problem with proxy configuration
Hello,
I am having following problem with proxy.
In proxy.conf, I have following entries
realm myPartnerRealm {
type= radius
authhost= mypartner.server.com:1812
accthost= mypartner.server.com:1813
secret = mypartnersecret
nostrip
}
realm myCustomRealm {
type= radius
authhost= localhost:1812
accthost= localhost:1813
secret = mysecret
nostrip
}
realm DEFAULT {
type= radius
authhost= localhost:1812
accthost= localhost:1813
secret = mysecret
}
I am able to authenticate against myPartnerRealm and default relam,
but when I submit request for myCustomRealm, the server seems to go
in a loop and marks the myCustomRealm as dead with the following
error.
marking authentication server localhost:1812 for realm myCustomRealm dead
I also get the following warning message
WARNING: Possible DoS attack from host 127.0.0.1: Too many attributes
in request (received 201, max 200 are allowed).
I read in one of the post that proxying to same server (localhost) is
not allowed , but i need this feature as I do not want to strip
certain Realms.
Thanks for your help.
Prabh
--
MyBlog: http://things-on-my-mind.blogspot.com/
Get your news at www.DailyHeadlines.NET
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mobile Phones Radius Authentications
On Mon 16 Oct 2006 06:17, nsuralullec wrote: What i want is to authenticate Mobile WAP users to a freeradius before using the mobile wap gateway(Kannel), but as per the radius logs, it successfully authenticates but it does not redirect the mobile wap request to the wap gateway. The mobile configurations are correct it works if the NAS doesnot require authentications. What makes you think that it should do this? Have you configured your NAS to do this redirection? Your Access-Accept doen't contain any such message. Does your NAS even support such a feature? Ask your NAS vendor how this is supposed to work... Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc pgp7eWoYa0YAk.pgp Description: PGP signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Inserting and/or replacing reply attributes on a proxy request
Yep. I use attrs.pre-proxy and attrs files to do what they say on the tin.
(Strip unwanted pairs pre and post proxy) then I add back in the pairs I want
with rewrite rule and/or module (Module order is important here). For example
this lets me strip Framed-IP-Address and then add one from sqlippool.
Cheers
Peter
On Mon 16 Oct 2006 00:43, Jarrod Sayers wrote:
Thanks Peter, any tips on how you have done this? I'll look at
upgrading a development box to head today if it means I can resolve
this problem.
Jarrod.
On 16/10/2006, at 12:45 AM, Peter Nixon wrote:
This is trivial to do on CVS head (We are using these features in
production).
1.1.3 is pretty limited in this regard..
Cheers
Peter
On Sun 15 Oct 2006 15:23, Jarrod Sayers wrote:
The concept is close, but the effect I need is silently add or
replace
these attributes from any proxy reply. While I am slightly concerned
that a realm neighbor would have the power to alter what tunnel group
they land in, I am also concerned about proxy replies that come back
without those variables. Reason being is without those variables,
that username and realm pair can associate to any SSID where
FreeRADIUS is used to check their credentials.
Picture Cisco Aironet 1200's with multiple SSID's, all pointing back
to a single instance of FreeRADIUS. The access point is relying on
the RADIUS reply to determine if the user should be moved to another
SSID and without it, assumes the one they are attempting to
connect to
is correct.
Jarrod.
On 15/10/2006, at 2:43 PM, Owen DeLong wrote:
Seems to me that you need to know which RADIUS box you sent the
proxy request
to and which destinations it is allowed to return. Then, you should
be able to map
any responses which don't match those tuples to proxy-reject with an
error
indicating that the proxy returned nefarious content.
Perhaps, however, I simply am not understanding the problem
statement.
Owen
On Oct 14, 2006, at 9:59 PM, Jarrod Sayers wrote:
Hi,
I have a FreeRADIUS 1.1.2 box which its only job in life is to
proxy requests based on realms, i.e., no local authentication is
done. One of the realms is internal to the organisation (lets call
that internal.org.com.au) and I trust the variables being returned,
however I have no control over one external realm (lets call that
some.other.org.net.au) and the default realm. The FreeRADIUS box
is used to proxy wireless requests which relies on the following
variables to dump users into their particular tunnel groups:
Tunnel-Type:1 = VLAN
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 = 1234
What I am trying to accomplish is to have replies from a certain
realm forced to be returned with set values either adding them in
if they are missing, or replacing them is they are not the same.
So, if the request is proxied to a trusted source then don't alter
the reply, though if its proxied to an external realm, force the
Tunnel-Private-Group-Id:1 attribute to be 1234, yet if its proxied
to the default realm, use 4321 instead.
I had a go at this using the exec clause and had some success in
adding variables if they didn't exist in the reply, but it wouldn't
replace existing ones:
modules {
...
exec vlan_assignment {
wait = yes
program = ${confdir}/vlan.sh
input_pairs = proxy-request
output_pairs = proxy-reply
packet_type = Access-Accept
}
}
post-proxy {
vlan_assignment
...
}
The associated script that it ran:
fruitbox# cat vlan.sh
#!/bin/sh
# Set defaults.
TunnelType=VLAN
TunnelMediumType=IEEE-802
TunnelPrivateGroupId=200
# Only alter Wireless-802.11 requests.
if [ ${NAS_PORT_TYPE} = Wireless-802.11 -a ${REALM} !=
internal.org.com.au ]; then
# Determine VLAN to be used.
if [ ${REALM} = some.other.org.net.au ]; then
# Force user into specific tunnel group.
TunnelPrivateGroupId=1234
elif [ ${REALM} = DEFAULT ]; then
# Force user into specific tunnel group.
TunnelPrivateGroupId=4321
fi
# Return actual VLAN assignment.
echo Tunnel-Type:1 = ${TunnelType}
echo Tunnel-Medium-Type:1 = ${TunnelMediumType}
echo Tunnel-Private-Group-Id:1 = \${TunnelPrivateGroupId}\
fi
exit 0
fruitbox#
Allowing these variables to pass though from untrusted sources may
allow a user to be placed in another organisations tunnel group
which I cannot allow.
