Re: Wifi with Welcome message?
> Like when user joe successfully authenticated with the sql database, if he was connected with NAS IP address X, he receives a Welcome message X and if he authenticated with NAS Y, he receives Welcome message Y. You don't need to run a script to do that.

How would this Welcome message be transported to the client device? Certainly out of RADIUS and 802.1X, right?

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi, L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]  Tel.: +352 424409-1  Fax: +352 422473
http://www.restena.lu

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS (PAP) not working with NT domain - debian freeradius 1.1.7
> Hi, I'm trying to emulate the edunet network wireless roaming network, which primarily uses (in this order):

What exactly is edunet? The only wireless roaming network in the educational sector I know of is *eduroam*. Are you speaking of that or something completely different?

Stefan
Re: FreeRADIUS + OpenLDAP + NAS (it?s make me crazy!!! please HELP)
Thank you... now it works and succeeds. But if my client disconnects and reconnects again, now it doesn't need to input user name and password again. It's directly connected. Is it right???
Re: rlm_exec use
T Kid82 wrote:
> > Could you explain why you think that? None of the documentation or default configuration files say that. Note that the module return code "OK" or "success" does NOT mean "let the user in without checking their password".
>
> That is a revelation to me.

A simple explanation: There are many modules that are executed for each authentication request. If "ok" meant "let the user in", then *any* time a module worked, it would let the user in. This just doesn't make sense.

> > You set Auth-Type just like setting any other attribute. See "man unlang" for examples.
>
> I will definitely look through the documentation. Is there a specific Auth-Type that would be appropriate for my simple case? I guess what I am asking is, can you give me an example of an Auth-Type other than the Perl example?

If you want your exec module to be run, create an Auth-Type for it. This is the purpose of the Auth-Type sub-sections of "authenticate".

Alan DeKok.
Post-proxy and rlm_perl
Hi,

I have to use FreeRADIUS v2.0.1 in a proxy configuration for translating attributes between two vendor-specific pieces of equipment (Alcatel-Lucent and Redback).

In a first phase (pre-proxy, then), I use the preproxy_user file to add attributes to the proxied requests and attr_filter to block others.

In a second phase (the post-proxy phase, I assume), when the reply comes from the home FreeRADIUS, I have to go through the same kind of process (add attributes whose values are taken from a database), but I can't find an equivalent of the preproxy_user file for the post-proxy phase.

I think that using a perl script with rlm_perl will do this work in the post-proxy function, but when I try to manipulate attributes from the home server response, I can't find them in the %RAD_REQUEST and %RAD_REPLY hashes, and I can see this kind of log:

    rlm_perl: Added pair Attribute1 = Value1
    ...

with the attributes I need from the home server, but only after the execution of my code in the post-proxy function.

I found in the wiki that %RAD_PROXY or %RAD_PROXY_REPLY could be my solution, but when I try to use them, I get an error during the launch of radiusd.

Does anyone know how I can get the attributes coming in the Access-Accept from my server, and put new attributes in the Access-Accept sent to the original client? Finding a way to do this in rlm_perl could be a solution, but if there is another solution, directly in a FreeRADIUS mechanism I missed during my research, I will use it instead :)

Regards,

Julien Leloup
Axione
130/132 Boulevard Camélinat
92240 MALAKOFF
FRANCE
Re: Post-proxy and rlm_perl
%RAD_REQUEST_PROXY and %RAD_REQUEST_PROXY_REPLY should do the job.

Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002

On Mar 20, 2008, at 11:27 AM, Julien Leloup wrote:
> [...]
> Does anyone know how I can get the attributes coming in the Access-Accept from my server, and put new attributes in the Access-Accept sent to the original client?
> [...]
Re: Post-proxy and rlm_perl
Thanks for spending time on my problem, it works fine.

Best regards,

Julien Leloup
Axione

Boian Jordanov wrote:
> %RAD_REQUEST_PROXY and %RAD_REQUEST_PROXY_REPLY should do the job.
> [...]
Re: FreeRADIUS + OpenLDAP + NAS (it?s make me crazy!!! please HELP)
Not really. But Windows XP caches credentials: http://support.microsoft.com/kb/823731

Ivan Kalik
Kalik Informatika ISP

On 20/3/2008, Koko Kurniawan [EMAIL PROTECTED] wrote:
> [...] if my client disconnects and reconnects again, now it doesn't need to input user name and password again. It's directly connected. Is it right???
Re: MACAddress silent authentication in LDAP using freeradius 2.0.2
In MAC authentication the MAC address is used as the username. So you will have to create entries that have (only) username equal to the MAC address and radiusAuthType Accept.

Ivan Kalik
Kalik Informatika ISP

On 19/3/2008, Eric Martell [EMAIL PROTECTED] wrote:
> Please let me know if this topic is already discussed or has a doc/wiki. If yes, please guide me to the right thread. Thanks.
>
> We are going to use the MAC address as silent authentication. When the user tries to connect to the WiFi access point, Aptilo Networks is going to send the MAC address as the User-Name attribute to freeradius. The User-Password attribute will be empty.
>
> We are storing MAC addresses in LDAP under the device tree through user interface tools. The LDAP tree is as follows:
>
>     deviceid = 111
>     macaddress = 001122334455
>     devicename = Personal PC
>
>     deviceid = 222
>     macaddress = 001199887766
>     devicename = SIP Phone
>
> How do I configure the ldap module in freeradius so that it checks if the MAC address exists in LDAP and returns Access-Accept or Access-Reject along with a reply of devicename? Not sure how I handle this in authorization or authentication or post-auth. There are NO passwords. I am using freeradius-2.0.2. Is there a way I can use unlang?
>
> Thanks and Regards.
php resource application
Hi,

I have a working client which authenticates with the radius server. I wanted to know if anyone has had experience of using a php/sql application called mrbs. I want the application to use radius authentication to authenticate users logging into this resource booking application. There are scripts provided for other forms of authentication (i.e. pam, ldap, smb); however, I wanted to know if anyone has created a php or any other kind of script to do this. It looks like I will need to add a php script to authenticate but am not sure what needs to go in it.

Charnjit
Re: php resource application
Charnjit Sidhu wrote:
> Hi,
> I have a working client which authenticates with the radius server. I wanted to know if anyone has had experience of using a php/sql application called mrbs.
> [...]
> It looks like I will need to add a php script to authenticate but am not sure what needs to go in it.

http://uk.php.net/manual/en/ref.radius.php

You should be able to build a simple PAP authentication client from the notes floating around on PHP.net. You'll need to compile in RADIUS support / install a shared module using PECL.

Arran
Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Hi All,

I'm having a problem trying to configure proxying from one radius to another. Users are connecting using 802.1X with EAP/PEAP. There are two groups of users: one group are authenticated on the main radius using local LDAP. However, the second group of users have to be authenticated via the radius proxy. The problem is the radius proxy does not have EAP configured and it's not an option to reconfigure it with EAP.

From the threads, I found something similar in http://lists.freeradius.org/pipermail/freeradius-users/2008-February/069230.html. Will this apply to my situation as well?

Thanks/Regards,
Ryan
RE: incorrect shared secret entry authenticates successfully for freeradius
Hi Phil,

I checked the issue with MSCHAP v1 and v2 as well. Even there the authentication passes for an incorrect secret key.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Phil Mayers
Sent: Tuesday, March 18, 2008 7:24 PM
To: FreeRadius users mailing list
Subject: Re: incorrect shared secret entry authenticates successfully for freeradius

> [EMAIL PROTECTED] wrote:
> > Hi,
> > I am using the following configuration:
> >
> >     O/S: rhel4_u5_i386
> >     Freeradius 1.1.7
> >     Client to test: NTRadPing 1.5
> >
> > Steps undertaken:
> > - Installed a fresh system with rhel4_u5_i386
> > - Built and compiled freeradius 1.1.7 on it.
> > - Updated the clients.conf file to add the client entries for the machine that uses NTRadPing 1.5 (IP of the client machine and the shared secret)
> > - Started the radiusd daemon in debug mode (radiusd -X)
> > - Now generate a simple PAP authentication request using NTRadPing. (Port is 1812, also provide the shared secret correctly.) The authentication passes successfully as it should. Now give a junk secret key in the NTRadPing utility. The access is rejected.
> > - However, when the same cases are tried for CHAP we can see the difference. In the first case the authentication is successful; however, when we give a junk shared secret the authentication should ideally have been rejected. However, the authentication passes successfully.
> >
> > NOTE: I tried the same for MSCHAPv1 and MSCHAPv2 authentication using a VPN client. There I can see clearly that the access is not granted to the VPN client. However, when we look at the radius logs it can be seen that the Authentication request responds with a Successful message.
> >
> > Any help or info in this regard would be highly appreciated.
>
> Only certain radius AVPs are encrypted with the shared secret:
>
>     fgrep encrypt /usr/share/freeradius/dictionary*
>
> User-Password is one, so PAP fails if the shared secret is wrong. The CHAP attributes are not, so the request succeeds.
>
> The MS-CHAP-MPPE-Keys or MS-MPPE-Send-Key/MS-MPPE-Recv-Key reply attributes are encrypted, so MS-CHAP will fail.
>
> Many recent radius clients support the Message-Authenticator attribute, which is a signature over the entire packet's AVPs encrypted with the shared secret. This will cause incorrect shared secrets to reject an entire packet. See section 3.2 of RFC 3579.
>
> If your NAS supplies Message-Authenticator, you could refuse packets without one:
>
>     DEFAULT Message-Authenticator !* ANY, Auth-Type := Reject
Re: listen { type = detail } - Forked accounting
Hi,

With eduroam, it's good practice to proxy accounting packets back to the home server. But it's also very useful to record those accounting packets.

Before, I just set up the proxy in pre-acct, then listed the SQL module in accounting, and let the accounting server send the accounting-reply... I never really liked this way because if the remote accounting server was down, it would mean lots of repeat accounting packets.

What I want to do now is write out the accounting packet to two detail files, something like acct-buffer-sql and acct-buffer-proxy. Use one file to populate our local SQL db, and the other to deal with proxying the accounting information back to the home server.

This would mean duplicate accounting-response packets being sent, which isn't ideal. Is there any way to stop the server sending an accounting response packet when it receives the reply from the home server?

Thanks,
Arran
Re: incorrect shared secret entry authenticates successfully for freeradius
NTRadPing is a very bad client to test real authentication. While it says it has an Access-Accept packet, it isn't doing any proper checking of the packet.

All Access-Accept packets are signed by the server using the shared secret. A good client will check that signature. A packet with a bad signature is rejected by a proper client even though the server sent an Access-Accept.

Your test and discussion are pointless because the client NTRadPing is not telling you that the packet is invalid. It's just displaying the packet's contents.

PAP is the only authentication method where you would get an Access-Reject with a bad secret.

[EMAIL PROTECTED] wrote:
> Hi Phil,
>
> I checked the issue with MSCHAP v1 and v2 as well. Even there the authentication passes for an incorrect secret key.
> [...]
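The two replies above make three separate points: the CHAP-Password attribute is computed from the user's password and a challenge, not from the NAS shared secret, whereas User-Password is hidden with a keystream derived from that secret; Message-Authenticator (RFC 3579 3.2) is an HMAC-MD5 over the whole request keyed with the secret; and every reply carries a Response Authenticator that a client such as NTRadPing must verify before believing an Access-Accept. The model below reproduces all three with both sides of the exchange in one file. It is an added example written for this page, not code from the thread or from FreeRADIUS: the user name "joe", the password, the two shared secrets and the USERS table are constructed, and the server is a minimal stand-in that implements only the checks the thread discusses.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 3, 80  # attribute types
USERS = {b"joe": b"hunter2"}  # constructed user database for the model server

def encode_attrs(attrs):
    """Serialise [(type, value), ...] as RADIUS type/length/value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_packet(raw):
    code, pkt_id, length = struct.unpack("!BBH", raw[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = raw[pos], raw[pos + 1]
        attrs.append((t, raw[pos + 2:pos + l]))
        pos += l
    return code, pkt_id, raw[4:20], attrs

def pap_crypt(data, secret, authenticator, hide):
    """RFC 2865 5.2 User-Password hiding (hide=True) and its inverse: XOR with an MD5
    keystream seeded by the shared secret, so a wrong secret garbles the password."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def chap_response(ident, password, challenge):
    """RFC 1994 CHAP: MD5(id + password + challenge). The shared secret is not an input."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def message_authenticator(code, pkt_id, authenticator, attrs, secret):
    """RFC 3579 3.2: HMAC-MD5 over the whole packet, with the attribute itself zeroed."""
    body = encode_attrs([(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    header = struct.pack("!BBH", code, pkt_id, 20 + len(body))
    return hmac.new(secret, header + authenticator + body, hashlib.md5).digest()

def build_access_request(pkt_id, user, password, secret, method, sign=False):
    """Client side. CHAP uses the Request Authenticator as the challenge (RFC 2865 5.3)."""
    authenticator = os.urandom(16)
    attrs = [(USER_NAME, user)]
    if method == "pap":
        attrs.append((USER_PASSWORD, pap_crypt(password, secret, authenticator, hide=True)))
    else:
        attrs.append((CHAP_PASSWORD, chap_response(pkt_id & 0xFF, password, authenticator)))
    if sign:  # append a zeroed Message-Authenticator, then fill in the HMAC over the packet
        attrs.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(ACCESS_REQUEST, pkt_id, authenticator, attrs, secret))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(body)) + authenticator + body

def build_response(code, pkt_id, request_authenticator, attrs, secret):
    """RFC 2865 3: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, pkt_id, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body

def server_handle(raw, secret, require_message_authenticator=False):
    """Model server: returns a reply, or None if the request is silently discarded
    because its Message-Authenticator does not verify (RFC 3579 3.2)."""
    code, pkt_id, authenticator, attrs = parse_packet(raw)
    ad = dict(attrs)
    if MESSAGE_AUTHENTICATOR in ad:
        expected = message_authenticator(code, pkt_id, authenticator, attrs, secret)
        if not hmac.compare_digest(expected, ad[MESSAGE_AUTHENTICATOR]):
            return None
    elif require_message_authenticator:  # the thread's "DEFAULT Message-Authenticator !* ANY" entry
        return build_response(ACCESS_REJECT, pkt_id, authenticator, [], secret)
    password, ok = USERS.get(ad.get(USER_NAME)), False
    if password and USER_PASSWORD in ad:
        ok = pap_crypt(ad[USER_PASSWORD], secret, authenticator, hide=False) == password
    elif password and CHAP_PASSWORD in ad:
        ok = chap_response(ad[CHAP_PASSWORD][0], password, authenticator) == ad[CHAP_PASSWORD]
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, pkt_id, authenticator, [], secret)

def client_check_response(raw_response, request_authenticator, secret):
    """The check NTRadPing apparently skips: verify the Response Authenticator."""
    _, _, resp_auth, attrs = parse_packet(raw_response)
    expected = hashlib.md5(raw_response[:4] + request_authenticator + encode_attrs(attrs) + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def run_scenarios():
    """Returns {case: (server reply code or None, client accepted the reply)}."""
    server_secret, results = b"correct-secret", {}
    cases = [  # name, method, client's secret, client adds Message-Authenticator, server requires it
        ("pap-good-secret", "pap", server_secret, False, False),
        ("pap-bad-secret", "pap", b"junk", False, False),
        ("chap-bad-secret", "chap", b"junk", False, False),
        ("chap-bad-secret-signed", "chap", b"junk", True, False),
        ("chap-bad-secret-ma-required", "chap", b"junk", False, True),
    ]
    for name, method, client_secret, sign, require_ma in cases:
        req = build_access_request(7, b"joe", b"hunter2", client_secret, method, sign)
        resp = server_handle(req, server_secret, require_ma)
        results[name] = (None, False) if resp is None else (resp[0], client_check_response(resp, req[4:20], client_secret))
    return results
```

run_scenarios() returns, per case, the code of the model server's reply (2 = Access-Accept, 3 = Access-Reject, None = silently discarded) and whether the client's Response Authenticator check passed. The "chap-bad-secret" case is the one reported in the thread: the server answers Access-Accept because nothing in a CHAP request depends on the shared secret, and only a client that verifies the Response Authenticator notices that the two secrets differ. Adding a Message-Authenticator, or rejecting requests that lack one, moves that detection to the server.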
Re: MACAddress silent authentication in LDAP using freeradius 2.0.2
Hi Ivan,

Thanks for the response. I am a newbie for freeradius. Not sure which file I should configure this in? I have the ldap module configured in radiusd.conf. Can you please be more specific? I will really appreciate that.

Thanks and Regards.

--- Ivan Kalik [EMAIL PROTECTED] wrote:
> In MAC authentication the MAC address is used as the username. So you will have to create entries that have (only) username equal to the MAC address and radiusAuthType Accept.
> [...]
Re: listen { type = detail } - Forked accounting
Arran Cudbard-Bell wrote:
> What I want to do now is write out the accounting packet to two detail files, something like acct-buffer-sql and acct-buffer-proxy.

I don't think you need two detail files.

> Use one file to populate our local SQL db, and the other to deal with proxying the accounting information back to the home server.

forward to the home server.

> This would mean duplicate accounting-response packets being sent,

Huh? No.

> which isn't ideal. Is there any way to stop the server sending an accounting response packet when it receives the reply from the home server?

Set up *one* detail file, and the server will work like this:

1. NAS sends Accounting-Request to the server.
2. The server logs it to detail (and SQL, and anywhere else)
3. The server responds to the NAS with Accounting-Response
4. The server discovers a packet in the detail file, and reads it
5. The server decides it has to be proxied
6. The server proxies it.
7. The server (eventually) gets a response
8. The server responds to the client.

Q: What is the client in (8)?
A: The detail file!

So there *is* an Accounting-Response sent after the reply from the home server. But it's sent to the place where the packet came from: the detail file. In this case, the detail file code says "thanks", and doesn't send the packet anywhere.

This is the Right Thing to do.

Alan DeKok.
Freeradius Execute Script
I understand that it is possible to have Freeradius execute a script when a user authenticates. What I want to do is to be able to pass that user name and the client's IP address to the script.

This is my setup: I have freeradius with mysql set up.

radgroupreply table:

    groupname   | attribute         | op | value
    testprogram | Exec-Program-Wait | == | /usr/local/etc/raddb/test.pl

When user Joe authenticates with his credentials, radius would look in mysql and execute the test.pl script. How can I pass the user name joe and the client's IP address to the test.pl script?

Thanks in advance ..
Re: MACAddress silent authentication in LDAP using freeradius 2.0.2
No file. These are ldap entries which you need to make. You have entries as devices - now make entries as users.

Ivan Kalik
Kalik Informatika ISP

On 20/3/2008, Eric Martell [EMAIL PROTECTED] wrote:
> Hi Ivan,
> Thanks for the response. I am a newbie for freeradius. Not sure which file I should configure this in? I have the ldap module configured in radiusd.conf. Can you please be more specific?
> [...]
Re: MACAddress silent authentication in LDAP using freeradius 2.0.2
> Bit confusing.. do you want me to create entries in ldap as,

No:

    uid = 001122334455
    radiusAuthType = Accept

Forget about the device entries. radius authenticates users. Have a look at the filter configured in the ldap section of radiusd.conf.

> If yes, what additional changes do I have to do in freeradius and how can I return devicename along with the freeradius reply?

And what would you do with that? Groups? Then create group entries for them and use memberof in the (mac) user entry.

Ivan Kalik
Kalik Informatika ISP
Re: MACAddress silent authentication in LDAP using freeradius 2.0.2
PS. Sorry, got mixed up. radiusGroupName for group membership.

Ivan Kalik
Kalik Informatika ISP

On 20/3/2008, Eric Martell [EMAIL PROTECTED] wrote:
> Hi Ivan,
>
> Bit confusing.. do you want me to create entries in ldap as,
>
>     deviceid = 111
>     macaddress = 001122334455
>     username = 001122334455
>     radiusAuthType = Accept
>     devicename = Personal PC
>
>     deviceid = 222
>     macaddress = 001199887766
>     username = 001199887766
>     radiusAuthType = Accept
>     devicename = SIP Phone
>
> If yes, what additional changes do I have to do in freeradius and how can I return devicename along with the freeradius reply? Please reply.
>
> Thanks and Regards.
>
> --- Ivan Kalik [EMAIL PROTECTED] wrote:
> > No file. These are ldap entries which you need to make. You have entries as devices - now make entries as users.
> > [...]
RE: freeradius 2GB problem
Hi,

I've got the same issue. The check_item value wraps to -2G. It gives a negative value with counter = 0 (no traffic from the user). With a value of 200,000 of traffic, Check item - counter becomes positive again: -2147483648 - 200,000 > 0 as the result reaches the negative limit. Would this be due to a check_item coded on a 32 bit field (eg int), I wonder? The value in the SQL table is an INT(20) and displays correctly with a value > 2G.

David Roze
http://www.netexpertise.eu

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rahul Nakra
Sent: 19 March 2008 13:21
To: freeradius-users@lists.freeradius.org
Subject: freeradius 2GB problem

I am using freeradius 2.0 with the default schema which comes with that. Following is the database entry. It shows a new user who never logged in before. If I give a value of Max-All-Data 2147483646 it works fine. Anything above it doesn't work. Attached is the radius log where it displays a negative value for sqlcounter.

mysql> select * from radcheck;
+----+----------+--------------+----+------------+
| id | username | attribute    | op | value      |
+----+----------+--------------+----+------------+
|  1 | rahul    | password     | == | rahul      |
|  2 | rahul    | Max-All-Data | := | 2147483648 |
+----+----------+--------------+----+------------+
2 rows in set (0.00 sec)

sqlcounter
----------
sqlcounter usagelimitDOWN {
    counter-name = Max-All-Session-Data
    check-name = Max-All-Data
    reply-name = Mikrotik-Xmit-Limit
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='%{%k}'"
}

        User-Name = rahul
        User-Password = rahul
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = rahul, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
        expand: %{User-Name} -> rahul
rlm_sql (sql): sql_set_user escaped user --> 'rahul'
rlm_sql (sql): Reserving sql socket id: 4
        expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rahul' ORDER BY id
WARNING: Found User-Password ==
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See man rlm_pap for more information.
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rahul' ORDER BY id
        expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'rahul' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='%{User-Name}''
        expand: select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='%{User-Name}' -> select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='rahul'
sqlcounter_expand: '%{sql:select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='rahul'}'
rlm_sql (sql): - sql_xlat
        expand: %{User-Name} -> rahul
rlm_sql (sql): sql_set_user escaped user --> 'rahul'
        expand: select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='rahul' -> select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='rahul'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): row[0] returned NULL
rlm_sql (sql): Released sql socket id: 3
        expand: %{sql:select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='rahul'} ->
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user rahul, check_item=-2147483648, counter=0
++[usagelimitDOWN] returns reject
Invalid user (rlm_sqlcounter: Maximum never usage time reached): [rahul/rahul] (from client localhost port 1812)
Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> rahul
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
        Reply-Message = Your maximum never usage time has been reached
Waking up in 4.9 seconds.
Cleaning up request 0
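What David and Rahul are seeing is a signed 32-bit wrap, and it can be reproduced outside the server. The C below is an added example written for this page, not code from FreeRADIUS or from either poster: it models the Max-All-Data check item and the "check item - counter" difference as a 32-bit int, with the wrap done explicitly through unsigned arithmetic so the program itself has no undefined behaviour, and runs the same cases through 64-bit arithmetic for comparison. How rlm_sqlcounter holds these values internally is not claimed here; the model only follows the arithmetic the two posts describe.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Reduce a 64-bit value to what a 32-bit signed int would hold.
 * Conversion to uint32_t is modular (well defined); the step back to a
 * negative int32_t is spelled out instead of relying on a cast, so the
 * demonstration is portable and free of signed-overflow UB.
 */
static int32_t to_int32(int64_t v)
{
    uint32_t u = (uint32_t)v;
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    return (int32_t)((int64_t)u - 4294967296LL);
}

/* 1 = reject, 0 = allow, with the values squeezed into 32 bits as observed in the thread */
int reject_with_int32(int64_t limit, int64_t used)
{
    int32_t check_item = to_int32(limit);                     /* 2147483648 -> -2147483648 */
    int32_t remaining  = to_int32((int64_t)check_item - used);
    return remaining < 0;                  /* "(Check item - counter) is less than zero" */
}

/* The same decision in 64-bit arithmetic: nothing wraps, so this is the real answer */
int reject_with_int64(int64_t limit, int64_t used)
{
    return limit - used < 0;
}

int main(void)
{
    /* Constructed cases: the two from the thread plus one over the limit */
    struct { int64_t limit, used; const char *note; } cases[] = {
        { 2147483646LL, 0,             "Rahul: limit below 2^31 works" },
        { 2147483648LL, 0,             "Rahul: new user rejected at 2^31" },
        { 2147483648LL, 200000,        "David: difference goes positive again" },
        { 2147483648LL, 4294967297LL,  "twice the limit used, 32-bit still allows" },
    };
    printf("%-12s %-12s %-8s %-8s  note\n", "limit", "used", "int32", "int64");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-12lld %-12lld %-8s %-8s  %s\n",
               (long long)cases[i].limit, (long long)cases[i].used,
               reject_with_int32(cases[i].limit, cases[i].used) ? "reject" : "allow",
               reject_with_int64(cases[i].limit, cases[i].used) ? "reject" : "allow",
               cases[i].note);
    }
    return 0;
}
```

The 32-bit column rejects a brand-new user at a 2147483648 limit (Rahul's log), turns positive again once 200,000 octets have been used (David's observation), and in the last row allows a user who has consumed about twice the limit; only the 64-bit column is right in every row, which is why a limit above 2 GiB needs the check item and the counter held in 64-bit types end to end. On the database side, MySQL's INT(20) is only a display width: a signed INT still stops at 2147483647, and octet totals beyond that need a BIGINT column.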
FW: php resource application
Hi,

I need what is called an Authen/Radius.pm file for my application authentication. Does anyone know where I can get one of these from? This is to allow my perl script to run Authen::Radius.

Charnjit

From: Charnjit Sidhu
Sent: Thu 3/20/2008 12:15 PM
To: freeradius-users@lists.freeradius.org
Subject: php resource application

Hi,

I have a working client which authenticates with the radius server. I wanted to know if anyone has had experience of using a php/sql application called mrbs. I want the application to use radius authentication to authenticate users logging into this resource booking application. There are scripts provided for other forms of authentication (ie pam, ldap, smb), however I wanted to know if anyone has created a php or any other kind of script to do this. It looks like I will need to add a php script to authenticate but I'm not sure what needs to go in it.

Charnjit
Re: php resource application
On 20 Mar 2008, at 17:19, Charnjit Sidhu wrote:
> Hi,
>
> I need what is called an Authen/Radius.pm file for my application authentication. Does anyone know where I can get one of these from? This is to allow my perl script to run Authen::Radius.

http://search.cpan.org/dist/RadiusPerl/

cheers,
pedro
--
you don't code php. you merely edit it until it works. - merlyn
Re: FW: php resource application
Hi,

> Hi,
>
> I need what is called an Authen/Radius.pm file for my application authentication. Does anyone know where I can get one of these from? This is to allow my perl script to run Authen::Radius.

PERL library, sometimes installable via eg perl-authen-radius.rpm or somesuch, or download the PERL code from cpan.org - either through the web interface, extract the tarball, perl Makefile.pl and make install, or use PERL with CPAN to get the file... eg

perl -MCPAN -e shell
cpan> install Authen::Radius

alan
Freeradius with Nortel WSS 2300
Has anyone tried to use free radius to authenticate users via username/password to a Nortel wireless security switch 2300? I can get 802.1x working with a self-signed cert but want to be able to do plain username/password authentication.

Mike Wing
IT Manager
Anaheim Ducks
Honda Center
(714) 704-2549 phone
(714) 704-2406 fax
[EMAIL PROTECTED]
rlm_sqlcounter + reset=never
Hi,

I'm using the sqlcounter noresetcounter, which sets the reset to never. When it sends back the reply, it ends up looking like:

Your maximum never usage time has been reached

Is there a way to change it short of just changing the line:

snprintf(msg, sizeof(msg), "Your maximum %s usage time has been reached", data->reset);

not to insert data->reset?

Thanks, Tuc
Re: Freeradius with Nortel WSS 2300
So set up the supplicant to use the authentication method you want.

Ivan Kalik
Kalik Informatika ISP

Dana 20/3/2008, Mike Wing [EMAIL PROTECTED] piše:
> Has anyone tried to use free radius to authenticate users via username/password to a Nortel wireless security switch 2300? I can get 802.1x working with a self-signed cert but want to be able to do plain username/password authentication.
>
> Mike Wing
> IT Manager
> Anaheim Ducks
> Honda Center
> (714) 704-2549 phone
> (714) 704-2406 fax
> [EMAIL PROTECTED]
Hint. Need help
Hello

Please, what hint should I add to the hints file to remove the Nas-Port-ID attribute

Nas-Port-ID = GigabitEthernet 0/0/3.23203101:2321-121

and add PortID like this

PortID = 2321-121

?

Thanks
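The question amounts to deriving PortID = 2321-121 from the tail of the NAS-Port-Id value. The C below is an added example written for this page, not an answer from the thread or code from FreeRADIUS: it pulls the trailing port id out with a POSIX regular expression and refuses any value that does not end in "<digits>-<digits>", so a malformed NAS-Port-Id leaves the request untouched instead of setting a bogus PortID. The pattern is the same one an unlang =~ condition with a %{1} capture would use, and PortID is a non-standard name that would need a local dictionary entry; both of those are assumptions about how this would be wired into the server, not something the post states.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/*
 * Extract the trailing port id from a NAS-Port-Id such as
 * "GigabitEthernet 0/0/3.23203101:2321-121".  Only a value ending in
 * ":<digits>-<digits>" is accepted.  Returns out (holding "2321-121")
 * on success, NULL when the value does not match or out is too small,
 * so the caller can simply not set PortID in that case.
 */
char *port_id_from_nas_port_id(const char *nas_port_id, char *out, size_t outsz)
{
    regex_t re;
    regmatch_t m[2];          /* m[0] = whole match, m[1] = the capture group */
    char *result = NULL;

    /* Anchored at the end of the string so a stray ':' earlier cannot match. */
    if (regcomp(&re, ":([0-9]+-[0-9]+)$", REG_EXTENDED) != 0)
        return NULL;

    if (regexec(&re, nas_port_id, 2, m, 0) == 0) {
        size_t len = (size_t)(m[1].rm_eo - m[1].rm_so);
        if (len < outsz) {
            memcpy(out, nas_port_id + m[1].rm_so, len);
            out[len] = '\0';
            result = out;
        }
    }
    regfree(&re);
    return result;
}

int main(void)
{
    /* Constructed samples: the value from the question plus two that must not produce a PortID */
    const char *samples[] = {
        "GigabitEthernet 0/0/3.23203101:2321-121",
        "GigabitEthernet 0/0/3",
        "eth0:abc-123",
    };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (port_id_from_nas_port_id(samples[i], buf, sizeof buf))
            printf("%-42s -> PortID = %s\n", samples[i], buf);
        else
            printf("%-42s -> no PortID (attribute left unset)\n", samples[i]);
    }
    return 0;
}
```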
Re: rlm_exec use
> Yes... but from the debug output you posted, it looks like you deleted everything *else*

The debug output I pasted was not in its entirety. I did not paste any preceding output since it looked fine to me. No errors.

> Could you explain why you think that? None of the documentation or default configuration files say that. Note that the module return code OK or success does NOT mean let the user in without checking their password.

That is a revelation to me.

> You set Auth-Type just like setting any other attribute. See man unlang for examples.

I will definitely look through the documentation. Is there a specific Auth-Type that would be appropriate for my simple case? I guess what I am asking is, can you give me an example of an Auth-Type other than the Perl example?

On Wed, Mar 19, 2008 at 1:59 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> T Kid82 wrote:
> > I got this from the comments in exec-program-wait (which has been deprecated) where it explains how to use rlm_exec. It says, An entry for the module 'rlm_exec' must be added to the file 'radiusd.conf' with the path of the script.
>
> Yes... but from the debug output you posted, it looks like you deleted everything *else*.
>
> > Why would this let all users through? I thought that since I am always returning 3 to the server, that this would let all users pass through.
>
> Could you explain why you think that? None of the documentation or default configuration files say that. Note that the module return code OK or success does NOT mean let the user in without checking their password.
>
> > you didn't set Auth-Type
> >
> > Where do I set the Auth-Type? Can you provide a sample code snippet on how to do this? Or perhaps a link to the doc.
>
> You set Auth-Type just like setting any other attribute. See man unlang for examples.
>
> Alan DeKok.
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Hi Ivan,

Bit confusing.. do you want me to create entries in ldap as,

deviceid = 111
macaddress = 001122334455
username = 001122334455
radiusAuthType = Accept
devicename = Personal PC.

deviceid = 222
macaddress = 001199887766
username = 001199887766
radiusAuthType = Accept
devicename = SIP Phone.

If yes, what additional changes do I have to make in freeradius, and how can I return devicename along with the freeradius reply? Please reply.

Thanks and Regards.

--- Ivan Kalik [EMAIL PROTECTED] wrote:
> No file. These are ldap entries which you need to make. You have entries as devices - now make entries as users.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> Dana 20/3/2008, Eric Martell [EMAIL PROTECTED] piše:
> > Hi Ivan,
> >
> > Thanks for the response. I am a newbie to freeradius. Not sure in which file I should configure this? I have the ldap module configured in radiusd.conf. Can you please be more specific? I will really appreciate that.
> >
> > Thanks and Regards.
> >
> > --- Ivan Kalik [EMAIL PROTECTED] wrote:
> > > In mac authentication the mac address is used as username. So you will have to create entries that have (only) username equal to mac address and radiusAuthType Accept.
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP
> > >
> > > Dana 19/3/2008, Eric Martell [EMAIL PROTECTED] piše:
> > > > Please let me know if this topic is already discussed or has a doc/wiki. If yes, please guide me to the right thread. Thanks.
> > > >
> > > > We are going to use the MAC address as silent authentication. When a user tries to connect to the WIFI Access point, Aptilo Networks is going to send the MAC address as the User-Name attribute to freeradius. The User-Password attribute will be empty. We are storing MAC addresses in the LDAP under the device tree thru user interface tools. The LDAP tree is as,
> > > >
> > > > deviceid = 111
> > > > macaddress = 001122334455
> > > > devicename = Personal PC.
> > > >
> > > > deviceid = 222
> > > > macaddress = 001199887766
> > > > devicename = SIP Phone.
> > > >
> > > > How do I configure the ldap module in freeradius so that it checks if the MAC address exists in LDAP and returns Access-Accept or Access-Reject along with a reply of devicename? Not sure how I handle this in authorization or authentication or post-auth? There are NO passwords. I am using freeradius-2.0.2. Is there a way I can use unlang?
> > > >
> > > > Thanks and Regards.
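One practical detail in this set-up, raised here for both copies of the thread above and not covered in either: the key the LDAP filter searches for has to match the stored macaddress byte for byte, and NASes differ in how they format the MAC they put in User-Name. The C below is an added example written for this page, not code from the thread, from Aptilo or from FreeRADIUS. It canonicalises the User-Name into the 12-hex-digit form the device entries use, looks it up in a constructed two-entry stand-in for the LDAP device tree, and returns the devicename (standing for Access-Accept with devicename in the reply) or NULL (Access-Reject). The separator styles handled and the lowercase stored form are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Canonicalise a MAC address as a NAS might send it in User-Name
 * ("00:11:22:33:44:55", "00-11-22-33-44-55", "0011.2233.4455",
 * "001122334455", upper or lower case) into 12 lowercase hex digits,
 * the form assumed for the macaddress/username values in the directory.
 * Returns out on success, NULL when the input is not a MAC address.
 */
char *mac_canonical(const char *in, char out[13])
{
    size_t n = 0;
    for (const char *p = in; *p != '\0'; p++) {
        if (*p == ':' || *p == '-' || *p == '.')
            continue;                                   /* vendor-specific separators */
        if (!isxdigit((unsigned char)*p) || n == 12)
            return NULL;                                /* non-hex character, or too long */
        out[n++] = (char)tolower((unsigned char)*p);
    }
    if (n != 12)
        return NULL;                                    /* too short */
    out[12] = '\0';
    return out;
}

/* Constructed stand-in for the two LDAP device entries in the thread (no real directory). */
struct device { const char *mac; const char *devicename; };
static const struct device devices[] = {
    { "001122334455", "Personal PC" },
    { "001199887766", "SIP Phone"   },
};

/*
 * Silent MAC authorisation: canonicalise User-Name and look it up.
 * A hit returns the devicename to send back with Access-Accept;
 * NULL means Access-Reject.  No password is involved, as in the thread.
 */
const char *lookup_device(const char *user_name)
{
    char key[13];
    if (mac_canonical(user_name, key) == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++)
        if (strcmp(devices[i].mac, key) == 0)
            return devices[i].devicename;
    return NULL;
}

int main(void)
{
    /* Constructed User-Name values in the formats different NASes produce */
    const char *samples[] = {
        "00:11:22:33:44:55", "00-11-99-88-77-66", "0011.2233.4455",
        "AA:BB:CC:DD:EE:FF", "00:11:22",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *name = lookup_device(samples[i]);
        if (name)
            printf("%-20s -> Access-Accept, devicename = %s\n", samples[i], name);
        else
            printf("%-20s -> Access-Reject\n", samples[i]);
    }
    return 0;
}
```

If the NAS is known to send one fixed format, the canonicalisation step can be dropped and the raw User-Name used as the filter value; keeping it costs nothing and stops a change of access-point firmware from silently turning every device into a reject.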