!

Is it possible to specify a basedn of dc=example,dc=com with a scope
of sub so that my search filters can apply to both ou=People and
ou=Computers for example?  It seems from my testing that the scope
is one by default.

The reason I would like to do this is to have the check box in Windows
XP that says Authenticate as computer... checked.  Doing this,
FreeRADIUS is first presented with the credentials of the computer
(host/name).  Since I already have a computer account in ou=Computers,
I figure I'd just add a cn=host/name attribute and modify the filter
to be (|(uid=%{User-Name})(cn=%{User-Name})).  But this can only work
with a basedn of dc=example,dc=com and a scope of sub.

Thanks!
Stefan



Re: In which point does the FR sever send the Access-Accept or Access-Reject packet?

2006-01-05 Thread Alan DeKok
Marta Lajas [EMAIL PROTECTED] wrote:
   I have a doubt about when FreeRadius server decides to send an 
 Access-Accept or an Access-Reject packet. 

  Why ask the list when you can run it yourself and see?

   When the authenticate module returns with a RLM_MODULE_REJECT, does the FR 
 server send an Access-Reject packet? or does it occur later?

  Yes.  It *may* occur later because of reject_delay.  See radiusd.conf.

   When the authenticate module returns with a RLM_MODULE_OK, does the FR 
 server send the Access-Accept packet? or does it occur later?

  Yes.  And it's sent immediately.

  I can't help but think these questions are *not* the questions you
want answered.

  What problem are you trying to solve?

  Alan DeKok.



Re: acct_unique

2006-01-05 Thread Alan DeKok
Velikanov [EMAIL PROTECTED] wrote:
 preacct {
 preprocess
 Acct-Type PIX{
   acct_PIX
 }

  You put an Acct-Type in a preacct section.  That won't work.
Acct-Types have to go into accounting sections.

 radiusd.conf[1683] Unknown module rcode 'acct_PIX'.

  It's treating Acct-Type as a module name, because Acct-Types don't
belong in preacct sections.

  Alan DeKok.



Re: NAS-identifier instead of IP-identifier

2006-01-05 Thread Alan DeKok
Rob Cleminson [EMAIL PROTECTED] wrote:
 Is there a way of identifying the router to our FreeRadius server
 without having a static IP address on each Router?

  Configure a networked client in clients.conf.  See the examples there.

  The NASes all have to have the same secret, though.

  Alan DeKok.


Re: NAS-identifier instead of IP-identifier

2006-01-05 Thread Rich Marriner
I don't believe so. Not if you use the NAS-IP-Address attribute. 
Traditionally that was used for access servers on the corporate level and 
due to the nature of their work they had static IP addresses.  I for one 
would not want my APs (if I were deploying a wide area wireless network) 
to have dynamic IP addresses.  The administration of that would seem to 
become a nightmare unless you use a dynamic dns service, but that seems 
kind of corny for a service provider.


I may be talking out my butt, and I don't mean anything by it, I just 
wouldn't use dynamic IP addresses for any of my network infrastructure. 
Usually static IP addresses aren't that much more from your upstream provider.


On second thought, what if you created a VPN tunnel from the AP (using, 
say OpenWrt) and then you could assign static private IPs to the AP? 
Would this work?


I hope this was useful, but somebody else will probably come up with a 
lot more intelligent answer.


Richard




Rob Cleminson wrote:

Hello, I am new to freeradius and need a little help

We are going to be deploying a bunch of Wireless Routers all over the place and they may have DHCP addresses on them instead of static WAN addresses. When a client associates to our Wireless Router they are redirected to the Radius Server which then creates a secure session onto the internet (WPA etc.) 


Is there a way of identifying the router to our FreeRadius server without 
having a static IP address on each Router?

Cheers

Rob




MySQL settings causing FreeRADIUS to segfault

2006-01-05 Thread radius

Hello again,

I got the DialupAdmin/SQL problem fixed (thanks) but now I'm running into a problem with FreeRADIUS. I've tried following several different guides I've found on the net for setting up FreeRADIUS and MySQL and each time I get the same results. Whenever I enable anything regarding SQL in radiusd.conf and start up radiusd in debug mode (radiusd -X), FreeRADIUS segfaults. If I start the program with -x, I get the same results; however, when I start up radiusd without any options (radiusd by itself), the program starts fine. Could this be a configuration issue in FreeRADIUS or something messed up with my Ubuntu install? We've tried authenticating when FreeRADIUS is started without command-line options and it does not accept the information in the MySQL database input via Dialupadmin.

If needed, I can post my config files. I figured I'd wait to see if it was needed before doing so.

Thanks

Re: Failed to link to module 'rlm_exec': /usr/local/lib/rlm_exec.a: invalid ELF header

2006-01-05 Thread Mathieu Clément

Mathieu Clément wrote:

 Good morning,

 Look at this:

 ---
 # radiusd -X
 Starting - reading configuration files ...
 reread_config:  reading radiusd.conf
 Config:   including file: /etc/raddb/proxy.conf
 Config:   including file: /etc/raddb/clients.conf
 Config:   including file: /etc/raddb/snmp.conf
 Config:   including file: /etc/raddb/eap.conf
 Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
 read_config_files:  reading dictionary
 read_config_files:  reading naslist
 Using deprecated naslist file.  Support for this will go away soon.
 read_config_files:  reading clients
 read_config_files:  reading realms
 radiusd:  entering modules setup
 Module: Library search path is /usr/local/lib
 radiusd.conf[1383] Failed to link to module 'rlm_exec':
 /usr/local/lib/rlm_exec.a: invalid ELF header
 

 Running mandrake with mysql.

 Second question: How to add users in the mysql table?
 I see UserName, value, etc. but where to put the password, and in which
 format (md5? sha1? clear text?)

 Thank you in advance,
 Have a good day.

 Mathieu




Connection TimeOut!!!

2006-01-05 Thread Kirti S. Bajwa
Hello:

RH 9.0, freeRADIUS 1.4

I have been using freeRADIUS for the last 10 months. Works great. I would like to set up a maximum connection time of 120 minutes for each user. I am a complete newbie. 

Can somebody direct me to the file I need to set the timeout time? I also need to know the exact command, if possible.

Thanks in Advance.

Kirt





Re: Connection TimeOut!!!

2006-01-05 Thread Dusty Doris

Hello:

RH 9.0, freeRADIUS 1.4

I have been using freeRADIUS for the last 10 Months. Works great. I like
to setup a maximum connection time of 120 minutes for each user. I am a
complete newbie.

Can somebody direct me to the file I need to set the timeout time? I
also need to know the exact command, if possible.



Do you mean max connection time before logging in again?  In that case, 
you usually just need to add


Session-Timeout = xxx

With xxx being the number of seconds before timing out.

If you want to give them, say, 120 minutes each day or week or month, then 
you should look at rlm_sql_counter.  Install freeradius with experimental 
modules and read experimental.conf.


This is all dependent on your NAS accepting the Session-Timeout variable 
and actually ending the session at that time.





Re: LDAP scope

2006-01-05 Thread Gary Algier

Stefan Adams wrote:

Hi!

Is it possible to specify a basedn of dc=example,dc=com with a scope
of sub so that my search filters can apply to both ou=People and
ou=Computers for example?  It seems from my testing that the scope
is one by default.

From my experience it is a scope of sub by default.  My people are
in the data store like:
dn: uid=gaa,ou=people,dc=ulticom,dc=com
and my ldap section of radius.conf is:
ldap {
    server = ldap.ulticom.com
    basedn = dc=ulticom,dc=com
    filter = (&(objectclass=person)(uid=%{Stripped-User-Name:-%{User-Name}}))
    do_xlat = yes
    base_filter = (objectclass=*)
    start_tls = no
    access_attr = uid
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}




The reason I would like to do this is to have the check box in Windows
XP that says Authenticate as computer... checked.  Doing this,
FreeRADIUS is first presented with the credentials of the computer
(host/name).  Since I already have a computer account in ou=Computers,
I figure I'd just add a cn=host/name attribute and modify the filter
to be (|(uid=%{User-Name})(cn=%{User-Name})).  But this can only work
with a basedn of dc=example,dc=com and a scope of sub.

The thing to watch out for is the actual LDAP lookup may not be
what you think.  Without special regex matches or other tricks it
will only lookup your hostname.  For instance with a user of gaa
on host malachite, the supplied user value is MALACHITE\GAA.
This then results in an LDAP lookup of (from radiusd -X):
-
rlm_ldap: performing user authorization for MALACHITE\gaa
radius_xlat:  '(&(objectclass=person)(uid=MALACHITE))'
radius_xlat:  'dc=ulticom,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=MALACHITE))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
-

I tried to handle it with this:

hints file:
...
DEFAULT NAS-IP-Address == 172.25.16.9, User-Name =~ ^(.*)(.*)
Hint = 8021XUSER,
Stripped-User-Name = `${2}`
...
users file:
...
DEFAULT Hint == 8021XUSER
Fall-Through = 1
...

This strips the hostname off, mostly.  I see it do several uid=gaa
lookups, then one uid=MALACHITE and then it fails.  If you get it
to work, let me know.  All I want to do is lookup the user.

If you want to use the hostname, how will you match the password?  What
credentials are you expecting it to pass?  I was under the assumption
that when you select Authenticate as computer... it expects to
use certificates (I may be wrong here).

The format of the password when using the Windows domain style login
is the Windows encrypted format (actually a hash, not encrypted,
but you still can't recreate the clear text password).  In the default
configuration, this value is matched against the LDAP attribute
sambaNTPassword.  This assumes that you are already using
Samba for SMB/CIFS access.  (I am).



Thanks!
Stefan



--
Gary Algier, WB2FWZ  gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054  Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.


Re: Fw: authorize and authenticate methods ina custom module

2006-01-05 Thread Yannick Deltroo
I've done something like this.

You should write a custom script for the authorization section, put
something like this in radiusd.conf

modules {
    ...
    exec myscript {
        program = /path/to/myscript %{User-Name}
        wait = yes
        input_pairs = request
        output_pairs = config
        packet_type = Access-Accept
    }
    ...
}

authorize {
    ...
    pap
    chap
    myscript
    ...
}


Assuming it's a shell script, it has to do this:
- retrieve the parameters of the Access-Request. User-Name is passed
as an argument; other attributes can be accessed from the environment
variables or passed as additional myscript arguments
- then call the cgi with the appropriate parameters using curl
- if the user exists, the cgi should return the Password XX to
myscript (I'm assuming PAP/CHAP is used for authentication)
- then myscript will write Password = X to stdout (it will make a
config attribute for freeradius) and then exit(0)
- if the cgi says that the user does not exist, exit(0) without
writing anything to stdout. This way other authorization modules may
try to find the user.

If the user really does not exist anywhere, the access-reject will be
decided during PAP/CHAP authentication. (a user with no password = 
reject)

Yannick Deltroo

On 1/5/06, Susana Macias [EMAIL PROTECTED] wrote:

 Thanks a lot Alan,

 I would like to explain what I am trying to develop. If someone has any
 advice, please tell me. This is my scenario:

 Until now, we have a RADIUS server (RADIUS PSI) which only receives
 Access-Request packets.

 Also we have a CGI application located at the URL http://X.Y.Z.W:8080/nucleo
 This application receives a set of parameters as a URL-encoded string (all
 characters that are not a-z, A-Z or 0-9 are converted to their URL-escaped
 version) with this form:
 Attribute1=Value1&Attribute2=Value2... (where Attribute1,
 Attribute2... and Value1, Value2... are the different Attribute/Value pairs
 obtained from the Access-Request packet)
 The CGI application consults a remote database (and normally authenticates
 the user using the telephone number; although there are other variants).

 According to the response obtained from the remote resource, the RADIUS
 server adds different Attribute/Value pairs to the reply list, and always
 replies with an Access-Accept packet (whether or not the CGI application
 authenticates the user successfully).

 Now, we want to change to a FreeRadius server.

 I only want to call the remote resource (using the libcurl library),
 passing it the appropriate parameters, and collect the information returned
 by it in order to create the reply list. As the CGI application performs the
 authorize and authenticate activities I am a little embarrassed to say that
 I am not sure which function I should implement (authorize or authenticate).

 Thank you very much in advance

 Best wishes,
 Susana





 - Original Message -
 From: Alan DeKok
 To: FreeRadius users mailing list
 Sent: Tuesday, January 03, 2006 4:31 PM
 Subject: Re: authorize and authenticate methods ina custom module


  Susana Macias wrote:
   I have started working with the RADIUS protocol (and with FreeRadius
   in particular) three weeks ago. Congratulations for the product, it is
   really powerful!
 
  Thanks.
 
   But, when are the authorize() and authenticate() methods called?
 
  When a packet comes in. See doc/aaa.txt
 
   Is it necessary to include in the radiusd.conf the name of the
   instance (of the new module created) in the authorize section in order
   to call its authorize() method?
 
  Yes.
 
  Alan DeKok.
  -
  List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 





  

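A shell version of the myscript design Yannick sketches, added here as an example and not code from the post or from the FreeRADIUS project: it percent-encodes the request attributes into the Attribute=Value form the CGI expects, calls the CGI with curl, and turns a Password line in the reply into a check item for rlm_exec, refusing replies that could smuggle extra pairs into radiusd. Assumptions not stated in the thread: rlm_exec exports request attributes as environment variables named like CALLING_STATION_ID, pairs are joined with '&', the CGI answers a single "Password=<cleartext>" line for a known user and an empty body otherwise, and User-Password is the check-item name on a 1.x server.

```shell
#!/bin/sh
# Added example of the "myscript" sketched above; it is not code from the post.
# Assumptions (not stated in the thread): rlm_exec exports request attributes
# as environment variables with '-' turned into '_' (CALLING_STATION_ID), the
# CGI takes pairs joined by '&', and answers "Password=<cleartext>" on one line
# when it knows the user and an empty body when it does not.
LC_ALL=C; export LC_ALL
CGI_URL=${CGI_URL:-"http://X.Y.Z.W:8080/nucleo"}   # the URL quoted in the thread

# Percent-encode every byte that is not a-z, A-Z or 0-9 (the form the CGI wants).
urlencode() {
    s=$1; out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}            # peel off the first character
        case $c in
            [a-zA-Z0-9]) out="$out$c" ;;
            *) code=$(printf '%d' "'$c"); out="$out$(printf '%%%02X' "$((code & 255))")" ;;
        esac
    done
    printf '%s' "$out"
}

# Join NAME=VALUE arguments into Attribute1=Value1&Attribute2=Value2 ...
build_query() {
    q=""
    for pair in "$@"; do
        name=${pair%%=*}; value=${pair#*=}
        q="$q${q:+&}$(urlencode "$name")=$(urlencode "$value")"
    done
    printf '%s' "$q"
}

# The script's stdout becomes radiusd check items, so a value carrying a newline,
# a quote or a control character could inject extra pairs: allow printable
# ASCII without '"' or '\' and reject anything else.
safe_value() {
    [ -n "$1" ] || return 1
    [ "$(printf '%s' "$1" | tr -cd ' -~')" = "$1" ] || return 1
    case $1 in *\"*|*\\*) return 1 ;; esac
    return 0
}

# Translate the CGI body into config pairs for rlm_exec (output_pairs = config).
# Prints nothing for an unknown user so later authorize modules get their turn;
# returns 1 when the body is malformed so the caller can fail the request.
cgi_to_config() {
    while IFS= read -r line; do
        case $line in
            Password=*)
                pw=${line#Password=}
                safe_value "$pw" || return 1
                # Check-item name assumed for a FreeRADIUS 1.x server
                printf 'User-Password := "%s"\n' "$pw"
                ;;
        esac
    done <<EOF
$1
EOF
}

# rlm_exec entry point: %{User-Name} arrives as the first argument.
main() {
    query=$(build_query "User-Name=$1" "Calling-Station-Id=${CALLING_STATION_ID:-}")
    # -f and a bounded timeout turn a backend outage into a visible failure
    # (module fails, request rejected) rather than a silent "user unknown".
    body=$(curl -s -f -G --max-time 5 --data "$query" "$CGI_URL") || exit 1
    cgi_to_config "$body" || exit 1
    exit 0
}

if [ $# -gt 0 ]; then main "$@"; fi
```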


RE: Connection TimeOut!!!

2006-01-05 Thread Kirti S. Bajwa


Do you mean max connection time before logging in again?  In that case,

you usually just need to add

Session-Timeout = xxx

Yes.

I have looked into various files and can not find out where I enter this
setting. Kindly point out the file and the location (or the module)
where I enter this command.

Thanks a million.

FYI, I use 3COM TCM. I think it handles the Session-Timeout feature.

Kirti





before freeradius, openssl don't work

2006-01-05 Thread pelusa vali
hi everybody, well, still trying to use freeradius for a wlan.  I use debian 
sarge kernel 2.6.13, openssl 0.9.8.a to generate certificates and the latest 
freeradius version.
well, I followed many tutorials about securing wlans with freeradius and all 
of them have this step:


openssl rsa newreq.pem   servidor-key.pem

but when I type this my system returns:

unable to load Private Key 5237:error:0906D06C:PEM routines:PEM_read_bio:no 
start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY


so I think it's a problem with rsa generation and tried to generate an rsa key 
but always get the same error.


I know it's not an openssl list but I posted this question on the openssl list 
and nobody answered; searched on the internet and nothing; so, could anybody help?? 
what is happening and how could I solve this?? excuse me if this is so trivial but 
I'm new to both openssl and freeradius and don't understand what is 
happening and why.


thanks in advance for your time and help.



Test

2006-01-05 Thread Mathieu Clément
Please answer if it works


Re: Test

2006-01-05 Thread M T
got it  here's your reply
M T
On 1/5/06, Mathieu Clément [EMAIL PROTECTED] wrote:
Please answer if it works

thread pool information

2006-01-05 Thread DilipSimha.N.M

hi,

can anyone please tell me about the thread pool configurations?

start_servers = 5
... but 5 RADIUS servers aren't started initially.
then what is this attribute for??

--DilipSimha


Re: thread pool information

2006-01-05 Thread Alan DeKok
DilipSimha.N.M [EMAIL PROTECTED] wrote:
 can anyone please tell me about the thread pool configurations?

  Read the documentation in the comments in radiusd.conf?

 start_servers = 5
 ... but 5 RADIUS servers aren't started initially.
 then what is this attribute for??

  threads are not processes.  The server starts 5 threads, not processes.

  Alan DeKok.