Any help or ideas appreciated :)
Jarrod.
-List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
-
Re: Inserting and/or replacing reply attributes on a proxy request
An example would be handy :)
Jarrod.
On Mon, 16 Oct 2006, Peter Nixon wrote:
Yep. I use attrs.pre-proxy and attrs files to do what they say on the tin.
(Strip unwanted pairs pre and post proxy) then I add back in the pairs I want
with rewrite rule and/or module (Module order is important here). For example
this lets me strip Framed-IP-Address and then add one from sqlippool.
Cheers
Peter
On Mon 16 Oct 2006 00:43, Jarrod Sayers wrote:
Thanks Peter, any tips on how you have done this? I'll look at
upgrading a development box to head today if it means I can resolve
this problem.
Jarrod.
On 16/10/2006, at 12:45 AM, Peter Nixon wrote:
This is trivial to do on CVS head (We are using these features in
production).
1.1.3 is pretty limited in this regard..
Cheers
Peter
On Sun 15 Oct 2006 15:23, Jarrod Sayers wrote:
The concept is close, but the effect I need is silently add or
replace
these attributes from any proxy reply. While I am slightly concerned
that a realm neighbor would have the power to alter what tunnel group
they land in, I am also concerned about proxy replies that come back
without those variables. Reason being is without those variables,
that username and realm pair can associate to any SSID where
FreeRADIUS is used to check their credentials.
Picture Cisco Aironet 1200's with multiple SSID's, all pointing back
to a single instance of FreeRADIUS. The access point is relying on
the RADIUS reply to determine if the user should be moved to another
SSID and without it, assumes the one they are attempting to
connect to
is correct.
Jarrod.
On 15/10/2006, at 2:43 PM, Owen DeLong wrote:
Seems to me that you need to know which RADIUS box you sent the
proxy request
to and which destinations it is allowed to return. Then, you should
be able to map
any responses which don't match those tuples to proxy-reject with an
error
indicating that the proxy returned nefarious content.
Perhaps, however, I simply am not understanding the problem
statement.
Owen
On Oct 14, 2006, at 9:59 PM, Jarrod Sayers wrote:
Hi,
I have a FreeRADIUS 1.1.2 box which its only job in life is to
proxy requests based on realms, i.e., no local authentication is
done. One of the realms is internal to the organisation (lets call
that internal.org.com.au) and I trust the variables being returned,
however I have no control over one external realm (lets call that
some.other.org.net.au) and the default realm. The FreeRADIUS box
is used to proxy wireless requests which relies on the following
variables to dump users into their particular tunnel groups:
Tunnel-Type:1 = VLAN
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 = 1234
What I am trying to accomplish is to have replies from a certain
realm forced to be returned with set values either adding them in
if they are missing, or replacing them is they are not the same.
So, if the request is proxied to a trusted source then don't alter
the reply, though if its proxied to an external realm, force the
Tunnel-Private-Group-Id:1 attribute to be 1234, yet if its proxied
to the default realm, use 4321 instead.
I had a go at this using the exec clause and had some success in
adding variables if they didn't exist in the reply, but it wouldn't
replace existing ones:
modules {
...
exec vlan_assignment {
wait = yes
program = ${confdir}/vlan.sh
input_pairs = proxy-request
output_pairs = proxy-reply
packet_type = Access-Accept
}
}
post-proxy {
vlan_assignment
...
}
The associated script that it ran:
fruitbox# cat vlan.sh
#!/bin/sh
# Set defaults.
TunnelType=VLAN
TunnelMediumType=IEEE-802
TunnelPrivateGroupId=200
# Only alter Wireless-802.11 requests.
if [ ${NAS_PORT_TYPE} = Wireless-802.11 -a ${REALM} !=
internal.org.com.au ]; then
# Determine VLAN to be used.
if [ ${REALM} = some.other.org.net.au ]; then
# Force user into specific tunnel group.
TunnelPrivateGroupId=1234
elif [ ${REALM} = DEFAULT ]; then
# Force user into specific tunnel group.
TunnelPrivateGroupId=4321
fi
# Return actual VLAN assignment.
echo Tunnel-Type:1 = ${TunnelType}
echo Tunnel-Medium-Type:1 = ${TunnelMediumType}
echo Tunnel-Private-Group-Id:1 = \${TunnelPrivateGroupId}\
fi
exit 0
fruitbox#
Allowing these variables to pass though from untrusted sources may
allow a user to be placed in another organisations tunnel group
which I cannot allow.
Any help or ideas appreciated :)
Jarrod.
-List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
Accounting-Response Log ??
Hi,I have two radius servers. (Freeradius and Juniper SBR).Freeradius server be a radius proxy to proxy all auth/acct requests to Juniper SBR.Then I sometimes found there are some accounting-stop request don't arrival to Juniper SBR. Because Freeradius server and Juniper SBR is in the different subnet and through firewall.I think this problem may cause by firewall.In the radius accounting communication model there should have request and response. Is freeradius log the accounting-response result ?How to enable it ?I want to this log to identify the problem.Thanks.Rio Yang - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Machine + User Authentication
Hello everyoneI would appreciate if anybody could tell me whethere FreeRADIUS supports the following scenario or not.Currently, we have Foundry FastIron Edge 2402 switch. What we need is to deploy 802.1x user AND machine authentication. 1) If (Machine authentication is successfull) then (If User authentication is successfull) Drop the user in their respective VLAN.2) If (Machine authentication is successfull) then (If User authentication is NOT successfull) Drop the user in their default restricted VLAN.3) If (Machine authentication is NOT successfull OR there is no machine certificate) Drop the user in their default restricted VLAN OR Dont allow access to the switch port. Now the question I want to ask is, whethere FreeRADIUS supports the third case i.e. to disallow access OR drop in restricted vlan if machine authentication fails. Cisco Machine Access Restriction 4.0 for Windows ( http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_data_sheet0900aecd802fefd7.html) claims to support the abaove scenario. It would be great if someone could also tell me the relative parameters/configuration for the above particular case, if FreeRADIUS supports it.RegardsHammad - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
WPA authentication works only with MacOS clients
Hello all, I'm using WPA with EAP-TTLS and PEAP with a MacOS .Authentication works fine (even if enough slowly). The problem is that I can't authenticate WinXP client. I've readed that for using EAP-TTLS are required some other supplicant like SecureW2. Is SecureW2 required also for PEAP? Thanks for attention Best Regards, Josh - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pam radius authentication
anyone??? pls!!! no suggestions at all ? :(
Pe 12 Oct 2006, la 12:46, [EMAIL PROTECTED] a scris:
Hello!
I try to authenticate ssh users logins using pam_radius_auth.so.
On my RedHat 9 I have the following setup:
- freeradius server
- users file:
testAuth-Type := Local, User-Password == test
- clients.conf
client 127.0.0.1 {
secret = secret
shortname = localhost
}
-pam radius module
- cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_radius_auth.so debug
auth required /lib/security/pam_unix_auth.so
accountrequired pam_radius_auth.so debug
password required pam_stack.so service=system-auth
sessionrequired pam_stack.so service=system-auth
sessionrequired pam_limits.so
sessionoptional pam_console.so
-cat /etc/raddb/server
127.0.0.1 secret 1
- pam_radius_auth.so is copied in /lib/security
-I created linux user test with home directory /home/test , without setting up
a password
- freeradius started with radiusd -X
Problem is that, when I trie to connect to this machine using ssh, the radius
server receives the request, processes it, sends access-accept, but the ssh
session is ended, without the user being really logged in !!! I don't know the
reason why the user gets rejected...
tail -f /var/log/secure
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: DEBUG:
getservbyname(radius, udp) returned 1108551052.
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: Got RADIUS response
code 2
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: authentication succeeded
Oct 12 11:06:27 D-Server sshd[26585]: Accepted password for test from
10.243.30.42 port 2847 ssh2
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got user name test
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Sending RADIUS request
code 1
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: DEBUG:
getservbyname(radius, udp) returned 1108551052.
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got RADIUS response
code 2
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: authentication succeeded
Oct 12 11:28:30 D-Server sshd[26590]: Accepted password for test from
10.243.30.42 port 2881 ssh2
from radiusd -X :
rad_recv: Access-Request packet from host 127.0.0.1:27615, id=253, length=97
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Identifier = sshd
NAS-Port = 26590
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 512wyse83.cosmote.rom
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry test at line 80
modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 253 to 127.0.0.1 port 27615
Finished request 0
thank you!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
Hi Josh, Hello all, I'm using WPA with EAP-TTLS and PEAP with a MacOS .Authentication works fine (even if enough slowly). The problem is that I can't authenticate WinXP client. I've readed that for using EAP-TTLS are required some other supplicant like SecureW2. Is SecureW2 required also for PEAP? No, the built-in supplicant works. But then your server cert needs to have the TLS Web Server Authentication OID, otherwise the supplicant will refuse to authenticate. This special surprise brought to you by: Microsoft :-) Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473 pgp9eDXTZDrWr.pgp Description: PGP signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: module for deleting attributes
Lars Ricken wrote: How can I understand you developed module for deleting attributes from incoming radius requests. Can You send it to me via email or give a link where I can download it.It's very important for me. I don't think there's any point in deleting attributes in the incoming request. Just don't check those attributes in authorize, that's all. If you've configured FreeRADIUS as a proxy, you want to delete the undesired attributes from the proxy request, not the incoming request. In this case you could use the attr_filter module in the pre-proxy section. See the rlm_attr_filter(5) manpage. PS: Please don't reply to freeradius-devel, this is a question for the freeradius-users mailing list. -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
Hi, Hello all, I'm using WPA with EAP-TTLS and PEAP with a MacOS .Authentication works fine (even if enough slowly). The problem is that I can't authenticate WinXP client. I've readed that for using EAP-TTLS are required some other supplicant like SecureW2. Is SecureW2 required also for PEAP? no. the builtin WinXP supplicant does PEAP natively. however, dont forget that PEAP doesnt deal with plain text passwords - you either need to have NT-hash or use ntlm_auth alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pam radius authentication
Hi, anyone??? pls!!! no suggestions at all ? :( I'd read the INSTALL doc that coems as part of the pam_radius tool. - cat /etc/pam.d/sshd #%PAM-1.0 auth required pam_securetty.so auth sufficient pam_radius_auth.so debug auth required /lib/security/pam_unix_auth.so accountrequired pam_radius_auth.so debug password required pam_stack.so service=system-auth sessionrequired pam_stack.so service=system-auth sessionrequired pam_limits.so sessionoptional pam_console.so no. your invoking pam_radius_auth in the wrong place and for the wrong reason. again the INSTALL is your friend. your radius configuration appears to be correct alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
On 10/16/06, Stefan Winter [EMAIL PROTECTED] wrote: Hi Josh,No, the built-in supplicant works. But then your server cert needs to havethe TLS Web Server Authentication OID, otherwise the supplicant will refuseto authenticate. This special surprise brought to you by: Microsoft :-) Hi Stefan,thank you for the quick answer.Can you tell me the parameter that I must use for having TLS Web Server Authentication OID? I have used - x509 but it is insufficient :) However, thanks.Josh Shamir - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
billing problem in freeradius
Dear All,I want to integrate our billing code in freeradius. and i wants to make a code in c language with mysql database connectivity and i wants to make a so file also . Please help me.ThanksA. K.Anand KumarSoftware Engineer(VoIP) How low will we go? Check out Yahoo! Messengers low PC-to-Phone call rates.- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Autoreply: Reid Canavan is on vacation.
I will be out of the office starting 10/16/2006 and will not return until 10/23/2006. I will respond to your message when I return. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
block users on-the-fly
Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Is there any other means to do that? Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: block users on-the-fly
On Mon 16 Oct 2006 16:25, Guilherme Franco wrote:
Hi,
Does anyone already have a program to block freeradius on-the-fly?
ie: user has PAID = YES in radcheck table.
Sure.
Change:
authorize_check_query = SELECT id, UserName, Attribute, Value, Op \
FROM ${authcheck_table} \
WHERE Username = '%{SQL-User-Name}' AND calledstationid
= '%{Called-Station-Id}' \
ORDER BY id
to
authorize_check_query = SELECT id, UserName, Attribute, Value, Op \
FROM ${authcheck_table} \
WHERE Username = '%{SQL-User-Name}' AND calledstationid
= '%{Called-Station-Id}' \
AND PAID = 'YES' \
ORDER BY id
Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
pgp6m1fcdzGmO.pgp
Description: PGP signature
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: block users on-the-fly
On Mon 16 Oct 2006 16:25, Guilherme Franco wrote: Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Thats the wrong way to do it. Simply disconnect the user on your NAS at the same time as setting PAID = NO. The way you do this depends on your NAS but PoD comes to mind: http://wiki.freeradius.org/POD -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco AP, FreeRADIUS and Fedora Directory Server
Hm, well, sort of, as you get: rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. Probably wrong password. One cannot really be sure as you left out those earlier in this session parts of the _full_ debug output. Same password works when binding to LDAP server from different client applications, sucha as GQ. So I'm pretty sure that password is correct. I'm not sure that how will RADIUS server know to check password against LDAP server while EAP is in place? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: block users on-the-fly
I've been through exactly the same hell authenticating a bunch of VPN users. The fundamental problem is that FreeRADIUS is event-driven: ie, it can only do anything when someone sends a RADIUS request to it. This means, for our purposes, that freeradius needs to be *asked* if a user can continue to be connected. I did this by making VPN users be re-authenticated every 30 minutes by the VPN NAS - if the nas recieves an Access-Accept packet, then all is well, it continues to provide service (I also bundle on some max-upload and max-download attributes, so the user's speed can be changed on their gigabyte total, but this is an aside) - however, if it recieves and access-deny, the user is booted from the nas. What you need to do is get your NAS box to re-authenticate the users every n minutes (or hours or whatever you prefer). Depending on how you're authenticating in the first place, this could be done in any number of ways... However, unless your current solution is either software-based or has the functions in it already, it's probably going to be expensive to implement. If your NAS has a 'status list' function and a 'kick user' function (eg, telnet administration interface), you could write a script that connects to the status list, compares the usernames with the MySQL database, and then connects via telnet to the admin interface to issue a 'kill $user' command. I've seen this done before, and in some cases it can be less resource-intensive than the increased amount of RADIUS auth packets. However it's only really any good for 1 or 2 NAS'es - if you want your system to scale to 30-40 nases then you'll probably want to keep it simple to manage and debug, and get radius to handle periodic reauthentication. Hope this helps, Jan On 16/10/06, Guilherme Franco [EMAIL PROTECTED] wrote: Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Is there any other means to do that? Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: block users on-the-fly
On Oct 16, 2006, at 6:25 AM, Guilherme Franco wrote: Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Is there any other means to do that? Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html The radius protocol only supports processing of authentication requests. Unless you can get your hardware to send a periodic re-auth request, there's no way to have them processed by radius again no matter what you do to the database. Radius has no push capability. Your options are: + Get your hardware to re-auth periodically. + Use another process to boot users (forcing a reauth) when you change the database. Owen PGP.sig Description: This is a digitally signed message part - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: NAS Documentation
I read the mailing list... please send there in the future. On Sunday 15 October 2006 03:04, affora deeb wrote: do u know about IAS windows server 2003 configuration with NORTEL NAS Nope, don't have a clue. I try to avoid any windows that can't stand against a harsh external environment. Maybe someone else on the list can help you with the issues you're finding. -Kevin pgpi0lY8KxAOO.pgp Description: PGP signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Re:Help: How to authenticate additional attribute
Title: Re:Re:Help: How to authenticate additional attribute Cisco APs have a dot11 location config. stmt., I should also have mentioned that the snmp server-location config. stmt. controls the Location-name. For more info, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t2/ht_wispr.htm - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Huntgroupname checkitem in LDAP
Hello, im looking for a way to have my huntgroups defined in LDAP similar to the way they are in SQL. For example if a user belongs to Ldap-Group vpn, the Group in ldap contains an attribute containing the huntgroup names which the Group gives access to. I tried adding checkItem Huntgroup-Name info to my ldap.attrmap with attribute info having value: =~ ^(vpn|sslvpn)$ (without succes) I had success with the following setup: In users: DEFAULT Huntgroup-Name == vpn, Ldap-Group == vpn Fall-Through = no DEFAULT Huntgroup-Name == sslvpn, Ldap-Group == sslvpn Fall-Through = no DEFAULT Auth-Type := Reject This allows to specify which user has access to which nasgroup by adding groupmemberships to the user. But it breaks the users existing in SQL. I could off course also add the specific SQL-Groups into the users file but this would still require a reorganisation of the SQL users since they only have a Huntgroup-Name attribtue for there grouplevel which specifies multiple huntgroups by using regexp. Im kinda stuck in how to implement it. Any advice would be greatly appreciated. J. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: block users on-the-fly
Thanks, I didn't know about the POD (it wasn't on the wiki when I've read it before) On 10/16/06, Peter Nixon [EMAIL PROTECTED] wrote: On Mon 16 Oct 2006 16:25, Guilherme Franco wrote: Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Thats the wrong way to do it. Simply disconnect the user on your NAS at the same time as setting PAID = NO. The way you do this depends on your NAS but PoD comes to mind: http://wiki.freeradius.org/POD -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Guilherme de Oliveira Franco Damovo - Brasil - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
Hi, I can't use NT-hash because I use PAP and I need clear-text password. However I've generated server-side certificates with CA.all script with standart xpextension: [ xpclient_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ xpserver_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.1 Can I modify this OID to create MS-Windows compatible certificates? Or there are some other way to obtain this feature? Best Regards, Josh On 10/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:Hi, Hello all, I'm using WPA with EAP-TTLS and PEAP with a MacOS .Authentication works fine (even if enough slowly). The problem is that I can't authenticate WinXP client. I've readed that for using EAP-TTLS are required some other supplicant like SecureW2. Is SecureW2 required also for PEAP? no. the builtin WinXP supplicant does PEAP natively.however, dont forgetthat PEAP doesnt deal with plain text passwords - you either need to haveNT-hash or use ntlm_authalan-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: block users on-the-fly
Thanks Owen On 10/16/06, Owen DeLong [EMAIL PROTECTED] wrote: On Oct 16, 2006, at 6:25 AM, Guilherme Franco wrote: Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Is there any other means to do that? Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html The radius protocol only supports processing of authentication requests. Unless you can get your hardware to send a periodic re-auth request, there's no way to have them processed by radius again no matter what you do to the database. Radius has no push capability. Your options are: + Get your hardware to re-auth periodically. + Use another process to boot users (forcing a reauth) when you change the database. Owen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Guilherme de Oliveira Franco Damovo - Brasil - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
WPA authentication works only with MacOS clients
Date: Mon, 16 Oct 2006 13:25:22 +0200 From: Josh Shamir [EMAIL PROTECTED] Subject: WPA authentication works only with MacOS clients To: freeradius-users@lists.freeradius.org Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=iso-8859-1 Hello all, I'm using WPA with EAP-TTLS and PEAP with a MacOS .Authentication works fine (even if enough slowly). The problem is that I can't authenticate WinXP client. I've readed that for using EAP-TTLS are required some other supplicant like SecureW2. Is SecureW2 required also for PEAP? You are correct. The Windows supplicant on XP SP2 supports PEAP-MSCHAPv2 otherwise known as PEAPv0 and EAP-TLS. If you want to use EAP-TTLS you have a few choices. You can use a commercial supplicant like Funk Odyssey Access Client (30 day free trial here: http://www.juniper.net/customers/support/products/oac.jsp. It's a great supplicant and supports EAP-TTLS, PEAPv0, PEAPv1, EAP-TLS, EAP-SIM, EAP-GTC etc. You also may want to check if your wireless card has its own supplicant that supports TTLS. Most new laptops come with an Intel Centrino chipset and Intel's Proset Wireless supplicant does support TTLS. It's also faster and has more features than the MS supplicant. If these aren't available options, why not just use PEAP-MSCHAPv2? If you're just doing username/password authentication this should work fine. PEAP and TTLS are very similar in nature and PEAP is supported in OS X and in the Windows supplicant. Thanks for attention Best Regards, Josh -- next part -- An HTML attachment was scrubbed... URL: https://list.xs4all.nl/pipermail/freeradius-users/attachments/20061016/aafb6aa7/attachment-0001.html -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius confirmation
Hi All! I use freeradius with pppoe-server and mysql. If I connect to freeradius, the radius server give confirmation. The content of confirmation : Attributes + Values ex: Framed- Ip-Address, Reply_message etc... These attributes and values is in the my radreply table, in mysql. I modified dictionary file, and I add new attributes to dicrionary and radreply table, but the server not use these new attributes and radius confirmation not content these. Why? Thanks your answers. Steve - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco AP, FreeRADIUS and Fedora Directory Server
On 10/16/06, Mustafa Şenay [EMAIL PROTECTED] wrote: Same password works when binding to LDAP server from different client applications, sucha as GQ. So I'm pretty sure that password is correct. That doesn't mean it works for PEAP too (probably not). See below. I'm not sure that how will RADIUS server know to check password against LDAP server while EAP is in place? It's not so much EAP in general, but the PEAP (i.e. MSCHAPv2 part). However search this list's archive, see documentation etc. and the pertinent parts of the server's debug output you still chose not to provide here. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
Hi Jason,I want to use PEAP.So I can use PEAP on a WinXP SP2 client without any other supplicant, using his native supplicant.The problem is that with native WinXP supplicant the authentication process failed, and freeradius server give me an error regarding certificates. The strange thing is that with the same certificates, PEAP works fine with MacOSx.Could be a problem of certificates ?I generate certificates with CA.all.Any ideas about how generate certificates that works also with MS WixXP client? Thanks for helpBest Regards, Josh - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
sqlippool + MySQL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Does somebody knows how to configure sqlippool with MySQL ?
The sqlippool.conf example is for pgsql. And for MySQL ?
Here is my sqlippool.conf, corrected for MySQL:
sqlippool sqlippool {
#
# SQL connection information
#
sql-instance-name = sql
# lease_duration. fix for lost acc-stop packets
lease-duration = 3600
# Attribute which should be considered unique per NAS
pool-key = %{Acct-Session-Id}
pool-name = mypool
# pool-key = %{Calling-Station-Id}
#
# This series of queries allocates an IP address
#
allocate-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE pool_key = '${pool-key}'
# note the ORDER BY clause of next query, it'll try to allocate IPs
# like Cisco internal pools do - it _trys_ to allocate the same IP-address
# which user had last session...
allocate-find = SELECT FramedIPAddress FROM radippool \
WHERE pool_name = '%{reply:Pool-Name}' AND expiry_time NOW() \
ORDER BY pool_name, (UserName '%{User-Name}'), (CallingStationId
'%{Calling-Station-Id}'), expiry_time \
LIMIT 1 \
FOR UPDATE
allocate-update = UPDATE radippool \
SET NASIPAddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
CallingStationId = '%{Calling-Station-Id}', UserName = '%{User-Name}', \
expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
WHERE FramedIPAddress = '%{Framed-IP-Address}'
#
# This series of queries frees an IP number when an accounting
# START record arrives
#
start-update = UPDATE radippool \
SET expiry_time = NOW() + INTERVAL %J SECOND \
WHERE NASIPAddress = '%n' AND pool_key = '${pool-key}' AND pool_name =
'%P'
#
# This series of queries frees an IP number when an accounting
# STOP record arrives
#
stop-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE NASIPAddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}'
AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress =
'%{Framed-IP-Address}'
#
# This series of queries frees an IP number when an accounting
# ALIVE record arrives
#
alive-update = UPDATE radippool \
SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
WHERE NASIPAddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}'
AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress =
'%{Framed-IP-Address}'
#
# This series of queries frees the IP numbers allocate to a
# NAS when an accounting ON record arrives
#
on-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress =
'%{Framed-IP-Address}'
#
# This series of queries frees the IP numbers allocate to a
# NAS when an accounting OFF record arrives
#
off-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress =
'%{Framed-IP-Address}'
}
Here is the radiusd -X:
...
Mon Oct 16 17:50:50 2006 : Debug: Processing the post-auth section of
radiusd.conf
Mon Oct 16 17:50:50 2006 : Debug: modcall: entering group post-auth for
request 0
Mon Oct 16 17:50:50 2006 : Debug: modsingle[post-auth]: calling
sqlippool (rlm_sqlippool) for request 0
Mon Oct 16 17:50:50 2006 : Debug: rlm_sqlippool: Framed-IP-Address
already exists
Mon Oct 16 17:50:50 2006 : Debug: modsingle[post-auth]: returned from
sqlippool (rlm_sqlippool) for request 0
Mon Oct 16 17:50:50 2006 : Debug: modcall[post-auth]: module
sqlippool returns noop for request 0
Mon Oct 16 17:50:50 2006 : Debug: modcall: leaving group post-auth
(returns noop) for request 0
...
...
Mon Oct 16 17:50:50 2006 : Debug: modsingle[accounting]: calling
sqlippool (rlm_sqlippool) for request 1
Mon Oct 16 17:50:50 2006 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Mon Oct 16 17:50:50 2006 : Debug: radius_xlat: 'BEGIN'
Mon Oct 16 17:50:50 2006 : Debug: radius_xlat: 'UPDATE radippool SET
expiry_time = NOW() + INTERVAL 3600 SECOND WHERE NASIPAddress =
'xx.xx.xx.xx' AND pool_key = '4533F0AA608100' AND pool_name = 'sqlippool''
...
This 'update' will never match !!! Here is the radippool's current line:
mysql select * from radippool;
++---+-+--+-+--+-+--+--+
| id | pool_name | FramedIPAddress | NASIPAddress | CalledStationId |
CallingStationId | expiry_time | UserName | pool_key |
Re: sqlippool + MySQL
Someone needs to do some serious work on sqlippool. I'd do so, but
currently I have no need for SQL-assigned IPs, as I only have one
RADIUS server - and if it fails over, the least thing I have to worry
about is current IP assignments.
I recommend finding someone who is adept at *SQL and buy them a pizza.
Then ask them to 'translate' those queries for you.
Jan
On 16/10/06, Roberto Gonzalez Azevedo [EMAIL PROTECTED] wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Does somebody knows how to configure sqlippool with MySQL ?
The sqlippool.conf example is for pgsql. And for MySQL ?
Here is my sqlippool.conf, corrected for MySQL:
sqlippool sqlippool {
#
# SQL connection information
#
sql-instance-name = sql
# lease_duration. fix for lost acc-stop packets
lease-duration = 3600
# Attribute which should be considered unique per NAS
pool-key = %{Acct-Session-Id}
pool-name = mypool
# pool-key = %{Calling-Station-Id}
#
# This series of queries allocates an IP address
#
allocate-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE pool_key = '${pool-key}'
# note the ORDER BY clause of next query, it'll try to allocate IPs
# like Cisco internal pools do - it _trys_ to allocate the same IP-address
# which user had last session...
allocate-find = SELECT FramedIPAddress FROM radippool \
WHERE pool_name = '%{reply:Pool-Name}' AND expiry_time NOW() \
ORDER BY pool_name, (UserName '%{User-Name}'), (CallingStationId
'%{Calling-Station-Id}'), expiry_time \
LIMIT 1 \
FOR UPDATE
allocate-update = UPDATE radippool \
SET NASIPAddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
CallingStationId = '%{Calling-Station-Id}', UserName = '%{User-Name}', \
expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
WHERE FramedIPAddress = '%{Framed-IP-Address}'
#
# This series of queries frees an IP number when an accounting
# START record arrives
#
start-update = UPDATE radippool \
SET expiry_time = NOW() + INTERVAL %J SECOND \
WHERE NASIPAddress = '%n' AND pool_key = '${pool-key}' AND pool_name =
'%P'
#
# This series of queries frees an IP number when an accounting
# STOP record arrives
#
stop-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE NASIPAddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}'
AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress =
'%{Framed-IP-Address}'
#
# This series of queries frees an IP number when an accounting
# ALIVE record arrives
#
alive-update = UPDATE radippool \
SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
WHERE NASIPAddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}'
AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress =
'%{Framed-IP-Address}'
#
# This series of queries frees the IP numbers allocate to a
# NAS when an accounting ON record arrives
#
on-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress =
'%{Framed-IP-Address}'
#
# This series of queries frees the IP numbers allocate to a
# NAS when an accounting OFF record arrives
#
off-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress =
'%{Framed-IP-Address}'
}
Here is the radiusd -X:
...
Mon Oct 16 17:50:50 2006 : Debug: Processing the post-auth section of
radiusd.conf
Mon Oct 16 17:50:50 2006 : Debug: modcall: entering group post-auth for
request 0
Mon Oct 16 17:50:50 2006 : Debug: modsingle[post-auth]: calling
sqlippool (rlm_sqlippool) for request 0
Mon Oct 16 17:50:50 2006 : Debug: rlm_sqlippool: Framed-IP-Address
already exists
Mon Oct 16 17:50:50 2006 : Debug: modsingle[post-auth]: returned from
sqlippool (rlm_sqlippool) for request 0
Mon Oct 16 17:50:50 2006 : Debug: modcall[post-auth]: module
sqlippool returns noop for request 0
Mon Oct 16 17:50:50 2006 : Debug: modcall: leaving group post-auth
(returns noop) for request 0
...
...
Mon Oct 16 17:50:50 2006 : Debug: modsingle[accounting]: calling
sqlippool (rlm_sqlippool) for request 1
Mon Oct 16 17:50:50 2006 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Mon Oct 16 17:50:50 2006 : Debug: radius_xlat: 'BEGIN'
Mon Oct 16 17:50:50 2006 : Debug: radius_xlat: 'UPDATE radippool SET
expiry_time = NOW() + INTERVAL 3600 SECOND WHERE NASIPAddress =
'xx.xx.xx.xx' AND pool_key = '4533F0AA608100' AND pool_name =
Re: billing problem in freeradius
anand kumar wrote: Dear All, I want to integrate our billing code in freeradius. and i wants to make a code in c language with mysql database connectivity and i wants to make a so file also . Please help me. Thanks A. K. Anand Kumar Software Engineer(VoIP) Hi Anand, I'm not quite sure what you mean. Are you trying to get freeradius to deny authorization when a user meets certain billing-related criteria, eg: haven't paid their bill for x months, have used up all their pre-paid usage, etc? Or, are you trying to log accounting data into a database in some way that the rlm_sql accounting code doesn't already allow you to do? The standard approach is to simply use sql accounting, which will log accounting data to an SQL (MySQL, PostgreSQL, Oracle etc) database, then use billing software to generate bills based on the data in your accounting table, or a capture of that data at a particular instance, or something similar. If you have usage meters or other such software, you'd have those querying the accounting table. Did that help, or am I way off? Cheers, -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Out of touch for a bit...
I've been away and unable to get mail for the past few days, and now my main net connection has a fibre cut. Hopefully I'll be back up and running tomorrow. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: [sec: unclas] Huntgroupname checkitem in LDAP
I have been experimenting with something like this and
found you can (mis)use the hints file to do something like
this:
DEFAULT Hint
=
`%{ldap:ldap:///ou=hosts,dc=demo,dc=org?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}}`
If you want you can use Huntgroup-Name insttead of hint. in
that case, you should add a default, otherwise Huntgroup-Name
gets set to "".
DEFAULT
Huntgroup-Name =
`%{ldap:ldap:///ou=hosts,dc=demo,dc=org?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}:-None}`
In this case, Huntgroup-Name
gets set to None if it isn't found in ldap.
Some
caveats:
The huntgroup file will not
be processed if Huntgroup-Name exists already. Since hints is processed before
huntgroups that will be the
case.
Hints does not implement
fallthrough - you get one match only. If you want to process usernames too,
instantiate another instance.
Another approach I have used
is similar to your solution. i used rules in users like
this:
DEFAULT Ldap-Group ==
`%{Huntgroup-Name}` Access-Level
:= RW, Service-Type =
Administrative-User, Cisco-AVPair
:= "shell:priv-lvl=15",
Passport-Command-Impact = configuration
The huntgroups are defined
in the huntgroups file, or could be defined as above; users are put into groups
corresponding to the huntgroup names.
You can also generate pseudo
groups like this:
DEFAULT Ldap-Group ==
`%{Huntgroup-Name}_RO`
Access-Level := RO, Service-Type =
Nas-Prompt-User
So a user in radius group
sydney_RO gets Readonly access to devices in huntgroup
sydney
For this to work you need to
apply a patch I submitted in the list some time ago, otherwise the substitution
works only once.
regards
Frank
Ranner
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Jonathan De GraeveSent: Tuesday, 17 October 2006
01:18To: freeradius-users@lists.freeradius.orgSubject:
Huntgroupname checkitem in LDAP
Hello, im looking for a way to
have my huntgroups defined in LDAP similar to the way they are in
SQL.
For example if a user belongs to
Ldap-Group vpn, the Group in ldap contains an attribute containing the
huntgroup names which the Group gives access to.
I tried adding checkItem
Huntgroup-Name info to my ldap.attrmap with attribute info having value:
=~ ^(vpn|sslvpn)$ (without succes)
I had success with the following
setup:
In
users:
DEFAULT Huntgroup-Name == vpn,
Ldap-Group == vpn
Fall-Through = no
DEFAULT Huntgroup-Name == sslvpn,
Ldap-Group == sslvpn
Fall-Through = no
DEFAULT Auth-Type :=
Reject
This allows to specify which user
has access to which nasgroup by adding groupmemberships to the user. But it
breaks the users existing in SQL.
I could off course also add the
specific SQL-Groups into the users file but this would still require a
reorganisation of the SQL users since they only have a Huntgroup-Name
attribtue for there grouplevel which specifies multiple huntgroups by using
regexp.
Im kinda stuck in how to
implement it. Any advice would be greatly
appreciated.
J.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
Message: 5 Date: Mon, 16 Oct 2006 22:36:14 +0200 From: Josh Shamir [EMAIL PROTECTED] Subject: Re: WPA authentication works only with MacOS clients To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=iso-8859-1 Hi Jason, I want to use PEAP. So I can use PEAP on a WinXP SP2 client without any other supplicant, using his native supplicant. The problem is that with native WinXP supplicant the authentication process failed, and freeradius server give me an error regarding certificates. The strange thing is that with the same certificates, PEAP works fine with MacOSx. Could be a problem of certificates ? I generate certificates with CA.all. Any ideas about how generate certificates that works also with MS WixXP client? This is a common problem. Windows XP requires that the server and client certificates have specific attributes. This is useful as it prevents a main-in-the-middle attack where an authentic client masquerades as a server with his client cert. You need to use Microsoft's Extended Attributes: [ xpclient_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ xpserver_ext ] extendedKeyUsage = 1.3.6.1.5.5.7.3.1 See http://www.linuxjournal.com/node/8095/print for detailed instructions how to create a server certificate that will work with PEAP and MS clients. The HOWTO is for EAP-TLS which requires client and server certificates. Since you are using PEAP, you just need to create the server certificate. Good luck. In particular you'll want to do: openssl req -new -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf openssl ca -config ./openssl.cnf \ -policy policy_anything -out server_cert.pem \ -extensions xpserver_ext -extfile ./xpextensions \ -infiles ./server_req.pem You'll now have server_cert.pem (Public Certificate) and server_key.pem (Private Key which has no password). The public certificate will have the Server extended key usage extensions set and now your XP client should authenticate. signature.asc Description: OpenPGP digital signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works only with MacOS clients
Message: 5 Date: Mon, 16 Oct 2006 22:36:14 +0200 From: Josh Shamir [EMAIL PROTECTED] Subject: Re: WPA authentication works only with MacOS clients To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=iso-8859-1 Hi Jason, I want to use PEAP. So I can use PEAP on a WinXP SP2 client without any other supplicant, using his native supplicant. The problem is that with native WinXP supplicant the authentication process failed, and freeradius server give me an error regarding certificates. The strange thing is that with the same certificates, PEAP works fine with MacOSx. Could be a problem of certificates ? I generate certificates with CA.all. Any ideas about how generate certificates that works also with MS WixXP client? This is a common problem. Windows XP requires that the server and client certificates have specific attributes. This is useful as it prevents a main-in-the-middle attack where an authentic client masquerades as a server with his client cert. You need to use Microsoft's Extended Attributes: [ xpclient_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ xpserver_ext ] extendedKeyUsage = 1.3.6.1.5.5.7.3.1 See http://www.linuxjournal.com/node/8095/print for detailed instructions how to create a server certificate that will work with PEAP and MS clients. The HOWTO is for EAP-TLS which requires client and server certificates. Since you are using PEAP, you just need to create the server certificate. Good luck. In particular you'll want to do: openssl req -new -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf openssl ca -config ./openssl.cnf \ -policy policy_anything -out server_cert.pem \ -extensions xpserver_ext -extfile ./xpextensions \ -infiles ./server_req.pem You'll now have server_cert.pem (Public Certificate) and server_key.pem (Private Key which has no password). The public certificate will have the Server extended key usage extensions set and now your XP client should authenticate. Jason Wittlin-Cohen P.S: Sorry for the double post. My last message had flowed text making it very difficult to read so I decided to resend it. signature.asc Description: OpenPGP digital signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
